ExternalSecret reconciliation silently stops with 2.0.1

[dnwlf]

Describe the bug
After upgrading to the External Secrets Operator 2.0.1 helm chart, clusters with a large number of ESO resources silently stop reconciling ESO resources.

One cluster where we observed this issue has the following ESO resource counts:

• ExternalSecret: ~3000
• SecretStore: ~140
• ClusterExternalSecrets: 2
• ClusterSecretStores: 2

We are unable to find any errors or warnings in the ESO controller logs that would indicate issues, the .status.refreshTime for ESO resources just stops updating.

We can tell that reconciliation is not completely broken. Restarting the ESO controller Deployment in a cluster does result in at least a single reconciliation of the cluster's ESO resources (based on .status.refreshTime), but reconciliation silently stops shortly after Deployment restart.

The CPU/Memory resource utilization of the ESO controller and webhook pods was well-under the configured requests/limits in clusters where we observed this issue.

We do not see this issue in clusters that have a smaller number of ESO resources deployed.

After reverting to the ESO 2.0.0 helm charts with no other cluster changes, reconciliation is once again working as-expected in all clusters.

To Reproduce
Steps to reproduce the behavior:

1. provide all relevant manifests

   # example values.yaml with the relevant ESO configuration for a cluster where we observed this issue
   external-secrets:
     replicaCount: 3
     concurrent: 50
     extraArgs:
       experimental-enable-vault-token-cache: true
       client-qps: 100
       client-burst: 200

2. provide the Kubernetes and ESO version
   1. GKE Version: 1.33.5
   2. ESO Version: 2.0.1 (via external-secrets helm chart)

Expected behavior
Reconciliation should not silently stop.

Screenshots
N/A

Additional context
If there is additional information that would be helpful to provide, please let me know and I can gather it. Unfortunately, at the time this issue occurred we weren't collecting all of the ESO metrics which would make this easier to troubleshoot/diagnose.

[Skarlso]

Hm, that's definitely not food. And you are sure that it's definitely between 2.0.0 and 2.0.1?

[Skarlso]

Looking at the changes it will sadly be some kind of update. :/

[Skarlso]

And just to be clear, it's the GKE store?

[Skarlso]

I actually found this!!!!!!! AND I remember finding this already IN ANOTHER PROJECT :DDD That's hilarious.

I can fix this.

[Skarlso]

Oh, yeah. It's controller-runtime update that added priority queue which misbehaves and other shenanigans by default that we took for granted before.

[Skarlso]

One potential recorded issue could be kubernetes-sigs/controller-runtime#3415.

But that appears to be in 0.23.0 🤔 Maybe it's only a partial fix.

What I can say now, is let's release my fix here and see if that even fixes your bug. If it did, it's definitely the priority queue. ( I suspect it is ).

[Skarlso]

Let's link to the main PQ issue kubernetes-sigs/controller-runtime#2374.

[dnwlf]

I appreciate your help, and that you’ve taken the time to look into this — and open an PR to address the issue before I even had a chance to chime in here. 😄

I had been eyeing that controller-runtime update that was part of 2.0.1 as a likely culprit, and not directly any ESO code.

I’m happy to jump on a new version as soon as possible, to confirm it fixes our issue or anything else I can do to assist.

[Skarlso]

👍 :) Thanks! I will ping you with it as soon as we release it next week. :D :)) 🙇