Closed hmehta closed 5 months ago
Hello @hmehta! I'm Dosu, your friendly neighborhood bot here to lend a hand with bugs, answer your questions, or guide you on your journey to becoming a contributor, all while you're waiting for one of our human maintainers to jump in. I just wanted to drop in and say hi, introduce myself, and let you know I'm diving into your issue to give you a full answer shortly. Hang tight!
This also seems to work as expected if I set the namespace in the OVERLAY kustomization.yaml, so I am somehow leaning towards this actually being either expected behavior from Kustomize side, or an issue there. As I went through the code, the whole metadata is used in the generated Secret without any modifications, so it should contain the modified metadata with the content hashed name when targeting succeeds (name + namespace matches).
Feel free to close this ticket. Maybe this will at least generate useful history for someone else trying to resolve the same problem.
Hello @hmehta,
Thank you for your detailed follow-up and for sharing your findings with the community. It's great to see you've identified a workaround by specifying the namespace in the overlay's kustomization.yaml
and also considered the behavior when setting the namespace directly in the ksops-secret-generator.yaml
.
Your observation about the namespace being correctly applied when specified in the overlay, and your insight into the handling of metadata in the generated Secret, are valuable. It seems that this behavior, while initially unexpected, can indeed be managed through the configurations you've mentioned.
Given your analysis and the workaround you've discovered, it appears this issue might be more related to how Kustomize handles namespace propagation and metadata processing in conjunction with KSOPS, rather than a direct issue with KSOPS itself. Your willingness to share this information will undoubtedly help others who might encounter similar situations.
If you believe this behavior should be more clearly documented, or if there are improvements to be made in how KSOPS handles such scenarios, I encourage you to share these suggestions. Your input could lead to enhancements that benefit the broader community.
For now, since you've found a solution that works for your case and suggested that this ticket can be closed, we'll proceed accordingly. However, should you have any more questions, insights, or if you encounter other challenges, please don't hesitate to reach out again.
Your contributions and proactive approach to solving this issue are greatly appreciated!
Best regards, Dosu
I noticed that KSOPS generator doesn't honor the namespace set in kustomization.yaml. See my example project for details:
Simple Kustomize project with one base, one overlay:
base/kustomization.yaml
:base/deployment.yaml
:overlays/test/kustomization.yaml
:overlays/test/ksops-secret-generator.yaml
:overlays/test/configs/example.conf.json
:overlays/test/secrets/example.creds.enc.json
(encrypted with the sops test keys):Then building this using
kustomize build --enable-alpha-plugins --enable-exec .
I get what I expect:The
spec.template.spec.containers.volumes[1].secret.secretName
is what is expected since the Secret is also created to the namespace that is selected in the current context. But now when I set the namespace for everything inbase/kustomization.yaml
:Now building this results into situation where the Secret doesn't have a namespace and even the content hash in the name gets dropped due to targeting failing (added few notes as comments to point it out better):
This issue can be worked around by setting the same namespace explicitly in the
overlays/test/ksop-secret-generator.yaml
.secretFrom[0].metadata.namespace
, but that's a bit clumsy and works quite differently than the Kustomize provided ConfigMap and Secrets Generators.I hope you could fix this, but if it is intended behaviour, then I think documenting this better in the section where you give examples on providing Secrets using the secretFrom would help.