Caching All Secrets - Followup

Question

Caching All Secrets - Followup

ralikio opened this issue 4 months ago · comments

I Created a service instance and a binding for version 0.6.3. After upgrade to 0.6.4 label managed-by has not been added. The solution proposed in #432 is not acceptable because it misses old secrets update. You should be able to reconcile correct secrets because there is a reference to them stored in a binding. For example, there is spec.secretName in my binding and the secret itself contains ownerReference:

  ownerReferences:
    - apiVersion: services.cloud.sap.com/v1
      kind: ServiceBinding
      name: test
      uid: cc992891-cbd0-4da9-bb0a-1713f89399a9
      controller: true
      blockOwnerDeletion: true

kerenlahav · Answer 1 · Tue May 28 2024 16:26:27 GMT+0800 (China Standard Time)

Hi @ralikio
The BTP operator does not reconcile secrets, please explain the issue.

Wojciech Wrzalik · Answer 2 · Tue May 28 2024 21:29:29 GMT+0800 (China Standard Time)

Hello @kerenlahav!

I was testing the limited cache feature hoping that it will automatically apply required labels to secrets that are tied to a service binding. I have created a service instance and a binding with SAP BTP Service Operator v0.6.3. Then I upgraded Sap BTP Service Operator to v0.6.4. The secret was not updated event after over 10 hours. I suspect that it lands in final state and that is. It would be helpful to check if secret by name from a service binding and verify its labels.

kerenlahav · Answer 3 · Tue May 28 2024 21:39:27 GMT+0800 (China Standard Time)

The label will not be added to existing secrets since secrets are not reconciled, only new secrets will be created with the label or update in case of credentials rotation. The operator reads these secrets only in case of cred rotation and in this case the label will be added once rotated.
Why is this an issue? do you get any errors?

Wojciech Wrzalik · Answer 4 · Tue May 28 2024 21:43:44 GMT+0800 (China Standard Time)

The issue (or maybe feature request) is that even if we turn on the limited cache it would not work without manual intervention, which is not handy. Could you add a feature that adds missing label to required secrets (only those related to btp-operator's bindings)?

kerenlahav · Answer 5 · Tue May 28 2024 21:48:55 GMT+0800 (China Standard Time)

Sorry, I still don't understand why manual intervention is required. Secrets that do not belong to a rotating binding are not used by the BTP operator.
Did something fail once you enabled the limited cache?

Wojciech Wrzalik · Answer 6 · Wed May 29 2024 22:14:05 GMT+0800 (China Standard Time)

We have clarified that once secret (no matter its size) is created it is not touched by the sap-btp-service-operator so it should not pose any additional traffic on K8S API Server. Exceptions mentioned in above comments will cause label addition and hence caching of the secrets. Thanks @kerenlahav.