crossplane-contrib / provider-aws

Crossplane AWS Provider
Apache License 2.0

(Secretsmanager): If the K8s secret does not exist, the secret is not created with the data from AWS #2076

Open haooliveira84 opened 1 month ago

haooliveira84 commented 1 month ago

What happened?

If the K8s secret does not exist, the secret is not created with the data from AWS. Part of the code says it is possible, but it doesn't work. https://github.com/crossplane-contrib/provider-aws/blob/master/pkg/controller/secretsmanager/secret/setup.go#L169C2-L169C64

How can we reproduce it?

Create a SecretsManager object with this example below:

apiVersion: secretsmanager.aws.crossplane.io/v1beta1
kind: Secret
metadata:
  name: example-secret-h20
spec:
  forProvider:
    region: us-east-1
    description: "test"
    forceDeleteWithoutRecovery: true
    stringSecretRef:
      name: example-secret-manager-h20
      namespace: test-secret
    tags:
    - key: Name
      value: example-secret-h20

What environment did it happen in?

Crossplane version: 1.14.7
Crossplane Contrib Provider Version: v0.48.1

stevendborrelli commented 1 month ago

I did some testing with v0.48.1 with your manifest and was not able to duplicate the results with a basic key/value secret. What type of secret are you creating?

Are there any event logs or debugging logs available?

davirezendegb commented 1 month ago

When I try to create the following problem, the secret does not build in Kubernetes

apiVersion: secretsmanager.aws.crossplane.io/v1beta1
kind: Secret
metadata:
  name: example-secret-h21
spec:
  forProvider:
    region: us-east-1
    description: "test"
    forceDeleteWithoutRecovery: true
    stringSecretRef:
      name: example-secret-manager-h21
      namespace: test-secret
    tags:
    - key: Name
      value: example-secret-h21

k get secrets.secretsmanager.aws.crossplane.io | grep -i example

example-secret-h21                                                                                  False   False    example-secret-h21 

k describe secrets.secretsmanager.aws.crossplane.io example-secret-h21

Name:         example-secret-h21
Namespace:    
Labels:       <none>
Annotations:  crossplane.io/external-create-failed: 2024-07-12T15:22:59Z
              crossplane.io/external-create-pending: 2024-07-12T15:22:59Z
              crossplane.io/external-name: example-secret-h21
API Version:  secretsmanager.aws.crossplane.io/v1beta1
Kind:         Secret
Metadata:
  Creation Timestamp:  2024-07-12T13:22:32Z
  Finalizers:
    finalizer.managedresource.crossplane.io
  Generation:  1
  Managed Fields:
    API Version:  secretsmanager.aws.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:deletionPolicy:
        f:forProvider:
          .:
          f:description:
          f:forceDeleteWithoutRecovery:
          f:region:
          f:stringSecretRef:
            .:
            f:name:
            f:namespace:
          f:tags:
        f:managementPolicies:
        f:providerConfigRef:
          .:
          f:name:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2024-07-12T13:22:32Z
    API Version:  secretsmanager.aws.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:atProvider:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:reason:
            f:status:
            f:type:
          k:{"type":"Synced"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:reason:
            f:status:
            f:type:
    Manager:      crossplane-aws-provider
    Operation:    Update
    Subresource:  status
    Time:         2024-07-12T13:33:58Z
    API Version:  secretsmanager.aws.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:crossplane.io/external-create-failed:
          f:crossplane.io/external-create-pending:
          f:crossplane.io/external-name:
        f:finalizers:
          .:
          v:"finalizer.managedresource.crossplane.io":
    Manager:         crossplane-aws-provider
    Operation:       Update
    Time:            2024-07-12T15:22:59Z
  Resource Version:  1118267071
  UID:               001f4e88-8498-4c00-98d6-19fdf8ddbc70
Spec:
  Deletion Policy:  Delete
  For Provider:
    Description:                    test
    Force Delete Without Recovery:  true
    Region:                         us-east-1
    String Secret Ref:
      Name:       example-secret-manager-h21
      Namespace:  test-secret
    Tags:
      Key:    Name
      Value:  example-secret-h21
  Management Policies:
    *
  Provider Config Ref:
    Name:  awsconfig
Status:
  At Provider:
  Conditions:
    Last Transition Time:  2024-07-12T13:33:58Z
    Message:               create failed: pre-create failed: Secret "example-secret-manager-h21" not found
    Reason:                ReconcileError
    Status:                False
    Type:                  Synced
    Last Transition Time:  2024-07-12T13:33:58Z
    Reason:                Creating
    Status:                False
    Type:                  Ready
Events:
  Type     Reason                        Age                     From                                             Message
  ----     ------                        ----                    ----                                             -------
  Warning  CannotCreateExternalResource  2m26s (x110 over 109m)  managed/secret.secretsmanager.aws.crossplane.io  pre-create failed: Secret "example-secret-manager-h21" not found

kubectl get secret -n test-secret example-secret-manager-h21 -o yaml

Error from server (NotFound): namespaces "test-secret" not found

stevendborrelli commented 1 month ago

@davirezendegb can you ensure that namespace test-secret exists? The provider will not create a namespace.

davirezendegb commented 1 month ago

I really had the namespace wrong:

apiVersion: secretsmanager.aws.crossplane.io/v1beta1
kind: Secret
metadata:
  name: example-secret-h21
spec:
  forProvider:
    region: us-east-1
    description: "test"
    forceDeleteWithoutRecovery: true
    stringSecretRef:
      name: example-secret-manager-h21
      namespace: teste-secret
    tags:
    - key: Name
      value: example-secret-h21

k describe secrets.secretsmanager.aws.crossplane.io example-secret-h21

Name:         example-secret-h21
Namespace:    
Labels:       <none>
Annotations:  crossplane.io/external-create-failed: 2024-07-12T17:10:17Z
              crossplane.io/external-create-pending: 2024-07-12T17:10:17Z
              crossplane.io/external-name: example-secret-h21
API Version:  secretsmanager.aws.crossplane.io/v1beta1
Kind:         Secret
Metadata:
  Creation Timestamp:  2024-07-12T17:10:12Z
  Finalizers:
    finalizer.managedresource.crossplane.io
  Generation:  1
  Managed Fields:
    API Version:  secretsmanager.aws.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:atProvider:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:reason:
            f:status:
            f:type:
          k:{"type":"Synced"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:reason:
            f:status:
            f:type:
    Manager:      crossplane-aws-provider
    Operation:    Update
    Subresource:  status
    Time:         2024-07-12T17:10:12Z
    API Version:  secretsmanager.aws.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:deletionPolicy:
        f:forProvider:
          .:
          f:description:
          f:forceDeleteWithoutRecovery:
          f:region:
          f:stringSecretRef:
            .:
            f:name:
            f:namespace:
          f:tags:
        f:managementPolicies:
        f:providerConfigRef:
          .:
          f:name:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2024-07-12T17:10:12Z
    API Version:  secretsmanager.aws.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:crossplane.io/external-create-failed:
          f:crossplane.io/external-create-pending:
          f:crossplane.io/external-name:
        f:finalizers:
          .:
          v:"finalizer.managedresource.crossplane.io":
    Manager:         crossplane-aws-provider
    Operation:       Update
    Time:            2024-07-12T17:10:17Z
  Resource Version:  1118370696
  UID:               81edbeea-0331-4d5d-a58b-73be00f64d3f
Spec:
  Deletion Policy:  Delete
  For Provider:
    Description:                    test
    Force Delete Without Recovery:  true
    Region:                         us-east-1
    String Secret Ref:
      Name:       example-secret-manager-h21
      Namespace:  teste-secret
    Tags:
      Key:    Name
      Value:  example-secret-h21
  Management Policies:
    *
  Provider Config Ref:
    Name:  awsconfig
Status:
  At Provider:
  Conditions:
    Last Transition Time:  2024-07-12T17:10:12Z
    Reason:                Creating
    Status:                False
    Type:                  Ready
    Last Transition Time:  2024-07-12T17:10:12Z
    Message:               create failed: pre-create failed: Secret "example-secret-manager-h21" not found
    Reason:                ReconcileError
    Status:                False
    Type:                  Synced
Events:
  Type     Reason                        Age               From                                             Message
  ----     ------                        ----              ----                                             -------
  Warning  CannotCreateExternalResource  1s (x5 over 14s)  managed/secret.secretsmanager.aws.crossplane.io  pre-create failed: Secret "example-secret-manager-h21" not found

k get secrets.secretsmanager.aws.crossplane.io | grep -i example
example-secret-h21 False False example-secret-h21

k get ns | grep -i teste-secret
teste-secret Active 27d

k get secret -n teste-secret example-secret-manager-h21 -o yaml

Error from server (NotFound): secrets "example-secret-manager-h21" not found

stevendborrelli commented 1 month ago

@davirezendegb does the secret exist already in AWS?

In my testing:

  • if the secret doesn't exist either in AWS,
  • and the k8s stringSecretRef secret does not exist

You will get an error like the pre-create failed: Secret "example-secret-manager-h21" not found error.

davirezendegb commented 1 month ago

It really worked when I created it in AWS. Shouldn't it create automatically in AWS, or do I need to have one created in AWS to then reference it?

stevendborrelli commented 1 month ago

@davirezendegb the secret data needs to exist somewhere. Usually when using Crossplane you are creating a secret in AWS, so having it defined in the stringSecretRef on the Crossplane cluster is the usual practice.

However, if there is an existing secret already there, this provider can take over management it and will create the secret in K8s for you from the data in AWS.

davirezendegb commented 1 month ago

@stevendborrelli I carried out some tests; however, I noticed that when I try to insert new values in AWS they are not replicated to the Kubernetes secret. But when you enter the values in the Kubernetes secret they are replicated to AWS.

davirezendegb commented 1 month ago

Isn't it possible to create an exception so that when it doesn't exist in AWS or Kubernetes, it would preferably create one automatically in AWS?

> @davirezendegb does the secret exist already in AWS?
>
> In my testing:
>
>   • if the secret doesn't exist either in AWS,
>   • and the k8s stringSecretRef secret does not exist
>
> You will get an error like the pre-create failed: Secret "example-secret-manager-h21" not found error.

stevendborrelli commented 1 month ago

@davirezendegb

> @stevendborrelli I carried out some tests; however, I noticed that when I try to insert new values in AWS they are not replicated to the Kubernetes secret. But when you enter the values in the Kubernetes secret they are replicated to AWS.

The providers work on desired state, so the k8s values should always override what is in AWS. The initial empty k8s secret is a corner case, similar to taking over an existing resource.

Q2:

> Isn't it possible to create an exception so that when it doesn't exist in AWS or Kubernetes, it would preferably create one automatically in AWS?

A secret manager secret cannot be created without secret data. See https://docs.aws.amazon.com/sdk-for-go/api/service/secretsmanager/#CreateSecretInput

// Either SecretString or SecretBinary must have a value, but not both.
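To make the rules stated in this thread concrete (the stringSecretRef Secret is the desired state, an existing AWS secret is taken over by seeding the K8s Secret from it, with neither present the reconcile fails with the `pre-create failed` message, and a create input needs SecretString or SecretBinary but not both), here is an added example that is not provider-aws code and was not posted by anyone in the thread. It models those rules against in-memory stand-ins for the cluster and AWS. The `Cluster`/`AWS` fakes, carrying a key/value secret as a JSON object in SecretString, and treating an empty K8s Secret like a missing one for take-over are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// K8sSecret stands in for the namespaced Kubernetes Secret that stringSecretRef points to.
type K8sSecret struct {
	Namespace string
	Name      string
	Data      map[string]string
}

// AWSSecret mirrors the part of CreateSecretInput that matters here:
// SecretString or SecretBinary, one or the other (assumed shape, not the SDK type).
type AWSSecret struct {
	Name         string
	SecretString *string
	SecretBinary []byte
}

// Cluster and AWS are constructed fakes keyed by "namespace/name" and by secret name.
type Cluster struct{ secrets map[string]K8sSecret }
type AWS struct{ secrets map[string]AWSSecret }

func NewCluster() *Cluster { return &Cluster{secrets: map[string]K8sSecret{}} }
func NewAWS() *AWS         { return &AWS{secrets: map[string]AWSSecret{}} }

func (c *Cluster) Get(ns, name string) (K8sSecret, bool) { s, ok := c.secrets[ns+"/"+name]; return s, ok }
func (c *Cluster) Put(s K8sSecret)                        { c.secrets[s.Namespace+"/"+s.Name] = s }
func (a *AWS) Get(name string) (AWSSecret, bool)          { s, ok := a.secrets[name]; return s, ok }
func (a *AWS) Put(s AWSSecret)                            { a.secrets[s.Name] = s }

// ValidateCreateInput enforces the SDK rule quoted above:
// either SecretString or SecretBinary must have a value, but not both.
func ValidateCreateInput(in AWSSecret) error {
	hasString, hasBinary := in.SecretString != nil, len(in.SecretBinary) > 0
	switch {
	case hasString && hasBinary:
		return errors.New("SecretString and SecretBinary are mutually exclusive")
	case !hasString && !hasBinary:
		return errors.New("either SecretString or SecretBinary must have a value")
	}
	return nil
}

// Action is what a single reconcile pass did.
type Action string

const (
	ActionCreatedInAWS  Action = "created-in-aws-from-k8s"
	ActionUpdatedAWS    Action = "updated-aws-from-k8s"
	ActionImportedToK8s Action = "imported-aws-into-k8s"
)

// Reconcile applies the rules from the thread for one managed Secret.
func Reconcile(cl *Cluster, aws *AWS, externalName, refNS, refName string) (Action, error) {
	k8s, haveK8s := cl.Get(refNS, refName)
	remote, haveAWS := aws.Get(externalName)
	emptyK8s := haveK8s && len(k8s.Data) == 0 // the "initial empty k8s secret" corner case

	switch {
	case !haveK8s && !haveAWS:
		// Nothing to create from: this is the error the reporter hit.
		return "", fmt.Errorf("pre-create failed: Secret %q not found", refName)
	case (!haveK8s || emptyK8s) && haveAWS:
		// Take-over of an existing AWS secret: seed the K8s Secret from AWS.
		data := map[string]string{}
		if remote.SecretString != nil {
			if err := json.Unmarshal([]byte(*remote.SecretString), &data); err != nil {
				return "", fmt.Errorf("decode %s: %w", externalName, err)
			}
		}
		cl.Put(K8sSecret{Namespace: refNS, Name: refName, Data: data})
		return ActionImportedToK8s, nil
	}

	// K8s is the desired state: whatever is in AWS (including console edits) is overwritten.
	raw, err := json.Marshal(k8s.Data) // assumed encoding: key/value pairs as one JSON object
	if err != nil {
		return "", err
	}
	s := string(raw)
	input := AWSSecret{Name: externalName, SecretString: &s}
	if err := ValidateCreateInput(input); err != nil {
		return "", err
	}
	aws.Put(input)
	if haveAWS {
		return ActionUpdatedAWS, nil
	}
	return ActionCreatedInAWS, nil
}

func main() {
	cl, aws := NewCluster(), NewAWS()
	const ext, ns, ref = "example-secret-h21", "teste-secret", "example-secret-manager-h21"
	_, err := Reconcile(cl, aws, ext, ns, ref) // both missing
	fmt.Println("both missing:", err)
	seed := `{"password":"from-aws"}` // constructed sample value
	aws.Put(AWSSecret{Name: ext, SecretString: &seed})
	act, _ := Reconcile(cl, aws, ext, ns, ref) // take-over
	fmt.Println("aws exists:", act)
	edited := `{"password":"edited-in-console"}`
	aws.Put(AWSSecret{Name: ext, SecretString: &edited})
	act, _ = Reconcile(cl, aws, ext, ns, ref) // console edit reverted
	got, _ := aws.Get(ext)
	fmt.Println("after console edit:", act, *got.SecretString)
}
```

Running it walks the three situations from the thread in order. The practical consequence of the last one is that a value changed in the AWS console is put back on the next reconcile, so rotation has to go through the K8s Secret, and an AWS secret whose value keeps flipping back is a sign that someone is editing it on the wrong side.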