-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Resource claim reconciler only propagates connection secrets at binding time #35
Comments
One thing to note here is that we currently only invoke the resource claim reconcile loop when the managed resource or its resource claim changes. We might need to either:
|
I like that idea. We can filter the secrets by label like BTW, there is a nice function for that which we can use in claim controller setup for managed resource watch call as well https://github.com/kubernetes-sigs/controller-runtime/blob/master/pkg/builder/controller.go#L78 |
I'm a little hesitant about the additional complexity of having resource claim controllers (which already watch resource claims and managed resources) also watch and propagate secrets. The micro-design I have in mind goes something like:
One concern with this design is that it would mean the Crossplane binary would need to be running in order for secrets to stay in sync. Currently from an infrastructure stack perspective the only functionality we lose the Crossplane pods are offline is non-portable resource class defaulting, which is a lot less mission critical than being able to authenticate to your infrastructure. |
This could be alleviated by instantiating a "secret propagation controller" per managed resource kind, which would use a predicate to filter out any secret whose controller reference wasn't the |
Actually the diff to the current logic wouldn't be so bad. It would pretty much only involve moving the |
Reopening to track documenting this. |
What happened?
https://github.com/crossplaneio/crossplane-runtime/blob/d805043/pkg/resource/claim_reconciler.go#L401
The resource claim reconciler currently propagates connection secrets from a managed resource to the resource claim it is bound once, at binding time. This is insufficient for some managed resource kinds, including at least EKS clusters, that constantly refresh and update their connection secrets. Crossplane must notice changes to the managed resource's connection secret (even if the managed resource itself does not change), and propagate those changes to the resource claim.
This is a must-fix bug for the next stack-aws release. Currently we expect we are not able to deploy workloads to EKS clusters more than 60 minutes after their creation time.
How can we reproduce it?
You should find that the Kubernetes bearer token stored in the EKS cluster connection secret has been refreshed, but the KubernetesCluster claim's connection secret's bearer token has not.
What environment did it happen in?
Crossplane version:
The text was updated successfully, but these errors were encountered: