mittwald / kubernetes-replicator

Kubernetes controller for synchronizing secrets & config maps across namespaces
Apache License 2.0

Replicator keeps track of removed secrets and loops for wildcard regex in replication-allowed-namespaces. #319

Open hetii opened 7 months ago

hetii commented 7 months ago

Hi.

Let's assume I have such code:

apiVersion: v1
kind: Namespace
metadata:
  name: srcnamespace
---
apiVersion: v1
kind: Namespace
metadata:
  name: dstnamespace
---
apiVersion: v1
data:
  secret-token: ZXN5WkNjSXpIM3diWFVyUDhDQ2ZpUFYwCg==
kind: Secret
metadata:
  annotations:
    replicator.v1.mittwald.de/replication-allowed: "true"
    replicator.v1.mittwald.de/replication-allowed-namespaces: ^[^srcnamespace$].*$
    replicator.v1.mittwald.de/strip-labels: "true"
  labels:
    foo: bar
  name: my-src-secret
  namespace: srcnamespace
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  name: my-dst-secret
  namespace: dstnamespace
  annotations:
    replicator.v1.mittwald.de/replicate-from: srcnamespace/my-src-secret
data: {}
---
apiVersion: v1
kind: Secret
metadata:
  name: my-dst-secret2
  namespace: dstnamespace
  annotations:
    replicator.v1.mittwald.de/replicate-from: srcnamespace/my-src-secret
data: {}

There are two issues.

  1. For the src secret I need to use the ^[^srcnamespace$].*$ regex, otherwise the replicator goes into a loop and recreates the src secret all the time. I mean here when I use the ".*" regex instead of "^[^srcnamespace$].*$". The odd thing is that in my real scenario I get the loop for one of the old existing namespaces as soon as I change the regex to ".*", but I'm not able to reproduce this with the above code, even when the annotations are the same. I will try to investigate it more and isolate this condition.

  2. When I remove my-dst-secret and my-dst-secret2 and edit a label in my-src-secret with kubectl, the replicator somehow still raises logs like below:

time="2024-01-04T15:50:22Z" level=info msg="updating dependent Secret srcnamespace/my-src-secret -> dstnamespace/my-dst-secret" kind=Secret source=srcnamespace/my-src-secret
time="2024-01-04T15:50:22Z" level=info msg="updating dependent Secret srcnamespace/my-src-secret -> dstnamespace/my-dst-secret2" kind=Secret source=srcnamespace/my-src-secret

What is odd is that dstnamespace/my-dst-secret and dstnamespace/my-dst-secret2 are no longer in the cluster.

For issue 1, the replicator should never touch source secrets. For issue 2, the replicator should not raise any message when destination secrets are removed for pull-based replication.

Regards.
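The two annotation regexes from the issue, run through Go's regexp package, as an added example that is not code from the kubernetes-replicator project. Go is the controller's language; how the controller itself applies or anchors the pattern is not shown here and is an assumption, so anchoring is left to the pattern as in the annotation values above. Two things the example makes visible: `.*` matches the source namespace as well as the destination, and `[^srcnamespace$]` is a character class, so it rejects any namespace whose first character is one of the listed letters (the constructed `monitoring` namespace below is excluded along with `srcnamespace`). Go's RE2 syntax has no negative lookahead, so `^(?!srcnamespace$).*$` does not compile; excluding the source is done with a string comparison instead.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample cluster: the two namespaces from the issue plus two
// extra ones that show how the character-class regex behaves.
var clusterNamespaces = []string{"srcnamespace", "dstnamespace", "monitoring", "default"}

// MatchingNamespaces returns the namespaces selected by pattern, compiled with
// Go's RE2-based regexp package. Anchoring is left to the pattern, as in the
// annotation values in the issue (assumption: the controller adds no anchors
// of its own).
func MatchingNamespaces(pattern string, namespaces []string) ([]string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	matched := []string{}
	for _, ns := range namespaces {
		if re.MatchString(ns) {
			matched = append(matched, ns)
		}
	}
	return matched, nil
}

// TargetsExcludingSource applies pattern and then drops the source namespace
// by plain string comparison. RE2 has no negative lookahead, so a pattern such
// as ^(?!srcnamespace$).*$ fails to compile; the comparison is the portable
// way to express "every allowed namespace except the source".
func TargetsExcludingSource(pattern, source string, namespaces []string) ([]string, error) {
	matched, err := MatchingNamespaces(pattern, namespaces)
	if err != nil {
		return nil, err
	}
	targets := []string{}
	for _, ns := range matched {
		if ns != source {
			targets = append(targets, ns)
		}
	}
	return targets, nil
}

func main() {
	for _, pattern := range []string{".*", "^[^srcnamespace$].*$", "^(?!srcnamespace$).*$"} {
		matched, err := MatchingNamespaces(pattern, clusterNamespaces)
		if err != nil {
			fmt.Printf("%-24s compile error: %v\n", pattern, err)
			continue
		}
		fmt.Printf("%-24s matches %v\n", pattern, matched)
	}
	targets, _ := TargetsExcludingSource(".*", "srcnamespace", clusterNamespaces)
	fmt.Printf("targets for .* excluding source: %v\n", targets)
}
```

Running it shows `.*` selecting all four namespaces, the character-class pattern selecting only `dstnamespace` and `default`, and the lookahead pattern rejected at compile time.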