Error updating status of newly created SealedSecrets resources #1354

Closed
tewfik-ghariani opened this issue Oct 27, 2023 · 6 comments · Fixed by #1360 or #1370
Labels
backlog Issues/PRs that will be included in the project roadmap bug

Comments

@tewfik-ghariani
Contributor

tewfik-ghariani commented Oct 27, 2023

Which component:
controller v0.24.2

Describe the bug

Hi, we have recently noticed that the operator complains about updating the status of newly created SealedSecrets resources, even though the unsealing operation is successful:

Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"playground-dev", 
Name:"mock-secret", UID:"d07fdf8e-2ef7-4916-b2e0-0e10a7985a77", 
APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1869049268", FieldPath:""}): 
type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Error updating SealedSecret playground-dev/mock-secret status:
SealedSecret.bitnami.com "mock-secret" is invalid:
status.conditions[0].lastTransitionTime: Invalid value: "null": 
status.conditions[0].lastTransitionTime in body must be of type string: "null"

As a result, the corresponding secret resource is created but the SealedSecret resource doesn't have any status entry and the SYNCED field is not set to true

 $ k get sealedsecrets.bitnami.com mock-secret
NAME          STATUS   SYNCED   AGE
mock-secret                     2m24s
 $ k -o yaml get sealedsecrets.bitnami.com mock-secret | yq 'keys'
- apiVersion
- kind
- metadata
- spec

To Reproduce
Steps to reproduce the behavior:

  1. Generate any random secret
     kubectl create secret generic mock-secret --dry-run=client --from-literal=foo=bar -o yaml > mock.secret.yml
  2. Seal it via kubeseal
     kubeseal --cert https://internal.operator.com/v1/cert.pem --scope strict --format yaml < mock.secret.yml > sealed.mock.secret.yml
  3. Apply it to k8s
     kubectl apply -f sealed.mock.secret.yml
  4. Look for the status field in the SealedSecret resource
     kubectl -o yaml get sealedsecrets.bitnami.com mock-secret | yq 'keys'
  5. See error in the logs of the sealed-secrets operator pod
     kubectl logs sealed-secrets-controller-639n770jd6-s52lm

Expected behavior
It is expected that the status field is shown as in v0.24.0 and no warnings are emitted in the logs

 $ k get sealedsecrets.bitnami.com
NAME             STATUS   SYNCED   AGE
another-secret            True     4s
 $ k -o yaml get sealedsecrets.bitnami.com another-secret | tail -n7
status:
  conditions:
  - lastTransitionTime: "2023-10-27T18:17:32Z"
    lastUpdateTime: "2023-10-27T18:17:32Z"
    status: "True"
    type: Synced
  observedGeneration: 1

Version of Kubernetes:

Client Version: v1.28.3
Server Version: v1.26.9

Additional context
I confirm that this bug did not exist in v0.24.0 after testing it, and I have doubts that it might be due to this change: #1295 that was introduced in v0.24.2 as per the release notes

@tewfik-ghariani tewfik-ghariani added the triage Issues/PRs that need to be reviewed label Oct 27, 2023
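
A check for the symptom reported above, as an added example that is not part of the original issue or the sealed-secrets project: it scans JSON shaped like the output of `kubectl get sealedsecrets.bitnami.com -A -o json` and lists resources whose status is missing or does not report a current Synced=True. The sample input is constructed and the function names are illustrative.

```python
import json
import sys

# Constructed sample shaped like `kubectl get sealedsecrets.bitnami.com -A -o json`:
# mock-secret has no status at all (the symptom above), another-secret is healthy.
SAMPLE = {"items": [
    {"metadata": {"namespace": "playground-dev", "name": "mock-secret",
                  "generation": 1}, "spec": {}},
    {"metadata": {"namespace": "playground-dev", "name": "another-secret",
                  "generation": 1}, "spec": {},
     "status": {"observedGeneration": 1, "conditions": [
         {"type": "Synced", "status": "True",
          "lastTransitionTime": "2023-10-27T18:17:32Z",
          "lastUpdateTime": "2023-10-27T18:17:32Z"}]}},
]}

def classify(item):
    """Return None when the resource reports a current Synced=True, else a reason."""
    status = item.get("status")
    if not status:
        return "no status recorded"
    synced = [c for c in status.get("conditions") or [] if c.get("type") == "Synced"]
    if not synced:
        return "no Synced condition"
    if synced[0].get("status") != "True":
        return "Synced=%s" % synced[0].get("status")
    if not synced[0].get("lastTransitionTime"):
        return "Synced condition has no lastTransitionTime"
    generation = item.get("metadata", {}).get("generation")
    observed = status.get("observedGeneration")
    if generation is not None and observed is not None and observed != generation:
        return "status is stale (observedGeneration %s, generation %s)" % (observed, generation)
    return None

def unsynced(doc):
    """List (namespace/name, reason) for every SealedSecret that fails classify()."""
    found = []
    for item in doc.get("items", []):
        reason = classify(item)
        if reason:
            meta = item.get("metadata", {})
            found.append(("%s/%s" % (meta.get("namespace"), meta.get("name")), reason))
    return found

if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin, or run from a terminal to use the sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, reason in unsynced(doc):
        print("%s: %s" % (name, reason))
```

Because the Secret is still created when the status update fails, checking the Secret alone misses this condition; the SealedSecret status is what GitOps health checks read.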
@fculpo

fculpo commented Oct 30, 2023

Hi,

Same here, recent sealedsecrets get stuck in fluxcd reconciliation InProgress in 0.24.2
0.24.0 unlocks reconciliation immediately

@alvneiayu
Collaborator

hi everyone, we are investigating this bug. We will come back as soon as possible with fix/information about it.

Sorry for the inconveniences

Álvaro

@agarcia-oss agarcia-oss added bug backlog Issues/PRs that will be included in the project roadmap and removed triage Issues/PRs that need to be reviewed labels Oct 31, 2023
@seb-metacommerce

> hi everyone, we are investigating this bug. We will come back as soon as possible with fix/information about it.
>
> Sorry for the inconveniences
>
> Álvaro

Hi Alvaro,

Check out #1355, I explained what is happening and what I think is missing for everything to work :)

Regards,

Sebastien

@tewfik-ghariani
Contributor Author

Unfortunately, I am still observing the same behavior :(

controller version: 0.24.3
2023/11/08 08:54:33 Starting sealed-secrets controller version: 0.24.3
Error updating SealedSecret namespace/mock-secret status: 
SealedSecret.bitnami.com "rnamespace/mock-secret" is invalid: 
status.conditions[0].lastTransitionTime: Invalid value: "null": 
status.conditions[0].lastTransitionTime in body must be of type string: "null"
NAME                                    STATUS   SYNCED   AGE
mock-secret                                              4h14m

@alvneiayu
Collaborator

hi @tewfik-ghariani, let me check it. Thanks for notifying it

@tewfik-ghariani
Contributor Author

It is fixed with v0.24.4 release, thanks a lot!
