
[Sanctuary] Old secret versions are not disabled/destroyed

👓 What did you see?

While working on https://gitlab.developers.cam.ac.uk/uis/devops/devhub/gitlab-deploy/-/issues/425, it was noticed that although sanctuary prints the line

```
[info ] Destroying previous versions of secret name=...
```

all secret versions stay enabled:

(screenshot omitted)

What did you expect to see?

Latest version enabled, previous versions destroyed.

💻 Where does this happen?

Examples:

https://console.cloud.google.com/security/secret-manager/secret/gitlab-deploy/versions?project=gitlab-rk72-68734331

(same behaviour in gitlab prod project)

🔬 How do I recreate this?

The problem was found in the gitlab-deploy repository, where we use sanctuary to sync secrets between 1Password (1p) and Google Secret Manager (google sm).

Steps:

  1. Sanctuary config (example) in `.logan.yaml`:

```yaml
sanctuary:
  secrets:
    somename:
      from:
        op-cli-item:
          item-id: ITEM_ID
          use_field_labels: true
          fields:
            - FIELD_1
            - FIELD_2
```

With this config in `.logan.yaml`, run `sanctuary sync --verbose`. In the log you will see sanctuary print that it destroys the previous versions.

  2. Open the Google Cloud console and check that all versions are still "enabled".
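An added check for the expectation above (example code, not part of sanctuary or gitlab-deploy): it lists the versions of a secret and reports every older version that was not destroyed. The `fetch_versions` helper, the project and secret names, and the sample version list are assumptions constructed for the example.

```python
"""Audit Google Secret Manager versions: only the newest should be ENABLED,
every older one should be DESTROYED.  Added example, not sanctuary's code."""
import re
import sys

# Version resource names look like projects/P/secrets/S/versions/N; N is an
# integer that grows with each new version, so sort numerically, not as text
# (otherwise "10" would sort before "9").
_VERSION_RE = re.compile(r"^projects/[^/]+/secrets/[^/]+/versions/(\d+)$")


def version_number(name):
    """Return the numeric version from a version resource name."""
    m = _VERSION_RE.match(name)
    if not m:
        raise ValueError(f"not a secret version name: {name}")
    return int(m.group(1))


def audit_versions(versions):
    """versions: iterable of (name, state) with state in ENABLED/DISABLED/DESTROYED.
    Returns the newest version, its state, and the older versions (newest first)
    that are still not DESTROYED, i.e. exactly the leftovers this issue reports."""
    ordered = sorted(versions, key=lambda v: version_number(v[0]), reverse=True)
    if not ordered:
        return {"latest": None, "latest_state": None, "stale_not_destroyed": []}
    latest, latest_state = ordered[0]
    stale = [name for name, state in ordered[1:] if state != "DESTROYED"]
    return {"latest": latest, "latest_state": latest_state, "stale_not_destroyed": stale}


def fetch_versions(project, secret):
    """Read real versions from GCP (assumed helper; needs the
    google-cloud-secret-manager package and application default credentials)."""
    from google.cloud import secretmanager  # lazy import keeps the audit logic offline-runnable
    client = secretmanager.SecretManagerServiceClient()
    parent = f"projects/{project}/secrets/{secret}"
    return [(v.name, secretmanager.SecretVersion.State(v.state).name)
            for v in client.list_secret_versions(request={"parent": parent})]


# Constructed sample mirroring the situation in this issue: three versions, all ENABLED.
SAMPLE = [(f"projects/example-project/secrets/gitlab-deploy/versions/{n}", "ENABLED")
          for n in (1, 2, 3)]

if __name__ == "__main__":
    report = audit_versions(fetch_versions(*sys.argv[1:3]) if len(sys.argv) == 3 else SAMPLE)
    for name in report["stale_not_destroyed"]:
        print(f"NOT DESTROYED: {name}")
    sys.exit(1 if report["stale_not_destroyed"] else 0)
```

Run it as `python audit.py PROJECT SECRET` against a real project; with no arguments it audits the constructed sample and exits non-zero because versions 1 and 2 are still enabled.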