
Secrets managed by external vault fail with error: Secret "mendix-proxy" is invalid: type: Invalid value: "Opaque": field is immutable

Issue

When running mxpc-cli apply-config on an OpenShift cluster with auto-generated secrets from Vault Secret Operator (VSO) and ArgoCD, the following error occurs:

Failed to apply Kubernetes Secrets: failed to update secret proxy_secret: Secret "mendix-proxy" is invalid: type: Invalid value: "Opaque": field is immutable

This issue occurs when secrets are created by custom processes (such as VSO with ArgoCD) before running mxpc-cli, causing a conflict because the secret type field is immutable in Kubernetes.

Environment

Applications hosted in Mendix on Kubernetes

Cause

The issue occurs when secrets are pre-created by the VSO and ArgoCD pipeline using the type kubernetes.io/Opaque, while mxpc-cli creates secrets using the type Opaque.

Although these two types are functionally equivalent, Kubernetes treats the secret type field as immutable after creation, resulting in an error.

Solution/Workaround

To resolve this issue, ensure that secrets created by custom processes are fully identical to how mxpc-cli would create them. Choose one of the following approaches:

Option 1: Align custom secret creation with mxpc-cli format (Recommended)

  1. Update the custom secret management process (VSO/ArgoCD) to use the secret type Opaque instead of kubernetes.io/Opaque

  2. Ensure all secret attributes match exactly how mxpc-cli creates them

  3. Run mxpc-cli apply-config 
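
A pre-flight check for the type mismatch described under Cause, to run before step 3. This is an added example, not code from Mendix or mxpc-cli. It assumes you pass in the names of the secrets mxpc-cli will manage; apart from mendix-proxy, the secret names in the sample are constructed.

```python
import json
import sys

# Type mxpc-cli uses when it creates secrets, per this article.
EXPECTED_TYPE = "Opaque"


def find_type_conflicts(secret_list, managed_names, expected=EXPECTED_TYPE):
    """Return sorted (name, actual_type) for managed secrets whose type differs.

    secret_list is the parsed output of `kubectl get secrets -n <ns> -o json`.
    Only .metadata.name and .type are read; secret data is never touched.
    """
    conflicts = []
    for item in secret_list.get("items", []):
        name = item.get("metadata", {}).get("name")
        if name not in managed_names:
            continue
        # The API server defaults an omitted type to "Opaque".
        actual = item.get("type") or "Opaque"
        if actual != expected:
            conflicts.append((name, actual))
    return sorted(conflicts)


# Constructed sample input; only "mendix-proxy" is a name from this article.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "mendix-proxy"}, "type": "kubernetes.io/Opaque"},
  {"metadata": {"name": "example-registry"}, "type": "Opaque"},
  {"metadata": {"name": "unrelated-tls"}, "type": "kubernetes.io/tls"}
]}
""")

if __name__ == "__main__":
    # Usage: kubectl get secrets -n <ns> -o json | python check.py <name> ...
    names = set(sys.argv[1:]) or {"mendix-proxy", "example-registry"}
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    found = find_type_conflicts(data, names)
    for name, actual in found:
        print(f"{name}: type {actual!r} != {EXPECTED_TYPE!r}; "
              "update will be rejected because the type field is immutable")
    sys.exit(1 if found else 0)
```

A non-zero exit status means at least one pre-created secret has to be recreated with the expected type before apply-config can update it.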

Option 2: Delete existing secrets and let mxpc-cli manage them

  1. Remove the secrets from the custom management process (VSO/ArgoCD)

  2. Delete the existing secrets from the cluster

  3. Run mxpc-cli apply-config to allow mxpc-cli to create and manage the secrets

Option 3: Use dry-run mode for manual application

  1. Use the dry-run option in mxpc-cli to review the configuration changes

  2. Apply the changes manually to avoid conflicts with existing secrets

Note: mxpc-cli is only validated to be compatible with processes documented in the official Mendix documentation. If secrets are created by another process, they must be fully identical to how mxpc-cli creates them. External secret management solutions such as VSO and ArgoCD are not officially supported.

Internal information related

264938
