This repository has been archived by the owner on Jul 26, 2022. It is now read-only.

Guidance on patching existing secrets #804

Closed
piyat opened this issue Jul 27, 2021 · 4 comments

Comments

@piyat

piyat commented Jul 27, 2021

Hey - thanks for a great tool! I have a general usage/guidance type question.

I tried to use an ExternalSecret to update an existing secret - one containing certs used for the UI components of a popular tool. The secret is created by that deployment and is supposed to be updated if customisation is wanted.

As this secret was created outside of KES and not produced/owned by it, I see a failed sync with:

NAMESPACE    NAME                       LAST SYNC   STATUS
dev          argocd-server-tls          1s          ERROR, secrets "argocd-server-tls" is forbidden: cannot set an ownerRef on a resource you can't delete: , <nil>   5m48s

I can cause this to succeed by granting delete permissions (on secrets) to the KES controller via its rbac clusterrole external-secrets-kubernetes-external-secrets.

I'm trying to weigh up the pros/cons of passing this delete permission to the KES clusterrole (via role aggregation). I'm not sure what the downside is, but there must be some... so my question is: what is the reason delete is omitted from the role here? (I'm using v8.0.1.)

Aside - if the above isn't the right approach, is there a native solution for this kind of use case? Or is this just not something KES was built to do? No sweat either way!

Thanks - hope to hear from you.

@Flydiverny
Member

KES expects to fully own any secret it interacts with and does not support modifying / managing data in existing secrets. Any update or change in the ExternalSecret will overwrite the existing secret.
There's no need for the delete permission for KES, as it never deletes any Secrets; deletion of an ExternalSecret by the user would orphan the created Secret, which would then be deleted.

@piyat
Author

piyat commented Jul 27, 2021

Thanks @Flydiverny for the super quick response.

That helped me understand, closing this now. Have a great day!

@piyat piyat closed this as completed Jul 27, 2021
@Flydiverny
Member

@piyat
If you are just getting started with KES, you might want to explore ESO (https://external-secrets.io/), the Go rewrite of KES. It allows using a creationPolicy: 'Merge' (https://external-secrets.io/spec/#external-secrets.io/v1alpha1.ExternalSecretCreationPolicy) to update an existing secret. ESO is still flagged as alpha, but the beta stamp is inching closer.
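The following manifest is an added example of the approach suggested in the comment above; it is not code from the issue or from the ESO project. It shows an ESO ExternalSecret that patches certificate keys into the pre-existing `argocd-server-tls` Secret in the `dev` namespace from the sync output, using `creationPolicy: Merge` instead of the default owner semantics that caused the ownerRef error with KES. The SecretStore name, the remote key path and the property names are assumptions chosen for illustration.

```yaml
# Added example, not from the issue or the ESO project.
# Patches data into an existing, externally created Secret using
# creationPolicy: Merge. Store name, remote key and properties are assumed.
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: argocd-server-tls        # name of this ExternalSecret (assumed)
  namespace: dev                 # namespace from the issue's sync output
spec:
  refreshInterval: 1h            # how often ESO re-reads the backend
  secretStoreRef:
    name: vault-backend          # assumed SecretStore name
    kind: SecretStore
  target:
    name: argocd-server-tls      # existing Secret to patch (from the issue)
    creationPolicy: Merge        # patch listed keys into the existing Secret;
                                 # do not create it and do not take ownership
  data:
    - secretKey: tls.crt         # key written into the Secret
      remoteRef:
        key: argocd/server-tls   # assumed path in the backend
        property: tls.crt        # assumed property holding the certificate
    - secretKey: tls.key
      remoteRef:
        key: argocd/server-tls
        property: tls.key        # assumed property holding the private key
```

With `Merge`, the target Secret must already exist; ESO patches only the keys listed under `data` and leaves the rest of the Secret's contents in place, which is what makes it fit the "update a secret created by another deployment" case in the original question. Because the Merge policy does not set an owner reference on the Secret, the controller does not need delete permission on secrets for this to sync, so the RBAC widening considered in the question can be avoided. After applying, `kubectl get externalsecret -n dev` shows the sync status, and `kubectl get secret argocd-server-tls -n dev -o jsonpath='{.metadata.ownerReferences}'` should come back empty, confirming the Secret is still not owned by the controller.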

@piyat
Author

piyat commented Jul 29, 2021

Thanks for following this up. This does indeed look to be what I'm after. I will try it out.

Again, many thanks @Flydiverny
