ESO (External Secrets Operator) Breaking Change in 0.10.0

If you update the External Secrets Operator (ESO) to version 0.10.0 or later, you may see the following message in the logs or event list.

Info

“secret does not contain needed label ‘external-secrets.io/type: webhook’. Update secret label to use it with webhook”

What does this mean, and how can you fix it?

The v0.10.0 release notes include the following:

BREAKING CHANGE

🚨BREAKING CHANGE🚨

  • Webhook Generator: Webhook generator labels have changed from generators.external-secrets.io/type: webhook to external-secrets.io/type: webhook.

  • Webhook Provider: Webhook provider now can only use secrets that are labeled with external-secrets.io/type: webhook. This enforces explicit setup for webhook secrets by users.

If you work in a platform team and do not use the SecretStore kind often, this change can be easy to miss.

ESO has several components. One core resource is SecretStore, where you can configure providers, including the WebhookProvider. There is also a Webhook kind, but we will not focus on it here. The key point is that the connection to this error message is easier to spot in the Webhook docs than in the SecretStore docs. No offense to the ESO team; this is a complex topic.

Let’s look at the SecretStore .spec section.

# oc -n ${NAMESPACE} get SecretStore.external-secrets.io webhook-secret-store -o yaml | yq '.spec'
provider:
  webhook: <1>
    caProvider:
      key: enterprise-pki-ca
      name: root-certs
      type: Secret
    headers:
      Authorization: Basic {{ print .auth.username ":" .auth.password  | b64enc }}
      Content-Type: application/json
    result:
      jsonPath: $
    secrets:
      - name: auth
        secretRef:
          name: webkook-cred-secret <2>
    url: https://company.internal/{{ print .remoteRef.key | replace "%2F"  "/" | replace "%40" "@" }}

<1> This is the WebhookProvider.
<2> This secretRef points to the secret that must include the label external-secrets.io/type: webhook, as described in the message above.

Now let’s look at the secret .metadata.labels section.

# oc -n ${NAMESPACE} get secrets webkook-cred-secret -o yaml | yq '.metadata.labels'
... more labels
external-secrets.io/type: webhook # <<<<<<<<<<<<<< required
... more labels

With that context, the log message becomes much clearer.

Info

“secret does not contain needed label ‘external-secrets.io/type: webhook’. Update secret label to use it with webhook”

In short:

Abstract

Any secret used by a webhook (either in Webhook or as a provider in SecretStore) must include the label external-secrets.io/type: webhook, otherwise ESO will not use it for webhook processing.
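
To find every affected secret before upgrading, the check described above can be scripted. The following is an added example, not code from this page or from the ESO project: it walks SecretStore objects, collects the secretRef entries of each webhook provider, and reports referenced secrets that lack the label. The sample data is constructed (only webhook-secret-store and webkook-cred-secret come from the page), and it assumes an explicit secretRef.namespace takes precedence over the store's namespace.

```python
LABEL_KEY, LABEL_VALUE = "external-secrets.io/type", "webhook"
# Constructed sample data, shaped like the parsed output of
# `oc get secretstores.external-secrets.io -A -o json` and `oc get secrets -A -o json`.
SAMPLE_STORES = {"items": [
    {"metadata": {"namespace": "team-a", "name": "webhook-secret-store"},
     "spec": {"provider": {"webhook": {"secrets": [
         {"name": "auth", "secretRef": {"name": "webkook-cred-secret"}}]}}}},
    {"metadata": {"namespace": "team-b", "name": "labelled-store"},
     "spec": {"provider": {"webhook": {"secrets": [
         {"name": "auth", "secretRef": {"name": "labelled-cred"}}]}}}},
    {"metadata": {"namespace": "team-c", "name": "other-store"}, "spec": {"provider": {"fake": {}}}},
]}
SAMPLE_SECRETS = {"items": [
    {"metadata": {"namespace": "team-a", "name": "webkook-cred-secret",
                  "labels": {"app": "demo"}}},
    {"metadata": {"namespace": "team-b", "name": "labelled-cred",
                  "labels": {LABEL_KEY: LABEL_VALUE}}},
]}

def webhook_secret_refs(stores):
    """Yield (namespace, secret name, store name) for each webhook provider secretRef."""
    for store in stores.get("items", []):
        webhook = store.get("spec", {}).get("provider", {}).get("webhook")
        if webhook is None:
            continue  # other providers are not affected by this change
        meta = store["metadata"]
        for entry in webhook.get("secrets") or []:
            ref = entry.get("secretRef") or {}
            # Assumption: an explicit secretRef.namespace overrides the store's namespace.
            yield ref.get("namespace") or meta.get("namespace"), ref.get("name"), meta["name"]

def audit(stores, secrets):
    """Return (namespace, secret, store, problem) for every reference needing attention."""
    labels = {(s["metadata"].get("namespace"), s["metadata"]["name"]):
              s["metadata"].get("labels") or {} for s in secrets.get("items", [])}
    findings = []
    for ns, name, store in webhook_secret_refs(stores):
        if (ns, name) not in labels:
            findings.append((ns, name, store, "secret not found"))
        elif labels[(ns, name)].get(LABEL_KEY) != LABEL_VALUE:
            findings.append((ns, name, store, "label missing"))
    return findings

def fix_command(ns, name):  # builds the oc command that adds the required label
    return f"oc -n {ns} label secret {name} {LABEL_KEY}={LABEL_VALUE}"

if __name__ == "__main__":
    for ns, name, store, problem in audit(SAMPLE_STORES, SAMPLE_SECRETS):
        print(f"{store}: {ns}/{name}: {problem}\n  {fix_command(ns, name)}")
```

To run it against a cluster, replace the sample dictionaries with the JSON from the two `oc get ... -o json` commands named in the comment. It covers only the secretRef entries of the webhook provider in SecretStore, not the Webhook kind.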