fix(eso): chart 0.6.2 - revert fullnameOverride; use templated SA in ClusterSecretStore

Chart 0.6.1's fullnameOverride attempted to give ESO resources stable names (just 'external-secrets' instead of '<release>-external-secrets') but ArgoCD couldn't fully drain the prefixed resources from 0.6.0, leaving sync stuck. Reverting: keep the subchart's default release- prefixed naming, template the SA reference in ClusterSecretStore via {{ .Release.Name }}-external-secrets so it resolves correctly per cluster.
2026-05-07 21:01:38 +03:00
parent ddc01def62
commit 52a157f187
3 changed files with 12 additions and 18 deletions
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -23,8 +23,8 @@ description: |
      Git).

 type: application
-version: 0.6.1
-appVersion: "0.6.1"
+version: 0.6.2
+appVersion: "0.6.2"

 dependencies:
  - name: cert-manager
--- a/templates/openbao-secretstore.yaml
+++ b/templates/openbao-secretstore.yaml
@@ -27,7 +27,11 @@ spec:
          mountPath: {{ .Values.externalSecrets.openbao.mountPath | quote }}
          role: {{ .Values.externalSecrets.openbao.role | default "eso" | quote }}
          serviceAccountRef:
-            name: external-secrets
+            # ESO subchart names its SA `<release>-external-secrets`
+            # (no fullnameOverride — see values.yaml). The OpenBao
+            # role's bound_service_account_names must match this
+            # exact name (e.g. `qsoft-platform-external-secrets`).
+            name: "{{ .Release.Name }}-external-secrets"
            namespace: odoosky-system
 {{- end }}
 {{- end }}
--- a/values.yaml
+++ b/values.yaml
@@ -278,20 +278,10 @@ externalSecrets:
 # first apply. Resource limits conservative — ESO is event-driven
 # and idle most of the time.
 #
-# fullnameOverride locks the SA + Deployment + Service names to plain
-# "external-secrets" (no <release-name>- prefix), so the OpenBao role
-# binding and our ClusterSecretStore.serviceAccountRef can reference
-# a stable name across every cluster.
+# We keep the subchart's default release-prefixed naming
+# (`<release>-external-secrets`) — i.e., we DON'T set
+# fullnameOverride. The ClusterSecretStore manifest references the
+# SA via `{{ .Release.Name }}-external-secrets` so the name resolves
+# correctly per-cluster.
 external-secrets:
  installCRDs: true
-  fullnameOverride: "external-secrets"
-  serviceAccount:
-    name: external-secrets
-  webhook:
-    fullnameOverride: "external-secrets-webhook"
-    serviceAccount:
-      name: external-secrets-webhook
-  certController:
-    fullnameOverride: "external-secrets-cert-controller"
-    serviceAccount:
-      name: external-secrets-cert-controller