spring-cloud-kubernetes: Incorrect secret is injected when there are multiple secrets with same key

Version: Java version 11, Kubernetes version 1.21.7

Version after upgrade [issue found]: Spring Boot 2.6.2, Spring Cloud 2021.0.1

Version before upgrade [works fine]: Spring Boot 2.5.3, Spring Cloud 2020.0.3

Describe the bug

We’re developing a Spring Boot backend project and deploying it to Kubernetes. There are 2 pods (I’ll call them Microservice A and Microservice B) being deployed in the same namespace. Each microservice has K8s secrets corresponding to it (which are also in the same namespace). Before upgrading to Spring Boot 2.6.2 and Spring Cloud 2021.0.1, the secrets property source worked correctly, but after upgrading both A and B, the secret values of Microservice B are injected into Microservice A instead.

Microservice A

Secret
- name : a-service-oauth
  data:
    oauth2.client_id: aaaaa_id
    oauth2.client_secret: aaaaa_secret
- name : a-mongodb
  data:
    url: aaaaa_url

bootstrap.yaml
spring:
  application:
    name: a
  ...
  cloud:
    kubernetes:
      reload:
        enabled: true
        monitoring-secrets: true
      secrets:
        enable-api: true
        sources:
          - name: a-mongodb
          - name: a-service-oauth
      enabled: true
...

Microservice B

Secret
- name : b-service-oauth
  data:
    oauth2.client_id: bbbbb_id
    oauth2.client_secret: bbbbb_secret
- name : b-mongodb
  data:
    url: bbbbb_url

bootstrap.yaml
spring:
  application:
    name: a
  ...
  cloud:
    kubernetes:
      reload:
        enabled: true
        monitoring-secrets: true
      secrets:
        enable-api: true
        sources:
          - name: b-mongodb
          - name: b-service-oauth
      enabled: true

When I investigated the bug, I checked the value by exposing it via the actuator endpoint (/actuator/configprops). After the upgrade I noticed 2 things that are incorrect:

  • The value of the client id is bbbbb_id, which is supposed to be aaaaa_id.
  • In origin, it shows that the values are from the secret named a-mongodb, which is supposed to be a-service-oauth.

After I downgraded and checked these values exposed via actuator, they are correct.

If any further information is required, please let me know. Thanks!

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 15 (8 by maintainers)

Most upvoted comments

Right, I was going to backport this today, so here you go 😃

I still don’t have a very good picture in mind of what is going on, but I think there is a strong hint towards this issue/comment.

It seems that you might have multiple secrets with the same key, and because I have introduced that defect - they are messed up. For the time being, I can only recommend for you to stay on a lower version and watch that defect. We will close it and fix it, for sure, but not entirely sure in which version.

Or, if you can, rename your secret keys to use different names.

Thx, unfortunately I do not see anything obvious. How about logs from both pods in debug mode, at least at start-up?

I mean 1) enable Spring logs in debug mode, 2) give the logs for me to look at.

You could start by showing the exact contents of your entire bootstrap.yaml and your Secrets - I don’t need your company name, etc.; I just need the exact structure - maybe something jumps out at me immediately.
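To check whether a namespace has the condition the maintainer comment points to (the same key present in more than one Secret), the following added example lists colliding keys from the JSON produced by `kubectl get secrets -o json`. It is not part of the original issue or of spring-cloud-kubernetes; the function name, the sample data and the extra `c-unique` secret are constructed for illustration.

```python
import base64
import hashlib
import json
from collections import defaultdict


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample shaped like `kubectl get secrets -o json` output, using the
# secret names and keys from the report. "c-unique" is a hypothetical extra.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "a-service-oauth"},
     "data": {"oauth2.client_id": _b64("aaaaa_id"),
              "oauth2.client_secret": _b64("aaaaa_secret")}},
    {"metadata": {"name": "a-mongodb"}, "data": {"url": _b64("aaaaa_url")}},
    {"metadata": {"name": "b-service-oauth"},
     "data": {"oauth2.client_id": _b64("bbbbb_id"),
              "oauth2.client_secret": _b64("bbbbb_secret")}},
    {"metadata": {"name": "b-mongodb"}, "data": {"url": _b64("bbbbb_url")}},
    {"metadata": {"name": "c-unique"}, "data": {"token": _b64("ccccc")}},
]})


def find_key_collisions(secret_list_json):
    """Map each key found in more than one Secret to the Secrets holding it.

    Values are compared by SHA-256 digest so no secret value is printed or kept.
    """
    owners_by_key = defaultdict(dict)  # key -> {secret name: value digest}
    for item in json.loads(secret_list_json).get("items", []):
        name = item["metadata"]["name"]
        for key, value in (item.get("data") or {}).items():
            digest = hashlib.sha256(base64.b64decode(value)).hexdigest()
            owners_by_key[key][name] = digest
    return {
        key: {"secrets": sorted(owners),
              "values_differ": len(set(owners.values())) > 1}
        for key, owners in owners_by_key.items()
        if len(owners) > 1
    }


if __name__ == "__main__":
    for key, info in sorted(find_key_collisions(SAMPLE).items()):
        note = "values differ" if info["values_differ"] else "same value"
        print(f"{key}: {', '.join(info['secrets'])} ({note})")
```

Keys reported with differing values are the ones where a mix-up would hand one service another service's credentials, so they are the first candidates for the renaming workaround.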