Unable to change secret value when `refreshInterval: 0` and `creationPolicy: Orphan`

[onedr0p]

Describe the bug

I would like to update a secrets (created from an externalsecret) data values. From what I gathered this should be possible by setting refreshInterval: 0 and creationPolicy: Orphan

To Reproduce

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: test
spec:
  refreshInterval: "0"
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: test
    creationPolicy: Orphan
    template:
      engineVersion: v2
      type: kubernetes.io/tls
      metadata:
        annotations:
          testAnnotation: annotation 
        labels:
          testLabel: label
  dataFrom:
    - extract:
        key: test
        decodingStrategy: Auto

Now try to edit a field in the generated secret, it will get overridden on save.

Expected behavior

I expect to edit the data values in the generated secret and have them persistent.

Additional context

I am trying to automate pushing my LE certificate to my eso provider (onepassword) and then when the cluster is re-provisioned have the certificate be "imported" from onepassword but this doesn't work because when cert-manager renews the cert it writes to the *-tls secret but ESO just reverts it.

Here's my implementation using Flux:

https://github.com/onedr0p/home-ops/tree/e3b1bda79ef408d497d649f166a92fc04ee0bb4c/kubernetes/main/apps/cert-manager/certificates

• export folder creates the certificate and pushsecret resources
• import folder creates the externalsecret that tries to pull down the cert into a secret that cert-manager will read.

Related

#2245 (comment)

#4029

https://github.com/external-secrets/external-secrets/discussions/3148

[thesuperzapper]

I just want to highlight that even after #4086, this is still the behavior.

The reason is that the behavior I think most users are expecting when they set refreshInterval=0 is:

1. Sync/Create the target secret exactly once
2. If the target secret is deleted, re-create it.
3. If the target secret's data is changed, revert it.

Your problem is with number 3, but I am still not sure why you are using ESO to manage certificates when you are also managing the Secret with cert-manager?

[onedr0p]

Your problem is with number 3, but I am still not sure why you are using ESO to manage certificates when you are also managing the Secret with cert-manager?

@thesuperzapper [1] I want ESO to create the secret for my tls cert when my cluster bootstraps to avoid rate-limiting from letsencrypt, then I want cert-manager to renew that certificate when the renewal date comes up. ESO's pushsecret will then keep my cert updated in my provider so anytime I bootstrap (we go back to [1]) my cluster I don't run into rate-limits with letsencrypt. I get the operators will battle for ownership of the resulting tls secret but ESO should have a way create once and not revert any changes made by cert-manager. Does that help understand the issue more?

[thesuperzapper]

@onedr0p Under the current design of ExternalSecrets with refreshInterval=0, that's not possible, although it's a bit of a strange use case for ESO, would a Job that runs once on cluster creation not make more sense?

[thesuperzapper]

@Skarlso, I am interested to know if you think that we should not revert changes made (to the data) when refreshInterval=0?

Currently (after #4086) we are detecting this situation in isSecretValid() by saying that if the data actually found in the secret does not match the reconcile.external-secrets.io/data-hash that we should reconcile.

In that PR I kept the current behavior, but there are pros to not re-syncing when data is changed:

• The core benefit is that if the secret already exists, and we have reconciled the ExternalSecret at least once, then we truly will never update the target secret again
• This means we can never accidentally re-generate secrets if the secret source is a generator, which is probably what users are expecting when they use generators with refreshInterval=0.

The only negative is that that when users are not using generators (i.e. they are pulling from an actual secret store), they are probably simply saying that the source secret does not change if they set refreshInterval=0, but that they still want ExternalSecrets to manage that data in the secret (and revert unexpected changes).

[onedr0p]

would a Job that runs once on cluster creation not make more sense?

It's a bit janky to have the rollout of my cluster kind of be dependent on this job but I get your point.

I know you're aware, currently there's no way to have ESO create a secret that can be mutated by another operator or cluster admin which I think would be a useful feature any way it would be implemented.

Here's a couple ideas for thought:

• Maybe there can be a new field called syncPolicy that accepts Always or Once as options with Always being the default.
• Or, instead let refreshInterval: -1 to disable eso from updating the secret. This would ensure backwards compatibility for people who already use refreshInterval: 0 in it's current functionality.

[heavybullets8]

Maybe there can be a new field called syncPolicy that accepts Always or Once as options, with Always being the default.

I think this would be really helpful. Alternatively, similar to how Push Secret works, we could have an IfNotExists option for the creationPolicy. This way, it would only create the secret if it doesn't already exist, without overwriting any subsequent changes. This option would also need to disable or ignore all other update behaviors, except for refreshInterval, which can be used to continuously check if the secret exists and proceed accordingly.

This would be super useful for bootstrap use cases, as mentioned. I would be happy with any implementation. Love the project.

[gusfcarvalho]

Problem with all of these is backwards compatibility. We need to be able to re-create a given secret if it was e.g. wrongfully deleted within your cluster.

Removing Updates (e.g. with SyncPolicy or with refreshInterval: -1) essentially means we want to run a Job. external-secrets was never designed for it, and I can see a lot of edge cases when we mix these with some manifests with e.g. other creation policies.

[gusfcarvalho]

IMO - I think we should probably try to fix job-related issues within job-related tools Like CI or workflows instead of trying to create a reconciler that does not Update 🤔 .

[gusfcarvalho]

I think this would be really helpful. Alternatively, similar to how Push Secret works, we could have an IfNotExists option for the creationPolicy. This way, it would only create the secret if it doesn't already exist, without overwriting any subsequent changes. This option would also need to disable or ignore all other update behaviors, except for refreshInterval, which can be used to continuously check if the secret exists and proceed accordingly.

to my point - what would be the expected outcome of:

• 1 ExternalSecret with IfNotExists policy
• 1 ExternalSecret targeting the same Secret with Merge Policy?
• 1 ExternalSecret targeting the same Secret with Orphan Policy?

☝️ Should we just ignore that secret update?

What we should not do is having the same set of manifests leading to possible different results just because they were reconciled on a different order, and I think the spirit of the ideas here go to this direction.

IMO We would need to have a proper design, PoC, and edge case evaluation before moving this forward 😅

[gusfcarvalho]

Your problem is with number 3, but I am still not sure why you are using ESO to manage certificates when you are also managing the Secret with cert-manager?

@thesuperzapper [1] I want ESO to create the secret for my tls cert when my cluster bootstraps to avoid rate-limiting from letsencrypt, then I want cert-manager to renew that certificate when the renewal date comes up. ESO's pushsecret will then keep my cert updated in my provider so anytime I bootstrap (we go back to [1]) my cluster I don't run into rate-limits with letsencrypt. I get the operators will battle for ownership of the resulting tls secret but ESO should have a way create once and not revert any changes made by cert-manager. Does that help understand the issue more?

By design - if ESO manages a given key (tls.key in this case) - it will always fight for it - as this is a controller. While you can have multiple manifests composing a given Secret - you need to make them compose different keys by yourself, though. The only way around this is to not have the tls.key as part of your secret, which would probably defeat the purpose you're trying to achieve here.

Properly supporting what you're trying to achieve here only with ESO, we would need a way to specify per-key policies or something like that - which is why I mentioned a proper design on it.

(as if I understood correctly, If an user decided to change tls.crt on your given Secret, you'd actually want ESO to pull it back in, as opposed to having cert-manager re-generate it). You really want ESO to forget about updating the tls.key

[gusfcarvalho]

Also relevant here : #2699

[gusfcarvalho]

@onedr0p I believe from 0.11.0 onwards this should not update anymore. Can you confirm?