Strange results when editing generated secrets #4029

@thoroughsoft

Describe the bug
I am not totally sure if this is a bug or a feature request so let's see where we land.
I have an ExternalSecret resource that generates the expected Secret resource (see below).
All is showing up and working fine.
The issue starts when I manually edit the generated secrets in Rancher (the behavior has also been confirmed via the REST API).
I can change the secrets that are picked up from the dataFrom section.
But these values never get reset based on the refreshInterval so they stay with the edited value.
(Note that the value did not change in the key vault, it was edited directly in the Secret resource.)
This might be a design choice.
However, the secrets generated by the template section are not possible to change at all.
Edit the value, save and reload shows that the value has not changed.
This should be possible to make it consistent.

To Reproduce
Kubernetes Version: v1.30.4
ESO Version: 0.10.4

Input:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: bindings.generic.optimize
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: secret-store-external-secrets
    kind: SecretStore
  target:
    name: bindings.generic.optimize
    creationPolicy: Owner
    template:
      type: Opaque
      metadata:
        labels:          
          managed-by: external-secrets
      data:
        url: https://nowhere.com
  dataFrom:
    - extract:
        key: bindings-generic-optimize-credentials

Resulting Secret:

apiVersion: v1
data:
  optimize-password: password (base64)
  optimize-username: username (base64)
  url: https://nowhere.com (base64)
immutable: false
kind: Secret
metadata:
  labels:
    managed-by: external-secrets
  name: bindings.generic.optimize
  ownerReferences:
    - apiVersion: external-secrets.io/v1beta1
      blockOwnerDeletion: true
      controller: true
      kind: ExternalSecret
      name: bindings.generic.optimize
type: Opaque

Expected behavior
I would like to be able to edit all secret keys (during debug sessions etc), including the ones generated from the template section.
Whether the edited keys should follow the refreshInterval and be overwritten or not can be debated but it should be consistent.
Maybe the behavior can be controlled by a flag in the resource.
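
A drift check for the situation described in this issue, as an added example that is not part of the original report or of the external-secrets project: it compares the live Secret against the values the ExternalSecret should produce and reports which keys were edited out of band, without ever printing a secret value. The function names, the provider values and the sample Secret are constructed for illustration.

```python
import base64
import hmac

def b64(text):
    """Encode a string the way it appears under Secret.data."""
    return base64.b64encode(text.encode()).decode()

def is_owned_by(secret, kind, name):
    """True if the Secret's controlling ownerReference is the given resource."""
    refs = secret.get("metadata", {}).get("ownerReferences", [])
    return any(r.get("controller") and r.get("kind") == kind and r.get("name") == name
               for r in refs)

def find_drift(secret, template_data, provider_data):
    """Map each drifted key to a status string; secret values are never returned."""
    live = {k: base64.b64decode(v) for k, v in secret.get("data", {}).items()}
    expected = {}
    for origin, source in (("dataFrom", provider_data), ("template", template_data)):
        for key, value in source.items():
            expected[key] = (origin, value.encode())
    report = {}
    for key, (origin, want) in expected.items():
        if key not in live:
            report[key] = f"missing ({origin})"
        elif not hmac.compare_digest(live[key], want):  # constant-time compare
            report[key] = f"edited ({origin})"
    for key in sorted(live.keys() - expected.keys()):
        report[key] = "unexpected key"
    return report

# Constructed sample: template literal from the issue, made-up provider values,
# and a live Secret (shape of `kubectl get secret -o json`) with one manual edit.
TEMPLATE_DATA = {"url": "https://nowhere.com"}
PROVIDER_DATA = {"optimize-username": "svc-optimize",
                 "optimize-password": "constructed-pw"}
LIVE_SECRET = {
    "metadata": {"name": "bindings.generic.optimize", "ownerReferences": [
        {"kind": "ExternalSecret", "name": "bindings.generic.optimize",
         "controller": True}]},
    "data": {"optimize-username": b64("svc-optimize"),
             "optimize-password": b64("debug-edit"),  # edited directly in the Secret
             "url": b64("https://nowhere.com")},
}

if __name__ == "__main__":
    assert is_owned_by(LIVE_SECRET, "ExternalSecret", "bindings.generic.optimize")
    for key, status in find_drift(LIVE_SECRET, TEMPLATE_DATA, PROVIDER_DATA).items():
        print(f"{key}: {status}")
```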

Labels: Stale (this issue/pull request is stale and will be automatically closed), kind/bug (categorizes issue or PR as related to a bug).