I'm working with Helm to deploy my app on GKE and trying to integrate the external-secrets feature to pull secrets from GCP's Secret Manager. After I installed external-secrets and set up the SecretStore and ExternalSecret for the first time, everything worked fine. However, when I attempt to modify the ExternalSecret by adding a new GCP Secret reference and perform a Helm upgrade, all of my SecretStore, ExternalSecret, and Kubernetes Secret resources disappear.
The only solution I've found is to recreate the external-secrets pod in its namespace and then run a Helm upgrade again. Here are the templates I'm using for the external-secrets:
```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: {{ .Values.serviceName }}-store
  namespace: {{ coalesce .Values.global.namespace .Values.namespace }}
  labels:
    app.kubernetes.io/name: {{ .Values.serviceName }}
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
spec:
  provider:
    gcpsm:
      projectID: {{ .Values.global.projectID | quote }}
      auth:
        workloadIdentity:
          serviceAccountRef:
            name: {{ coalesce .Values.global.serviceAccountName .Values.serviceAccountName }}
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: {{ .Values.serviceName }}-external-secret
  namespace: {{ coalesce .Values.global.namespace .Values.namespace }}
  labels:
    app.kubernetes.io/name: {{ .Values.serviceName }}
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
spec:
  refreshInterval: 2m
  secretStoreRef:
    name: {{ .Values.serviceName }}-store
    kind: SecretStore
  target:
    name: {{ .Values.serviceName }}-secret
    creationPolicy: Owner
  data:
    - secretKey: DEMO_SECRET
      remoteRef:
        key: external-secrets-test-secret
```
I'm not sure if this behavior is normal or if I'm missing some configurations since I'm still learning Helm and Kubernetes. The ExternalSecrets operator is running in its own namespace, and I'm just unsure if I should avoid modifying the ExternalSecret after the first deployment or if there's another option.
1 Answer
To prevent the CRDs from being deleted during your Helm upgrade, try updating the CRDs separately from your Helm chart. This strategy usually helps keep your existing resources from disappearing unexpectedly.

The templates you're using are from a separate chart that includes many resources, like deployment and config maps. Should I consider creating a dedicated chart just for the external-secret resources?
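
As an added illustration of the answer's advice (not code from the original post or from the external-secrets project): Kubernetes deletes every custom resource when its CRD is deleted, and a Secret created with `creationPolicy: Owner` is garbage-collected along with its ExternalSecret. The sketch below assumes you feed it a release's rendered manifest (for example the output of `helm get manifest` or `helm template`) and reports which resources depend on CRDs that the same release owns; the function names and the sample manifest are constructed for the example.

```python
import re

# Constructed sample of a rendered release manifest; not taken from the post.
SAMPLE = """\
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: externalsecrets.external-secrets.io
spec:
  group: external-secrets.io
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: demo-external-secret
spec:
  target:
    name: demo-secret
    creationPolicy: Owner
"""

def _field(doc, pattern):
    m = re.search(pattern, doc, re.M)
    return m.group(1).strip().strip('"\'') if m else None

def audit(manifest):
    """Return (crd_groups, at_risk): API groups whose CRDs this release owns,
    and the resources that would be deleted if those CRDs were removed."""
    docs = [d for d in re.split(r"^---[ \t]*$", manifest, flags=re.M) if d.strip()]
    crd_groups, resources = set(), []
    for doc in docs:
        kind = _field(doc, r"^kind:[ \t]*(\S+)")
        api = _field(doc, r"^apiVersion:[ \t]*(\S+)") or ""
        name = _field(doc, r"^ {2}name:[ \t]*(\S+)")  # first 2-space 'name' is metadata.name
        if kind == "CustomResourceDefinition":
            crd_groups.add(_field(doc, r"^[ \t]+group:[ \t]*(\S+)"))
        else:
            resources.append((kind, api.split("/")[0], name, doc))
    at_risk = []
    for kind, group, name, doc in resources:
        if group in crd_groups:  # custom resource of a release-owned CRD
            at_risk.append(f"{kind}/{name}")
            if re.search(r"creationPolicy:[ \t]*Owner", doc):
                target = _field(doc, r"^[ \t]+target:[ \t]*\n[ \t]+name:[ \t]*(\S+)")
                at_risk.append(f"Secret/{target}")  # owned Secret goes with it
    return sorted(crd_groups), at_risk

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty first list means the release does not own the CRDs, which is the state the answer recommends: the CRDs are installed and upgraded on their own, and the application chart carries only the SecretStore and ExternalSecret.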