---
# Kustomization for the External Secrets Operator (ESO). It renders the
# upstream Helm chart plus two local manifests into the external-secrets
# namespace and annotates eight ESO CRDs so Argo CD applies them server-side.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: external-secrets

# Added to every rendered resource.
commonAnnotations:
  argocd.argoproj.io/sync-wave: '1'

resources:
  - external-secret.yaml
  - cluster-secret-store.yaml

# Helm inflation (kustomize must run with --enable-helm). The chart is pulled
# from the remote repository at build time and pinned by version only; nothing
# in this file verifies the chart's integrity.
# NOTE(review): this chart presumably installs the controller that
# materialises Secrets - confirm whether the build pipeline vendors the chart
# or checks its provenance before rendering.
helmCharts:
  - name: external-secrets
    repo: https://charts.external-secrets.io
    version: '2.7.0'
    releaseName: external-secrets
    valuesFile: values.yaml
    includeCRDs: true

# Why the CRD patches exist:
#   ESO 2.4.0 ships ~620KB CRDs (clustersecretstores.yaml, secretstores.yaml).
#   Whenever Argo CD falls back to client-side apply, that exceeds the 256KB
#   annotation cap hit by `kubectl.kubernetes.io/last-applied-configuration`.
#   Per the Argo CD docs and argo-cd#11269 / #26279, the resource-level
#   annotation `argocd.argoproj.io/sync-options: ServerSideApply=true` forces
#   SSA on these CRDs even if Argo's per-resource manager state drifts. It is
#   kept alongside the app-level `ServerSideApply=true` syncOption on purpose:
#   Argo CD migrations from client-side to server-side ownership are
#   documented as brittle.
#
# How ownership was migrated:
#   Bootstrapped out of band on 2026-04-27 for the four pre-existing CRDs via
#   `kubectl get crd $X -o yaml | kubectl apply --server-side --force-conflicts
#   --field-manager=argocd-controller -f -`.
#   The CRDs new in 2.4.0 (pushsecrets, clusterpushsecrets, clustergenerators,
#   generatorstates) are created SSA-native on first apply.
#   `--force-conflicts` takes field ownership away from other managers, so it
#   belongs to that one-off bootstrap only, not to routine syncs.
#
# NOTE(review): the rationale above refers to 2.4.0 while the chart is pinned
# at 2.7.0 - confirm the eight names below still cover every oversized CRD.
patches:
  # NOTE(review): only the first two patches carry the extra
  # `api-approved.kubernetes.io` and `external-secrets.io/conversion-strategy`
  # annotations. The api-approved annotation appears to be enforced only for
  # *.k8s.io / *.kubernetes.io groups, so it looks like a no-op on these CRDs;
  # confirm why both annotations are set here and not on the other six.
  - patch: |
      apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      metadata:
        name: externalsecrets.external-secrets.io
        annotations:
          argocd.argoproj.io/sync-options: ServerSideApply=true
          "api-approved.kubernetes.io": "unapproved, request-not-required"
          "external-secrets.io/conversion-strategy": "none"
  - patch: |
      apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      metadata:
        name: clustersecretstores.external-secrets.io
        annotations:
          argocd.argoproj.io/sync-options: ServerSideApply=true
          "api-approved.kubernetes.io": "unapproved, request-not-required"
          "external-secrets.io/conversion-strategy": "none"
  # The remaining patches add the server-side-apply annotation only.
  - patch: |
      apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      metadata:
        name: secretstores.external-secrets.io
        annotations:
          argocd.argoproj.io/sync-options: ServerSideApply=true
  - patch: |
      apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      metadata:
        name: clusterexternalsecrets.external-secrets.io
        annotations:
          argocd.argoproj.io/sync-options: ServerSideApply=true
  - patch: |
      apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      metadata:
        name: pushsecrets.external-secrets.io
        annotations:
          argocd.argoproj.io/sync-options: ServerSideApply=true
  - patch: |
      apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      metadata:
        name: clusterpushsecrets.external-secrets.io
        annotations:
          argocd.argoproj.io/sync-options: ServerSideApply=true
  - patch: |
      apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      metadata:
        name: clustergenerators.generators.external-secrets.io
        annotations:
          argocd.argoproj.io/sync-options: ServerSideApply=true
  - patch: |
      apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      metadata:
        name: generatorstates.generators.external-secrets.io
        annotations:
          argocd.argoproj.io/sync-options: ServerSideApply=true