PushSecret fails to properly upload ca.crt to Azure KeyVault *sometimes* #5018
Description
Describe the bug
I'm using PushSecret with the advanced templating engine v2. It seemed to work fine at first, but after a while we discovered that every now and then the secret pushed to Key Vault is missing the value for ca.crt.
We've reviewed, isolated and tested the filterCertChain function, and it always properly filters the intermediate CA and leaf cert. So it's not in the filter/templating engine; it's probably somewhere in the Azure KV provider section.
To Reproduce
Steps to reproduce the behavior:
Secret:
apiVersion: v1
data:
  tls.crt: pem chain (intermediate CA + leaf cert)
  tls.key: leaf PK
kind: Secret
metadata:
  name: test-pushsecret
  namespace: certificates
type: kubernetes.io/tls
PushSecret:
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: test-pushsecret
  namespace: certificates
spec:
  data:
    - conversionStrategy: None
      match:
        remoteRef:
          remoteKey: test-pushsecret
  deletionPolicy: None
  refreshInterval: 1m
  secretStoreRefs:
    - kind: ClusterSecretStore
      name: my-css
  selector:
    secret:
      name: test-pushsecret
  template:
    data:
      ca.crt: '{{ index . "tls.crt" | filterPEM "CERTIFICATE" | filterCertChain "intermediate" }}'
      tls.crt: '{{ index . "tls.crt" | filterPEM "CERTIFICATE" | filterCertChain "leaf" }}'
      tls.key: '{{ index . "tls.key" }}'
    engineVersion: v2
    mergePolicy: Replace
  updatePolicy: Replace
- provide the Kubernetes and ESO version
1.31 AKS cluster.
Tested on ESO versions 16.1 and 18.2.
Expected behavior
Always have synced ca.crt, tls.crt and tls.key in azure keyvault with proper values. E.g.:
{"ca.crt": "proper intermediate ca content", "tls.crt": "proper leaf cert content", "tls.key": "proper leaf cert pk"}
Actual behavior:
Mostly the values are as expected above, but once in a while (every few minutes) it syncs the secret with empty ca.crt data:
{"ca.crt": "", "tls.crt": "proper leaf cert content", "tls.key": "proper leaf cert pk"}
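To check the intermediate/leaf split outside the controller, here is an added Go example: it is my own code, not ESO's filterCertChain implementation and not part of the issue. It classifies the CERTIFICATE blocks of a PEM chain the way the template above expects, generates a constructed root/intermediate/leaf chain to feed it, and fails instead of returning "" when no certificate of the requested kind is present; the names filterCertChain, issue and constructedTLSCrt are mine, and the input is assumed to have already passed filterPEM "CERTIFICATE".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// filterCertChain keeps the CERTIFICATE blocks matching kind: "leaf" (not a CA) or
// "intermediate" (a CA that is not self-signed). It errors instead of rendering ""
// when nothing matches, the fail-closed check that would expose an empty ca.crt.
func filterCertChain(chain []byte, kind string) ([]byte, error) {
	var out []byte
	for block, rest := pem.Decode(chain); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes) // assumes filterPEM "CERTIFICATE" already ran
		if err != nil {
			return nil, err
		}
		selfSigned := cert.CheckSignatureFrom(cert) == nil
		if (kind == "leaf" && !cert.IsCA) || (kind == "intermediate" && cert.IsCA && !selfSigned) {
			out = append(out, pem.EncodeToMemory(block)...)
		}
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no %q certificate in chain", kind)
	}
	return out, nil
}

// issue mints a throwaway Ed25519 cert for cn signed by parent/parentKey (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	return tmpl, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// constructedTLSCrt builds root -> intermediate -> leaf (constructed data) and returns
// intermediate + leaf PEM, the tls.crt layout described in the report.
func constructedTLSCrt() []byte {
	root, rootKey, _ := issue("constructed root", true, nil, nil)
	inter, interKey, interPEM := issue("constructed intermediate", true, root, rootKey)
	_, _, leafPEM := issue("constructed leaf", false, inter, interKey)
	return append(interPEM, leafPEM...)
}
```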