bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

Home Page: https://sealed-secrets.netlify.app/

Error updating status of newly created SealedSecrets resources

tewfik-ghariani opened this issue

Which component:
controller v0.24.2

Describe the bug

Hi, we have recently noticed that the operator complains about updating the status of newly created SealedSecrets resources, even though the unsealing operation is successful:

Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"playground-dev", 
Name:"mock-secret", UID:"d07fdf8e-2ef7-4916-b2e0-0e10a7985a77", 
APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1869049268", FieldPath:""}): 
type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Error updating SealedSecret playground-dev/mock-secret status:
SealedSecret.bitnami.com "mock-secret" is invalid:
status.conditions[0].lastTransitionTime: Invalid value: "null": 
status.conditions[0].lastTransitionTime in body must be of type string: "null"

As a result, the corresponding secret resource is created, but the SealedSecret resource doesn't have any status entry and the SYNCED field is not set to true.

 $ k get sealedsecrets.bitnami.com mock-secret
NAME          STATUS   SYNCED   AGE
mock-secret                     2m24s
 $ k -o yaml get sealedsecrets.bitnami.com mock-secret | yq 'keys'
- apiVersion
- kind
- metadata
- spec

To Reproduce
Steps to reproduce the behavior:

  1. Generate any random secret
     kubectl create secret generic mock-secret --dry-run=client --from-literal=foo=bar -o yaml > mock.secret.yml
  2. Seal it via kubeseal
     kubeseal --cert https://internal.operator.com/v1/cert.pem --scope strict --format yaml < mock.secret.yml > sealed.mock.secret.yml
  3. Apply it to k8s
     kubectl apply -f sealed.mock.secret.yml
  4. Look for the status field in the SealedSecret resource
     kubectl -o yaml get sealedsecrets.bitnami.com mock-secret | yq 'keys'
  5. See error in the logs of the sealed-secrets operator pod
     kubectl logs sealed-secrets-controller-639n770jd6-s52lm

Expected behavior
It is expected that the status field is shown as in v0.24.0 and no warnings are emitted in the logs.

 $ k get sealedsecrets.bitnami.com
NAME             STATUS   SYNCED   AGE
another-secret            True     4s
 $ k -o yaml get sealedsecrets.bitnami.com another-secret | tail -n7
status:
  conditions:
  - lastTransitionTime: "2023-10-27T18:17:32Z"
    lastUpdateTime: "2023-10-27T18:17:32Z"
    status: "True"
    type: Synced
  observedGeneration: 1

Version of Kubernetes:

Client Version: v1.28.3
Server Version: v1.26.9

Additional context
I confirm that this bug did not exist in v0.24.0 after testing it, and I have doubts that it might be due to this change: #1295 that was introduced in v0.24.2 as per the release notes.
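
A way to find affected resources across a cluster, as an added example that is not part of the original issue or of the sealed-secrets project: it flags SealedSecrets that have no status or no Synced=True condition in JSON shaped like the output of `kubectl get sealedsecrets.bitnami.com -A -o json`. The sample objects are constructed, and the `stale-secret` case and the `observedGeneration` comparison are assumptions that go beyond what the report shows.

```python
import json

# Constructed sample shaped like `kubectl get sealedsecrets -A -o json` output.
# another-secret carries the healthy status shown in the report; mock-secret has
# no status at all (the reported symptom); stale-secret is a constructed case
# whose status predates the latest spec change.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "playground-dev", "name": "another-secret", "generation": 1},
   "status": {"observedGeneration": 1, "conditions": [
     {"type": "Synced", "status": "True",
      "lastTransitionTime": "2023-10-27T18:17:32Z",
      "lastUpdateTime": "2023-10-27T18:17:32Z"}]}},
  {"metadata": {"namespace": "playground-dev", "name": "mock-secret", "generation": 1}},
  {"metadata": {"namespace": "playground-dev", "name": "stale-secret", "generation": 2},
   "status": {"observedGeneration": 1, "conditions": [
     {"type": "Synced", "status": "True",
      "lastTransitionTime": "2023-10-27T18:17:32Z",
      "lastUpdateTime": "2023-10-27T18:17:32Z"}]}}
]}
""")


def audit(sealed_secret_list):
    """Return {"namespace/name": [problems]} for objects not cleanly synced."""
    findings = {}
    for item in sealed_secret_list.get("items", []):
        meta = item["metadata"]
        status = item.get("status") or {}
        conditions = status.get("conditions") or []
        problems = []
        if not status:
            problems.append("no status recorded")
        elif not any(c.get("type") == "Synced" and c.get("status") == "True"
                     for c in conditions):
            problems.append("Synced condition is not True")
        # Assumption: an up-to-date status has observedGeneration equal to
        # metadata.generation (the usual Kubernetes convention).
        observed = status.get("observedGeneration")
        if status and observed != meta.get("generation"):
            problems.append(f"observedGeneration {observed} != generation {meta.get('generation')}")
        if problems:
            findings[f"{meta['namespace']}/{meta['name']}"] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, "->", "; ".join(problems))
```

To check a live cluster, pass `audit()` the parsed JSON from the kubectl command above instead of `SAMPLE`.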

Hi,

Same here, recent sealedsecrets get stuck in fluxcd reconciliation InProgress in 0.24.2
0.24.0 unlocks reconciliation immediately

Hi everyone, we are investigating this bug. We will come back as soon as possible with a fix/information about it.

Sorry for the inconvenience

Álvaro

Hi Alvaro,

Check out #1355, I explained what is happening and what I think is missing for everything to work :)

Regards,

Sebastien