ExternalSecret fails if its name is >92 characters long #4052

@thesuperzapper

Description

What's the problem?

Currently, when an ExternalSecret has a name >92 characters long, it will fail to generate the target secret.

This is problematic, because Secret names can have up to 253 characters, and many users like to name their ExternalSecret the same as the target Secret resource.

NOTE: I am talking about the name of the ExternalSecret itself; there is no issue with creating a target Secret up to 253 characters long (assuming the ExternalSecret is 92 characters or less).

Why is it happening?

The problem is that we are trying to include the name of the ExternalSecret in the metadata.managedFields[0].manager of the target Secrets, and Kubernetes limits this field to 128 characters.

Here is the template variable for the manager field name:

fieldOwnerTemplate = "externalsecrets.external-secrets.io/%v"

For example, a target Secret might look like this:

apiVersion: v1
kind: Secret
metadata:
  name: target-secret
  managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        ...
      manager: externalsecrets.external-secrets.io/<NAME_OF_EXTERNAL_SECRET>
      operation: Update
      time: "2024-01-01T00:00:00Z"

What's the solution?

The purpose of the metadata.managedFields[0].manager is to indicate which controller manages each field as part of server-side apply. Realistically, we should just be setting this field to the string "external-secrets-controller" because the external-secrets controller is managing this field and the ExternalSecret resource is not the "controller".

How can I reproduce this?

  1. Using external-secrets v0.18.5 or earlier
  2. Create the following SecretStore:
apiVersion: generators.external-secrets.io/v1alpha1
kind: Fake
metadata:
  name: my-fake-secret
  namespace: default
spec:
  data:
    foo: bar
    baz: bang
  3. Create the following ExternalSecret:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  ## THIS WILL FAIL: it is 93 characters long
  name: 123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123

  ## THIS WILL SUCCEED: it is 92 characters long
  #name: 123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-12

  namespace: default
spec:
  refreshInterval: 60s
  target:
    name: my-target-secret
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: Fake
          name: my-fake-secret
  4. Observe that the status of the ExternalSecret becomes SecretSyncedError and the logs in external-secrets become:

{"level":"error","ts":1730139939.7042181,"logger":"controllers.ExternalSecret","msg":"could not update Secret","ExternalSecret":{"name":"123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123","namespace":"default"},"error":"CreateOptions.meta.k8s.io "" is invalid: fieldManager: Too long: must have at most 128 bytes","stacktrace":"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret.(*Reconciler).markAsFailed\n\t/home/runner/work/external-secrets/external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go:360\ngithub.com/external-secrets/external-secrets/pkg/controllers/externalsecret.(*Reconciler).Reconcile\n\t/home/runner/work/external-secrets/external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go:335\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.0/pkg/internal/controller/controller.go:116\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.0/pkg/internal/controller/controller.go:303\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.0/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.0/pkg/internal/controller/controller.go:224"}
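
As an added illustration (my own code, not from the external-secrets project), this Go snippet reproduces the arithmetic behind the 92-character boundary described above: the template prefix is 36 bytes, the API server caps fieldManager at 128 bytes, and the constant manager name proposed in the issue is unaffected by the ExternalSecret's name length. Only the 128-byte length rule of the server's validation is modelled here; fixedFieldManager is the string the issue proposes, not a value confirmed from the project's code.

```go
package main

import (
	"fmt"
	"strings"
)

// fieldOwnerTemplate is the template quoted in the issue: the ExternalSecret
// name is appended to a fixed prefix to form the server-side-apply field manager.
const fieldOwnerTemplate = "externalsecrets.external-secrets.io/%v"

// fieldManagerMaxLength mirrors the limit the API server enforces on
// CreateOptions.fieldManager ("Too long: must have at most 128 bytes").
const fieldManagerMaxLength = 128

// fixedFieldManager is the constant manager name the issue proposes instead.
// (Taken from the issue text; assumed here, not verified against the project.)
const fixedFieldManager = "external-secrets-controller"

// fieldManagerFor derives the manager string the controller would send for a
// given ExternalSecret name using the current template.
func fieldManagerFor(externalSecretName string) string {
	return fmt.Sprintf(fieldOwnerTemplate, externalSecretName)
}

// validateFieldManager reproduces only the length rule the API server applies.
// It returns a message in the spirit of the server's error, or "" if valid.
func validateFieldManager(manager string) string {
	if n := len(manager); n > fieldManagerMaxLength {
		return fmt.Sprintf("fieldManager: Too long: must have at most %d bytes (got %d)", fieldManagerMaxLength, n)
	}
	return ""
}

// maxExternalSecretNameLen is the longest ExternalSecret name that still fits
// under the template: 128 minus the fixed prefix length (36), i.e. 92.
func maxExternalSecretNameLen() int {
	prefix := strings.TrimSuffix(fieldOwnerTemplate, "%v")
	return fieldManagerMaxLength - len(prefix)
}

func main() {
	for _, n := range []int{92, 93, 253} { // 253 is the Secret name limit from the issue
		name := strings.Repeat("a", n) // constructed sample name of length n
		fmt.Printf("name len %3d -> template manager: %q\n", n, validateFieldManager(fieldManagerFor(name)))
		fmt.Printf("name len %3d -> fixed manager:    %q\n", n, validateFieldManager(fixedFieldManager))
	}
}
```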

Labels: kind/bug