Soluto / kamus

An open source, git-ops, zero-trust secret encryption and decryption solution for Kubernetes applications
https://kamus.soluto.io
Apache License 2.0
929 stars 68 forks

Deleting secret is not reflected kamussecret object #451

Closed ragsonline closed 4 years ago

ragsonline commented 4 years ago

Describe the bug

After deleting the Secret created through the CRD object KamusSecret, I am unable to re-create the Secret with the same name, as Kamus fails with the error `kamussecrets.soluto.com "secret" already exists`.

Versions used

- Kamus (API images): soluto.com/v1alpha2
- Kamus CLI: 0.3.0
- Chart version: kamus-0.4.6
- KMS provider: AWS KMS
- Kubernetes flavour and version: Docker-for-Desktop

To Reproduce

Steps to reproduce the behavior:

1. Create the Secret using the KamusSecret kind
2. Delete the Secret
3. Re-creating the same Secret fails with "KamusSecret already exists"

Expected behavior

Deleting the Kubernetes Secret should also delete the KamusSecret.

omerlh commented 4 years ago

It's kind of expected - KamusSecret is managing the Secret, not the other way around. So, if you delete the KamusSecret the Secret will be deleted - but if you delete the Secret the state will be invalid: Kamus thinks the Secret exists (because the KamusSecret exists).

Can you share more about the error you had? What do you mean by re-creating the same secret? How?

ragsonline commented 4 years ago

Thanks for your prompt response @omerlh. What I meant about that error is that it happens because the KamusSecret object is not deleted and still exists.

If I do `kubectl apply` or `kubectl create -f kumasecret.yaml`, which I used to create it in the first place, it says it already exists.

Which now means we need to delete and re-create the KamusSecret object if we want to reuse the manifest file.

omerlh commented 4 years ago

Not following... So - you deleted the Secret. Does the KamusSecret exist after deletion? Did you try to create the Secret manually? Or did you try to apply the manifest again, and it failed because the KamusSecret object exists but the Secret does not?

If so, we can open another PR - asking that Kamus will watch Secrets managed by Kamus, and if such a Secret is deleted it will re-create it. Does that make sense?

ragsonline commented 4 years ago

Below are the steps I followed. @omerlh

1. KamusSecret manifest to create the secret:

```yaml
# kamu-secret.yaml
apiVersion: "soluto.com/v1alpha2"
kind: KamusSecret
metadata:
  name: this-kamus-secret-v2
  namespace: test
stringData:
  key:   # encrypted value omitted here
serviceAccount: kamus-example-sa
```

2. Create the KamusSecret:

```
$ kubectl create -f kamu-secret.yaml
kamussecret.soluto.com/this-kamus-secret-v2 created
```

3. List the KamusSecret and the Kubernetes Secret:

```
$ kubectl get secret this-kamus-secret-v2
NAME                   TYPE     DATA   AGE
this-kamus-secret-v2   Opaque   1      26s

$ kubectl get kamussecret this-kamus-secret-v2
NAME                   AGE
this-kamus-secret-v2   35s
```

4. Delete the Kubernetes Secret object:

```
$ kubectl delete secret this-kamus-secret-v2
secret "this-kamus-secret-v2" deleted
```

5. The KamusSecret still exists [now understood this is expected]:

```
$ kubectl get kamussecret
NAME                   AGE
this-kamus-secret-v2   2m49s
```

6. Trying to run the same manifest file to create the secret [failed due to the above step]:

```
$ kubectl create -f kamu-secret.yaml
Error from server (AlreadyExists): error when creating "kamu-secret.yaml": kamussecrets.soluto.com "this-kamus-secret-v2" already exists
```

omerlh commented 4 years ago

Yes, as I said earlier – this is expected. As long as the KamusSecret exists, Kamus assumes that the Secret exists. So to fix the state, you need to first delete the KamusSecret and then re-create it. This is just a workaround; can you please file another issue? I think that Kamus should "watch" for missing Secrets managed by a KamusSecret, and we should fix that…

Also – I do hope that the key you put on GitHub is not sensitive ☺ If so – please delete it!

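The check omerlh describes (looking for a KamusSecret whose managed Secret has gone missing) together with the delete-then-re-create workaround, as an added shell example that is not part of Kamus or of this thread. It assumes `kubectl` is on PATH and pointed at the right cluster and that, as in the reproduction above, the KamusSecret and the Secret it manages share a name and namespace; the function names and the `KAMUS_NS` variable are the example's own.

```shell
#!/bin/sh
# Added example, not part of Kamus or of this issue. Detects KamusSecret
# objects whose managed Secret was deleted out from under them (the invalid
# state described in the thread) and repairs one the way omerlh suggests:
# delete the KamusSecret, then re-create it from its manifest.
# Assumptions: kubectl is on PATH and pointed at the right cluster, and the
# KamusSecret and the Secret it manages share a name and namespace.
set -eu

# Print the name of every KamusSecret in namespace $1 that no longer has a
# Secret of the same name. Prints nothing when the state is consistent.
orphaned_kamussecrets() {
  ns="$1"
  # `-o name` prints lines like kamussecret.soluto.com/this-kamus-secret-v2;
  # strip everything up to the last slash to get the object name.
  kubectl get kamussecrets -n "$ns" -o name 2>/dev/null |
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    name="${ref##*/}"
    if ! kubectl get secret "$name" -n "$ns" >/dev/null 2>&1; then
      echo "$name"
    fi
  done
}

# Workaround for the AlreadyExists error in the issue: `kubectl create -f`
# refuses to re-create the KamusSecret while the old object is still there,
# so delete it first and then re-apply the manifest. Kamus then decrypts the
# data again and re-creates the Secret.
#   $1 = manifest path, $2 = namespace, $3 = KamusSecret name
recreate_from_manifest() {
  manifest="$1"; ns="$2"; name="$3"
  kubectl delete kamussecret "$name" -n "$ns" --ignore-not-found
  kubectl create -f "$manifest"
}

# Usage: KAMUS_NS=test sh kamus-drift.sh   (lists orphaned KamusSecrets)
#        then repair each one with: recreate_from_manifest <file> test <name>
if [ -n "${KAMUS_NS:-}" ]; then
  orphaned_kamussecrets "$KAMUS_NS"
fi
```

Run the listing first in a namespace you suspect has drifted; only the names it prints are in the state this issue describes, and only those need the delete-and-re-create step. Re-creating the KamusSecret rewrites the Secret with the decrypted values, so treat it as a change to the namespace, not a read-only check.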

shaikatz commented 4 years ago

Closing as #457 is more accurate.