
(Secretsmanager): If the K8s do not exist, the secret is not created with the data from AWS #2076

Open
haooliveira84 opened this issue Jul 11, 2024 · 10 comments
Labels
bug Something isn't working

Comments

@haooliveira84
Contributor

haooliveira84 commented Jul 11, 2024

What happened?

If the K8s do not exist, the secret is not created with the data from AWS.
Part of the code says it is possible, but it doesn't work:
https://github.com/crossplane-contrib/provider-aws/blob/master/pkg/controller/secretsmanager/secret/setup.go#L169C2-L169C64

How can we reproduce it?

Create a secretManager object with this example below:

apiVersion: secretsmanager.aws.crossplane.io/v1beta1
kind: Secret
metadata:
  name: example-secret-h20
spec:
  forProvider:
    region: us-east-1
    description: "test"
    forceDeleteWithoutRecovery: true
    stringSecretRef:
      name: example-secret-manager-h20
      namespace: test-secret
    tags:
    - key: Name
      value: example-secret-h20

What environment did it happen in?

Crossplane version: 1.14.7
Crossplane Contrib Provider Version: v0.48.1

@haooliveira84 haooliveira84 added the bug Something isn't working label Jul 11, 2024
@stevendborrelli
Contributor

I did some testing with v0.48.1 with your manifest and was not able to duplicate the results with a basic key/value secret. What type of secret are you creating?

Are there any event logs or debugging logs available?

  • Secret does not exist in AWS, stringSecretRef does not exist in K8s: error
    pre-create failed: Secret "example-secret-manager-h20" not found

  • Secret exists in AWS, stringSecretRef does not exist in K8s: K8s secret is created successfully:

kubectl get secret -n test-secret example-secret-manager-h20 -o yaml
apiVersion: v1
data:
  key: c2VjcmV0
kind: Secret
metadata:
  creationTimestamp: "2024-07-12T07:25:42Z"
  name: example-secret-manager-h20
  namespace: test-secret
  resourceVersion: "579306"
  uid: 64f1120b-d628-4ae6-95e1-691a0a14d5a2
type: Opaque
  • Secret does not exist in AWS, stringSecretRef exists in K8S: secret is created in AWS:
[image attachment omitted from the extracted page]

@davirezendegb

davirezendegb commented Jul 12, 2024

When I try to create the following, the secret is not created in Kubernetes:

apiVersion: secretsmanager.aws.crossplane.io/v1beta1
kind: Secret
metadata:
  name: example-secret-h21
spec:
  forProvider:
    region: us-east-1
    description: "test"
    forceDeleteWithoutRecovery: true
    stringSecretRef:
      name: example-secret-manager-h21
      namespace: test-secret
    tags:
    - key: Name
      value: example-secret-h21

k get secrets.secretsmanager.aws.crossplane.io | grep -i example

example-secret-h21                                                                                  False   False    example-secret-h21 

k describe secrets.secretsmanager.aws.crossplane.io example-secret-h21

Name:         example-secret-h21
Namespace:    
Labels:       <none>
Annotations:  crossplane.io/external-create-failed: 2024-07-12T15:22:59Z
              crossplane.io/external-create-pending: 2024-07-12T15:22:59Z
              crossplane.io/external-name: example-secret-h21
API Version:  secretsmanager.aws.crossplane.io/v1beta1
Kind:         Secret
Metadata:
  Creation Timestamp:  2024-07-12T13:22:32Z
  Finalizers:
    finalizer.managedresource.crossplane.io
  Generation:  1
  Managed Fields:
    API Version:  secretsmanager.aws.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:deletionPolicy:
        f:forProvider:
          .:
          f:description:
          f:forceDeleteWithoutRecovery:
          f:region:
          f:stringSecretRef:
            .:
            f:name:
            f:namespace:
          f:tags:
        f:managementPolicies:
        f:providerConfigRef:
          .:
          f:name:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2024-07-12T13:22:32Z
    API Version:  secretsmanager.aws.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:atProvider:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:reason:
            f:status:
            f:type:
          k:{"type":"Synced"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:reason:
            f:status:
            f:type:
    Manager:      crossplane-aws-provider
    Operation:    Update
    Subresource:  status
    Time:         2024-07-12T13:33:58Z
    API Version:  secretsmanager.aws.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:crossplane.io/external-create-failed:
          f:crossplane.io/external-create-pending:
          f:crossplane.io/external-name:
        f:finalizers:
          .:
          v:"finalizer.managedresource.crossplane.io":
    Manager:         crossplane-aws-provider
    Operation:       Update
    Time:            2024-07-12T15:22:59Z
  Resource Version:  1118267071
  UID:               001f4e88-8498-4c00-98d6-19fdf8ddbc70
Spec:
  Deletion Policy:  Delete
  For Provider:
    Description:                    test
    Force Delete Without Recovery:  true
    Region:                         us-east-1
    String Secret Ref:
      Name:       example-secret-manager-h21
      Namespace:  test-secret
    Tags:
      Key:    Name
      Value:  example-secret-h21
  Management Policies:
    *
  Provider Config Ref:
    Name:  awsconfig
Status:
  At Provider:
  Conditions:
    Last Transition Time:  2024-07-12T13:33:58Z
    Message:               create failed: pre-create failed: Secret "example-secret-manager-h21" not found
    Reason:                ReconcileError
    Status:                False
    Type:                  Synced
    Last Transition Time:  2024-07-12T13:33:58Z
    Reason:                Creating
    Status:                False
    Type:                  Ready
Events:
  Type     Reason                        Age                     From                                             Message
  ----     ------                        ----                    ----                                             -------
  Warning  CannotCreateExternalResource  2m26s (x110 over 109m)  managed/secret.secretsmanager.aws.crossplane.io  pre-create failed: Secret "example-secret-manager-h21" not found

kubectl get secret -n test-secret example-secret-manager-h21 -o yaml

Error from server (NotFound): namespaces "test-secret" not found

@stevendborrelli
Contributor

stevendborrelli commented Jul 12, 2024

@davirezendegb can you ensure that namespace test-secret exists? The provider will not create a namespace.

@davirezendegb

I really had the namespace wrong:

apiVersion: secretsmanager.aws.crossplane.io/v1beta1
kind: Secret
metadata:
  name: example-secret-h21
spec:
  forProvider:
    region: us-east-1
    description: "test"
    forceDeleteWithoutRecovery: true
    stringSecretRef:
      name: example-secret-manager-h21
      namespace: teste-secret
    tags:
    - key: Name
      value: example-secret-h21

k describe secrets.secretsmanager.aws.crossplane.io example-secret-h21

Name:         example-secret-h21
Namespace:    
Labels:       <none>
Annotations:  crossplane.io/external-create-failed: 2024-07-12T17:10:17Z
              crossplane.io/external-create-pending: 2024-07-12T17:10:17Z
              crossplane.io/external-name: example-secret-h21
API Version:  secretsmanager.aws.crossplane.io/v1beta1
Kind:         Secret
Metadata:
  Creation Timestamp:  2024-07-12T17:10:12Z
  Finalizers:
    finalizer.managedresource.crossplane.io
  Generation:  1
  Managed Fields:
    API Version:  secretsmanager.aws.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:atProvider:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:reason:
            f:status:
            f:type:
          k:{"type":"Synced"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:reason:
            f:status:
            f:type:
    Manager:      crossplane-aws-provider
    Operation:    Update
    Subresource:  status
    Time:         2024-07-12T17:10:12Z
    API Version:  secretsmanager.aws.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:deletionPolicy:
        f:forProvider:
          .:
          f:description:
          f:forceDeleteWithoutRecovery:
          f:region:
          f:stringSecretRef:
            .:
            f:name:
            f:namespace:
          f:tags:
        f:managementPolicies:
        f:providerConfigRef:
          .:
          f:name:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2024-07-12T17:10:12Z
    API Version:  secretsmanager.aws.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:crossplane.io/external-create-failed:
          f:crossplane.io/external-create-pending:
          f:crossplane.io/external-name:
        f:finalizers:
          .:
          v:"finalizer.managedresource.crossplane.io":
    Manager:         crossplane-aws-provider
    Operation:       Update
    Time:            2024-07-12T17:10:17Z
  Resource Version:  1118370696
  UID:               81edbeea-0331-4d5d-a58b-73be00f64d3f
Spec:
  Deletion Policy:  Delete
  For Provider:
    Description:                    test
    Force Delete Without Recovery:  true
    Region:                         us-east-1
    String Secret Ref:
      Name:       example-secret-manager-h21
      Namespace:  teste-secret
    Tags:
      Key:    Name
      Value:  example-secret-h21
  Management Policies:
    *
  Provider Config Ref:
    Name:  awsconfig
Status:
  At Provider:
  Conditions:
    Last Transition Time:  2024-07-12T17:10:12Z
    Reason:                Creating
    Status:                False
    Type:                  Ready
    Last Transition Time:  2024-07-12T17:10:12Z
    Message:               create failed: pre-create failed: Secret "example-secret-manager-h21" not found
    Reason:                ReconcileError
    Status:                False
    Type:                  Synced
Events:
  Type     Reason                        Age               From                                             Message
  ----     ------                        ----              ----                                             -------
  Warning  CannotCreateExternalResource  1s (x5 over 14s)  managed/secret.secretsmanager.aws.crossplane.io  pre-create failed: Secret "example-secret-manager-h21" not found

k get secrets.secretsmanager.aws.crossplane.io | grep -i example
example-secret-h21 False False example-secret-h21

k get ns | grep -i teste-secret
teste-secret Active 27d

k get secret -n teste-secret example-secret-manager-h21 -o yaml
Error from server (NotFound): secrets "example-secret-manager-h21" not found

@stevendborrelli
Contributor

@davirezendegb does the secret exist already in AWS?

In my testing:

  • if the secret doesn't exist either in AWS,
  • and the k8s stringSecretRef secret does not exist

You will get an error like the pre-create failed: Secret "example-secret-manager-h21" not found error.

@davirezendegb

It really worked when I created it in AWS.
Shouldn't it create automatically in AWS or do I need to have one created in AWS to then reference it?

@stevendborrelli
Contributor

@davirezendegb the secret data needs to exist somewhere. Usually when using Crossplane you are creating a secret in AWS, so having it defined in the stringSecretRef on the Crossplane cluster is the usual practice.

However, if there is an existing secret already there, this provider can take over management of it and will create the secret in K8s for you from the data in AWS.

@davirezendegb

@stevendborrelli I carried out some tests; however, I noticed that when I try to insert new values in AWS they are not replicated to the Kubernetes secret.
But when you enter the values in the Kubernetes secret they are replicated to AWS.

@davirezendegb

Isn't it possible to create an exception so that when it doesn't exist in AWS or Kubernetes, it would preferably create one automatically in AWS?

> @davirezendegb does the secret exist already in AWS?
>
> In my testing:
>
>   • if the secret doesn't exist either in AWS,
>   • and the k8s stringSecretRef secret does not exist
>
> You will get an error like the pre-create failed: Secret "example-secret-manager-h21" not found error.

@stevendborrelli
Contributor

@davirezendegb

> @stevendborrelli I carried out some tests; however, I noticed that when I try to insert new values in AWS they are not replicated to the Kubernetes secret.
> But when you enter the values in the Kubernetes secret they are replicated to AWS.

The providers work on desired state, so the k8s values should always override what is in AWS. The initial empty k8s secret is a corner case, similar to taking over an existing resource.

Q2:

> Isn't it possible to create an exception so that when it doesn't exist in AWS or Kubernetes, it would preferably create one automatically in AWS?

A Secrets Manager secret cannot be created without secret data. See https://docs.aws.amazon.com/sdk-for-go/api/service/secretsmanager/#CreateSecretInput

// Either SecretString or SecretBinary must have a value, but not both.
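To make the behaviour described in this thread concrete, here is an added, stand-alone Go model of the pre-create decision; it is written for this page and is not the provider's code. K8sStore and AWSStore are in-memory maps standing in for the cluster and for Secrets Manager, and the JSON key/value encoding of the secret payload is an assumption. It covers the combinations reported in the testing above (neither side has data, AWS only, cluster only, both) and the CreateSecretInput rule quoted from the SDK docs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Added illustration, not the provider's code: an in-memory model of the
// pre-create decision discussed in this thread. K8sStore and AWSStore are
// constructed stand-ins for the cluster and for Secrets Manager; the JSON
// key/value encoding of the payload is an assumption.

// ErrSecretNotFound models the "pre-create failed: Secret ... not found" condition.
var ErrSecretNotFound = errors.New("pre-create failed: Secret not found")

// K8sStore maps "namespace/name" to a Secret's data (plain strings, not base64).
type K8sStore map[string]map[string]string

// AWSStore maps the external-name to the secret's SecretString.
type AWSStore map[string]string

// CreateSecretInput models the two mutually exclusive payload fields of the
// Secrets Manager CreateSecretInput linked above.
type CreateSecretInput struct {
	Name         string
	SecretString *string
	SecretBinary []byte
}

// ValidateCreateInput enforces "Either SecretString or SecretBinary must have
// a value, but not both": a request with neither cannot be created, which is
// why a missing stringSecretRef fails instead of creating an empty AWS secret.
func ValidateCreateInput(in CreateSecretInput) error {
	hasString := in.SecretString != nil
	hasBinary := len(in.SecretBinary) > 0
	if hasString == hasBinary {
		return errors.New("exactly one of SecretString or SecretBinary must be set")
	}
	return nil
}

// Reconcile returns the action the model takes for one observation:
//   - neither side has data:        ErrSecretNotFound (the error in this issue)
//   - AWS has it, cluster does not: "imported-from-aws" (take over, populate K8s)
//   - cluster has it, AWS does not: "created-in-aws"
//   - both have it:                 "updated-aws-from-k8s" (cluster is desired state)
func Reconcile(k8s K8sStore, aws AWSStore, externalName, namespace, name string) (string, error) {
	key := namespace + "/" + name
	k8sData, inK8s := k8s[key]
	awsValue, inAWS := aws[externalName]

	switch {
	case !inK8s && !inAWS:
		return "", fmt.Errorf("%w: %q", ErrSecretNotFound, name)

	case !inK8s && inAWS:
		// Take-over path: materialize the existing AWS data as the K8s secret.
		data := map[string]string{}
		if err := json.Unmarshal([]byte(awsValue), &data); err != nil {
			return "", fmt.Errorf("decode SecretString for %q: %w", externalName, err)
		}
		k8s[key] = data
		return "imported-from-aws", nil

	default:
		// The cluster secret is the desired state; serialize it and push it to AWS.
		payload, err := json.Marshal(k8sData)
		if err != nil {
			return "", err
		}
		s := string(payload)
		if err := ValidateCreateInput(CreateSecretInput{Name: externalName, SecretString: &s}); err != nil {
			return "", err
		}
		aws[externalName] = s
		if inAWS {
			return "updated-aws-from-k8s", nil
		}
		return "created-in-aws", nil
	}
}

func main() {
	k8s := K8sStore{}
	aws := AWSStore{}
	ext, ns, name := "example-secret-h20", "test-secret", "example-secret-manager-h20"

	_, err := Reconcile(k8s, aws, ext, ns, name)
	fmt.Println("neither exists:", err)

	aws[ext] = `{"key":"secret"}` // constructed: a pre-existing AWS secret
	action, _ := Reconcile(k8s, aws, ext, ns, name)
	fmt.Println("AWS only:", action, "->", k8s[ns+"/"+name])

	k8s[ns+"/"+name]["key"] = "rotated" // edit the cluster secret; it wins
	action, _ = Reconcile(k8s, aws, ext, ns, name)
	fmt.Println("both exist:", action, "->", aws[ext])
}
```

Run it with `go run .`; the first call reproduces the error from the issue, the second shows the take-over path that populates the cluster secret from AWS, and the third shows that a later edit on the cluster side overwrites AWS, which is the desired-state behaviour explained above (and the reason edits made directly in AWS are not copied back).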
