@drnic
Created January 31, 2020 00:34
$ kaf generate-secret.yaml
$ k get secret my-internal-secret -n kubecf -ojsonpath='{.data.password}' | base64 --decode
CDVIqCF7LY6dLyEGq10BrzaZfRWGDl8dxSV4vuVz8eDGga8AoP84SEc22Ben25mM

Now rotate secret:

$ kaf rotate-my-internal-secret.yaml

But the secret doesn't change

$ k get secret my-internal-secret -n kubecf -ojsonpath='{.data.password}' | base64 --decode
CDVIqCF7LY6dLyEGq10BrzaZfRWGDl8dxSV4vuVz8eDGga8AoP84SEc22Ben25mM

The rotation logs from cf-operator show an error:

cf-operator-9cc8f98dd-kxglp cf-operator 2020-01-31T00:33:43.011Z	DEBUG	boshdeployment-reconciler	reference/reconciles.go:88	Listing BOSHDeployment in namespace 'kubecf' for 'rotate-my-internal-secret'
cf-operator-9cc8f98dd-kxglp cf-operator 2020-01-31T00:33:43.011Z	DEBUG	secret-rotation-reconciler	quarkssecret/secret_rotation_controller.go:43Create predicate passed for 'rotate-my-internal-secret'
cf-operator-9cc8f98dd-kxglp cf-operator 2020-01-31T00:33:43.011Z	INFO	secret-rotation-reconciler	quarkssecret/secret_rotation_reconciler.go:50Reconciling QuarksSecret rotation kubecf/rotate-my-internal-secret
cf-operator-9cc8f98dd-kxglp cf-operator 2020-01-31T00:33:43.011Z	DEBUG	quarks-statefulset-reconciler	reference/reconciles.go:88	Listing QuarksStatefulSet in namespace 'kubecf' for 'rotate-my-internal-secret'
cf-operator-9cc8f98dd-kxglp cf-operator 2020-01-31T00:33:43.013Z	DEBUG	controller-runtime.manager.events	recorder/recorder.go:52	Normal	{"object": {"kind":"ConfigMap","namespace":"kubecf","name":"rotate-my-internal-secret","uid":"df2651fb-36d0-461b-935c-eba73d95f619","apiVersion":"v1","resourceVersion":"36898"}, "reason": "Predicates", "message": "{\"reconciliationObjectName\":\"rotate-my-internal-secret\",\"reconciliationObjectKind\":\"corev1.ConfigMap\",\"predicateObjectName\":\"rotate-my-internal-secret\",\"predicateObjectKind\":\"corev1.ConfigMap\",\"namespace\":\"kubecf\",\"message\":\"Create predicate passed for 'rotate-my-internal-secret'\",\"type\":\"Predicates\"}"}
cf-operator-9cc8f98dd-kxglp cf-operator 2020-01-31T00:33:43.027Z	DEBUG	controller-runtime.controller	controller/controller.go:242	Successfully Reconciled	{"controller": "secret-rotation-controller", "request": "kubecf/rotate-my-internal-secret"}
cf-operator-9cc8f98dd-kxglp cf-operator 2020-01-31T00:33:43.027Z	DEBUG	quarks-secret-reconciler	quarkssecret/quarkssecret_controller.go:65	Update predicate passed for 'my-internal-secret'
cf-operator-9cc8f98dd-kxglp cf-operator 2020-01-31T00:33:43.027Z	INFO	quarks-secret-reconciler	quarkssecret/quarkssecret_reconciler.go:86	Reconciling QuarksSecret kubecf/my-internal-secret
cf-operator-9cc8f98dd-kxglp cf-operator 2020-01-31T00:33:43.027Z	DEBUG	quarks-secret-reconciler	controller/controller.go:216	Resource 'my-internal-secret' is in meltdown, requeue reconcile after 30s
cf-operator-9cc8f98dd-kxglp cf-operator 2020-01-31T00:33:43.027Z	DEBUG	controller-runtime.manager.events	recorder/recorder.go:52	Normal	{"object": {"kind":"QuarksSecret","namespace":"kubecf","name":"my-internal-secret","uid":"78df9c53-50cf-4ad9-b256-8a533d9f9f7b","apiVersion":"quarks.cloudfoundry.org/v1alpha1","resourceVersion":"36900"}, "reason": "Predicates", "message": "{\"reconciliationObjectName\":\"my-internal-secret\",\"reconciliationObjectKind\":\"qsv1a1.QuarksSecret\",\"predicateObjectName\":\"my-internal-secret\",\"predicateObjectKind\":\"qsv1a1.QuarksSecret\",\"namespace\":\"kubecf\",\"message\":\"Update predicate passed for 'my-internal-secret'\",\"type\":\"Predicates\"}"}
cf-operator-9cc8f98dd-kxglp cf-operator 2020-01-31T00:33:43.027Z	DEBUG	controller-runtime.manager.events	recorder/recorder.go:52	Normal	{"object": {"kind":"QuarksSecret","namespace":"kubecf","name":"my-internal-secret","uid":"78df9c53-50cf-4ad9-b256-8a533d9f9f7b","apiVersion":"quarks.cloudfoundry.org/v1alpha1","resourceVersion":"36900"}, "reason": "Meltdown", "message": "Resource 'my-internal-secret' is in meltdown, requeue reconcile after 30s"}

apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: my-internal-secret
spec:
  type: password
  secretName: my-internal-secret
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: rotate-my-internal-secret
  labels:
    quarks.cloudfoundry.org/secret-rotation: "true"
data:
  secrets: '["my-internal-secret"]'
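
To check a rotation like the one above without printing the decoded password to the terminal, the following added example (not part of the original gist or of cf-operator) compares SHA-256 fingerprints of the Secret before and after, re-checking past the 30s requeue seen in the log. The function names and the retry defaults are assumptions; the Secret name, namespace and `password` key come from the commands on this page.

```shell
#!/usr/bin/env bash
# Added example: verify that a QuarksSecret rotation changed the Secret,
# comparing SHA-256 fingerprints instead of printing the decoded password.
# Function names and retry defaults are assumptions, not cf-operator's.

# Print the SHA-256 fingerprint of one decoded key of a Secret.
# Returns 2 if the Secret or key cannot be read (never hashes empty input).
secret_fingerprint() {
  local name="$1" ns="$2" key="${3:-password}" b64
  b64=$(kubectl get secret "$name" -n "$ns" -o "jsonpath={.data.$key}") || return 2
  [ -n "$b64" ] || return 2
  printf '%s' "$b64" | base64 --decode | sha256sum | cut -d' ' -f1
}

# Re-check until the fingerprint differs from the pre-rotation one.
# Default delay matches the "requeue reconcile after 30s" log message.
# Returns 0 = rotated, 1 = value unchanged, 2 = Secret unreadable.
wait_for_rotation() {
  local name="$1" ns="$2" before="$3" attempts="${4:-4}" delay="${5:-30}"
  local i=1 now
  while [ "$i" -le "$attempts" ]; do
    now=$(secret_fingerprint "$name" "$ns") || return 2
    if [ "$now" != "$before" ]; then
      echo "rotated (check $i): $(printf '%s' "$now" | cut -c1-12)..."
      return 0
    fi
    if [ "$i" -lt "$attempts" ]; then sleep "$delay"; fi
    i=$((i + 1))
  done
  echo "NOT rotated after $attempts checks" >&2
  return 1
}

# Usage, with the names from this page:
#   before=$(secret_fingerprint my-internal-secret kubecf)
#   kaf rotate-my-internal-secret.yaml
#   wait_for_rotation my-internal-secret kubecf "$before"
```

A non-zero exit from `wait_for_rotation` makes the unchanged value visible to a script or CI job, which the apply command alone does not.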