Error updating status of newly created SealedSecrets resources
tewfik-ghariani opened this issue
Which component:
controller v0.24.2
Describe the bug
Hi, we have recently noticed that the operator complains about updating the status of newly created SealedSecrets resources, even though the unsealing operation is successful:
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"playground-dev",
Name:"mock-secret", UID:"d07fdf8e-2ef7-4916-b2e0-0e10a7985a77",
APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1869049268", FieldPath:""}):
type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Error updating SealedSecret playground-dev/mock-secret status:
SealedSecret.bitnami.com "mock-secret" is invalid:
status.conditions[0].lastTransitionTime: Invalid value: "null":
status.conditions[0].lastTransitionTime in body must be of type string: "null"
As a result, the corresponding secret resource is created but the SealedSecret resource doesn't have any status entry and the SYNCED field is not set to true
$ k get sealedsecrets.bitnami.com mock-secret
NAME          STATUS   SYNCED   AGE
mock-secret                     2m24s
$ k -o yaml get sealedsecrets.bitnami.com mock-secret | yq 'keys'
- apiVersion
- kind
- metadata
- spec
To Reproduce
Steps to reproduce the behavior:
- Generate any random secret
kubectl create secret generic mock-secret --dry-run=client --from-literal=foo=bar -o yaml > mock.secret.yml
- Seal it via kubeseal
kubeseal --cert https://internal.operator.com/v1/cert.pem --scope strict --format yaml < mock.secret.yml > sealed.mock.secret.yml
- Apply it to k8s
kubectl apply -f sealed.mock.secret.yml
- Look for the status field in the SealedSecret resource
kubectl -o yaml get sealedsecrets.bitnami.com mock-secret | yq 'keys'
- See error in the logs of the sealed-secrets operator pod
kubectl logs sealed-secrets-controller-639n770jd6-s52lm
Expected behavior
It is expected that the status field is shown as in v0.24.0 and no warnings are emitted in the logs
$ k get sealedsecrets.bitnami.com
NAME             STATUS   SYNCED   AGE
another-secret            True     4s
$ k -o yaml get sealedsecrets.bitnami.com another-secret | tail -n7
status:
  conditions:
  - lastTransitionTime: "2023-10-27T18:17:32Z"
    lastUpdateTime: "2023-10-27T18:17:32Z"
    status: "True"
    type: Synced
  observedGeneration: 1
Version of Kubernetes:
Client Version: v1.28.3
Server Version: v1.26.9
Additional context
I confirm that this bug did not exist in v0.24.0 after testing it, and I have doubts that it might be due to this change: #1295 that was introduced in v0.24.2 as per the release notes
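An added example, not part of the original issue or the sealed-secrets project: a small audit that classifies SealedSecret objects by the `status` fields shown above, so resources hit by the missing-status symptom can be listed across a cluster. It assumes JSON shaped like the output of `kubectl get sealedsecrets.bitnami.com -A -o json`; the sample data is constructed, and the `edited-secret` and `failed-secret` entries are hypothetical.

```python
import json
import sys

# Constructed sample shaped like `kubectl get sealedsecrets.bitnami.com -A -o json`.
# mock-secret and another-secret mirror the issue; the other two are made up.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "playground-dev", "name": "mock-secret", "generation": 1}},
 {"metadata": {"namespace": "playground-dev", "name": "another-secret", "generation": 1},
  "status": {"observedGeneration": 1, "conditions": [
    {"type": "Synced", "status": "True",
     "lastTransitionTime": "2023-10-27T18:17:32Z",
     "lastUpdateTime": "2023-10-27T18:17:32Z"}]}},
 {"metadata": {"namespace": "playground-dev", "name": "edited-secret", "generation": 2},
  "status": {"observedGeneration": 1, "conditions": [
    {"type": "Synced", "status": "True"}]}},
 {"metadata": {"namespace": "playground-dev", "name": "failed-secret", "generation": 1},
  "status": {"observedGeneration": 1, "conditions": [
    {"type": "Synced", "status": "False"}]}}
]}
""")


def classify(obj):
    """Return the sync state of one SealedSecret object (a parsed dict)."""
    status = obj.get("status") or {}
    synced = next((c for c in status.get("conditions") or []
                   if c.get("type") == "Synced"), None)
    if synced is None:
        return "no-status"      # the symptom in this issue: status never written
    if synced.get("status") != "True":
        return "not-synced"     # Synced condition present but not "True"
    if status.get("observedGeneration") != obj["metadata"].get("generation"):
        return "stale"          # status predates the latest spec change
    return "synced"


def report(listing):
    """Map "namespace/name" to its state for every item in a kubectl list."""
    return {f'{o["metadata"]["namespace"]}/{o["metadata"]["name"]}': classify(o)
            for o in listing.get("items", [])}


if __name__ == "__main__":
    # With a file argument, read saved kubectl JSON; otherwise use the sample.
    listing = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, state in sorted(report(listing).items()):
        print(f"{state:<10} {name}")
```

A `no-status` result only shows that the status was never written; the controller log still has to be checked for the `Error updating SealedSecret ... status` line to confirm this bug is the cause.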
Hi,
Same here, recent sealedsecrets get stuck in fluxcd reconciliation InProgress in 0.24.2
0.24.0 unlocks reconciliation immediately
Hi everyone, we are investigating this bug. We will come back as soon as possible with a fix or information about it.
Sorry for the inconvenience
Álvaro
Hi Alvaro,
Check out #1355, I explained what is happening and what I think is missing for everything to work :)
Regards,
Sebastien