Using a PushSecret together with Azure KeyVault does not work if a Secret with the name exists and is in Deleted State.
(Soft Delete is enabled for the KeyVault)
To Reproduce
Steps to reproduce the behavior:
Create an Azure KeyVault with Soft Delete
Create a Secret named example-secret in KeyVault
Delete the secret (now it is in deleted state)
Create a PushSecret which wants to create a secret named example-secret in KeyVault
Kubernetes 1.29, ESO v0.9.18
PushSecret definition
```yaml
# the service account needs to be pushed to key vault in order to be usable by cluster
# which should be linked to this one
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: example-secret
spec:
  updatePolicy: Replace
  deletionPolicy: Delete
  refreshInterval: 10m
  secretStoreRefs: # A list of secret stores to push secrets to
    - name: secret-store
      kind: SecretStore
  selector:
    secret:
      name: example-secret
  data:
    - match:
        secretKey: val # Source Kubernetes secret key containing the secret
        remoteRef:
          remoteKey: example-secret
```
Error message:
set secret failed: could not write remote ref kubeconfig to target secretstore secret-store: could not set secret example-secret: keyvault.BaseClient#SetSecret: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="Conflict" Message="Secret example-secret is currently in a deleted but recoverable state, and its name cannot be reused; in this state, the secret can only be recovered or purged." InnerError={"code":"ObjectIsDeletedButRecoverable"}
Expected behavior
Secret is created in Azure KeyVault.
Additional context
If a secret with the name exists in deleted state it must first be recovered and then can be set.
The ServicePrincipal for the Secret store has the "recover" permission.
Purge Protection is enabled for the KeyVault
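The recover-then-set behaviour this issue asks for, as an added sketch that is not part of the original report and not ESO's provider code. `Vault`, `fakeVault`, `PushWithRecover` and `ErrDeletedButRecoverable` are hypothetical names, and the in-memory fake stands in for a soft-delete-enabled Key Vault so the logic runs offline.

```go
package main

import ("errors"; "fmt")

// ErrDeletedButRecoverable stands in for the 409 ObjectIsDeletedButRecoverable response.
var ErrDeletedButRecoverable = errors.New("ObjectIsDeletedButRecoverable")

// Vault is a hypothetical minimal interface, not the Azure SDK or ESO provider API.
type Vault interface {
	SetSecret(name, value string) error
	RecoverDeletedSecret(name string) error
}

// fakeVault models soft delete in memory: a deleted name blocks SetSecret until recovered.
type fakeVault struct {
	active, deleted map[string]string
	canRecover      bool // whether the identity holds the "recover" permission
}
func (v *fakeVault) SetSecret(name, value string) error {
	if _, gone := v.deleted[name]; gone {
		return ErrDeletedButRecoverable
	}
	v.active[name] = value
	return nil
}
func (v *fakeVault) RecoverDeletedSecret(name string) error {
	if !v.canRecover {
		return errors.New("forbidden: identity lacks recover permission")
	}
	v.active[name] = v.deleted[name] // recovery restores the old value first
	delete(v.deleted, name)
	return nil
}

// PushWithRecover sets a secret; on the soft-delete conflict it recovers the name once, then retries.
func PushWithRecover(v Vault, name, value string) (recovered bool, err error) {
	if err = v.SetSecret(name, value); !errors.Is(err, ErrDeletedButRecoverable) {
		return false, err // success, or an unrelated error that must not trigger recovery
	}
	if err = v.RecoverDeletedSecret(name); err != nil {
		return false, fmt.Errorf("recover %q: %w", name, err)
	}
	return true, v.SetSecret(name, value)
}

func main() { // constructed sample state: example-secret is soft-deleted
	v := &fakeVault{active: map[string]string{}, deleted: map[string]string{"example-secret": "old"}, canRecover: true}
	fmt.Println(PushWithRecover(v, "example-secret", "new"))
}
```

The fake recovers synchronously, which is an assumption of this sketch; a real client should confirm the recovered secret is readable before retrying the set.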