Secret not being retrieved #201

@pieterv-icloud-com

What happened?

I have the following defined within my composition:

            {{ $params := .observed.composite.resource.spec.parameters }}
            ---
            apiVersion: meta.gotemplating.fn.crossplane.io/v1alpha1
            kind: ExtraResources
            requirements:
              secret:
                apiVersion: v1
                kind: Secret
                matchLabels:
                  name: argocd-credentials
            ---
            apiVersion: kubernetes.crossplane.io/v1alpha2
            kind: Object
            metadata:
              annotations:
                gotemplating.fn.crossplane.io/composition-resource-name: argocdcredentials
              labels:
                release: argocdcredentials
            spec:
              deletionPolicy: Orphan
              forProvider:
                manifest:
                  apiVersion: v1
                  kind: Secret
                  metadata:
                    labels:
                      argocd.argoproj.io/secret-type: repo-creds
                    name: argocd-credentials
                    namespace: argocd
                  stringData:
                    githubAppInstallationID: {{ .extraResources.secret.githubAppInstallationID }}
                    url: {{ .extraResources.secret.url }}
                    githubAppID: {{ .extraResources.secret.githubAppID }}
                    githubAppPrivateKey: {{ .extraResources.secret.githubAppPrivateKey }}
              providerConfigRef:
                name: {{ $params.providerConfigName }}

I can confirm that the secret exists within the default and crossplane-system namespaces:

apiVersion: v1
data:
  githubAppID: ***
  githubAppInstallationID: ***
  githubAppPrivateKey: ***
  url: ***
kind: Secret
metadata:
  annotations:
    reconcile.external-secrets.io/data-hash: 6c9d70a1baa6d576135c305aeb642062
  creationTimestamp: "2025-03-16T08:58:06Z"
  labels:
    argocd.argoproj.io/secret-type: repo-creds
    name: argocd-credentials
    reconcile.external-secrets.io/created-by: 9b59df8c31bfb17f6cc480ee87ace93c
    reconcile.external-secrets.io/managed: "true"
  name: argoocd-credentials
  namespace: default
  ownerReferences:
  - apiVersion: external-secrets.io/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: ExternalSecret
    name: argoocd-credentials
type: Opaque

I have set up debug logging on the go templating pod:

{"manifests": "\n---\napiVersion: meta.gotemplating.fn.crossplane.io/v1alpha1\nkind: ExtraResources\nrequirements:\n  secret:\n    apiVersion: v1\n    kind: Secret\n    matchLabels:\n      name: argocd-credentials\n---\napiVersion: kubernetes.crossplane.io/v1alpha2\nkind: Object\nmetadata:\n  annotations:\n    gotemplating.fn.crossplane.io/composition-resource-name: argocdcredentials\n  labels:\n    release: argocdcredentials\nspec:\n  deletionPolicy: Orphan\n  forProvider:\n    manifest:\n      apiVersion: v1\n      kind: Secret\n      metadata:\n        labels:\n          argocd.argoproj.io/secret-type: repo-creds\n        name: argocd-credentials\n        namespace: argocd\n      stringData:\n        githubAppInstallationID: <no value>\n        url: <no value>\n        githubAppID: <no value>\n        githubAppPrivateKey: <no value>\n  providerConfigRef:\n    name: operations\n"}

It does not look like the ExternalResource is being read and there are no other errors or warnings in the logs.

If I change the ExternalResources to the following:

            apiVersion: meta.gotemplating.fn.crossplane.io/v1alpha1
            kind: ExtraResources
            requirements:
              secret:
                apiVersion: v1
                kind: Secret
                matchName: argocd-credentials

I can see the following error:

defined/compositeresourcedefinition.apiextensions.crossplane.io  cannot compose resources: cannot run Composition pipeline step "go-templating": fetching resources for secret: cannot get extra resource by name: an empty namespace may not be set when a resource name is provided

But I can't see how I can specify a namespace in the ExternalResources.

Is there something wrong with my configuration?

How can we reproduce it?

What environment did it happen in?

Function version: v0.9.0
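
The debug log in the report shows `<no value>` and no error because Go's `text/template` renders a missing map key that way by default. The following is an added example, not part of the issue or the project's own code; the sample data and the `items`/`resource` nesting used for the second path are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// render executes one template expression against data. With strict set,
// the "missingkey=error" option turns a missing map key into an error
// instead of the literal "<no value>".
func render(expr string, data map[string]any, strict bool) (string, error) {
	t := template.New("check")
	if strict {
		t = t.Option("missingkey=error")
	}
	t, err := t.Parse(expr)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// sampleData is constructed. The items/resource nesting is an assumption
// about how fetched resources are exposed; it is not taken from the issue.
func sampleData() map[string]any {
	secret := map[string]any{
		"apiVersion": "v1", "kind": "Secret",
		"data": map[string]any{"url": "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ="}, // base64, constructed
	}
	return map[string]any{"extraResources": map[string]any{
		"secret": map[string]any{"items": []any{map[string]any{"resource": secret}}},
	}}
}

// issuePath has the shape used in the report; itemsPath is the assumed nesting.
const issuePath = `{{ .extraResources.secret.url }}`
const itemsPath = `{{ (index .extraResources.secret.items 0).resource.data.url }}`

func main() {
	for _, strict := range []bool{false, true} {
		out, err := render(issuePath, sampleData(), strict)
		fmt.Printf("issue path strict=%v out=%q err=%v\n", strict, out, err)
	}
	fmt.Println(render(itemsPath, sampleData(), false))
}
```

Values under a Secret's `data` field are base64-encoded, so a value read from there has to be decoded before it is written to `stringData`.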

Labels: bug (Something isn't working)