
@p-se p-se commented Nov 12, 2025

When creating secrets and a Kubernetes Job that uses those secrets in volumes, it is possible that the job is created before the secret has been synchronized. If the job required the content of the secret to be mounted, the file would be missing.

Also fixes usage of controllerutil.CreateOrUpdate.

Possibly related to kubernetes-sigs/secrets-store-csi-driver#1051.

Additional Information

I didn't test the implementation of the annotations. It would only be used in case of updates, which in turn would only happen if the reconciler was unable to complete the creation of the job after the secret was created, so that it would have to re-reconcile. That case should be fairly rare, but since it can happen, I have included this mechanism to take care of it. In my tests I never hit the point where the secret could be retrieved but wasn't equal to the one that was created and/or updated.

On the other hand, I have encountered a case where the secret could not be fetched right after its creation about every 10th attempt.

The tests that seem to be most affected by this change are the infra setup tests for git, helm and OCI. I noticed that because they all failed when I still used retry.RetryOnConflict, which is not suitable for this case: it requires an error of type Conflict to trigger the back-off, and other errors end the retry attempts. I have replaced that functionality with retry.OnError.

Checklist

  • I have updated the documentation via a pull request in the
    fleet-docs repository.
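Added example, not Fleet's code: a stdlib-only Go model of the race and the retry change described in the PR. `retryOnError` only imitates the shape of client-go's `retry.OnError`; `newLazyGet`, `waitForSecret` and the two predicates are constructed names, and the example assumes the PR's `retry.OnError` call treats every error as retriable.

```go
package main

import (
	"errors"
	"reflect"
	"time"
)

var errNotFound = errors.New("secret not found")
var errConflict = errors.New("conflict on write")

// Constructed stand-in for a Secret read: the first n reads return NotFound (sync delay).
func newLazyGet(n int, data map[string][]byte) func() (map[string][]byte, error) {
	return func() (map[string][]byte, error) {
		if n > 0 {
			n--
			return nil, errNotFound
		}
		return data, nil
	}
}

// Stdlib stand-in with the shape of client-go's retry.OnError: retry fn while retriable(err).
func retryOnError(steps int, delay time.Duration, retriable func(error) bool, fn func() error) (err error) {
	for i := 0; i < steps; i++ {
		if err = fn(); err == nil || !retriable(err) {
			return err
		}
		time.Sleep(delay)
	}
	return err
}

// RetryOnConflict retries Conflict only, so NotFound ends the loop; the PR retries any error.
func onlyConflicts(err error) bool { return errors.Is(err, errConflict) }
func anyError(error) bool           { return true }

// Reads until the secret is readable with exactly the written data; stale copies are retried.
func waitForSecret(get func() (map[string][]byte, error), want map[string][]byte, retriable func(error) bool) (int, error) {
	attempts := 0
	err := retryOnError(5, time.Millisecond, retriable, func() error {
		attempts++
		got, err := get()
		if err != nil {
			return err
		}
		if !reflect.DeepEqual(got, want) {
			return errors.New("secret content does not match what was written")
		}
		return nil
	})
	return attempts, err
}
```

With a Conflict-only predicate the first NotFound aborts the loop after one read; with the any-error predicate the loop survives the NotFound window and also keeps reading while the fetched content is stale.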

@kkaempf kkaempf added this to Fleet Nov 12, 2025
@kkaempf kkaempf moved this to 👀 In review in Fleet Nov 12, 2025
When creating secrets and a Kubernetes Job that uses those secrets in
volumes, it is possible that the job is created before the secret has
been synchronized. If the job required the content of the secret to be
mounted, the file would be missing.

Also fixes usage of `controllerutil.CreateOrUpdate`.
@p-se p-se force-pushed the fleet-secret-volume-race branch from c007299 to bba4dd5 on November 12, 2025 11:09
@p-se p-se marked this pull request as ready for review November 12, 2025 11:51
@p-se p-se requested a review from a team as a code owner November 12, 2025 11:51