fluxcd / kustomize-controller

The GitOps Toolkit Kustomize reconciler
https://fluxcd.io
Apache License 2.0

Constant rewriting of the CRD #1138

Open tropnikovvl opened 5 months ago

tropnikovvl commented 5 months ago

Hello!

Using Flux, I deployed the external-secrets operator and its CRD.

The fact is that the external-secrets operator stores the caBundle directly in the CRD and therefore Flux constantly overwrites it.

Question: is it possible to add some manifest fields to those ignored by Kustomization?

{"level":"info","ts":"2024-04-16T11:13:17.992Z","msg":"server-side apply for cluster definitions completed","controller":"kustomization","controllerGroup":"kustomize.toolkit.fluxcd.io","controllerKind":"Kustomization","Kustomization":{"name":"crds-stack","namespace":"flux-system"},"namespace":"flux-system","name":"crds-stack","reconcileID":"c2167182-e883-4189-814e-7d895b0da69f","output":{"CustomResourceDefinition/clustersecretstores.external-secrets.io":"configured","CustomResourceDefinition/externalsecrets.external-secrets.io":"configured","CustomResourceDefinition/secretstores.external-secrets.io":"configured"}}

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - https://raw.githubusercontent.com/external-secrets/external-secrets/v0.9.14/deploy/crds/bundle.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  creationTimestamp: "2024-04-10T09:58:54Z"
  generation: 190
  labels:
    kustomize.toolkit.fluxcd.io/name: crds-stack
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: clustersecretstores.external-secrets.io
  resourceVersion: "1265682"
  uid: 89ad4f41-1a9c-4bd8-951a-b38ae52dbca5
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        caBundle: long caBundle
        service:
          name: external-secrets-webhook
          namespace: external-secrets
          path: /convert
          port: 443
      conversionReviewVersions:
      - v1
  group: external-secrets.io
  names:
    categories:
    - externalsecrets
    kind: ClusterSecretStore
    listKind: ClusterSecretStoreList
    plural: clustersecretstores
    shortNames:
    - css
    singular: clustersecretstore
  scope: Cluster

stefanprodan commented 5 months ago

There is no way to ignore fields, you can only tell Flux to apply these objects as one-off:

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
spec:
  patches:
  - patch: |
      - op: add
        path: /metadata/annotations/kustomize.toolkit.fluxcd.io~1ssa
        value: IfNotPresent
    target:
      kind: CustomResourceDefinition
      name: (clustersecretstores.external-secrets.io|secretstores.external-secrets.io)
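An added example (not code from the kustomize-controller project or from the commenter) that applies the patch above to constructed CRD objects and shows which ones the IfNotPresent rule would leave untouched on the next reconciliation. The anchored-regex matching of target.name and the minimal CRD shape are assumptions of this example.

```python
import re
from copy import deepcopy
SSA_ANNOTATION = "kustomize.toolkit.fluxcd.io/ssa"

def unescape_token(token):
    # RFC 6901: "~1" decodes to "/" and "~0" to "~" (in that order), so the
    # path ".../kustomize.toolkit.fluxcd.io~1ssa" names the key with a slash.
    return token.replace("~1", "/").replace("~0", "~")

def apply_add(obj, path, value):
    # RFC 6902 "add": every parent must already exist (the bundle CRDs carry a
    # controller-gen annotation, so metadata/annotations is present).
    tokens = [unescape_token(t) for t in path.lstrip("/").split("/")]
    node = obj
    for t in tokens[:-1]:
        node = node[t]
    node[tokens[-1]] = value
    return obj

def matches_target(obj, target):
    # target.name is treated as an anchored regex (assumption of this example).
    return (obj.get("kind") == target["kind"]
            and re.fullmatch(target["name"], obj["metadata"]["name"]) is not None)

def patch_objects(objects, target, ops):
    out = []
    for obj in objects:
        obj = deepcopy(obj)
        if matches_target(obj, target):
            for op in ops:
                apply_add(obj, op["path"], op["value"])
        out.append(obj)
    return out

def will_apply(desired, live):
    # IfNotPresent: the object is server-side applied only when it is absent
    # from the cluster, so an existing CRD (and its caBundle) is left alone.
    mode = desired["metadata"].get("annotations", {}).get(SSA_ANNOTATION)
    return not (mode == "IfNotPresent" and live is not None)

def crd(name, ca_bundle=""):
    # Constructed, minimal stand-in for the external-secrets CRDs in the bundle.
    return {"apiVersion": "apiextensions.k8s.io/v1", "kind": "CustomResourceDefinition",
            "metadata": {"name": name, "annotations": {"controller-gen.kubebuilder.io/version": "v0.14.0"}},
            "spec": {"conversion": {"webhook": {"clientConfig": {"caBundle": ca_bundle}}}}}

# The patch from the comment above, as kustomize would parse it.
TARGET = {"kind": "CustomResourceDefinition", "name": "(clustersecretstores.external-secrets.io|secretstores.external-secrets.io)"}
OPS = [{"op": "add", "path": "/metadata/annotations/kustomize.toolkit.fluxcd.io~1ssa", "value": "IfNotPresent"}]
DESIRED = [crd("clustersecretstores.external-secrets.io"), crd("secretstores.external-secrets.io"), crd("externalsecrets.external-secrets.io")]
PATCHED = patch_objects(DESIRED, TARGET, OPS)
```

Only the two store CRDs gain the annotation; externalsecrets.external-secrets.io keeps being re-applied, which is why the name regex matters when deciding which objects Flux should stop reconciling.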

tropnikovvl commented 5 months ago

@stefanprodan Thanks for the answer!

How then will the update process occur when changing the version? Will it even work?

stefanprodan commented 5 months ago

There is no update unless you remove the annotation from Git and cluster. I suggest using a HelmRelease for the external-secrets operator, as helm-controller doesn't correct drift by default and bundles will stay put.

stefanprodan commented 5 months ago

We do have an issue for implementing fields ignore here https://github.com/fluxcd/pkg/issues/696. It may take months/years before I get to this unless someone steps in to work on it.