Promoting to `0.16`

[gusfcarvalho]

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any v1alpha1 resources across all of your infrastructure.

You can do that by performing manual inspection on your manifests, tooling, etc.

Make sure there are no storedVersions on v1alpha1:

Run the following command:

kubectl get crd \
    externalsecrets.external-secrets.io\
    secretstores.external-secrets.io\
    clustersecretstores.external-secrets.io\
    clusterexternalsecrets.external-secrets.io\
    -o jsonpath='{.items[*].status.storedVersions[?(@=="v1alpha1")]}' | \
    grep -q v1alpha1 && echo "NOT SAFE! REMOVE v1alpha1 FROM YOUR STORED VERSIONS" || echo "Safe to Continue"

If that command returns not safe, remove v1alpha1 from your stored versions. Make sure this status is persisted after you verify these commands.

kubectl patch --subresource=status crd externalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd secretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clusterexternalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clustersecretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 

Upgrading

CRDs as part of external-secrets installation

If you're installing external-secrets CRDs with helm (installCRDs=true - the default), all you need to do is

helm repo update
helm upgrade <your_app_name> external-secrets/external-secrets --version 0.16.1

The same goes if you're using argocd or flux and managing crds directly with helm. The above should just work.

CRDs installed separately

If CRDs are installed separately, the first step you need to do is bump the crds:

kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.16.1/deploy/crds/bundle.yaml

Verify no error occurs. After that, you can freely migrate external-secrets to v0.16.1.

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

Root cause: the CRD installation process failed.
Double check your CRD installation process finished successfully

spec.conversion.webhookClientConfig: Forbidden: should not be set when strategy is not set to Webhook

Use 0.16.1 as opposed to 0.16.0 on your installation path. That should be fixed on this release

My issue is not here What do I do?

Add a message to this thread.

[ccggeo]

So now using

16.0.0 and have attempted to create a secret with

apiVersion: external-secrets.io/v1

But getting

Error: UPGRADE FAILED: failed to create resource: Internal error occurred: conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

Any ideas?

[ccggeo]

kubectl api-resources -o wide | grep externalsecrets
clusterexternalsecrets              ces                                 external-secrets.io/v1                    false        ClusterExternalSecret              delete,deletecollection,get,list,patch,create,update,watch   external-secrets
externalsecrets                     es                                  external-secrets.io/v1                    true         ExternalSecret                     delete,deletecollection,get,list,patch,create,update,watch   external-secrets

The resource does exist with that version

[e3b0c442]

After upgrading to 0.16 helm chart with ArgoCD (just updating the tag), the new pod crashloops:

{"level":"error","ts":1744657816.037545,"logger":"setup","msg":"unable to create controller","controller":"ExternalSecret","error":"no matches for kind \"ExternalSecret\" in version \"external-secrets.io/v1\"","stacktrace":"github.com/external-secrets/external-secrets/cmd/controller.init.func2\n\t/home/runner/work/external-secrets/external-secrets/cmd/controller/root.go:234\ngithub.com/spf13/cobra.(*Command).execute\n\t/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.9.1/command.go:1019\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\t/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.9.1/command.go:1148\ngithub.com/spf13/cobra.(*Command).Execute\n\t/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.9.1/command.go:1071\ngithub.com/external-secrets/external-secrets/cmd/controller.Execute\n\t/home/runner/work/external-secrets/external-secrets/cmd/controller/root.go:304\nmain.main\n\t/home/runner/work/external-secrets/external-secrets/main.go:24\nruntime.main\n\t/opt/hostedtoolcache/go/1.24.2/x64/src/runtime/proc.go:283"}

[e3b0c442]

I will note that CRD does not exist in the cluster, though clusterexternalsecrets/v1 does.

[Chrisell]

I will note that CRD does not exist in the cluster, though clusterexternalsecrets/v1 does.

Just to note, you mention clusterexternalsecrets/v1 exists but your error references kind "ExternalSecret"

[Chrisell]

Upgrading to 0.16.0 for us also resulted in issues with the conversion webhook. Removing the conversion strategy appears to have resolved it temporariliy but not sure of the potential consequences of that: example: https://github.com/external-secrets/external-secrets/blob/main/deploy/crds/bundle.yaml#L1982-L1991

[fallard84]

Similar error related to the clustersecretstores conversion webhook. We are deploying the helm charts using kustomize and kapp:

kapp: Error: update customresourcedefinition/clustersecretstores.external-secrets.io (apiextensions.k8s.io/v1) cluster:
  Updating resource customresourcedefinition/clustersecretstores.external-secrets.io (apiextensions.k8s.io/v1) cluster:
    API server says:
      CustomResourceDefinition.apiextensions.k8s.io "clustersecretstores.external-secrets.io" is invalid: 

  - spec.conversion.strategy: Required value

  - spec.conversion.webhookClientConfig: Forbidden: should not be set when strategy is not set to Webhook

[gusfcarvalho]

Upgrading to 0.16.0 for us also resulted in issues with the conversion webhook. Removing the conversion strategy appears to have resolved it temporariliy but not sure of the potential consequences of that: example: https://github.com/external-secrets/external-secrets/blob/main/deploy/crds/bundle.yaml#L1982-L1991

we dont have a conversion webhook anymore - that was only needed for v1alpha1 which was deprecated. We bumped helm chart flags to change the default behavior to remove it. How are you deploying your CRDs?

[gusfcarvalho]

is it part of helm releases?

[gusfcarvalho]

Similar error related to the clustersecretstores conversion webhook. We are deploying the helm charts using kustomize and kapp:

kapp: Error: update customresourcedefinition/clustersecretstores.external-secrets.io (apiextensions.k8s.io/v1) cluster:
  Updating resource customresourcedefinition/clustersecretstores.external-secrets.io (apiextensions.k8s.io/v1) cluster:
    API server says:
      CustomResourceDefinition.apiextensions.k8s.io "clustersecretstores.external-secrets.io" is invalid: 

  - spec.conversion.strategy: Required value

  - spec.conversion.webhookClientConfig: Forbidden: should not be set when strategy is not set to Webhook

likewise, I think you need to change your kustomize to remove the webhook. I'm checking whats happening with the built in bundle

[gusfcarvalho]

kubectl api-resources -o wide | grep externalsecrets
clusterexternalsecrets              ces                                 external-secrets.io/v1                    false        ClusterExternalSecret              delete,deletecollection,get,list,patch,create,update,watch   external-secrets
externalsecrets                     es                                  external-secrets.io/v1                    true         ExternalSecret                     delete,deletecollection,get,list,patch,create,update,watch   external-secrets

The resource does exist with that version

can you try force disabling conversion webhooks?

[gusfcarvalho]

I have found the issue if you are installing crds with kubectl apply -f to our bundle. (see #4664). That's exactly what you need to fix and can fix manually if you want to.

[Chrisell]

Yeah we were installing separately with the bundle

[gusfcarvalho]

Yeah we were installing separately with the bundle

using that file version on the PR fixes the issue for you?