kumahq / kuma

🐻 The multi-zone service mesh for containers, Kubernetes and VMs. Built with Envoy. CNCF Sandbox Project.
https://kuma.io/install
Apache License 2.0

Secret doesn't auto add `kuma.io/mesh: default` when absent #9188

Open lahabana opened 7 months ago

lahabana commented 7 months ago

Description

I create:

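```sh
# Build the data value on a single line; some base64 implementations wrap their output.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: my-gateway-certificate
  namespace: kuma-system
data:
  value: "$(cat tls.key tls.crt | base64 | tr -d '\n')"
type: system.kuma.io/secret
EOF
```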

Then if I retrieve it I get:

```
$ kubectl get secrets -n kuma-system my-gateway-certificate -oyaml
apiVersion: v1
data:
  value: <base64 data elided>
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"value":"<base64 data elided>"},"kind":"Secret","metadata":{"annotations":{},"name":"my-gateway-certificate","namespace":"kuma-system"},"type":"system.kuma.io/secret"}
  creationTimestamp: "2024-02-09T13:25:33Z"
  name: my-gateway-certificate
  namespace: kuma-system
  resourceVersion: "8543"
  uid: 0fc1c8bb-8239-4ac1-a215-4215161a9f7b
type: system.kuma.io/secret
```

Note that there's no label. This causes issues down the road as we don't find the secret:

```
2024-02-09T13:36:50.755Z    ERROR   xds-server.dataplane-sync-watchdog  OnTick() failed {"dataplaneKey": {"Mesh":"default","Name":"edge-gateway-79b4654bcf-5tx6t.kuma-demo"}, "error": "could not reconcile: failed to generate a snapshot: imports[0]{name=\"gateway-proxy\"}: generator.generator failed: could not apply policy plugin meshhttproute: failed to generate TLS certificate: could not load data: Resource not found: type=\"Secret\" name=\"my-gateway-certificate\" mesh=\"default\"", "errorVerbose": "imports[0]{name=\"gateway-proxy\"}: generator.generator failed: could not apply policy plugin meshhttproute: failed to generate TLS certificate: could not load data: Resource not found: type=\"Secret\" name=\"my-gateway-certificate\" mesh=\"default\"\nfailed to generate a snapshot\ngithub.com/kumahq/kuma/pkg/xds/server/v3.(*reconciler).Reconcile\n\tgithub.com/kumahq/kuma/pkg/xds/server/v3/reconcile.go:57\ngithub.com/kumahq/kuma/pkg/xds/sync.(*DataplaneWatchdog).syncDataplane\n\tgithub.com/kumahq/kuma/pkg/xds/sync/dataplane_watchdog.go:148\ngithub.com/kumahq/kuma/pkg/xds/sync.(*DataplaneWatchdog).Sync\n\tgithub.com/kumahq/kuma/pkg/xds/sync/dataplane_watchdog.go:79\ngithub.com/kumahq/kuma/pkg/xds/sync.(*dataplaneWatchdogFactory).New.func2\n\tgithub.com/kumahq/kuma/pkg/xds/sync/dataplane_watchdog_factory.go:43\ngithub.com/kumahq/kuma/pkg/util/watchdog.(*SimpleWatchdog).onTick\n\tgithub.com/kumahq/kuma/pkg/util/watchdog/watchdog.go:70\ngithub.com/kumahq/kuma/pkg/util/watchdog.(*SimpleWatchdog).Start\n\tgithub.com/kumahq/kuma/pkg/util/watchdog/watchdog.go:40\nruntime.goexit\n\truntime/asm_arm64.s:1197\ncould not reconcile\ngithub.com/kumahq/kuma/pkg/xds/sync.(*DataplaneWatchdog).syncDataplane\n\tgithub.com/kumahq/kuma/pkg/xds/sync/dataplane_watchdog.go:150\ngithub.com/kumahq/kuma/pkg/xds/sync.(*DataplaneWatchdog).Sync\n\tgithub.com/kumahq/kuma/pkg/xds/sync/dataplane_watchdog.go:79\ngithub.com/kumahq/kuma/pkg/xds/sync.(*dataplaneWatchdogFactory).New.func2\n\tgithub.com/kumahq/kuma/pkg/xds/sync/dataplane_watchdog_factory.go:43\ngithub.com/kumahq/kuma/pkg/util/watchdog.(*SimpleWatchdog).onTick\n\tgithub.com/kumahq/kuma/pkg/util/watchdog/watchdog.go:70\ngithub.com/kumahq/kuma/pkg/util/watchdog.(*SimpleWatchdog).Start\n\tgithub.com/kumahq/kuma/pkg/util/watchdog/watchdog.go:40\nruntime.goexit\n\truntime/asm_arm64.s:1197"}
```

This gets fixed if I label my secret: `kubectl label secrets -n kuma-system my-gateway-certificate kuma.io/mesh=default`

jakubdyszkiewicz commented 7 months ago

Triage: let's do the same as what we do for policies
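
One way the label defaulting suggested in triage could be computed, as an added example that is not part of the issue or Kuma's own code: a function returning the JSON Patch a mutating admission step would apply to a Secret like the one reported. The function name `defaultMeshPatch`, the JSON Patch approach and the sample manifest are assumptions; only the label key, the Secret type and the `default` mesh come from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Label key, Secret type and mesh name are taken from the issue.
const meshLabel, meshSecretType, defaultMesh = "kuma.io/mesh", "system.kuma.io/secret", "default"

// patchOp is one RFC 6902 JSON Patch operation.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// defaultMeshPatch (hypothetical helper) returns the patch that adds
// kuma.io/mesh=default to a Secret of the issue's type, or nil if none is needed.
func defaultMeshPatch(raw []byte) ([]patchOp, error) {
	var s struct {
		Type     string `json:"type"`
		Metadata struct {
			Labels map[string]string `json:"labels"`
		} `json:"metadata"`
	}
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("decode secret: %w", err)
	}
	if _, ok := s.Metadata.Labels[meshLabel]; ok || s.Type != meshSecretType {
		return nil, nil // other Secret types and explicit meshes are left untouched
	}
	if s.Metadata.Labels == nil {
		// "add" below a missing parent fails, so create the labels object itself.
		return []patchOp{{"add", "/metadata/labels", map[string]string{meshLabel: defaultMesh}}}, nil
	}
	// JSON Pointer (RFC 6901) escaping: "~" becomes "~0" and "/" becomes "~1".
	key := strings.NewReplacer("~", "~0", "/", "~1").Replace(meshLabel)
	return []patchOp{{"add", "/metadata/labels/" + key, defaultMesh}}, nil
}

func main() {
	// Constructed manifest shaped like the Secret in the issue (data omitted).
	raw := []byte(`{"kind":"Secret","type":"system.kuma.io/secret","metadata":{"name":"my-gateway-certificate","namespace":"kuma-system","annotations":{}}}`)
	ops, err := defaultMeshPatch(raw)
	out, _ := json.Marshal(ops)
	fmt.Println(string(out), err)
}
```
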

github-actions[bot] commented 4 months ago

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.