nrvnrvn / secreter

⛔️ DEPRECATED Kubernetes operator and CLI tool for encrypting and managing Kubernetes secrets
Apache License 2.0

Handling secrets type changes #3

Open shamil opened 5 years ago

shamil commented 5 years ago

Hi,

When a secret type changes, let's say from Opaque to kubernetes.io/tls, secreter is failing to update the secret.

I think it should handle such changes and recreate the secret if needed. Or make EncryptedSecret honor the type field as immutable, same as in Secret resources.

2019-11-10T09:21:42.185Z    ERROR   kubebuilder.controller  Reconciler error    {"controller": "encryptedsecret-controller", "request": "default/tls-ingress", "error": "failed to update Secret: Secret \"tls-ingress\" is invalid: type: Invalid value: \"kubernetes.io/tls\": field is immutable"}
github.com/amaizfinance/secreter/vendor/github.com/go-logr/zapr.(*zapLogger).Error
    vendor/github.com/go-logr/zapr/zapr.go:128
github.com/amaizfinance/secreter/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:217
github.com/amaizfinance/secreter/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1
    vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158
github.com/amaizfinance/secreter/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
    vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133
github.com/amaizfinance/secreter/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil
    vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134
github.com/amaizfinance/secreter/vendor/k8s.io/apimachinery/pkg/util/wait.Until
    vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88

nrvnrvn commented 5 years ago

Hi!

Thanks for reporting this.

Unfortunately the API documentation does not mention that this field is immutable.

I would be happy to add some validation of EncryptedSecret in this regard, and I am actually planning to do that in the future.

Currently Kubernetes - OpenAPI to be precise - is not capable of validating immutable fields for custom resource objects. Yet it is possible to do that via a validating webhook.
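The validating webhook mentioned above would boil down to an admission check like the one below, which denies any UPDATE whose `type` differs from the stored object's. This is an added example, not secreter's own code; it uses only the standard library, decodes just the subset of AdmissionReview it needs, and assumes EncryptedSecret carries a top-level `type` field that defaults to Opaque the way Secret's does.

```go
package main

import "encoding/json"
import "fmt"

// Minimal view of an admission.k8s.io AdmissionReview (old/new objects kept raw).
type admissionReview struct {
	Request struct {
		Operation string          `json:"operation"`
		Object    json.RawMessage `json:"object"`
		OldObject json.RawMessage `json:"oldObject"`
	} `json:"request"`
}

// secretType reads the top-level type; assumption: absent means Opaque, as for Secret.
func secretType(raw json.RawMessage) (string, error) {
	var o struct{ Type string `json:"type"` }
	if err := json.Unmarshal(raw, &o); err != nil {
		return "", err
	}
	if o.Type == "" {
		return "Opaque", nil
	}
	return o.Type, nil
}

// validateTypeImmutable is the webhook's decision: (allowed, denial reason).
// Only UPDATE can alter a stored object, so CREATE and DELETE always pass.
func validateTypeImmutable(reviewJSON []byte) (bool, string) {
	var ar admissionReview
	if err := json.Unmarshal(reviewJSON, &ar); err != nil {
		return false, "malformed AdmissionReview: " + err.Error()
	}
	if ar.Request.Operation != "UPDATE" {
		return true, ""
	}
	oldType, errOld := secretType(ar.Request.OldObject)
	newType, errNew := secretType(ar.Request.Object)
	if errOld != nil || errNew != nil {
		return false, "cannot decode type of old/new object"
	}
	if oldType != newType { // same wording the API server uses for Secret.type
		return false, fmt.Sprintf("type: Invalid value: %q: field is immutable (was %q); delete and recreate the EncryptedSecret", newType, oldType)
	}
	return true, ""
}

// Constructed sample: the Opaque -> kubernetes.io/tls change from this issue.
const sampleReview = `{"request":{"operation":"UPDATE","oldObject":{"kind":"EncryptedSecret","type":"Opaque"},` +
	`"object":{"kind":"EncryptedSecret","type":"kubernetes.io/tls"}}}`
```

Wired into a webhook server, the returned pair maps onto AdmissionResponse.allowed and AdmissionResponse.status.message, so the user sees the same error for EncryptedSecret that the API server produces for Secret, instead of the reconcile loop failing later.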

shamil commented 5 years ago

Maybe having an optional param in the EncryptedSecret resource to force recreating the secret could help and let people decide what to do in such cases.