원클릭으로 Manus에서 모든 스킬 실행

$pwd:

argocd-externalsecret-namespace-permission

Name: Argocd Externalsecret Namespace Permission
Author: divinevideo

// Fix ArgoCD ExternalSecret deployment failing with "namespace X is not permitted in project Y". Use when: (1) ExternalSecret shows OutOfSync in ArgoCD but won't sync, (2) ArgoCD application status shows "namespace X is not permitted in project 'infrastructure'", (3) ExternalSecret targets a namespace managed by a different ArgoCD project, (4) Using apps-of-apps pattern with separate infrastructure and application projects.

Manus에서 실행

$ git log --oneline --stat

stars:253

forks:50

updated:2026년 5월 5일 02:08

SKILL.md

readonly

name	argocd-externalsecret-namespace-permission
description	Fix ArgoCD ExternalSecret deployment failing with "namespace X is not permitted in project Y". Use when: (1) ExternalSecret shows OutOfSync in ArgoCD but won't sync, (2) ArgoCD application status shows "namespace X is not permitted in project 'infrastructure'", (3) ExternalSecret targets a namespace managed by a different ArgoCD project, (4) Using apps-of-apps pattern with separate infrastructure and application projects.
author	Claude Code
version	1.0.0
date	"2026-01-29T00:00:00.000Z"

ArgoCD ExternalSecret Namespace Permission Error

Problem

ExternalSecrets defined in a shared "external-secrets-resources" ApplicationSet fail to deploy to namespaces that aren't in the ArgoCD project's allowed destinations. The sync shows OutOfSync but refuses to apply.

Context / Trigger Conditions

ArgoCD application shows OutOfSync status but doesn't sync

Checking application resources shows:

message: namespace gorse is not permitted in project 'infrastructure'

ExternalSecret is in a shared ApplicationSet (e.g., external-secrets-resources)
Target namespace belongs to a different application (e.g., gorse app in default project)
Using apps-of-apps pattern with project-based isolation

Root Cause

ArgoCD projects define allowed destination namespaces. When ExternalSecrets are deployed via a centralized "infrastructure" project but target namespaces managed by application-specific projects, the infrastructure project doesn't have permission to deploy to those namespaces.

Solution

Move the ExternalSecret from the shared external-secrets-resources to the application itself.

Step 1: Create ExternalSecret in the application

# k8s/applications/gorse/base/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: gorse-secrets
  namespace: gorse
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: gcp-secret-manager
    kind: ClusterSecretStore
  target:
    name: gorse-secrets
    creationPolicy: Owner
  data:
    - secretKey: api_key
      remoteRef:
        key: gorse-api-key-ENVIRONMENT

Step 2: Add to application kustomization

# k8s/applications/gorse/base/kustomization.yaml
resources:
  - namespace.yaml
  - external-secret.yaml  # Add here
  - deployment.yaml

Step 3: Add environment-specific patches in overlays

# k8s/applications/gorse/overlays/staging/kustomization.yaml
patches:
  - target:
      kind: ExternalSecret
      name: gorse-secrets
    patch: |-
      - op: replace
        path: /spec/data/0/remoteRef/key
        value: gorse-api-key-staging

Step 4: Remove from external-secrets-resources

Remove the ExternalSecret from k8s/external-secrets/base/ and all overlay patches.

Verification

Sync the application: argocd app sync gorse
Check ExternalSecret status: kubectl get externalsecrets -n gorse
Verify secret created: kubectl get secrets -n gorse

Alternative Solutions

Option 1: Expand project destinations

Add the namespace to the infrastructure project's allowed destinations in ArgoCD. Not recommended as it breaks project isolation.

Option 2: Use ClusterSecretStore

If using ClusterSecretStore, the secret can be referenced from any namespace. The ExternalSecret itself still needs to be in an allowed namespace.

Notes

This pattern is common when migrating from monolithic to modular ArgoCD setups
Each application should own its secret definitions for better isolation
ClusterSecretStore remains shared; only ExternalSecret moves
The "infrastructure" project typically manages cluster-wide resources, not app-specific secrets

related-skills.json

같은 저장소

e2e-test.md

from "divinevideo/divine-mobile"

Run and debug Flutter E2E integration tests that exercise the real app against a local Docker backend (no mocks). Use when running E2E tests, debugging failures, or working on the local harness.

2026-05-27253

review-before-commit.md

from "divinevideo/divine-mobile"

Review all uncommitted changes before pushing. Checks for dead code, stale comments, CLAUDE.md rule violations, unused imports, and inconsistencies introduced during the current session. Invoke with /review-before-commit.

2026-05-11253

art-direct.md

from "divinevideo/divine-mobile"

Art direction for any content — reads text, PDF, Word, HTML, PPT, then proposes 2-3 creative directions with photography style, mood, and visual language. After selection, generates AI image prompts and visual briefs section-by-section. Use when the user shares content and needs visual direction, image sourcing, or creative direction for any material.

2026-05-05253

async-await-null-race-condition.md

from "divinevideo/divine-mobile"

Fix "Null check operator used on a null value" errors when an object is set to null during an async await. Use when: (1) Object reference is nullified while awaiting, (2) Code accesses object with ! after await returns, (3) Cancel/dispose operations run concurrently with async operations on same object. Solution: capture local reference before await.

