bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets
Apache License 2.0

Unseal updated secret: Precondition failed #898

Open simonszu opened 2 years ago

simonszu commented 2 years ago

Which component: Controller

Describe the bug I have a sealed secret successfully injected into the cluster, which was encrypted. I wanted to add another key to it, so I edited the cleartext YAML, generated another sealed secret from it, and injected it into the cluster. The controller was unable to decrypt it:

2022/08/01 11:27:52 Error updating SealedSecret dls-backend-test/arangodb status: Operation cannot be fulfilled on sealedsecrets.bitnami.com "arangodb": StorageError: invalid object, Code: 4, Key: /registry/bitnami.com/sealedsecrets/dls-backend-test/arangodb, ResourceVersion: 0, AdditionalErrorMsg: Precondition failed: UID in precondition: 5ae127fc-d895-4c93-82c6-979aae7d00a8, UID in object meta:

To Reproduce Steps to reproduce the behavior:

  1. Create a sealed secret
  2. Inject it to the cluster, verify that it gets decrypted correctly
  3. Edit the underlying cleartext yaml, add another key
  4. Create a sealed secret from the modified YAML - same name, same namespace
  5. Inject the new sealed secret to the cluster, effectively overwriting the old manifest

Expected behavior The newly injected sealed secret gets decrypted

Version of Kubernetes:

Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:22:29Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.10-r0-CCE21.11.1.B005-21.11.1.B005", GitCommit:"aa6aaf3c00ad28e5fe57be8e1b553a7f9ccb439d", GitTreeState:"clean", BuildDate:"2021-11-19T07:05:59Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}

I know that the Kubernetes version is a bit outdated. It is a managed k8s from an in-house OpenStack provider, and they do not offer a newer version yet.
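The quoted error is the API server's storage precondition message: the UID in the precondition comes from the update request, and the UID in object meta is whatever is currently stored at that key (empty when nothing is). The following is an added example, not code from this issue or from the sealed-secrets project: it models that check in Python over constructed manifests and shows the two things a re-sealed manifest should satisfy before it is pushed over the stored object, namely the same name and namespace as the stored SealedSecret (step 4) and no server-populated metadata such as `uid` or `resourceVersion`. The metadata field names are the standard Kubernetes ones; the manifests, the `prepare_resealed` and `update_outcome` helpers, and the scenario of a manifest copied from the cluster and replayed after the object was recreated are assumptions for illustration and do not diagnose the controller-side failure reported here.

```python
# Added example, not part of the issue or the sealed-secrets project.
# Models the apiserver UID precondition behind the "Precondition failed:
# UID in precondition: ..., UID in object meta: ..." message, plus the checks
# a freshly re-sealed manifest should pass before it replaces the stored one.
import copy

# Server-populated metadata that a kubeseal-generated manifest must not carry
# (assumption: standard Kubernetes object metadata field names).
SERVER_METADATA = ("uid", "resourceVersion", "creationTimestamp", "generation", "managedFields")

KEY = "/registry/bitnami.com/sealedsecrets/dls-backend-test/arangodb"

# Constructed: the SealedSecret as stored in the cluster after step 2.
STORED = {
    "apiVersion": "bitnami.com/v1alpha1",
    "kind": "SealedSecret",
    "metadata": {
        "name": "arangodb",
        "namespace": "dls-backend-test",
        "uid": "5ae127fc-d895-4c93-82c6-979aae7d00a8",
        "resourceVersion": "123456",
    },
    "spec": {"encryptedData": {"password": "AgA-constructed-ciphertext-1"}},
}

# Constructed: the manifest kubeseal emits from the edited cleartext YAML (steps 3-4):
# same name and namespace, one extra key, and no server-populated metadata.
RESEALED = {
    "apiVersion": "bitnami.com/v1alpha1",
    "kind": "SealedSecret",
    "metadata": {"name": "arangodb", "namespace": "dls-backend-test"},
    "spec": {"encryptedData": {
        "password": "AgA-constructed-ciphertext-2",
        "username": "AgA-constructed-ciphertext-3",
    }},
}


class PreconditionFailed(Exception):
    pass


def check_uid_precondition(key, incoming, stored):
    """Mirror of the storage-layer precondition: when the update names a UID,
    it must equal the UID of the object currently at `key` (empty if none).
    The message layout follows the controller log quoted in the issue."""
    want = incoming.get("metadata", {}).get("uid")
    if not want:
        return True  # no UID in the request means no precondition to satisfy
    have = (stored or {}).get("metadata", {}).get("uid", "")
    if want != have:
        raise PreconditionFailed(
            f"StorageError: invalid object, Code: 4, Key: {key}, "
            f"Precondition failed: UID in precondition: {want}, UID in object meta: {have}"
        )
    return True


def update_outcome(key, incoming, stored):
    """Return 'ok' or the precondition error text for an attempted update."""
    try:
        check_uid_precondition(key, incoming, stored)
        return "ok"
    except PreconditionFailed as err:
        return str(err)


def strip_server_metadata(manifest):
    """Drop metadata the API server owns so the manifest carries no stale identity."""
    out = copy.deepcopy(manifest)
    for field in SERVER_METADATA:
        out.get("metadata", {}).pop(field, None)
    return out


def prepare_resealed(new_manifest, stored):
    """Pre-apply checks for a re-sealed manifest (assumed helper): it must be a
    SealedSecret with the stored object's name and namespace, and is returned
    without any server-populated metadata."""
    if new_manifest.get("kind") != "SealedSecret":
        raise ValueError("not a SealedSecret manifest")
    new_id = (new_manifest["metadata"]["name"], new_manifest["metadata"].get("namespace"))
    stored_id = (stored["metadata"]["name"], stored["metadata"].get("namespace"))
    if new_id != stored_id:
        raise ValueError(f"name/namespace mismatch: {new_id} vs stored {stored_id}")
    return strip_server_metadata(new_manifest)


def added_keys(new_manifest, stored):
    """Keys present in the re-sealed secret but not in the stored one (step 3)."""
    new_keys = set(new_manifest["spec"]["encryptedData"])
    old_keys = set(stored["spec"]["encryptedData"])
    return sorted(new_keys - old_keys)


if __name__ == "__main__":
    # Fresh kubeseal output: no UID, so the precondition is vacuous.
    print("resealed:", update_outcome(KEY, prepare_resealed(RESEALED, STORED), STORED))
    print("added keys:", added_keys(RESEALED, STORED))
    # A manifest copied from the cluster (UID included) replayed after the
    # object at that key is gone reproduces the empty "UID in object meta".
    print("stale copy:", update_outcome(KEY, STORED, None))
```

Run it as a script to see both outcomes; the stale-copy case is the one whose message shape matches the log, with an empty UID on the object-meta side because nothing is stored at the key in that scenario.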

DanielCastronovo commented 1 year ago

Same here :)

It seems to be related to the replace object: https://forum.linuxfoundation.org/discussion/856389/lab-3-4-15-kubectl-replace-error

DanielCastronovo commented 1 year ago

Any news? Because the SealedSecretsUnsealErrorHigh alert (mixin) generates a lot of false positives.