Upgrading to 0.16.1 - ClusterExternalSecret - secret already exists

[sonalita]

Describe the bug
We are upgrading from 0.11.0 to 0.16.1. We deploy external-secrets with Helm via Flux.
We are facing an issue in that the ClusterExternalSecret is failing to apply due to "secret already exists in namespace" for our existing secrets.

To Reproduce
Steps to reproduce the behavior:

This is our manifest that is applied via Flux and Kustomize:

apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
  name: common-external-secrets
spec:
  externalSecretName: "common-secrets"
  namespaceSelectors:
    matchLabels:
      secp.aviva.com/common-es: "true"
  namespaces:
    - "flux-system"
  refreshTime: "1m"

  externalSecretSpec:
    secretStoreRef:
      name: common-secrets
      kind: ClusterSecretStore

    refreshInterval: "1h"
    target:
      name: common-secrets
      creationPolicy: 'Owner'
      template:
        engineVersion: v2
        data:
          proxy: '{{ .http_proxy }}'
          HTTP_PROXY: '{{ .http_proxy }}'
          HTTPS_PROXY: '{{ .http_proxy }}'
          NO_PROXY: '${no_proxy}'
    data:
    - secretKey: http_proxy
      remoteRef:
        key: ${secrets_path_common}
        property: http_proxy

Expected behavior
The manifest should apply without error

I have tried a couple of things

• changing creationPolicy to "Merge"
• Patching out the "OwnerReferences" from the existing secrets.

The only workaround I have currently is to delete the CusterExternalSecrets object, which will delete the secrets and then let Flux rereconcile.

Any ideas/suggestions would be greatly appreciated.

[gusfcarvalho]

Try changing the owner references from both the CES and the underlying ES objects. That should make it work

[sonalita]

@gusfcarvalho Thank you for the prompt response. When you say "change" do you mean remove them with kubectl edit / kubectl patch? or edit the actual values - if so, to what?

[perpective2410]

@sonalita We've had the same issue with argoCD. We had to force sync (see screenshot). I imagine you'd have the same kind of option with Flux

[Meallia]

The issue is probably coming from those lines:

external-secrets/pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller.go

Lines 279 to 282 in 8cad02f

	func isExternalSecretOwnedBy(es *esv1.ExternalSecret, cesName string) bool {
	owner := metav1.GetControllerOf(es)
	return owner != nil && owner.APIVersion == esv1.SchemeGroupVersion.String() && owner.Kind == esv1.ClusterExtSecretKind && owner.Name == cesName
	}

owner.APIVersion is external-secrets.io/v1beta1 and SchemeGroupVersion must be external-secrets.io/v1

[gusfcarvalho]

The issue is probably coming from this line:

external-secrets/pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller.go

Line 281 in 8cad02f

return owner != nil && owner.APIVersion == esv1.SchemeGroupVersion.String() && owner.Kind == esv1.ClusterExtSecretKind && owner.Name == cesName
owner.APIVersion is external-secrets.io/v1beta1 and SchemeGroupVersion must be external-secrets.io/v1

:o you're right!!!

Can you create a PR adding a check for v1beta1 as well? 😄 I'd love to have your handle as the finder and fixer of this!

[sonalita]

Thank you, @Meallia. Great work! I'm looking forward to the PR getting merged and released.

[johnvanhienen]

Hey, we've got a similar error (target is owned by another ExternalSecret) but for the externalSecret kind instead of ClusterExternalSecret.

This piece however does contain the logic regarding ignoring the API version which is proposed in the PR of @Meallia.

external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go

Lines 377 to 381 in 8cad02f

	if currentOwner != nil {
	currentOwnerGK := schema.FromAPIVersionAndKind(currentOwner.APIVersion, currentOwner.Kind).GroupKind()
	ownerIsESKind = currentOwnerGK.String() == esv1.ExtSecretGroupKind
	ownerIsCurrentES = ownerIsESKind && currentOwner.Name == externalSecret.Name
	}