-
-
Notifications
You must be signed in to change notification settings - Fork 745
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AWS SM PushSecret creates new version w/ every refresh cycle with secretPushFormat "string" #3436
Comments
this issue indeed seems to be simple (an if clause) when checking for data validity. It does seems that right now we're comparing binary versions always - leading to error when secretString is used (as the binary is empty) |
Just a heads-up, this issue is also affecting |
Ah bummer. Thanks for the heads up. |
@vsantos Do you have an example please? |
@vsantos Also, what version are you running? |
Okay, I think I was able to reproduce it with a unit test. require.NoError(t, ps.PushSecret(context.TODO(), fakeSecret, psd))
// call twice, secret push should only be called once.
require.NoError(t, ps.PushSecret(context.TODO(), fakeSecret, psd))
assert.Equal(t, 1, client.PutParameterWithContextCalledN) This should have been 1, but actually was 2. |
Err ^ no. :) Because I haven't configured a second call to the mock client. :D |
Sorry @Skarlso, my initial report was wrong. I believe I mixed up things a little since I indeed have a "new version every refresh cycle" bug but for What I'm facing was introduced after this #3576 but only for parameters with type I was able to reproduce it using your PR #3584 (commit Since my report does not relate to this one, I will simply move this thread to a specific issue. Thanks for your support! |
Describe the bug
When using
PushSecret
with the AWS Secrets Manager provider and thesecretPushFormat
is set tostring
, ESO callsPutSecretValueWithContext
to create a new version of the secret on every refresh cycle, even when the desired value has not changed since the previous refresh. This eventually results in hitting AWS API limits (on version update frequency) and creates numerous extraneous revisions of the AWS secret. This appears to have been introduced in v0.9.14 with #3189 which initially enabled the "string" value format.Steps to reproduce the behavior:
PushSecret
resource against aSecretStore
using the AWS Secrets Manager provider and setspec.data[].metadata.secretPushFormat
tostring
. To make the failure more evident, use a shortspec.refreshInterval
like10s
AWSCURRENT
andAWSPREVIOUS
labels.aws secretsmanager list-secret-version-ids
)PutSecretValueWithContext
for the same secret resource.externalsecret_provider_api_calls_count
ESO metrics forPutSecretValueWithContext
Expected behavior
ESO should only create new AWS secret versions when the desired secret value is different from the value observed in the destination secret.
Additional context
It appears that the logic is intended to behave as described in "expected behavior". In line 572 of secretsmanager.go, having read the remote value from the provider, the code checks that the remote secret exists and compares its observed value to the desired value. If those values are the same, it exits the reconcile loop taking no further action:
Unfortunately, it only compares the
SecretBinary
field. If the user elected to usesecretPushFormat: string
, then the API docs indicateSecretBinary
will have no value because the value was set usingSecretString
as in line 590:Presumably, the fix would be fairly straightforward: if the user elected
secretPushFormat: string
(like it checks in line 589), then instead of comparingvalue
toSecretBinary
, we'd want to comparestring(value)
toSecretString
(with appropriate safety checks). I wish I felt confident enough in my golang skills to submit a PR for this, buuuut I don't. :/Sub-optimal workarounds
A few less-than-ideal workarounds are available while awaiting this fix:
refreshInterval
to avoid excessive writes. This can help avoid hitting API limits, but it's no guarantee.The text was updated successfully, but these errors were encountered: