  1. Red Hat 3scale API Management
  2. THREESCALE-7904

APIcast operator attempts to take ownership of existing adminPortalCredentialsRef secret


Details

      1. Create a new secret containing an AdminPortalURL key value.
      2. Output the secret YAML and observe NO ownership metadata.
      3. Create a new APIcast CR referencing the secret created in step 1 in adminPortalCredentialsRef.
      4. Output the secret YAML and observe that the ownership metadata has been changed to APIcast.
      5. Delete the APIcast CR.
      6. Observe that the secret has also been deleted.

    Description

      When deploying APIcast via the APIcast operator, it is sometimes required to create the adminPortalCredentialsRef secret ahead of time, for example when using sealed secrets.

      The APIcast operator will use the pre-existing secret, but it also attempts to take ownership of the secret. In the case of a sealed secrets operator this results in a conflict error being logged in the operator:

      {"level":"error","ts":1637155738.007716,"logger":"controller-runtime.manager.controller.apicast","msg":"Reconciler error","reconciler group":"apps.3scale.net","reconciler kind":"APIcast","name":"apicast-staging","namespace":"apicast-dev","error":"Object apicast-dev/staging-3scaleportal-secret is already owned by another SealedSecret controller staging-3scaleportal-secret","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/remote-source/deps/gomod/pkg/mod/github.com/go-logr/zapr@v0.2.0/zapr.go:132\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.7.2/pkg/internal/controller/controller.go:267\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.7.2/pkg/internal/controller/controller.go:235\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.1\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.7.2/pkg/internal/controller/controller.go:198\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.14/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.14/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.14/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.14/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.14/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.UntilWithContext\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.14/pkg/util/wait/wait.go:99"}

      Another concern is that even without a conflict, taking ownership of the secret means that when you delete the APIcast resource, the pre-existing secret is also deleted. This could result in unexpected data loss.
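An added example, not part of the issue or the operator's code: a Go check that reads a secret's `metadata.ownerReferences` and flags both outcomes described above, the controller conflict and the cascade deletion. The JSON samples are constructed (resource names taken from the log line), and `AuditSecret` and `OwnerRef` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed samples shaped like `kubectl get secret -o json` output (names from the issue's log line).
const (
	adoptedSecret = `{"metadata":{"name":"staging-3scaleportal-secret","ownerReferences":[
	 {"kind":"APIcast","name":"apicast-staging","controller":true}]}}`
	sealedSecret = `{"metadata":{"name":"staging-3scaleportal-secret","ownerReferences":[
	 {"kind":"SealedSecret","name":"staging-3scaleportal-secret","controller":true}]}}`
	plainSecret = `{"metadata":{"name":"staging-3scaleportal-secret"}}`
)

// OwnerRef holds the ownerReferences fields that matter for ownership conflicts and garbage collection.
type OwnerRef struct {
	Kind       string `json:"kind"`
	Name       string `json:"name"`
	Controller bool   `json:"controller"`
}

// AuditSecret (hypothetical helper) reports two risks for a pre-created secret.
// cascade: every owner is an APIcast CR, so the garbage collector deletes the secret once those CRs are gone.
// conflict: a non-APIcast owner already has controller=true, so a second controller reference is rejected.
func AuditSecret(secretJSON []byte) (cascade bool, conflict string, err error) {
	var s struct {
		Metadata struct {
			OwnerReferences []OwnerRef `json:"ownerReferences"`
		} `json:"metadata"`
	}
	if err = json.Unmarshal(secretJSON, &s); err != nil {
		return false, "", err
	}
	owners := s.Metadata.OwnerReferences
	apicast := 0
	for _, o := range owners {
		if o.Kind == "APIcast" {
			apicast++
		} else if o.Controller {
			conflict = o.Kind + "/" + o.Name
		}
	}
	return apicast > 0 && apicast == len(owners), conflict, nil
}

func main() {
	for _, doc := range []string{adoptedSecret, sealedSecret, plainSecret} {
		fmt.Println(AuditSecret([]byte(doc)))
	}
}
```

Running this against each secret named in an `adminPortalCredentialsRef` before deleting an APIcast CR shows whether the secret would be removed along with it.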

            People

              Unassigned
              rhn-support-spoole Shannon Poole
              Petr Hála
              Eguzki Astiz Lezaun