bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

Home Page:https://sealed-secrets.netlify.app/


another key secret is getting created after restoring from backup

jenneron opened this issue · comments

Which component:
controller

Describe the bug
After restoring from a backup there are 2 secrets instead of 1, and the extra one gets re-created after removing it

To Reproduce

  1. Get a secret backup:
     kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml >main.key
  2. Provision a new cluster and restore the secret:
     kubectl apply -f main.key
     kubectl delete pod -n kube-system -l app.kubernetes.io/name=sealed-secrets
  3. Remove the old secret created before restoring the backup
  4. Restart the pod
  5. See another secret getting created

jenneron@pc:~$ k get secret -n kube-system | grep sealed
sealed-secrets-keyqzkq8                kubernetes.io/tls    2      3d18h
sealed-secrets-keywhg68                kubernetes.io/tls    2      39d
sh.helm.release.v1.sealed-secrets.v1   helm.sh/release.v1   1      39d

You can delete it, but it gets re-created after restarting the pod

Expected behavior

Possibility to properly back up and restore the key used for encrypting secrets without introducing more keys, as that makes further backups more complicated

Version of Kubernetes:

  • Output of kubectl version:
Client Version: v1.29.7
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.6+k3s2

Additional context

The main problem with this is that each backup/restore cycle requires one more key to back up, and it is not possible to use an older backup after restoring a second time

What are the logs of your new controller? These are mine:

$ kubectl logs -n kube-system deploy/sealed-secrets-controller
time=2024-08-28T08:36:41.988Z level=INFO msg="Starting sealed-secrets controller" version=v0.27.1
time=2024-08-28T08:36:41.989Z level=INFO msg="Searching for existing private keys"
time=2024-08-28T08:36:42.013Z level=INFO msg="registered private key" secretname=sealed-secrets-keylc67s
time=2024-08-28T08:36:42.014Z level=INFO msg="HTTP server serving" addr=:8080
time=2024-08-28T08:36:42.014Z level=INFO msg="HTTP metrics server serving" addr=:8081

It detects an existing key and it doesn't create a new one. So in your case it should not be creating a new secret.

With the second secret created:

$ k logs -n kube-system deploy/sealed-secrets-controller | head -5
time=2024-08-27T11:22:43.664Z level=INFO msg="Starting sealed-secrets controller" version=v0.27.1
time=2024-08-27T11:22:43.664Z level=INFO msg="Searching for existing private keys"
time=2024-08-27T11:22:43.675Z level=INFO msg="registered private key" secretname=sealed-secrets-keywhg68
time=2024-08-27T11:22:43.675Z level=INFO msg="registered private key" secretname=sealed-secrets-keypnttw
time=2024-08-27T11:22:43.676Z level=INFO msg="HTTP server serving" addr=:8080

After removing sealed-secrets-keypnttw and restarting the controller:

$ k logs -n kube-system deploy/sealed-secrets-controller | head -5
time=2024-08-28T10:04:19.620Z level=INFO msg="Starting sealed-secrets controller" version=v0.27.1
time=2024-08-28T10:04:19.627Z level=INFO msg="Searching for existing private keys"
time=2024-08-28T10:04:19.643Z level=INFO msg="registered private key" secretname=sealed-secrets-keywhg68
time=2024-08-28T10:04:19.670Z level=INFO msg="HTTP server serving" addr=:8080
time=2024-08-28T10:04:19.670Z level=INFO msg="HTTP metrics server serving" addr=:8081

It got one secret, but it also created a new one:

$ k get secret -n kube-system | grep sealed
sealed-secrets-keyjzhnv                kubernetes.io/tls    2      50s
sealed-secrets-keywhg68                kubernetes.io/tls    2      40d
sh.helm.release.v1.sealed-secrets.v1   helm.sh/release.v1   1      40d
$ k logs -n kube-system deploy/sealed-secrets-controller | grep sealed-secrets-keyjzhnv
time=2024-08-28T10:04:21.655Z level=INFO msg="New key written" namespace=kube-system name=sealed-secrets-keyjzhnv

Actually, I made a backup to test removing it in the previous message, and after restoring this backup and restarting the controller I have 3 secrets :P

$ k get secret -n kube-system | grep sealed
sealed-secrets-keyjzhnv                kubernetes.io/tls    2      3m30s
sealed-secrets-keypnttw                kubernetes.io/tls    2      62s
sealed-secrets-keywhg68                kubernetes.io/tls    2      40d
sh.helm.release.v1.sealed-secrets.v1   helm.sh/release.v1   1      40d
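A small post-restore check for the key sprawl discussed in this thread, added here as an example and not code from the sealed-secrets project: it parses controller log lines in the `time=... level=INFO msg="..." key=value` format shown above together with a `kubectl get secret` listing, and reports every key Secret that the controller registered or wrote but that was not in the backup. The sample log and listing are constructed after the output in the thread.

```python
"""Audit a sealed-secrets key restore for key Secrets not present in the backup."""
import re

# Log format seen in this thread: ... msg="..." key=value key=value
LOG_RE = re.compile(r'msg="(?P<msg>[^"]*)"(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=(\S+)')
KEY_PREFIX = "sealed-secrets-key"  # generated-name prefix of the controller's key Secrets


def parse_controller_log(lines):
    """Return (registered, written): key Secret names the controller loaded vs. minted."""
    registered, written = set(), set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        kv = dict(KV_RE.findall(m.group("rest")))
        if m.group("msg") == "registered private key":
            registered.add(kv["secretname"])
        elif m.group("msg") == "New key written":
            written.add(kv["name"])
    return registered, written


def audit_restore(backed_up, log_lines, listing):
    """Sorted names of key Secrets seen after restore that the backup did not contain."""
    registered, written = parse_controller_log(log_lines)
    present = {l.split()[0] for l in listing if l.startswith(KEY_PREFIX)}
    return sorted((present | registered | written) - set(backed_up))


# Constructed sample data modelled on the thread (one key in the backup).
SAMPLE_BACKUP = ["sealed-secrets-keywhg68"]
SAMPLE_LOG = [
    'time=2024-08-28T10:04:19.620Z level=INFO msg="Starting sealed-secrets controller" version=v0.27.1',
    'time=2024-08-28T10:04:19.627Z level=INFO msg="Searching for existing private keys"',
    'time=2024-08-28T10:04:19.643Z level=INFO msg="registered private key" secretname=sealed-secrets-keywhg68',
    'time=2024-08-28T10:04:19.670Z level=INFO msg="HTTP server serving" addr=:8080',
    'time=2024-08-28T10:04:21.655Z level=INFO msg="New key written" namespace=kube-system name=sealed-secrets-keyjzhnv',
]
SAMPLE_LISTING = [
    "sealed-secrets-keyjzhnv                kubernetes.io/tls    2      50s",
    "sealed-secrets-keywhg68                kubernetes.io/tls    2      40d",
    "sh.helm.release.v1.sealed-secrets.v1   helm.sh/release.v1   1      40d",
]


def run_example():
    """Any name returned is a key the controller minted outside the backed-up set."""
    return audit_restore(SAMPLE_BACKUP, SAMPLE_LOG, SAMPLE_LISTING)


if __name__ == "__main__":
    print(run_example())
```

An empty result after each restore means the backup still covers every private key the controller can decrypt with, which is the invariant the reporter wants to keep.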