bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets
https://sealed-secrets.netlify.app/
Apache License 2.0

Schema validation fails on OpenShift 4.6/Kubernetes 1.19 #971

Closed BWagenerGenerali closed 1 year ago

BWagenerGenerali commented 1 year ago

Which component: controller v18.0.4, kubeseal v18.0.4, chart v2.6.8

Initially reported for chart v2.6.7, also reproducible with chart v2.6.8. I also want to add that we are not facing this issue with chart v2.6.2 and operator v18.0.0.

Describe the bug: Secrets sealed with the latest kubeseal version fail schema validation when applied to an OpenShift 4.6 (Kubernetes 1.19) cluster.

To Reproduce

  1. Seal secret.
  2. Apply to cluster.
  3. Fails validation with the error: error validating data: unknown object type "nil" in SealedSecret.spec.template.metadata.creationTimestamp

Expected behavior: SealedSecret passes validation

Version of Kubernetes:

Kubernetes Version: v1.19.0+7070803

Additional context: We install the same chart with the same configuration to an OpenShift 4.10 (Kubernetes 1.22) cluster. SealedSecrets created there pass schema validation without issue.

alemorcuq commented 1 year ago

Could you double check the CRD installed in your cluster is up to date? It's possible that installing the chart did not update an already existing CRD.

BWagenerGenerali commented 1 year ago

Thanks for looking into this so quickly. I've just double checked and am under the impression the CRD is in the latest version. I've diffed it with the one here https://github.com/bitnami-labs/sealed-secrets/blob/helm-v2.6.7/helm/sealed-secrets/crds/bitnami.com_sealedsecrets.yaml and the one installed in the OpenShift 4.10 cluster, all of which are the same aside from generated fields such as .metadata.resourceVersion or .metadata.creationTimestamp.

Here is the CRD taken from the OpenShift 4.6 cluster (I removed the generated fields):

kubectl get crd sealedsecrets.bitnami.com -o yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.9.2
  name: sealedsecrets.bitnami.com
spec:
  conversion:
    strategy: None
  group: bitnami.com
  names:
    kind: SealedSecret
    listKind: SealedSecretList
    plural: sealedsecrets
    singular: sealedsecret
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: SealedSecret is the K8s representation of a "sealed Secret" -
          a regular k8s Secret that has been sealed (encrypted) using the controller's
          key.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: SealedSecretSpec is the specification of a SealedSecret
            properties:
              data:
                description: Data is deprecated and will be removed eventually. Use
                  per-value EncryptedData instead.
                format: byte
                type: string
              encryptedData:
                additionalProperties:
                  type: string
                type: object
                x-kubernetes-preserve-unknown-fields: true
              template:
                description: Template defines the structure of the Secret that will
                  be created from this sealed secret.
                properties:
                  data:
                    additionalProperties:
                      type: string
                    description: Keys that should be templated using decrypted data
                    nullable: true
                    type: object
                  metadata:
                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                  type:
                    description: Used to facilitate programmatic handling of secret
                      data.
                    type: string
                type: object
            required:
            - encryptedData
            type: object
          status:
            description: SealedSecretStatus is the most recently observed status of
              the SealedSecret.
            properties:
              conditions:
                description: Represents the latest available observations of a sealed
                  secret's current state.
                items:
                  description: SealedSecretCondition describes the state of a sealed
                    secret at a certain point.
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      format: date-time
                      type: string
                    lastUpdateTime:
                      description: The last time this condition was updated.
                      format: date-time
                      type: string
                    message:
                      description: A human readable message indicating details about
                        the transition.
                      type: string
                    reason:
                      description: The reason for the condition's last transition.
                      type: string
                    status:
                      description: 'Status of the condition for a sealed secret. Valid
                        values for "Synced": "True", "False", or "Unknown".'
                      type: string
                    type:
                      description: 'Type of condition for a sealed secret. Valid value:
                        "Synced"'
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              observedGeneration:
                description: ObservedGeneration reflects the generation most recently
                  observed by the sealed-secrets controller.
                format: int64
                type: integer
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
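
Two checks that follow from this thread, as an added example that is not part of sealed-secrets or of either commenter's post: first, locating null-valued fields under spec.template in a sealed manifest (the field the 1.19 validator rejected in the report above) and producing a copy without them; second, comparing an installed CRD against the chart's CRD file while ignoring server-generated metadata, which is the diff the reporter describes doing by hand. It works on JSON so only the standard library is needed; the assumption is that the manifests are exported with `kubeseal --format json` and `kubectl get crd ... -o json` rather than as the YAML shown above. The sample manifest and CRDs are constructed, and the encrypted value is a placeholder.

```python
"""Diagnostics for the SealedSecret validation failure discussed in this issue.
Added example, not sealed-secrets code. Input is JSON (assumption: exported with
`kubeseal --format json` / `kubectl get crd ... -o json`)."""
import json
import sys
from typing import Any, Dict, List, Tuple

# Constructed sample: a sealed manifest carrying a null creationTimestamp under
# spec.template.metadata, the field named in the reported error.
SEALED_WITH_NULL = json.loads("""
{
  "apiVersion": "bitnami.com/v1alpha1",
  "kind": "SealedSecret",
  "metadata": {"name": "example", "namespace": "default", "creationTimestamp": null},
  "spec": {
    "encryptedData": {"password": "AgB-PLACEHOLDER-NOT-A-REAL-CIPHERTEXT"},
    "template": {
      "metadata": {"name": "example", "namespace": "default", "creationTimestamp": null},
      "type": "Opaque"
    }
  }
}
""")

# Constructed CRDs: the chart's file and the same CRD as read back from a cluster,
# where the API server has added generated metadata and a status block.
CHART_CRD: Dict[str, Any] = {
    "apiVersion": "apiextensions.k8s.io/v1",
    "kind": "CustomResourceDefinition",
    "metadata": {"name": "sealedsecrets.bitnami.com",
                 "annotations": {"controller-gen.kubebuilder.io/version": "v0.9.2"}},
    "spec": {"group": "bitnami.com", "scope": "Namespaced"},  # trimmed for brevity
}
INSTALLED_CRD: Dict[str, Any] = json.loads(json.dumps(CHART_CRD))
INSTALLED_CRD["metadata"].update({"resourceVersion": "12345", "uid": "0000-constructed",
                                  "creationTimestamp": "2022-01-01T00:00:00Z"})
INSTALLED_CRD["status"] = {"acceptedNames": {"kind": "SealedSecret"}}

# Server-populated metadata that legitimately differs between clusters.
GENERATED_METADATA = ("creationTimestamp", "resourceVersion", "uid", "generation",
                      "managedFields", "selfLink")


def find_null_fields(obj: Any, path: str = "") -> List[str]:
    """Dotted paths of every null value anywhere in the manifest."""
    nulls: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if value is None:
                nulls.append(child)
            else:
                nulls.extend(find_null_fields(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            nulls.extend(find_null_fields(value, f"{path}[{i}]"))
    return nulls


def template_nulls(manifest: Dict[str, Any]) -> List[str]:
    """Only the nulls under spec.template, the part the 1.19 validator rejected."""
    return [p for p in find_null_fields(manifest) if p.startswith("spec.template.")]


def drop_nulls(obj: Any) -> Any:
    """Copy of the manifest with null-valued keys removed. creationTimestamp is
    set by the API server and a client-supplied value is ignored, so dropping
    the null loses nothing."""
    if isinstance(obj, dict):
        return {k: drop_nulls(v) for k, v in obj.items() if v is not None}
    if isinstance(obj, list):
        return [drop_nulls(v) for v in obj]
    return obj


def normalize_crd(crd: Dict[str, Any]) -> Dict[str, Any]:
    """Strip status and server-generated metadata so CRDs compare by content."""
    out = json.loads(json.dumps(crd))  # deep copy, leave the caller's object alone
    out.pop("status", None)
    for key in GENERATED_METADATA:
        out.get("metadata", {}).pop(key, None)
    return out


def crds_match(installed: Dict[str, Any], expected: Dict[str, Any]) -> Tuple[bool, str]:
    """(match, hint): match ignores generated fields; the hint reports the
    controller-gen version annotation on each side for a quick first look."""
    same = normalize_crd(installed) == normalize_crd(expected)
    ann = "controller-gen.kubebuilder.io/version"
    have = installed.get("metadata", {}).get("annotations", {}).get(ann, "<none>")
    want = expected.get("metadata", {}).get("annotations", {}).get(ann, "<none>")
    return same, f"installed {have}, expected {want}"


if __name__ == "__main__":
    # Usage: python check_sealed.py sealed.json  (falls back to the constructed sample)
    manifest = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SEALED_WITH_NULL
    for p in template_nulls(manifest):
        print("null under spec.template:", p)
    print(json.dumps(drop_nulls(manifest), indent=2))
```

Run it against a real `kubeseal --format json` output to see whether the manifest carries the same null that the reporter's cluster rejected; the stripped copy is what you would feed to kubectl if you needed to apply before the chart fix lands.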

BWagenerGenerali commented 1 year ago

Initially reported for chart v2.6.7, also reproducible with chart v2.6.8. I also want to add that we are not facing this issue with chart v2.6.2 and operator v18.0.0.

alemorcuq commented 1 year ago

I was able to reproduce locally on Kubernetes 1.19 on Minikube. The changes in #979 fixed it for me.