Hi,
As described in #405 (which is somewhat related, but different enough to be its own issue), we've been using this configuration with version 1.23.0 of the operator:
```yaml
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
spec:
  credentials:
    datastoreURI:
      secretName: {{ .Values.secrets.dbCredentialsSecret }}
      key: connection-string
    presharedKey:
      secretName: {{ .Values.secrets.presharedKeySecret }}
      key: preshared-key
```
Both of the secrets are created by other Kubernetes operators. While #405 described conflicts with those other operators, there's an additional problem where having more than one secret causes confusion among the adoption handlers in the spicedb-operator itself. Each adoption handler is responsible for one secret, and considers the other to be extra, which causes the other secret's annotation and label to be removed: https://github.com/authzed/controller-idioms/blob/v0.13.0/adopt/adopt.go#L258-L303.
This causes the adoption handlers to get stuck in a loop of reapplying the label + annotation to their own secret, while removing it from the other's. We see this logging in a loop:

```
I0409 00:29:36.822817 1 event.go:389] "Event occurred" object="$namespace/$secret" fieldPath="" kind="Secret" apiVersion="v1" type="Normal" reason="SecretAdoptedBySpiceDB" message="Secret was referenced as the secret source for SpiceDBCluster $namespace/$secret; it has been labelled to mark it as part of the configuration for that controller."
```
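
The loop described above can be reproduced with a small model, added here as an illustration (it is not code from controller-idioms or the spicedb-operator). It assumes each handler labels the secrets it expects and strips the label from any other labelled secret; the secret names and the `sharedView` variant, where both handlers expect the full set, are hypothetical.

```go
package main

import "fmt"

// handler is the set of secret names one adoption handler expects (simplified model).
type handler map[string]bool

// reconcile labels expected secrets, strips the label from others, returns write count.
func (h handler) reconcile(labelled map[string]bool) (writes int) {
	for s := range h {
		if !labelled[s] {
			labelled[s] = true // adopt: add label + annotation
			writes++
		}
	}
	for s, on := range labelled {
		if on && !h[s] {
			labelled[s] = false // seen as "extra": remove label + annotation
			writes++
		}
	}
	return writes
}

// converges runs the handlers in turn until a round makes no writes, or gives up.
func converges(hs []handler, maxRounds int) (bool, int) {
	labelled, total := map[string]bool{}, 0
	for r := 0; r < maxRounds; r++ {
		round := 0
		for _, h := range hs {
			round += h.reconcile(labelled)
		}
		total += round
		if round == 0 {
			return true, total
		}
	}
	return false, total
}

// Constructed names. perSecret: one secret per handler; sharedView: both expect all.
var perSecret = []handler{{"db-credentials": true}, {"preshared-key": true}}
var all = handler{"db-credentials": true, "preshared-key": true}
var sharedView = []handler{all, all}

func main() {
	fmt.Println(converges(perSecret, 10))  // false 39
	fmt.Println(converges(sharedView, 10)) // true 2
}
```

With one secret per handler every round keeps writing to both secrets, while the shared view settles after the first round.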