Allow deployment with ESO > v0.17.0#276
Conversation
Thubo
changed the title
There was a problem hiding this comment.
Pull request overview
This PR upgrades the External Secrets Operator (ESO) integration from the v1beta1 API to the stable v1 API, which became available in ESO v0.17.0. The change adds explicit field specifications for conversionStrategy, decodingStrategy, and metadataPolicy to prevent ArgoCD from detecting configuration drift when ESO server-side applies these default values.
- Updates the API version check and apiVersion from
external-secrets.io/v1beta1toexternal-secrets.io/v1 - Explicitly sets three remoteRef fields (
conversionStrategy: Default,decodingStrategy: None,metadataPolicy: None) to their default values to prevent ArgoCD drift - Applies changes to both username and password secret entries in the ExternalSecret manifest
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| @@ -1,5 +1,5 @@ | |||
| {{- if and (.Capabilities.APIVersions.Has "external-secrets.io/v1beta1") (.Values.externalSecret) }} | |||
| apiVersion: external-secrets.io/v1beta1 | |||
| {{- if and (.Capabilities.APIVersions.Has "external-secrets.io/v1") (.Values.externalSecret) }} | |||
There was a problem hiding this comment.
Changing the API version check from "external-secrets.io/v1beta1" to "external-secrets.io/v1" is a breaking change that requires External Secrets Operator >= v0.17.0. Users with older ESO versions will no longer have the ExternalSecret resource created, breaking their deployments. This breaking change should be documented in the Chart.yaml version bump (currently at 2.2.0) as a major version change, and should include upgrade notes or backwards compatibility handling. Consider documenting the minimum required ESO version in the Chart.yaml or README.md, and consider bumping the chart version to 3.0.0 to signal the breaking change.
| {{- if and (.Capabilities.APIVersions.Has "external-secrets.io/v1") (.Values.externalSecret) }} | ||
| apiVersion: external-secrets.io/v1 |
There was a problem hiding this comment.
The upgrade from external-secrets.io/v1beta1 to v1 API requires External Secrets Operator version 0.17.0 or later. This breaking change requirement should be documented in the chart's README.md or values.yaml to inform users of the minimum ESO version needed when using the externalSecret feature. Without this documentation, users may encounter unexpected failures when the ExternalSecret resource is not created due to the API version check.
|
Looks good. Seems 0.17 was released in May so that is reasonable. |
I hope i got things right. Please let me know if not. Thanks! |
|
Thank you! |
|
Side note: I just noticed that the Helm Chart Version 3.0.0 already references the AppVersion 2.4.0 (https://github.com/movetokube/postgres-operator/blob/ext-postgres-operator-3.0.0/charts/ext-postgres-operator/Chart.yaml#L12) which is not yet published: https://github.com/movetokube/postgres-operator/pkgs/container/postgres-operator Just a heads-up: Folks might run into issues when trying to install w/o explicitly overwriting the tag to 2.3.0 :) |
ExternalSecretwith a more recent version of the External Secrets Operator. (https://github.com/external-secrets/external-secrets/releases/tag/v0.17.0)