Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-7904

APIcast operator attempt to take ownership of existing adminPortalCredentialsRef secret

XMLWordPrintable

    • False
    • False
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Hide
      1. Create a new secret containing an AdminPortalURL key value.
      2. Output secret yaml and observe NO ownership metadata
      3. Create a new APIcast CR referencing the secret created in step 1 in adminPortalCredentialsRef 
      4. output secret yaml and observe ownership metadata has been changed to APIcast
      5. Delete APIcast CR
      6. Observe secret has also been deleted
      Show
      Create a new secret containing an AdminPortalURL key value. Output secret yaml and observe NO ownership metadata Create a new APIcast CR referencing the secret created in step 1 in adminPortalCredentialsRef  output secret yaml and observe ownership metadata has been changed to APIcast Delete APIcast CR Observe secret has also been deleted

      When deploying APIcast via the apicast operator it is sometimes required to create the adminPortalCredentialsRef secret a head of time. For example when using sealed secrets.

      Apicast operator will use the pre-existing secret, but it also attempts to take ownership of the secret. In the case of a sealed secrets operator this results in a conflict error being logged in the operator:

      {"level":"error","ts":1637155738.007716,"logger":"controller-runtime.manager.controller.apicast","msg":"Reconciler error","reconciler group":"apps.3scale.net","reconciler kind":"APIcast","name":"apicast-staging","namespace":"apicast-dev","error":"Object apicast-dev/staging-3scaleportal-secret is already owned by another SealedSecret controller staging-3scaleportal-secret","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/remote-source/deps/gomod/pkg/mod/github.com/go-logr/zapr@v0.2.0/zapr.go:132\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.7.2/pkg/internal/controller/controller.go:267\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.7.2/pkg/internal/controller/controller.go:235\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.1\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.7.2/pkg/internal/controller/controller.go:198\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.14/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.14/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.14/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.14/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.14/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.UntilWithContext\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.14/pkg/util/wait/wait.go:99"}

      Another concern is that even without a conflict, taking ownership of the secret means that when you delete the APIcast resource, the pre-existing secret is also deleted. This could result in unexpected data loss.

              Unassigned Unassigned
              rhn-support-spoole Shannon Poole
              Petr Hála Petr Hála (Inactive)
              Eguzki Astiz Lezaun Eguzki Astiz Lezaun
              Eguzki Astiz Lezaun Eguzki Astiz Lezaun
              Votes:
              1 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: