another key secret is getting created after restoring from backup #1588

Open
jenneron opened this issue Aug 27, 2024 · 3 comments
Labels
triage Issues/PRs that need to be reviewed

Comments

@jenneron

Which component:
controller

Describe the bug
After restoring from backup there are 2 secrets instead of 1, and it gets re-created after removing it

To Reproduce

  1. Get a secret backup:
     kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml >main.key
  2. Provision a new cluster and restore secret:
     kubectl apply -f main.key
     kubectl delete pod -n kube-system -l app.kubernetes.io/name=sealed-secrets
  3. Remove old secret created before restoring backup
  4. Restart pod
  5. See another secret getting created

jenneron@pc:~$ k get secret -n kube-system | grep sealed
sealed-secrets-keyqzkq8                kubernetes.io/tls    2      3d18h
sealed-secrets-keywhg68                kubernetes.io/tls    2      39d
sh.helm.release.v1.sealed-secrets.v1   helm.sh/release.v1   1      39d

You can delete it, but it gets re-created after restarting pod

Expected behavior

Possibility to properly back up and restore key used for encrypting secrets without introducing more keys as it makes further backups more complicated

Version of Kubernetes:

  • Output of kubectl version:
Client Version: v1.29.7
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.6+k3s2

Additional context

The main problem with this is that each backup/restore cycle requires +1 key to backup, and it is not possible to use older backup after restoring second time

@jenneron jenneron added the triage Issues/PRs that need to be reviewed label Aug 27, 2024
@alemorcuq
Collaborator

What are the logs of your new controller? These are mine:

$ kubectl logs -n kube-system deploy/sealed-secrets-controller
time=2024-08-28T08:36:41.988Z level=INFO msg="Starting sealed-secrets controller" version=v0.27.1
time=2024-08-28T08:36:41.989Z level=INFO msg="Searching for existing private keys"
time=2024-08-28T08:36:42.013Z level=INFO msg="registered private key" secretname=sealed-secrets-keylc67s
time=2024-08-28T08:36:42.014Z level=INFO msg="HTTP server serving" addr=:8080
time=2024-08-28T08:36:42.014Z level=INFO msg="HTTP metrics server serving" addr=:8081

It detects an existing key and it doesn't create a new one. So in your case it should not be creating a new secret.

@jenneron
Author

with second secret created:

$ k logs -n kube-system deploy/sealed-secrets-controller | head -5
time=2024-08-27T11:22:43.664Z level=INFO msg="Starting sealed-secrets controller" version=v0.27.1
time=2024-08-27T11:22:43.664Z level=INFO msg="Searching for existing private keys"
time=2024-08-27T11:22:43.675Z level=INFO msg="registered private key" secretname=sealed-secrets-keywhg68
time=2024-08-27T11:22:43.675Z level=INFO msg="registered private key" secretname=sealed-secrets-keypnttw
time=2024-08-27T11:22:43.676Z level=INFO msg="HTTP server serving" addr=:8080

after removing sealed-secrets-keypnttw and restarting controller:

$ k logs -n kube-system deploy/sealed-secrets-controller | head -5
time=2024-08-28T10:04:19.620Z level=INFO msg="Starting sealed-secrets controller" version=v0.27.1
time=2024-08-28T10:04:19.627Z level=INFO msg="Searching for existing private keys"
time=2024-08-28T10:04:19.643Z level=INFO msg="registered private key" secretname=sealed-secrets-keywhg68
time=2024-08-28T10:04:19.670Z level=INFO msg="HTTP server serving" addr=:8080
time=2024-08-28T10:04:19.670Z level=INFO msg="HTTP metrics server serving" addr=:8081

it got one secret but it also created a new one:

$ k get secret -n kube-system | grep sealed
sealed-secrets-keyjzhnv                kubernetes.io/tls    2      50s
sealed-secrets-keywhg68                kubernetes.io/tls    2      40d
sh.helm.release.v1.sealed-secrets.v1   helm.sh/release.v1   1      40d
$ k logs -n kube-system deploy/sealed-secrets-controller | grep sealed-secrets-keyjzhnv
time=2024-08-28T10:04:21.655Z level=INFO msg="New key written" namespace=kube-system name=sealed-secrets-keyjzhnv
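Taken together, the reproduction steps in the report and the log comparison in the follow-up comments suggest two checks worth automating around a restore. The script below is an added example written for this thread; it is not code from the sealed-secrets project or from any participant. It sanitizes a `kubectl get secret ... -o json` dump of the key secrets (keeping only `kubernetes.io/tls` secrets that carry the key label and both `tls.crt`/`tls.key` entries, and dropping server-managed metadata such as `resourceVersion` and `uid` before re-applying, which is an assumption about what should not be replayed into a new cluster), then parses controller log lines in the format shown above to report which keys were registered at start-up, which restored keys were not, and whether a `New key written` event followed the restore. The label value `active`, the function names and the sample backup document are assumptions or constructed data; the sample log lines are copied from the thread.

```python
"""Sanity checks around a sealed-secrets key backup/restore cycle.

Added example, not part of the sealed-secrets project. Assumptions:
 - backups are taken with `kubectl get secret -n kube-system
   -l sealedsecrets.bitnami.com/sealed-secrets-key -o json` (a v1 List);
 - the label value the controller selects on is "active" (assumed);
 - controller log lines use the key=value format shown in the issue.
"""
import json
import re
from typing import Dict, List

KEY_LABEL = "sealedsecrets.bitnami.com/sealed-secrets-key"
KEY_LABEL_VALUE = "active"  # assumed value
# Server-managed metadata that should not be replayed into another cluster
SERVER_FIELDS = ("resourceVersion", "uid", "creationTimestamp",
                 "managedFields", "selfLink")


def sanitize_backup(raw: str) -> Dict:
    """Return a List containing only genuine key secrets, stripped of
    cluster-specific metadata so the document can be re-applied elsewhere."""
    doc = json.loads(raw)
    kept = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels", {})
        if item.get("type") != "kubernetes.io/tls":
            continue                      # not a TLS key pair at all
        if labels.get(KEY_LABEL) != KEY_LABEL_VALUE:
            continue                      # controller would not register it
        if not {"tls.crt", "tls.key"} <= set(item.get("data", {})):
            continue                      # incomplete key material
        for field in SERVER_FIELDS:
            meta.pop(field, None)
        kept.append(item)
    return {"apiVersion": "v1", "kind": "List", "items": kept}


LOG_RE = re.compile(r'msg="(?P<msg>[^"]*)"(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=(\S+)')


def audit_controller_log(log: str, restored: List[str]) -> Dict[str, List[str]]:
    """Compare the keys the controller registered on start-up with the key
    secrets that were restored, and list any key it minted afterwards."""
    registered, minted = [], []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("rest")))
        if m.group("msg") == "registered private key":
            registered.append(fields["secretname"])
        elif m.group("msg") == "New key written":
            minted.append(fields["name"])
    return {
        "registered": registered,
        "missing": [n for n in restored if n not in registered],
        "minted_after_restore": minted,
    }


# Constructed backup dump in the shape of `kubectl get secret ... -o json`
SAMPLE_BACKUP = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
         "metadata": {"name": "sealed-secrets-keywhg68", "namespace": "kube-system",
                      "generateName": "sealed-secrets-key",
                      "labels": {KEY_LABEL: KEY_LABEL_VALUE},
                      "resourceVersion": "12345",
                      "uid": "00000000-0000-0000-0000-000000000001",
                      "creationTimestamp": "2024-07-18T00:00:00Z"},
         "data": {"tls.crt": "Y2VydA==", "tls.key": "a2V5"}},
        {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
         "metadata": {"name": "not-a-key", "namespace": "kube-system",
                      "labels": {KEY_LABEL: KEY_LABEL_VALUE}},
         "data": {"foo": "YmFy"}},
    ],
})

# Controller log lines as posted in the issue (after the restore)
SAMPLE_LOG = """\
time=2024-08-28T10:04:19.620Z level=INFO msg="Starting sealed-secrets controller" version=v0.27.1
time=2024-08-28T10:04:19.627Z level=INFO msg="Searching for existing private keys"
time=2024-08-28T10:04:19.643Z level=INFO msg="registered private key" secretname=sealed-secrets-keywhg68
time=2024-08-28T10:04:19.670Z level=INFO msg="HTTP server serving" addr=:8080
time=2024-08-28T10:04:21.655Z level=INFO msg="New key written" namespace=kube-system name=sealed-secrets-keyjzhnv
"""

if __name__ == "__main__":
    clean = sanitize_backup(SAMPLE_BACKUP)
    names = [i["metadata"]["name"] for i in clean["items"]]
    print("keys to restore:", names)
    report = audit_controller_log(SAMPLE_LOG, names)
    print("audit:", report)
    if report["minted_after_restore"]:
        print("WARNING: controller minted a new key after the restore")
```

Run it against a real dump by replacing `SAMPLE_BACKUP` with the file produced by `kubectl get ... -o json` and `SAMPLE_LOG` with the controller's log; a non-empty `minted_after_restore` reproduces the condition this issue describes, and `missing` tells you whether the restored secret was registered at all.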

@jenneron
Author

jenneron commented Aug 28, 2024

actually, I made a backup to test removing it in the previous message, and after restoring this backup and restarting controller I have 3 secrets :P

$ k get secret -n kube-system | grep sealed
sealed-secrets-keyjzhnv                kubernetes.io/tls    2      3m30s
sealed-secrets-keypnttw                kubernetes.io/tls    2      62s
sealed-secrets-keywhg68                kubernetes.io/tls    2      40d
sh.helm.release.v1.sealed-secrets.v1   helm.sh/release.v1   1      40d

@jenneron jenneron changed the title another secret is getting created after restoring from backup another key secret is getting created after restoring from backup Aug 28, 2024