UserOperator creates Secrets with app.kubernetes.io/instance label #5690
Comments
|
It is hard to call this bug because there is no real specification of how it should behave. And different apps and different users have different requirements and expectations. |
|
I guess you could implement the same configurable exclusion which we already have in the Cluster Operator also for the USer Operator if you want. That might allow you to make it configurable. |
If you read https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels, the
I would argue that is the cluster itself..but I think even more so, this should be a configurable behavior not a hard-coded behavior. If you have a hard-coded need to use labels to track resources that the operator is managing, that should be done through |
Instance of what application? The application which created the user? The application which created the Kafka cluster which the user belongs to? The User Operator application which created it? You can argue for any of these. And because these labels are used for many different use-cases including UIs etc., there are conflicting semantics and what does not work for you works fine for someone else. That is why I suggested that the same thing which was done to the Cluster Operator can be implemented to make it configurable what labels make it through and which don't. |
|
Triaged on 21.7.2022: There does not seem to be an easy solution because the Kubernetes labels are badly specified and everyone is using them in a slightly different way. We considered removing these labels completely, but that can break it for any users relying on them. So if anyone wants, it might be possible to implement something similar to #4791 to filter the automatically assigned labels. |
|
I have created a proposal for this issue (strimzi/proposals#60) |
|
Filtering labels included from the parent custom resource seems to be already possible in the same way as in the Cluster Operator by configuring the exclusion pattern using the |
Describe the bug
We use ArgoCD as our deployment tool to launch Kafka, KafkaTopics, KafkaUsers, and our other apps. We ran into a situation where ArgoCD kept deleting "Secret" resources that were created by Strimzi. The root cause we discovered was that the Strimzi User Operator is creating Secrets with the
app.kubernetes.io/instancelabel.Why is this a problem?
If you have an ArgoCD Application named
MyApp, it tracks all of the resources that it creates for that application with the standardapp.kubernetes.io/*labels - including theapp.kubernetes.io/instancelabel. So each resource it creates will haveapp.kubernetes.io/instance: MyAppfor example as a label. When Argo sees resources that have that label, and they are not in the desired manifest for theMyAppapplication, it will delete them.Now consider that we have a
KafkaApplication as well, and it creates aKafkaUsernamedMyAppfor our application we described above? It turns out that if you do this, Strimzi creates the resource with the labelapp.kubernetes.io/instance: MyAppbecause (I think) of this code.Well what happens at that point is that Argo's Application for
MyAppdoes not have aSecretresource in it with that label.. so it deletes the resource. Then the User Operator goes and re-creates it.. then argo deletes it again.It seems like a bug that the
instancelabel would be used in this way. If anything, theinstancelabel should refer to the cluster that the KafkaUser is a part of - not match the username itself.Environment (please complete the following information):
The text was updated successfully, but these errors were encountered: