Replace of immutable secret fails #781

Open
sebhoss opened this issue Oct 6, 2024 · 4 comments
Labels
needs_info Needs additional information from original reporter

Comments

sebhoss commented Oct 6, 2024

SUMMARY

I have a secret that sets its immutable field to true and thus cannot be changed through a normal apply operation but requires a replacement in case its data does change. According to https://docs.ansible.com/ansible/latest/collections/kubernetes/core/k8s_module.html#parameter-force a replacement should have happened, but it fails instead.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

kubernetes.core.k8s

ANSIBLE VERSION
ansible [core 2.17.4]
  config file = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg
  configured module search path = ['/home/seb/.config/ansible/home/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.venv/lib/python3.12/site-packages/ansible
  ansible collection location = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.ansible
  executable location = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.venv/bin/ansible
  python version = 3.12.6 (main, Sep  9 2024, 22:11:19) [Clang 18.1.8 ] (/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.venv/bin/python)
  jinja version = 3.1.4
  libyaml = True
COLLECTION VERSION
# /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.ansible/ansible_collections
Collection      Version
--------------- -------
kubernetes.core 5.0.0 
CONFIGURATION
ANSIBLE_HOME(env: ANSIBLE_HOME) = /home/seb/.config/ansible/home
COLLECTIONS_PATHS(/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg) = ['/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.ansible']
CONFIG_FILE() = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg
DEFAULT_STDOUT_CALLBACK(/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg) = yaml
DEFAULT_VAULT_PASSWORD_FILE(/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg) = /var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/.VAULT_PASSWORD
EDITOR(env: EDITOR) = /var/home/seb/.local/bin/hx
GALAXY_CACHE_DIR(env: ANSIBLE_GALAXY_CACHE_DIR) = /home/seb/.cache/ansible/galaxy
INTERPRETER_PYTHON(/var/home/seb/git/git.infra.run/infra.run/infrastructure/helm-deployments/development/ansible.cfg) = auto_silent
MAX_FILE_SIZE_FOR_DIFF(env: ANSIBLE_MAX_DIFF_SIZE) = 104857600
PAGER(env: PAGER) = less
OS / ENVIRONMENT

Fedora 40

STEPS TO REPRODUCE
- name: Create secret
  delegate_to: localhost
  kubernetes.core.k8s:
    template: some-secret.yaml
    state: present
    force: true

Use the following secret (or any other that sets immutable: true):

apiVersion: v1
kind: Secret
metadata:
  name: some-secret
  namespace: "{{ some_namespace }}"
stringData:
  token: "{{ some_token }}"
immutable: true

EXPECTED RESULTS

My expectation was that changing the data of an immutable secret with force: true does work.

ACTUAL RESULTS
fatal: [test-cluster -> localhost]: FAILED! => changed=false 
  msg: 'Failed to replace object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Secret \\"some-secret\\" is invalid: data: Forbidden: field is immutable when `immutable` is set","reason":"Invalid","details":{"name":"some-secret","kind":"Secret","causes":[{"reason":"FieldValueForbidden","message":"Forbidden: field is immutable when `immutable` is set","field":"data"}]},"code":422}\n'''
  reason: Unprocessable Entity
abikouo (Contributor) commented Oct 10, 2024

@sebhoss this is a server-side issue. The force=true option replaces the resource whether it exists or not. A post request is issued to the server; however, it fails because you have set immutable=true. The only way to fix that is to delete and re-create the secret.

@abikouo abikouo added the needs_info Needs additional information from original reporter label Oct 10, 2024
sebhoss (Author) commented Oct 10, 2024

@abikouo thanks - I guess I was looking for something like kubectl replace, but with Ansible doing the replacement only if there is a difference and thus avoiding deleting/creating the secret on every execution.

yurnov (Contributor) commented Dec 18, 2024

> @abikouo thanks - I guess I was looking for something like kubectl replace, but with Ansible doing the replacement only if there is a difference and thus avoiding deleting/creating the secret on every execution.

You can read the content with the k8s_info module, then compare it with the desired state, and then have a block with when that will be invoked only in case the content doesn't match.

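One way to implement the read-compare-replace pattern yurnov describes, as an added example that is not part of the issue or of the kubernetes.core collection. It assumes the some_namespace and some_token variables and the some-secret.yaml template from the report above, and that the only key in the secret is token.

```yaml
# Added example (not from the issue or from kubernetes.core): fetch the live
# Secret, compare its data with the desired content, and only delete it when
# the data differs, so an unchanged run stays a no-op instead of a delete/create.
# Assumes some_namespace, some_token and some-secret.yaml from the report.
- name: Read the current secret (resources is an empty list if it does not exist)
  delegate_to: localhost
  kubernetes.core.k8s_info:
    api_version: v1
    kind: Secret
    name: some-secret
    namespace: "{{ some_namespace }}"
  register: current_secret
  no_log: true   # the result carries the secret's data; keep it out of logs

- name: Decide whether the immutable secret must be re-created
  ansible.builtin.set_fact:
    # The API stores stringData base64-encoded under .data, so compare against
    # the encoded desired value rather than the plain token.
    secret_needs_recreate: >-
      {{ current_secret.resources | length > 0
         and (current_secret.resources[0].data | default({}))
             != {'token': (some_token | b64encode)} }}
  no_log: true

- name: Delete the old secret only when its data changed
  delegate_to: localhost
  kubernetes.core.k8s:
    state: absent
    api_version: v1
    kind: Secret
    name: some-secret
    namespace: "{{ some_namespace }}"
    wait: true   # wait for the deletion to finish before re-creating
  when: secret_needs_recreate | bool

- name: Create the secret (no-op when it already exists with matching data)
  delegate_to: localhost
  kubernetes.core.k8s:
    template: some-secret.yaml
    state: present
  no_log: true
```

Because an immutable Secret cannot be patched in place, the delete step is the only point at which the object changes; no_log on the tasks that touch the data keeps the token out of the playbook output and callback logs.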
mohag commented Dec 19, 2024

I'm running into something similar with a deployment (when editing labels and selectors...) (immutable fields on the Deployment in this case, rather than an immutable object).

fatal: [localhost]: FAILED! => {
    "changed": false,
    "reason": "Unprocessable Entity"
}

MSG:

Failed to apply object: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Deployment.apps \\"kubelet-csr-approver\\" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{\\"app\\":\\"kubelet-csr-approver\\", \\"name\\":\\"kubelet-csr-approver\\"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable","reason":"Invalid","details":{"name":"kubelet-csr-approver","group":"apps","kind":"Deployment","causes":[{"reason":"FieldValueInvalid","message":"Invalid value: v1.LabelSelector{MatchLabels:map[string]string{\\"app\\":\\"kubelet-csr-approver\\", \\"name\\":\\"kubelet-csr-approver\\"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable","field":"spec.selector"}]},"code":422}\n'

I also hoped that setting force=true would work around it... (I'm currently considering a rescue block, but need to move the definition around to avoid having to duplicate it.)

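The rescue-block approach mohag mentions, as an added example not taken from the issue or from kubernetes.core. It assumes a kubelet-csr-approver.yaml template and a some_namespace variable (both assumptions), and it gates the delete on the 422 reason and the "field is immutable" message shown in the error above so that an unrelated apply failure does not delete a running workload.

```yaml
# Added example (not from the issue or from kubernetes.core): apply the
# Deployment normally and fall back to delete + re-create only when the server
# rejected it with the immutable-field error quoted in this thread.
# Assumed: template file kubelet-csr-approver.yaml and variable some_namespace.
- name: Apply deployment, re-creating it only if an immutable field changed
  delegate_to: localhost
  block:
    - name: Apply deployment
      kubernetes.core.k8s:
        template: kubelet-csr-approver.yaml
        state: present
      register: apply_result   # populated even when the task fails
  rescue:
    - name: Re-raise anything other than an immutable-field rejection
      ansible.builtin.fail:
        msg: "{{ apply_result.msg | default('apply failed') }}"
      when: >-
        apply_result.reason | default('') != 'Unprocessable Entity'
        or 'field is immutable' not in (apply_result.msg | default(''))

    - name: Delete the deployment the server refused to update
      kubernetes.core.k8s:
        state: absent
        api_version: apps/v1
        kind: Deployment
        name: kubelet-csr-approver
        namespace: "{{ some_namespace }}"
        wait: true   # the name must be free before the re-create below

    - name: Re-create the deployment from the same template
      kubernetes.core.k8s:
        template: kubelet-csr-approver.yaml
        state: present
```

Deleting and re-creating a Deployment takes its pods down for the duration, so this is a deliberate replacement rather than a rolling update; the `when` guard on the fail task is what keeps other 4xx/5xx responses from triggering it.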