Skip router ConfigMap entries when TLS credential secrets are missing #2449

Open
AryanP123 wants to merge 3 commits into skupperproject:main from AryanP123:secret-router-access

@AryanP123

Contributor

Fixes #2433

@AryanP123 force-pushed the secret-router-access branch 7 times, most recently from 990bf32 to 30510e0 on May 15, 2026 20:34
@AryanP123 marked this pull request as draft on May 19, 2026 13:17
@AryanP123 force-pushed the secret-router-access branch from 30510e0 to f0a59d1 on May 26, 2026 14:41
@AryanP123 marked this pull request as ready for review on May 26, 2026 17:15
Comment thread internal/site/routeraccess.go Outdated
Comment thread internal/site/bindings.go Outdated
Comment thread internal/site/bindings.go Outdated
@AryanP123 force-pushed the secret-router-access branch from 5d69ec0 to dddb71a on May 27, 2026 18:42
@AryanP123 requested a review from nluaces on May 27, 2026 19:04

@fgiorgetti left a comment

Member

It worked well for me.

I have been able to create links and accesses resources without providing a secret and that did not prevent other resources from being reconciled and configured.

Restarting the skupper-router deployment worked fine without blocking the config-init container.

One comment, though: the Listeners and Connectors that refer to tlsCredentials that do not exist are processed without warnings or errors on the CR status. It would be nice to get behavior similar to what we have with Links and RouterAccesses.

Comment thread internal/kube/site/extended_bindings.go Outdated
@AryanP123 requested a review from fgiorgetti on May 28, 2026 15:44
Comment thread internal/kube/secrets/manager.go
@nluaces modified the milestone: 2.2.1 on Jun 1, 2026
@fgiorgetti

Member

It is working for me. Now we get appropriate status on resources that are not ready, pending TLS secret availability.
@c-kruse @nluaces I'd like to know your thoughts as well before approving it.

@c-kruse left a comment

Contributor

I think we've got a few more things to work through before this gets released, but I'm happy to get it merged now and running in development before we work things out.

Quickly:

  • It appears that Listener and Connector (and AttachedConnector I think) may never get configured after a missing tls secret is added without a spec change.
  • I'm suspicious about the logging here, I suspect it will log (and re-log) a lot of redundant information that users should be getting from the resource status instead.
  • We're missing MultiKeyListener logic - could be this work predates that resource.
  • I'm vaguely concerned about the assumptions we make (outside of this changeset) on Site readiness in relation to RouterAccess readiness and configuration, and think we should play with it for a bit longer before resolving to change anything.

@fgiorgetti left a comment

Member

@AryanP123 Could you rebase your work on top of main? As @c-kruse pointed out, this is missing MKL, Proxy and a few other changes already on main.

@AryanP123 force-pushed the secret-router-access branch from 711938e to b0d20bc on June 11, 2026 13:36
@AryanP123 requested a review from fgiorgetti on June 11, 2026 18:49

@fgiorgetti left a comment

Member

Looks cleaner and seems to work great now!
@c-kruse @nluaces if you wanna give it another try.
I tried a local scenario with listeners, connectors, links, routeraccess, attached connectors and mkls.
A missing secret did not seem to block the configuration of other resources now.

Development

Successfully merging this pull request may close these issues.

Kube-adaptor is not syncing resources when a secret is missing

4 participants