When using secretGenerator a secret is created with a suffix, but when referencing it the resource does not have the suffix. See output on the same code from 1.0.3 vs 1.0.8 below.
Given:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: cory-test-pod
spec:
  containers:
  - name: test-pod
    image: busybox
    env:
    - name: USER
      valueFrom:
        secretKeyRef:
          name: env
          key: user
```
On 1.0.3 outputs:
```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations: {}
  labels:
    app: test
  name: test-cory-test-pod
  namespace: playground
spec:
  containers:
  - env:
    - name: USER
      valueFrom:
        secretKeyRef:
          key: user
          name: env-b77282thcd # <--- Has the suffix
    image: busybox
    name: test-pod
---
apiVersion: v1
data:
  pass: a2V3bA==
  user: Y29yeQ==
kind: Secret
metadata:
  creationTimestamp: null
  labels:
    app: test
  name: env-b77282thcd
  namespace: playground
type: Opaque
```
On 1.0.8 outputs:
```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations: {}
  labels:
    app: test
  name: test-cory-test-pod
  namespace: playground
spec:
  containers:
  - env:
    - name: USER
      valueFrom:
        secretKeyRef:
          key: user
          name: env # <--- No suffix
    image: busybox
    name: test-pod
---
apiVersion: v1
data:
  pass: a2V3bA==
  user: Y29yeQ==
kind: Secret
metadata:
  creationTimestamp: null
  labels:
    app: test
  name: env-b77282thcd
  namespace: playground
type: Opaque
```
Thanks for the detailed repro. Can you add the kustomization.yaml code for the secretgenerator (i.e. the full bug reproduction?)
> Can you add the kustomization.yaml code for the secretgenerator (i.e. the full bug reproduction?)
Not OP, but I'm running into this too.
Putting the secretGenerator in base/kustomization.yaml, where the deployment is also listed, works.
```yaml
commonLabels:
  app: spotinst-cluster-controller
  inventorycode: spotinst-cluster-controller
  productcode: prd354
namespace: prd354
resources:
- certs-secret.yaml
- clusterrole.yaml
- clusterrolebinding.yaml
- deployment.yaml
- serviceaccount.yaml
secretGenerator:
- name: spotinst-cluster-controller
  commands:
    ACCOUNT: "printf ..."
    CLUSTER_IDENTIFIER: "printf ..."
    TOKEN: "printf ..."
  type: Opaque
```
but moving the secretGenerator to an overlay kustomization.yaml results in the deployment's reference not having the suffix.
This is still an issue in v1.0.10.
Issue should be reopened IMHO. Secret names generated in an overlay are not being inserted into deployments from the base.
@mgoodness I couldn't reproduce the error. Can you open another issue with the steps to reproduce? Thank you.
@mgoodness I figured out what was wrong in my case, curious if it's the same for you...
My resources declare their namespace as my kustomization.yaml is building for multiple namespaces, so I'm not setting a namespace in the kustomization file... so my secretGenerator doesn't end up generating the secret in the same namespace as the resources that are trying to use it.
I had to break out my kustomization bases to per-namespace to get this to work correctly. So I think the bug was technically before 1.0.8 - it worked by chance and shouldn't have?!
I was thinking it might be nice to have a namespace option on a secretGenerator but that seems to conflict with the idea of setting the namespace in the kustomization file. So not sure if that would be confusing to people.
Yeah, not sure what I ultimately changed, but everything's working for me now too.
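A check for the symptom discussed in this thread, written as an added example (not code from the issue or from kustomize): it walks parsed build output and reports every Secret reference that no generated Secret in the same namespace satisfies, which covers both the missing suffix and the namespace mismatch. The function names, the `default` namespace fallback and the sample documents are assumptions made for the example.

```python
# Added example: flag Secret references that no Secret in the build output satisfies.
# Input is a list of parsed manifests, e.g. list(yaml.safe_load_all(text)) with PyYAML
# over the text printed by `kustomize build`. Sample documents below are constructed
# from the names shown in the thread.

def find_refs(node):
    """Yield every Secret name referenced anywhere under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key in ("secretKeyRef", "secretRef") and isinstance(val, dict) and "name" in val:
                yield val["name"]          # env[].valueFrom / envFrom[]
            elif key == "secret" and isinstance(val, dict) and "secretName" in val:
                yield val["secretName"]    # volumes[].secret
            else:
                yield from find_refs(val)
    elif isinstance(node, list):
        for item in node:
            yield from find_refs(item)

def dangling_secret_refs(docs):
    """Return sorted (kind, name, namespace, secret) tuples with no matching Secret."""
    docs = [d for d in docs if isinstance(d, dict)]
    # Assumption: a manifest without metadata.namespace lands in "default".
    secrets = {(d["metadata"].get("namespace", "default"), d["metadata"]["name"])
               for d in docs if d.get("kind") == "Secret"}
    missing = set()
    for d in docs:
        if d.get("kind") == "Secret":
            continue
        ns = d["metadata"].get("namespace", "default")
        for ref in find_refs(d.get("spec", {})):
            if (ns, ref) not in secrets:
                missing.add((d["kind"], d["metadata"]["name"], ns, ref))
    return sorted(missing)

def pod(secret_name, ns="playground"):
    """Constructed Pod mirroring the thread's output, parameterised on the reference."""
    env = [{"name": "USER", "valueFrom": {"secretKeyRef": {"name": secret_name, "key": "user"}}}]
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "test-cory-test-pod", "namespace": ns},
            "spec": {"containers": [{"name": "test-pod", "image": "busybox", "env": env}]}}

SECRET = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
          "metadata": {"name": "env-b77282thcd", "namespace": "playground"}}

if __name__ == "__main__":
    for label, docs in (("1.0.3", [pod("env-b77282thcd"), SECRET]), ("1.0.8", [pod("env"), SECRET])):
        print(label, dangling_secret_refs(docs) or "all Secret references resolve")
```

References to Secrets that exist only in the cluster and not in the build output are also reported, so such names would need to be allow-listed before using this as a CI gate.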