From 6ed0a29253e6eec9d2a5faa8837654b9d6136348 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sat, 2 May 2026 18:27:05 +0000
Subject: [PATCH] fix: force sync rancher bootstrap secrets
---
 .gitea/workflows/deploy.yml | 37 +++++++++++++++++--
 .../addons/kustomization-rancher-secrets.yaml | 19 +---------
 2 files changed, 35 insertions(+), 21 deletions(-)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index dfe1acd..276897d 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -716,10 +716,41 @@ jobs:
 done
 }
 
+ wait_for_rancher_bootstrap_secrets() {
+ local timeout_seconds="$1"
+ local deadline
+ local force_sync
+ deadline=$(($(date +%s) + timeout_seconds))
+
+ while [ "$(date +%s)" -lt "${deadline}" ]; do
+ force_sync="$(date +%s)"
+ kubectl -n flux-system annotate externalsecret/rancher-bootstrap-password external-secrets.io/force-sync="${force_sync}" --overwrite || true
+ kubectl -n cattle-system annotate externalsecret/rancher-bootstrap-password external-secrets.io/force-sync="${force_sync}" --overwrite || true
+
+ if kubectl wait --for=condition=Ready clustersecretstore/doppler-hetznerterra --timeout=30s \
+ && kubectl -n flux-system wait --for=condition=Ready externalsecret/rancher-bootstrap-password --timeout=30s \
+ && kubectl -n cattle-system wait --for=condition=Ready externalsecret/rancher-bootstrap-password --timeout=30s \
+ && kubectl -n flux-system get secret/rancher-bootstrap-password >/dev/null 2>&1 \
+ && kubectl -n cattle-system get secret/rancher-bootstrap-password >/dev/null 2>&1; then
+ return 0
+ fi
+
+ sleep 30
+ done
+
+ echo "Timed out waiting for Rancher bootstrap ExternalSecrets to sync" >&2
+ kubectl get clustersecretstore/doppler-hetznerterra -o yaml || true
+ kubectl -n flux-system get externalsecret/rancher-bootstrap-password -o yaml || true
+ kubectl -n cattle-system get externalsecret/rancher-bootstrap-password -o yaml || true
+ kubectl -n external-secrets logs deploy/external-secrets-external-secrets --tail=120 || true
+ exit 1
+ }
+
 echo "Waiting for Rancher..."
- wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-rancher-secrets 600
- reconcile_flux_resource flux-system kustomization/addon-rancher-secrets 600
- kubectl -n flux-system wait --for=condition=Ready kustomization/addon-rancher-secrets --timeout=600s
+ wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-rancher-secrets 900
+ reconcile_flux_resource flux-system kustomization/addon-rancher-secrets 900
+ kubectl -n flux-system wait --for=condition=Ready kustomization/addon-rancher-secrets --timeout=900s
+ wait_for_rancher_bootstrap_secrets 900
 wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-rancher 600
 reconcile_flux_resource flux-system kustomization/addon-rancher 1800
 wait_for_resource flux-system helmrelease.helm.toolkit.fluxcd.io/rancher 600
diff --git a/infrastructure/addons/kustomization-rancher-secrets.yaml b/infrastructure/addons/kustomization-rancher-secrets.yaml
index 0e1d38a..295de29 100644
--- a/infrastructure/addons/kustomization-rancher-secrets.yaml
+++ b/infrastructure/addons/kustomization-rancher-secrets.yaml
@@ -13,22 +13,5 @@ spec:
 dependsOn:
 - name: addon-external-secrets-store
 wait: false
- healthChecks:
- - apiVersion: external-secrets.io/v1
- kind: ExternalSecret
- name: rancher-bootstrap-password
- namespace: flux-system
- - apiVersion: v1
- kind: Secret
- name: rancher-bootstrap-password
- namespace: flux-system
- - apiVersion: external-secrets.io/v1
- kind: ExternalSecret
- name: rancher-bootstrap-password
- namespace: cattle-system
- - apiVersion: v1
- kind: Secret
- name: rancher-bootstrap-password
- namespace: cattle-system
- timeout: 5m
+ timeout: 15m
 suspend: false
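Review bot: The deadline in `wait_for_rancher_bootstrap_secrets` is only tested at the head of the `while` loop, so a single pass can run five sequential 30s `kubectl wait` calls plus `sleep 30` after the deadline has passed, and the 900s budget from the call site can in practice stretch to roughly 18 minutes before `exit 1`. If that overrun is acceptable, say so on the `while` line, e.g. `# deadline is checked once per pass; a pass may overrun it by up to ~3 min`; otherwise derive each `--timeout` from the remaining seconds instead of a fixed 30s. The function also has no header comment explaining why the annotation is bumped on every pass; something like `# bump external-secrets.io/force-sync each pass so ESO re-fetches now rather than on its refresh interval` (confirm against the operator's documented behaviour) would record the rationale the commit title only hints at. The enclosing `run:` step starts and ends outside the hunk.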
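Review bot: With `healthChecks` removed and `wait: false` kept, this Kustomization reports Ready as soon as its manifests are applied, so the `kubectl wait --for=condition=Ready kustomization/addon-rancher-secrets` call in the deploy workflow no longer implies the ExternalSecrets or Secrets exist; that guarantee now rests entirely on `wait_for_rancher_bootstrap_secrets`, and any other Kustomization that lists this one in `dependsOn` (not visible here) would likewise stop being gated on the secrets. A comment above `timeout: 15m` would keep the checks from being re-added or relied on by accident, e.g. `# No healthChecks on purpose: the deploy workflow waits for the ExternalSecrets/Secrets itself (wait_for_rancher_bootstrap_secrets).` With no health checks the `timeout` most likely bounds only validation and apply, so the increase from 5m to 15m is unlikely to change behaviour on its own.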