ansible-collections / kubernetes.core

The collection includes a variety of Ansible content to help automate the management of applications in Kubernetes and OpenShift clusters, as well as the provisioning and maintenance of clusters themselves.

Replace of immutable secret fails #781

Open sebhoss opened 2 weeks ago

sebhoss commented 2 weeks ago
SUMMARY

I have a secret that sets its immutable field to true and thus cannot be changed through a normal apply operation but requires a replacement in case its data does change. According to https://docs.ansible.com/ansible/latest/collections/kubernetes/core/k8s_module.html#parameter-force a replacement should have happened, but it fails instead.

ISSUE TYPE
COMPONENT NAME

kubernetes.core.k8s

ANSIBLE VERSION
ansible [core 2.17.4]
  config file = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg
  configured module search path = ['/home/seb/.config/ansible/home/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.venv/lib/python3.12/site-packages/ansible
  ansible collection location = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.ansible
  executable location = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.venv/bin/ansible
  python version = 3.12.6 (main, Sep  9 2024, 22:11:19) [Clang 18.1.8 ] (/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.venv/bin/python)
  jinja version = 3.1.4
  libyaml = True
COLLECTION VERSION
# /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.ansible/ansible_collections
Collection      Version
--------------- -------
kubernetes.core 5.0.0 
CONFIGURATION
ANSIBLE_HOME(env: ANSIBLE_HOME) = /home/seb/.config/ansible/home
COLLECTIONS_PATHS(/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg) = ['/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.ansible']
CONFIG_FILE() = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg
DEFAULT_STDOUT_CALLBACK(/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg) = yaml
DEFAULT_VAULT_PASSWORD_FILE(/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg) = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.VAULT_PASSWORD
EDITOR(env: EDITOR) = /var/home/seb/.local/bin/hx
GALAXY_CACHE_DIR(env: ANSIBLE_GALAXY_CACHE_DIR) = /home/seb/.cache/ansible/galaxy
INTERPRETER_PYTHON(/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg) = auto_silent
MAX_FILE_SIZE_FOR_DIFF(env: ANSIBLE_MAX_DIFF_SIZE) = 104857600
PAGER(env: PAGER) = less
OS / ENVIRONMENT

Fedora 40

STEPS TO REPRODUCE
- name: Create secret
  delegate_to: localhost
  kubernetes.core.k8s:
    template: some-secret.yaml
    state: present
    force: true

Use the following secret (or any other that sets immutable: true):

apiVersion: v1
kind: Secret
metadata:
  name: some-secret
  namespace: "{{ some_namespace }}"
stringData:
  token: "{{ some_token }}"
immutable: true
EXPECTED RESULTS

My expectation was that changing the data of an immutable secret with force: true would work.

ACTUAL RESULTS
fatal: [test-cluster -> localhost]: FAILED! => changed=false 
  msg: 'Failed to replace object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Secret \\"some-secret\\" is invalid: data: Forbidden: field is immutable when `immutable` is set","reason":"Invalid","details":{"name":"some-secret","kind":"Secret","causes":[{"reason":"FieldValueForbidden","message":"Forbidden: field is immutable when `immutable` is set","field":"data"}]},"code":422}\n'''
  reason: Unprocessable Entity
abikouo commented 2 weeks ago

@sebhoss this is a server-side issue. The force=true option replaces the resource whether it exists or not. A POST request is issued to the server; however, it fails because you have set immutable=true. The only way to fix that is to delete and re-create the secret.

sebhoss commented 2 weeks ago

@abikouo thanks - I guess I was looking for something like kubectl replace, but with Ansible doing the replacement only if there is a difference, thus avoiding a delete/create of the secret on every execution.
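What the last comment asks for, written out as an added example that is not part of this issue or of the kubernetes.core collection: a play that deletes and re-creates the immutable Secret only when its data actually differs, and leaves it alone otherwise. The `some_namespace` and `some_token` values are constructed placeholders, and the Secret is written with `data` (base64) instead of `stringData` so the desired state can be compared directly with what `kubernetes.core.k8s_info` returns from the cluster.

```yaml
- name: Replace an immutable Secret only when its data changed
  hosts: localhost
  gather_facts: false
  vars:
    # Constructed placeholder values standing in for the issue's some_namespace / some_token.
    some_namespace: demo
    some_token: "example-token-value"
    # The API server stores Secret contents base64-encoded under .data, so
    # encode the desired values once and compare against .data directly.
    # base64 is an encoding, not encryption: treat this dict as sensitive.
    desired_data:
      token: "{{ some_token | b64encode }}"
  tasks:
    - name: Look up the existing secret (resources is empty if it does not exist)
      kubernetes.core.k8s_info:
        api_version: v1
        kind: Secret
        name: some-secret
        namespace: "{{ some_namespace }}"
      register: existing

    - name: Decide whether the stored data differs from the desired data
      set_fact:
        # An absent secret also counts as "changed" so it gets created below.
        secret_changed: >-
          {{ existing.resources | length == 0
             or (existing.resources[0].data | default({})) != desired_data }}
      no_log: true

    - name: Delete the immutable secret so it can be re-created with new data
      kubernetes.core.k8s:
        state: absent
        api_version: v1
        kind: Secret
        name: some-secret
        namespace: "{{ some_namespace }}"
        wait: true   # wait for deletion, otherwise the create below may race it
      when: secret_changed | bool and existing.resources | length > 0

    - name: Create the immutable secret (skipped when nothing changed)
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: some-secret
            namespace: "{{ some_namespace }}"
          data: "{{ desired_data }}"
          immutable: true
      no_log: true   # keep the token out of task output and diffs
      when: secret_changed | bool
```

Between the delete and the create the Secret does not exist, so run this in a window where Pods that mount or reference it can tolerate a brief absence, or roll the consumers afterwards.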