Add flag to set CRD names in cert controller (#1811)

* added new crd-names flag to reconcile only installed CRDs in cert controller Signed-off-by: Steven Bressey <sbressey@bressey.me> * add guide to disable cluster features Signed-off-by: Steven Bressey <sbressey@bressey.me> * fix fmt Signed-off-by: Steven Bressey <sbressey@bressey.me> Co-authored-by: Steven Bressey <sbressey@bressey.me>
2024-12-14 11:57:59 +00:00 · 2022-12-13 20:56:30 +01:00 · 2022-12-13 20:56:30 +01:00 · 7416a84b2a
commit 7416a84b2a
parent 3762297fb3
5 changed files with 29 additions and 5 deletions
--- a/cmd/certcontroller.go
+++ b/cmd/certcontroller.go
@ -69,11 +69,7 @@ var certcontrollerCmd = &cobra.Command{
 		}
 		crdctrl := crds.New(mgr.GetClient(), mgr.GetScheme(),
 			ctrl.Log.WithName("controllers").WithName("webhook-certs-updater"),
-			crdRequeueInterval, serviceName, serviceNamespace, secretName, secretNamespace, []string{
-				"externalsecrets.external-secrets.io",
-				"clustersecretstores.external-secrets.io",
-				"secretstores.external-secrets.io",
-			})
+			crdRequeueInterval, serviceName, serviceNamespace, secretName, secretNamespace, crdNames)
 		if err := crdctrl.SetupWithManager(mgr, controller.Options{
 			MaxConcurrentReconciles: concurrent,
 		}); err != nil {
@ -120,6 +116,7 @@ func init() {
 	certcontrollerCmd.Flags().StringVar(&serviceNamespace, "service-namespace", "default", "Webhook service namespace")
 	certcontrollerCmd.Flags().StringVar(&secretName, "secret-name", "external-secrets-webhook", "Secret to store certs for webhook")
 	certcontrollerCmd.Flags().StringVar(&secretNamespace, "secret-namespace", "default", "namespace of the secret to store certs")
+	certcontrollerCmd.Flags().StringSliceVar(&crdNames, "crd-names", []string{"externalsecrets.external-secrets.io", "clustersecretstores.external-secrets.io", "secretstores.external-secrets.io"}, "CRD names reconciled by the controller")
 	certcontrollerCmd.Flags().BoolVar(&enableLeaderElection, "enable-leader-election", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
--- a/cmd/root.go
+++ b/cmd/root.go
@ -67,6 +67,7 @@ var (
 	storeRequeueInterval                  time.Duration
 	serviceName, serviceNamespace         string
 	secretName, secretNamespace           string
+	crdNames                              []string
 	crdRequeueInterval                    time.Duration
 	certCheckInterval                     time.Duration
 	certLookaheadInterval                 time.Duration
--- a/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
+++ b/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
@ -51,6 +51,10 @@ spec:
          - --service-namespace={{ .Release.Namespace }}
          - --secret-name={{ include "external-secrets.fullname" . }}-webhook
          - --secret-namespace={{ .Release.Namespace }}
+          {{ if not .Values.crds.createClusterSecretStore -}}
+          - --crd-names=externalsecrets.external-secrets.io
+          - --crd-names=secretstores.external-secrets.io
+          {{- end -}}
          {{- range $key, $value := .Values.certController.extraArgs }}
            {{- if $value }}
          - --{{ $key }}={{ $value }}
--- a/docs/guides/disable-cluster-features.md
+++ b/docs/guides/disable-cluster-features.md
@ -0,0 +1,21 @@
+# Deploying without ClusterSecretStore and ClusterExternalSecret
+
+When deploying External Secrets Operator via Helm chart, the default configuration will install `ClusterSecretStore` and `ClusterExternalSecret` CRDs and these objects will be processed by the operator.
+
+In order to disable both or one of these features, it is necessary to configure the `crds.*` Helm value, as well as the `process*` Helm value, as these 2 values are connected.
+
+If you would like to install the operator without `ClusterSecretStore` and `ClusterExternalSecret` management, you will have to :
+
+* set `crds.createClusterExternalSecret` to false
+* set `crds.createClusterSecretStore` to false
+* set `processClusterExternalSecret` to false
+* set `processClusterStore` to false
+
+Example:
+
+```bash
+helm install external-secrets external-secrets/external-secrets --set crds.createClusterExternalSecret=false \
+--set crds.createClusterSecretStore=false \
+--set processClusterExternalSecret=false \
+--set processClusterStore=false
+```
--- a/docs/guides/introduction.md
+++ b/docs/guides/introduction.md
@ -13,3 +13,4 @@ the API. Please pick one of the following guides:
 * [Decoding Strategy](decoding-strategy.md)
 * [v1beta1 Migration](v1beta1.md)
 * [Deploying image from main](using-latest-image.md)
+* [Deploying without cluster features](disable-cluster-features.md)