crossplane-contrib / provider-upjet-azure

Official Azure Provider for Crossplane by Upbound.
Apache License 2.0

Secret creation works for some resources and not for others #81

Closed asajoshi closed 5 months ago

asajoshi commented 1 year ago

What happened?

Trying to create and propagate secrets for an Azure resource with the following configuration: it creates a managed resource secret with secret keys and values, but no data gets propagated to the composite or claim resource from the managed resource secret.

The same configuration was tried for Postgres and it works, but for the storage account it seems to create blank secrets.

That brings me to some questions about the behaviour:

  1. What should be the ideal namespace for a composite resource secret? Is it crossplane-system or the claim namespace?
  2. Is it possible to patch writeConnectionSecretsToNamespace?
  3. Is there some rule such as composite and managed secrets should be in the same namespace? Or that composite and claim resources should be in the same namespace?

Composition.yaml

---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: storagegroups.account.azure.bakery.volvocars.biz
  labels:
    crossplane.io/xrd: xstoragegroups.account.azure.bakery.volvocars.biz
    provider: azure
    version: "1.0.0"
spec:
  writeConnectionSecretsToNamespace: team-a  # XRD secret ns
  compositeTypeRef:
    apiVersion: account.azure.bakery.volvocars.biz/v1alpha1
    kind: XStorageGroup
  patchSets:
  - name: deletionPolicyPatches
    patches:
    - type: FromCompositeFieldPath
      fromFieldPath: spec.parameters.deletionPolicy
      toFieldPath: spec.deletionPolicy
  - name: providerPatches
    patches:
    - type: FromCompositeFieldPath
      fromFieldPath: spec.parameters.providerConfigRef.name
      toFieldPath: spec.providerConfigRef.name
  - name: tagPatches
    patches:
    - type: FromCompositeFieldPath
      fromFieldPath: spec.parameters.tags.AppID
      toFieldPath: spec.forProvider.tags.AppID
    - type: FromCompositeFieldPath
      fromFieldPath: spec.parameters.tags.AppName
      toFieldPath: spec.forProvider.tags.AppName
  - name: ConnectionDetailsPatches
    patches:
    - type: FromCompositeFieldPath
      fromFieldPath: spec.publishConnectionDetailsTo.name
      toFieldPath: spec.publishConnectionDetailsTo.name
  resources:
    - name: storageaccount
      base:
        apiVersion: storage.azure.upbound.io/v1beta1
        kind: Account
        spec:
          writeConnectionSecretToRef:
            namespace: crossplane-system
            name: managed-secret
          providerConfigRef:
            name:  "crossplane-provider-upjet-azure"
      connectionDetails:
      - name: primaryaccesskey
        fromConnectionSecretKey: "attribute.primary_access_key"
      - name: endpoint
        fromFieldPath: status.atProvider.endpoint
      - name: id
        fromFieldPath: status.atProvider.id
      - name: readendpoints
        fromFieldPath: status.atProvider.readEndpoints
      - name: writeendpoints
        fromFieldPath: status.atProvider.writeEndpoints
      - name: identity
        fromFieldPath: status.atProvider.identity
      - name: geolocation
        fromFieldPath: status.atProvider.geoLocation
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.name
          toFieldPath: metadata.annotations[crossplane.io/external-name]
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.resourceGroupName
          toFieldPath: spec.forProvider.resourceGroupName
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.location
          toFieldPath: spec.forProvider.location
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.tags.AppID
          toFieldPath: spec.forProvider.tags.AppID
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.tags.AppName
          toFieldPath: spec.forProvider.tags.AppName
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.accountTier
          toFieldPath: spec.forProvider.accountTier
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.accountReplicationType
          toFieldPath: spec.forProvider.accountReplicationType
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.accountKind
          toFieldPath:  spec.forProvider.accountKind
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.minTlsVersion
          toFieldPath: spec.forProvider.minTlsVersion
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.nfsv3Enabled
          toFieldPath: spec.forProvider.nfsv3Enabled
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.isHnsEnabled
          toFieldPath: spec.forProvider.isHnsEnabled
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.tableEncryptionKeyType
          toFieldPath: spec.forProvider.tableEncryptionKeyType
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.enableHttpsTrafficOnly
          toFieldPath: spec.forProvider.enableHttpsTrafficOnly
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.allowNestedItemsToBePublic
          toFieldPath: spec.forProvider.allowNestedItemsToBePublic
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.resourceGroupNameSelector.matchControllerRef
          toFieldPath: spec.forProvider.resourceGroupNameSelector.matchControllerRef
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.resourceGroupNameSelector.matchLabels
          toFieldPath: spec.forProvider.resourceGroupNameSelector.matchLabels
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.resourceGroupNameRef.name
          toFieldPath: spec.forProvider.resourceGroupNameRef.name

XRD.yaml

apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
  name: xstoragegroups.account.azure.bakery.volvocars.biz
spec:
  connectionSecretKeys:
  - primaryaccesskey
  - endpoint
  - id
  - identity
  - geolocation
  - readendpoints
  - writeendpoints
  group: account.azure.bakery.volvocars.biz
  names:
    kind: XStorageGroup
    plural: xstoragegroups
  claimNames:
    kind: StorageGroup
    plural: storagegroups

  defaultCompositionRef:
    name: storagegroups.account.azure.bakery.volvocars.biz
  versions:
  - name: v1alpha1
    served: true
    referenceable: true
    # See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            properties:
              parameters:
                type: object
                properties:
                  location:
                    type: string
                    default: "westeurope"
                    description: "Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created."
                  resourceGroupName:
                    type: string
                    default: ""
                    description: "The name of the resource group in which to create the storage account. Changing this forces a new resource to be created."
                  name:
                    type: string
                    default: ""
                  accountKind:
                    type: string
                    default: "StorageV2"
                    # OpenAPI v3 keyword is "enum", not "enums"
                    enum: ["BlockBlobStorage", "FileStorage", "BlobStorage", "Storage", "StorageV2"]
                    description: "Defines the Kind of account. Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Changing this forces a new resource to be created. Defaults to Storage."
                  accountTier:
                    type: string
                    default: "Standard"
                    enum: ["Standard"]
                    description: "Defines the Tier to use for this storage account. Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid. Changing this forces a new resource to be created."
                  accountReplicationType:
                    type: string
                    default: "LRS"
                    enum: ["LRS", "GRS", "RAGRS", "ZRS", "GZRS", "RAGZRS"]
                    description: "Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. Changing this forces a new resource to be created when types LRS, GRS and RAGRS are changed to ZRS, GZRS or RAGZRS and vice versa."
                  allowNestedItemsToBePublic:
                    type: boolean
                    default: true
                    description: "Allow or disallow nested items within this Account to opt into being public. Defaults to true."
                  enableHttpsTrafficOnly:
                    type: boolean
                    default: true
                    description: "Boolean flag which forces HTTPS if enabled. Defaults to true."
                  isHnsEnabled:
                    type: boolean
                    default: false
                    description: "Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 (see here for more information). Changing this forces a new resource to be created."
                  largeFileShareEnabled:
                    type: boolean
                    default: false
                    description: "Is Large File Share Enabled?"
                  minTlsVersion:
                    type: string
                    default: "TLS1_2"
                    # "LS1_0" was a typo; the valid value is "TLS1_0"
                    enum: ["TLS1_0", "TLS1_1", "TLS1_2"]
                    description: "The minimum supported TLS version for the storage account. Possible values are TLS1_0, TLS1_1, and TLS1_2. Defaults to TLS1_2 for new storage accounts."
                  nfsv3Enabled:
                    type: boolean
                    default: false
                    description: "Is NFSv3 protocol enabled? Changing this forces a new resource to be created. Defaults to false."
                  staticWebsite:
                    type: array
                    items:
                      type: object
                      properties:
                        error404Document:
                          type: string
                          description: "The absolute path to a custom webpage that should be used when a request is made which does not correspond to an existing file."
                        indexDocument:
                          type: string
                          description: "The webpage that Azure Storage serves for requests to the root of a website or any subfolder. For example, index.html. The value is case-sensitive."
                  sharedAccessKeyEnabled:
                    type: boolean
                    default: true
                    description: "Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD)."
                  tableEncryptionKeyType:
                    type: string
                    description: "The encryption type of the table service. Possible values are Service and Account. Changing this forces a new resource to be created. Default value is Service."
                    enum: ["Service", "Account"]
                    default: "Service"
                  resourceGroupNameRef:
                    type: object
                    description: Resource Group Name Reference
                    properties:
                      name:
                        type: string
                  resourceGroupNameSelector:
                    type: object
                    description: Resource Group Name Selector
                    properties:
                      # matchControllerRef is a boolean on the managed resource selector;
                      # a string "false" would fail to patch into it
                      matchControllerRef:
                        type: boolean
                        default: false
                      matchLabels:
                        type: object
                  tags:
                    type: object
                    properties:
                      AppID:
                        type: string
                      AppName:
                        type: string
                    required:
                      - AppID
                      - AppName
                  deletionPolicy:
                    type: string
                    default: "Orphan"
                    enum: ["Orphan","Delete"]
                    description: DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource.
                  providerConfigRef:
                    type: object
                    description: Crossplane provider credentials to use.
                    properties:
                      name:
                        type: string
                        default: "crossplane-provider-upjet-azure"
                required:
                  - location
                  - resourceGroupName
                  - accountReplicationType
                  - accountTier
                  - name
                  - tags

claim.yaml

apiVersion: account.azure.bakery.volvocars.biz/v1alpha1
kind: StorageGroup
metadata:
  name: storageaccbyasa
  namespace: team-a
spec:
  parameters:

    ##########################################
    # REQUIRED FIELDS
    ##########################################

    # This parameter reflects the name you want to see in the azure portal for your account.
    name: accountcompbypulsars

    # Change tags to match your App ID and App Name.
    tags:
      AppID: APP-4359
      AppName: Bakery-Pulsars

    # Specifies the supported Azure location where the resource exists.
    # Cannot be changed after creation
    location: westeurope

    # The name of the resource group in which to create the storage account.
    # Cannot be changed after creation
    resourceGroupName: rg-crossplane

    # Defines the Tier to use for this storage account. Currently, only Standard is supported
    # Cannot be changed after creation
    accountTier: Standard

    # Defines the Kind of account.
    # Valid options are BlobStorage, Storage and StorageV2.
    # Cannot be changed after creation
    accountKind: StorageV2

    # Defines the type of replication to use for this storage account.
    # Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS.
    # Types cannot be changed from LRS, GRS and RAGRS to ZRS, GZRS or RAGZRS and vice versa after account creation
    accountReplicationType: LRS

    ##########################################
    # OPTIONAL FIELDS | You do not need to change them if you simply want to deploy an account quickly
    ##########################################

    # What should happen to the actual resource when you delete it using this file? Orphan will leave the actual resource, Delete will clean up everything.
    # Possible values: Orphan, Delete
    deletionPolicy: Orphan

    # The encryption type of the table service. Possible values are Service and Account.
    # Cannot be changed after creation
    # Default value is Service.
    # Possible values: Service | Account
    tableEncryptionKeyType: "Service"

    # Boolean flag which forces HTTPS if enabled
    enableHttpsTrafficOnly: true

    # Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2
    # Cannot be changed after creation
    isHnsEnabled: false

    # The minimum supported TLS version for the storage account.
    # Possible values are TLS1_0, TLS1_1, and TLS1_2.
    minTlsVersion: TLS1_2

    # Is NFSv3 protocol enabled?
    # Cannot be changed after creation of the account
    nfsv3Enabled: false

    # Allow or disallow nested items within this Account to opt into being public.
    allowNestedItemsToBePublic: true

  writeConnectionSecretToRef:
    name: claim-secret

  #publishConnectionDetailsTo:
  #  configRef:
  #    name: team-a

What environment did it happen in?
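A static check of the Composition's connectionDetails against the XRD and an observed managed resource, added here as an example (not code from the issue or from provider-upjet-azure): each detail is checked against the XRD's connectionSecretKeys, and each fromFieldPath or fromConnectionSecretKey source against what the managed resource actually exposes, which is how a detail ends up absent from the composite secret. The sample objects are constructed from the issue's YAML; the observed status/secret contents, and the assumption that a detail with a missing source is silently skipped, are not taken from the page.

```python
def get_path(obj, path):
    """Resolve a dotted field path such as 'status.atProvider.id'; None if absent."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def check_connection_details(composition, xrd, managed, managed_secret_keys):
    """Return (detail name, problem) tuples for details that will not reach the composite secret.

    Assumed behaviour: a detail whose source path/key is missing on the managed
    resource is skipped, and a detail not in connectionSecretKeys is never copied."""
    allowed = set(xrd["spec"].get("connectionSecretKeys", []))
    findings = []
    for res in composition["spec"]["resources"]:
        for cd in res.get("connectionDetails", []):
            name = cd["name"]
            if name not in allowed:
                findings.append((name, "not listed in XRD connectionSecretKeys"))
            if "fromFieldPath" in cd and get_path(managed, cd["fromFieldPath"]) is None:
                findings.append((name, f"path {cd['fromFieldPath']} absent on managed resource"))
            if "fromConnectionSecretKey" in cd and cd["fromConnectionSecretKey"] not in managed_secret_keys:
                findings.append((name, f"key {cd['fromConnectionSecretKey']} absent from managed secret"))
    return findings

# Constructed samples mirroring the issue's Composition and XRD (subset of details)
COMPOSITION = {"spec": {"resources": [{"name": "storageaccount", "connectionDetails": [
    {"name": "primaryaccesskey", "fromConnectionSecretKey": "attribute.primary_access_key"},
    {"name": "endpoint", "fromFieldPath": "status.atProvider.endpoint"},
    {"name": "id", "fromFieldPath": "status.atProvider.id"},
    {"name": "readendpoints", "fromFieldPath": "status.atProvider.readEndpoints"},
]}]}}
XRD = {"spec": {"connectionSecretKeys": ["primaryaccesskey", "endpoint", "id", "readendpoints"]}}
# Assumed observed Account: only 'id' populated in status.atProvider (constructed value)
MANAGED = {"status": {"atProvider": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                           "/resourceGroups/rg-crossplane/providers/Microsoft.Storage"
                                           "/storageAccounts/accountcompbypulsars"}}}
# Assumed keys present in the managed resource's connection secret (constructed)
SECRET_KEYS = {"attribute.primary_access_key", "attribute.id"}

if __name__ == "__main__":
    for name, problem in check_connection_details(COMPOSITION, XRD, MANAGED, SECRET_KEYS):
        print(f"{name}: {problem}")
```

Run it against the real objects by replacing the constructed samples with `kubectl get ... -o json` output; every finding is a key that will be missing from the composite and claim secrets.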

github-actions[bot] commented 5 months ago

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

github-actions[bot] commented 5 months ago

This issue is being closed since there has been no activity for 14 days since marking it as stale. If you still need help, feel free to comment or reopen the issue!