Operator fails to throws errors when Cluster-wide CRDs are disabled in Helm chart

[Skaronator]

Describe the bug

The Helm chart provides fine-grained toggles to disable specific CRDs (e.g., createClusterExternalSecret: false). However, even when these are disabled via Helm, the external-secrets operator still attempts to register/watch these resources upon startup.

This results in a continuous loop of controller-runtime errors because the expected Custom Resource Definitions do not exist in the cluster.

external-secrets/deploy/charts/external-secrets/values.yaml

Lines 57 to 69 in 22c2b02

	crds:
	# -- If true, create CRDs for Cluster External Secret.
	createClusterExternalSecret: true
	# -- If true, create CRDs for Cluster Secret Store.
	createClusterSecretStore: true
	# -- If true, create CRDs for Secret Store.
	createSecretStore: true
	# -- If true, create CRDs for Cluster Generator.
	createClusterGenerator: true
	# -- If true, create CRDs for Cluster Push Secret.
	createClusterPushSecret: true
	# -- If true, create CRDs for Push Secret.
	createPushSecret: true

To Reproduce
Steps to reproduce the behavior:

1. Install the Helm chart with the following values.yaml to disable cluster-scoped resources:

   crds:
     createClusterExternalSecret: false
     createClusterSecretStore: false
     createClusterPushSecret: false

2. Observe the operator logs:

   {"level":"error","ts":1766042645.255767,"logger":"controller-runtime.source.Kind","msg":"if kind is a CRD, it should be installed before calling Start","kind":"ClusterSecretStore.external-secrets.io","error":"no matches for kind \"ClusterSecretStore\" in version \"external-secrets.io/v1\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind[...[]).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.3/pkg/internal/source/kind.go:75\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/loop.go:87\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/loop.go:88\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind[...]).Start.func1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.3/pkg/internal/source/kind.go:68"}
   {"level":"error","ts":1766042645.258123,"logger":"controller-runtime.source.Kind","msg":"if kind is a CRD, it should be installed before calling Start","kind":"ClusterPushSecret.external-secrets.io","error":"no matches for kind \"ClusterPushSecret\" in version \"external-secrets.io/v1alpha1\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind[...[]).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.3/pkg/internal/source/kind.go:75\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/loop.go:87\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/loop.go:88\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind[...]).Start.func1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.3/pkg/internal/source/kind.go:68"}
   {"level":"error","ts":1766042645.2629368,"logger":"controller-runtime.source.Kind","msg":"if kind is a CRD, it should be installed before calling Start","kind":"ClusterExternalSecret.external-secrets.io","error":"no matches for kind \"ClusterExternalSecret\" in version \"external-secrets.io/v1\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind[...[]).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.3/pkg/internal/source/kind.go:75\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/loop.go:87\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/loop.go:88\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind[...]).Start.func1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.3/pkg/internal/source/kind.go:68"}
   {"level":"error","ts":1766042655.25636,"logger":"controller-runtime.source.Kind","msg":"if kind is a CRD, it should be installed before calling Start","kind":"ClusterSecretStore.external-secrets.io","error":"no matches for kind \"ClusterSecretStore\" in version \"external-secrets.io/v1\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind[...[]).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.3/pkg/internal/source/kind.go:75\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/loop.go:87\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/loop.go:88\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind[...]).Start.func1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.3/pkg/internal/source/kind.go:68"}
   {"level":"error","ts":1766042655.2655754,"logger":"controller-runtime.source.Kind","msg":"if kind is a CRD, it should be installed before calling Start","kind":"ClusterPushSecret.external-secrets.io","error":"no matches for kind \"ClusterPushSecret\" in version \"external-secrets.io/v1alpha1\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind[...[]).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.3/pkg/internal/source/kind.go:75\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/loop.go:87\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/loop.go:88\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind[...]).Start.func1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.3/pkg/internal/source/kind.go:68"}
   {"level":"error","ts":1766042655.2712674,"logger":"controller-runtime.source.Kind","msg":"if kind is a CRD, it should be installed before calling Start","kind":"ClusterExternalSecret.external-secrets.io","error":"no matches for kind \"ClusterExternalSecret\" in version \"external-secrets.io/v1\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind[...[]).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.3/pkg/internal/source/kind.go:75\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/loop.go:87\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/loop.go:88\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/home/runner/go/pkg/mod/k8s.io/apimachinery@v0.34.1/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind[...]).Start.func1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.3/pkg/internal/source/kind.go:68"}

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Helm Chart Version: 1.1.1
ESO Version: 1.1.1
Kubernetes: AWS EKS 1.34

[Skarlso]

Set these values as well to false:

# -- if true, the operator will process cluster external secret. Else, it will ignore them.
# When enabled, this adds update/patch permissions on namespaces to handle finalizers for proper
# cleanup during namespace deletion, preventing race conditions with ExternalSecrets.
processClusterExternalSecret: true

# -- if true, the operator will process cluster push secret. Else, it will ignore them.
processClusterPushSecret: true

# -- if true, the operator will process cluster store. Else, it will ignore them.
processClusterStore: true

# -- if true, the operator will process cluster generator. Else, it will ignore them.
processClusterGenerator: true

[Skaronator]

Ah, got it! Thanks for the quick heads-up. That totally fixed it, but it’s definitely an easy one to miss since the CRD toggle and the processor toggle are separated.

Do you think it would make sense to clean up the YAML structure in a future update to make this more intuitive? Right now, having them in two different places feels like a bit of a trap for new users.

Maybe something more grouped like this?

clusterStore:
   process: true
   installCRD: true

clusterGenerator:
   process: true
   installCRD: true

Or even just adding a small note in the values.yaml comments near the CRD section pointing to the process flags?

[Skarlso]

Should definitely add a comment there 💯%.

[Skarlso]

Do you think it would make sense to clean up the YAML structure in a future update to make this more intuitive? Right now, having them in two different places feels like a bit of a trap for new users.

We can't do that because we would break existing installations. A document/comment would be super helpful though. :)