fix: force sync rancher bootstrap secrets

.gitea/workflows/deploy.yml

@@ -716,10 +716,41 @@ jobs:
             done
           }
 
+          wait_for_rancher_bootstrap_secrets() {
+            local timeout_seconds="$1"
+            local deadline
+            local force_sync
+            deadline=$(($(date +%s) + timeout_seconds))
+
+            while [ "$(date +%s)" -lt "${deadline}" ]; do
+              force_sync="$(date +%s)"
+              kubectl -n flux-system annotate externalsecret/rancher-bootstrap-password external-secrets.io/force-sync="${force_sync}" --overwrite || true
+              kubectl -n cattle-system annotate externalsecret/rancher-bootstrap-password external-secrets.io/force-sync="${force_sync}" --overwrite || true
+
+              if kubectl wait --for=condition=Ready clustersecretstore/doppler-hetznerterra --timeout=30s \
+                && kubectl -n flux-system wait --for=condition=Ready externalsecret/rancher-bootstrap-password --timeout=30s \
+                && kubectl -n cattle-system wait --for=condition=Ready externalsecret/rancher-bootstrap-password --timeout=30s \
+                && kubectl -n flux-system get secret/rancher-bootstrap-password >/dev/null 2>&1 \
+                && kubectl -n cattle-system get secret/rancher-bootstrap-password >/dev/null 2>&1; then
+                return 0
+              fi
+
+              sleep 30
+            done
+
+            echo "Timed out waiting for Rancher bootstrap ExternalSecrets to sync" >&2
+            kubectl get clustersecretstore/doppler-hetznerterra -o yaml || true
+            kubectl -n flux-system get externalsecret/rancher-bootstrap-password -o yaml || true
+            kubectl -n cattle-system get externalsecret/rancher-bootstrap-password -o yaml || true
+            kubectl -n external-secrets logs deploy/external-secrets-external-secrets --tail=120 || true
+            exit 1
+          }
+
           echo "Waiting for Rancher..."
-          wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-rancher-secrets 600
+          wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-rancher-secrets 900
-          reconcile_flux_resource flux-system kustomization/addon-rancher-secrets 600
+          reconcile_flux_resource flux-system kustomization/addon-rancher-secrets 900
-          kubectl -n flux-system wait --for=condition=Ready kustomization/addon-rancher-secrets --timeout=600s
+          kubectl -n flux-system wait --for=condition=Ready kustomization/addon-rancher-secrets --timeout=900s
+          wait_for_rancher_bootstrap_secrets 900
           wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-rancher 600
           reconcile_flux_resource flux-system kustomization/addon-rancher 1800
           wait_for_resource flux-system helmrelease.helm.toolkit.fluxcd.io/rancher 600

infrastructure/addons/kustomization-rancher-secrets.yaml

@@ -13,22 +13,5 @@ spec:
   dependsOn:
     - name: addon-external-secrets-store
   wait: false
-  healthChecks:
+  timeout: 15m
-    - apiVersion: external-secrets.io/v1
-      kind: ExternalSecret
-      name: rancher-bootstrap-password
-      namespace: flux-system
-    - apiVersion: v1
-      kind: Secret
-      name: rancher-bootstrap-password
-      namespace: flux-system
-    - apiVersion: external-secrets.io/v1
-      kind: ExternalSecret
-      name: rancher-bootstrap-password
-      namespace: cattle-system
-    - apiVersion: v1
-      kind: Secret
-      name: rancher-bootstrap-password
-      namespace: cattle-system
-  timeout: 5m
   suspend: false