fix: wait for ESO webhook before ClusterSecretStore

2026-04-24 23:13:03 +00:00
parent 7b2eca07ab
commit e56a3a6c38
2 changed files with 5 additions and 29 deletions
@@ -347,6 +347,9 @@ jobs:
          kubectl wait --for=condition=established --timeout=600s crd/clustersecretstores.external-secrets.io
          kubectl wait --for=condition=established --timeout=600s crd/externalsecrets.external-secrets.io
          kubectl -n external-secrets rollout status deployment/external-secrets --timeout=600s
+          wait_for_resource external-secrets service/external-secrets-external-secrets-webhook 600
+          wait_for_resource external-secrets endpoints/external-secrets-external-secrets-webhook 600
+          kubectl -n external-secrets wait --for=jsonpath='{.subsets[0].addresses[0].ip}' endpoints/external-secrets-external-secrets-webhook --timeout=600s
          # Create Doppler ClusterSecretStore now that ESO CRDs are available
          kubectl apply -f - <<'EOF'
          apiVersion: external-secrets.io/v1
@@ -16,35 +16,8 @@
    --dry-run=client -o yaml | kubectl apply -f -
  changed_when: true

- name: Check for ClusterSecretStore CRD
-  command: kubectl get crd clustersecretstores.external-secrets.io
-  register: doppler_clustersecretstore_crd
-  changed_when: false
-  failed_when: false
-
- name: Apply Doppler ClusterSecretStore
-  shell: |
-    cat <<'EOF' | kubectl apply -f -
-    apiVersion: external-secrets.io/v1
-    kind: ClusterSecretStore
-    metadata:
-      name: doppler-hetznerterra
-    spec:
-      provider:
-        doppler:
-          auth:
-            secretRef:
-              dopplerToken:
-                name: doppler-hetznerterra-service-token
-                key: dopplerToken
-                namespace: external-secrets
-    EOF
-  changed_when: true
-  when: doppler_clustersecretstore_crd.rc == 0
-
 - name: Note pending Doppler ClusterSecretStore bootstrap
  debug:
    msg: >-
-      Skipping Doppler ClusterSecretStore bootstrap because the External Secrets CRD
-      is not available yet. Re-run after External Secrets is installed.
-  when: doppler_clustersecretstore_crd.rc != 0
+      Doppler service token secret is bootstrapped. The deploy workflow creates the
+      ClusterSecretStore after External Secrets CRDs and webhook endpoints are ready.