Kubernetes secret not read anymore in 3.3 #35673

Closed
cescoffier opened this issue Sep 1, 2023 · 10 comments · Fixed by #35696
@cescoffier
Member

Describe the bug

I had an application using:

# Kubernetes
%prod.quarkus.kubernetes-config.secrets.enabled=true
quarkus.kubernetes-config.secrets=device-database


# Database
quarkus.hibernate-orm.database.generation=drop-and-create

%prod.quarkus.datasource.db-kind=postgresql
%prod.quarkus.datasource.username=${database-user}
%prod.quarkus.datasource.password=${database-password}
%prod.quarkus.datasource.jdbc.url=jdbc:postgresql://device-database:5432/device-database

It was working perfectly in 3.2.0.CR1.

I've updated it to 3.3.1, and the secret is not read anymore.

The secret is the following:

kind: Secret
apiVersion: v1
metadata:
  name: device-database
data:
  database-name: ZGV2aWNlLWRhdGFiYXNl
  database-password: ZjdHVHFQcW1nWW5wMkNOQg==
  database-user: dXNlcjJLNA==
type: Opaque

Expected behavior

The values from the secret should be read as before.

Actual behavior

The secret is not read.

I can see that the secret permissions are added to the descriptor:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: view-secrets
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: measure-enrichment-view-secrets
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: view-secrets
subjects:
  - kind: ServiceAccount
    apiGroup: ""
    name: measure-enrichment

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response
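A pre-deployment check for the configuration in the issue above, added here as an example and not code from the issue or from Quarkus: it confirms that Secret reading is enabled for the profile, that the Secret is listed, that every value base64-decodes, and that each `${...}` placeholder has a matching Secret key. The function names are hypothetical, the Secret values are constructed, and the Secret is assumed to be exported as JSON (for example with `kubectl get secret device-database -o json`).

```python
import base64
import json
import re

# Constructed inputs: the properties mirror the ones quoted in the issue;
# the Secret values are placeholders, not the values from the issue.
PROPERTIES = """\
%prod.quarkus.kubernetes-config.secrets.enabled=true
quarkus.kubernetes-config.secrets=device-database
%prod.quarkus.datasource.username=${database-user}
%prod.quarkus.datasource.password=${database-password}
%prod.quarkus.datasource.jdbc.url=jdbc:postgresql://device-database:5432/device-database
"""

def b64(text):
    return base64.b64encode(text.encode()).decode()

SECRET_JSON = json.dumps({"kind": "Secret", "metadata": {"name": "device-database"},
                          "data": {"database-user": b64("example-user"),
                                   "database-password": b64("example-password")}})
PLACEHOLDER = re.compile(r"\$\{([^}:]+)\}")  # ${name} without a default value

def parse_properties(text, profile):
    """Return {key: value}; '%<profile>.' entries override unprefixed ones."""
    base, prof = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("%" + profile + "."):
            prof[key[len(profile) + 2:]] = value
        elif not key.startswith("%"):
            base[key] = value
    return {**base, **prof}

def check(properties_text, secret_json, profile="prod"):
    """Return {property: [placeholders with no Secret key or property behind them]}."""
    props = parse_properties(properties_text, profile)
    secret = json.loads(secret_json)
    if props.get("quarkus.kubernetes-config.secrets.enabled") != "true":
        raise ValueError("secrets.enabled is not true for profile " + profile)
    listed = [s.strip() for s in props.get("quarkus.kubernetes-config.secrets", "").split(",")]
    if secret["metadata"]["name"] not in listed:
        raise ValueError("Secret is not listed in quarkus.kubernetes-config.secrets")
    # Secret 'data' values are base64-encoded; validate=True raises on a corrupt entry.
    data = {k: base64.b64decode(v, validate=True) for k, v in secret.get("data", {}).items()}
    unresolved = {k: [n for n in PLACEHOLDER.findall(v) if n not in data and n not in props]
                  for k, v in props.items()}
    return {k: names for k, names in unresolved.items() if names}
```

An empty result means the manifest side is consistent, so a failure to resolve `${database-user}` at runtime points at the application or its RBAC rather than at the Secret's contents.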

@cescoffier cescoffier added the kind/bug Something isn't working label Sep 1, 2023
@quarkus-bot

quarkus-bot bot commented Sep 1, 2023

/cc @geoand (kubernetes), @iocanel (kubernetes)

@geoand
Contributor

geoand commented Sep 1, 2023

@radcortez do I remember correctly that you had looked into some kind of similar issue?

@radcortez
Member

You may be thinking about this one: #35564

@radcortez
Member

I'll have a look.

@geoand
Contributor

geoand commented Sep 1, 2023

Right, thanks!

@cescoffier
Member Author

Just because it raised a flag, the encrypted secrets from above are totally meaningless.

@radcortez
Member

I've tried to reproduce it, but no luck. Can you please provide me with more information?

  • Which exception do you get?
  • Does it always fail with multiple runs?
  • Do you have any other configuration in place?

Thanks!

@cescoffier
Member Author

You can see the whole code and config at: https://github.com/cescoffier/devnation-2023-modern-data-streaming/tree/main/measure-enrichment. Nothing out of the ordinary.

There are no exceptions. Hibernate complains there is no jdbc URL.

@radcortez
Member

@cescoffier were you able to load the db credentials you have defined in your Secret and create a connection? I am getting an error on my side "Failed to load config value of type class java.lang.String for :"

Which Quarkus versions are you using? There was an issue with this which was fixed in 3.3.2.

@radcortez
Member

Ok, that is not enough information for us to help you with the issue. Can you please open a new issue, with a small reproducer, since it seems unrelated to this one?
