bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

Home Page: https://sealed-secrets.netlify.app/

ObservedGeneration in status does not get updated when the SealedSecret is updated without errors

seb-metacommerce opened this issue · comments

Hi everyone,

Recently, after the changes to that file were made for the update logic, FluxCD isn't able to clear the health-check on the sealedsecret object. The code is here:

_, err := c.ssclient.SealedSecrets(ssecret.GetObjectMeta().GetNamespace()).UpdateStatus(context.Background(), ssecret, metav1.UpdateOptions{})

In the updateSealedSecretsStatusConditions function, I think it should take into account the ObservedGeneration versus the current object Generation. When the status hasn't changed (but the generation has), the status will not get updated and thus the observed generation will stay as it was.

In order to reproduce, you need to create a sealedsecret, then, in a second operation, add a value to the sealedsecret. You should end up with a Kubernetes object that looks like this:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: "2023-10-30T13:49:28Z"
  generation: 3
  labels:
    kustomize.toolkit.fluxcd.io/name: apps
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: seb-test-sealed-secret
  namespace: workloads
  resourceVersion: "111335696"
  uid: 2592d78f-167c-4775-8533-d9860ed0dd0a
spec:
  encryptedData:
    SECRET_1: 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
    SECRET_2: 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
    SECRET_3: 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
  template:
    metadata:
      name: seb-test-sealed-secret
      namespace: workloads
    type: Opaque
status:
  conditions:
  - lastUpdateTime: "2023-10-30T13:49:28Z"
    status: "True"
    type: Synced
  observedGeneration: 1

I reverted my Helm Chart from 2.13.1 to 2.13.0 and now everything updates as it did before:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: "2023-10-30T13:49:28Z"
  generation: 4
  labels:
    kustomize.toolkit.fluxcd.io/name: apps
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: seb-test-sealed-secret
  namespace: workloads
  resourceVersion: "111362418"
  uid: 2592d78f-167c-4775-8533-d9860ed0dd0a
spec:
  encryptedData:
    SECRET_1: 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
    SECRET_2: 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
    SECRET_3: 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
    SECRET_4: 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
  template:
    metadata:
      creationTimestamp: null
      name: seb-test-sealed-secret
      namespace: workloads
    type: Opaque
status:
  conditions:
  - lastUpdateTime: "2023-10-30T15:33:02Z"
    status: "True"
    type: Synced
  observedGeneration: 4

PS: The code in FluxCD that triggered me to dig for this issue:
https://github.com/fluxcd/flux2/blob/e3605acc132153b6ebe4013447dbe3a36f5b8f9f/cmd/flux/status.go#L67
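The stale `observedGeneration` described in the report above, as an added example that is not sealed-secrets or FluxCD code: it models a status write that is skipped when the conditions are unchanged, next to a variant that also writes when the generation has moved. The types, `UpdateStatus`, `Observed` and the `generationAware` switch are hypothetical names, and the health check is assumed to be a plain generation comparison.

```go
package main

import "fmt"

// Stand-in types for the fields shown in the issue (assumed, not the project's).
type Condition struct{ Type, Status string }

type SealedSecret struct {
	Generation         int64 // metadata.generation
	ObservedGeneration int64 // status.observedGeneration
	Conditions         []Condition
}

func sameConditions(a, b []Condition) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// UpdateStatus models one status write decision. With generationAware=false it
// reproduces the reported behaviour: identical conditions mean no write, so
// ObservedGeneration stays stale. With true, a generation gap also forces a write.
func UpdateStatus(ss *SealedSecret, next []Condition, generationAware bool) bool {
	stale := generationAware && ss.ObservedGeneration != ss.Generation
	if sameConditions(ss.Conditions, next) && !stale {
		return false
	}
	ss.Conditions, ss.ObservedGeneration = next, ss.Generation
	return true
}

// Observed is the generation comparison a health check can rely on (assumed form).
func Observed(ss SealedSecret) bool { return ss.ObservedGeneration == ss.Generation }

func main() {
	synced := []Condition{{"Synced", "True"}}
	// Constructed sample mirroring the issue: generation 3, observedGeneration 1.
	for _, aware := range []bool{false, true} {
		ss := SealedSecret{Generation: 3, ObservedGeneration: 1, Conditions: synced}
		wrote := UpdateStatus(&ss, synced, aware)
		fmt.Printf("generationAware=%v wrote=%v observed=%v\n", aware, wrote, Observed(ss))
	}
}
```
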

Hi, I think it is the same issue reported here: #1354 ^^

Yes, it's the same issue! This is the root cause though :)

Thanks for the fix!