Skip to content

Commit 51ac032

Browse files
rhr323naemono
rhr323
and
naemono
authored
Do not set credentials label on Kibana config secret. (#8852) (#8863)
We should no longer have the credentials label on the Kibana config secret as it also contains encryption keys which are not safe to rotate by deleting the secret, which is what was previously suggested in our documentation. (cherry picked from commit e307f63) Co-authored-by: Michael Montgomery <[email protected]>
1 parent e1aaed5 commit 51ac032

File tree

3 files changed

+4
-4
lines changed

3 files changed

+4
-4
lines changed

pkg/controller/kibana/config_reconcile.go

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,6 @@ import (
1616
"k8s.io/apimachinery/pkg/types"
1717

1818
kbv1 "github.com/elastic/cloud-on-k8s/v3/pkg/apis/kibana/v1"
19-
"github.com/elastic/cloud-on-k8s/v3/pkg/controller/common/labels"
2019
"github.com/elastic/cloud-on-k8s/v3/pkg/controller/common/metadata"
2120
"github.com/elastic/cloud-on-k8s/v3/pkg/controller/common/reconciler"
2221
"github.com/elastic/cloud-on-k8s/v3/pkg/controller/common/tracing"
@@ -62,7 +61,7 @@ func ReconcileConfigSecret(
6261
ObjectMeta: metav1.ObjectMeta{
6362
Namespace: kb.Namespace,
6463
Name: kbv1.ConfigSecret(kb.Name),
65-
Labels: labels.AddCredentialsLabel(maps.Clone(meta.Labels)),
64+
Labels: maps.Clone(meta.Labels),
6665
Annotations: meta.Annotations,
6766
},
6867
Data: data,

pkg/controller/kibana/config_reconcile_test.go

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -53,6 +53,8 @@ func TestReconcileConfigSecret(t *testing.T) {
5353
assertions: func(secrets corev1.SecretList) error {
5454
require.Equal(t, 1, len(secrets.Items))
5555
assert.NotNil(t, secrets.Items[0].Data[SettingsFilename])
56+
// The Kibana config secret previously contained the 'credentials' label. It should now not exist.
57+
assert.Empty(t, secrets.Items[0].ObjectMeta.Labels["eck.k8s.elastic.co/credentials"])
5658
return nil
5759
},
5860
},

test/e2e/test/kibana/checks_k8s.go

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -38,8 +38,7 @@ func CheckSecrets(b Builder, k *test.K8sClient) test.Step {
3838
Keys: []string{"kibana.yml"},
3939
OptionalKeys: []string{"telemetry.yml"},
4040
Labels: map[string]string{
41-
"eck.k8s.elastic.co/credentials": "true",
42-
"kibana.k8s.elastic.co/name": kbName,
41+
"kibana.k8s.elastic.co/name": kbName,
4342
},
4443
},
4544
}

0 commit comments

Comments
 (0)