Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to disable secret auto-recreation #1118

Merged
merged 6 commits into from
Mar 6, 2023
Merged

Allow to disable secret auto-recreation #1118

merged 6 commits into from
Mar 6, 2023

Conversation

josvazg
Copy link
Collaborator

@josvazg josvazg commented Mar 2, 2023

Description of the change

Add a new recreate flag, on by default, that when switched off allows to opt in for lost backward compatibility after the introduction of automatic secret recreation by PR #963.

Benefits

Some low privilege environment do not allow users to watch secrets, so this will allow them to still install sealed secrets just by using the new recreate flag set to false.

Possible drawbacks

It is still a manual fix, as we want it to be a explicit opt in. Also the error about lack of permissions for watching secrets will not point you to this flag. But still this flag should help as it skips secrets watching completely.

Applicable issues

Additional information

Reported at #1064

@josvazg josvazg self-assigned this Mar 2, 2023
@josvazg josvazg had a problem deploying to vmware-image-builder March 2, 2023 15:03 — with GitHub Actions Failure
@josvazg josvazg had a problem deploying to vmware-image-builder March 2, 2023 15:21 — with GitHub Actions Failure
@josvazg josvazg had a problem deploying to vmware-image-builder March 2, 2023 15:21 — with GitHub Actions Failure
Allow to disable secret auto-recreation
ac73912 
Signed-off-by: Jose Luis Vazquez Gonzalez <[email protected]>
Invert flag logic
b866e6a 
Signed-off-by: Jose Luis Vazquez Gonzalez <[email protected]>
Simplify as unit tests
5325e94 
Signed-off-by: Jose Luis Vazquez Gonzalez <[email protected]>
alemorcuq
alemorcuq suggested changes Mar 3, 2023
View reviewed changes
helm/sealed-secrets/templates/deployment.yaml Outdated Show resolved Hide resolved
helm/sealed-secrets/values.yaml Outdated Show resolved Hide resolved
pkg/controller/controller_test.go Outdated Show resolved Hide resolved
pkg/controller/controller_test.go Outdated Show resolved Hide resolved
josvazg
josvazg commented Mar 6, 2023
View reviewed changes
helm/sealed-secrets/README.md Outdated Show resolved Hide resolved
josvazg
josvazg commented Mar 6, 2023
View reviewed changes
carvel/package.yaml Outdated Show resolved Hide resolved
@alemorcuq
Apply suggestions from code review
a0344ee 
Co-authored-by: Alejandro Moreno <[email protected]>
Signed-off-by: josvaz <[email protected]>
@josvazg
Copy link
Collaborator Author

josvazg commented Mar 6, 2023 

$ helm template helm/sealed-secrets/ --set skipRecreate=true |grep args -A 5
          args:
            - --update-status
            - --skip-recreate
            - --key-prefix
            - "sealed-secrets-key"
          image: docker.io/bitnami/sealed-secrets-controller:v0.19.5

alemorcuq
alemorcuq suggested changes Mar 6, 2023
View reviewed changes
pkg/controller/main.go Outdated Show resolved Hide resolved
alvneiayu
alvneiayu previously approved these changes Mar 6, 2023
View reviewed changes
Copy link
Collaborator

@alvneiayu alvneiayu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Change all controller setups
3cebdeb 
Signed-off-by: Jose Luis Vazquez Gonzalez <[email protected]>
alemorcuq
alemorcuq suggested changes Mar 6, 2023
View reviewed changes
helm/sealed-secrets/values.yaml Outdated Show resolved Hide resolved
pkg/controller/controller_test.go Outdated Show resolved Hide resolved
pkg/controller/controller_test.go Outdated Show resolved Hide resolved
@alemorcuq
Apply suggestions from code review
1e03569 
Co-authored-by: Alejandro Moreno <[email protected]>
Signed-off-by: josvaz <[email protected]>
Signed-off-by: Jose Luis Vazquez Gonzalez <[email protected]>
@josvazg josvazg merged commit fc66939 into bitnami-labs:main Mar 6, 2023
@josvazg josvazg mentioned this pull request Mar 6, 2023
Closed
tewfik-ghariani
tewfik-ghariani reviewed Mar 15, 2023
View reviewed changes
helm/sealed-secrets/values.yaml
@@ -56,6 +56,12 @@ secretName: "sealed-secrets-key"
## @param updateStatus Specifies whether the Sealed Secrets controller should update the status subresource
##
updateStatus: true
## @param skipRecreate Specifies whether the Sealed Secrets controller should skip recreating removed secrets
## Setting it to false allows to optionally restore backward compatibility in low priviledge
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just noticed this small typo ^^
This message is talking about the case in which skipRecreate is actually set to true

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed per #1371

@tewfik-ghariani tewfik-ghariani mentioned this pull request Mar 19, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tewfik-ghariani tewfik-ghariani tewfik-ghariani left review comments

@alemorcuq alemorcuq alemorcuq approved these changes

@alvneiayu alvneiayu alvneiayu left review comments

@agarcia-oss agarcia-oss Awaiting requested review from agarcia-oss agarcia-oss is a code owner

Assignees

@josvazg josvazg

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

PR #963 unintentional backwards compatibility break
4 participants
@josvazg @alvneiayu @tewfik-ghariani @alemorcuq