Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Operator should not remove cluster secret in case of CR deletion

Description

Hi,

Now operator leaves only internal-cluster1  secret when the user deletes the CR. It is incorrect because as soon as user creates a new one or recreates the old, a new cluster1-secrets will be created and all secrets will be generated as well. As a result, all passwords will be changed.

Environment

None

Smart Checklist

Activity

Show:

Tomislav Plavcic September 23, 2022 at 7:28 AM

I'm closing this one since I opened: https://jira.percona.com/browse/K8SPS-158 under which we can discuss creating delete-ssl finalizer or changing behaviour.

Tomislav Plavcic September 23, 2022 at 7:00 AM

I think above I didn't use cert manager, if you use cert manager in that case the secret doesn't seem to be deleted, but issuer and certificates seem to be deleted:

# this is after cr delete, but when I used cert manager $ k get secrets NAME TYPE DATA AGE cluster1-ca-cert kubernetes.io/tls 3 12m cluster1-s3-credentials Opaque 2 13m cluster1-secrets Opaque 8 13m cluster1-ssl kubernetes.io/tls 3 12m default-token-j7pnp kubernetes.io/service-account-token 3 13m internal-cluster1 Opaque 8 12m percona-server-mysql-operator-token-wd8fs kubernetes.io/service-account-token 3 13m $ k get issuer No resources found in test namespace. $ k get certificates No resources found in test namespace.

Slava Sarzhan September 21, 2022 at 7:17 PM

I think we need to have the same logic as in PXC but we can improve it when we add "delete-ssl" finalizer. what do you think ?

Tomislav Plavcic September 21, 2022 at 6:36 PM

 

I can see that we delete ssl secrets and I'm not sure if that is ok or not. In PXC we don't delete them but we have a finalizer "delete-ssl".

# BEFORE DELETE NAME TYPE DATA AGE cluster1-s3-credentials Opaque 2 50s cluster1-secrets Opaque 9 51s cluster1-ssl kubernetes.io/tls 3 14s default-token-5k6fh kubernetes.io/service-account-token 3 58s internal-cluster1 Opaque 9 16s percona-server-mysql-operator-token-scbf6 kubernetes.io/service-account-token 3 55s # AFTER DELETE NAME TYPE DATA AGE cluster1-s3-credentials Opaque 2 9m3s cluster1-secrets Opaque 9 9m4s default-token-5k6fh kubernetes.io/service-account-token 3 9m11s internal-cluster1 Opaque 9 8m29s percona-server-mysql-operator-token-scbf6 kubernetes.io/service-account-token 3 9m8s

Slava Sarzhan September 20, 2022 at 7:14 AM

Hi,

The issue was fixed.

Done

Details

Assignee

Reporter

Needs QA

Yes

Fix versions

Affects versions

Priority

Smart Checklist

Created August 11, 2022 at 4:04 PM
Updated February 29, 2024 at 8:11 PM
Resolved September 23, 2022 at 7:29 AM