Using an explicitly empty secret throws error #5584

Closed
3 tasks done
Oro opened this issue Feb 23, 2021 · 6 comments · Fixed by argoproj/gitops-engine#345 or #7603

Labels
bug/severity:major Malfunction in one of the core component, impacting a majority of users bug Something isn't working cherry-pick/2.1 Candidate for cherry picking into the 2.1 release branch component:core Syncing, diffing, cluster state cache good first issue Good for newcomers

Oro commented Feb 23, 2021

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug
Using an application with just the following manifest will always stay out-of-sync (which is kinda expected since data should always be non-empty for such a secret) but throws an error inside logs. While this example might be silly, I think it might be related to #4044 - when redis is restarted it will no longer show a diff and instead throw Unable to load data: cache: key is missing

To Reproduce
Use an application with just the following yaml:

data: {}
stringData: {}
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: an-empty-secret
  annotations:
    kubernetes.io/service-account.name: default

  • Let application sync, the secret will stay out of sync.
  • Kill the redis pod, wait for it to restart.
  • Observe error in GUI when trying to diff - Unable to load data: cache: key is missing

Expected behavior
I am not sure tbh. I guess staying out of sync is correct, however there should not be an error when redis was restarted.

Version

argocd: v1.8.3+ef5010c
  BuildDate: unknown
  GitCommit: ef5010c3a0b5e027fd642732d03c5b0391b1e574
  GitTreeState: clean
  GoVersion: go1.15.7
  Compiler: gc
  Platform: linux/amd64
argocd-server: v1.8.5+d0f8edf
  BuildDate: 2021-02-20T05:40:24Z
  GitCommit: d0f8edfec804c013d4fc535e8b9022eb47602617
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: v3.8.1 2020-07-16T00:58:46Z
  Helm Version: v3.4.1+gc4e7485
  Kubectl Version: v1.17.8
  Jsonnet Version: v0.17.0

Logs

time="2021-02-23T15:31:43Z" level=info msg="getRepoObjs stats" application=empty-secret build_options_ms=0 helm_ms=0 plugins_ms=0 repo_ms=0 time_ms=854 unmarshal_ms=854 version_ms=0
time="2021-02-23T15:31:43Z" level=error msg="Failed to cache app resources: .data accessor error: <nil> is of the type <nil>, expected map[string]interface{}" application=empty-secret dedup_ms=0 diff_ms=6 git_ms=854 health_ms=0 live_ms=12 settings_ms=0 sync_ms=0
time="2021-02-23T15:31:43Z" level=info msg="Update successful" application=empty-secret
time="2021-02-23T15:31:43Z" level=info msg="Reconciliation completed" application=empty-secret dedup_ms=0 dest-name= dest-namespace=default dest-server="https://kubernetes.default.svc" diff_ms=6 fields.level=2 git_ms=854 health_ms=0 live_ms=12 settings_ms=0 sync_ms=0 time_ms=897

@Oro Oro added the bug Something isn't working label Feb 23, 2021

@yann-soubeyrand
Contributor

I confirm, I can reproduce it.

@Reamer
Contributor

Reamer commented Aug 12, 2021

I can also confirm this with argocd v2.1.0-rc2
As a workaround you can insert a small dummy value.

apiVersion: v1
kind: Secret
metadata:
  name: argocd-dex-server-token
  labels:
    app.kubernetes.io/name: argocd-dex-server-token
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/instance: argocd
  annotations:
    kubernetes.io/service-account.name: "argocd-dex-server"
type: kubernetes.io/service-account-token
stringData:
  dummy: value

@alexmt alexmt added bug/severity:major Malfunction in one of the core component, impacting a majority of users component:core Syncing, diffing, cluster state cache labels Aug 12, 2021
@alexmt alexmt added this to the v2.2 milestone Aug 12, 2021
@alexmt alexmt added the cherry-pick/2.1 Candidate for cherry picking into the 2.1 release branch label Aug 12, 2021
@tsunamishaun

Wanted to report that I also see this when the last-applied configuration for a secret contains data: {}. My example is a certificate from cert manager. You can delete the last-applied annotation all you want but it will come back.

@alexmt alexmt added the good first issue Good for newcomers label Oct 20, 2021
@leoluz leoluz self-assigned this Oct 21, 2021
@leoluz
Collaborator

leoluz commented Nov 2, 2021

Just clarifying that the out-of-sync happens because the secret type is: kubernetes.io/service-account-token. This will automatically generate entries in the secret data with something like:

data:
  ca.crt: ++++++++
  namespace: ++++++++
  token: ++++++++

In this case live and desired state will always have a diff.

The bug with log Failed to cache app resources was happening when ArgoCD applies the diff logic and the desired state has the data field as nil.
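
The nil-data failure described in the comment above, reduced to a stand-alone Go sketch. This is an added example, not part of the thread and not Argo CD or gitops-engine code; `dataOf`, `liveOnlyKeys` and both sample documents are constructed for illustration, and treating a null `data` field as empty is one possible handling, not necessarily what the linked fix does.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed samples; live values are masked as in the thread.
const desiredDoc = `{"kind":"Secret","data":null}`
const liveDoc = `{"kind":"Secret","data":{"ca.crt":"++++++++","namespace":"++++++++","token":"++++++++"}}`

// dataOf returns the Secret's data map. nilOK=false rejects a missing or null
// field (the logged failure); errors name only the type, never secret values.
func dataOf(obj map[string]interface{}, nilOK bool) (map[string]interface{}, error) {
	val := obj["data"]
	if val == nil && nilOK {
		return map[string]interface{}{}, nil
	}
	m, ok := val.(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf(".data is of the type %T, expected map[string]interface{}", val)
	}
	return m, nil
}

// liveOnlyKeys lists data keys present in live but absent from desired.
func liveOnlyKeys(desired, live string, nilOK bool) ([]string, error) {
	var data [2]map[string]interface{}
	for i, doc := range []string{desired, live} {
		var obj map[string]interface{}
		err := json.Unmarshal([]byte(doc), &obj)
		if err == nil {
			data[i], err = dataOf(obj, nilOK)
		}
		if err != nil {
			return nil, err
		}
	}
	keys := []string{}
	for k := range data[1] {
		if _, ok := data[0][k]; !ok {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys, nil
}

func main() { fmt.Println(liveOnlyKeys(desiredDoc, liveDoc, true)) }
```

With `nilOK` set, the comparison completes and reports the three controller-generated keys as the permanent diff; with it unset, the same input stops at the accessor error before any diff is produced.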

@leoluz
Collaborator

leoluz commented Nov 2, 2021

There are 2 different bugs related to this issue:

  1. Bug when ArgoCD was trying to diff a secret with empty data
  2. Bug restarting Redis when it isn't running as a StatefulSet.

Bug 1 is addressed by argoproj/gitops-engine#345 and #7603
Bug 2 is a duplicate and will be addressed in #5068

@davem-git

Is this supposed to be fixed for type: kubernetes.io/service-account-token?

I'm still getting the diff error

2,5d1
< data:
<   ca.crt: ++++++++
<   namespace: ++++++++
<   token: ++++++++
