[Bug]: Bootstrap run error due to sops encrypted secret when updating to v1.3.0
tmyhu opened this issue · 4 comments
Describe the bug
I'm updating to provider v1.3.0 and flux v2.3.0 and when terraform apply runs it commits the changes as expected to my git repository, however terraform errors out with:
flux_bootstrap_git.data: Still modifying... [id=flux-system, 10s elapsed]
╷
│ Error: Bootstrap run error
│
│ with flux_bootstrap_git.data,
│ on main.tf line 47, in resource "flux_bootstrap_git" "data":
│ 47: resource "flux_bootstrap_git" "data" {
│
│ Secret/flux-system/gitlab-data dry-run failed: failed to create typed patch
│ object (flux-system/gitlab-data; /v1, Kind=Secret): .sops: field not
│ declared in schema
Steps to reproduce
To reproduce, disable secret creation and reference a sops encrypted secret for gitlab credentials in a custom kustomization file:
kustomization.yaml:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
- gitlab-data.secret.yaml
Expected behavior
I expect there to be no terraform error like in the previous provider version 1.2.3
Screenshots and recordings
No response
Terraform and provider versions
Terraform v1.4.6 on amd64 + provider fluxcd/flux 1.3.0
Terraform provider configurations
provider "flux" {
kubernetes = {
host = "https://kubernetes.default.svc" # Using internal DNS name since CI job not allowed to access NLB for API
insecure = true
token = var.k8s_token
}
git = {
url = "https://gitlab.com/....."
branch = "master"
commit_message_appendix = "to ${local.flux_version}"
http = {
username = "oauth2"
password = var.gitlab_token
}
}
}
flux_bootstrap_git resource
resource "flux_bootstrap_git" "data" {
path = "."
disable_secret_creation = true
secret_name = "gitlab-data"
kustomization_override = file("${path.module}/kustomization.yaml")
version = local.flux_version
}
Flux version
v2.3.0
Additional context
No response
Would you like to implement a fix?
No
@tmyhu this looks like an issue with your flux secret configuration rather than an issue with the provider itself.
@swade1987 can you elaborate on that? My configuration did not change and was working perfectly fine with previous versions of the provider up to and including 1.2.3.
It seems to me like for some reason the new version of the provider is trying to apply the secret file stored in git and referenced in the kustomization when previously only flux itself would do this (and flux is perfectly happy with the sops encrypted secret).
The provider now does the initial reconciliation; as with the Flux CLI, you can't have decryption set up in the root Flux Kustomization.
Thanks for the clarification @stefanprodan , I'll change how we do things then.
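The failure above comes from the provider's server-side dry-run of the root kustomization: a SOPS-encrypted Secret carries a top-level `sops` block that the core `v1/Secret` schema does not declare, so the dry-run rejects it before Flux ever gets a chance to decrypt it. The following pre-apply check is an added example, not code from the issue, the provider or the Flux project. It reads the files listed under `resources:` in a bootstrap `kustomization_override` (the layout from the issue) and flags any Secret that still carries a `sops:` key, so the problem surfaces in CI before `terraform apply` runs. The sample directory, the manifest contents and the `age1placeholder` recipient are constructed for the demo; `gotk-components.yaml` and `gotk-sync.yaml` are stand-ins for the files bootstrap generates.

```shell
#!/bin/sh
# Added example (not part of the issue or the provider): pre-apply check that the
# resources listed in a bootstrap kustomization_override contain no SOPS-encrypted
# Secret. The provider's server-side dry-run of the root kustomization rejects such
# a manifest with ".sops: field not declared in schema".
# Assumes "resources:" lists plain file paths (as in the issue) and that each file
# is a single-document manifest.

# make_sample: build a constructed sample directory so the check runs offline.
make_sample() {
  dir=$(mktemp -d)
  cat > "$dir/kustomization.yaml" <<'EOF'
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
- gitlab-data.secret.yaml
EOF
  # Stand-ins for the files flux bootstrap generates (constructed, not real output).
  printf 'apiVersion: v1\nkind: Namespace\nmetadata:\n  name: flux-system\n' > "$dir/gotk-components.yaml"
  printf 'apiVersion: source.toolkit.fluxcd.io/v1\nkind: GitRepository\nmetadata:\n  name: flux-system\n' > "$dir/gotk-sync.yaml"
  # Constructed SOPS-encrypted Secret: the top-level "sops:" metadata block is what
  # the Secret schema does not declare.
  cat > "$dir/gitlab-data.secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-data
  namespace: flux-system
data:
  username: ENC[AES256_GCM,data:placeholder,type:str]
  password: ENC[AES256_GCM,data:placeholder,type:str]
sops:
  age:
  - recipient: age1placeholder
  version: 3.8.1
EOF
  echo "$dir"
}

# list_resources DIR: print the file paths listed under "resources:" in
# DIR/kustomization.yaml, one per line.
list_resources() {
  awk '/^resources:/ { inres = 1; next }
       inres && /^[ \t]*- / { sub(/^[ \t]*- */, ""); print; next }
       inres && !/^[ \t-]/ { inres = 0 }' "$1/kustomization.yaml"
}

# find_sops_secrets DIR: print the resource files that are Secrets carrying a
# top-level "sops:" key. Returns 1 if any were found (fail the CI step), 0 otherwise.
find_sops_secrets() {
  dir=$1
  found=0
  for f in $(list_resources "$dir"); do
    [ -f "$dir/$f" ] || continue
    if grep -q '^kind: Secret$' "$dir/$f" && grep -q '^sops:' "$dir/$f"; then
      echo "$f"
      found=1
    fi
  done
  return $found
}

# Usage: sh check-root-kustomization.sh <dir containing kustomization.yaml>
if [ "$#" -gt 0 ]; then
  if find_sops_secrets "$1"; then
    echo "ok: no SOPS-encrypted Secret in the root kustomization"
  else
    echo "error: SOPS-encrypted Secret(s) listed above cannot be applied by the bootstrap dry-run" >&2
    exit 1
  fi
fi
```

Run it against the directory that holds the `kustomization_override` file; a non-zero exit means an encrypted Secret is still referenced from the root kustomization. Per the maintainer's answer, the encrypted Secret has to move out of the root kustomization into a Flux Kustomization that has decryption configured, since the root one is applied without it.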