fix(eso): chart 0.7.1 — explicit CRD defaults to clear ArgoCD OutOfSync
ArgoCD was reporting all 6 ExternalSecrets as OutOfSync because the live CRs had conversionStrategy/decodingStrategy/metadataPolicy fields filled in by the CRD defaults that werent in the chart manifests. Stamping them explicitly so the diff is clean. Tower UI will now show Provisioning state correctly transition to Ready.
This commit is contained in:
OdooSky v3
@@ -23,8 +23,8 @@ description: |
|
|||||||
Git).
|
Git).
|
||||||
|
|
||||||
type: application
|
type: application
|
||||||
version: 0.7.0
|
version: 0.7.1
|
||||||
appVersion: "0.7.0"
|
appVersion: "0.7.1"
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: cert-manager
|
- name: cert-manager
|
||||||
|
|||||||
@@ -27,6 +27,9 @@ spec:
|
|||||||
remoteRef:
|
remoteRef:
|
||||||
key: tenants/{{ .Values.tenant.id }}/cloudflare-token
|
key: tenants/{{ .Values.tenant.id }}/cloudflare-token
|
||||||
property: api_token
|
property: api_token
|
||||||
|
conversionStrategy: Default
|
||||||
|
decodingStrategy: None
|
||||||
|
metadataPolicy: None
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@@ -33,14 +33,23 @@ spec:
|
|||||||
remoteRef:
|
remoteRef:
|
||||||
key: platform/docker-mirror-pull
|
key: platform/docker-mirror-pull
|
||||||
property: registry
|
property: registry
|
||||||
|
conversionStrategy: Default
|
||||||
|
decodingStrategy: None
|
||||||
|
metadataPolicy: None
|
||||||
- secretKey: username
|
- secretKey: username
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: platform/docker-mirror-pull
|
key: platform/docker-mirror-pull
|
||||||
property: username
|
property: username
|
||||||
|
conversionStrategy: Default
|
||||||
|
decodingStrategy: None
|
||||||
|
metadataPolicy: None
|
||||||
- secretKey: password
|
- secretKey: password
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: platform/docker-mirror-pull
|
key: platform/docker-mirror-pull
|
||||||
property: password
|
property: password
|
||||||
|
conversionStrategy: Default
|
||||||
|
decodingStrategy: None
|
||||||
|
metadataPolicy: None
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@@ -33,5 +33,11 @@ spec:
|
|||||||
remoteRef:
|
remoteRef:
|
||||||
key: platform/gitea-archive-pull
|
key: platform/gitea-archive-pull
|
||||||
property: token
|
property: token
|
||||||
|
# CRD defaults stamped explicitly so ArgoCD's diff matches the
|
||||||
|
# live spec (otherwise the app sits in OutOfSync forever even
|
||||||
|
# though ESO is happily reconciling).
|
||||||
|
conversionStrategy: Default
|
||||||
|
decodingStrategy: None
|
||||||
|
metadataPolicy: None
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@@ -38,10 +38,16 @@ spec:
|
|||||||
remoteRef:
|
remoteRef:
|
||||||
key: tenants/{{ .Values.tenant.id }}/s3-credentials
|
key: tenants/{{ .Values.tenant.id }}/s3-credentials
|
||||||
property: access_key
|
property: access_key
|
||||||
|
conversionStrategy: Default
|
||||||
|
decodingStrategy: None
|
||||||
|
metadataPolicy: None
|
||||||
- secretKey: secret_key
|
- secretKey: secret_key
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: tenants/{{ .Values.tenant.id }}/s3-credentials
