From 6e22bd26b346b44aa9ee8d8bac836690f04d5ff5 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997 <contact@michaelfisher.tech>
Date: Thu, 23 Apr 2026 22:09:45 +0000
Subject: [PATCH] fix: wait directly on ESO Helm readiness

---
 .gitea/workflows/deploy.yml | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 302890e..95e41c6 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -266,6 +266,14 @@ jobs:
             done
           }
 
+          eso_diagnostics() {
+            kubectl -n flux-system get kustomizations,helmrepositories,helmcharts,helmreleases || true
+            kubectl -n flux-system describe kustomization addon-external-secrets || true
+            kubectl -n flux-system describe helmrepository external-secrets || true
+            kubectl -n flux-system describe helmrelease external-secrets || true
+            kubectl -n external-secrets get pods -o wide || true
+          }
+
           kubectl create namespace flux-system --dry-run=client -o yaml | kubectl apply -f -
           ssh-keyscan -p "${FLUX_GIT_PORT}" "${FLUX_GIT_HOST}" > /tmp/flux_known_hosts
           kubectl -n flux-system create secret generic flux-system \
@@ -291,11 +299,19 @@ jobs:
           flux_rollout_status helm-controller
           kubectl -n flux-system wait --for=condition=Ready gitrepository/platform --timeout=300s
           kubectl -n flux-system wait --for=condition=Ready kustomization/infrastructure --timeout=600s
-          # Wait for ESO objects to be created before waiting on their conditions
+          # Wait directly on the ESO Helm objects; Kustomization readiness hides useful failure details.
           wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-external-secrets 600
-          kubectl -n flux-system wait --for=condition=Ready kustomization/addon-external-secrets --timeout=900s
+          kubectl -n flux-system annotate kustomization/addon-external-secrets reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
+          wait_for_resource flux-system helmrepository.source.toolkit.fluxcd.io/external-secrets 600
+          if ! kubectl -n flux-system wait --for=condition=Ready helmrepository/external-secrets --timeout=900s; then
+            eso_diagnostics
+            exit 1
+          fi
           wait_for_resource flux-system helmrelease.helm.toolkit.fluxcd.io/external-secrets 600
-          kubectl -n flux-system wait --for=condition=Ready helmrelease/external-secrets --timeout=900s
+          if ! kubectl -n flux-system wait --for=condition=Ready helmrelease/external-secrets --timeout=1800s; then
+            eso_diagnostics
+            exit 1
+          fi
           wait_for_resource "" crd/clustersecretstores.external-secrets.io 900
           wait_for_resource "" crd/externalsecrets.external-secrets.io 900
           kubectl wait --for=condition=established --timeout=600s crd/clustersecretstores.external-secrets.io