DaspawnW/vault-crd

If a `Secret` of the same name as a `Vault` already exists, it does not fail.

Closed this issue · 5 comments

I created this Secret via `kubectl apply`:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: ajayg2
data:
  key1: ZnJvbXNlY3JldA==

I then create a Vault object that should use the same name:

apiVersion: "koudingspawn.de/v1"
kind: Vault
metadata:
  name: ajayg2
spec:
  type: "KEYVALUE"
  path: "secret/infra/jayg"

In the logs I see the line `Received action: ADDED for ajayg2 in namespace X`,
but `kubectl get secret -o yaml ajayg2` shows me that it has the original secret, not the one from Vault, and it does not have `vault.koudingspawn.de/*` annotations.
If I wait for the next refresh from vault-crd and get the yaml again, I see that it has the secret value from Vault and it has the annotations indicating that it is controlled by the CRD.

I feel this is fairly inconsistent. I think the initial create should fail because it finds a Secret that is not controlled by the CRD.
But if it is going to be added, it needs to update the Secret with the right values immediately and not wait for the first refresh pass.

Hi @jaywgraves,

you are right. I don't know if failing because the secret exists is a good idea, because then the secret would produce exceptions all the time, also in the refresh handler.
This is something where a kube-apiserver validation hook would be required.

Is it okay to simply overwrite the existing secret?

I think you should only fail on CREATE, so it should not fail if you MODIFY your Vault (to change a version or something).
If the best that can happen is that it overwrites the Secret, I think it should do that on the CREATE and not wait for the first refresh pass.

I actually prefer the concept of vault-crd "taking over" secrets as you transition to it for existing secrets.

I don't think this issue is a blocker for us. We can probably close.
@DaspawnW are you going to cut a new release with the recent fixes?
(it will let us use the public image rather than one we have to build and push to our internal registry.)
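The two proposals in this thread (fail on CREATE when an unmanaged Secret of the same name exists, but not on MODIFY; or allow vault-crd to "take over" the existing Secret) are exactly the decision a validating admission hook would make. The following is an added example, not vault-crd's own code: it models that decision over an AdmissionReview-shaped request and the Secret that currently exists under the same name. It assumes the caller has already fetched the existing Secret (a real webhook would query the API server), and because the page only mentions `vault.koudingspawn.de/*` annotations without naming the exact keys, "controlled by the CRD" is detected by annotation prefix only. The sample manifests are constructed from the ones posted above.

```python
"""Admission-style preflight check for a Vault CR colliding with an existing Secret.

Added example (not vault-crd's code). Models the thread's proposal:
  - CREATE of a Vault whose name matches an unmanaged Secret is rejected,
    unless takeover of existing Secrets is explicitly allowed;
  - UPDATE/MODIFY never fails on this condition;
  - a Secret already carrying vault.koudingspawn.de/* annotations is fine.
"""
from typing import Optional

# Annotation prefix seen on Secrets managed by vault-crd (exact keys are not
# on the page, so only the prefix is checked).
VAULT_ANNOTATION_PREFIX = "vault.koudingspawn.de/"


def is_controlled_by_vault_crd(secret: Optional[dict]) -> bool:
    """True when the Secret carries any vault-crd annotation."""
    if secret is None:
        return False
    annotations = (secret.get("metadata") or {}).get("annotations") or {}
    return any(key.startswith(VAULT_ANNOTATION_PREFIX) for key in annotations)


def review_vault_admission(review: dict, existing_secret: Optional[dict],
                           allow_takeover: bool = False) -> dict:
    """Return an AdmissionReview response for a Vault CR create/update.

    `review` is an admission.k8s.io/v1 AdmissionReview request; the caller
    supplies `existing_secret` (the Secret with the same name, or None).
    """
    request = review["request"]
    operation = request["operation"]
    name = request["object"]["metadata"]["name"]

    allowed, message = True, f"{operation} Vault/{name}: allowed"
    if operation == "CREATE":
        if existing_secret is None:
            message = f"CREATE Vault/{name}: no Secret of that name exists"
        elif is_controlled_by_vault_crd(existing_secret):
            message = f"CREATE Vault/{name}: Secret already managed by vault-crd"
        elif allow_takeover:
            message = f"CREATE Vault/{name}: taking over unmanaged Secret"
        else:
            allowed = False
            message = (f"CREATE Vault/{name}: Secret/{name} exists and is not "
                       f"controlled by vault-crd (no {VAULT_ANNOTATION_PREFIX}* annotations)")

    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {"uid": request["uid"], "allowed": allowed,
                     "status": {"message": message}},
    }


# --- constructed sample input, mirroring the manifests in the issue ---------
UNMANAGED_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "ajayg2"},
    "data": {"key1": "ZnJvbXNlY3JldA=="},
}
# Same Secret after vault-crd has refreshed it (annotation key is hypothetical).
MANAGED_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "ajayg2",
                 "annotations": {VAULT_ANNOTATION_PREFIX + "example-key": "x"}},
    "data": {"key1": "ZnJvbXZhdWx0"},
}
VAULT_OBJECT = {
    "apiVersion": "koudingspawn.de/v1", "kind": "Vault",
    "metadata": {"name": "ajayg2"},
    "spec": {"type": "KEYVALUE", "path": "secret/infra/jayg"},
}


def make_review(operation: str, uid: str = "constructed-uid-1") -> dict:
    """Build a minimal AdmissionReview request for VAULT_OBJECT."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": operation, "object": VAULT_OBJECT}}


if __name__ == "__main__":
    for op, secret, takeover in [("CREATE", UNMANAGED_SECRET, False),
                                 ("CREATE", UNMANAGED_SECRET, True),
                                 ("CREATE", MANAGED_SECRET, False),
                                 ("CREATE", None, False),
                                 ("UPDATE", UNMANAGED_SECRET, False)]:
        resp = review_vault_admission(make_review(op), secret, takeover)["response"]
        print(resp["allowed"], "-", resp["status"]["message"])
```

The `allow_takeover` flag is where the two positions in the thread meet: with it off, an unmanaged Secret of the same name blocks the CREATE; with it on, the Vault object is admitted and the operator is expected to overwrite the Secret on the ADDED action rather than on the first refresh.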

Hi @jaywgraves,

a release is now available: https://github.com/DaspawnW/vault-crd/releases/tag/1.2.1

Best regards,
Björn