Upgrade from v0.17.2 to v0.18.0 causes changes on each reconcile cycle #450
Comments
If you have the sops.yaml config set up as in the tutorial and sops in PGP mode, with read-write access to the secrets in your keychain, you can re-encrypt the secret with

I thought we resolved all of these issues before 0.18.0 was released, but apparently/unfortunately there are still a few things like this. I had this issue in pre-release testing and it went away for me when I removed the unnecessary creationTimestamp setting from my secrets. Please note that if your secrets are encrypted, the data is the encrypted part, but I'm pretty sure the whole secret is hashed and signed. So you may get errors from SOPS if you try to edit the secret by hand, rather than re-encrypting it with the SOPS cli. I do not think Flux will currently balk at secrets with incorrect hashes or signatures though, I believe it only cares about the encrypted parts (and whether or not the expected keys are available to decrypt them.)
there's no creationTimestamp in it.
this resource seems to cause "loops" also:
(yes it's empty)
@davidkarlsen I can't reproduce the empty ConfigMap issue. I tried it on Kubernetes 1.20.2 and 1.21.2. Can you please post here
@kingdonb kustomize-controller v0.15 does not take this field into consideration when detecting drift, are you sure you're using 0.15?
I can confirm that secrets with Events each cycle before removal:
Events each cycle after removal:
This example's interval is Edit:
@bergemalm thanks for the report! Can you please say which Kubernetes versions you are using? Is that secret sops encrypted? Where was the
@stefanprodan kubernetes GKE version
@stefanprodan I'm still seeing this on my sops secrets:
with
cleartext structure:
I assume there's a special case for Secret, but like fluxcd/flux2#1934, there's no top-level "spec" field here.
This is really strange as I can't reproduce the SOPS spam on my cluster nor in CI. I've added tests to make sure this doesn't happen; the tests are run on Kubernetes 1.20 and 1.21.
@stefanprodan - sorry - false alarm - the kustomize hadn't rolled out yet - that one is gone now. But I still struggle with this one:
causing endless reconcile.
This one too (checked into git vs get from cluster separated by
I'll try to drop the
@davidkarlsen thanks for posting both manifests, going to work on the fix tomorrow that should cover all CRs that don't have PS. Please post here your Kubernetes version, I have added tests for empty ConfigMap and I have no way to replicate it.
Removing the
which is openshift 4.8.11, but it should really be vanilla k8s for this resource (configmap) |
@davidkarlsen can you please do a test for me, can you set
Yes, that seems to work.
Naaah, too soon to conclude, same:
Ok please try to remove
Before the upgrade we only got events on slack when there were in fact changes checked into git; after the upgrade we get events every 10 mins:
The slack-url is a sops encrypted secret