secrets are deleted when delete-psmdb-pvc has been set #1409

Open
m-bahmann opened this issue Jan 3, 2024 · 4 comments


m-bahmann commented Jan 3, 2024

Secrets are deleted when delete-psmdb-pvc has been set.
The problem is sometimes the percona secrets (cr.Spec.Secrets.Users, "internal-" + cr.Name + "-users") are respectively being recreated right after the deletion in reconcileUsersSecret, reconcileUsers func calls. Sometimes not.

This logic of deleting secrets causes issues/side effects in the case that the psmdb CR might be re-created afterwards to recover a deleted cluster, for example.

To work around this logic we try to overwrite/create the user secret with the previous data (leaving it to the operator to sync the secrets, etc.), but sometimes recreating psmdb later on ends up creating the mongodb pods successfully with some auth errors on the mongo pods though, sometimes not. The psmdb does not even go into initializing status. (There are logs on the operator: not found the internal users secret.)

@spron-in
Collaborator

Hey @m-bahmann,

I'm not sure which issue you are after here.
So deletion of Secrets is desired behavior if delete-psmdb-pvc is set. We might add a separate finalizer for secrets. Is it what you are after?

Recreating PSMDB cluster without secrets on new PVC should not be the problem.

Also I'm a bit confused with

> the problem is sometimes the percona secrets (cr.Spec.Secrets.Users, "internal-" + cr.Name + "-users") are respectively being recreated right after the deletion in reconcileUsersSecret, reconcileUsers func calls. Sometimes not.

What does it mean "Sometimes not"? Is it that there is an issue that secrets are not deleted sometimes?


lkadalski commented Mar 8, 2024

Hi :)
I have the same issue. When using terraform and helm_release after destroy plan, there is still one secret internal-{name}-users remaining. This secret is then taken as the preferred one for a new cluster in that namespace, regardless of what we set in values.yaml for secrets.users. The issue is that it may contain outdated credentials. It would be nice to have an additional finalizer or any other solution/flag for cleaning up that secret.
Currently I have to delete secrets manually after each cluster destroy.
I have this issue specifically when using only one finalizer (delete-pvc).
When using both it usually works as expected.
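
An added example, not part of the thread and not the operator's code: a check that lists leftover `internal-<name>-users` Secrets with no matching cluster in the same namespace, using the naming quoted in the issue. It assumes input shaped like `kubectl get secrets -A -o json` and `kubectl get psmdb -A -o json`; the sample data and the function name are constructed for illustration.

```python
import json
import re

# Naming quoted in the issue: "internal-" + cr.Name + "-users".
INTERNAL_USERS = re.compile(r"^internal-(?P<cluster>.+)-users$")


def orphaned_internal_secrets(secrets_doc, clusters_doc):
    """Return sorted (namespace, secret, cluster) tuples for internal users
    Secrets whose cluster CR no longer exists in the same namespace."""
    live = {
        (c["metadata"].get("namespace", "default"), c["metadata"]["name"])
        for c in clusters_doc.get("items", [])
    }
    orphans = []
    for s in secrets_doc.get("items", []):
        ns = s["metadata"].get("namespace", "default")
        match = INTERNAL_USERS.match(s["metadata"]["name"])
        # Same cluster name in another namespace does not make a Secret live.
        if match and (ns, match.group("cluster")) not in live:
            orphans.append((ns, s["metadata"]["name"], match.group("cluster")))
    return sorted(orphans)


# Constructed sample data (not from the issue), trimmed to the fields used.
SAMPLE_SECRETS = json.loads("""
{"items": [
  {"metadata": {"namespace": "db", "name": "internal-prod-users"}},
  {"metadata": {"namespace": "db", "name": "internal-old-users"}},
  {"metadata": {"namespace": "db", "name": "prod-users"}},
  {"metadata": {"namespace": "staging", "name": "internal-prod-users"}}
]}
""")
SAMPLE_CLUSTERS = json.loads("""
{"items": [
  {"metadata": {"namespace": "db", "name": "prod"}}
]}
""")

if __name__ == "__main__":
    for ns, secret, cluster in orphaned_internal_secrets(SAMPLE_SECRETS, SAMPLE_CLUSTERS):
        print(f"{ns}/{secret}: no psmdb CR named {cluster!r}; "
              "its credentials may be reused by a re-created cluster")
```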


m-bahmann commented Mar 10, 2024 via email

@tplavcic
Member

@m-bahmann I'm interested in the failure when the secret is recreated after cluster deletion (I have tried to reproduce it with sharding but couldn't).
Could you share your cr.yaml, or if not, at least which config was used (sharding/replica, anything else interesting)? I would like to try to reproduce it, but also if you have some steps to reproduce you can open a Jira ticket in the K8SPSMDB project here: https://perconadev.atlassian.net/
Thanks!
