Improve external secrets validation job

Chart.yaml

@@ -3,7 +3,7 @@ description: A Helm chart to build and deploy secrets using external-secrets for
 keywords:
 - pattern
 name: aap-config
-version: 0.1.4
+version: 0.1.5
 dependencies:
 - name: vp-rbac
   version: '0.1.*'

README.md

@@ -1,6 +1,6 @@
 # aap-config
 
-![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square)
+![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square)
 
 A Helm chart to build and deploy secrets using external-secrets for ansible-edge-gitops
 
@@ -20,6 +20,9 @@ the 10-minute mark instead of every ten minutes as previously).
 external secrets validation job to prevent argo from proceeding past ES creation and
 erroring out early.
 
+* v0.1.5: Extend default deadline for external secret validation job. Remove
+namespaces from external secrets validation.
+
 ## Requirements
 
 | Repository | Name | Version |
@@ -47,7 +50,7 @@ erroring out early.
 | secretStore.name | string | `"vault-backend"` |  |
 | serviceAccountName | string | `"aap-config-sa"` |  |
 | serviceAccountNamespace | string | `"aap-config"` |  |
-| validationJob.activeDeadlineSeconds | int | `600` |  |
+| validationJob.activeDeadlineSeconds | int | `3600` |  |
 | validationJob.disabled | bool | `false` |  |
 | vp-rbac.clusterRoles.view-routes.rules[0].apiGroups[0] | string | `"route.openshift.io"` |  |
 | vp-rbac.clusterRoles.view-routes.rules[0].resources[0] | string | `"routes"` |  |

README.md.gotmpl

@@ -21,6 +21,9 @@ the 10-minute mark instead of every ten minutes as previously).
 external secrets validation job to prevent argo from proceeding past ES creation and
 erroring out early.
 
+* v0.1.5: Extend default deadline for external secret validation job. Remove
+namespaces from external secrets validation.
+
 {{ template "chart.homepageLine" . }}
 
 {{ template "chart.maintainersSection" . }}

templates/external-secrets-validation-job.yaml

@@ -10,7 +10,7 @@ spec:
   parallelism: 1
   completions: 1
   backoffLimit: 3
-  activeDeadlineSeconds: {{ $.Values.validationJob.activeDeadlineSeconds | default 300 }}
+  activeDeadlineSeconds: {{ $.Values.validationJob.activeDeadlineSeconds }}
   template:
     spec:
       restartPolicy: Never
@@ -25,7 +25,7 @@ spec:
         - |
           set -euo pipefail
 
-          echo "Starting external secrets validation for aap-config namespace..."
+          echo "Starting external secrets validation..."
 
           # List of external secrets to validate
           EXTERNAL_SECRETS=(
@@ -40,13 +40,13 @@ spec:
             echo "Checking secret: $secret_name"
 
             # Check if secret exists
-            if ! kubectl get secret "$secret_name" -n aap-config >/dev/null 2>&1; then
+            if ! kubectl get secret "$secret_name" >/dev/null 2>&1; then
               echo "ERROR: Secret $secret_name does not exist"
               return 1
             fi
 
             # Check if secret has data
-            local data_count=$(kubectl get secret "$secret_name" -n aap-config -o jsonpath='{.data}' | jq -r 'length')
+            local data_count=$(kubectl get secret "$secret_name" -o jsonpath='{.data}' | jq -r 'length')
             if [ "$data_count" -eq 0 ]; then
               echo "ERROR: Secret $secret_name exists but has no data"
               return 1
@@ -62,17 +62,17 @@ spec:
             echo "Checking ExternalSecret status: $external_secret_name"
 
             # Check if ExternalSecret exists
-            if ! kubectl get externalsecret "$external_secret_name" -n aap-config >/dev/null 2>&1; then
+            if ! kubectl get externalsecret "$external_secret_name" >/dev/null 2>&1; then
               echo "ERROR: ExternalSecret $external_secret_name does not exist"
               return 1
             fi
 
             # Check ExternalSecret status
-            local ready_status=$(kubectl get externalsecret "$external_secret_name" -n aap-config -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
+            local ready_status=$(kubectl get externalsecret "$external_secret_name" -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
             if [ "$ready_status" != "True" ]; then
               echo "ERROR: ExternalSecret $external_secret_name is not ready. Status: $ready_status"
               # Get more details about the error
-              kubectl get externalsecret "$external_secret_name" -n aap-config -o jsonpath='{.status.conditions[?(@.type=="Ready")].message}' | xargs -I {} echo "Message: {}"
+              kubectl get externalsecret "$external_secret_name" -o jsonpath='{.status.conditions[?(@.type=="Ready")].message}' | xargs -I {} echo "Message: {}"
               return 1
             fi
 
@@ -136,9 +136,6 @@ spec:
           for secret in "${EXTERNAL_SECRETS[@]}"; do
             echo "✅ $secret: ExternalSecret ready and Secret populated"
           done
-        env:
-        - name: NAMESPACE
-          value: aap-config
         resources:
           requests:
             memory: "64Mi"

values.yaml

@@ -30,7 +30,7 @@ serviceAccountNamespace: aap-config
 # Validation job configuration
 validationJob:
   disabled: false
-  activeDeadlineSeconds: 600
+  activeDeadlineSeconds: 3600
 
 # RBAC configuration using vp-rbac subchart
 vp-rbac:
@@ -44,27 +44,27 @@ vp-rbac:
         clusterRoles:
           - view-secrets-cms
           - view-routes
-          
+
   clusterRoles:
     view-secrets-cms:
       rules:
       - apiGroups: [""]
         resources: ["secrets", "configmaps"]
         verbs: ["get", "list", "watch"]
-        
+
     view-routes:
       rules:
       - apiGroups: ["route.openshift.io"]
         resources: ["routes"]
         verbs: ["get", "list", "watch"]
-    
+
   roles:
     view-all:
       rules:
       - apiGroups: ["*"]
         resources: ["*"]
         verbs: ["get", "list", "watch"]
-    
+
     # RBAC for external secrets validation (namespace-scoped)
     external-secrets-validator:
       rules: