Open viv-4 opened 3 years ago
This actually is not an issue with secret generation but rather with the ansible/helm uninstall not removing persistent volumes (known issue, https://github.com/place-labs/k8s-helm/blob/master/ansible/README.md#limitations). Secrets are designed to be preserved over upgrades: https://github.com/place-labs/k8s-helm/tree/master/charts#design-notes
Reopening as the issue is present when running current ansible playbook: https://github.com/place-labs/k8s-helm/commit/a04174010ff07942edc1f8e1362bbe6bdd1ed504
Requires further investigation
Due to the rethinkdbPassword release var not being found:
```
TASK [placeos.helm.releasevars : get the existing release var] *******************************************
task path: ~/k8s-helm/ansible/roles/placeos.helm.releasevars/tasks/lookup.yaml:15
skipping: [k8s] => (item=rethinkdbPassword) => {
    "ansible_loop_var": "item",
    "changed": false,
    "item": "rethinkdbPassword",
    "skip_reason": "Conditional result was False"
}
```
Previous step `TASK [placeos.helm.releasevars : check release current state]` does not include a `rethinkdbPassword` in its returned `status.values`.
The release name is `rethinkdb` and not `placeos` as defined in the above task.
The release names were changed when the release namespace was set to placeos for all charts.
Changing this line to `name: "rethinkdb"` resolves this specific issue, as this is the only release var value actually being used: https://github.com/place-labs/k8s-helm/blob/ddab78eb53055193725a8fd289b4c7b8cdb83e91/ansible/roles/placeos.helm.releasevars/tasks/lookup.yaml#L5
However, the same issue is present for postgresql, and all services should ideally also be using existing values (configMap/secret) when running `helm upgrade` unless intentionally being changed.
Will look into potentially running the `check release current state` and `get the existing release var` tasks before running each chart with that chart's release name.
If the pod (and stateful set) are removed, e.g. uninstalled via ansible, then a subsequent ansible install will regenerate and overwrite the password secret. The uninstall does not remove the rethinkdb volume, however, so it is still configured with the old password unless manually removed before install.
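The per-chart lookup proposed in the thread, sketched as an added example (not the repository's role or any participant's code). It assumes the `kubernetes.core` collection is installed; the chart list, the `postgresqlPassword` key and the `release_vars` fact name are hypothetical.

```yaml
# Added example: look up each chart's own release before deciding whether to
# generate a password. Names marked "assumed" do not come from the repository.
- name: Reuse existing chart passwords on upgrade
  hosts: k8s
  gather_facts: false
  vars:
    release_namespace: placeos
    # release name -> values key that holds its password
    release_password_keys:
      - { release: rethinkdb, key: rethinkdbPassword }
      - { release: postgresql, key: postgresqlPassword }   # key name assumed
  tasks:
    - name: check release current state (once per chart, by that chart's release name)
      kubernetes.core.helm_info:
        name: "{{ item.release }}"
        release_namespace: "{{ release_namespace }}"
      loop: "{{ release_password_keys }}"
      register: release_state
      no_log: true   # status.values can contain the existing password

    - name: get the existing release var, generate only when the release has none
      ansible.builtin.set_fact:
        release_vars: >-
          {{ release_vars | default({}) | combine({
               item.item.key:
                 ((item.status | default({}, true)).get('values') or {}).get(item.item.key)
                 or lookup('ansible.builtin.password',
                           '/dev/null length=32 chars=ascii_letters,digits')
             }) }}
      loop: "{{ release_state.results }}"
      loop_control:
        label: "{{ item.item.release }}"   # keep the password out of loop output
      no_log: true

    # After an uninstall the release is gone, so a new password is generated
    # here while the leftover persistent volume still holds the old one.
    # Remove the volume first, or pass the old password in explicitly.
```

`status['values']` is read with `.get('values')` because `status.values` in Jinja2 resolves to the dictionary method rather than the key.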