lastpass-operator
Secret name
Hi, I want to understand why you are trying to use the LastPass ID in the secret name. With a deployment that will try to use that secret, you will need to first create that secret and later assign it to the deployment.
Hi, thanks for your interest in this project!
Well, I got what you mean, but the problem, as you can see here, is that the secret name is not unique in LastPass.
Do you have any suggestion/recommendation?
Also, correct me if I'm wrong, but wouldn't the Kubernetes internal reconcile loop continue to try to "recreate" a deployment, for example, until the secret becomes available? Am I wrong?
You have a point if you let the user create multiple secrets with the same name and group.
Maybe it would be a nice option to let the user choose in the LastPass resource whether the name should be generated based on the LastPass ID.
From a developer's point of view, I shouldn't be forced to look into the LastPass database to get the full name of a secret. I'm not sure if this is a valid statement, but it seems like a lot of steps to get a secret. Also, that would require the LastPass CLI on your local machine to be able to see that ID.
K8s will wait with the pod for the secret.
btw very nice code and good job 👏
You made a good point regarding the secret name/id. I'll keep the issue open for future reference and think about it... let me know if you have better ideas. Thanks!
I've slightly modified your code to remove the ID from the name, but I was thinking about whether there should be an extra option like syncPolicy in the LastPass resource to control this name.
Also, in kustomize you have something like secretGenerator, which will add a hash after the secret name. It will look like name-secrets-c7622f8d2h. The hash is changed if the secret was updated. If the hash is changed, the pod should be restarted.
I haven't tested yet what will happen if the secret is updated. Should the pod be restarted?
So, regarding the name, you must find a way to enforce that the secret will be unique, since the API returns an array, which I'm not sure is possible from the UI, or order them in a deterministic way and always pick the first, for example.
I'm not familiar with kustomize unfortunately, can't help much on that.
Regarding the restart, I don't think the logic should be embedded in the operator, cos in my case I'm using ArgoCD, which directly provides an Automated Sync Policy. I will try to link an example with Argo in the README.
ArgoCD will not restart the pod if the secret was changed. I'm using it and it doesn't have that option.
Thanks for the feedback, can you show me an example of how you declared your resource?
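The two naming ideas raised in this thread (pick one entry deterministically when the lookup returns several, and append a suffix that changes when the secret is updated), sketched in Go as an added example. It is not the operator's code and not kustomize's hashing algorithm; the `Entry` type, its fields and both function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Entry is a hypothetical, reduced view of one LastPass item; field names are assumptions.
type Entry struct{ ID, Name, Group, LastModified string }

// pick is order-independent: the lowest numeric ID wins (shorter digit string, then lexical).
func pick(matches []Entry) (Entry, bool) {
	if len(matches) == 0 {
		return Entry{}, false
	}
	s := append([]Entry(nil), matches...) // do not reorder the caller's slice
	sort.Slice(s, func(i, j int) bool {
		if len(s[i].ID) != len(s[j].ID) {
			return len(s[i].ID) < len(s[j].ID)
		}
		return s[i].ID < s[j].ID
	})
	return s[0], true
}

// secretName returns "<sanitized name>-<10 hex chars>". The suffix covers the ID and the
// modification stamp, not the secret value, so no password fingerprint lands in metadata.
func secretName(e Entry) string {
	base := strings.Trim(strings.Map(func(r rune) rune {
		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') {
			return r
		}
		return '-'
	}, strings.ToLower(e.Name)), "-")
	if base == "" {
		base = "lastpass" // fallback so the name never starts with '-'
	}
	sum := sha256.Sum256([]byte(e.ID + "\x00" + e.LastModified))
	return base + "-" + hex.EncodeToString(sum[:])[:10]
}

func main() {
	// Constructed sample: two LastPass items sharing one name and group.
	e, _ := pick([]Entry{{"1200", "DB Password", "prod", "1580000000"}, {"950", "DB Password", "prod", "1570000000"}})
	fmt.Println(e.ID, secretName(e))
}
```

Because the suffix changes on every update, a Deployment that references the Secret by name has to be re-rendered with the new name, which is what triggers the rollout in the kustomize workflow described above.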