Support docker-registry secret type #86
Comments
|
@brantb You are able to seal docker-registry type secrets with v0.5.1. Haven't checked v0.6.0. |
|
Oh! I bet this is a bug in the new 0.6.0 per-key encryption code, since now we look deeper inside the Secret object. I suggest using Hrm. Clearly, the integration test also needs to include a wider variety of Secrets now too... |
|
Any chance we can get a release cut with the fix for this one? We are running off |
This is stuck behind #92 - since the fix for that involves evolving the API type again from what was used to fix this issue (#88). I want to avoid releasing a version with just #88 since that will mean 2 transitions for affected users :/ I agree it's been a long time without a release that fixes this issue however :( |
|
This bug still affects version 0.7.0 so I would suggest to re-open this issue. Status closed, a merged PR and the fact that this is many months old is just wasting everyone's time. Make it clear that this is broken. A workaround is to seal a |
|
@pst is perfectly correct. Reopening until a new release is made. (If only github supported some sort of "Fixes" feature across more of the release cycle workflow...) |
|
Confirmed the solution of reverting kubeseal to 0.5.1 to seal a docker secret works. We also ran into this issue. Would be great if it could be addressed in the next release :) |
|
Yes i am using the latest controller and the kubeseal only works with v0.5.1 for docker registry config |
135: Add a note about the secret type bug r=anguslees a=johnraz I just got bitten by the bug in #86 and #92 and lost quite a bit of time finding out what was happening. This will hopefully help other people figure it out faster until the proper fix is released. Co-authored-by: Jonathan Liuti <liuti.john@gmail.com>
|
Hmmmm, is there any way to find out which version of |
|
@spommerening - current master has |
|
are you guys planning to resolve this soon in a future release? |
|
The suggested workaround does not work for me, with a 0.7.0 controller . I get this error in the logs: Secret "artifactory-docker-secret" is invalid: type: Invalid value: "kubernetes.io/dockerconfigjson": field is immutable |
|
Never mind, deleting the sealedsecret and recreating it resolved the issue. (As compared to updating it.) |
|
@kraney is it changing the type to Opaque or keeping the type to kubernetes.io/dockerconfigjson |
|
So with 0.7.0 secrets were transmuted from docker to Opaque. After reading the workaround above I recreated the sealedsecret using 0.5.1. I’m using flux so I checked this in. Flux then applied the change as an update. This resulted in the error you see above. Seemingly, sealedsecrets attempted to make the change as an update but since the ‘type’ field is immutable, this failed. I then manually deleted the sealedsecret. A few minutes later flux put it back, this time as a create. Sealedsecrets did a corresponding create and everything started working. It’s conceivably a separate bug that sealedsecrets attempts to apply a type change as an update. I don’t know if that’s something you’d hit, though, in absence of this bug. I supposed you might if a user made a mistake and then tried to correct it. |
|
One other thing I’d like to add is that IMO this bug should be considered higher priority than it seems to be getting. Even though there’s a workaround, it causes some pretty obtuse failures that can be quite hard to debug. In my case, diagnosis was from an error message that a particular docker image wasn’t found. Not that there was a login failure with the registry, certainly not that the imagePullSecret was invalid. So this launched a long diagnosis. It took a long time to notice that the secret that was correctly there and had the right data had the wrong type. The user experience of it is pretty bad. |
|
Same thing, I reseal the secret with 0.5.1 and it works again, but the structure is really different. |
|
+1 for higher priority for this bug. I keep hitting it for almost every use of sealed secrets |
|
Yep it's been over a year :( |
|
Ugh, also just ran into this but I see it's been a long time. Is this project still active? |
|
Just found the discussion in #165 that may be of interest to everyone on this issue. |
|
According to #170 (comment) this is now solved by #180 |
|
It is indeed fixed on latest image: sealed-secrets-controller:latestto image: quay.io/bitnami/sealed-secrets-controller:latestso it doesn't try to pull the image from the Docker Hub. Is there a way to do generate |
|
The CI run (see |
|
Closing as the issue is now fixed; will make a new release soon |
Our CI system pushes the latest build to the `:latest` tag on quay. It seems natural for users to desire that the controller.yaml file that gets built in master points to such a build (see #86 (comment))
186: Use official docker image in main Makefile r=mkmik a=mkmik Our CI system pushes the latest build to the `:latest` tag on quay. It seems natural for users to desire that the controller.yaml file that gets built in master points to such a build (see #86 (comment)) Co-authored-by: Marko Mikulicic <mkm@bitnami.com>
|
@mkmik Is there any way to install the latest master with the Helm chart? I'd like to deploy the fix to our cluster before the new release is published. Thank you very much. |
|
The helm chart is community supported.
Sealed-secrets can be deployed with a simple yaml or with kubecfg. Do you have any specific features from the helm chart that you depend on?
On Thu, Jul 18, 2019, 18:00 Dmitri Moore <notifications@github.com<mailto:notifications@github.com>> wrote:
@mkmik<https://github.com/mkmik> Is there any way to install the latest master with the Helm chart? I'd like to deploy the fix to our cluster before the new release is published. Thank you very much.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#86?email_source=notifications&email_token=AAAM3QNETRHBZG3C6IAZ6CDQACHTTA5CNFSM4EZU3PT2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD2I6VYA#issuecomment-512879328>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AAAM3QLBREJGJPSYDN552ILQACHTTANCNFSM4EZU3PTQ>.
|
|
I'd just like to be able to bootstrap the cluster consistently using helm charts. I see there is one here for sealed secrets, but it currently points to v0.7 by default. I need to install what's the latest on master, because it fixes this bug. Is it just a matter of setting the image tag to helm install \
--namespace kube-system \
--name sealedsecrets \
--set image.tag=latest \
stable/sealed-secrets Sorry, if this is a dumb question - I am just starting to learn helm: |
|
FYI, when I tried it with Is setting the |
|
The new controller.yaml file has changed quite a bit. I assume the helm chart maintainer cannot update the chart until we cut a new release. |
|
@mkmik Thank you. That would be awesome! Many are so desperately waiting for |
|
@demisx FWIW the helm chart for v0.8.0 has been released (helm/charts#15800) |
|
I have tried using the chart including RBAC and received a startup error that the serviceaccount is not allowed to list secrets in the namespace the controller is deployed. Is this an error in the helm chart RBAC with missing list permissions or an issue with the controller? |
|
@muhlba91 The helm chart hasn't been updated with the new yaml |
I'm trying to seal a docker registry secret, but when the controller unseals the secret it is always of
type: Opaque.Sample:
Expected result: The secret's
typeiskubernetes.io/dockerconfigjson.Actual result: The secret type is
Opaque.The text was updated successfully, but these errors were encountered: