
Conversation

@pkoutsovasilis
Contributor

@pkoutsovasilis pkoutsovasilis commented Dec 2, 2025

Summary

Fixes cleanup of orphaned secret mounts when removed from StackConfigPolicy. When a policy's secretMounts configuration is updated to remove secret references, the copied secrets in the target Elasticsearch namespace are now automatically deleted.

Fixes #8921

Problem

When a StackConfigPolicy removes a secret reference from its secretMounts configuration, the copied secret remains in the target Elasticsearch namespace indefinitely, leading to resource accumulation and potential confusion.

Reproduction Steps (from issue #8921)

  1. Create an Elasticsearch instance labeled env: test
  2. Create a source secret in the elastic-system namespace
  3. Create a StackConfigPolicy that references this secret via secretMounts
  4. ECK copies the secret to the Elasticsearch namespace
  5. Update the StackConfigPolicy to remove the secretMounts section
  6. Bug: The copied secret persists in the Elasticsearch namespace indefinitely

Expected Behavior

When a secret reference is removed from a StackConfigPolicy's secretMounts, ECK should automatically delete the corresponding copied secret from the target namespace.

Solution

Added a cleanupOrphanedSecretMounts() function that runs during policy reconciliation to:

  1. List all secrets in the ES namespace that are soft-owned by the policy
  2. Filter for secrets with the policy.k8s.elastic.co/source-secret-name annotation (identifies SecretMount-managed secrets)
  3. Compare against the current secretMounts list in the policy spec
  4. Delete secrets that are no longer referenced in the policy
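The four steps above, written out as an added example (this is not ECK's code and is not taken from the pull request). It assumes the soft-owner label keys shown in the constants, a minimal Secret stand-in instead of corev1.Secret, and illustrative secret names; only the policy.k8s.elastic.co/source-secret-name annotation comes from the PR description. The constructed sample includes the cases a reviewer would want covered: a copy whose source is still mounted, a copy owned by a different policy, a policy-owned secret that is not a SecretMount copy, and a copy in an unrelated namespace, none of which may be deleted.

```go
package main

import (
	"fmt"
	"sort"
)

const (
	// Annotation named in the PR description; marks secrets copied for a secretMounts entry.
	sourceSecretAnnotation = "policy.k8s.elastic.co/source-secret-name"
	// Soft-owner label keys: an assumption modelled on ECK's naming, not copied from its source.
	ownerKindLabel      = "eck.k8s.elastic.co/owner-kind"
	ownerNameLabel      = "eck.k8s.elastic.co/owner-name"
	ownerNamespaceLabel = "eck.k8s.elastic.co/owner-namespace"
	policyKind          = "StackConfigPolicy"
)

// Secret is a minimal stand-in for corev1.Secret so the example runs without client-go.
type Secret struct {
	Namespace, Name     string
	Labels, Annotations map[string]string
}

// SecretMount holds the spec.secretMounts fields that matter here; PolicyRef names the soft owner.
type SecretMount struct{ SecretName, MountPath string }
type PolicyRef struct{ Namespace, Name string }

// softOwnedBy reports whether s carries soft-owner labels pointing at policy.
func softOwnedBy(s Secret, policy PolicyRef) bool {
	return s.Labels[ownerKindLabel] == policyKind &&
		s.Labels[ownerNameLabel] == policy.Name &&
		s.Labels[ownerNamespaceLabel] == policy.Namespace
}

// orphanedSecretMounts applies the four steps from the PR description to an already-listed set of
// secrets: keep those in esNamespace soft-owned by policy, keep only SecretMount copies (annotation
// present), and report the ones whose source secret is absent from mounts. Secrets without the
// annotation are never reported, and a nil mounts slice (secretMounts removed entirely) marks every
// copy as orphaned.
func orphanedSecretMounts(secrets []Secret, esNamespace string, policy PolicyRef, mounts []SecretMount) []string {
	wanted := make(map[string]struct{}, len(mounts))
	for _, m := range mounts {
		wanted[m.SecretName] = struct{}{}
	}
	var orphans []string
	for _, s := range secrets {
		if s.Namespace != esNamespace || !softOwnedBy(s, policy) {
			continue
		}
		src, ok := s.Annotations[sourceSecretAnnotation]
		if !ok || src == "" {
			continue // policy-owned but not a SecretMount copy; leave it alone
		}
		if _, stillReferenced := wanted[src]; !stillReferenced {
			orphans = append(orphans, s.Name)
		}
	}
	sort.Strings(orphans) // deterministic order for logs and tests
	return orphans
}

// SecretDeleter is the only client capability the cleanup needs; a controller would satisfy it
// with its Kubernetes client, this example with an in-memory fake.
type SecretDeleter interface{ DeleteSecret(namespace, name string) error }

// cleanupOrphanedSecretMounts deletes each orphan in turn and returns the names it deleted.
func cleanupOrphanedSecretMounts(c SecretDeleter, secrets []Secret, esNamespace string, policy PolicyRef, mounts []SecretMount) ([]string, error) {
	orphans := orphanedSecretMounts(secrets, esNamespace, policy, mounts)
	for _, name := range orphans {
		if err := c.DeleteSecret(esNamespace, name); err != nil {
			return nil, fmt.Errorf("deleting orphaned secret %s/%s: %w", esNamespace, name, err)
		}
	}
	return orphans, nil
}

// fakeDeleter records deletions instead of calling the API server.
type fakeDeleter struct{ deleted []string }

func (f *fakeDeleter) DeleteSecret(namespace, name string) error {
	f.deleted = append(f.deleted, namespace+"/"+name)
	return nil
}

// sampleSecrets is constructed input: ES in "default", policy "test-policy" in "elastic-system",
// two SecretMount copies, a copy owned by another policy, a policy-owned non-mount secret, and a
// copy in an unrelated namespace. Names are illustrative, not ECK's naming scheme.
func sampleSecrets() []Secret {
	mine := map[string]string{ownerKindLabel: policyKind, ownerNameLabel: "test-policy", ownerNamespaceLabel: "elastic-system"}
	other := map[string]string{ownerKindLabel: policyKind, ownerNameLabel: "other-policy", ownerNamespaceLabel: "elastic-system"}
	src := func(name string) map[string]string { return map[string]string{sourceSecretAnnotation: name} }
	return []Secret{
		{"default", "quickstart-es-creds", mine, src("creds")},
		{"default", "quickstart-es-old-cert", mine, src("old-cert")},
		{"default", "quickstart-es-other-copy", other, src("old-cert")},
		{"default", "quickstart-es-file-settings", mine, nil},
		{"staging", "quickstart-es-old-cert", mine, src("old-cert")},
	}
}

func main() {
	policy := PolicyRef{Namespace: "elastic-system", Name: "test-policy"}
	mounts := []SecretMount{{SecretName: "creds", MountPath: "/usr/share/elasticsearch/config/creds"}}
	fake := &fakeDeleter{}
	deleted, err := cleanupOrphanedSecretMounts(fake, sampleSecrets(), "default", policy, mounts)
	fmt.Println("deleted:", deleted, "err:", err) // only quickstart-es-old-cert is orphaned
}
```

The selection is kept separate from the deletion so the decision can be unit-tested without a cluster, and the annotation check is the guard that keeps the cleanup from touching other soft-owned secrets the policy manages.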

@pkoutsovasilis pkoutsovasilis self-assigned this Dec 2, 2025
@pkoutsovasilis pkoutsovasilis added the >bug (Something isn't working) and v3.3.0 (next) labels Dec 2, 2025
@prodsecmachine
Collaborator

prodsecmachine commented Dec 2, 2025

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total (0)
Open Source Security  0         0     0       0    0 issues
Licenses              0         0     0       0    0 issues


@pkoutsovasilis pkoutsovasilis marked this pull request as ready for review December 2, 2025 12:28
@pkoutsovasilis pkoutsovasilis requested a review from pebrc December 3, 2025 13:53

Development

Successfully merging this pull request may close these issues.

Copied secrets from StackConfigPolicy are not cleaned up when removed from spec

3 participants