Commit a3b035b
Push the hub CA via lookup() of a namespace
Currently we just push the hub CA in the golang-external-secrets
namespace. This is problematic once we move to the downstream ESO
because that uses different namespaces. In order to support both
ESO versions (upstream - golang-external-secrets and downstream -
external-secrets) we tried different approaches.
Initially, we checked if a specific application existed:

    {{- $eso_ns := "golang-external-secrets" }}
    {{- range .Values.clusterGroup.applications }}
    {{- if or (eq .chart "openshift-external-secrets") (and (hasKey . "repoURL") .repoURL (hasSuffix "openshift-external-secrets" .repoURL)) (and (hasKey . "repoURL") .repoURL (hasSuffix "openshift-external-secrets-chart" .repoURL)) }}
    {{- $eso_ns = "external-secrets" }}
    {{- end }}
    {{- end }}

The problem with the above is that it is just too fragile.
The approach we actually use here is the lookup functionality in ACM:
If the "external-secrets-operator" namespace exists on the spoke, we can
safely assume that we are using the downstream ESO, in which case the
policy with the CA of the hub will be pushed to the external-secrets
namespace (where the real ESO pods run).
Tested this with both the old upstream golang-external-secrets and with
the downstream ESO.

1 parent eb579da commit a3b035b
2 files changed
Lines changed: 5 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
89 | 89 | | |
90 | 90 | | |
91 | 91 | | |
| 92 | + | |
92 | 93 | | |
93 | 94 | | |
94 | | - | |
| 95 | + | |
| 96 | + | |
95 | 97 | | |
96 | 98 | | |
97 | 99 | | |
| |||
100 | 102 | | |
101 | 103 | | |
102 | 104 | | |
103 | | - | |
| 105 | + | |
104 | 106 | | |
105 | 107 | | |
106 | 108 | | |
| |||