Comments (3)
Hi @michalgoldys, have you set the vault.reconciliationTime value in the Helm chart?
from vault-secrets-operator.
Yes, we've set:
reconciliationTime: 30
from vault-secrets-operator.
Hi @michalgoldys, I think the problem might be the https://github.com/kubernetes/client-go/blob/2a5f18df73b70cb85c26a3785b06162f3d513cf5/util/workqueue/default_rate_limiters.go#L39 which has an exponential retry mechanism for failed reconciliations.
So if I create a secret with an invalid key and fix it within some seconds the secret will also be applied in the cluster very fast. If I detect the mistake after some minutes, it will also take longer after the secret is fixed in the cluster. The following times should show this:
test False CreateFailed Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+') 0s 0s
test False CreateFailed Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+') 0s 1s
test False CreateFailed Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+') 0s 2s
test False CreateFailed Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+') 0s 3s
test False CreateFailed Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+') 0s 6s
test False CreateFailed Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+') 0s 11s
test False CreateFailed Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+') 0s 22s
test False CreateFailed Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+') 0s 42s
test False CreateFailed Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+') 0s 84s
test False CreateFailed Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+') 0s 2m46s
test False CreateFailed Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+') 0s 5m30s
test False CreateFailed Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+') 1s 10m
Could this be the problem in your case?
I think the best way to fix it is to always retry failed reconciliations after 1 minute or so.
from vault-secrets-operator.
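An added sketch (not from the thread, and not client-go's or the operator's own code) of the per-item exponential backoff discussed above, assuming the parameters of client-go's default controller rate limiter (5 ms base delay, 1000 s cap). The names `backoff` and `waitAfterFix` are hypothetical, and the model counts only the scheduled retries, ignoring the time each reconcile takes.

```go
package main

import (
	"fmt"
	"time"
)

// Assumed parameters: the values client-go's DefaultControllerRateLimiter
// passes to its per-item exponential failure limiter.
const (
	baseDelay = 5 * time.Millisecond
	maxDelay  = 1000 * time.Second
)

// backoff models the requeue delay for an item that has already failed
// `failures` times: baseDelay * 2^failures, capped at maxDelay.
func backoff(failures int) time.Duration {
	d := baseDelay
	for i := 0; i < failures; i++ {
		d *= 2
		if d >= maxDelay {
			return maxDelay // return early so the doubling cannot overflow
		}
	}
	return d
}

// waitAfterFix returns how long a resource that is corrected `elapsed`
// after its first failed reconcile still waits for the retry that was
// already scheduled before the fix.
func waitAfterFix(elapsed time.Duration) time.Duration {
	var next time.Duration // instant of the next scheduled retry
	for n := 0; next <= elapsed; n++ {
		next += backoff(n)
	}
	return next - elapsed
}

func main() {
	// Constructed sample inputs: fixes made at different points in time.
	for _, e := range []time.Duration{5 * time.Second, 3 * time.Minute, 10 * time.Minute} {
		fmt.Printf("fixed after %v: next retry in %v\n", e, waitAfterFix(e).Round(time.Second))
	}
}
```

The retry instants this model produces (about 5s, 10s, 20s, 41s, 82s, 2m44s, 5m28s) line up with the ages in the output above.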