
Replace of immutable secret fails

Open sebhoss opened this issue 1 year ago • 4 comments

SUMMARY

I have a secret that sets its immutable field to true and thus cannot be changed through a normal apply operation but requires a replacement in case its data does change. According to https://docs.ansible.com/ansible/latest/collections/kubernetes/core/k8s_module.html#parameter-force a replacement should have happened, but it fails instead.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

kubernetes.core.k8s

ANSIBLE VERSION
ansible [core 2.17.4]
  config file = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg
  configured module search path = ['/home/seb/.config/ansible/home/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.venv/lib/python3.12/site-packages/ansible
  ansible collection location = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.ansible
  executable location = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.venv/bin/ansible
  python version = 3.12.6 (main, Sep  9 2024, 22:11:19) [Clang 18.1.8 ] (/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.venv/bin/python)
  jinja version = 3.1.4
  libyaml = True
COLLECTION VERSION
# /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.ansible/ansible_collections
Collection      Version
--------------- -------
kubernetes.core 5.0.0 
CONFIGURATION
ANSIBLE_HOME(env: ANSIBLE_HOME) = /home/seb/.config/ansible/home
COLLECTIONS_PATHS(/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg) = ['/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.ansible']
CONFIG_FILE() = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg
DEFAULT_STDOUT_CALLBACK(/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg) = yaml
DEFAULT_VAULT_PASSWORD_FILE(/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg) = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.VAULT_PASSWORD
EDITOR(env: EDITOR) = /var/home/seb/.local/bin/hx
GALAXY_CACHE_DIR(env: ANSIBLE_GALAXY_CACHE_DIR) = /home/seb/.cache/ansible/galaxy
INTERPRETER_PYTHON(/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg) = auto_silent
MAX_FILE_SIZE_FOR_DIFF(env: ANSIBLE_MAX_DIFF_SIZE) = 104857600
PAGER(env: PAGER) = less
OS / ENVIRONMENT

Fedora 40

STEPS TO REPRODUCE
- name: Create secret
  delegate_to: localhost
  kubernetes.core.k8s:
    template: some-secret.yaml
    state: present
    force: true

Use the following secret (or any other that sets immutable: true):

apiVersion: v1
kind: Secret
metadata:
  name: some-secret
  namespace: "{{ some_namespace }}"
stringData:
  token: "{{ some_token }}"
immutable: true
EXPECTED RESULTS

My expectation was that changing the data of an immutable secret with force: true would work.

ACTUAL RESULTS
fatal: [test-cluster -> localhost]: FAILED! => changed=false 
  msg: 'Failed to replace object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Secret \\"some-secret\\" is invalid: data: Forbidden: field is immutable when `immutable` is set","reason":"Invalid","details":{"name":"some-secret","kind":"Secret","causes":[{"reason":"FieldValueForbidden","message":"Forbidden: field is immutable when `immutable` is set","field":"data"}]},"code":422}\n'''
  reason: Unprocessable Entity

sebhoss avatar Oct 06 '24 05:10 sebhoss

@sebhoss this is a server-side issue. The force=true option replaces the resource whether it exists or not. A POST request is issued to the server; however, it fails because you have set immutable=true. The only way to fix that is to delete and re-create the secret.

abikouo avatar Oct 10 '24 09:10 abikouo

@abikouo thanks - I guess I was looking for something like kubectl replace but with Ansible doing the replacement only if there is a difference and thus avoiding deleting/creating the secret on every execution.

sebhoss avatar Oct 10 '24 14:10 sebhoss

> @abikouo thanks - I guess I was looking for something like kubectl replace but with Ansible doing the replacement only if there is a difference and thus avoiding deleting/creating the secret on every execution.

You can read the content with the k8s_info module, then compare it with the desired state, and then have a block with a when condition that is invoked only in case the content doesn't match.

yurnov avatar Dec 18 '24 16:12 yurnov
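The read-compare-replace pattern suggested above, written out as an added playbook (not code from the issue or from kubernetes.core). It reuses the issue's some-secret.yaml template and the some_namespace / some_token variables; the play layout, no_log use and the base64 comparison are assumptions. Secret.data comes back from the API base64-encoded, so the desired stringData value is encoded once and compared in that form.

```yaml
# Added example: replace an immutable Secret only when its data differs.
- name: Replace immutable secret only on change
  hosts: localhost
  gather_facts: false
  vars:
    secret_name: some-secret
    desired_data:
      # Secret.data holds base64; compare base64 to base64.
      token: "{{ some_token | b64encode }}"
  tasks:
    - name: Read current secret (an absent secret is fine here)
      kubernetes.core.k8s_info:
        kind: Secret
        api_version: v1
        name: "{{ secret_name }}"
        namespace: "{{ some_namespace }}"
      register: current
      no_log: true   # keep secret material out of play output

    - name: Decide whether a replacement is needed
      ansible.builtin.set_fact:
        secret_changed: >-
          {{ current.resources | length == 0
             or (current.resources[0].data | default({})) != desired_data }}
      no_log: true

    - name: Delete and re-create only when the data differs
      when: secret_changed | bool
      block:
        - name: Delete old immutable secret
          kubernetes.core.k8s:
            state: absent
            kind: Secret
            api_version: v1
            name: "{{ secret_name }}"
            namespace: "{{ some_namespace }}"
            wait: true   # ensure it is gone before re-creating

        - name: Create replacement from the issue's template
          kubernetes.core.k8s:
            state: present
            template: some-secret.yaml
          no_log: true
```

On an unchanged run the block is skipped, so the Secret is not churned and workloads mounting it are not disturbed.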

I'm running into something similar with a deployment (when editing labels and selectors....) (Immutable fields on the Deployment in this case, rather than an immutable object)

fatal: [localhost]: FAILED! => {
    "changed": false,
    "reason": "Unprocessable Entity"
}

MSG:

Failed to apply object: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Deployment.apps \\"kubelet-csr-approver\\" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{\\"app\\":\\"kubelet-csr-approver\\", \\"name\\":\\"kubelet-csr-approver\\"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable","reason":"Invalid","details":{"name":"kubelet-csr-approver","group":"apps","kind":"Deployment","causes":[{"reason":"FieldValueInvalid","message":"Invalid value: v1.LabelSelector{MatchLabels:map[string]string{\\"app\\":\\"kubelet-csr-approver\\", \\"name\\":\\"kubelet-csr-approver\\"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable","field":"spec.selector"}]},"code":422}\n'

I also hoped that setting force=true would work around it... (I'm currently considering a rescue block, but need to move the definition around to avoid having to duplicate it..)

mohag avatar Dec 19 '24 11:12 mohag
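The rescue-block approach mentioned in the comment above, as an added example that is neither the commenter's code nor part of kubernetes.core. The Deployment name and selector mirror the error output; the namespace, image and the rest of the manifest are placeholders, and the definition lives in a variable so apply, delete and re-create share it. Only the specific "field is immutable" rejection triggers a delete/re-create, which causes a brief outage of that Deployment; any other failure is re-raised.

```yaml
# Added example: apply a Deployment, recreating it only on an immutable-field rejection.
- name: Apply deployment, re-create only when a field is immutable
  hosts: localhost
  gather_facts: false
  vars:
    deployment_def:          # placeholder manifest; only name/selector follow the issue
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: kubelet-csr-approver
        namespace: kube-system       # assumed
      spec:
        selector:
          matchLabels: {app: kubelet-csr-approver, name: kubelet-csr-approver}
        template:
          metadata:
            labels: {app: kubelet-csr-approver, name: kubelet-csr-approver}
          spec:
            containers:
              - name: approver
                image: PLACEHOLDER_IMAGE
  tasks:
    - block:
        - name: Apply deployment (server-side rejects selector changes)
          kubernetes.core.k8s:
            state: present
            definition: "{{ deployment_def }}"
            apply: true
          register: apply_result
      rescue:
        - name: Re-raise anything other than an immutable-field rejection
          ansible.builtin.fail:
            msg: "{{ apply_result.msg | default('k8s apply failed') }}"
          when: "'field is immutable' not in (apply_result.msg | default(''))"

        - name: Delete the deployment (pods are gone until re-created)
          kubernetes.core.k8s:
            state: absent
            definition: "{{ deployment_def }}"
            wait: true

        - name: Re-create with the new selector
          kubernetes.core.k8s:
            state: present
            definition: "{{ deployment_def }}"
            apply: true
```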