From 7b2eca07ab525cdb1eac599ec4f0b1bd0c3e90e9 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Fri, 24 Apr 2026 15:24:58 +0000
Subject: [PATCH] fix: pull external-secrets chart from OCI
---
 .gitea/workflows/deploy.yml | 31 ++++++++++++++++---
 .../helmrelease-external-secrets.yaml | 12 +++----
 .../helmrepository-external-secrets.yaml | 8 -----
 .../external-secrets/kustomization.yaml | 2 +-
 .../ocirepository-external-secrets.yaml | 13 ++++++++
 5 files changed, 45 insertions(+), 21 deletions(-)
 delete mode 100644 infrastructure/addons/external-secrets/helmrepository-external-secrets.yaml
 create mode 100644 infrastructure/addons/external-secrets/ocirepository-external-secrets.yaml
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 7f16a9d..33abac8 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -237,14 +237,37 @@ jobs:
 }

 eso_diagnostics() {
- kubectl -n flux-system get kustomizations,helmrepositories,helmcharts,helmreleases || true
+ kubectl -n flux-system get kustomizations,ocirepositories,helmrepositories,helmcharts,helmreleases || true
 kubectl -n flux-system describe kustomization addon-external-secrets || true
- kubectl -n flux-system describe helmrepository external-secrets || true
- kubectl -n flux-system describe helmchart.source.toolkit.fluxcd.io flux-system-external-secrets || true
+ kubectl -n flux-system describe ocirepository external-secrets || true
 kubectl -n flux-system describe helmrelease external-secrets || true
 kubectl -n external-secrets get pods -o wide || true
 }

+ wait_for_flux_oci_helm_release() {
+ local oci_name="$1"
+ local release_name="$2"
+ local target_namespace="$3"
+ local oci_timeout="$4"
+ local release_timeout="$5"
+ local reconcile_at
+
+ wait_for_resource flux-system "ocirepository.source.toolkit.fluxcd.io/${oci_name}" 600
+ reconcile_at="$(date +%s)"
+ kubectl -n flux-system annotate "ocirepository/${oci_name}" reconcile.fluxcd.io/requestedAt="${reconcile_at}" --overwrite
+ kubectl -n flux-system annotate "helmrelease/${release_name}" reconcile.fluxcd.io/requestedAt="${reconcile_at}" --overwrite
+
+ if ! kubectl -n flux-system wait --for=condition=Ready "ocirepository/${oci_name}" --timeout="${oci_timeout}"; then
+ eso_diagnostics
+ exit 1
+ fi
+
+ if ! kubectl -n flux-system wait --for=condition=Ready "helmrelease/${release_name}" --timeout="${release_timeout}"; then
+ eso_diagnostics
+ exit 1
+ fi
+ }
+
 flux_helm_diagnostics() {
 local repo_name="$1"
 local chart_name="$2"
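Review bot: `local target_namespace="$3"` in `wait_for_flux_oci_helm_release` is assigned and never read, and both failure paths call `eso_diagnostics`, which hard-codes the `external-secrets` object names and namespace, so the helper looks generic but only gives useful output for ESO. Either drop the parameter, together with the third argument at the call site in the next hunk, or use it in the failure path, e.g. `kubectl -n "${target_namespace}" get pods -o wide || true`. The initial `wait_for_resource ... 600` is also fixed rather than derived from `oci_timeout`, which deserves a one-line comment. A header comment such as `# Args: oci_name release_name target_namespace oci_timeout release_timeout; dumps diagnostics and exits 1 if either object does not become Ready` would document the contract.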
@@ -318,7 +341,7 @@ jobs:
 # Wait directly on the ESO Helm objects; Kustomization readiness hides useful failure details.
 wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-external-secrets 600
 kubectl -n flux-system annotate kustomization/addon-external-secrets reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
- wait_for_flux_helm_release external-secrets flux-system-external-secrets external-secrets external-secrets 900s 1800s 1800s
+ wait_for_flux_oci_helm_release external-secrets external-secrets external-secrets 1800s 1800s
 wait_for_resource "" crd/clustersecretstores.external-secrets.io 900
 wait_for_resource "" crd/externalsecrets.external-secrets.io 900
 kubectl wait --for=condition=established --timeout=600s crd/clustersecretstores.external-secrets.io
diff --git a/infrastructure/addons/external-secrets/helmrelease-external-secrets.yaml b/infrastructure/addons/external-secrets/helmrelease-external-secrets.yaml
index 18e580b..8bde2fa 100644
--- a/infrastructure/addons/external-secrets/helmrelease-external-secrets.yaml
+++ b/infrastructure/addons/external-secrets/helmrelease-external-secrets.yaml
@@ -6,14 +6,10 @@ metadata:
 spec:
 interval: 10m
 targetNamespace: external-secrets
- chart:
- spec:
- chart: external-secrets
- version: 2.1.0
- sourceRef:
- kind: HelmRepository
- name: external-secrets
- namespace: flux-system
+ chartRef:
+ kind: OCIRepository
+ name: external-secrets
+ namespace: flux-system
 install:
 createNamespace: true
 remediation:
diff --git a/infrastructure/addons/external-secrets/helmrepository-external-secrets.yaml b/infrastructure/addons/external-secrets/helmrepository-external-secrets.yaml
deleted file mode 100644
index 1128f31..0000000
--- a/infrastructure/addons/external-secrets/helmrepository-external-secrets.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: external-secrets
- namespace: flux-system
-spec:
- interval: 1h
- url: https://charts.external-secrets.io
diff --git a/infrastructure/addons/external-secrets/kustomization.yaml b/infrastructure/addons/external-secrets/kustomization.yaml
index b446151..f7789cf 100644
--- a/infrastructure/addons/external-secrets/kustomization.yaml
+++ b/infrastructure/addons/external-secrets/kustomization.yaml
@@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespace.yaml
- - helmrepository-external-secrets.yaml
+ - ocirepository-external-secrets.yaml
 - helmrelease-external-secrets.yaml
diff --git a/infrastructure/addons/external-secrets/ocirepository-external-secrets.yaml b/infrastructure/addons/external-secrets/ocirepository-external-secrets.yaml
new file mode 100644
index 0000000..577a0c9
--- /dev/null
+++ b/infrastructure/addons/external-secrets/ocirepository-external-secrets.yaml
@@ -0,0 +1,13 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+ name: external-secrets
+ namespace: flux-system
+spec:
+ interval: 10m
+ url: oci://ghcr.io/external-secrets/charts/external-secrets
+ ref:
+ tag: 2.1.0
+ layerSelector:
+ mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+ operation: copy
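Review bot: `ref.tag: 2.1.0` in the new OCIRepository is a mutable reference, and with `interval: 10m` Flux re-resolves it on every reconcile, so a re-pushed tag in the registry would be rolled out to a controller that handles cluster secrets without any change in Git. Pin the artifact by digest next to the tag, `digest: sha256:<digest of the 2.1.0 chart artifact>` under `ref` (the digest takes precedence over the tag), and keep the tag as the human-readable version so upgrades stay reviewable. If upstream signs the chart, a `verify` block with `provider: cosign` would add signature checking on top; whether signatures are published for this chart is not visible from the patch and should be confirmed first.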