Issue with admission webhook while validating "unique" key in secrets #1245

Open
darkxeno opened this issue Feb 4, 2025 · 0 comments
darkxeno commented Feb 4, 2025

While using this config for the kong helm chart:

    apiVersion: argoproj.io/v1alpha1
    kind: Application
    metadata:
      name: networking
      namespace: argocd
      annotations:
        argocd.argoproj.io/sync-wave: "3"
      finalizers:
      - resources-finalizer.argocd.argoproj.io
    spec:
      project: default
      sources:
      - chart: kong
        repoURL: 'https://charts.konghq.com'
        targetRevision: 2.46.0
        helm:
          parameters:
          - name: env.trusted_ips
            value: ${var.vpc_cidr}
          - name: service.beta.kubernetes.io/aws-load-balancer-name
            value: ${var.cloud_config.env}-xxx-k8s-loadbalancer
          values: |
            ingressController:
              admissionWebhook:
                enabled: true
                filterSecrets: true
              env:
                feature_gates: GatewayAlpha=true,RewriteURIs=true,CombinedServicesFromDifferentHTTPRoutes=true
...

I am facing errors like these (from the kong logs):

    2025-02-04T18:26:45Z	info	admission-server	Object admission request not allowed	{"v": 0, "name": "auth0-consumer-secret", "kind": "Secret", "namespace": "networking", "message": "consumer credential failed validation: unique key constraint violated for key"}
    2025-02-04T18:26:45Z	info	admission-server	Object admission request not allowed	{"v": 0, "name": "grafana-key-auth-consumer-secret", "kind": "Secret", "namespace": "grafana", "message": "consumer credential failed validation: unique key constraint violated for key"}

I know the key field of each of these secrets needs to be unique, so I decided to use the filterSecrets: true config with the label konghq.com/validate: "true" on the secrets to narrow down the conflicting secrets.

If I filter all secrets with that annotation in the whole cluster, I get these two as the unique ones.

    k get secrets --all-namespaces -l "konghq.com/validate=true"
    NAMESPACE    NAME                               TYPE     DATA   AGE
    grafana      grafana-key-auth-consumer-secret   Opaque   2      5h44m
    networking   auth0-consumer-secret              Opaque   5      5h52m

But still, each time I try to sync on argocd I get the following errors again:

    one or more objects failed to apply, reason: error when patching "/dev/shm/2190820843": admission webhook "secrets.credentials.validation.ingress-controller.konghq.com" denied the request: consumer credential failed validation: unique key constraint violated for key,error when patching "/dev/shm/1637693030": admission webhook "secrets.plugins.validation.ingress-controller.konghq.com" denied the request: consumer credential failed validation: unique key constraint violated for key

Any idea what can be the problem here? I am using Kong in dbless mode.

Thank you so much
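An added example, not part of the original issue and not Kong's own code: a check for credential Secrets that share the same `key` value, run over the `-o json` output of the `kubectl get secrets` command above, reporting a short SHA-256 fingerprint instead of the key itself. It assumes the credential type is carried in the `konghq.com/credential` label or the older `kongCredType` data field and that uniqueness is evaluated per credential type; the sample Secrets and their names are constructed.

```python
import base64
import hashlib
import json
import sys
from collections import defaultdict

def _b64(text):
    return base64.b64encode(text.encode()).decode()

def _secret(ns, name, cred_type, key):
    # Helper used only to build the constructed sample below.
    return {"metadata": {"namespace": ns, "name": name,
                         "labels": {"konghq.com/validate": "true",
                                    "konghq.com/credential": cred_type}},
            "data": {"key": _b64(key)}}

# Constructed sample, shaped like `kubectl get secrets -A -l konghq.com/validate=true -o json`.
SAMPLE = json.dumps({"items": [
    _secret("team-a", "app-one-key", "key-auth", "constructed-shared-value"),
    _secret("team-b", "app-two-key", "key-auth", "constructed-shared-value"),
    _secret("team-a", "app-jwt", "jwt", "constructed-other-value"),
]})

def credential_type(secret):
    # Assumption: type comes from the label, else from the kongCredType data field.
    labels = secret["metadata"].get("labels") or {}
    if "konghq.com/credential" in labels:
        return labels["konghq.com/credential"]
    legacy = (secret.get("data") or {}).get("kongCredType")
    return base64.b64decode(legacy).decode() if legacy else "unknown"

def find_duplicate_keys(secret_list_json):
    """Map (credential type, key fingerprint) -> Secrets sharing that key."""
    groups = defaultdict(list)
    for secret in json.loads(secret_list_json).get("items", []):
        encoded = (secret.get("data") or {}).get("key")
        if encoded is None:
            continue  # Secret carries no `key` field, nothing to compare
        # Fingerprint the decoded value so the key never reaches the terminal or logs.
        fingerprint = hashlib.sha256(base64.b64decode(encoded)).hexdigest()[:12]
        meta = secret["metadata"]
        groups[(credential_type(secret), fingerprint)].append(f'{meta["namespace"]}/{meta["name"]}')
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    found = find_duplicate_keys(piped if piped.strip() else SAMPLE)
    for (ctype, fp), names in found.items():
        print(f"{ctype} key sha256:{fp} shared by: {', '.join(names)}")
```

Piping the real `kubectl ... -o json` output into the script replaces the constructed sample; an empty result means no two listed Secrets of the same credential type share a `key`.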
