Kustomize: Update internal references that are going to be changes using namePrefix or nameSuffix

2 min read | by Jordi Prats

When using namePrefix or nameSuffix to change the names of the resources we are deplying using Kustomize, we need to make sure the cross object references get updated as well.

For example, if we have a SecretStore like this one:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: testvault-backend
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  provider:
    vault:
      server: "http://testvault.testvault.svc.cluster.local:80"
      path: "secret"
      version: "v2"
      auth:
        tokenSecretRef:
          name: "vault-token"
          key: "token"

We'll need to make sure that the spec.secretStoreRef still points to that object after updating it's name with namePrefix and nameSuffix:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: eso-demo
  annotations:
    argocd.argoproj.io/sync-wave: "2"
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: testvault-backend
    kind: SecretStore
  data:
  - secretKey: demo
    remoteRef:
      key: secret/demo
      property: test

To do so we'll need to add a configurations entry to our kustomization.yaml like follows:

configurations:
  - nameReference.yaml

The nameReference.yaml file will contain the references that needs updating. With the following configuration we are going to tell Kustomize to update the field spec.secretStoreRef.name from the ExternalSecret with the updated name for the SecretStore object.

nameReference:
  - kind: SecretStore
    fieldSpecs:
      - kind: ExternalSecret
        path: spec/secretStoreRef/name

When we have multiple objects, we just need to make sure that the initial objects are pointing to the right one: Kustomize is going to take it from here to update references.

Posted on 05/01/2023