Alek's Blog

ESO (External Secrets Operator) breaking change with 0.10.0

When you update the External Secrets Operator (ESO) to version 0.10.0 or above, you may see the following message in the logs or in the event list.

Info: “secret does not contain needed label ‘external-secrets.io/type: webhook’. Update secret label to use it with webhook”

What does this mean, and how can it be fixed?

In the release announcement for 0.10.0 you can find this information:

Warning: 🚨BREAKING CHANGE🚨

  • Webhook Generator: Webhook generator labels have changed from generators.external-secrets.io/type: webhook to external-secrets.io/type: webhook.

  • Webhook Provider: The webhook provider can now only use secrets that are labeled with external-secrets.io/type: webhook. This enforces explicit setup for webhook secrets by users.

If you are a platform management person and don’t use the kind SecretStore very often, you may be a little surprised and maybe confused by the information above.

ESO has several components, and one of its core resources is the SecretStore, which lets you configure a number of providers; one of those providers is the Webhook provider. There is also a kind Webhook (the generator), which we won’t look at here. The important point is that the relation to the message above is much more visible in the Webhook documentation than in the SecretStore documentation. No offense to the ESO team, it’s a complex topic.

Let’s take a look at the SecretStore .spec section.

# oc -n ${NAMESPACE} get SecretStore.external-secrets.io webhook-secret-store -o yaml|yq '.spec'
provider:
  webhook: <1>
    caProvider:
      key: enterprise-pki-ca
      name: root-certs
      type: Secret
    headers:
      Authorization: Basic {{ print .auth.username ":" .auth.password  | b64enc }}
      Content-Type: application/json
    result:
      jsonPath: $
    secrets:
      - name: auth
        secretRef:
          name: webkook-cred-secret <2>
    url: https://company.internal/{{ print .remoteRef.key | replace "%2F"  "/" | replace "%40" "@" }}

<1> This is the Webhook provider.
<2> This is the important secret referenced via secretRef; it must carry the label external-secrets.io/type: webhook named in the message above.

Let’s take a look at the secret’s .metadata.labels section.

# oc -n ${NAMESPACE} get secrets webkook-cred-secret -o yaml|yq '.metadata.labels'
... more labels
external-secrets.io/type: webhook # <<<<<<<<<<<<<< required
... more labels
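As an added example (not code from the original post or from the ESO project), this Python script automates the two checks above on `oc get ... -o json` output: it collects the secrets a SecretStore’s webhook provider references via secretRef and reports any that lack the external-secrets.io/type: webhook label, distinguishing secrets that still carry the pre-0.10.0 generators.external-secrets.io/type label. The SecretStore and Secret objects are constructed inline, and the namespace, secret names and the suggested oc label command are assumptions.

```python
import json
REQUIRED_LABEL = "external-secrets.io/type"
REQUIRED_VALUE = "webhook"
OLD_GENERATOR_LABEL = "generators.external-secrets.io/type"  # label used before 0.10.0

# Constructed sample objects in the shape of `oc get ... -o json` output (not from a real cluster).
SECRET_STORE_JSON = """
{"kind": "SecretStore", "metadata": {"name": "webhook-secret-store", "namespace": "demo"},
 "spec": {"provider": {"webhook": {"url": "https://company.internal/{{ .remoteRef.key }}",
   "secrets": [{"name": "auth", "secretRef": {"name": "webkook-cred-secret"}},
               {"name": "legacy", "secretRef": {"name": "old-generator-secret"}},
               {"name": "ok", "secretRef": {"name": "labeled-secret"}}]}}}}
"""
SECRETS_JSON = """
[{"kind": "Secret", "metadata": {"name": "webkook-cred-secret", "labels": {"app": "demo"}}},
 {"kind": "Secret", "metadata": {"name": "old-generator-secret", "labels": {"generators.external-secrets.io/type": "webhook"}}},
 {"kind": "Secret", "metadata": {"name": "labeled-secret", "labels": {"external-secrets.io/type": "webhook"}}}]
"""

def load_sample():
    """Parse the constructed SecretStore and Secret list above."""
    return json.loads(SECRET_STORE_JSON), json.loads(SECRETS_JSON)

def referenced_secret_names(store):
    """Secret names the webhook provider reads via spec.provider.webhook.secrets[].secretRef.name."""
    webhook = store.get("spec", {}).get("provider", {}).get("webhook") or {}
    return [s["secretRef"]["name"] for s in webhook.get("secrets", []) if "secretRef" in s]

def audit(store, secrets):
    """Map each referenced secret that lacks the required label to the reason it would be rejected."""
    by_name = {s["metadata"]["name"]: s for s in secrets}
    findings = {}
    for name in referenced_secret_names(store):
        secret = by_name.get(name)
        if secret is None:
            findings[name] = "secret not found"
            continue
        labels = secret.get("metadata", {}).get("labels") or {}
        if labels.get(REQUIRED_LABEL) != REQUIRED_VALUE:  # the label the log message asks for
            old = labels.get(OLD_GENERATOR_LABEL) == REQUIRED_VALUE
            findings[name] = "has pre-0.10.0 generator label" if old else "missing label"
    return findings

def fix_command(namespace, name):
    return f"oc -n {namespace} label secret {name} {REQUIRED_LABEL}={REQUIRED_VALUE}"  # adds the label

if __name__ == "__main__":
    store, secrets = load_sample()
    for name, reason in audit(store, secrets).items():
        print(f"{name}: {reason} -> {fix_command(store['metadata']['namespace'], name)}")
```

Running it against a real cluster means replacing the two constructed JSON strings with the output of oc get SecretStore ... -o json and oc get secrets -o json for the same namespace.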

Now the information from the log is much clearer, at least for me.

Info: “secret does not contain needed label ‘external-secrets.io/type: webhook’. Update secret label to use it with webhook”

I explain it like this:

Abstract: The secret used for the webhook, whether in the kind Webhook or as the provider in the SecretStore, must have the label ‘external-secrets.io/type: webhook’ so that the webhook process can use it for the custom webhook.