Open GrahamDumpleton opened 1 month ago
This is actually a race condition in the operator between two rule applications triggered by different resources. For example:
DEBUG:educates:Triggering secretcopier reconcilation for secret educates-registry-credentials in namespace educates-cli-w04-s010-hub.
DEBUG:educates:Triggering secretinjector reconcilation for secret educates-registry-credentials in namespace educates-cli-w04-s010-hub.
DEBUG:educates:Triggering secretinjector reconcilation for service account default in namespace educates-cli-w04-s010.
DEBUG:educates:Triggering secretcopier reconcilation for namespace educates-cli-w04-s010-cluster-1.
DEBUG:educates:Triggering secretinjector reconcilation for service account default in namespace educates-cli-w04-s010-cluster-1.
DEBUG:educates:Triggering secretcopier reconcilation for secret educates-registry-credentials in namespace educates-cli-w04-s010-cluster-1.
DEBUG:educates:Triggering secretinjector reconcilation for secret educates-registry-credentials in namespace educates-cli-w04-s010-cluster-1.
DEBUG:educates:Processing rule 1 from secretinjector/educates-registry-credentials against namespace educates-cli-w04-s010-hub.
DEBUG:educates:Processing rule 1 from secretinjector/educates-registry-credentials against namespace educates-cli-w04-s010-hub.
DEBUG:educates:Processing rule 1 from secretinjector/educates-registry-credentials against namespace educates-cli-w04-s010-cluster-1.
DEBUG:educates:Processing rule 1 from secretinjector/educates-registry-credentials against namespace educates-cli-w04-s010-cluster-1.
DEBUG:educates:Processing rule 1 from secretinjector/educates-registry-credentials against namespace educates-cli-w04-s010.
IOW, secretinjector rules were applied due to changes in the service account and the secret at the same time, and since they are different resource types they run in parallel, which you can see from the duplicates for rule application later.
So the secret is being injected okay, just getting some noise in the logs with the full exception showing, from the reconciler function which loses out.
Not sure right now of the best course of action, whether to check the error status for 409 and ignore it, or at least not log the exception and instead just log a warning that the resource was updated.
Describe the bug
When a registry pull secret (or other secret) is being injected into a service account using SecretInjector, if the service account was still in the process of being configured, then injection can fail as the service account may have changed in the interim.
A subsequent reconciliation triggered by updates to the service account should still see the secret injected, but need to verify this is occurring.
Additional information
No response
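One way to handle the 409 discussed in this issue is to log a warning, re-read the service account and confirm the secret is present before treating the conflict as harmless. This is an added example, not code from the Educates operator: it models the API server's resourceVersion check in memory, and `FakeServiceAccount`, `Conflict`, `inject_secret`, the `before_write` hook and `simulate_race` are hypothetical names.

```python
import logging

log = logging.getLogger("secretinjector-example")

class Conflict(Exception):
    """Stand-in for the API server's HTTP 409 response."""

class FakeServiceAccount:
    """In-memory model of one service account with resourceVersion checks."""
    def __init__(self):
        self._obj = {"resourceVersion": 1, "imagePullSecrets": []}

    def read(self):
        return {"resourceVersion": self._obj["resourceVersion"],
                "imagePullSecrets": list(self._obj["imagePullSecrets"])}

    def replace(self, body):
        # A write based on a stale read is rejected, as with a real 409.
        if body["resourceVersion"] != self._obj["resourceVersion"]:
            raise Conflict("the object has been modified")
        self._obj = {"resourceVersion": body["resourceVersion"] + 1,
                     "imagePullSecrets": list(body["imagePullSecrets"])}

def inject_secret(account, name, attempts=3, before_write=None):
    """Add name to imagePullSecrets; on conflict, warn, re-read and verify."""
    for attempt in range(1, attempts + 1):
        body = account.read()
        if {"name": name} in body["imagePullSecrets"]:
            return "already-present"   # the other reconciler won the race
        body["imagePullSecrets"].append({"name": name})
        if before_write:               # hypothetical hook: lets a rival write first
            before_write(attempt)
        try:
            account.replace(body)
            return "injected"
        except Conflict:
            log.warning("service account changed while injecting %s; retrying", name)
    raise RuntimeError(f"could not inject {name} after {attempts} attempts")

def simulate_race(rival_secret):
    """Run one injection while a rival writer updates the account mid-flight."""
    account = FakeServiceAccount()
    def rival(attempt):
        if attempt == 1:
            inject_secret(account, rival_secret)
    result = inject_secret(account, "educates-registry-credentials", before_write=rival)
    return result, [s["name"] for s in account.read()["imagePullSecrets"]]
```

When the rival writes the same secret, the losing call ends as `already-present` with a single entry; when the rival changes something else, the retry still injects the secret instead of silently dropping it.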