ExternalSecret without target field creates a Secret and deletes it

[cod-r]

Hi,

Creating a new ExternalSecret without the target field creates the Kubernetes secret and deletes it immediately and no errors are shown.

This is my yaml:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: test-postgres
  namespace: test
spec:
  secretStoreRef:
    name: vault-test-backend
    kind: ClusterSecretStore
  refreshInterval: "1h"
  dataFrom:
    - extract:
        key: kv/test/test-secret

Using --watch I can see the k8s Secret being created and deleted immediately.

The workaround is to add an empty target: {} object like:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: test-postgres
  namespace: test
spec:
  secretStoreRef:
    name: vault-test-backend
    kind: ClusterSecretStore
  refreshInterval: "1h"
  target: {}
  dataFrom:
    - extract:
        key: kv/test/test-secret

Tested with version 0.5.3 and 0.5.6

[moolen]

hey @cod-r, i can not reproduce this issue. The secret is created and doesn't get deleted. I noticed one small thing tho: when target is not defined it will not set the ownerReference and the secret will not be garbage collected when the ExternalSecret gets deleted.

Do you have any other controllers running that watch/change secrets?

[bcha]

I can confirm that I'm seeing the exact same behavior as @cod-r , secrets are created & then deleted a couple second later. I can also confirm that the target: {} workaround works for me too.

I was testing this with 3x replicas & redeployed the whole namespace with my app + the externalsecrets a couple of times. Sometimes all pods managed to get the secrets, sometimes some of them get CreateContainerConfigError, sometimes all of them.

➜ kgp
NAME                                        READY   STATUS                       RESTARTS   AGE
authentication-deployment-cb87f4877-c99cr   1/1     Running                      0          84s
authentication-deployment-cb87f4877-hpsqx   0/1     CreateContainerConfigError   0          84s
authentication-deployment-cb87f4877-qv6lt   1/1     Running                      0          84s

➜ kdp authentication-deployment-cb87f4877-hpsqx
Name:         authentication-deployment-cb87f4877-hpsqx
blablabla...
Events:
  Type     Reason     Age                   From               Message
  ----     ------     ----                  ----               -------
blablabla...
  Warning  Failed     5m40s (x8 over 7m3s)  kubelet            Error: secret "my-secret" not found

My configuration:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  labels:
    blablabla
  name: my-secret
spec:
  dataFrom:
  - extract:
      key: <param-store-key>
  secretStoreRef:
    kind: ClusterSecretStore
    name: cluster-param-store

eso deployed with helm, v0.5.6.

[dacamposol]

I don't see the aforementioned behaviour with v0.5.8, I'm using as well a ClusterSecretStore connected to a Vault provider, and it works as expected:

My ClusterSecretStore:

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  creationTimestamp: "2022-07-22T14:36:47Z"
  generation: 2
  name: common-store
  resourceVersion: "70741970"
  uid: e46afa24-0dbc-4b73-a33a-70dcd1f047c4
spec:
  provider:
    vault:
      auth:
        kubernetes:
          mountPath: kv
          role: sa-role
          serviceAccountRef:
            name: vault-secrets
      namespace: dev/clusters
      path: common
      server: https://vault.dacamposol.dev
      version: v2
status:
  conditions:
  - lastTransitionTime: "2022-07-25T07:32:24Z"
    message: store validated
    reason: Valid
    status: "True"
    type: Ready

My ExternalSecret:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  creationTimestamp: "2022-07-29T13:00:02Z"
  generation: 1
  name: dacamposol-demo-2
  namespace: secrets-system
  resourceVersion: "75421808"
  uid: 0520b391-e057-464e-9609-aabc7cc247dc
spec:
  data:
  - remoteRef:
      conversionStrategy: Default
      decodingStrategy: None
      key: artifactory
    secretKey: registry
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: common-store
status:
  conditions:
  - lastTransitionTime: "2022-07-29T13:00:02Z"
    message: Secret was synced
    reason: SecretSynced
    status: "True"
    type: Ready
  refreshTime: "2022-07-29T13:00:02Z"
  syncedResourceVersion: 1-e14a463096c0abc993f1d6fae0a1876c

The created secret is present and available for already 10 minutes without being deleted.

Environment

external-secrets v0.5.8 deployed through Helm

[steckhelena]

Following the workaround on this thread we solved the same problem on our clusters.

In our case by looking at audit logs we saw that argocd was deleting the secrets, probably because it detected they were orphaned.

This behavior seems like a bug as the docs state that the default value for the secret creation is creating it with the Owner policy(thus setting the ownerReferences metadata).

[cep21]

We can verify this issue, but for flux.

When we do not specify a target field, the secret created does not have the field metadata.ownerReferences, but if we specify a target, then the secret created DOES have the field metadata.ownerReferences

[moolen]

Wild guess here: the target can be empty and when it is not defined the struct has go default values (i.e. empty string for string type) instead of the values provided by the controller-runtime defaulter mechanic (target.CreationPolicy=Owner).

That's maybe why we don't go into this branch to add the ownerRef: https://github.com/external-secrets/external-secrets/blob/main/pkg/controllers/externalsecret/externalsecret_controller.go#L251

This is just a wild guess, help would be appreciated 🙏

[steckhelena]

I just opened a PR which fixed the CRDs default values for the target field.