Origin: Enable secret update to manage secret lifecycle

Created on 22 Jan 2016  路  10Comments  路  Source: openshift/origin

When I deploy an application that has a secret (a configuration file, for example), I want to be able to update the secret payload. I would like to be instructed how to deploy that update as well. Example workflow:

  1. create secret

$ oc secret new mysecret config.yaml=/path/to/my/config.yaml

  1. deploy application that mounts secret
  2. update secret contents

$ vi /path/to/my/config.yaml

  1. update secret object

$ oc secret update mysecret config.yaml=/path/to/my/config.yaml secret "mysecret" updated. To deploy the update, run "oc deploy <deploy_config> --latest" on any deployment config that references this secret.

  1. User re-deploys per instruction

oc deploy <deploy_config> --latest

componenkubernetes lifecyclrotten prioritP2
Source
picture aweiteka
👍2

Most helpful comment

How is this closed? The lack of a sane way to update secrets without going through the webinterface and manually base64 encoding it or messing with JSON/YAML on the CLI seems like a major annoyance / missing feature.

pinging @pmorie since you were mentioned a few times. dunno who you are, but hopefully someone who can make this feature happen ;)

picture ThiefMaster on 20 Jun 2018
👍4

All 10 comments

This is really a pain. Currently if you need to update a secret, you have to delete and then recreate it. This breaks the linkage of the secret to service accounts, breaks volume identifiers referencing the secret and generally wreaks havok on deployment configs.

brianwcook picture brianwcook on 29 Aug 2016

You should not have to delete/recreate a secret to update it. @pmorie, can you confirm?

liggitt picture liggitt on 29 Aug 2016

I found this ticket while searching for a way to update a secret without deleting and re-creating it (because I didn't want to lose the labels defined for the secret). If anyone is having the same problem, this workaround might help:
oc patch secret mysecret -p '{"data": {"config.yaml": "'$(base64 /path/to/my/config.yaml)'"}}'

Of course, having an oc secret update command would feel much cleaner because the user wouldn't have to know about the internal structure of the secret.

lbilger picture lbilger on 21 Apr 2017

Of course, having an oc secret update command would feel much cleaner because the user wouldn't have to know about the internal structure of the secret.

@lbilger thanks for validating the use case.

I confirmed there is no workaround outside of patch. For example, oc secret new ... does not allow one to overwrite an existing secret.

Options remain:

  1. implement new verb oc secret update ... per this issue
  2. implement "overwrite" flag oc secret new* --overwrite ... to allow overwriting a secret

@pmorie who should this issue be assigned to?

aweiteka picture aweiteka on 24 Apr 2017
👍1

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot picture openshift-bot on 10 Feb 2018

I used the patch option suggested by @lbilger to get past this issue, but on my system, the base64 command automatically wraps lines, which resulted in the command giving the unhelpful message:

error: there is no need to specify a resource type as a separate argument when passing arguments in resource/name form (e.g. 'oc get resource/' instead of 'oc get resource resource/'

I was able to get past the issue by modifying the patch command given by adding -w 0 to disable line wrapping as follows:

 oc patch secret mysecret -p '{"data": {"config.yaml": "'$(base64 -w 0 /path/to/my/config.yaml)'"}}'
ceagan picture ceagan on 27 Feb 2018

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

openshift-bot picture openshift-bot on 29 Mar 2018
👎1

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-bot picture openshift-bot on 28 Apr 2018
👎4

How is this closed? The lack of a sane way to update secrets without going through the webinterface and manually base64 encoding it or messing with JSON/YAML on the CLI seems like a major annoyance / missing feature.

pinging @pmorie since you were mentioned a few times. dunno who you are, but hopefully someone who can make this feature happen ;)

ThiefMaster picture ThiefMaster on 20 Jun 2018
👍4

@ThiefMaster: you can't re-open an issue/PR unless you authored it or you are assigned to it.

In response to this:

How is this closed? The lack of a sane way to update secrets without going through the webinterface and manually base64 encoding it or messing with JSON/YAML on the CLI seems like a major annoyance / missing feature.

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci-robot picture openshift-ci-robot on 20 Jun 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ibuler picture ibuler  路  4Comments
akram picture akram  路  3Comments
slmzig picture slmzig  路  3Comments
davivd picture davivd  路  4Comments
theone4ever picture theone4ever  路  3Comments