Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
The external-secrets app can be deployed on any downstream cluster (e.g. in the fleet-default workspace).
But meanwhile it cannot be deployed on the local cluster (e.g. in the fleet-local workspace).
Bundle external-secrets-app status in fleet-local workspace - Not Ready:
Bundle snippet:
```yaml
apiVersion: fleet.cattle.io/v1alpha1
kind: Bundle
metadata:
  ...
  name: external-secrets-app
  namespace: fleet-local
...
  summary:
    desiredReady: 1
    nonReadyResources:
    - bundleState: NotReady
      name: fleet-local/local
      nonReadyStatus:
      - apiVersion: apps/v1
        kind: Deployment
        name: external-secrets-cert-controller
        namespace: external-secrets
        summary:
          message:
          - Deployment does not have minimum availability.
          - 'Available: 0/1'
          state: updating
          transitioning: true
      - apiVersion: apps/v1
        kind: Deployment
        name: external-secrets-webhook
        namespace: external-secrets
        summary:
          message:
          - Deployment does not have minimum availability.
          - 'Available: 0/1'
          state: updating
          transitioning: true
```
BUT, both deployments/pods (external-secrets-cert-controller + external-secrets-webhook) are running:
Expected Behavior
Ability to install external-secrets app on local cluster (e.g. in fleet-local workspace), without workarounds.
Steps To Reproduce
fleet.yaml:
```yaml
defaultNamespace: external-secrets
helm:
  releaseName: external-secrets
  chart: external-secrets
  repo: https://charts.external-secrets.io
  values:
    global:
      nodeSelector:
        node-role.kubernetes.io/control-plane: "true"
    processClusterExternalSecret: false
    processClusterPushSecret: false
    processClusterStore: false
    processPushSecret: false
    crds:
      createClusterExternalSecret: false
      createClusterPushSecret: false
      createClusterSecretStore: false
      createPushSecret: false
    extraArgs:
      enable-cluster-external-secret-reconciler: "false"
      enable-cluster-push-secret-reconciler: "false"
      enable-cluster-store-reconciler: "false"
      enable-push-secret-reconciler: "false"
    webhook:
      extraArgs:
        tls-ciphers: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
targetCustomizations:
- name: local
  clusterName: local
  helm:
    version: v0.19.2
- name: downstream-cluster-name
  clusterName: downstream-cluster-name
  helm:
    version: v0.19.2
labels:
  app: external-secrets
```
Environment
- Architecture: amd64
- Fleet Version: 0.13.1
- Cluster:
  - Provider: RKE2
  - Options: 3 nodes
  - Kubernetes Version: 1.33.4
- Rancher: 2.12.1
Logs
Anything else?
Found workaround.
fleet.yaml:
```yaml
...
targetCustomizations:
- name: local
  clusterName: local
  helm:
    version: v0.19.2
    values:
      webhook:
        create: false
      certController:
        create: false
...
```
But I don't think that disabling the ValidatingWebhookConfiguration is a good/stable solution.