Description
Describe the bug
I’ve encountered an issue while deploying external-secrets.io version 0.10.2 on both a K3S and Talos Kubernetes Cluster using Flux and the official Helm chart. The problem occurs with the uuids.generators.external-secrets.io CustomResourceDefinition (CRD), which fails to become fully established due to a short name conflict.
The uuids.generators.external-secrets.io CRD and passwords.generators.external-secrets.io CRD both attempt to use the short name "password", causing Kubernetes to report a ShortNamesConflict with the message:
"password" is already in use
As a result, the status of uuids.generators.external-secrets.io remains false due to this conflict. Flux interprets this status as an error and repeatedly retries reconciliation, leading to a reconciliation loop without successfully applying the kustomization.
```yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.16.2
  creationTimestamp: "2024-09-09T04:58:11Z"
  generation: 1
  labels:
    kustomize.toolkit.fluxcd.io/name: external-secrets-crds
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: uuids.generators.external-secrets.io
  resourceVersion: "2046923"
  uid: 352acf59-bb7c-413b-b5ea-fa16cadf7603
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        service:
          name: kubernetes
          namespace: default
          path: /convert
          port: 443
      conversionReviewVersions:
      - v1
  group: generators.external-secrets.io
  names:
    categories:
    - password
    kind: UUID
    listKind: UUIDList
    plural: uuids
    shortNames:
    - password
    singular: uuid
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          Password generates a random password based on the
          configuration parameters in spec.
          You can specify the length, characterset and other attributes.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: UUIDSpec controls the behavior of the uuid generator.
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    categories:
    - password
    kind: UUID
    listKind: UUIDList
    plural: uuids
    singular: uuid
  conditions:
  - lastTransitionTime: "2024-09-09T04:58:11Z"
    message: '"password" is already in use'
    reason: ShortNamesConflict
    status: "False"
    type: NamesAccepted
  - lastTransitionTime: "2024-09-09T04:58:11Z"
    message: not all names are accepted
    reason: NotAccepted
    status: "False"
    type: Established
  storedVersions:
  - v1alpha1
```
To Reproduce
(Flux is probably not required to reproduce the short name conflict. Using kubectl should be sufficient. I've tried Chart values "installCRDs: true" and "installCRDs: false" with the same result.)
- Deploy external-secrets.io version 0.10.2 using the official Helm chart in a Kubernetes cluster (tested in K3S and Talos Kubernetes clusters).
- Use Flux to manage the deployment and apply the CRDs.
- Observe that the uuids.generators.external-secrets.io CRD fails to be established due to a short name conflict with passwords.generators.external-secrets.io.
- Flux enters a reconciliation loop, unable to complete due to the unresolved CRD conflict.
Kubernetes / Flux Manifest:
```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: external-secrets
  namespace: flux-system
spec:
  interval: 10m
  url: https://charts.external-secrets.io
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: external-secrets
  namespace: flux-system
spec:
  interval: 10m
  ref:
    branch: main
  url: http://github.com/external-secrets/external-secrets
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: external-secrets-crds
  namespace: flux-system
spec:
  interval: 10m
  path: ./deploy/crds
  prune: true
  sourceRef:
    kind: GitRepository
    name: external-secrets
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: external-secrets
  namespace: flux-system
spec:
  releaseName: external-secrets
  targetNamespace: external-secrets
  interval: 10m
  chart:
    spec:
      chart: external-secrets
      version: 0.10.2
      sourceRef:
        kind: HelmRepository
        name: external-secrets
        namespace: flux-system
  install:
    createNamespace: true
```
Expected behavior
The uuids.generators.external-secrets.io CRD should either:
- Not use the short name "password", or
- Handle the conflict more gracefully by using a unique short name, allowing Kubernetes to apply the CRDs without errors.
Additional context
Environment:
- external-secrets.io version: 0.10.2
- Helm chart: official external-secrets.io Helm chart
- Kubernetes distribution: K3S v1.30.4+k3s1 and Talos 1.7.5 with K8s v1.30.0
- Flux version: v2.3.0
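
Added example, not part of the original report and not code from the external-secrets project: a pre-apply check that flags CRDs claiming the same resource name and lists CRDs whose `NamesAccepted` or `Established` condition is not `"True"`. It assumes names are compared per API group across `plural`, `singular` and `shortNames`; the `passwords` and `widgets` entries and the helper names are constructed for the demonstration.

```python
from collections import defaultdict

GEN = "generators.external-secrets.io"

def crd(name, group, plural, singular, short, conditions=()):
    """Build a trimmed CRD object (constructed sample data, not cluster output)."""
    return {"metadata": {"name": name},
            "spec": {"group": group, "names": {
                "plural": plural, "singular": singular, "shortNames": short}},
            "status": {"conditions": list(conditions)}}

# Shaped like the items of `kubectl get crd -o json`. The uuids entry copies the
# names and conditions shown in the issue; the other two entries are assumptions.
SAMPLE_CRDS = [
    crd("passwords." + GEN, GEN, "passwords", "password", ["password"]),
    crd("uuids." + GEN, GEN, "uuids", "uuid", ["password"], [
        {"type": "NamesAccepted", "status": "False",
         "reason": "ShortNamesConflict", "message": '"password" is already in use'},
        {"type": "Established", "status": "False",
         "reason": "NotAccepted", "message": "not all names are accepted"}]),
    # Same short name in a different group: must not be reported.
    crd("widgets.example.test", "example.test", "widgets", "widget", ["password"]),
]

def find_name_conflicts(crds):
    """Map (group, name) -> CRDs claiming it, for names claimed more than once."""
    claimed = defaultdict(set)
    for item in crds:
        names = item["spec"]["names"]
        wanted = {names["plural"], names.get("singular"), *names.get("shortNames", [])}
        for n in filter(None, wanted):
            claimed[(item["spec"]["group"], n)].add(item["metadata"]["name"])
    return {key: sorted(owners) for key, owners in claimed.items() if len(owners) > 1}

def unaccepted(crds):
    """Map CRD name -> [(condition type, reason)] for conditions that are not True."""
    failing = defaultdict(list)
    for item in crds:
        for cond in item.get("status", {}).get("conditions", []):
            if cond["type"] in ("NamesAccepted", "Established") and cond["status"] != "True":
                failing[item["metadata"]["name"]].append((cond["type"], cond["reason"]))
    return dict(failing)

if __name__ == "__main__":
    for (group, name), owners in find_name_conflicts(SAMPLE_CRDS).items():
        print(f"conflict in {group}: {name!r} claimed by {', '.join(owners)}")
    for name, conds in unaccepted(SAMPLE_CRDS).items():
        print(f"{name}: {conds}")
```

`find_name_conflicts` works on manifests before they are applied, while `unaccepted` needs the `status` the API server writes after the apply.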