Closed
Labels
- area/adoption-annotation: Issues or PRs related to the ACK Adoption by Annotation feature
- service/secretsmanager: Indicates issues or PRs that are related to secretsmanager-controller
Description
Describe the bug
I'm trying to use ACK SecretsManager to adopt an existing secret via annotations and "adopt-or-create", but it doesn't work.
Steps to reproduce
- `aws secretsmanager create-secret --name adopt-test`
- Create this resource
```yaml
apiVersion: secretsmanager.services.k8s.aws/v1alpha1
kind: Secret
metadata:
  name: "adopt-test"
  namespace: "default"
  annotations:
    services.k8s.aws/adoption-policy: adopt-or-create
    services.k8s.aws/adoption-fields: |
      {
        "name": "adopt-test"
      }
spec:
  name: "adopt-test"
```
- Error on the Secret resource when it tried to create it
```yaml
- message: 'ResourceExistsException: The operation failed because the secret adopt-test
    already exists.'
  status: "True"
  type: ACK.Recoverable
- lastTransitionTime: "2025-05-19T06:07:45Z"
```
logs:
```json
{"level":"debug","ts":"2025-05-19T06:08:35.990Z","logger":"ackrt","msg":"patched resource status","kind":"Secret","namespace":"default","name":"adopt-test","account":"123","role":"","region":"eu-central-1","is_adopted":false,"generation":1,"json":"{\"metadata\":{\"resourceVersion\":\"15728\"},\"spec\":{\"tags\":null},\"status\":{\"conditions\":[{\"message\":\"ResourceExistsException: The operation failed because the secret adopt-test already exists.\",\"status\":\"True\",\"type\":\"ACK.Recoverable\"},{\"lastTransitionTime\":\"2025-05-19T06:08:35Z\",\"message\":\"Unable to determine if desired resource state matches latest observed state\",\"reason\":\"operation error Secrets Manager: CreateSecret, https response error StatusCode: 400, RequestID: 59c8a6f1-89ce-4106-baab-63620f277239, ResourceExistsException: The operation failed because the secret adopt-test already exists.\",\"status\":\"Unknown\",\"type\":\"ACK.ResourceSynced\"}]}}"}
{"level":"debug","ts":"2025-05-19T06:08:35.990Z","logger":"ackrt","msg":"<< kc.Patch (status)","kind":"Secret","namespace":"default","name":"adopt-test","account":"123","role":"","region":"eu-central-1","is_adopted":false,"generation":1}
{"level":"debug","ts":"2025-05-19T06:08:35.990Z","logger":"ackrt","msg":"< r.patchResourceStatus","kind":"Secret","namespace":"default","name":"adopt-test","account":"123","role":"","region":"eu-central-1","is_adopted":false,"generation":1}
{"level":"error","ts":"2025-05-19T06:08:35.990Z","msg":"Reconciler error","controller":"secret","controllerGroup":"secretsmanager.services.k8s.aws","controllerKind":"Secret","Secret":{"name":"adopt-test","namespace":"default"},"namespace":"default","name":"adopt-test","reconcileID":"8bf7b0e7-4732-4265-8c1a-d1af28476844","error":"operation error Secrets Manager: CreateSecret, https response error StatusCode: 400, RequestID: 59c8a6f1-89ce-4106-baab-63620f277239, ResourceExistsException: The operation failed because the secret adopt-test already exists.","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255"}
```
Expected outcome
I expected the existing secret to be adopted.
It looks like this may be occurring because, when populating the resource from an annotation, the `status.id` is not set: https://github.com/aws-controllers-k8s/secretsmanager-controller/blob/main/pkg/resource/secret/resource.go#L112-L115 . I've tested by including the "id" in adoption-fields with the ARN, and it works. However, it's not feasible for me to know all the ARNs; ideally the controller would do it for me.
Environment
- kind v1.32.2
- SecretsManager controller version v1.0.7
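The workaround the reporter describes (putting the existing secret's ARN into adoption-fields as "id") can be scripted so that nobody has to know the ARNs by hand. The script below is an added example, not code from the issue or from the secretsmanager-controller project. It assumes that the "id" adoption field and the adopt-or-create policy behave as the report states; the function names, the default namespace, and the sample ARN used for checking are my own. For each secret name it asks Secrets Manager for the ARN, renders the manifest with "id" when the secret exists and without it otherwise (so adopt-or-create falls through to creation), and pipes the result to kubectl.

```shell
#!/bin/sh
# Added example (not from the issue or the controller project): generate ACK
# Secret manifests whose adoption-fields carry the existing secret's ARN as
# "id", the workaround the reporter says works. Assumes the "id" key and the
# adopt-or-create policy behave as described in the issue.
set -eu

# lookup_secret_arn NAME
# Prints the ARN of an existing secret, or nothing if it does not exist.
# Uses the real AWS CLI; only called from apply_adopted_secrets.
lookup_secret_arn() {
  aws secretsmanager describe-secret --secret-id "$1" \
      --query ARN --output text 2>/dev/null || true
}

# render_manifest NAME NAMESPACE [ARN]
# Prints the Secret manifest. With an ARN, adoption-fields gets both "name"
# and "id" so the controller can find the existing secret; without one, only
# "name" is set and adopt-or-create is left to create the secret.
render_manifest() {
  name="$1"
  ns="$2"
  arn="${3:-}"
  if [ -n "$arn" ]; then
    fields=$(printf '{"name": "%s", "id": "%s"}' "$name" "$arn")
  else
    fields=$(printf '{"name": "%s"}' "$name")
  fi
  cat <<EOF
apiVersion: secretsmanager.services.k8s.aws/v1alpha1
kind: Secret
metadata:
  name: "$name"
  namespace: "$ns"
  annotations:
    services.k8s.aws/adoption-policy: adopt-or-create
    services.k8s.aws/adoption-fields: |
      $fields
spec:
  name: "$name"
EOF
}

# apply_adopted_secrets NAMESPACE NAME...
# Looks up each secret's ARN and applies the rendered manifest with kubectl.
# Usage: apply_adopted_secrets default adopt-test other-secret
apply_adopted_secrets() {
  ns="$1"
  shift
  for secret_name in "$@"; do
    secret_arn=$(lookup_secret_arn "$secret_name")
    render_manifest "$secret_name" "$ns" "$secret_arn" | kubectl apply -f -
  done
}
```

The ARN returned by describe-secret includes the random suffix Secrets Manager appends to the secret name, which is exactly the value the reporter had to supply by hand; the rendered adoption-fields JSON sits under a YAML block scalar, so the secret name must not contain a double quote.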