
Handling secrets type changes

Open shamil opened this issue 4 years ago • 2 comments

Hi,

When a secret type changes, let's say from Opaque to kubernetes.io/tls, secreter fails to update the secret.

I think it should handle such changes and recreate the secret if needed. Or make EncryptedSecret honor the type field as immutable, the same as in Secret resources.

2019-11-10T09:21:42.185Z	ERROR	kubebuilder.controller	Reconciler error	{"controller": "encryptedsecret-controller", "request": "default/tls-ingress", "error": "failed to update Secret: Secret \"tls-ingress\" is invalid: type: Invalid value: \"kubernetes.io/tls\": field is immutable"}
github.com/amaizfinance/secreter/vendor/github.com/go-logr/zapr.(*zapLogger).Error
	vendor/github.com/go-logr/zapr/zapr.go:128
github.com/amaizfinance/secreter/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:217
github.com/amaizfinance/secreter/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1
	vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158
github.com/amaizfinance/secreter/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
	vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133
github.com/amaizfinance/secreter/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil
	vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134
github.com/amaizfinance/secreter/vendor/k8s.io/apimachinery/pkg/util/wait.Until
	vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88

shamil avatar Nov 11 '19 08:11 shamil

Hi!

Thanks for reporting this.

Unfortunately, the API documentation does not mention that this field is immutable.

I would be happy to add some validation of EncryptedSecret in this regard, and I am actually planning to do that in the future.

Currently Kubernetes (OpenAPI, to be precise) is not capable of validating immutable fields for custom resource objects. Yet it is possible to do that via a validating webhook.

nrvnrvn avatar Nov 12 '19 17:11 nrvnrvn
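An added example (not secreter's own code) of the decision such a validating webhook would make for an EncryptedSecret update. It assumes the resource carries the target Secret type at `spec.type` and that the webhook handler passes the AdmissionRequest's operation, oldObject and object through as raw JSON; the sample objects are constructed from the type change in the report.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// secretType reads the assumed EncryptedSecret layout (Secret type at spec.type).
// An omitted type means Opaque, the core Secret default, so it is not a change.
func secretType(raw []byte) (string, error) {
	var es struct {
		Spec struct {
			Type string `json:"type"`
		} `json:"spec"`
	}
	if err := json.Unmarshal(raw, &es); err != nil {
		return "", err
	}
	if es.Spec.Type == "" {
		return "Opaque", nil
	}
	return es.Spec.Type, nil
}

// ValidateTypeImmutable is the decision a validating webhook makes from an
// AdmissionRequest (operation, oldObject, object as raw JSON): deny an UPDATE that
// changes spec.type, using the API server's wording for a core Secret's type field.
func ValidateTypeImmutable(operation string, oldRaw, newRaw []byte) (allowed bool, msg string, err error) {
	if operation != "UPDATE" {
		return true, "", nil // CREATE/DELETE never change an existing type
	}
	oldT, err := secretType(oldRaw)
	if err != nil {
		return false, "", fmt.Errorf("oldObject: %w", err)
	}
	newT, err := secretType(newRaw)
	if err != nil {
		return false, "", fmt.Errorf("object: %w", err)
	}
	if oldT != newT {
		return false, fmt.Sprintf("spec.type: Invalid value: %q: field is immutable", newT), nil
	}
	return true, "", nil
}

func main() {
	oldObj := []byte(`{"spec":{"type":"Opaque"}}`)            // constructed sample object
	newObj := []byte(`{"spec":{"type":"kubernetes.io/tls"}}`) // the change from the report
	fmt.Println(ValidateTypeImmutable("UPDATE", oldObj, newObj))
}
```

Rejecting the change at admission time keeps the reconciler from reaching the API server's "field is immutable" error on Update, and a user who really wants the new type has to delete and recreate the EncryptedSecret explicitly.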

Maybe having an optional param in the EncryptedSecret resource to force-recreate the secret could help and let people decide what to do in such cases.

shamil avatar Nov 12 '19 19:11 shamil