[bug] Omni overrides secret objects when included in extraManifests #719

Open
1 task done
tman5 opened this issue Oct 31, 2024 · 3 comments
Labels
bug Something isn't working

Comments


tman5 commented Oct 31, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When using the extraManifests config object on the Omni cluster to apply secret objects to the cluster, every time we bootstrap the cluster, the secrets change. Here is an example manifest:

apiVersion: v1
kind: Secret
metadata:
  name: secret
  namespace: "kube-system"
  annotations:
    kubernetes.io/service-account.name: secret
type: kubernetes.io/service-account-token

I've also seen this for certain CNI manifests

Expected Behavior

No changes to the secret tokens. What is happening is that Omni sees that the secret objects have been changed by the cluster, but it wants to override when the cluster changes the manifest.

Steps To Reproduce

  1. Create an extraManifest configuration in the cluster config that includes a secret
  2. Apply the cluster config
  3. Notice that Omni will apply it, but then will always mark it as a change in the bootstrap manifest section because the kubernetes cluster has attached a token to that secret and Omni wants to override it

What browsers are you seeing the problem on?

Firefox, Chrome

Anything else?

No response

@tman5 tman5 added the bug Something isn't working label Oct 31, 2024
Member

Unix4ever commented Nov 1, 2024

I don't think it has anything to do with Omni to be honest.
I think that's Kubernetes internals doing that.
@smira should know that better.

But actually it feels like you're trying to do something weird. What's your use case for this scenario?

Author

tman5 commented Nov 1, 2024

This extraManifest that it is applying is 2 objects for service accounts. The issue is the Secret object, since when the bootstrap runs again after applying it the first time, it will change the secret data.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-system
  name: testadmin
---
apiVersion: v1
kind: Secret
metadata:
  name: test-admin-token
  namespace: "kube-system"
  annotations:
    kubernetes.io/service-account.name: test
type: kubernetes.io/service-account-token

Member

smira commented Nov 4, 2024

I don't know, the only thing we can do is to skip/filter out such updates.

Bootstrap manifests have limited support for resources to be created, you can also remove that Secret from the config patch after the bootstrap as a workaround.
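
The "skip/filter out such updates" option from the comment above, sketched as an added example (not Omni's code and not written by any participant in this thread): a drift check that ignores the fields the Kubernetes token controller writes into a `kubernetes.io/service-account-token` Secret. It assumes both objects are already decoded into generic maps with server-managed metadata stripped; `normalize`, `Drifted`, `copyMap` and `secret` are hypothetical names, and the sample objects are constructed.

```go
package main

import "reflect"

const saTokenType = "kubernetes.io/service-account-token"

// copyMap makes a shallow copy so normalization never mutates its input.
func copyMap(in map[string]any) map[string]any {
	out := make(map[string]any, len(in))
	for k, v := range in {
		out[k] = v
	}
	return out
}

// normalize drops what the token controller writes: data and the service-account.uid annotation.
func normalize(obj map[string]any) map[string]any {
	out := copyMap(obj)
	if obj["kind"] != "Secret" || obj["type"] != saTokenType {
		return out // every other object is compared in full
	}
	delete(out, "data") // token, ca.crt and namespace are filled in by the cluster
	if meta, ok := obj["metadata"].(map[string]any); ok {
		m := copyMap(meta)
		if ann, ok := meta["annotations"].(map[string]any); ok {
			a := copyMap(ann)
			delete(a, "kubernetes.io/service-account.uid")
			m["annotations"] = a
		}
		out["metadata"] = m
	}
	return out
}

// Drifted reports whether live differs from desired once controller-owned fields are ignored.
func Drifted(desired, live map[string]any) bool {
	return !reflect.DeepEqual(normalize(desired), normalize(live))
}

// secret builds a constructed sample shaped like the manifest in the issue.
func secret(ann, data map[string]any) map[string]any {
	return map[string]any{"apiVersion": "v1", "kind": "Secret", "type": saTokenType, "data": data,
		"metadata": map[string]any{"name": "secret", "namespace": "kube-system", "annotations": ann}}
}

func main() {
	live := secret(map[string]any{"kubernetes.io/service-account.name": "secret", "kubernetes.io/service-account.uid": "<uid>"}, map[string]any{"token": "<redacted>"})
	println(Drifted(secret(map[string]any{"kubernetes.io/service-account.name": "secret"}, nil), live))
}
```

A change to the `kubernetes.io/service-account.name` annotation still counts as drift, so only the cluster-issued token material is exempt from re-apply.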
