Don't set an ownerRef on secrets users are susceptible to copy around #3992
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A k8s bug (kubernetes/kubernetes#65200) may cause the k8s garbage collection to delete undesired resources in case users manually copy an operator-managed secret to another namespace. To avoid that situation, this commit ensures no ownerRef is set on a subset of managed secrets users are susceptible to copy around: - the elastic user password secret - elasticsearch public transport certs - elasticsearch, kibana, enterprise search, apm server public http certs Existing ownerReferences set with earlier ECK versions will be removed when reconciled. Since they do not have an ownerRef anymore, those secrets are not automatically deleted when the Elasticsearch resource is deleted. To work around that situation, the secret reconciliation logic adds an additional set of labels to the reconciled secrets that don't have an ownerRef specified. These labels reference the "soft" owner ("soft" as in handled through some custom code and not through k8s builtin garbage collection logic). Once a controller receives a deletion event for the resource it manages, it will automatically remove the soft-owned secrets. This is done as best-effort. Secrets will remain orphan if: - the operator is not running when the owner is deleted - an error happens while deleting the soft-owned secrets
sebgl
changed the title
barkbay
reviewed
Dec 1, 2020
| // - we remove the existing owner | ||
| // - we set additional labels to perform garbage collection on owner deletion (best-effort) | ||
| expected.Labels[SoftOwnerNamespaceLabel] = theoreticalOwner.GetNamespace() | ||
| expected.Labels[SoftOwnerNameLabel] = theoreticalOwner.GetName() |
There was a problem hiding this comment.
I'm wondering if it makes sense to rely on the owner's UID, and not on the object name, to be consistent with what is done by the K8S GC ? It would require for the object to have been stored first but I think it is a fair assumption ?
Suggested change
| expected.Labels[SoftOwnerNameLabel] = theoreticalOwner.GetName() | |
| expected.Labels[SoftOwnerUID] = string(theoreticalOwner.GetUID()) |
There was a problem hiding this comment.
Hm I think the problem is that the garbage collection part of the code only knows about the deleted resource name + namespace (as part of the reconcile.Request). We don't know anything about the parent ID since it doesn't exist anymore? (Maybe I'm misunderstanding what you mean).
|
sebgl
commented
Dec 1, 2020
|
Current status: this PR is missing unit tests, but otherwise I don't expect any code change. |
sebgl
changed the title
pebrc
approved these changes
Dec 2, 2020
There was a problem hiding this comment.
LGTM, did a few simple tests that all seemed to work. Quirk: If you delete your es cluster while the operator is not running and recreate another cluster with the same name it adopts the left over resources from the previous incarnation which means password stays the same etc.
|
run full pr build |
|
We're missing a watch on soft-owned secrets to automatically trigger reconciliations on any change (e.g. deleting the elastic user secret). |
Good catch! I totally forgot that we are basing our watches on the owner reference :-( |
pebrc
approved these changes
Dec 3, 2020
|
Jenkins test this please My bad still not fixed #3617 |
|
run full pr build |
sebgl
added a commit
to sebgl/cloud-on-k8s
that referenced
this pull request
Dec 4, 2020
…elastic#3992) * Don't set an ownerRef on secrets users are susceptible to copy around A k8s bug (kubernetes/kubernetes#65200) may cause the k8s garbage collection to delete undesired resources in case users manually copy an operator-managed secret to another namespace. To avoid that situation, this commit ensures no ownerRef is set on a subset of managed secrets users are susceptible to copy around: - the elastic user password secret - elasticsearch public transport certs - elasticsearch, kibana, enterprise search, apm server public http certs Existing ownerReferences set with earlier ECK versions will be removed when reconciled. Since they do not have an ownerRef anymore, those secrets are not automatically deleted when the Elasticsearch resource is deleted. To work around that situation, the secret reconciliation logic adds an additional set of labels to the reconciled secrets that don't have an ownerRef specified. These labels reference the "soft" owner ("soft" as in handled through some custom code and not through k8s builtin garbage collection logic). Once a controller receives a deletion event for the resource it manages, it will automatically remove the soft-owned secrets. This is done as best-effort. Secrets will remain orphan if: - the operator is not running when the owner is deleted - an error happens while deleting the soft-owned secrets * Error out the reconciliation on garbage collection errors * Improvements from PR review * Label soft-owned secrets with the owner Kind * Reuse Kind constants instead of hardcoded string * Fix existing unit tests * Garbage collect orphan soft-owned secrets on operator startup * Fix linter warnings * Add unit tests * Cover soft owned secrets gc in e2e tests * Fix linter warning (typo) * Improvements from PR review * Trigger reconciliations on soft-owned secrets events * Fix linter stuff
sebgl
added a commit
that referenced
this pull request
Dec 4, 2020
…#3992) (#4008) * Don't set an ownerRef on secrets users are susceptible to copy around A k8s bug (kubernetes/kubernetes#65200) may cause the k8s garbage collection to delete undesired resources in case users manually copy an operator-managed secret to another namespace. To avoid that situation, this commit ensures no ownerRef is set on a subset of managed secrets users are susceptible to copy around: - the elastic user password secret - elasticsearch public transport certs - elasticsearch, kibana, enterprise search, apm server public http certs Existing ownerReferences set with earlier ECK versions will be removed when reconciled. Since they do not have an ownerRef anymore, those secrets are not automatically deleted when the Elasticsearch resource is deleted. To work around that situation, the secret reconciliation logic adds an additional set of labels to the reconciled secrets that don't have an ownerRef specified. These labels reference the "soft" owner ("soft" as in handled through some custom code and not through k8s builtin garbage collection logic). Once a controller receives a deletion event for the resource it manages, it will automatically remove the soft-owned secrets. This is done as best-effort. Secrets will remain orphan if: - the operator is not running when the owner is deleted - an error happens while deleting the soft-owned secrets * Error out the reconciliation on garbage collection errors * Improvements from PR review * Label soft-owned secrets with the owner Kind * Reuse Kind constants instead of hardcoded string * Fix existing unit tests * Garbage collect orphan soft-owned secrets on operator startup * Fix linter warnings * Add unit tests * Cover soft owned secrets gc in e2e tests * Fix linter warning (typo) * Improvements from PR review * Trigger reconciliations on soft-owned secrets events * Fix linter stuff
|
I guess I understand why this is done however it does mean that those generated resources do not show up in tools like Argo. When lots of resources are generated being visible from tooling is helpful so as to understand what has even been generated. Would there be any appetite to revisit this? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A k8s bug (kubernetes/kubernetes#65200) may cause the
k8s garbage collection to delete undesired resources in case users manually
copy an operator-managed secret to another namespace.
To avoid that situation, this commit ensures no ownerRef is set on a subset of
managed secrets users are susceptible to copy around:
Existing ownerReferences set with earlier ECK versions will be removed when
reconciled.
Since they do not have an ownerRef anymore, those secrets are not automatically
deleted when the Elasticsearch resource is deleted. To work around that situation,
the secret reconciliation logic adds an additional set of labels to the reconciled
secrets that don't have an ownerRef specified. These labels reference the "soft"
owner ("soft" as in handled through some custom code and not through k8s builtin
garbage collection logic).
Once a controller receives a deletion event for the resource it manages, it will
automatically remove the soft-owned secrets.
Additionally, garbage collection runs at operator startup to cover the case where
owners were deleted while the operator was down.
TODO:
Fixes #3986.