Add esv1.AnnotationForceSync for CES and ES

[ntnn]

Problem Statement

Add an annotation that allows refreshing all ExternalSecrets of a ClusterExternalSecret

Related Issue

Fixes #987

Proposed Changes

This PR adds the AnnotationRefresh to force refreshing CES and ES.
In the CES reconciliation the refresh annotation is set on the associated ES.
The annotation is pruned in CES if no status changes happened.
The annotation is pruned in ES in the mutation function.

The issue mentioned that it would be nice to transport labels and annotations from the CES to ES - but since the labels and annotations can already be configured through .Spec.ExternalSecretMetadata that seems superfluous (and sounds like a bad idea).

The docstring for AnnotationRefresh specifies that it only work on CES and ES. This could just as well be removed from the API and only be used in the respctive packages.
This would allow to implement the same refresh trigger for other kinds.

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

[ntnn]

While I was looking if refreshTime had some restrictions I found this in the FAQ: https://external-secrets.io/latest/introduction/faq/#can-i-manually-trigger-a-secret-refresh

You can trigger a secret refresh by using kubectl or any other kubernetes api client. You just need to change an annotation, label or the spec of the resource:

kubectl annotate es my-es force-sync=$(date +%s) --overwrite

So I'd go with that. Only problem now is that the force-sync annotation will never be cleaned up automatically.
E.g. a user sets force-sync on the CES, that gets propagated to the ES. Then the user removes it again from the CES - now all ES belonging to that CES still have the annotation.

One option would be to prune force-sync from ES if it isn't present on CES, but I could imagine that that leads to false positives when a user sets force-sync on an ES to only refresh that one.

Update: I think the case that a user sets force-sync on an ES and right in that moment the CES reconciles and removes the annotation is rather unlikely. On top that would still result in an update of the ES, so the desired update would still happen.

[gusfcarvalho]

While I was looking if refreshTime had some restrictions I found this in the FAQ: https://external-secrets.io/latest/introduction/faq/#can-i-manually-trigger-a-secret-refresh

You can trigger a secret refresh by using kubectl or any other kubernetes api client. You just need to change an annotation, label or the spec of the resource:

kubectl annotate es my-es force-sync=$(date +%s) --overwrite

So I'd go with that. Only problem now is that the force-sync annotation will never be cleaned up automatically. E.g. a user sets force-sync on the CES, that gets propagated to the ES. Then the user removes it again from the CES - now all ES belonging to that CES still have the annotation.

One option would be to prune force-sync from ES if it isn't present on CES, but I could imagine that that leads to false positives when a user sets force-sync on an ES to only refresh that one.

Update: I think the case that a user sets force-sync on an ES and right in that moment the CES reconciles and removes the annotation is rather unlikely. On top that would still result in an update of the ES, so the desired update would still happen.

this example for force-sync is not the only annotation that triggers an ES reconcile. Any annotation, as a matter of fact, will do.

IMO, what we should do here is just copy over the annotations / labels from CES to all managed ES, so that if someone does kubectl annotate ces foo=bar we will cascade the foo=bar label to every ES.

also, FWIW, force-sync on ES is also not cleaned up. It really doesn't matter for what we are trying to do.

[ntnn]

this example for force-sync is not the only annotation that triggers an ES reconcile. Any annotation, as a matter of fact, will do.

Yes, but it is a documented use-case and will most likely be used. Given that it is propagated on CES should be documented

IMO, what we should do here is just copy over the annotations / labels from CES to all managed ES, so that if someone does kubectl annotate ces foo=bar we will cascade the foo=bar label to every ES.

Again, I'd strongly advise against that. Tools like ArgoCD, kubectl with applyset etc.pp. will find their annotations and then prune the ES.

also, FWIW, force-sync on ES is also not cleaned up. It really doesn't matter for what we are trying to do.

It's not a matter of if it is cleaned up on ES or not. It is a matter of if you want to propagate only the creation or creation and deletion of the annotation.
Since the use case is that the ES should be updated when the CES annotation is added I think pruning it if it doesn't exist on the CES makes more sense.

[gusfcarvalho]

Again, I'd strongly advise against that. Tools like ArgoCD, kubectl with applyset etc.pp. will find their annotations and then prune the ES.

They won't. They don't expect different annotations to it (because it is a child object. The ES would have OwnerReferences to the CES). If that was the case, any Secret we create with ExternalSecrets, by default, would be deleted (as we copy all labels and annotations by default). Maybe I'm missing something as to why this works on ES -> Secret but won't work on CES -> ES

We do have argocd/flux as part of our e2e - if that's a real concern here, we can always add e2e tests to make sure this feature is always working.

[gusfcarvalho]

It's not a matter of if it is cleaned up on ES or not. It is a matter of if you want to propagate only the creation or creation and deletion of the annotation.
Since the use case is that the ES should be updated when the CES annotation is added I think pruning it if it doesn't exist on the CES makes more sense.

Since this will be part of our reconcile loop, any changes to the annotations on CES, IMO, should be cascaded to all ES (creation, value updates, deletion).

Right now we diverge on which labels / annotations to go forward , but regardless if it is one or all, that above ☝️ should always be the case.

[ntnn]

I can change it so all labels and annotations are propagated, but that will cause problems.

The ES->S sync of labels and annotations resulted in this issue: #68
Which in turn resulted in this change: OCP-on-NERC/nerc-ocp-config#83

That's only the publicly known ones - and that is exactly what I mean with it will collide with what tools expect.

[ntnn]

They won't. They don't expect different annotations to it (because it is a child object. The ES would have OwnerReferences to the CES). If that was the case, any Secret we create with ExternalSecrets, by default, would be deleted (as we copy all labels and annotations by default). Maybe I'm missing something as to why this works on ES -> Secret but won't work on CES -> ES

No you're not missing anything - it was a bad example. You are right that gitops tools handle the relationship correctly - I still think that it isn't a good idea to copy all labels and annotations to the descendant by default.
It might work fine for ES->S because it is established, but if the same logic is implemented for CES->ES ESO would start to propagate the annotations and labels when people update and my guess is that that will break - maybe not everywhere but definitely somewhere.
That's why I restricted the change just to external-secrets.io/refresh in the first draft and now force-sync in the second.

Right now we diverge on which labels / annotations to go forward , but regardless if it is one or all, that above ☝️ should always be the case.

I think there it would strictly speaking be better to diverge. If CES would be a new addition I would agree that it should follow how ES works - but changing that now is too risky imho.

I think an allowlist of prefixes or something similar would be fine - or as the PR currently does just propagate creation, updates and deletion of the force-sync annotation that is repeatedly mentioned in the documentation.

[gusfcarvalho]

Yeah, ok. In any case, if another feature request comes by asking to sync more annotations/labels, we could add them afterwards. this one already fixes the main issue anyways 😄

[gusfcarvalho]

nit: let's make this annotation a const , and in the format : external-secrets.io/force-sync. We can update docs to reflect that as well, and it will be more clear to any user seeing this is the annotation that triggered it.

[jakobmoellerdev]

IMHO this shouldn't be a nit. The force sync annotation is something we would be stuck with for quite a while and it should be documented before merge, including its behavior

[ntnn]

Gladly, that matches what I had initially: b0ec13b#diff-48b6ea2bfdb10c1e1c6d5a543fde5d5d0a9c2208bcb4e3d37ea75730ed6517c1

[gusfcarvalho]

@ntnn can you also update ClusterExternalSecret docs, please, as a part of this PR? 🙏 🙇

[gusfcarvalho]

/ok-to-test sha=716d68b2b9138c0fbab86f62cfc62efc414aae33

[eso-service-account-app]

[Bot] - ✅ e2e for 716d68b2b9138c0fbab86f62cfc62efc414aae33 passed

[Skarlso]

@ntnn remaining things for you:

• Add docs
• Check out sonarcloud issue

Then it's good to go. :)

[ntnn]

This could also be deleted but I could imagine a user reading this in the FAQ, setting force-sync on CES and then wondering why this doesn't work.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud