sealed-secrets: Annotations/Labels missing in sealed secrets resource metadata

Piping a secret into kubeseal results in a sealed secrets resource without any annotations/labels at sealedsecrets.metadata.annotations / sealedsecrets.metadata.labels.

Expected:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  annotations:
    app: my-app # used from secret.metadata.annotations
  labels:
    app: my-app # used from secret.metadata.labels
  name: my-token
  namespace: my-namespace
spec:
  ... # the rest is fine

The missing labels in particular prevent me from applying sealed secrets objects with kubectl + the label selector option (which is also needed for whitelist pruning).
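As an added example (not part of this issue or of the sealed-secrets project), a stdlib-only Python helper that copies a Secret's `metadata.labels` and `metadata.annotations` onto the top-level metadata of the SealedSecret that `kubeseal -o json` produced from it. The sample objects are constructed; the helper deliberately skips `kubectl.kubernetes.io/last-applied-configuration`, because after `kubectl apply` that annotation holds the full Secret, base64 plaintext included, and would otherwise end up in the file you commit to git.

```python
"""Propagate Secret metadata onto a SealedSecret (JSON in, JSON out)."""
import copy
import json

# Annotations that must never be copied: kubectl stores the whole
# last-applied object, i.e. the base64 plaintext, in this one.
SKIP_ANNOTATIONS = {"kubectl.kubernetes.io/last-applied-configuration"}


def propagate_metadata(secret: dict, sealed: dict) -> dict:
    """Return a copy of `sealed` whose metadata carries the labels and
    annotations of `secret`; keys already on the SealedSecret win."""
    out = copy.deepcopy(sealed)
    meta = out.setdefault("metadata", {})
    src = secret.get("metadata", {})
    for field, skip in (("labels", set()), ("annotations", SKIP_ANNOTATIONS)):
        merged = {k: v for k, v in src.get(field, {}).items() if k not in skip}
        merged.update(meta.get(field, {}))  # SealedSecret values take precedence
        if merged:
            meta[field] = merged
    return out


# Constructed sample: a Secret as `kubectl get secret -o json` would show it
# after `kubectl apply`, and the SealedSecret kubeseal returns for it.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {
        "name": "my-token", "namespace": "my-namespace",
        "labels": {"app": "my-app"},
        "annotations": {
            "app": "my-app",
            "kubectl.kubernetes.io/last-applied-configuration":
                '{"data":{"token":"c2VjcmV0"}}',  # would leak the plaintext
        },
    },
    "data": {"token": "c2VjcmV0"},
}
SAMPLE_SEALED = {
    "apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
    "metadata": {"name": "my-token", "namespace": "my-namespace"},
    "spec": {"encryptedData": {"token": "AgA...ciphertext-placeholder"}},
}


def demo() -> dict:
    return propagate_metadata(SAMPLE_SECRET, SAMPLE_SEALED)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The resulting object can be applied with `kubectl apply -l app=my-app`, which is the label-selector workflow the issue asks for.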

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 18

Most upvoted comments

@juan131 this is not a duplicate of #403. This issue is about automatically adding the labels/annotations that are on the Secret to the SealedSecret as well.

As far as I can see, #403 is a bug where the SealedSecret fails to set some labels inside the Secret? So the other way around.

It would even be nice to have a way to use kubeseal to directly annotate or label the sealed secrets: an --annotate or --label option on the command that applies annotations and labels directly to the SealedSecret when generating it.

This can be very useful actually, especially for an ArgoCD setup:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: test-secrets
  namespace: default
spec:
  encryptedData:
    mysql_password: ...
    mysql_username: AgCHKJt468nqsMsRjqQAhnVY6jnjpdiKf6haYYQSxpiGpIUQ3xhEMDhHxQckhAF6IKOdCQZtHrXIjPtIh1dFT3+rB6yd+ofj0Inugqd99z3/Jhgqz8bg8VrcneqrbihM4lp1jtaW6qYAZQm1V4dwo1R8up0WXJdQZN86pN57QdCeTlOhL9u07cdHjDlAdOR9dK8IDrgcLnbPaTj4u9B0ljqKCjWYN6yN+nmA0mz28JShGEIseZXDMGhppcE/xPzTHWnKGT+MigbLtB42678bKwNv1ZrVgiA18yYpRWKA5V//AiiSmw/wNDMW0vPaS7d9XCOQLOq8JEVevn4FScylEqtQx09SRTa00DGOOVC3U12kl+zXkM9LOYl7ZmqPHPujNEVzorjyL2NB2zsQrDeAeEaIBRqw7ozf/YGhITarYDZEGPC6DgHPx0cMxTcWfPYh9EDy3/6yQ/HohtkBQpwE/3TYl+E8n0Fm+zImkbVSrWmduO/TIwSFeQYCMUVJT9ISYE/Zqd+pAAGNCXEGzzIerpVWqU68f7zRSVUAeMBuoBp9p1sqAH+Vbka9oJf6rgL9UjYVTB3FSbNmo87vUS9aApn8VEico6pKw5gJX+j6HqScv0rN80q1SNd8vINsrAQC+GJObCkXBctbx/R7Cf84D45hudcATJrt9DltHlQcnDyv8u2HxSoqIs1mQKbuKpoiua2XZcVh7K1ryURX3Yw=
  template:
    data: null
    metadata:
      annotations:
        argocd.argoproj.io/hook: PreSync
        argocd.argoproj.io/sync-wave: "-1"
        sealedsecrets.bitnami.com/managed: "true"
      creationTimestamp: null
      name: test-secrets
      namespace: default
    type: Opaque

I really need the annotations argocd.argoproj.io/hook and argocd.argoproj.io/sync-wave to exist on the SealedSecret resource, allowing ArgoCD to deploy it FIRST, before migration jobs.