external-secrets/kubernetes-external-secrets

Labels not getting included in the generated secret

aupadh12 opened this issue · 2 comments

Hello Team,

I am using AWS Secrets Manager for storing my secrets and passwords and then using external secrets to pull them.
I am also using argocd, for which we have implemented the AzureAD authentication method for seamless integration. However, at the moment it is not possible to fetch the client secret directly into the Argocd secret. Thus, we have to add the app.kubernetes.io/part-of: argocd label to any secret in the same namespace where Argo CD is deployed. But the secret which is generated using the external secret does not have this label added to it, although I added it in the kind: ExternalSecret and also in the deployment yaml files for external secrets.
Please see the yaml files below:

apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: azure-secrets
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
spec:
  backendType: secretsManager
  roleArn: arn:aws:iam::123456789:role/eks_external_secrets
  region: us-east-1
  dataFrom:
    - azure_secrets

and

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-external-secrets
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: kubernetes-external-secrets
    helm.sh/chart: kubernetes-external-secrets-8.3.0
    app.kubernetes.io/instance: kubernetes-external-secrets
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argocd
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: kubernetes-external-secrets
      app.kubernetes.io/instance: kubernetes-external-secrets
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kubernetes-external-secrets
        app.kubernetes.io/instance: kubernetes-external-secrets
        app.kubernetes.io/part-of: argocd
    spec:
      serviceAccountName: kubernetes-external-secrets
      containers:
        - name: kubernetes-external-secrets
          image: external-secrets/kubernetes-external-secrets:8.3.0
          ports:
          - name: prometheus
            containerPort: 3001
          imagePullPolicy: IfNotPresent
          resources:
            {}

Am I missing something here?
I need that label to be present in the generated secret.

Should be able to provide a template in the external secret.

apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: azure-secrets
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/part-of: argocd
  backendType: secretsManager
  roleArn: arn:aws:iam::123456789:role/eks_external_secrets
  region: us-east-1
  dataFrom:
    - azure_secrets

Hi @Flydiverny,

This worked!!
Thank you very much for the help here.
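The misconfiguration resolved in this thread can be caught before deployment. The following lint is an added example, not code from the thread or from the kubernetes-external-secrets project; it assumes manifests are already parsed into dicts, and the function names and the two sample manifests (constructed from the YAML above) are hypothetical.

```python
REQUIRED_LABEL = ("app.kubernetes.io/part-of", "argocd")  # label from the thread


def _dig(obj, *path):
    """Walk nested dicts safely; return {} if any step is missing or not a dict."""
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj if isinstance(obj, dict) else {}


def lint_external_secret(manifest, required=REQUIRED_LABEL):
    """Return findings for one parsed manifest; [] means the label is templated."""
    if not isinstance(manifest, dict) or manifest.get("kind") != "ExternalSecret":
        return []  # other kinds (e.g. the Deployment) are out of scope
    key, value = required
    name = _dig(manifest, "metadata").get("name", "<unnamed>")
    own = _dig(manifest, "metadata", "labels")
    templated = _dig(manifest, "spec", "template", "metadata", "labels")
    if templated.get(key) == value:
        return []
    if key in templated:
        return [f"{name}: template sets {key}={templated[key]!r}, expected {value!r}"]
    if own.get(key) == value:
        # The situation reported in the issue: label on the ExternalSecret only.
        return [f"{name}: {key} is set only on the ExternalSecret itself; "
                "add it under spec.template.metadata.labels"]
    return [f"{name}: generated Secret will not carry {key}={value}"]


# Constructed sample input mirroring the two manifests in the thread.
BEFORE = {
    "apiVersion": "kubernetes-client.io/v1",
    "kind": "ExternalSecret",
    "metadata": {"name": "azure-secrets", "namespace": "argocd",
                 "labels": {"app.kubernetes.io/part-of": "argocd"}},
    "spec": {"backendType": "secretsManager", "dataFrom": ["azure_secrets"]},
}
AFTER = {**BEFORE, "spec": {**BEFORE["spec"], "template": {
    "metadata": {"labels": {"app.kubernetes.io/part-of": "argocd"}}}}}

if __name__ == "__main__":
    for doc in (BEFORE, AFTER):
        print(lint_external_secret(doc) or "ok")
```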