fix: use HookSucceeded with orphan propagation for oneShot ExternalSecret #15
…cret Switch the oneShot hook-delete-policy from BeforeHookCreation to HookSucceeded so the keycloak-users ExternalSecret is removed as early as possible after syncing. Add PrunePropagationPolicy=orphan to prevent ArgoCD from cascade-deleting the K8s Secret when the ExternalSecret is pruned. Remove the one-shot label on the ExternalSecret itself since HookSucceeded handles its deletion. Rename the cleanup label from ztvp.io/cleanup to validatedpatterns.io/cleanup. Signed-off-by: Min Zhang <minzhang@redhat.com>
mlorenzofr
left a comment
I was testing it but I found some problems with the cleanup job
mlorenzofr
left a comment
The keycloak app and the import and cleanup jobs are working correctly. The keycloak-users secret has been successfully deleted. The NPs have been applied. Everything OK
LGTM
…neShot Replace deletionPolicy: Retain with creationPolicy: Orphan when oneShot is enabled. Orphan prevents ESO from setting an ownerReference on the Secret, so Kubernetes GC will not cascade-delete it when ArgoCD removes the ExternalSecret hook. Add creationPolicy as a configurable value (default: Owner) for the non-oneShot case. Signed-off-by: Min Zhang <minzhang@redhat.com>
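The end state the two commits above describe, written out as an added example rather than the project's own templates: the hook object is deleted on HookSucceeded, the Application prunes with orphan propagation, and the ExternalSecret uses creationPolicy: Orphan so the generated Secret carries no ownerReference. Namespace, secret store, hook type, data keys and the Application fields are assumed.

```yaml
# Constructed example; not the project's chart. Assumed: namespace, store
# name, hook type (Sync), data keys and the Application skeleton.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: keycloak-users
  namespace: keycloak                      # assumed
  annotations:
    argocd.argoproj.io/hook: Sync          # hook type assumed
    # Was BeforeHookCreation, which kept the ExternalSecret around until the
    # next sync. HookSucceeded removes it as soon as the sync hook finishes.
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
  secretStoreRef:
    name: vault-backend                    # assumed
    kind: ClusterSecretStore               # assumed
  target:
    name: keycloak-users
    # Owner (the default) makes ESO set an ownerReference on the Secret, so
    # Kubernetes GC removes the Secret when the ExternalSecret goes away.
    # Orphan sets no ownerReference; the Secret survives the hook deletion.
    # deletionPolicy: Retain alone did not prevent the cascade (second commit).
    creationPolicy: Orphan
  data:
    - secretKey: users.json                # assumed
      remoteRef:
        key: keycloak/users                # assumed
---
# Application-level sync option (placement assumed). Pruned resources are
# deleted with orphan propagation instead of the default foreground cascade.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: keycloak                           # assumed
  namespace: openshift-gitops              # assumed
spec:
  project: default                         # assumed
  source:
    repoURL: https://example.invalid/pattern.git   # placeholder
    path: charts/keycloak                  # assumed
  destination:
    server: https://kubernetes.default.svc
    namespace: keycloak                    # assumed
  syncPolicy:
    syncOptions:
      - PrunePropagationPolicy=orphan
```

The check that matters after a sync is that `keycloak-users` (kind Secret) still exists once the ExternalSecret of the same name is gone, and that its metadata carries no ownerReferences entry pointing at an ExternalSecret.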
sabre1041
left a comment
Thanks @minmzzhang for working through the deletion issues. Can you regenerate the README so that it includes the creationPolicy value?
helm-docs generates compact markdown tables that fail the super-linter prettier check. Add a containerized prettier step (jauderho/prettier) to the helm-docs target so README.md is always formatted correctly. Signed-off-by: Min Zhang <minzhang@redhat.com>
The README.md is regenerated with the latest contents. I also updated the Makefile to include prettier formatting, as the current one always fails the super-linter.