Flagger continuously logs errors when a Deployment references an optional Secret #1867
Description
Describe the bug
Flagger continuously logs errors when a Deployment references an optional Secret via env.valueFrom.secretKeyRef.optional: true, but the Secret does not exist.
Despite the error spam in logs, the Canary analysis proceeds successfully and completes as expected.
This behavior is misleading and noisy: Kubernetes itself treats optional secrets as valid configuration, but Flagger still attempts to fetch the Secret and logs an error on every reconciliation loop.
{
"level": "error",
"ts": "2025-12-10T13:04:11.208Z",
"caller": "canary/config_tracker.go:228",
"msg": "secret mixpanel-token.default get query failed: secret mixpanel-token.default get query error: secrets \"mixpanel-token\" not found",
"stacktrace": "github.com/fluxcd/flagger/pkg/canary.(*ConfigTracker).GetTargetConfigs\n\t/workspace/pkg/canary/config_tracker.go:228\n..."
}
To Reproduce
env:
- name: VITE_MIX_PANEL_TOKEN
valueFrom:
secretKeyRef:
name: mixpanel-token
key: MIXPANEL_TOKEN
optional: true
Expected behavior
Flagger should not log errors for missing Secrets when secretKeyRef.optional: true is set.
At most, this condition should be logged at debug or info level, or ignored entirely.
Canary reconciliation and advancement should remain unchanged.
Additional context
- Flagger version: 1.42
- Kubernetes version: 1.34