Kapp should allow easily retrieving latest version of versioned Secret

[jkbschmid]

When creating a Secret that has the kapp.k14s.io/versioned annotation, the a suffix is added to the name of the Secret. This makes it hard for non-kapp applications to retrieve this secret (its latest version).

Proposal:
Add labels that make it easy to retrieve a versioned secret with kubectl, e.g. original-name and latest, so
kubectl get secret -l original-name=<name-without-suffix> -l latest=true works.

[phil9909]

Alternatively, kapp could create the secret also under it's original name.

[cppforlife]

Add labels that make it easy to retrieve a versioned secret with kubectl

yeah i could see that being added. this might also help supporting cases where other resource use labels to select on versioned resources. since versioned resources could be other resources aside from Secret/ConfigMap, label referencing would be more common.

kapp could create the secret also under it's original name.

i dont recall context but we wanted to add this feature before to support this type of "hybrid" approach.

^ @jkbschmid does this alt option work for you? (easier to implement)

[jkbschmid]

@cppforlife Thanks for the reply.

kapp could create the secret also under it's original name.

Also works for me 👍.

[jessehu]

We also have a use case that current 'ver-1' suffix doesn't work. We added versioned annotation for both the following configmap/secret, but the secret-name = "cloud-provider-vsphere-credentials" in the configmap still refer to the original secret name, not with the ver-1 suffix, so hit not found error. It would be great if kapp could create the secret/configmap under its original name (in addition to the new ver-N name), or even automatically detect the secret/configmap change and rollout the related Deployment/DS/STS without the need of versioned annotation.

apiVersion: v1
kind: Secret
metadata:
  name: cloud-provider-vsphere-credentials
  namespace: kube-system
stringData:
  ${VSPHERE_SERVER}.password: ${VSPHERE_PASSWORD}
  ${VSPHERE_SERVER}.username: ${VSPHERE_USERNAME}
type: Opaque

apiVersion: v1
kind: ConfigMap
metadata:
  name: vsphere-cloud-config
  namespace: kube-system
data:
  vsphere.conf: |+
    [Global]
    secret-name = "cloud-provider-vsphere-credentials"

[jessehu]

Could we prioritize this bug? It's causing issues in our product.

[aaronshurley]

@jessehu Thank you for providing your use case. We're going to explore this a bit further to see when we could fit this into our backlog. I'm hoping we get some clarity on this within the next day or so.

[renuy]

if we add a new annotation: versioned-keep-original, following are the test paths. this is not an exhaustive list. however, feel free to add more if missing some critical ones.

<style> </style>

steps		annotation	orginal	versioned	scenario
1	create	versioned-keep-orginal	create	create ver-1	1
2	update	versioned	delete	delete ver-1/create ver-2
3	update	non-versioed	create	delete
1	create	non-versioned	create	no-op	2
2	update	versioned	delete	create ver-1
3	update	versioned-keep-original	create	delete ver-1/create ver-2
1	create	non-versioned	create	no-op	3
2	update	versioned-keep-original	update	create ver-1
3	update	versioned	delete	delete ver-1/create ver-2
1	create	versioned	no-op	create ver-1	4
2	update	versioned-keep-orginal	create	delete ver-1/create ver-2
3	update	non-versioned	no-op	delete
1	create	non-versioned	create	no-op	5
2	update	versioned	delete	create ver-1
3	update	versioned	no-op	delete ver-1/create ver-2
4	update	non-versioned	create	delete
1	create	non-versioned	create	no-op	6
2	update	versioned-keep-original	update	create ver-1
3	update	versioned-keep-original	update	delete ver-1/create ver-2
4	update	non-versioned	create	delete
1	create	non-versioned	create	no-op	7
2	update	versioned-keep-original	update	create ver-1
3	update	versioned-keep-original	update	delete ver-1/create ver-2
4	update	non-versioned	update	delete

[chenliu1993]

Is it possitble we just remove the ver-{N} suffix by using versioned-keep-original annotation?

[renuy]

@chenliu1993 ,this new annotation will be used in conjunction with "versioned" annotation. That is, it will keep the original resource, as well as create a resource with version suffix.

[chenliu1993]

Thanks for the information, @renuy. So my understanding is both 'only-versioned-annotation' and 'both-versioned-with-versioned-keep-original-annotations' are going to change the resource name? Even keep-original is used, the name is also kept to adding suffix ver-1. Is my understanding from scenario 1 right?

[renuy]

if only "versioned" annotation is used, it will add the version suffix (ver-x) to the name.
If "versioned-keep-original" annotation is added, will have resource with original name, as well as resource with name having version suffix. If the scenarios are confusing, I will re-work on those.

[chenliu1993]

Thanks @renuy, I am just trying to understand the usage of versioned-keep-original.
So from the table above, there will be two resources existing, one with ver-x and other without.

1. Which one is taking effect? ver-x one? or original name one? Which one should I modify when I want to update the content the resource?
2. Will they both keep the same content when I update any of them?

[renuy]

available in release v0.38.0

[sethiyash]

Example:
Taking @jessehu use case. Here we have ConfigMap and Secret where ConfigMap is referring to Secret and Secret is a versioned resource.

apiVersion: v1
kind: Secret
metadata:
  name: cloud-provider-vsphere-credentials
  namespace: kube-system
  annotations:
    kapp.k14s.io/versioned: ""
type: Opaque
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vsphere-cloud-config
  namespace: kube-system
data:
  vsphere.conf: |+
    [Global]
    secret-name = "cloud-provider-vsphere-credentials"

Now to make kapp create Secret under the same name in addition to ver-N name (cloud-provider-vsphere-credentials-ver-1 for this example) user is supposed to add a new annotation kapp.k14s.io/versioned-keep-original: "" along with kapp.k14s.io/versioned: "". Now it will look like -

apiVersion: v1
kind: Secret
metadata:
  name: cloud-provider-vsphere-credentials
  namespace: kube-system
  annotations:
    kapp.k14s.io/versioned: ""
    kapp.k14s.io/versioned-keep-original: ""
type: Opaque
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vsphere-cloud-config
  namespace: kube-system
data:
  vsphere.conf: |+
    [Global]
    secret-name = "cloud-provider-vsphere-credentials"

[jessehu]

kapp.k14s.io/versioned-keep-original works great