"Secret does not exist" fake news about kubernetes-replicator HOT 5 CLOSED

For anyone finding an issue with this, here's a working example with the previous behavior:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: replicator-deployment
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: replicator
    spec:
      serviceAccountName: replicator
      containers:
        - name: replicator
          image: quay.io/mittwald/kubernetes-replicator:v1.0.0
          command: ["/replicator"]
          args: ["--allow-all"]   

from kubernetes-replicator.

Specifying args: ["--resync-period=1m" ] in the deployment fixed my issue

from kubernetes-replicator.

Is the behaviour about secret not existing expected?

Nope, this should not happen. Are the two secrets (source and target) created simultaneously? The replicator is working on a local cache; maybe it took a while to catch up.

Do you have a way in mind to mimic previous behavior not needing origin secret to have replicator annotations?

Yes, it's even already implemented, although not broadly advertised. You can start the replicator with the -allow-all flag to restore the previous behaviour -- that we consider to be not totally secure (at least in a cluster with potentially untrustworthy actors).

Regarding the breaking change in behaviour; up until recently, this controller was still in an alpha release. At the same time, it was desirable for us to change this controller's behaviour to a more secure default -- meaning to explicitly whitelist which secrets could be replicated to which target (reasoning by a contributor in #2). We felt that the best time to introduce such a breaking change was while still in alpha; however, we could have communicated the breaking change more clearly -- sorry if it broke your setup.

Btw, we have stable release out by now, so we'll do our very best to avoid any future breaking changes from now on.

Let me know if this helped you with your question.

from kubernetes-replicator.

Awesome, thank you for the quick reply!

I'm aware about it being in alpha before, that's the reason of the "kind of".

I was just pointed out that cert-manager only updates the secret so no issues with annotations.

Thanks again!

from kubernetes-replicator.

I'm still getting this issue even with the "--allow-all" args as lucascollino showed above:

kubectl logs -nkube-system replicator-deployment-b795b874b-n5tcm

2019/06/20 13:29:58 using in-cluster configuration
2019/06/20 13:29:58 running config map controller
2019/06/20 13:29:58 running secret controller
2019/06/20 13:29:58 secret development-tkdb/tkdb-secret is replicated from kube-certificates/dev-tkdb-com-tls-2
2019/06/20 13:29:58 could not get secret kube-certificates/dev-tkdb-com-tls-2: does not exist

from kubernetes-replicator.