|
key: tenants/{{ .Values.tenant.id }}/s3-credentials
|
||||||
property: secret_key
|
property: secret_key
|
||||||
|
conversionStrategy: Default
|
||||||
|
decodingStrategy: None
|
||||||
|
metadataPolicy: None
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@@ -1,17 +1,19 @@
|
|||||||
{{- if .Values.longhorn.enabled }}
|
{{- if .Values.longhorn.enabled }}
|
||||||
# Tenant data StorageClass. Tower's instance overlays don't pin a
|
# Tenant data StorageClass. Tower's instance overlays bind here in
|
||||||
# storageClassName today (they let the cluster default decide). Phase
|
# Phase 6 (Tower stamps storageClassName=longhorn-tenants on new
|
||||||
# 1 of ADR 0003 just defines this class so Phase 2/3 can flip new
|
# instance PVCs). Existing instances on local-path stay where they
|
||||||
# instances to bind here without further chart changes.
|
# are — Longhorn additive, doesn't replace.
|
||||||
#
|
#
|
||||||
# `replicaCount` comes from values; Standalone tier ships replicas=1
|
# `replicaCount` comes from values; Standalone tier ships replicas=1
|
||||||
# (durability is hourly S3, not local mirrors).
|
# (durability is hourly S3 backup, not local mirrors).
|
||||||
apiVersion: storage.k8s.io/v1
|
apiVersion: storage.k8s.io/v1
|
||||||
kind: StorageClass
|
kind: StorageClass
|
||||||
metadata:
|
metadata:
|
||||||
name: longhorn-tenants
|
name: longhorn-tenants
|
||||||
annotations:
|
annotations:
|
||||||
# Not the cluster default in Phase 1 — explicit opt-in only.
|
# Not the cluster default — explicit opt-in only via Tower's
|
||||||
|
# PVC-stamp logic. (Two default storage classes is a k8s
|
||||||
|
# misconfig; k3s already provides local-path as default.)
|
||||||
storageclass.kubernetes.io/is-default-class: "false"
|
storageclass.kubernetes.io/is-default-class: "false"
|
||||||
provisioner: driver.longhorn.io
|
provisioner: driver.longhorn.io
|
||||||
allowVolumeExpansion: true
|
allowVolumeExpansion: true
|
||||||
@@ -25,8 +27,8 @@ parameters:
|
|||||||
fsType: "ext4"
|
fsType: "ext4"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
# NOTE: The CSI VolumeSnapshotClass (snapshot.storage.k8s.io/v1) lives
|
# NOTE: The CSI VolumeSnapshotClass (snapshot.storage.k8s.io/v1) lives
|
||||||
# in Phase 3 of ADR 0003, alongside the Tower code that consumes it.
|
# in Phase 3 of ADR 0003, alongside the Tower code that consumes it
|
||||||
# It depends on the external-snapshotter CRDs which Longhorn does not
|
# AND the external-snapshotter CRDs (which Longhorn does not ship —
|
||||||
# ship — they're a separate install. Adding it here would fail the
|
# they're a separate install). Adding VolumeSnapshotClass here would
|
||||||
# initial sync on a fresh cluster. Phase 3 will land both together
|
# fail the initial sync. Phase 3 lands all three together: snapshotter
|
||||||
# (snapshotter CRDs + VolumeSnapshotClass + Tower VolumeClone path).
|
# CRDs + controller + VolumeSnapshotClass + Tower VolumeClone path.
|
||||||
|
|||||||
@@ -34,10 +34,16 @@ spec:
|
|||||||
remoteRef:
|
remoteRef:
|
||||||
key: tenants/{{ .Values.tenant.id }}/s3-credentials
|
key: tenants/{{ .Values.tenant.id }}/s3-credentials
|
||||||
property: access_key
|
property: access_key
|
||||||
|
conversionStrategy: Default
|
||||||
|
decodingStrategy: None
|
||||||
|
metadataPolicy: None
|
||||||
- secretKey: secret_key
|
- secretKey: secret_key
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: tenants/{{ .Values.tenant.id }}/s3-credentials
|
key: tenants/{{ .Values.tenant.id }}/s3-credentials
|
||||||
property: secret_key
|
property: secret_key
|
||||||
|
conversionStrategy: Default
|
||||||
|
decodingStrategy: None
|
||||||
|
metadataPolicy: None
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
Reference in New Issue
Block a user