
deletion of role fails if secretRef is not found

Open jasonwbarnett opened this issue 1 year ago • 1 comments

What happened?

When I deleted a Role (postgresql.sql.crossplane.io/v1alpha1) that has a passwordSecretRef and the referenced secret is missing, it fails to delete the role.

  - lastTransitionTime: "2024-07-02T22:28:00Z"
    message: 'observe failed: cannot get password secret: Secret "database" not found'
    reason: ReconcileError
    status: "False"
    type: Synced

What is the use case?

I am using Argo CD to deploy applications onto K8s and there is a race condition where the namespace and its secret may be deleted before the Role. This creates a funky situation where the Role is left dangling forever.

How can we reproduce it?

Create a role using an existing passwordSecretRef. Then delete the secret. Finally, delete the Role.

What environment did it happen in?

Provider version: 0.9.0
Crossplane version: 1.16.0
K8s: EKS

jasonwbarnett, Jul 02 '24 22:07

We solved this kind of problem with Usages, but we control the secret as well.

mleahu, Oct 17 '24 18:10

This is as designed as we don't know the state of the role if the secret has been deleted, and as @mleahu says this can be fixed with Usage.

chlunde, Jun 15 '25 19:06