Replies: 8 comments
-
|
The same also applies to secrets of type tls, they are getting type "Opaque"... |
Beta Was this translation helpful? Give feedback.
-
|
Just noticed this, I've had the same issue with Based on the lack of responses on this and my other issue, I'm starting to fear this project is abandoned. |
Beta Was this translation helpful? Give feedback.
-
|
@Findaa @mateuszdrab can you provide a sample of the source secret? |
Beta Was this translation helpful? Give feedback.
-
I think any secret other than opaque will do. The issue is that you can't create an empty tls secret or an empty dockerjsonconfig secret so if you create an opaque one as a placeholder and add the necessary annotation to make reflector act on it, reflector will copy the data but won't be able to change the type of the secret as that is blocked by the api server. A workaround could be to have reflector recreate the secret instead with the right type. The workaround from my previous comment is not a good one since solutions like flux will constantly reconcile the secret to the initial value removing whatever reflector put in - that is if you apply the secret with the right type and some empty data in the tls/dockerjsonconfig. |
Beta Was this translation helpful? Give feedback.
-
|
This shouldn't be a problem with auto-mirrors (copies created automatically) but it will be a problem with annotated reflections since validation will kick in. |
Beta Was this translation helpful? Give feedback.
-
That is exactly the problem... |
Beta Was this translation helpful? Give feedback.
-
|
I can confirm the auto-mirrors work as expected for the Here is a source secret with a pseudo TLS certificate (content of the keys is not relevant for the issue reproduction): apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: test-tls-secret-source
namespace: kong
annotations:
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "" # all namespaces
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "myapp1"
data:
tls.crt: YWJjY3J0
tls.key: YWJjMTIzHere is corresponding mirror secret: apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: test-tls-secret-mirror
namespace: myapp1
annotations:
reflector.v1.k8s.emberstack.com/reflects: "kong/test-tls-secret-source"
data:The source secret is successfully auto-mirrored into namespace At first I thought I'm supposed to include explicit keys with empty placeholders: but this does not help - secret is created but it is not reflected really, values are empty in created secret resource. AFAIS, this is not considered as a bug - label has been removed - this is not a convenient behaviour, not documented for sure. |
Beta Was this translation helpful? Give feedback.
-
|
Reflector cannot create or operate secrets that fail k8s type validations. The source secret HAS to be valid, otherwise mirrors will fail to be created (since they will not pass validation). Reflector copies the type and data when creating the mirror and submits to the API server, either resulting in a success and the mirror is created or a failure due to validation errors or collisions. These cannot be handled by the reflector logic. |
Beta Was this translation helpful? Give feedback.
-
Hello. When working on reflector secrets I wanted to reflect
type: kubernetes.io/dockerconfigjsontype of key.
The whole key is getting reflected properly, but the type is set to Opaque. I can't find any previous issue about that one. Also deploying an empty key (to be reflected) is impossible without providing a proper data. We either get an error
The Secret "name" is invalid: data[.dockerconfigjson]: Required valueor different parser errors when providing any random strings in dockerconfigjson.
Beta Was this translation helpful? Give feedback.
All reactions