kubeseal outputs spec.template.metadata.name{,space} but is ignored #499

Closed
snuggie12 opened this issue Dec 29, 2020 · 7 comments

@snuggie12

kubeseal version v0.12.6 and sealed-secrets-controller version v0.12.5

If I run the following, you'll see the name and namespace for the Secret are printed under spec.template.metadata. However, this implies that the fields could be changed, and if for some reason you wanted a different name, it could work:

# Note my controller is not in the default namespace and so you might need to remove the option
$ kubectl create secret generic -n default -o yaml --dry-run=client test --from-literal foo=bar | kubeseal --controller-namespace sealed-secrets -o yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: test
  namespace: default
spec:
  encryptedData:
    foo: 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
  template:
    metadata:
      creationTimestamp: null
      name: test
      namespace: default

I'm actually fine with not enabling this feature, but it's confusing. I'm wondering if this could be removed from the output of kubeseal?

Pretty sure the logic is here:

objName := fmt.Sprintf("%s/%s", ssecret.GetObjectMeta().GetNamespace(), ssecret.GetObjectMeta().GetName())
log.Printf("Updating %s", objName)
secret, err := attemptUnseal(ssecret, keyRegistry)
if err != nil {
	// TODO: Add error event
	return err
}
_, err = sclient.Secrets(ssecret.GetObjectMeta().GetNamespace()).Create(secret)
if err != nil && errors.IsAlreadyExists(err) {
	_, err = sclient.Secrets(ssecret.GetObjectMeta().GetNamespace()).Update(secret)

@github-actions
Contributor

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the Stale label Jan 28, 2022
@juan131
Collaborator

juan131 commented Feb 3, 2022

I'm sorry, but I don't understand what the issue is here. What's the problem with spec.template.metadata? That's what the SealedController uses to create the associated secret's metadata.

@github-actions github-actions bot removed the Stale label Feb 4, 2022
@snuggie12
Author

The implication from "template" is that whatever you fill in will appear on the dependent secret resource. However, it doesn't matter what is filled in for name or namespace. No matter what, it keeps the same name as the owner reference.

This could be useful with tickets like a kustomize plugin (sorry on mobile so can't link) where the sealed secret is named one thing but the actual secret is named with a hash.
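A lint check for the behaviour described in this thread, as an added example that is not from the issue or the sealed-secrets project: it flags SealedSecret manifests whose spec.template.metadata name or namespace differs from the object's own, since per the thread those template values have no effect on the resulting Secret. It assumes manifests rendered as JSON rather than the YAML shown above; the function names and sample manifests are constructed for illustration.

```python
import json

# Constructed sample input (not from the issue): two JSON SealedSecrets in a List.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
         "metadata": {"name": "test", "namespace": "default"},
         "spec": {"encryptedData": {"foo": "PLACEHOLDER"},
                  "template": {"metadata": {"name": "test", "namespace": "default"}}}},
        {"apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
         "metadata": {"name": "test", "namespace": "default"},
         "spec": {"encryptedData": {"foo": "PLACEHOLDER"},
                  "template": {"metadata": {"name": "test-5f7c9", "namespace": "default"}}}},
    ],
})


def template_mismatches(obj):
    """Findings for one SealedSecret whose template identity differs from its own."""
    if obj.get("kind") != "SealedSecret":
        return []
    own = obj.get("metadata") or {}
    tmpl = ((obj.get("spec") or {}).get("template") or {}).get("metadata") or {}
    findings = []
    for field in ("name", "namespace"):
        want, got = own.get(field), tmpl.get(field)
        # Only compare when both are set; an unset field cannot disagree.
        if want is not None and got is not None and want != got:
            findings.append(
                f"{own.get('namespace')}/{own.get('name')}: "
                f"spec.template.metadata.{field}={got!r} differs from metadata.{field}={want!r}"
            )
    return findings


def scan(text):
    """Scan a JSON document holding one object or a kind: List of objects."""
    doc = json.loads(text)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [f for item in items for f in template_mismatches(item)]


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```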

@github-actions
Contributor

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the Stale label Feb 20, 2022
@mkmik
Collaborator

mkmik commented Feb 20, 2022

Yeah. It's confusing. It shouldn't be there. We need to be careful with backward compat when fixing this, though.

@github-actions github-actions bot removed the Stale label Feb 21, 2022
@github-actions
Contributor

github-actions bot commented Mar 8, 2022

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the Stale label Mar 8, 2022
@github-actions
Contributor

Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
