Skip to content

fix: disable ClusterPushSecret reconciler when using scoped RBAC in helm chart#4571

Merged
gusfcarvalho merged 2 commits intoexternal-secrets:mainfrom
mrsimo:disable-cluster-push-secret-scoped-rbac
Mar 20, 2025
Merged

fix: disable ClusterPushSecret reconciler when using scoped RBAC in helm chart#4571
gusfcarvalho merged 2 commits intoexternal-secrets:mainfrom
mrsimo:disable-cluster-push-secret-scoped-rbac

Conversation

@mrsimo
Copy link
Copy Markdown
Contributor

@mrsimo mrsimo commented Mar 20, 2025
edited
Loading

Problem Statement

The new ClusterPushSecret requires cluster-wide RBAC permissions to run. The Helm chart doesn't disable it when using namespaced / scoped RBAC. The way it's implemented it doesn't disable it when passing processClusterPushSecret either.

Related Issue

Didn't create an issue because it seemed a straightforward change.

Proposed Changes

Disable ClusterPushSecret by default when using scoped RBAC.

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

@mrsimo
Helm: disable ClusterPushSecret reconciler when using scoped RBAC
a1dd47f 
Signed-off-by: Albert Llop <mrsimo@gmail.com>
@mrsimo mrsimo requested a review from a team as a code owner March 20, 2025 09:09
@mrsimo mrsimo requested a review from knelasevero March 20, 2025 09:09
@gusfcarvalho
Copy link
Copy Markdown
Member

gusfcarvalho commented Mar 20, 2025
edited
Loading

Hi @mrsimo ! thanks for your contribution 💪 🥳

Just waiting for tests to pass in order to 📦 it

@mrsimo
Copy link
Copy Markdown
Contributor Author

mrsimo commented Mar 20, 2025

Cool! Thank you @gusfcarvalho!!

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Mar 20, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@gusfcarvalho gusfcarvalho merged commit e2f47e8 into external-secrets:main Mar 20, 2025
2 of 3 checks passed
ivankatliarchuk added a commit to gofogo/external-secrets-fork that referenced this pull request Mar 20, 2025
@ivankatliarchuk
Merge branch 'main' into feat-aws-tags-1821
472ce24 
* main:
  Clarify that setting `spec.refreshInterval` to 0 disables all update behaviour (external-secrets#4567)
  Helm: disable ClusterPushSecret reconciler when using scoped RBAC (external-secrets#4571)
  Exclude unused resources from rbac (external-secrets#4572)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gusfcarvalho gusfcarvalho gusfcarvalho approved these changes

@knelasevero knelasevero Awaiting requested review from knelasevero knelasevero was automatically assigned from external-secrets/maintainers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mrsimo @gusfcarvalho