externalsecret-controller: please apply your changes to the latest version and try again

[atsai1220]

Describe the solution you'd like
I would like for ExternalSecrets controller to update the status of external-secrets without erroring out.

What is the added value?
Currently we are generating a new token every few seconds because the controller is stuck in a loop of trying to update existing externalsecrets status but is unable to.

Give us examples of the outcome
the crd

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  annotations:
    meta.helm.sh/release-name: falco-fleet-falco-manifests
    meta.helm.sh/release-namespace: falco
    objectset.rio.cattle.io/id: default-falco-fleet-falco-manifests
  creationTimestamp: "2021-05-19T17:19:57Z"
  generation: 3
  labels:
    app.kubernetes.io/managed-by: Helm
    objectset.rio.cattle.io/hash: 823783ed6018879b56ee0e3083df1de5715a6778
  name: falco-aws-credentials
  namespace: falco
  resourceVersion: "146513378"
  selfLink: /apis/external-secrets.io/v1alpha1/namespaces/falco/externalsecrets/falco-aws-credentials
  uid: 840e9dbb-fc38-4aef-a9f3-297399e609ea
spec:
  data:
  - remoteRef:
      key: rancher/shared_cluster_data/aws
      property: AWS_ACCESSKEYID
    secretKey: AWS_ACCESSKEYID
  - remoteRef:
      key: rancher/shared_cluster_data/aws
      property: AWS_SECRETACCESSKEY
    secretKey: AWS_SECRETACCESSKEY
  - remoteRef:
      key: rancher/shared_cluster_data/aws
      property: AWS_REGION
    secretKey: AWS_REGION
  - remoteRef:
      key: rancher/shared_cluster_data/aws
      property: AWS_SQS_URL
    secretKey: AWS_SQS_URL
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: containerservices
  target:
    name: aws-credentials
status:
  conditions:
  - lastTransitionTime: "2021-05-19T17:21:10Z"
    message: Secret was synced
    reason: SecretSynced
    status: "True"
    type: Ready
  refreshTime: "2021-05-20T18:52:27Z"

In the logs

2021-05-20T18:47:49.461Z	ERROR	controllers.ExternalSecret	unable to update status	{"ExternalSecret": "falco/falco-aws-credentials", "SecretStore": "/containerservices", "error": "Operation cannot be fulfilled on externalsecrets.external-secrets.io \"falco-aws-credentials\": the object has been modified; please apply your changes to the latest version and try again"}
github.com/go-logr/zapr.(*zapLogger).Error
	/home/runner/go/pkg/mod/github.com/go-logr/zapr@v0.2.0/zapr.go:132
github.com/external-secrets/external-secrets/pkg/controllers/externalsecret.(*Reconciler).Reconcile
	/home/runner/work/external-secrets/external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go:146
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.8.1/pkg/internal/controller/controller.go:297
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.8.1/pkg/internal/controller/controller.go:252
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.2
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.8.1/pkg/internal/controller/controller.go:215
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1
	/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:185
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
	/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:155
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
	/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:156
k8s.io/apimachinery/pkg/util/wait.JitterUntil
	/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:133
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext
	/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:185
k8s.io/apimachinery/pkg/util/wait.UntilWithContext
	/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:99

Observations (Constraints, Context, etc):

We are using Helm to create ExternalSecret CRDs. Could that affect how the controller updates object status? Specifically the controller is erroring out here:

external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go

Lines 144 to 147 in d40be4f

	err = r.Status().Update(ctx, &externalSecret)
	if err != nil {
	log.Error(err, "unable to update status")
	}

Any guidance would be much appreciated. I'm not too sure why the controller is having a hard time refreshing... Thank you! :)

[atsai1220]

This is resolved for me. The issue was my CD pipeline was think the external-secrets object has been changed because its status changed and now there are two controllers competing over who gets to update this file. Clue is at metadata.resourceVersion.

[atsai1220]

I thought this was resolved for me but the issue came back. Hope someone could provide some insight regarding this. Thank you!

[moolen]

I think that happens when a stale item of a Kind=ExternalSecret is in the controller cache. That means someone else touched the external-secret. This may be a race-condition in your CD as you suggested (or some other controller doing $things).
This isn't a real issue as the controller will reconcile the state eventually (with backoff if required).

I thought of retrying the status update but this is an anti-pattern (see here)

I think we should return an error here to trigger the reconciliation of the status field as it contains important metadata.

[atsai1220]

I think that happens when a stale item of a Kind=ExternalSecret is in the controller cache. That means someone else touched the external-secret. This may be a race-condition in your CD as you suggested (or some other controller doing $things).
This isn't a real issue as the controller will reconcile the state eventually (with backoff if required).

I thought of retrying the status update but this is an anti-pettern (see here)

I think we should return an error here to trigger the reconciliation of the status field as it contains important metadata.

Thank you for the insight. We do have two controllers modifying both files but it seems like external-secrets eventually reconciles and back-off.