2026-05-05253

aws-v4-signing-custom-headers-gcs.md

from "divinevideo/divine-mobile"

Add custom metadata headers (x-amz-meta-*) to AWS v4 signed requests for GCS S3-compatible API. Use when: (1) Adding custom metadata to GCS uploads via S3 API, (2) Getting signature mismatch errors after adding new headers, (3) x-amz-meta-* headers being ignored or causing 403 errors. Custom headers MUST be included in canonical headers and signed headers list.

2026-05-05253

bash-herestring-newline-secrets.md

from "divinevideo/divine-mobile"

Fix password/secret authentication failures caused by trailing newlines when creating Google Cloud secrets (or similar) with bash here-strings. Use when: (1) Password authentication fails with correct password, (2) Secret created with `<<< "value"` syntax, (3) Error like "password authentication failed" or "invalid token" despite correct value. Bash here-strings (`<<<`) add a trailing newline that corrupts secrets.

2026-05-05253

package.json

"author": "divinevideo"

"repository": "divinevideo/divine-mobile"

GitHub 저장소 열기 Creator 저장소 보기

$ install --global

$ download --local

Manus에서 실행

$ useful --forSOC

네트워크·컴퓨터 시스템 관리자컴퓨터 및 수학직15-1244L4

name	argocd-externalsecret-namespace-permission
description	Fix ArgoCD ExternalSecret deployment failing with "namespace X is not permitted in project Y". Use when: (1) ExternalSecret shows OutOfSync in ArgoCD but won't sync, (2) ArgoCD application status shows "namespace X is not permitted in project 'infrastructure'", (3) ExternalSecret targets a namespace managed by a different ArgoCD project, (4) Using apps-of-apps pattern with separate infrastructure and application projects.
author	Claude Code
version	1.0.0
date	"2026-01-29T00:00:00.000Z"

ArgoCD ExternalSecret Namespace Permission Error

Problem

Context / Trigger Conditions

ArgoCD application shows OutOfSync status but doesn't sync

Checking application resources shows:

message: namespace gorse is not permitted in project 'infrastructure'

ExternalSecret is in a shared ApplicationSet (e.g., external-secrets-resources)
Target namespace belongs to a different application (e.g., gorse app in default project)
Using apps-of-apps pattern with project-based isolation

Root Cause

Solution

Move the ExternalSecret from the shared external-secrets-resources to the application itself.

Step 1: Create ExternalSecret in the application

# k8s/applications/gorse/base/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: gorse-secrets
  namespace: gorse
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: gcp-secret-manager
    kind: ClusterSecretStore
  target:
    name: gorse-secrets
    creationPolicy: Owner
  data:
    - secretKey: api_key
      remoteRef:
        key: gorse-api-key-ENVIRONMENT

Step 2: Add to application kustomization

# k8s/applications/gorse/base/kustomization.yaml
resources:
  - namespace.yaml
  - external-secret.yaml  # Add here
  - deployment.yaml

Step 3: Add environment-specific patches in overlays

# k8s/applications/gorse/overlays/staging/kustomization.yaml
patches:
  - target:
      kind: ExternalSecret
      name: gorse-secrets
    patch: |-
      - op: replace
        path: /spec/data/0/remoteRef/key
        value: gorse-api-key-staging

Step 4: Remove from external-secrets-resources

Remove the ExternalSecret from k8s/external-secrets/base/ and all overlay patches.

Verification

Sync the application: argocd app sync gorse
Check ExternalSecret status: kubectl get externalsecrets -n gorse
Verify secret created: kubectl get secrets -n gorse

Alternative Solutions

Option 1: Expand project destinations

Add the namespace to the infrastructure project's allowed destinations in ArgoCD. Not recommended as it breaks project isolation.

Option 2: Use ClusterSecretStore

If using ClusterSecretStore, the secret can be referenced from any namespace. The ExternalSecret itself still needs to be in an allowed namespace.

Notes

This pattern is common when migrating from monolithic to modular ArgoCD setups
Each application should own its secret definitions for better isolation
ClusterSecretStore remains shared; only ExternalSecret moves
The "infrastructure" project typically manages cluster-wide resources, not app-specific secrets

argocd-externalsecret-namespace-permission

ArgoCD ExternalSecret Namespace Permission Error

Problem

Context / Trigger Conditions

Root Cause

Solution

Step 1: Create ExternalSecret in the application

Step 2: Add to application kustomization

Step 3: Add environment-specific patches in overlays

Step 4: Remove from external-secrets-resources

Verification

Alternative Solutions

Option 1: Expand project destinations

Option 2: Use ClusterSecretStore

Notes

이 저장소의 다른 Skills

이 저장소의 다른 Skills

ArgoCD ExternalSecret Namespace Permission Error

Problem

Context / Trigger Conditions

Root Cause

Solution

Step 1: Create ExternalSecret in the application

Step 2: Add to application kustomization

Step 3: Add environment-specific patches in overlays

Step 4: Remove from external-secrets-resources

Verification

Alternative Solutions

Option 1: Expand project destinations

Option 2: Use ClusterSecretStore

Notes