Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tuf-secret-copy-job couldn't patch already existing secrets #728

Closed
xoanmi opened this issue Mar 21, 2024 · 3 comments · Fixed by #729
Closed

tuf-secret-copy-job couldn't patch already existing secrets #728

xoanmi opened this issue Mar 21, 2024 · 3 comments · Fixed by #729
Labels
bug Something isn't working

Comments

@xoanmi
Copy link
Contributor

xoanmi commented Mar 21, 2024

Description

The tuf-secret-copy-job could not patch the secrets that already exist.

Chart version: v0.6.46

Warning: resource secrets/fulcio-server-secret is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.Error from server (Forbidden): error when applying patch:{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"data\":{\"cert\":\"<MY_CERT>\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"creationTimestamp\":\"2024-03-21T15:14:02Z\",\"name\":\"fulcio-server-secret\",\"namespace\":\"sigstore\",\"resourceVersion\":\"18957114\",\"uid\":\"e7c113b3-9365-4b3f-aea0-046726ed52f3\"},\"type\":\"Opaque\"}\n"}}}to:Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"Name: "fulcio-server-secret", Namespace: "sigstore"for: "STDIN": secrets "fulcio-server-secret" is forbidden: User "system:serviceaccount:sigstore:tuf-secret-copy-job" cannot patch resource "secrets" in API group "" in the namespace "sigstore"
@xoanmi xoanmi added the bug Something isn't working label Mar 21, 2024
@xoanmi xoanmi closed this as not planned Won't fix, can't repro, duplicate, stale Mar 21, 2024
@xoanmi xoanmi reopened this Mar 21, 2024
@vipulagarwal
Copy link
Contributor

@xoanmi thanks for bringing this up. The scaffold secrets copy job can probably get rid of existing secrets via a check. This has definitely caused me a sheer amount of pain when re-deploy scaffold on existing namespaces.

There is also an expectation that if you are creating certain namespaces via scaffold helm release then an uninstall and re-install shall get rid of the secrets anyway.

I am assuming that has been the case in your situation?

@xoanmi xoanmi mentioned this issue Mar 21, 2024
Merged
4 tasks
@xoanmi
Copy link
Contributor Author

xoanmi commented Mar 21, 2024

thanks for bringing this up. The scaffold secrets copy job can probably get rid of existing secrets via a check. This has definitely caused me a sheer amount of pain when re-deploy scaffold on existing namespaces.

There is also an expectation that if you are creating certain namespaces via scaffold helm release then an uninstall and re-install shall get rid of the secrets anyway.

I am assuming that has been the case in your situation?

Not really. Our is a cosmetic issue. When redeploying the same helm with slightly different parameters, the job is recreated and tries to patch some of the secrets. As it can't, the job fails even if the secret is already present and the services are running correctly.

I've opened a PR to add the needed permissions on the cluster role --> #729

@vipulagarwal
Copy link
Contributor

It all makes sense, thanks for the PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add patch permissions on secrets xoanmi/helm-charts
2 participants
@vipulagarwal @xoanmi