
Update full-cluster-secret-store example to reference secret namespaces#4964

Merged
Skarlso merged 2 commits into external-secrets:main from jazware:patch-1 on Jul 3, 2025

Conversation

@jazware
Contributor

@jazware jazware commented Jun 27, 2025

Problem Statement

What is the problem you're trying to solve?

The example as written doesn't work if you're trying to create an external secret in any namespace other than the one with your AWS access key secrets in it. We should specify the namespace of the secrets in the ClusterSecretStore example so that it actually works for people following along when creating ExternalSecrets in another namespace that reference the cluster-wide store.

Related Issue

Fixes #...

Proposed Changes

How do you like to solve the issue and why?

Enhancing the docs to include the namespace field in secret ref examples for an ExternalSecretStore

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

The example as written doesn't work if you're trying to create an external secret in any namespace other than the one with your AWS access key secrets in it. We should specify the namespace of the secrets in the ClusterSecretStore example so that it actually works for people following along when creating ExternalSecrets in another namespace that reference the cluster-wide store.

Signed-off-by: Jaz <ericvolp12@gmail.com>
@jazware jazware requested a review from a team as a code owner June 27, 2025 23:29
@jazware jazware requested a review from Skarlso June 27, 2025 23:29
@Skarlso
Contributor

Skarlso commented Jul 3, 2025

This won't work if it's being used by an external secret that is NOT in that namespace. That is why it's left empty. Normally, the namespace would be used that is the namespace of the referencing object.

What was your error? I assume your error was that you created a secret in a different namespace than the external secret that was referencing this ClusterSecretStore?

I cannot accept this PR as is, but if you would like to add a NOTE in the documentation using this, I'll accept that. :)

@jazware
Contributor Author

jazware commented Jul 3, 2025

The ClusterSecretStore should allow you to create ExternalSecrets in any namespace and successfully load them from your provider.

If you put the AWS credentials for your ClusterSecretStore css in namespace foo with secret name awssm-secret, then you create an ExternalSecret in namespace bar referencing the ClusterSecretStore css (which should be cluster wide and not care about what namespace you reference it from), the ExternalSecret in namespace bar will fail to populate throwing an error that ClusterSecretStore css cannot find awssm-secret in namespace bar.

If, however, you specify the namespace: foo in accessKeyIDSecretRef and secretAccessKeySecretRef when defining ClusterSecretStore css, creating an ExternalSecret in namespace bar will work fine.

The point here is that a ClusterSecretStore is a cluster-wide object. If I want to access AWS secrets from a new namespace, the default configuration would require me to copy the awssm-secret secret into every namespace I want to define an ExternalSecret in which basically defeats the whole purpose of having a cluster-wide Secret Store.
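
The two store configurations compared in the comment above, written out as an added example; this is not the project's documentation and not code posted by either participant. The names css, awssm-secret, foo and bar are taken from the comment; the apiVersion, the AWS region, the key names inside awssm-secret and the remote Secrets Manager key are assumptions chosen for illustration.

```yaml
# Kubernetes Secret holding the AWS access key pair. It exists only in
# namespace "foo"; there is deliberately no copy in "bar".
# (Key names "access-key" / "secret-access-key" are assumed.)
apiVersion: v1
kind: Secret
metadata:
  name: awssm-secret
  namespace: foo
type: Opaque
stringData:
  access-key: AKIAEXAMPLEEXAMPLE          # placeholder, not a real key
  secret-access-key: EXAMPLESECRETEXAMPLE # placeholder
---
# BEFORE: namespace omitted in both secretRefs. On a ClusterSecretStore the
# controller then looks for awssm-secret in the namespace of the referencing
# ExternalSecret, so an ExternalSecret in "bar" fails with the
# "cannot find awssm-secret in namespace bar" error described above.
# Apply either this document or the AFTER one below, not both (same name).
apiVersion: external-secrets.io/v1beta1   # assumed API version
kind: ClusterSecretStore
metadata:
  name: css
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1                   # assumed region
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: access-key
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secret-access-key
---
# AFTER: namespace pinned to "foo" in both secretRefs. The store now reads
# the credentials from foo no matter which namespace the ExternalSecret is in.
apiVersion: external-secrets.io/v1beta1   # assumed API version
kind: ClusterSecretStore
metadata:
  name: css
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1                   # assumed region
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: access-key
            namespace: foo
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secret-access-key
            namespace: foo
---
# ExternalSecret in namespace "bar" referencing the cluster-wide store.
# Populates its target Secret only with the AFTER version of css above.
apiVersion: external-secrets.io/v1beta1   # assumed API version
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: bar
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: css
    kind: ClusterSecretStore
  target:
    name: db-credentials
  data:
    - secretKey: password
      remoteRef:
        key: prod/db                      # assumed Secrets Manager secret name
        property: password
```

One caveat worth keeping in mind when pinning the namespace: the credentials in foo then become usable from every namespace in which someone can create an ExternalSecret that references css. If that is broader than intended, limit which namespaces may use the store with `spec.conditions` on the ClusterSecretStore (a `namespaces` list or a `namespaceSelector`) rather than relying on the per-namespace secret lookup for isolation.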

@Skarlso
Contributor

Skarlso commented Jul 3, 2025

Ah, sorry, I think AWS is a bit special. This results in referent auth I believe. We really should bring together how everything works. Sometimes this isn't allowed. But AWS does allow it. :D argh.

@Skarlso
Contributor

Skarlso commented Jul 3, 2025

Ah nevermind. I think I found the right code. This will never be not confusing. :D

@Skarlso Skarlso merged commit 14737f3 into external-secrets:main Jul 3, 2025
2 checks passed

@jazware
Contributor Author

jazware commented Jul 3, 2025

Awesome, thanks!

alliseeisgold pushed a commit to alliseeisgold/external-secrets that referenced this pull request Jul 10, 2025
…es (external-secrets#4964)

The example as written doesn't work if you're trying to create an external secret in any namespace other than the one with your AWS access key secrets in it. We should specify the namespace of the secrets in the ClusterSecretStore example so that it actually works for people following along when creating ExternalSecrets in another namespace that reference the cluster-wide store.

Signed-off-by: Jaz <ericvolp12@gmail.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: asrormirzoev <asrormirzoev@yandex-team.ru>
