'Forbidden' error when creating Immutable secrets #3604

Description

@alexgenon

Describe the bug
I'm trying to create an ExternalSecret with data coming from a password generator and using a template. As we don't want this password to be refreshed, we set the spec.target.immutable attribute to true. However, whenever I create it, the controller reports the following error:

Status:
  Binding:
    Name:  es-5-test
  Conditions:
    Last Transition Time:   2024-06-19T05:40:30Z
    Message:                could not update Secret
    Reason:                 SecretSyncedError
    Status:                 False
    Type:                   Ready
  Refresh Time:             2024-06-19T05:40:30Z
  Synced Resource Version:  1-afdbc4873f1d1bdfd2885d1d7b0e682b
Events:
  Type     Reason        Age                From              Message
  ----     ------        ----               ----              -------
  Normal   Updated       28s                external-secrets  Updated Secret
  Warning  UpdateFailed  1s (x11 over 28s)  external-secrets  Secret "es-5-test" is invalid: data: Forbidden: field is immutable when `immutable` is set

If we set creationPolicy: Orphan then we don't have this issue but the secret is not recreated whenever it is deleted by accident.

To Reproduce
Kubernetes version: 1.27.13
ExternalSecrets version: v0.9.16

This is the ExternalSecret manifest

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: es-5-test
spec:
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: Password
        name: password-generator
  refreshInterval: 0m
  target:
    immutable: true
    name: es-5-test
    template:
      data:
        password: '{{ .password }}'
        username: someone

For the sake of completeness, here's the Password's manifest:

apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
metadata:
  name: password-generator
spec:
  allowRepeat: true
  length: 16
  noUpper: false
  symbolCharacters: ~!%^&*()_+-={}|[]\<>?,./

Expected behavior
Secret is created with immutable: true and the ExternalSecret condition is set to SecretSynced.

Screenshots
not applicable


Many thanks in advance for your support!
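As an added example, not code from the issue reporter or from the external-secrets project, the following Python models the rule the API server applies to a Secret update once `immutable` is set, and runs a create-or-update reconcile against it with two kinds of source: one that returns the same value on every read, and one that, like the Password generator, returns a fresh value on each read. The names FakeApiServer, reconcile and run, and the in-memory API, are assumptions made for the illustration; the error strings reuse the wording from the events above.

```python
"""Model of the Kubernetes rule that rejects data changes on an immutable
Secret, and of a reconcile loop whose source regenerates its data on every
pass. Added example, not code from the external-secrets project or from the
issue reporter; FakeApiServer, reconcile, run and the other names are
assumptions made for illustration."""
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Secret:
    name: str
    data: Dict[str, str]
    immutable: Optional[bool] = None


class ApiError(Exception):
    pass


def validate_secret_update(old: Secret, new: Secret) -> List[str]:
    """Update rule for a Secret whose `immutable` flag is already set: the
    flag cannot be cleared and the data cannot change. The error strings
    follow the wording shown in the issue's events."""
    errors = []
    if old.immutable:
        if not new.immutable:
            errors.append("immutable: Forbidden: field is immutable when `immutable` is set")
        if new.data != old.data:
            errors.append("data: Forbidden: field is immutable when `immutable` is set")
    return errors


class FakeApiServer:
    """In-memory stand-in for the Kubernetes API (constructed for this example)."""

    def __init__(self) -> None:
        self.secrets: Dict[str, Secret] = {}

    def get(self, name: str) -> Optional[Secret]:
        return self.secrets.get(name)

    def create(self, s: Secret) -> None:
        if s.name in self.secrets:
            raise ApiError(f'Secret "{s.name}" already exists')
        self.secrets[s.name] = Secret(s.name, dict(s.data), s.immutable)

    def update(self, s: Secret) -> None:
        old = self.secrets.get(s.name)
        if old is None:
            raise ApiError(f'Secret "{s.name}" not found')
        errors = validate_secret_update(old, s)
        if errors:
            raise ApiError(f'Secret "{s.name}" is invalid: ' + "; ".join(errors))
        self.secrets[s.name] = Secret(s.name, dict(s.data), s.immutable)


def generate_password(length: int = 16) -> str:
    """Stand-in for the Password generator: a fresh random value on every call,
    drawn from letters, digits and the symbol set given in the issue."""
    alphabet = string.ascii_letters + string.digits + "~!%^&*()_+-={}|[]\\<>?,./"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def render(password: str) -> Dict[str, str]:
    """The spec.target.template.data mapping from the issue."""
    return {"username": "someone", "password": password}


def reconcile(api: FakeApiServer, name: str, source: Callable[[], str],
              immutable: bool) -> str:
    """One create-or-update pass: read the source, render the template, write
    the Secret. Returns the event message a controller would emit."""
    desired = Secret(name, render(source()), immutable)
    if api.get(name) is None:
        api.create(desired)
        return "Created Secret"
    try:
        api.update(desired)
        return "Updated Secret"
    except ApiError as exc:
        return f"UpdateFailed: {exc}"


def run(source: Callable[[], str], immutable: bool, passes: int = 3) -> List[str]:
    """Run several reconcile passes against a fresh API and collect the outcomes."""
    api = FakeApiServer()
    return [reconcile(api, "es-5-test", source, immutable) for _ in range(passes)]


if __name__ == "__main__":
    # A source that returns the same value on every read coexists with
    # immutable: true, because an update carrying identical data is accepted.
    print(run(lambda: "static-secret", immutable=True))
    # A generator yields new data on every pass, so every pass after the
    # first is rejected by the immutable rule, as in the issue.
    print(run(generate_password, immutable=True))
```

Run it and the stable source survives every pass, while the generator is rejected on every pass after the first with the same `data: Forbidden` message as in the events above. That is the conflict the issue describes: an immutable target can only stay in sync with a source whose value does not change between reconciles, and the only way to write new generated data into it is to delete and recreate the Secret, which rotates the password for every consumer.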

Labels: kind/bug