Clarify the implications of setting refreshInterval to 0#4567
Clarify the implications of setting refreshInterval to 0#4567gusfcarvalho merged 2 commits intoexternal-secrets:mainfrom
Conversation
|
Hi @exaV ! The first rule below is exactly that - Emphasis on What made this documentation unclear to you when you read it? |
|
Thanks for the quick reply! The way the rules are currently written implies any of the three rules can trigger an update (independently of the other rules), but that does not happen in practice if refreshInterval is 0. I also wondered a bit at first if all three rules had to be met, but that would imply you'd have to change the ExternalSecret's We could also change the wording to something like the following: Or we could move it to the first sentence: |
I like that! let's do it! Thanks for your contribution |
…behaviour If `spec.refreshInterval` is `0` the `Kind=Secret` is never updated, even if annotations or spec changes. Signed-off-by: Patrick Del Conte <p.del.conte@hotmail.ch>
|
Thanks for your contribution!! 🙏🏾🙏🏾🙌🏾 |
|
* main: Clarify that setting `spec.refreshInterval` to 0 disables all update behaviour (external-secrets#4567) Helm: disable ClusterPushSecret reconciler when using scoped RBAC (external-secrets#4571) Exclude unused resources from rbac (external-secrets#4572)
Problem Statement
What is the problem you're trying to solve?
The documentation is very clear about when an ExternalSecret is updated, but it differs from the implementation in case
spec.refreshIntervalis set to 0. Somewhat surprisingly (to me at least) even setting the annotation from the FAQkubectl annotate es my-es force-sync=$(date +%s) --overwriteis skipped whenspec.refreshIntervalis0This change was introduced with #4086 and confirmed in the discussion here #3979
Proposed Changes
If this behaviour is not considered a bug, then the documentation should to mention it explicitly.
Checklist
git commit --signoffmake testmake reviewable