install-stackspin.sh fails when a secret exists
I needed to re-run the install script on my test cluster in order to fix its broken SSO installation. However, it fails because a secret was already present:
❯ install/install-stackspin.sh
secret/stackspin-cluster-variables patched (no change)
✚ generating manifests
✔ manifests build completed
► installing components in flux-system namespace
CustomResourceDefinition/buckets.source.toolkit.fluxcd.io unchanged
CustomResourceDefinition/gitrepositories.source.toolkit.fluxcd.io unchanged
CustomResourceDefinition/helmcharts.source.toolkit.fluxcd.io unchanged
CustomResourceDefinition/helmreleases.helm.toolkit.fluxcd.io unchanged
CustomResourceDefinition/helmrepositories.source.toolkit.fluxcd.io unchanged
CustomResourceDefinition/kustomizations.kustomize.toolkit.fluxcd.io unchanged
Namespace/flux-system unchanged
ServiceAccount/flux-system/helm-controller unchanged
ServiceAccount/flux-system/kustomize-controller unchanged
ServiceAccount/flux-system/source-controller unchanged
ClusterRole/crd-controller-flux-system unchanged
ClusterRoleBinding/cluster-reconciler-flux-system unchanged
ClusterRoleBinding/crd-controller-flux-system unchanged
Service/flux-system/source-controller unchanged
Deployment/flux-system/helm-controller configured
Deployment/flux-system/kustomize-controller unchanged
Deployment/flux-system/source-controller configured
◎ verifying installation
✔ helm-controller: deployment ready
✔ kustomize-controller: deployment ready
✔ source-controller: deployment ready
✔ install finished
deployment.apps/helm-controller patched
deployment.apps/source-controller patched
Tracking branch main for https://open.greenhost.net/stackspin/stackspin flux repo
NAME STATUS AGE
stackspin Active 42d
NAME STATUS AGE
stackspin-apps Active 42d
Secret stackspin-dashboard-variables in namespace flux-system is already in a good state, doing nothing.
Storing secret stackspin-{{ app }}-oauth-variables in namespace flux-system in cluster.
Secret created with api response: [[{'api_version': 'v1',
'data': {'client_id': 'ZGFzaGJvYXJk',
'client_secret': '...'},
'immutable': None,
'kind': 'Secret',
'metadata': {'annotations': None,
'cluster_name': None,
'creation_timestamp': datetime.datetime(2021, 12, 23, 11, 39, 51, tzinfo=tzutc()),
'deletion_grace_period_seconds': None,
'deletion_timestamp': None,
'finalizers': None,
'generate_name': None,
'generation': None,
'labels': None,
'managed_fields': [{'api_version': 'v1',
'fields_type': 'FieldsV1',
'fields_v1': {'f:data': {'.': {},
'f:client_id': {},
'f:client_secret': {}},
'f:type': {}},
'manager': 'OpenAPI-Generator',
'operation': 'Update',
'time': datetime.datetime(2021, 12, 23, 11, 39, 51, tzinfo=tzutc())}],
'name': 'stackspin-dashboard-oauth-variables',
'namespace': 'flux-system',
'owner_references': None,
'resource_version': '6050612',
'self_link': None,
'uid': '0830bcff-ea64-416f-9075-f0fd09ba4786'},
'string_data': None,
'type': 'Opaque'}]]
File /home/varac/projects/work/greenhost/stackspin/install/templates/stackspin-dashboard-basic-auth.yaml.jinja does not exist, no action needed
Secret stackspin-single-sign-on-variables in namespace flux-system already exists. Merging...
Storing secret stackspin-single-sign-on-variables in namespace flux-system in cluster.
Secret updated with api response: {'api_version': 'v1',
'data': {...}
'immutable': None,
'kind': 'Secret',
'metadata': {'annotations': None,
'cluster_name': None,
'creation_timestamp': datetime.datetime(2021, 11, 10, 11, 53, 22, tzinfo=tzutc()),
'deletion_grace_period_seconds': None,
'deletion_timestamp': None,
'finalizers': None,
'generate_name': None,
'generation': None,
'labels': None,
'managed_fields': [{'api_version': 'v1',
'fields_type': 'FieldsV1',
'fields_v1': {'f:data': {'.': {},
'f:dashboard_postgresql_password': {},
'f:hydra_postgresql_password': {},
'f:hydra_system_secret': {},
'f:kratos_postgresql_password': {},
'f:kratos_session_secret': {},
'f:userbackend_admin_password': {},
'f:userbackend_admin_username': {},
'f:userbackend_postgres_password': {}},
'f:type': {}},
'manager': 'OpenAPI-Generator',
'operation': 'Update',
'time': datetime.datetime(2021, 12, 23, 11, 39, 51, tzinfo=tzutc())}],
'name': 'stackspin-single-sign-on-variables',
'namespace': 'flux-system',
'owner_references': None,
'resource_version': '6050615',
'self_link': None,
'uid': 'd23e3615-4e63-4cda-96e9-fc1db71d6c68'},
'string_data': None,
'type': 'Opaque'}
File /home/varac/projects/work/greenhost/stackspin/install/templates/stackspin-single-sign-on-basic-auth.yaml.jinja does not exist, no action needed
Secret stackspin-kube-prometheus-stack-variables in namespace flux-system is already in a good state, doing nothing.
Storing secret stackspin-{{ app }}-oauth-variables in namespace flux-system in cluster.
Traceback (most recent call last):
File "/home/varac/projects/work/greenhost/stackspin/install/generate_secrets.py", line 196, in <module>
main()
File "/home/varac/projects/work/greenhost/stackspin/install/generate_secrets.py", line 52, in main
create_variables_secret(app_name, "stackspin-oauth-variables.yaml.jinja", env)
File "/home/varac/projects/work/greenhost/stackspin/install/generate_secrets.py", line 95, in create_variables_secret
store_kubernetes_secret(new_secret_dict, secret_namespace,
File "/home/varac/projects/work/greenhost/stackspin/install/generate_secrets.py", line 164, in store_kubernetes_secret
api_response = create_from_yaml(
File "/home/varac/.local/lib/python3.9/site-packages/kubernetes/utils/create_from_yaml.py", line 88, in create_from_yaml
return create_with(yml_document_all)
File "/home/varac/.local/lib/python3.9/site-packages/kubernetes/utils/create_from_yaml.py", line 83, in create_with
raise FailToCreateError(failures)
kubernetes.utils.create_from_yaml.FailToCreateError: Error from server (Conflict): {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"secrets \"stackspin-kube-prometheus-stack-oauth-variables\" already exists","reason":"AlreadyExists","details":{"name":"stackspin-kube-prometheus-stack-oauth-variables","kind":"secrets"},"code":409}
We need to make this script resilient so it continues even when a secret exists. In this case it should warn the admin how to (manually) resolve the situation.
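One way the conflict above could be handled, as an added example that is not the project's own generate_secrets.py code: wrap the create call, recognise the server's Status object with reason AlreadyExists / code 409 (the body shown in the traceback), turn that one case into a warning with the manual fix, and let any other error stay fatal. The real kubernetes client raises kubernetes.utils.FailToCreateError, whose api_exceptions list holds ApiException objects carrying .status and .body; the ConflictError class and FakeSecretsApi below are constructed stand-ins so the example runs offline without a cluster. The two secret names come from the log above; which of them pre-exists in the fake is an assumption chosen to mirror the failing run.

```python
"""Treat an AlreadyExists (409) conflict when storing a Secret as a warning
with manual-resolution instructions instead of aborting the whole install."""
import json
from dataclasses import dataclass
from typing import Callable, Optional


class ConflictError(Exception):
    """Constructed stand-in for the kubernetes client's ApiException/FailToCreateError.
    It carries the same kind of error body string the real client exposes via .body."""

    def __init__(self, body: str):
        super().__init__(body)
        self.body = body


@dataclass
class StoreResult:
    name: str
    namespace: str
    created: bool
    warning: Optional[str] = None


def parse_status_body(body: str) -> dict:
    """Extract the Kubernetes Status object from an API error body.
    The client prefixes the JSON with 'Error from server (Conflict): ', so
    skip everything before the first '{'. Unparseable bodies yield {}."""
    start = body.find("{")
    if start < 0:
        return {}
    try:
        return json.loads(body[start:])
    except json.JSONDecodeError:
        return {}


def is_already_exists(body: str) -> bool:
    """True only for the AlreadyExists conflict; other failures must stay fatal."""
    status = parse_status_body(body)
    return status.get("reason") == "AlreadyExists" or status.get("code") == 409


def resolution_hint(name: str, namespace: str) -> str:
    """The message an admin needs to resolve the situation by hand."""
    return (
        f"Secret {name} in namespace {namespace} already exists and was left untouched. "
        f"Keep it if its values are still valid, or delete it and re-run the installer "
        f"to generate a fresh one: kubectl -n {namespace} delete secret {name}"
    )


def store_secret_resilient(create: Callable[[str, str], object],
                           name: str, namespace: str) -> StoreResult:
    """Call create(name, namespace); downgrade an AlreadyExists conflict to a warning."""
    try:
        create(name, namespace)
    except ConflictError as exc:
        if not is_already_exists(exc.body):
            raise  # not a conflict: keep the original, fatal behaviour
        return StoreResult(name, namespace, created=False,
                           warning=resolution_hint(name, namespace))
    return StoreResult(name, namespace, created=True)


class FakeSecretsApi:
    """Constructed in-memory API: creating an existing secret raises the same
    Status body the real apiserver returned in the traceback above."""

    def __init__(self, existing):
        self.existing = set(existing)

    def create(self, name: str, namespace: str) -> dict:
        if (namespace, name) in self.existing:
            status = {"kind": "Status", "apiVersion": "v1", "metadata": {},
                      "status": "Failure",
                      "message": f'secrets "{name}" already exists',
                      "reason": "AlreadyExists",
                      "details": {"name": name, "kind": "secrets"}, "code": 409}
            raise ConflictError("Error from server (Conflict): " + json.dumps(status))
        self.existing.add((namespace, name))
        return {"kind": "Secret", "metadata": {"name": name, "namespace": namespace}}


def run_demo():
    """One pre-existing secret (the one that crashed the run) and one new secret."""
    api = FakeSecretsApi({("flux-system", "stackspin-kube-prometheus-stack-oauth-variables")})
    results = [
        store_secret_resilient(api.create, n, "flux-system")
        for n in ("stackspin-kube-prometheus-stack-oauth-variables",
                  "stackspin-dashboard-oauth-variables")
    ]
    for r in results:
        print("WARNING:" if r.warning else "created:", r.warning or r.name)
    return results


if __name__ == "__main__":
    run_demo()
```

The point of keeping the check narrow (reason AlreadyExists or code 409 only) is that a permission error, a validation error or a network failure still aborts the install; only the known-safe case of an already-present secret is skipped, and the admin gets told exactly which secret was left alone and how to regenerate it.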