Unseal updated secret: Precondition failed #898

Open
simonszu opened this issue Aug 1, 2022 · 2 comments

simonszu commented Aug 1, 2022

Which component:
Controller

Describe the bug
I have a sealed secret successfully injected into the cluster, which was encrypted. I wanted to add another key to it, so I edited the cleartext YAML, generated another sealed secret from it, and injected it into the cluster. The controller was unable to decrypt it:

2022/08/01 11:27:52 Error updating SealedSecret dls-backend-test/arangodb status: Operation cannot be fulfilled on sealedsecrets.bitnami.com "arangodb": StorageError: invalid object, Code: 4, Key: /registry/bitnami.com/sealedsecrets/dls-backend-test/arangodb, ResourceVersion: 0, AdditionalErrorMsg: Precondition failed: UID in precondition: 5ae127fc-d895-4c93-82c6-979aae7d00a8, UID in object meta:

To Reproduce
Steps to reproduce the behavior:

  1. Create a sealed secret
  2. Inject it to the cluster, verify that it gets decrypted correctly
  3. Edit the underlying cleartext yaml, add another key
  4. Create a sealed secret from the modified YAML - same name, same namespace
  5. Inject the new sealed secret to the cluster, effectively overwriting the old manifest

Expected behavior
The newly injected sealed secret gets decrypted

Version of Kubernetes:

  • Output of kubectl version:
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:22:29Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.10-r0-CCE21.11.1.B005-21.11.1.B005", GitCommit:"aa6aaf3c00ad28e5fe57be8e1b553a7f9ccb439d", GitTreeState:"clean", BuildDate:"2021-11-19T07:05:59Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}

I know that the Kubernetes is a bit outdated. It is a managed k8s by an in-house OpenStack provider, and they do not offer a newer version yet.

@github-actions github-actions bot added the triage Issues/PRs that need to be reviewed label Aug 1, 2022
@alemorcuq alemorcuq added backlog Issues/PRs that will be included in the project roadmap and removed triage Issues/PRs that need to be reviewed labels Aug 25, 2022
@josvazg josvazg self-assigned this Aug 25, 2022

DanielCastronovo commented Dec 6, 2022

Same here :)

It seems to be related to the replace object:
https://forum.linuxfoundation.org/discussion/856389/lab-3-4-15-kubectl-replace-error

@DanielCastronovo

Any news? Because the SealedSecretsUnsealErrorHigh alert (mixin) generates a lot of false positives.
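
A triage sketch for the log line in the report, added here as an example and not part of the thread or the sealed-secrets project: it extracts the two UIDs from the controller's status-update error and separates the case where the API server had no stored object under the key (empty `UID in object meta`, as in the report) from the case where a different object held the name. The regular expression is derived only from the line quoted above; `classify`, `summarize` and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Status-update error format, derived from the controller log line in this issue.
STATUS_ERR = re.compile(
    r"Error updating SealedSecret (?P<ns>[^/\s]+)/(?P<name>\S+) status: .*?"
    r"ResourceVersion: (?P<rv>\d+), .*?"
    r"Precondition failed: UID in precondition: (?P<held>[0-9a-f-]+), "
    r"UID in object meta: ?(?P<stored>[0-9a-f-]*)"
)

def classify(line):
    """Return details of a UID-precondition failure, or None for other lines."""
    m = STATUS_ERR.search(line)
    if m is None:
        return None
    # Empty stored UID: nothing was stored under the key when the update ran.
    # Non-empty but different UID: another object with the same name exists.
    kind = "object-absent" if m["stored"] == "" else "object-replaced"
    return {"resource": f'{m["ns"]}/{m["name"]}', "held_uid": m["held"],
            "stored_uid": m["stored"], "kind": kind}

def summarize(lines):
    """Count stale-UID status failures per (resource, kind)."""
    hits = (classify(line) for line in lines)
    return Counter((h["resource"], h["kind"]) for h in hits if h)

_PREFIX = ('2022/08/01 11:27:52 Error updating SealedSecret '
           'dls-backend-test/arangodb status: Operation cannot be fulfilled on '
           'sealedsecrets.bitnami.com "arangodb": StorageError: invalid object, '
           'Code: 4, Key: /registry/bitnami.com/sealedsecrets/dls-backend-test/'
           'arangodb, ')
SAMPLE_LOG = [
    # Line from the issue report (line break repaired).
    _PREFIX + 'ResourceVersion: 0, AdditionalErrorMsg: Precondition failed: '
    'UID in precondition: 5ae127fc-d895-4c93-82c6-979aae7d00a8, '
    'UID in object meta: ',
    # Constructed: same format, but a different object now holds the name.
    _PREFIX + 'ResourceVersion: 42, AdditionalErrorMsg: Precondition failed: '
    'UID in precondition: 5ae127fc-d895-4c93-82c6-979aae7d00a8, '
    'UID in object meta: 11111111-2222-3333-4444-555555555555',
    # Constructed: unrelated line that must not match.
    '2022/08/01 11:27:50 constructed unrelated log line',
]

if __name__ == "__main__":
    for (resource, kind), count in summarize(SAMPLE_LOG).items():
        print(f"{resource}: {kind} x{count}")
```

Both kinds mean the controller tried to write status to an object identity that no longer matches what is stored, which is the pattern to check for when reviewing the unseal-error alerts mentioned in this thread.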
