Replace existing secret?
larsks opened this issue Β· comments
I originally asked this over in kubernetes-sigs/kustomize#3078, but they tell me this behavior needs to be implemented by the individual generator plugins, so I am asking here!
I am trying to replace a secretGenerator
-generated resource in a base with a plugin generated (ksops-encrypted) secret, and it's failing because:
Error: merging from generator &{0xc0002a76a0 0xc00012d680 [./certificate.yml ./deploykeys.yml ./bitlbee_config.yml]}: id resid.ResId{Gvk:resid.Gvk{Group:"", Version:"v1", K
ind:"Secret"}, Name:"bitlbee-config", Namespace:""} exists; behavior must be merge or replace
In ../base/kustomization.yml
, I have:
secretGenerator:
- name: bitlbee-config
files:
- bitlbee.conf
In my local directory, I have:
bases:
- ../base
generators:
- secret-generator.yml
In secret-generator.yml
I have:
---
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: secret-generator
files:
- ./bitlbee_config.yml
And in bitlbee_config.yml
I have:
apiVersion: v1
kind: Secret
metadata:
name: bitlbee-config
annotations:
kustomize.config.k8s.io/needs-hash: "true"
stringData:
bitlbee.conf: |
...content goes here...
I want the secret created from the sops-encrypted file to replace the static secret in the base directory. I see that e.g. for configMapGenerator
and secretGenerator
I can set a behavior
key to control create vs replace, but I don't see a similar option for generators
, which is a list rather than a map and doesn't appear to support anything other than a list of files.
Is it possible to add a similar option to the ksops plugin?
@larsks Thanks for making an issue! Yes it is possible, KSOPS use exec plugin annotations to control the generator behavior
. You can see an example in the README. You'll just need to update your secret with the following annotation:
apiVersion: v1
kind: Secret
metadata:
name: bitlbee-config
annotations:
kustomize.config.k8s.io/needs-hash: "true"
kustomize.config.k8s.io/behavior: replace
stringData:
bitlbee.conf: |
...content goes here...
Let me know if this solves your issue! If so, feel free to close the issue
@devstein thanks, that's exactly what I was looking for! Sorry for missing the bit in the README; I was looking all over for how to solve this from the kustomize
side of things.
Commenting here because I am trying to do this with the exact use case you call out in the README about the base ArgoCD secret. I've tried both with replace and merge as I'm just adding keys for SSO configuration, and it's not taking on my end. ArgoCD continues to complain about there already being a resource with that secret name, so it can't create another resource with the same name.
Hey, @streetmapp π would you mind sharing your kustomize directory structure and Argo CD secret overlay manifest and I can help debug?
Also, what version of ksops/kustomize
are you using?
I'm presently using the kustomize patch to install ksops. Right now I am using image version ksops:v2.1.1-go-1.14
. When I was running the latest version out there, I was getting Go version conflicts which was confusing to me since kustomize and ksops appeared to be built using the same versions of Go. I had moved to this version and things started working.
βββ argocd-cm.yaml
βββ argocd-ingress.yaml
βββ argocd-rbac-cm.yaml
βββ argocd-repo-ksops.yaml
βββ enc.argocd-secret.yaml
βββ enc.repo-config.yaml
βββ kustomization.yaml
βββ secret-generator.yaml
kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: argo
resources:
- ../../bases/argo-cd
- argocd-ingress.yaml
patchesStrategicMerge:
- argocd-cm.yaml
- argocd-rbac-cm.yaml
- argocd-repo-ksops.yaml
generators:
- secret-generator.yaml
enc.argocd-secret.yaml
apiVersion: v1
kind: Secret
metadata:
annotations:
kustomize.config.k8s.io/behavior: replace
labels:
app.kubernetes.io/instance: internal-argocd
app.kubernetes.io/name: argocd-secret
app.kubernetes.io/part-of: argocd
name: argocd-secret
type: Opaque
data:
secret-generator.yaml
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: argocd-secret-generator
files:
- ./enc.repo-config.yaml
- ./enc.argocd-secret.yaml
@streetmapp At a glance, your setup looks correct. Can you share the exact error in Argo CD? I can try reproduce with the same docker image
Only FYI is that I had changed my setup to be a merge
instead of the replace
rpc error: code = Unknown desc = `kustomize build /tmp/git@github.com:gitops/internal/argo --enable_alpha_plugins`
failed exit status 1: Error: merging from generator &{0xc00047ee80 0xc0000baae0
[./enc.repo-config.yaml ./enc.argocd-secret.yaml]}: may not add resource with an already
registered id: ~G_v1_Secret|~X|argocd-secret
@streetmapp Unfortunately, I'm unable to reproduce on v2.1.1
, but I know there is some tricky behavior in the ordering of evaluation for merging/replacing and the namespace
transformer. Would you mind trying to add the argo
namespace to your secret and retry?
apiVersion: v1
kind: Secret
metadata:
annotations:
kustomize.config.k8s.io/behavior: replace
labels:
app.kubernetes.io/instance: internal-argocd
app.kubernetes.io/name: argocd-secret
app.kubernetes.io/part-of: argocd
name: argocd-secret
namespace: argo
type: Opaque
data:
Also, if you build the manifests locally do you still see this error? Or only in Argo CD?
@devstein so that changes the error to the following
rpc error: code = Unknown desc = `kustomize build /tmp/git@github.com:gitops/internal/argo --enable_alpha_plugins`
failed exit status 1: Error: namespace tranformation produces ID conflict: []*resource.Resource{(*resource.Resource)
(0xc00046ee60), (*resource.Resource)(0xc000640140)}
I'll have to get back to you on the local building. Thanks for your assistance on this.
@streetmapp Were you able to reproduce locally?
@devstein thanks for checking in. This is working now. The issue ended up being on my end, as I'm in the process of upgrading and was testing in parallel. And I ultimately had my versions crossed. So my initial tests were from the older version which not surprsingly had issues. Once I moved to test with the new version, the issues went away. Thanks again for the support.
@streetmapp Glad to hear!
@devstein Any guidance on the mimimum kustomize/ksops versions where the above works? We are currently locked to kustomize 3.x.
@karlschriek Yes, if you are stuck on kustomize 3.x, you'll want to use KSOPS v2.4.0