
feat(controller): add flag to enable/disable secretstore reconcile (#5653)

Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Syed Shahidh Ilhan F 4 months ago
764d4653ac

+ 19 - 14
cmd/controller/root.go

@@ -84,6 +84,7 @@ var (
 	zapTimeEncoding                       string
 	namespace                             string
 	enableClusterStoreReconciler          bool
+	enableSecretStoreReconciler           bool
 	enableClusterExternalSecretReconciler bool
 	enableClusterPushSecretReconciler     bool
 	enablePushSecretReconciler            bool
@@ -197,21 +198,24 @@ var rootCmd = &cobra.Command{
 			}
 		}
 
-		ssmetrics.SetUpMetrics()
-		if err = (&secretstore.StoreReconciler{
-			Client:            mgr.GetClient(),
-			Log:               ctrl.Log.WithName("controllers").WithName("SecretStore"),
-			Scheme:            mgr.GetScheme(),
-			ControllerClass:   controllerClass,
-			RequeueInterval:   storeRequeueInterval,
-			PushSecretEnabled: enablePushSecretReconciler,
-		}).SetupWithManager(mgr, controller.Options{
-			MaxConcurrentReconciles: concurrent,
-			RateLimiter:             ctrlcommon.BuildRateLimiter(),
-		}); err != nil {
-			setupLog.Error(err, errCreateController, "controller", "SecretStore")
-			os.Exit(1)
+		if enableSecretStoreReconciler {
+			ssmetrics.SetUpMetrics()
+			if err = (&secretstore.StoreReconciler{
+				Client:            mgr.GetClient(),
+				Log:               ctrl.Log.WithName("controllers").WithName("SecretStore"),
+				Scheme:            mgr.GetScheme(),
+				ControllerClass:   controllerClass,
+				RequeueInterval:   storeRequeueInterval,
+				PushSecretEnabled: enablePushSecretReconciler,
+			}).SetupWithManager(mgr, controller.Options{
+				MaxConcurrentReconciles: concurrent,
+				RateLimiter:             ctrlcommon.BuildRateLimiter(),
+			}); err != nil {
+				setupLog.Error(err, errCreateController, "controller", "SecretStore")
+				os.Exit(1)
+			}
 		}
+
 		if enableClusterStoreReconciler {
 			cssmetrics.SetUpMetrics()
 			if err = (&secretstore.ClusterStoreReconciler{
@@ -354,6 +358,7 @@ func init() {
 	rootCmd.Flags().StringVar(&zapTimeEncoding, "zap-time-encoding", "epoch", "Zap time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano')")
 	rootCmd.Flags().StringVar(&namespace, "namespace", "", "watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces")
 	rootCmd.Flags().BoolVar(&enableClusterStoreReconciler, "enable-cluster-store-reconciler", true, "Enable cluster store reconciler.")
+	rootCmd.Flags().BoolVar(&enableSecretStoreReconciler, "enable-secret-store-reconciler", true, "Enable secret store reconciler.")
 	rootCmd.Flags().BoolVar(&enableClusterExternalSecretReconciler, "enable-cluster-external-secret-reconciler", true, "Enable cluster external secret reconciler.")
 	rootCmd.Flags().BoolVar(&enableClusterPushSecretReconciler, "enable-cluster-push-secret-reconciler", true, "Enable cluster push secret reconciler.")
 	rootCmd.Flags().BoolVar(&enablePushSecretReconciler, "enable-push-secret-reconciler", true, "Enable push secret reconciler.")
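Review bot: Nothing in the second hunk checks or logs the combination `--enable-secret-store-reconciler=false --enable-cluster-store-reconciler=false`, so the manager now starts with no store reconciler registered at all and a misconfiguration only shows up later as ExternalSecrets that never resolve. A startup message next to the new `if enableSecretStoreReconciler {` block would make that visible at once: `if !enableSecretStoreReconciler && !enableClusterStoreReconciler { setupLog.Info("both SecretStore and ClusterSecretStore reconcilers are disabled; store resources will not be reconciled") }` (setupLog is only called with Error here, so presumably it is a logr logger with Info as well — confirm). The help text added in the third hunk could also state the consequence rather than just naming the switch, e.g. `"Enable secret store reconciler. When disabled, namespaced SecretStore resources are not reconciled by this controller."`. The enclosing rootCmd Run function starts before and ends after the second hunk.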

+ 2 - 0
deploy/charts/external-secrets/README.md

@@ -97,6 +97,7 @@ The command removes all the Kubernetes components associated with the chart and
 | crds.createClusterPushSecret | bool | `true` | If true, create CRDs for Cluster Push Secret. |
 | crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
 | crds.createPushSecret | bool | `true` | If true, create CRDs for Push Secret. |
+| crds.createSecretStore | bool | `true` | If true, create CRDs for Secret Store. |
 | createOperator | bool | `true` | Specifies whether an external secret operator deployment be created. |
 | deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
 | dnsConfig | object | `{}` | Specifies `dnsOptions` to deployment |
@@ -167,6 +168,7 @@ The command removes all the Kubernetes components associated with the chart and
 | processClusterPushSecret | bool | `true` | if true, the operator will process cluster push secret. Else, it will ignore them. |
 | processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
 | processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
+| processSecretStore | bool | `true` | if true, the operator will process secret store. Else, it will ignore them. |
 | rbac.aggregateToEdit | bool | `true` | Specifies whether permissions are aggregated to the edit ClusterRole |
 | rbac.aggregateToView | bool | `true` | Specifies whether permissions are aggregated to the view ClusterRole |
 | rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |

+ 3 - 0
deploy/charts/external-secrets/templates/deployment.yaml

@@ -82,6 +82,9 @@ spec:
           {{- if not .Values.processPushSecret }}
           - --enable-push-secret-reconciler=false
           {{- end }}
+          {{- if not .Values.processSecretStore }}
+          - --enable-secret-store-reconciler=false
+          {{- end }}
           {{- if .Values.controllerClass }}
           - --controller-class={{ .Values.controllerClass }}
           {{- end }}

+ 6 - 0
deploy/charts/external-secrets/values.schema.json

@@ -293,6 +293,9 @@
                 },
                 "createPushSecret": {
                     "type": "boolean"
+                },
+                "createSecretStore": {
+                    "type": "boolean"
                 }
             }
         },
@@ -592,6 +595,9 @@
         "processPushSecret": {
             "type": "boolean"
         },
+        "processSecretStore": {
+            "type": "boolean"
+        },
         "rbac": {
             "type": "object",
             "properties": {

+ 5 - 0
deploy/charts/external-secrets/values.yaml

@@ -51,6 +51,8 @@ crds:
   createClusterExternalSecret: true
   # -- If true, create CRDs for Cluster Secret Store.
   createClusterSecretStore: true
+  # -- If true, create CRDs for Secret Store.
+  createSecretStore: true
   # -- If true, create CRDs for Cluster Generator.
   createClusterGenerator: true
   # -- If true, create CRDs for Cluster Push Secret.
@@ -107,6 +109,9 @@ processClusterPushSecret: true
 # -- if true, the operator will process cluster store. Else, it will ignore them.
 processClusterStore: true
 
+# -- if true, the operator will process secret store. Else, it will ignore them.
+processSecretStore: true
+
 # -- if true, the operator will process cluster generator. Else, it will ignore them.
 processClusterGenerator: true
 

+ 3 - 1
docs/api/controller-options.md

@@ -18,7 +18,9 @@ The core controller is invoked without a subcommand and can be configured with t
 | `--concurrent`                                | int      | 1       | The number of concurrent reconciles.                                                                                                                               |
 | `--controller-class`                          | string   | default | The controller is instantiated with a specific controller name and filters ES based on this property                                                               |
 | `--enable-cluster-external-secret-reconciler` | boolean  | true    | Enables the cluster external secret reconciler.                                                                                                                    |
-| `--enable-cluster-store-reconciler`           | boolean  | true    | Enables the cluster store reconciler.                                                                                                                              |
+| `--enable-cluster-store-reconciler`           | boolean  | true    | Enables the cluster store 
+reconciler.                                                                                        
+| `--enable-secret-store-reconciler`            | boolean  | true    | Enables the secret store reconciler                                      |
 | `--enable-push-secret-reconciler`             | boolean  | true    | Enables the push secret reconciler.                                                                                                                                |
 | `--enable-cluster-push-secret-reconciler`     | boolean  | true    | Enables the cluster push secret reconciler.                                                                                                                        |
 | `--enable-secrets-caching`                    | boolean  | false   | Enable secrets caching for ALL secrets in the cluster (WARNING: can increase memory usage).                                                                        |

+ 12 - 3
docs/guides/security-best-practices.md

@@ -29,9 +29,13 @@ spec:
           app: frontend
 ```
 
-### 3. Selectively Disable Reconciliation of Cluster-Wide Resources
+### 3. Selectively Disable Reconciliation of Resources
+
+ESO allows you to selectively disable the reconciliation of resources. You can disable reconciliation for:
+
+- **Cluster-wide resources**: `ClusterSecretStore`, `ClusterExternalSecret`
+- **Namespaced resources**: `SecretStore`, `PushSecret`
 
-ESO allows you to selectively disable the reconciliation of cluster-wide resources `ClusterSecretStore`, `ClusterExternalSecret`, and `PushSecret`.
 You can disable the installation of CRDs and reconciliation in the Helm chart, or disable reconciliation in the core controller.
 
 To disable reconciliation in the Helm chart:
@@ -40,6 +44,7 @@ To disable reconciliation in the Helm chart:
 processClusterExternalSecret: false
 processClusterStore: false
 processPushSecret: false
+processSecretStore: false
 ```
 
 To disable CRD installation in the Helm chart:
@@ -48,10 +53,13 @@ To disable CRD installation in the Helm chart:
 crds:
   createClusterExternalSecret: false
   createClusterSecretStore: false
+  createSecretStore: false
   createPushSecret: false
 ```
 
-Note that disabling CRD installation for a cluster-wide resource does not automatically disable its reconciliation.
+**Warning:** Disabling the `SecretStore` CRD will prevent ExternalSecrets from referencing namespaced SecretStores. Only use this if you exclusively use ClusterSecretStore.
+
+Note that disabling CRD installation for a resource does not automatically disable its reconciliation.
 The core controller will issue error logs if the CRD is not installed but the reconciliation is not disabled.
 
 To disable reconciliation in the core controller, set the following flags:
@@ -59,6 +67,7 @@ To disable reconciliation in the core controller, set the following flags:
 ```
 --enable-cluster-external-secret-reconciler=false
 --enable-cluster-store-reconciler=false
+--enable-secret-store-reconciler=false
 --enable-push-secret-reconciler=false
 ```