synator icon indicating copy to clipboard operation
synator copied to clipboard

Published 20 hours ago verified publisher icon TheYkk

Synator didn't recreate secrets after etcd re-init

Open Philippians413 opened this issue 3 years ago • 7 comments

We use a combination of sealed-secrets and synator. After network downtime etcd cluster restarted. Secrets were created in source namespace, but synator weren't create them in namespaces that on include-namespaces block.

Also, is it possible for synator: if we delete secret in source namespace to keep secrets in namespaces that specified on include-namespaces block?

Philippians413 avatar Aug 27 '21 22:08 Philippians413

Thanks for using synator,

How can I reproduce this situation? Did synator delete copied secrets? because you said synator wasn't created secrets.

TheYkk avatar Aug 29 '21 14:08 TheYkk

It's very specific case, I'm not sure that it's possible to reproduce.

I just want to clarify some points:

  • is it possible that during upgrade_secret synator can delete secret? If yes, could you please add it in logs, because it's not obvious;
  • is it possible for synator: if we delete secret in source namespace to keep secrets in namespaces that specified on include-namespaces block?

Did synator delete copied secrets?

Yes

Philippians413 avatar Aug 30 '21 15:08 Philippians413

Hey @TheYkk We found that problem was not on synator side, but for our case it would be good to add this functionality:

if we delete secret in source namespace to keep secrets in namespaces that specified on include-namespaces block?

For example, we create secret in development namespace and add annotation for it

synator/include-namespaces: foo, bar, xyz

but if we delete this secret in development namespace, keep it in foo, bar, xyz namespaces. Is it possible? We would be grateful from our side

Regards, Bohdan

Philippians413 avatar Sep 20 '21 17:09 Philippians413

I think it's possible to do that. In the update part, we can ignore deletion requests.

TheYkk avatar Sep 21 '21 13:09 TheYkk

I ran into a similar issue with sealed secrets. I think the owner reference block on secrets created by sealed secrets is preventing them from being created in other namespaces.

  ownerReferences:
  - apiVersion: bitnami.com/v1alpha1
    controller: true
    kind: SealedSecret
    name: star-example-com-cert
    uid: 3c5845af-018f-4577-bbdd-023f0e7cbe9f
  resourceVersion: "199651653"
  uid: 57a4d0c7-7bbe-436c-a67a-67a5a1077de6

fenfir avatar Oct 28 '21 14:10 fenfir

@fenfir did you ever come up with a solution to this? I think the same thing is happening with Secrets created with SopsSecrets

zackb avatar May 09 '22 22:05 zackb

@fenfir @zackb You can check my fork until the pull request here is accepted. It removes ownerRef from metadata and secrets are not deleted by the Kubernetes garbage collector.

slax81 avatar Jan 15 '24 17:01 slax81