Operator should not remove cluster secret in case of CR deletion

Tomislav Plavcic September 23, 2022 at 7:28 AM
I'm closing this one since I opened https://jira.percona.com/browse/K8SPS-158, under which we can discuss creating a delete-ssl finalizer or changing the behaviour.

Tomislav Plavcic September 23, 2022 at 7:00 AM
I think above I didn't use cert manager. If you use cert manager, the secret doesn't seem to be deleted, but the issuer and certificates seem to be deleted:
# this is after cr delete, but when I used cert manager
$ k get secrets
NAME                                        TYPE                                  DATA   AGE
cluster1-ca-cert                            kubernetes.io/tls                     3      12m
cluster1-s3-credentials                     Opaque                                2      13m
cluster1-secrets                            Opaque                                8      13m
cluster1-ssl                                kubernetes.io/tls                     3      12m
default-token-j7pnp                         kubernetes.io/service-account-token   3      13m
internal-cluster1                           Opaque                                8      12m
percona-server-mysql-operator-token-wd8fs   kubernetes.io/service-account-token   3      13m
$ k get issuer
No resources found in test namespace.
$ k get certificates
No resources found in test namespace.

Slava Sarzhan September 21, 2022 at 7:17 PM
@Tomislav Plavcic I think we need to have the same logic as in PXC, but we can improve it when we add the "delete-ssl" finalizer. @ege.gunes what do you think?

Tomislav Plavcic September 21, 2022 at 6:36 PM
@Slava Sarzhan @ege.gunes
I can see that we delete ssl secrets and I'm not sure if that is ok or not. In PXC we don't delete them but we have a finalizer "delete-ssl".
# BEFORE DELETE
NAME                                        TYPE                                  DATA   AGE
cluster1-s3-credentials                     Opaque                                2      50s
cluster1-secrets                            Opaque                                9      51s
cluster1-ssl                                kubernetes.io/tls                     3      14s
default-token-5k6fh                         kubernetes.io/service-account-token   3      58s
internal-cluster1                           Opaque                                9      16s
percona-server-mysql-operator-token-scbf6   kubernetes.io/service-account-token   3      55s
# AFTER DELETE
NAME                                        TYPE                                  DATA   AGE
cluster1-s3-credentials                     Opaque                                2      9m3s
cluster1-secrets                            Opaque                                9      9m4s
default-token-5k6fh                         kubernetes.io/service-account-token   3      9m11s
internal-cluster1                           Opaque                                9      8m29s
percona-server-mysql-operator-token-scbf6   kubernetes.io/service-account-token   3      9m8s

Slava Sarzhan September 20, 2022 at 7:14 AM
Hi,
The issue was fixed.
Hi,
Now the operator leaves only the internal-cluster1 secret when the user deletes the CR. It is incorrect because as soon as the user creates a new one or recreates the old one, a new cluster1-secrets will be created and all secrets will be generated as well. As a result, all passwords will be changed.
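
One way to check for the effect described above, as an added example that is not part of the original ticket or the operator's code: save `kubectl get secrets -o json` before deleting the CR and again after creating it, then compare each secret's uid and a hash of its data. The function names are hypothetical and the two snapshots are constructed, with made-up uids and values; they exercise each outcome and do not assert what the operator does to any particular secret.

```python
import hashlib
import json


def index_secrets(secret_list_json):
    """Map secret name -> (uid, SHA-256 of data) from `kubectl get secrets -o json`."""
    indexed = {}
    for item in json.loads(secret_list_json)["items"]:
        meta = item["metadata"]
        # Hash the data so the report never contains secret values.
        blob = json.dumps(item.get("data") or {}, sort_keys=True).encode()
        indexed[meta["name"]] = (meta["uid"], hashlib.sha256(blob).hexdigest())
    return indexed


def compare_snapshots(before_json, after_json):
    """Classify every secret in the first snapshot by what happened to it."""
    before, after = index_secrets(before_json), index_secrets(after_json)
    report = {"removed": [], "recreated": [], "data_changed": [], "unchanged": []}
    for name, (uid, digest) in sorted(before.items()):
        if name not in after:
            report["removed"].append(name)
            continue
        new_uid, new_digest = after[name]
        if new_uid != uid:
            report["recreated"].append(name)      # object was deleted and created again
        if new_digest != digest:
            report["data_changed"].append(name)   # values differ, e.g. new passwords
        if new_uid == uid and new_digest == digest:
            report["unchanged"].append(name)
    return report


def make_snapshot(*secrets):
    """Build a constructed secret list from (name, uid, data) tuples."""
    items = [{"metadata": {"name": n, "uid": u}, "data": d} for n, u, d in secrets]
    return json.dumps({"items": items})


# Constructed sample data (not captured from a cluster).
BEFORE = make_snapshot(
    ("cluster1-secrets", "uid-a1", {"root": "b2xkLXJvb3Q="}),
    ("cluster1-ssl", "uid-b1", {"tls.crt": "Y2VydA=="}),
    ("internal-cluster1", "uid-c1", {"root": "b2xkLXJvb3Q="}),
)
AFTER = make_snapshot(
    ("cluster1-secrets", "uid-a2", {"root": "bmV3LXJvb3Q="}),
    ("internal-cluster1", "uid-c1", {"root": "b2xkLXJvb3Q="}),
)

if __name__ == "__main__":
    print(json.dumps(compare_snapshots(BEFORE, AFTER), indent=2))
```

Any name under `recreated` or `data_changed` means applications holding the old credentials will no longer authenticate after the cluster is created again.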