Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Changing a secret's data always results in a replace insted of an update #1772

Closed
johnb8 opened this issue Oct 18, 2021 · 7 comments
Closed
Assignees
Labels
kind/enhancement Improvements or new features resolution/fixed This issue was fixed

Comments

@johnb8
Copy link

johnb8 commented Oct 18, 2021

Hello!

  • Vote on this issue by adding a 👍 reaction
  • To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

When the data or stringData of a Secret is modified, Pulumi wants to do a replace instead of a update.

Steps to reproduce

Deploy this Pulumi script

import * as k8s from "@pulumi/kubernetes";

const kubeProvider = new k8s.Provider("main", {
  context: "minikube",
  namespace: "secret-test",
});

const namespace = new k8s.core.v1.Namespace(
  "main",
  {
    metadata: {
      name: "secret-test",
    },
  },
  { provider: kubeProvider }
);

const secret = new k8s.core.v1.Secret(
  "secret-env",
  {
    metadata: {
      name: "secret-env",
      namespace: "secret-test",
    },
    stringData: {
      test: "super secret",
    },
  },

  { provider: kubeProvider }
);

then change the test secret value and deploy again. Pulumi will replace the secret. The same happens when using data instead of stringData too.

I'm using Pulumi version 3.15.0 and @pulumi/kubernetes 3.8.1.

Expected: Pulumi should do an update on the Secret
Actual: Pulumi replaces the Secret

@johnb8 johnb8 added the kind/bug Some behavior is incorrect or out of spec label Oct 18, 2021
@mikhailshilkov mikhailshilkov added kind/enhancement Improvements or new features and removed kind/bug Some behavior is incorrect or out of spec labels Oct 19, 2021
@mikhailshilkov
Copy link
Member

Thank you for reporting this!

This is currently the expected behavior, see #1568 for description. We may consider an improvement here, so I'll leave the issue open for now.

@lblackstone
Copy link
Member

I opened #1775 to track a planned improvement here.

@johnb8
Copy link
Author

johnb8 commented Oct 20, 2021

Sorry I missed that issue. Using replaceOnChanges to override the default behaviour would be a nice improvement.

I probably should have included in my original issue that when that Secret is updated and used by a Deployment the Deployment is replaced as well, resulting in downtime. I know now that I can let Pulumi auto-name the secret to avoid this (as mentioned in #1567, thanks for linking that!), though it would be nice to have a static name for the Secret.

But since Pulumi knows that the Deployment needs to be changed when the Secret changes if the Secret behaviour was changed to update wouldn't the Deployment only be updated too and restarted in the process avoiding concern 1 mentioned here #1567 (comment)?

I guess once replaceOnChanges allows overriding the default those concerns will be irrelevant anyway, since the user can decide what they want

@lblackstone
Copy link
Member

But since Pulumi knows that the Deployment needs to be changed when the Secret changes if the Secret behaviour was changed to update wouldn't the Deployment only be updated too and restarted in the process avoiding concern 1 mentioned here #1567 (comment)?

The Deployment should be updated (not replaced) using a rollout, so it generally shouldn't cause downtime.

@johnb8
Copy link
Author

johnb8 commented Oct 20, 2021

Right, I think it was doing a replace because I was using apply in my other project, instead of just referencing the secret and keys directly. Thanks for the clarification!

@protometa
Copy link

I'm having this issue changing a named secret referenced by imagePullSecrets which triggers full replacement of the deployments. Changing the secret to auto-name will merely trigger updates of the deployments, but that's still undesired behavior to my understanding since imagePullSecrets only need be looked up on the next redeployment at the earliest. The auto-named reference is causing an unnecessary update to the spec and redeployment.

@blampe blampe added the resolution/fixed This issue was fixed label Sep 30, 2024
@blampe blampe self-assigned this Sep 30, 2024
@blampe
Copy link
Contributor

blampe commented Sep 30, 2024

@protometa @gunzy83 @johnb8 FYI support for mutable secrets was added in v4.18 -- see the release notes. Note this might become the default behavior in a future major release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/enhancement Improvements or new features resolution/fixed This issue was fixed
Projects
None yet
Development

No branches or pull requests

5 participants