Unseal updated secret: Precondition failed #898

Open
simonszu opened this issue Aug 1, 2022 · 2 comments

simonszu commented Aug 1, 2022

Which component:
Controller

Describe the bug
I have a sealed secret successfully injected into the cluster, which was encrypted. I wanted to add another key to it, so I edited the cleartext YAML, generated another sealed secret from it, and injected it into the cluster. The controller was unable to decrypt it:

2022/08/01 11:27:52 Error updating SealedSecret dls-backend-test/arangodb status: Operation cannot be fulfilled on sealedsecrets.bitnami.com "arangodb": StorageError: invalid object, Code: 4, Key: /registry/bitnami.com/sealedsecrets/dls-backend-test/arangodb, ResourceVersion: 0, AdditionalErrorMsg: Precondition failed: UID in precondition: 5ae127fc-d895-4c93-82c6-979aae7d00a8, UID in object meta:

To Reproduce
Steps to reproduce the behavior:

  1. Create a sealed secret
  2. Inject it to the cluster, verify that it gets decrypted correctly
  3. Edit the underlying cleartext yaml, add another key
  4. Create a sealed secret from the modified YAML - same name, same namespace
  5. Inject the new sealed secret to the cluster, effectively overwriting the old manifest

Expected behavior
The newly injected sealed secret gets decrypted

Version of Kubernetes:

  • Output of kubectl version:
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:22:29Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.10-r0-CCE21.11.1.B005-21.11.1.B005", GitCommit:"aa6aaf3c00ad28e5fe57be8e1b553a7f9ccb439d", GitTreeState:"clean", BuildDate:"2021-11-19T07:05:59Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}

I know that the Kubernetes is a bit outdated. It is a managed k8s by an in-house OpenStack provider, and they do not offer a newer version yet.

@github-actions github-actions bot added the triage Issues/PRs that need to be reviewed label Aug 1, 2022
@alemorcuq alemorcuq added backlog Issues/PRs that will be included in the project roadmap and removed triage Issues/PRs that need to be reviewed labels Aug 25, 2022
@josvazg josvazg self-assigned this Aug 25, 2022

DanielCastronovo commented Dec 6, 2022

Same here :)

It seems to be related to the replace object:
https://forum.linuxfoundation.org/discussion/856389/lab-3-4-15-kubectl-replace-error

@DanielCastronovo

Any news? Because the SealedSecretsUnsealErrorHigh alert (mixin) generates a lot of false positives.
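
Added example, not part of the thread and not code from the Sealed Secrets project: a small triage script that picks the status-update "Precondition failed" line reported above out of controller logs and extracts the affected object and UIDs, which helps when checking whether unseal-error alerts coincide with this error. The function names are assumptions, the first sample line is the one quoted in the report, and the other two are constructed.

```python
import re
from collections import Counter

# Matches the controller log line quoted in this issue: a status update on a
# SealedSecret rejected because the UID precondition no longer matches.
STATUS_PRECONDITION = re.compile(
    r"Error updating SealedSecret (?P<ns>[^/\s]+)/(?P<name>\S+) status: .*?"
    r"Precondition failed: UID in precondition: (?P<want>[0-9a-f-]{36}), "
    r"UID in object meta:\s*(?P<have>[0-9a-f-]{36})?"
)

def classify(line):
    """Return (kind, details) for one controller log line."""
    m = STATUS_PRECONDITION.search(line)
    if m:
        return "status-uid-precondition", {
            "sealedsecret": f"{m['ns']}/{m['name']}",
            "expected_uid": m["want"],
            # Empty in the report above: the stored object had no UID to compare.
            "observed_uid": m["have"] or "",
        }
    if "Error updating" in line:
        return "other-update-error", {}
    return "other", {}

def summarize(lines):
    """Count status-update UID precondition failures per namespace/name."""
    counts = Counter()
    for line in lines:
        kind, details = classify(line)
        if kind == "status-uid-precondition":
            counts[details["sealedsecret"]] += 1
    return counts

SAMPLE = [
    # Line from the issue report, re-joined onto one line.
    '2022/08/01 11:27:52 Error updating SealedSecret dls-backend-test/arangodb status: '
    'Operation cannot be fulfilled on sealedsecrets.bitnami.com "arangodb": StorageError: '
    'invalid object, Code: 4, Key: /registry/bitnami.com/sealedsecrets/dls-backend-test/arangodb, '
    'ResourceVersion: 0, AdditionalErrorMsg: Precondition failed: UID in precondition: '
    '5ae127fc-d895-4c93-82c6-979aae7d00a8, UID in object meta: ',
    # Constructed lines, only to exercise the other branches.
    '2022/08/01 11:28:10 Error updating example-ns/example: constructed sample line',
    '2022/08/01 11:28:11 constructed informational line',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(f"{key}: {n} status-update UID precondition failure(s)")
```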
