Vault-Secerts-Operator helm chart version: 1.19.1

Hi <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="

Yes, we've set: reconciliationTime: 30</co

Hi <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="

Recovering from an invalid key in Vault by vault-secrets-operator in VaultSecret object about vault-secrets-operator HOT 3 OPEN

michalgoldys commented on July 23, 2024

Recovering from an invalid key in Vault by vault-secrets-operator in VaultSecret object

from vault-secrets-operator.

Comments (3)

ricoberger commented on July 23, 2024

Hi @michalgoldys, do you have set the vault.reconciliationTime value in the Helm chart?

from vault-secrets-operator.

michalgoldys commented on July 23, 2024

Yes, we've set:

reconciliationTime: 30

from vault-secrets-operator.

ricoberger commented on July 23, 2024

Hi @michalgoldys, I think the problem might be the https://github.com/kubernetes/client-go/blob/2a5f18df73b70cb85c26a3785b06162f3d513cf5/util/workqueue/default_rate_limiters.go#L39 which has a exponential retry mechanism for failed reconciliations.

So if I create a secret with an invalid key and fix it within some seconds the secret will also be applied in the cluster very fast. If I detect the mistake after some minutes, it will also take longer after the secret is fixed in the cluster. The following times should show this:

test                                  False       CreateFailed   Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')   0s                0s
test                                  False       CreateFailed   Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')   0s                1s
test                                  False       CreateFailed   Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')   0s                2s
test                                  False       CreateFailed   Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')   0s                3s
test                                  False       CreateFailed   Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')   0s                6s
test                                  False       CreateFailed   Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')   0s                11s
test                                  False       CreateFailed   Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')   0s                22s
test                                  False       CreateFailed   Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')   0s                42s
test                                  False       CreateFailed   Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')   0s                84s
test                                  False       CreateFailed   Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')   0s                2m46s
test                                  False       CreateFailed   Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')   0s                5m30s
test                                  False       CreateFailed   Secret "test" is invalid: data[TEST_OBJECT ]: Invalid value: "TEST_OBJECT ": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')   1s                10m

Could this be the problem in your case?

I think the best way to fix it, is to always retry failed reconciliations after 1 minute or so.

from vault-secrets-operator.

Recovering from an invalid key in Vault by vault-secrets-operator in VaultSecret object about vault-secrets-operator HOT 3 OPEN

Comments (3)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent