fix(eso): chart 0.6.2 - revert fullnameOverride; use templated SA in ClusterSecretStore
Chart 0.6.1's fullnameOverride attempted to give ESO resources stable
names (just 'external-secrets' instead of '<release>-external-secrets')
but ArgoCD couldn't fully drain the prefixed resources from 0.6.0,
leaving sync stuck. Reverting: keep the subchart's default release-
prefixed naming, template the SA reference in ClusterSecretStore via
{{ .Release.Name }}-external-secrets so it resolves correctly per
cluster.
This commit is contained in:
OdooSky v3
@@ -23,8 +23,8 @@ description: |
|
|||||||
Git).
|
Git).
|
||||||
|
|
||||||
type: application
|
type: application
|
||||||
version: 0.6.1
|
version: 0.6.2
|
||||||
appVersion: "0.6.1"
|
appVersion: "0.6.2"
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: cert-manager
|
- name: cert-manager
|
||||||
|
|||||||
@@ -27,7 +27,11 @@ spec:
|
|||||||
mountPath: {{ .Values.externalSecrets.openbao.mountPath | quote }}
|
mountPath: {{ .Values.externalSecrets.openbao.mountPath | quote }}
|
||||||
role: {{ .Values.externalSecrets.openbao.role | default "eso" | quote }}
|
role: {{ .Values.externalSecrets.openbao.role | default "eso" | quote }}
|
||||||
serviceAccountRef:
|
serviceAccountRef:
|
||||||
name: external-secrets
|
# ESO subchart names its SA `<release>-external-secrets`
|
||||||
|
# (no fullnameOverride — see values.yaml). The OpenBao
|
||||||
|
# role's bound_service_account_names must match this
|
||||||
|
# exact name (e.g. `qsoft-platform-external-secrets`).
|
||||||
|
name: "{{ .Release.Name }}-external-secrets"
|
||||||
namespace: odoosky-system
|
namespace: odoosky-system
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
20
values.yaml
20
values.yaml
@@ -278,20 +278,10 @@ externalSecrets:
|
|||||||
# first apply. Resource limits conservative — ESO is event-driven
|
# first apply. Resource limits conservative — ESO is event-driven
|
||||||
# and idle most of the time.
|
# and idle most of the time.
|
||||||
#
|
#
|
||||||
# fullnameOverride locks the SA + Deployment + Service names to plain
|
# We keep the subchart's default release-prefixed naming
|
||||||
# "external-secrets" (no <release-name>- prefix), so the OpenBao role
|
# (`<release>-external-secrets`) — i.e., we DON'T set
|
||||||
# binding and our ClusterSecretStore.serviceAccountRef can reference
|
# fullnameOverride. The ClusterSecretStore manifest references the
|
||||||
# a stable name across every cluster.
|
# SA via `{{ .Release.Name }}-external-secrets` so the name resolves
|
||||||
|
# correctly per-cluster.
|
||||||
external-secrets:
|
external-secrets:
|
||||||
installCRDs: true
|
installCRDs: true
|
||||||
fullnameOverride: "external-secrets"
|
|
||||||
serviceAccount:
|
|
||||||
name: external-secrets
|
|
||||||
webhook:
|
|
||||||
fullnameOverride: "external-secrets-webhook"
|
|
||||||
serviceAccount:
|
|
||||||
name: external-secrets-webhook
|
|
||||||
certController:
|
|
||||||
fullnameOverride: "external-secrets-cert-controller"
|
|
||||||
serviceAccount:
|
|
||||||
name: external-secrets-cert-controller
|
|
||||||
|
|||||||
Reference in New Issue
Block a user