This repository has been archived by the owner on Dec 15, 2022. It is now read-only.

Altering a secret does not trigger an update on secretversions.secretmanager.gcp.jet.crossplane.io #46

Open
AaronME opened this issue Mar 5, 2022 · 2 comments
Labels
bug Something isn't working

Comments


AaronME commented Mar 5, 2022

What happened?

We are passing a secret to secretmanager using the SecretVersion resource. When we updated the underlying secret, this did not trigger the subscribed SecretVersion to create a new version in secretmanager.

The expected behavior would be that new secret data would automatically be pushed up as a new version.

How can we reproduce it?

1. Create a kubernetes Secret.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: bug-kubernetes-secret
  namespace: crossplane-system
stringData:
  key: "I am a secret"
```

2. Create a Secret and Secret Version with the above Kubernetes Secret as the source:

```yaml
---
apiVersion: secretmanager.gcp.jet.crossplane.io/v1alpha1
kind: Secret
metadata:
  name: bug-gcp-secret
spec:
  forProvider:
    replication:
      - automatic: true
    secretId: bug-gcp-secret
  providerConfigRef:
    name: gcp

---
apiVersion: secretmanager.gcp.jet.crossplane.io/v1alpha1
kind: SecretVersion
metadata:
  name: bug-gcp-secret-version
spec:
  forProvider:
    secret: projects/your-project/secrets/bug-gcp-secret
    secretDataSecretRef:
      name: bug-kubernetes-secret
      key: privateKey
      namespace: crossplane-system
  providerConfigRef:
    name: gcp
```

3. Update the Secret

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: bug-kubernetes-secret
  namespace: crossplane-system
stringData:
  key: "I am more of a secret"
```

4. Note that the SecretVersion in GCP SecretManager does not have a new version and the old data is still present.

What environment did it happen in?

Crossplane version: uxp 1.6.1-up.1
Provider version: preview-v0.2.0
Cloud Provider: gcp
Kubernetes version: 1.22.4-gke.1501
Kubernetes distro: GKE

@AaronME AaronME added the bug Something isn't working label Mar 5, 2022
@bitgandtter

Any update on this? We are experiencing the same issue, really blocking for us at this point.

muvaf (Member) commented Mar 11, 2022

@AaronME The reconciler gets events only for the object itself, i.e. changes on the SecretVersion instance, but not the Secret itself. So, any change you make would be picked up in the next reconcile, which would happen at the poll interval. In order to validate this, could you trigger a change on the SecretVersion by adding/removing a label on the SecretVersion after updating the Secret it references?
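
An added example, not part of the thread or the provider's code: a POSIX shell check for the condition discussed here. It compares a hash of the Kubernetes Secret value with the latest version in GCP Secret Manager and, when they differ, touches the SecretVersion with a label as suggested above. It assumes `kubectl`, `gcloud`, `base64` and `sha256sum` are installed and a key name without dots; the label key `reconcile-nudge` is arbitrary.

```sh
#!/bin/sh
# Added example, not from the issue thread. Resource names come from the
# manifests in the report; the label key below is an arbitrary choice.
RESOURCE=secretversions.secretmanager.gcp.jet.crossplane.io
# SHA-256 of empty input: what a failed or empty read hashes to.
EMPTY_SHA=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Hash one key of a Kubernetes Secret; the value itself is never printed.
k8s_secret_sha() {  # args: namespace secret-name key
  kubectl get secret "$2" -n "$1" -o "jsonpath={.data.$3}" \
    | base64 -d | sha256sum | cut -d' ' -f1
}

# Hash the latest version held in GCP Secret Manager.
gsm_secret_sha() {  # args: project secret-id
  gcloud secrets versions access latest --secret="$2" --project="$1" \
    | sha256sum | cut -d' ' -f1
}

# Exit status: 0 in sync, 1 Secret Manager is stale, 2 a side could not be read
# (a key name that does not exist in the Secret also reads as empty).
check_drift() {  # args: namespace secret-name key project secret-id
  cd_want=$(k8s_secret_sha "$1" "$2" "$3")
  cd_have=$(gsm_secret_sha "$4" "$5")
  if [ "$cd_want" = "$EMPTY_SHA" ] || [ "$cd_have" = "$EMPTY_SHA" ]; then
    echo "read error: empty value for $1/$2 key '$3' or for $5" >&2
    return 2
  fi
  [ "$cd_want" = "$cd_have" ] && { echo "in sync"; return 0; }
  echo "STALE: latest version of $5 differs from $1/$2 key '$3'" >&2
  return 1
}

# Touch the SecretVersion by adding and then removing a label.
nudge_reconcile() {  # arg: SecretVersion name
  kubectl label "$RESOURCE" "$1" reconcile-nudge=1 --overwrite &&
    kubectl label "$RESOURCE" "$1" reconcile-nudge-
}

# Script mode: <ns> <secret> <key> <project> <secret-id> <secretversion>
if [ "$#" -eq 6 ]; then
  check_drift "$1" "$2" "$3" "$4" "$5" ||
    { [ "$?" -eq 1 ] && nudge_reconcile "$6"; }
fi
```

A STALE result immediately after rotating the Secret is consistent with the poll-interval behaviour described above; one that persists after the label touch and a further poll interval is the case this issue reports.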
