Operator should not remove cluster secret in case of CR deletion

Description

Hi,

Now the operator leaves only the internal-cluster1 secret when the user deletes the CR. It is incorrect because as soon as the user creates a new one or recreates the old one, a new cluster1-secrets will be created and all secrets will be generated as well. As a result, all passwords will be changed.

Environment

None

Activity

Tomislav Plavcic September 23, 2022 at 7:28 AM

I'm closing this one since I opened: https://jira.percona.com/browse/K8SPS-158 under which we can discuss creating delete-ssl finalizer or changing behaviour.

Tomislav Plavcic September 23, 2022 at 7:00 AM

I think above I didn't use cert manager; if you use cert manager, in that case the secret doesn't seem to be deleted, but the issuer and certificates seem to be deleted:

# this is after cr delete, but when I used cert manager
$ k get secrets
NAME                                        TYPE                                  DATA   AGE
cluster1-ca-cert                            kubernetes.io/tls                     3      12m
cluster1-s3-credentials                     Opaque                                2      13m
cluster1-secrets                            Opaque                                8      13m
cluster1-ssl                                kubernetes.io/tls                     3      12m
default-token-j7pnp                         kubernetes.io/service-account-token   3      13m
internal-cluster1                           Opaque                                8      12m
percona-server-mysql-operator-token-wd8fs   kubernetes.io/service-account-token   3      13m
$ k get issuer
No resources found in test namespace.
$ k get certificates
No resources found in test namespace.

Slava Sarzhan September 21, 2022 at 7:17 PM

I think we need to have the same logic as in PXC, but we can improve it when we add the "delete-ssl" finalizer. What do you think?

Tomislav Plavcic September 21, 2022 at 6:36 PM

I can see that we delete ssl secrets and I'm not sure if that is ok or not. In PXC we don't delete them but we have a finalizer "delete-ssl".

# BEFORE DELETE
NAME                                        TYPE                                  DATA   AGE
cluster1-s3-credentials                     Opaque                                2      50s
cluster1-secrets                            Opaque                                9      51s
cluster1-ssl                                kubernetes.io/tls                     3      14s
default-token-5k6fh                         kubernetes.io/service-account-token   3      58s
internal-cluster1                           Opaque                                9      16s
percona-server-mysql-operator-token-scbf6   kubernetes.io/service-account-token   3      55s

# AFTER DELETE
NAME                                        TYPE                                  DATA   AGE
cluster1-s3-credentials                     Opaque                                2      9m3s
cluster1-secrets                            Opaque                                9      9m4s
default-token-5k6fh                         kubernetes.io/service-account-token   3      9m11s
internal-cluster1                           Opaque                                9      8m29s
percona-server-mysql-operator-token-scbf6   kubernetes.io/service-account-token   3      9m8s
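A check for the behaviour discussed in this ticket, as an added example that is not part of the ticket or of the operator's code: it compares two `kubectl get secrets` listings, taken before and after the CR is deleted, and prints every Secret that disappeared. The function name `removed_secrets` is an assumption; the sample listings are the ones quoted in the comment above.

```shell
#!/bin/sh
# Added example: report Secrets that vanish when the CR is deleted.

# Sample input: the BEFORE/AFTER listings quoted in the comment above.
BEFORE='NAME TYPE DATA AGE
cluster1-s3-credentials Opaque 2 50s
cluster1-secrets Opaque 9 51s
cluster1-ssl kubernetes.io/tls 3 14s
default-token-5k6fh kubernetes.io/service-account-token 3 58s
internal-cluster1 Opaque 9 16s
percona-server-mysql-operator-token-scbf6 kubernetes.io/service-account-token 3 55s'

AFTER='NAME TYPE DATA AGE
cluster1-s3-credentials Opaque 2 9m3s
cluster1-secrets Opaque 9 9m4s
default-token-5k6fh kubernetes.io/service-account-token 3 9m11s
internal-cluster1 Opaque 9 8m29s
percona-server-mysql-operator-token-scbf6 kubernetes.io/service-account-token 3 9m8s'

# removed_secrets BEFORE_LISTING AFTER_LISTING
# Prints "name type" for each Secret present in the first listing but not the second.
removed_secrets() {
    BEFORE_LIST="$1" AFTER_LIST="$2" awk '
    BEGIN {
        # Index the names that survived deletion (skip the NAME header row).
        n = split(ENVIRON["AFTER_LIST"], rows, "\n")
        for (i = 1; i <= n; i++) {
            split(rows[i], col, " ")
            if (col[1] != "" && col[1] != "NAME") kept[col[1]] = 1
        }
        # Walk the earlier listing and report anything that is now missing.
        n = split(ENVIRON["BEFORE_LIST"], rows, "\n")
        for (i = 1; i <= n; i++) {
            split(rows[i], col, " ")
            if (col[1] != "" && col[1] != "NAME" && !(col[1] in kept))
                print col[1], col[2]
        }
    }'
}

echo "Secrets removed by CR deletion:"
removed_secrets "$BEFORE" "$AFTER"
```

Against a live cluster, the two arguments would be the output of `kubectl get secrets` captured before and after deleting the CR.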

Slava Sarzhan September 20, 2022 at 7:14 AM

Hi,

The issue was fixed.

Done

Details

Needs QA

Yes

Created August 11, 2022 at 4:04 PM
Updated February 29, 2024 at 8:11 PM
Resolved September 23, 2022 at 7:29 AM