I'm deploying my app on GKE using Helm and included external-secrets in my charts to pull secrets from GCP Secret Manager. After the initial installation of external-secrets and applying my SecretStore and ExternalSecret, everything works fine. However, when I try to upgrade the ExternalSecret by adding another GCP secret reference, the SecretStore, ExternalSecret, and the associated Kubernetes secret all disappear. The only solution I've found is to recreate the external-secrets pod and then run another Helm upgrade. I'm unsure if this is the expected behavior or if I'm missing a configuration. Also, just to clarify, the External Secrets Operator runs in its own namespace while the resources are defined in my app's chart.
1 Answer
It sounds like your issue might be due to how you're updating the CRDs when you perform the Helm upgrade. Try updating the CRDs separately from your chart. This should help prevent them from being destroyed during an upgrade.

I see, but the templates I included are from a separate chart containing multiple resources. Should I consider isolating the external-secret resources into their own chart?
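
As an added example, not part of the thread or of the external-secrets project: a shell check for the layout the answer warns about, where the same rendered release contains both the external-secrets CRDs and the SecretStore/ExternalSecret objects that depend on them. The manifest, the resource names and the `v1beta1` apiVersion are constructed sample data; in practice the input would be the output of `helm template` for the app chart.

```shell
# Constructed sample of a rendered chart (stand-in for `helm template` output).
sample_render() {
cat <<'EOF'
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: externalsecrets.external-secrets.io
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  secretStoreRef:
    name: gcp-store
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
EOF
}

# Reads multi-document YAML on stdin. Prints "CRD <name>" for each
# external-secrets.io CRD and "CR <kind>/<name>" for each custom resource
# in that API group; every other object is ignored.
classify_render() {
  awk '
    function emit() {
      if (kind == "CustomResourceDefinition" && name ~ /\.external-secrets\.io$/)
        print "CRD " name
      else if (api ~ /^external-secrets\.io\//)
        print "CR " kind "/" name
      kind = ""; name = ""; api = ""; inmeta = 0
    }
    /^---/         { emit(); next }
    /^apiVersion:/ { api = $2 }
    /^kind:/       { kind = $2 }
    /^metadata:/   { inmeta = 1; next }
    /^[^ ]/        { inmeta = 0 }   # any other top-level key ends metadata
    inmeta && /^  name:/ { name = $2 }
    END { emit() }
  '
}

# Exit 0 when the CRDs and the resources that need them are in one release.
crds_bundled_with_resources() {
  out=$(classify_render)
  printf '%s\n' "$out" | grep -q '^CRD ' && printf '%s\n' "$out" | grep -q '^CR '
}
```

If `helm template <release> <chart> | crds_bundled_with_resources` succeeds, the CRDs and the custom resources share one release lifecycle, which is the case the answer suggests splitting.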