GitHub Action to create Kubernetes cluster secrets

License: MIT License

JavaScript 2.18% TypeScript 97.82%
azure github-actions kubernetes actions aks action github-action secrets

k8s-create-secret's Introduction

Kubernetes create secret

Create a generic secret or docker-registry secret in Kubernetes cluster, replacing the secret if it already exists.

The secret is created in the cluster context that was set earlier in the workflow by either azure/aks-set-context or azure/k8s-set-context.

Refer to the action metadata file for details about all the inputs: https://github.com/Azure/k8s-create-secret/blob/master/action.yml

For docker-registry type secrets, the fields .dockercfg or .dockerconfigjson can be supplied either in plaintext in the string-data JSON object, or base64-encoded in the data JSON object, as shown in the docker-config-secrets section.

Sample workflow for docker-registry secret (imagepullsecret, stringData)

# File: .github/workflows/workflow.yml

on: push

jobs:
   example-job:
      runs-on: ubuntu-latest
      steps:
         - name: Set imagePullSecret
           uses: azure/k8s-create-secret@v4
           with:
              namespace: 'myapp'
              secret-name: 'contoso-cr'
              container-registry-url: 'containerregistry.contoso.com'
              container-registry-username: ${{ secrets.REGISTRY_USERNAME }}
              container-registry-password: ${{ secrets.REGISTRY_PASSWORD }}
           id: create-secret

Sample workflow for generic secret (base64 data)

# File: .github/workflows/workflow.yml

on: push

jobs:
   example-job:
      runs-on: ubuntu-latest
      steps:
         - uses: azure/k8s-create-secret@v2
           with:
              namespace: 'default'
              secret-type: 'generic'
              secret-name: azure-storage
              data: ${{ secrets.AZURE_STORAGE_ACCOUNT_DATA }}

Alternative for Container Registry Secrets

Get the username and password of your container registry and create secrets for them. For Azure Container Registry, refer to the admin account document for the username and password.

For docker-registry secrets, kubectl can generate the JSON:

kubectl create secret docker-registry secret-tiger-docker \
  --docker-username=tiger \
  --docker-password=pass113 \
  --docker-email=tiger@acme.com \
  --docker-server=my-registry.example:5000

Example output:

{
    "apiVersion": "v1",
    "data": {
        ".dockerconfigjson": "eyJhdXRocyI6eyJteS1yZWdpc3RyeTo1MDAwIjp7InVzZXJuYW1lIjoidGlnZXIiLCJwYXNzd29yZCI6InBhc3MxMTMiLCJlbWFpbCI6InRpZ2VyQGFjbWUuY29tIiwiYXV0aCI6ImRHbG5aWEk2Y0dGemN6RXhNdz09In19fQ=="
    },
    "kind": "Secret",
    "metadata": {
        "creationTimestamp": "2021-07-01T07:30:59Z",
        "name": "secret-tiger-docker",
        "namespace": "default",
        "resourceVersion": "566718",
        "uid": "e15c1d7b-9071-4100-8681-f3a7a2ce89ca"
    },
    "type": "kubernetes.io/dockerconfigjson"
}
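As an added example (not code from the action or this README), the following builds the .dockerconfigjson payload in both forms the action accepts, plaintext for string-data and base64 for data, and verifies a base64 payload by checking its embedded auth field. The server, username, password and email values used in the check are the ones from the kubectl output above; the function names are this example's own.

```javascript
// Added example, not the action's own code: build the .dockerconfigjson that a
// kubernetes.io/dockerconfigjson secret carries, in the two forms the action
// accepts (plaintext under string-data, base64 under data), and validate a
// base64 payload before handing it to the cluster.

// Same object kubectl produces: the auth field is base64("username:password").
function buildDockerConfig(server, username, password, email) {
  const entry = { username, password };
  if (email) entry.email = email;
  entry.auth = Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
  return { auths: { [server]: entry } };
}

// Plaintext form, suitable for the action's string-data input.
function stringDataPayload(server, username, password, email) {
  const json = JSON.stringify(buildDockerConfig(server, username, password, email));
  return { '.dockerconfigjson': json };
}

// base64 form, suitable for the action's data input (what `kubectl -o json` prints).
function dataPayload(server, username, password, email) {
  const json = stringDataPayload(server, username, password, email)['.dockerconfigjson'];
  return { '.dockerconfigjson': Buffer.from(json, 'utf8').toString('base64') };
}

// Decode a data payload and reject it when any registry entry's auth field does
// not match its username:password, a common sign of a mangled or stale secret.
function decodeDataPayload(data) {
  const raw = Buffer.from(data['.dockerconfigjson'], 'base64').toString('utf8');
  const cfg = JSON.parse(raw);
  for (const [server, e] of Object.entries(cfg.auths || {})) {
    const expected = Buffer.from(`${e.username}:${e.password}`, 'utf8').toString('base64');
    if (e.auth !== expected) throw new Error(`auth for ${server} does not match username:password`);
  }
  return cfg;
}

// The base64 blob from the kubectl output above, used for the round-trip check.
const KUBECTL_EXAMPLE_BLOB =
  'eyJhdXRocyI6eyJteS1yZWdpc3RyeTo1MDAwIjp7InVzZXJuYW1lIjoidGlnZXIiLCJwYXNzd29yZCI6InBhc3MxMTMiLCJlbWFpbCI6InRpZ2VyQGFjbWUuY29tIiwiYXV0aCI6ImRHbG5aWEk2Y0dGemN6RXhNdz09In19fQ==';

module.exports = { buildDockerConfig, stringDataPayload, dataPayload, decodeDataPayload, KUBECTL_EXAMPLE_BLOB };
```

Note that the blob's registry key is `my-registry:5000`, the host as it appears in the decoded output, while the kubectl command above names `my-registry.example:5000`; the two must agree for the kubelet to find the credential.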

Testing

Unit tests run with jest (via ts-jest) and can be found in the ./test directory.

Integration tests use Minikube and are executed within workflows in .github/workflows.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Support

k8s-create-secret is an open source project that is not covered by the Microsoft Azure support policy. Please search open issues here, and if your issue isn't already represented please open a new one. The project maintainers will respond to the best of their abilities.

k8s-create-secret's People

Contributors

aamgayle, ablagoev, anraghun, camelpunch, davidgamero, dependabot[bot], josh-01, laat, microsoftopensource, msftgits, olivermking, rgsubh, richardsimko, shashankbarsin, shigupt202, sundargs2000, tbarnes94, thesattiraju, vidya2606


k8s-create-secret's Issues

Context of errors may be lost when an error occurs deleting secrets

The kubernetes-client library sometimes rejects its promise with an HttpError, but may also reject the promise with a generic Error object: https://github.com/kubernetes-client/javascript/blob/master/src/gen/api/coreV1Api.ts#L9168C24-L9168C39. When this happens, the error does not include a response key.

This GitHub action only warns on error data from an error where response can be destructured: https://github.com/Azure/k8s-create-secret/blob/main/src/run.ts#L171-L176.

We're running into an issue where our CI pipeline regularly fails during the deployment, because for some reason the existing secret cannot be deleted, so at the point where the action attempts to recreate the secret an error is issued:

{"response":{"statusCode":409,"body":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"secrets \"my-secret\" already exists","reason":"AlreadyExists" ...

I'm unclear on what can be gotten out of a generic Error object, but in looking at the request library (which the kubernetes-client still uses in spite of being deprecated), it looks as if there may be helpful error messages.

Namespace gets ignored

I have the following problem:
When I add a secret to an existing namespace in the cluster: /usr/bin/kubectl create secret generic mysql-secret --from-literal=MYSQL_DATABASE=*** --from-literal=MYSQL_USERNAME=*** -- from-literal=MYSQL_PASSWORD=*** -n magento-test-develop

It adds the secret to the default namespace but the custom namespace is there. And the expected behaviour should be that it adds the secret to the namespace given.

Add support for multiple secrets

At the moment we should call the action multiple times in case we have multiple secrets.
It will be useful to set multiple secrets at once in one action call.

Security: pass secrets with `--from-file` instead of over the command line

I'm following up on a recent incident where a user thought they had a secret leak when running this action.

Passing secrets over the command line is insecure as it can accidentally cause the secret to leak. See https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#using-encrypted-secrets-in-a-workflow for details.

For kubectl create secret generic, a better option would be to use --from-file instead of --from-literal. It would work like this:

  1. Instead of taking an arbitrary arguments string, take a set of key-value pairs like this:

     with:
       secrets: |
         username=${{ secrets.USERNAME }}
         password=${{ secrets.PASSWORD }}
         storage-account-key=${{ secrets.STORAGE_ACCOUNT_KEY }}

  2. In the JavaScript for your action, parse these key-value pairs and write them to files as kubectl create secret generic expects (username.txt, password.txt, storage-account-key etc.).
  3. Build up the kubectl command line to run with the --from-file arguments.

This will protect users from accidentally exposing their secrets by running this action.

Support for non-existing secrets

Hi,

are there any considerations to support deployment of secrets for the first time, i.e. when secrets do not yet exist? I am aware that the documentation says: Create a generic secret or docker-registry secret in Kubernetes cluster, replacing the secret if it already exists.

Currently, using the action in this scenario results in:

Warning: Failed to delete secret with statusCode: 404
Warning: {}
Deleting secret:
undefined
Error: SyntaxError: Unexpected token = in JSON at position 27

IMHO it would be quite useful to support this.

Thanks

Invalid Secret type after using k8s-create-secret action

Issue is when we use the below github action to generate/create a secret in k8s cluster

uses: azure/k8s-create-secret@v5
with:
  namespace: 'forecast-${{ matrix.client }}'
  secret-type: genric
  secret-name: 'dummy'
  string-data: '{"dummy1":"${{ steps.secrets.outputs.dummy1 }}","dummy2":"${{ steps.secrets.outputs.dummy2 }}","dummy3":"${{ steps.secrets.outputs.dummy3 }}","dummy4":"dummy4"}'

When we specify the "type" as generic --> the action should create the type of "Opaque" but it is trying to create a type of "generic" secret wherein the k8s doesn't have that type of secret.
https://kubernetes.io/docs/concepts/configuration/secret/#secret-types

Created Secret output:

apiVersion: v1
data:
  dummy1:
  dummy2:
  dummy3:
  dummy4:
kind: Secret
metadata:
  creationTimestamp: "2024-06-07T09:32:28Z"
  name: dummy
  namespace: default
type: Opaque

Note: Removed actual values for security reasons.

Need to use --force for arguments?

This documentation PR flagged that you need to now use arguments: --force true with the action. Could you please take a look? If this is the new way to implement the action please let me know so that we can approve the PR.

Release new version

Hi,

I see a bit of weirdness in the release versions on this action. Will there be a new major version released that has the small fixes and node16 upgrade incorporated?

Not able to create secret with EKS

Hello,

I have read the document and I believe I am using the manifest correctly. I am using azure/k8s-set-context@v3 to set the context first. It seems to be successful (but I'm not 100% sure). Here is the debug info for that portion:

##[debug]Writing kubeconfig contents to /home/runner/work/_temp/kubeconfig_1674177059730
##[debug]Setting KUBECONFIG environment variable
##[debug]Node Action run completed with exit code 0
##[debug]KUBECONFIG='/home/runner/work/_temp/kubeconfig_1674177059730'
##[debug]Finishing: Set the Kubernetes context

Then I am using azure/k8s-create-secret@v4 and I get a timeout when trying to connect to the EKS URL. I don't have a problem creating the secret the usual way with a manifest.

Here is my GHA code:

        uses: azure/k8s-set-context@v3
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KCONFIG }}
          context: 'arn:aws:eks:us-east-1:{my_account_number}:cluster/{my_cluster_name}'
        id: set-context
      - name: Set imagePullSecret
        uses: azure/k8s-create-secret@v4
        with:
          namespace: '{my_namespace}'
          secret-name: 'ghcr'
          container-registry-url: 'ghcr.io/{my_org_id}'
          container-registry-username: ${{ github.actor }}
          container-registry-password: ${{ secrets.PAT }}
        id: create-secret

Here is the DEBUG output:

Warning: Failed to delete secret with statusCode: undefined
Deleting secret:
undefined
Creating secret
{"errno":-110,"code":"ETIMEDOUT","syscall":"connect","address":"10.XX.31.115","port":443}
Error: connect ETIMEDOUT 10.XX.31.115:443
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Set imagePullSecret

Can you please help me understand if/what I'm doing wrong?

Thanks in advance!

Cannot find module '@actions/core'

When running 2.0 I get the following error:

Run azure/k8s-create-secret@v2
internal/modules/cjs/loader.js:800
    throw err;
    ^

Error: Cannot find module '@actions/core'
Require stack:
- /home/runner/work/_actions/azure/k8s-create-secret/v2/lib/run.js
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:797:15)
    at Function.Module._load (internal/modules/cjs/loader.js:690:27)
    at Module.require (internal/modules/cjs/loader.js:852:19)
    at require (internal/modules/cjs/helpers.js:74:18)
    at Object.<anonymous> (/home/runner/work/_actions/azure/k8s-create-secret/v2/lib/run.js:13:14)
    at Module._compile (internal/modules/cjs/loader.js:959:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:995:10)
    at Module.load (internal/modules/cjs/loader.js:815:32)
    at Function.Module._load (internal/modules/cjs/loader.js:727:14)
    at Function.Module.runMain (internal/modules/cjs/loader.js:1047:10) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/home/runner/work/_actions/azure/k8s-create-secret/v2/lib/run.js'
  ]
}

Based on the diff between 1.1 and 2.0 I would guess you forgot to commit the node_modules directory but I could be wrong, I haven't worked that much with custom GH actions.

Secrets are not created when namespace does not exist

I use the k8s-create-secret action to set up Kubernetes and create secrets, and azure/setup-helm to set up helm and deploy charts. When my deploy pipeline runs against the new Kubernetes cluster the secrets are not created because the provided namespace does not exist already.

The action seems to be suppressing the namespaces not found error and shows the status successful.

It would be great if the action simply created the namespace if it does not exist already, with the help of some boolean property passed to the action. Something like createnamespace: true, which would create the namespace if it does not exist.

Please suggest if there is any other way to automate namespace creation before running this action.

Multiple issues with docker-registry secrets

I'm getting this warning when creating docker-registry secrets

Warning: Unexpected input(s) 'container-registry-username', 'container-registry-password', valid inputs are ['namespace', 'secret-type', 'secret-name', 'string-data', 'data']

- name: Set imagePullSecret
  uses: azure/k8s-create-secret@v2
  with:
     namespace: 'somenamespace'
     secret-name: 'somesecretname'
     container-registry-username: ${{ secrets.SOMEUSER }}
     container-registry-password: ${{ secrets.SOMEPASS }}

It should be defined this way according to the documentation and url is optional in the code.

What should this definition look like for a docker-registry secret for Docker Hub?

The secret is also not created, just deleted
Last lines of the log

Deleting secret:
[object Object]

kubelogin ENOENT

    name: Set secret
    uses: azure/k8s-create-secret@v4
    with:
      namespace: ${{ inputs.namespace }}
      secret-type: 'generic'
      secret-name: database-data
      string-data: '{"data": "Very secret data"}'

I get an error for this action

Run azure/k8s-create-secret@v4
Warning: Failed to delete secret with statusCode: undefined
Deleting secret:
undefined
Creating secret
{"errno":-2,"code":"ENOENT","syscall":"spawnSync kubelogin","path":"kubelogin","spawnargs":["get-token","--environment","AzurePublicCloud"

How to fix this?
