
Azure KeyVault PushSecret not working if SoftDelete enabled and secret in deleted state ("ObjectIsDeletedButRecoverable") #3519

Open
patst opened this issue May 23, 2024 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@patst

patst commented May 23, 2024

Describe the bug

Using a PushSecret together with Azure KeyVault does not work if a secret with the same name already exists and is in the deleted state.
(Soft Delete is enabled for the KeyVault.)

To Reproduce
Steps to reproduce the behavior:

  1. Create an Azure KeyVault with Soft Delete
  2. Create a Secret named example-secret in KeyVault
  3. Delete the secret (now it is in deleted state)
  4. Create a PushSecret which wants to create a secret named example-secret in KeyVault

Environment: Kubernetes 1.29, ESO v0.9.18

PushSecret definition

# the service account needs to be pushed to key vault in order to be usable by the cluster
# which should be linked to this one
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: example-secret
spec:
  updatePolicy: Replace
  deletionPolicy: Delete
  refreshInterval: 10m
  secretStoreRefs: # A list of secret stores to push secrets to
    - name: secret-store
      kind: SecretStore
  selector:
    secret:
      name: example-secret
  data:
    - match:
        secretKey: val # Source Kubernetes secret key containing the secret
        remoteRef:
          remoteKey: example-secret

Error message:

set secret failed: could not write remote ref kubeconfig to target secretstore secret-store: could not set secret example-secret: keyvault.BaseClient#SetSecret: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="Conflict" Message="Secret example-secret is currently in a deleted but recoverable state, and its name cannot be reused; in this state, the secret can only be recovered or purged." InnerError={"code":"ObjectIsDeletedButRecoverable"}

Expected behavior
Secret is created in Azure KeyVault.

Additional context
If a secret with that name exists in the deleted state, it must first be recovered before it can be set.

The ServicePrincipal for the SecretStore has the "recover" permission.
Purge Protection is enabled for the KeyVault.

@patst patst added the kind/bug Categorizes issue or PR as related to a bug. label May 23, 2024
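Added example (not code from the issue or from the external-secrets project): a Go sketch of the recover-then-set flow the report describes, so a practitioner can see how a provider would detect the 409 `ObjectIsDeletedButRecoverable` conflict, recover the soft-deleted secret, and retry the set. It runs offline against a constructed in-memory vault; `responseError`, `keyVaultInnerCode`, `pushSecret`, the `secretClient` interface and `fakeVault` are all assumptions of this example, and the error bodies the fake returns are constructed, modelled on the 409 message quoted above. The real Azure clients (the legacy `keyvault.BaseClient` named in the error and the newer `azsecrets` client) expose a `RecoverDeletedSecret` call next to `SetSecret`, taking a context and extra parameters that the minimal interface below omits.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// responseError stands in for the HTTP error a Key Vault client surfaces:
// the status code plus the raw JSON error body (assumption of this example).
type responseError struct {
	StatusCode int
	Body       []byte
}

func (e *responseError) Error() string {
	return fmt.Sprintf("StatusCode=%d Body=%s", e.StatusCode, e.Body)
}

// keyVaultInnerCode returns error.innererror.code from a Key Vault error body
// ("ObjectIsDeletedButRecoverable" in the issue), or "" when err is not a
// responseError or the body carries no inner code. The outer code is only
// "Conflict", so the inner code is what distinguishes the soft-delete case.
func keyVaultInnerCode(err error) string {
	var re *responseError
	if !errors.As(err, &re) {
		return ""
	}
	var parsed struct {
		Error struct {
			Code       string `json:"code"`
			InnerError struct {
				Code string `json:"code"`
			} `json:"innererror"`
		} `json:"error"`
	}
	if json.Unmarshal(re.Body, &parsed) != nil {
		return ""
	}
	return parsed.Error.InnerError.Code
}

// secretClient is the minimal surface pushSecret needs (hypothetical interface).
type secretClient interface {
	SetSecret(name, value string) error
	RecoverDeletedSecret(name string) error
}

// pushSecret sets name=value, recovering a soft-deleted secret first when Key
// Vault answers with ObjectIsDeletedButRecoverable. Recovery is asynchronous on
// the real service, so the set is retried up to maxAttempts times with a growing
// pause; pass wait=0 for in-memory fakes. Any other error is returned untouched.
func pushSecret(c secretClient, name, value string, maxAttempts int, wait time.Duration) error {
	var err error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if err = c.SetSecret(name, value); err == nil {
			return nil
		}
		if keyVaultInnerCode(err) != "ObjectIsDeletedButRecoverable" {
			return err // not a soft-delete conflict; recovery would not help
		}
		if rerr := c.RecoverDeletedSecret(name); rerr != nil {
			return fmt.Errorf("recover %q before set: %w", name, rerr)
		}
		time.Sleep(wait * time.Duration(attempt))
	}
	return fmt.Errorf("set %q after %d attempts: %w", name, maxAttempts, err)
}

// fakeVault is a constructed in-memory vault with soft delete on: a deleted
// name stays reserved until recovered. Purge is not modelled because purge
// protection is enabled in the issue, leaving recover as the only way out.
type fakeVault struct {
	live, deleted map[string]string
	denyRecover   bool // simulate a principal lacking the "recover" permission
	recoverCalls  int
}

func newFakeVault() *fakeVault {
	return &fakeVault{live: map[string]string{}, deleted: map[string]string{}}
}

func (v *fakeVault) SetSecret(name, value string) error {
	if _, ok := v.deleted[name]; ok {
		body := fmt.Sprintf(`{"error":{"code":"Conflict","message":"Secret %s is currently in a deleted but recoverable state, and its name cannot be reused; in this state, the secret can only be recovered or purged.","innererror":{"code":"ObjectIsDeletedButRecoverable"}}}`, name)
		return &responseError{StatusCode: 409, Body: []byte(body)}
	}
	v.live[name] = value
	return nil
}

func (v *fakeVault) DeleteSecret(name string) {
	if val, ok := v.live[name]; ok {
		delete(v.live, name)
		v.deleted[name] = val
	}
}

func (v *fakeVault) RecoverDeletedSecret(name string) error {
	if v.denyRecover {
		return &responseError{StatusCode: 403, Body: []byte(`{"error":{"code":"Forbidden","message":"constructed: no secrets recover permission"}}`)}
	}
	val, ok := v.deleted[name]
	if !ok {
		return &responseError{StatusCode: 404, Body: []byte(`{"error":{"code":"SecretNotFound","message":"constructed: no deleted secret"}}`)}
	}
	v.recoverCalls++
	delete(v.deleted, name)
	v.live[name] = val
	return nil
}

func main() {
	v := newFakeVault()
	_ = v.SetSecret("example-secret", "v1")
	v.DeleteSecret("example-secret")
	fmt.Println("plain set:", v.SetSecret("example-secret", "v2"))
	fmt.Println("recover-then-set:", pushSecret(v, "example-secret", "v2", 3, 0), "value:", v.live["example-secret"])
}
```

Two caveats for anyone wiring this into a real provider: the recover call needs the "recover" secret permission on the vault (the reporter confirms their service principal has it), and recovering restores the secret's old versions before the retried set adds a new one, so a caller that relies on `updatePolicy: Replace` should expect the previous value to be visible as an older version afterwards.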