I'm facing a challenge with our canary deployment strategy when it comes to managing external secrets. Right now, when we deploy a new version, only the latest old secret (like service-secret-26) gets deleted, while the even older secrets (like service-secret-25 and before) linger on. This leads to a buildup of outdated secrets over time. Has anyone else had this problem or found a good way to automate the removal of these old secrets? Any advice would be greatly appreciated! Thanks!!!
2 Answers
What version of External Secrets Operator (ESO) are you using? Are all those old secrets just sitting there without being used? That might be worth checking out first.
It sounds like those orphaned resources are indicating a flaw in your setup. It would be best to resolve that first. For cleaning up the old secrets, you'll have to handle that on a case-by-case basis until you get to the root of the issue. There are plenty of guides available online that can help you automate this clean-up with something like a CronJob, or you can do it manually if that feels easier for now.
I switched from blue-green deployment to canary, and that's where I'm seeing the orphan issues.
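The scheduled clean-up suggested in the answer above, as an added example that is not part of the thread: it keeps the newest numbered secrets, skips any secret a pod still references, and only prints what it would delete unless `APPLY=1` is set. The `<prefix>-<number>` naming is taken from the question; the function names, the script file name, the `KEEP` default of 2 and the `APPLY` switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes secrets are named
# <prefix>-<number> (as in service-secret-26). Dry run unless APPLY=1.
# Usage (hypothetical file name): sh prune-secrets.sh NAMESPACE PREFIX [KEEP]

# stdin: secret names. Prints names matching <prefix>-<number> that are not
# among the $2 highest-numbered and not listed in the in-use file $3.
stale_secrets() {
  grep -E "^$1-[0-9]+\$" \
    | awk -F- '{ print $NF, $0 }' | sort -k1,1nr \
    | awk -v keep="$2" 'NR > keep { print $2 }' \
    | grep -vxF -f "$3" || true
}

# Prints secret names referenced by pods in namespace $1. Only existing pods
# are checked; workloads scaled to zero are not seen.
secrets_in_use() (
  tpl=''
  for p in '.spec.volumes[*].secret.secretName' \
           '.spec.imagePullSecrets[*].name' \
           '.spec.containers[*].env[*].valueFrom.secretKeyRef.name' \
           '.spec.containers[*].envFrom[*].secretRef.name' \
           '.spec.initContainers[*].env[*].valueFrom.secretKeyRef.name' \
           '.spec.initContainers[*].envFrom[*].secretRef.name'
  do tpl="${tpl}{.items[*]${p}}{\" \"}"; done
  # Fail closed: if pods cannot be listed, nothing may be treated as unused.
  out=$(kubectl get pods -n "$1" -o jsonpath="$tpl") || exit 1
  printf '%s\n' "$out" | tr -s ' ' '\n' | sed '/^$/d' | sort -u
)

prune() (
  ns=$1 prefix=$2 keep=${3:-2}
  used=$(mktemp) || exit 1
  trap 'rm -f "$used"' EXIT
  secrets_in_use "$ns" > "$used" || exit 1
  kubectl get secrets -n "$ns" -o name | sed 's|^secret/||' \
    | stale_secrets "$prefix" "$keep" "$used" \
    | while read -r name; do
        if [ "${APPLY:-0}" = 1 ]; then
          kubectl delete secret -n "$ns" "$name"
        else
          echo "would delete $ns/$name"
        fi
      done
)

if [ "$#" -ge 2 ]; then prune "$@"; fi
```

When this runs from a CronJob, the service account needs only get/list on pods and list/delete on secrets in that one namespace.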