fix: sync wave for secretstore externalsecret

chart/README.md

@@ -43,11 +43,10 @@ Helm chart to deploy internal ingress controller with VPN access to internal ser
 | podSecurityContext | object | `{}` | Security Context for Pods |
 | replicaCount | int | `1` | Number of Replicas, only if HPA is not enabled |
 | resources | object | `{"limits":{"cpu":"50m","memory":"256Mi"},"requests":{"cpu":"15m","memory":"128Mi"}}` | resource limits |
+| secretAnnotation | object | `{"argocd.argoproj.io/sync-wave":"-2"}` | Secret Annotations (External Secrets) to control synchronization |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":10000}` | Generate security Context |
 | serviceTree | object | `{"layer":"1","module":"tunnel","platform":"sulfoxide","service":"boron"}` | AtomiCloud Service Tree. See [ServiceTree](https://atomicloud.larksuite.com/wiki/OkfJwTXGFiMJkrk6W3RuwRrZs64?theme=DARK&contentTheme=DARK#MHw5d76uDo2tBLx86cduFQMRsBb) |
-| sulfoxide-bromine | object | `{"annotations":{"helm.sh/hook":"pre-install,pre-upgrade","helm.sh/weight":"-5"},"rootSecret":{"ref":"SULFOXIDE_BORON"},"storeName":"doppler-boron"}` | Create SecretStore via secret of secrets pattern |
-| sulfoxide-bromine.annotations."helm.sh/hook" | string | `"pre-install,pre-upgrade"` | Helm hook to run |
-| sulfoxide-bromine.annotations."helm.sh/weight" | string | `"-5"` | Helm weight to run |
+| sulfoxide-bromine | object | `{"annotations":{"argocd.argoproj.io/sync-wave":"-3"},"rootSecret":{"ref":"SULFOXIDE_BORON"},"storeName":"doppler-boron"}` | Create SecretStore via secret of secrets pattern |
 | sulfoxide-bromine.rootSecret | object | `{"ref":"SULFOXIDE_BORON"}` | Secret of Secrets reference |
 | sulfoxide-bromine.rootSecret.ref | string | `"SULFOXIDE_BORON"` | DOPPLER Token Reference |
 | sulfoxide-bromine.storeName | string | `"doppler-boron"` | Store name to create |

chart/templates/secret.yaml

@@ -4,8 +4,7 @@ kind: Secret
 metadata:
   name: {{ .Values.auth.secretName }}
   annotations: {{- include "sulfoxide-boron.annotations" . | nindent 4 }}
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-2"
+    {{- toYaml .Values.secretAnnotation | nindent 4 }}
   labels: {{- include "sulfoxide-boron.labels" . | nindent 4 }}
 data:
   TUNNEL_TOKEN: {{ b64enc .Values.auth.internal.token }}
@@ -17,8 +16,7 @@ kind: ExternalSecret
 metadata:
   name: {{ .Release.Name -}}-external-secret
   annotations: {{- include "sulfoxide-boron.annotations" . | nindent 4 }}
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-2"
+    {{- toYaml .Values.secretAnnotation | nindent 4 }}
   labels: {{- include "sulfoxide-boron.labels" . | nindent 4 }}
 spec:
   refreshInterval: {{ .Values.auth.external.refreshInterval }}

chart/values.suicune.opal-ruby.yaml

@@ -2,6 +2,22 @@ serviceTree:
   landscape: suicune
   cluster: opal-ruby
 
+# -- Create SecretStore via secret of secrets pattern
+sulfoxide-bromine:
+  annotations:
+    # -- Helm hook to run
+    helm.sh/hook: pre-install,pre-upgrade
+    # -- Helm weight to run
+    helm.sh/weight: "-5"
+
+
+# -- Secret Annotations (External Secrets) to control synchronization
+secretAnnotation:
+  # -- Helm hook to run
+  helm.sh/hook: pre-install,pre-upgrade
+  # -- Helm weight to run
+  helm.sh/weight: "-4"
+
 auth:
   internal:
     enable: false

chart/values.yaml

@@ -8,10 +8,7 @@ serviceTree:
 # -- Create SecretStore via secret of secrets pattern
 sulfoxide-bromine:
   annotations:
-    # -- Helm hook to run
-    helm.sh/hook: pre-install,pre-upgrade
-    # -- Helm weight to run
-    helm.sh/weight: "-5"
+    argocd.argoproj.io/sync-wave: "-3"
   # -- Store name to create
   storeName: doppler-boron
   # -- Secret of Secrets reference
@@ -20,6 +17,10 @@ sulfoxide-bromine:
     ref: "SULFOXIDE_BORON"
 
 
+# -- Secret Annotations (External Secrets) to control synchronization
+secretAnnotation:
+  argocd.argoproj.io/sync-wave: "-2"
+
 # -- Cloudflare Tunnel Token
 auth: