Open hoegaarden opened 2 years ago
thanks @hoegaarden -- per the discussion in slack it sounds like this work is pre-approved but not yet scheduled:
i do agree that's not a nice behaviour. i would recommend filing a single issue for generators to regenerate if they see k8s Secret missing.
What steps did you take:
I created a
Password
with some labels. Then I wanted to add another label and was hoping that this change gets pushed down to theSecret
. Because this did not happen, I deleted theSecret
in the hopes that thesecretgen-controller
would reconcile and recreate theSecret
, now with the updated set of labels from thePassword
:Steps taken:
inspect the labels on the
Password
and theSecret
:change labels on the
Password
:inspect the labels again:
see, that the secret is gone:
see, that there are no reconcile errors or something:
What happened:
"Nothing". First the
Password
did not update the labels on theSecret
it created. And then, after theSecret
was deleted, the controller made not attempts to recreate theSecret
again.What did you expect:
I expected
Secret
's metadata when I update thePassword
's metadataSecret
or give me an error and tell me it cannot recreate the secret (Because it does not know the original password, which cloud be a valid failure case IMHO)Anything else you would like to add:
I could see that there are reasons to not reconcile the
Secret
, because the controller has no knowledge of the original password, and for some cases it might be better to not reconcile than to reconcile with a changed password. However, if that's the case I think we should at least call that out in the docs or, ideally, have the controller tell users about that in its status subresource. I think it is "surprising" that the controller seems to be doing nothing at all once the secret is created.This bug report outlines two different issues. Technically, I guess, they need to address different things (watching updates/deletion of secrets vs. watching updated of passwords). I am happy to split the issue. However, from a user's point of view, I think they are "the same" in the sense that the controller does not seem to reconcile at all.
There was a short discussion about this in #carvel.
Environment:
secretgen-controller version
kubectl version
)Vote on this request
This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.
👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"
We are also happy to receive and review Pull Requests if you want to help working on this issue.