patch_namespaced_secret does not delete keys when passing them via string_data

[mpw96]

What happened (please include outputs or screenshots):
I want to remove a key from a secret. So I'm creating the patch data with a None value for this key. This key is not deleted (secret is unchanged).

What you expected to happen:
The key is deleted.

How to reproduce it (as minimally and precisely as possible):
Create a secret my-secret in some namespace mpw. It should contain a key test with some value.
Then run this program:

import kubernetes
import yaml

with open("my-kubeconfig.yaml", encoding="utf-8") as k_config_file:
    k_config = yaml.safe_load(k_config_file) 

k8s_api_client = kubernetes.config.new_client_from_config_dict(k_config)
core_v1_api = kubernetes.client.CoreV1Api(k8s_api_client)

secret_data = {
    "test": None,
}

core_v1_api.patch_namespaced_secret("my-secret", "mpw", kubernetes.client.V1Secret(string_data=secret_data))

Anything else we need to know?:
Note that I'm passing the secret_data to the parameter string_data. When I passing it to data, the key is deleted as expected.

Environment:

• Kubernetes version (kubectl version): Server Version: v1.29.3
• OS (e.g., MacOS 10.13.6): MacOS 14.6.1
• Python version (python --version): Python 3.11.9
• Python client version (pip list | grep kubernetes): kubernetes 30.1.0

[roycaihw]

/assign

We should have some example on patch types (JSON, JSONMERGE, STRATEGIC). Let me find some examples

[mpw96]

@roycaihw thank you for responding. Please note that I think I understand how to remove a key from a secret by patching it.

In my code example above, let's look at the last line. This deletes the key test as expected:

core_v1_api.patch_namespaced_secret("my-secret", "mpw", kubernetes.client.V1Secret(data=secret_data))
                                                                                   ^^^^

Where this does not delete it, but I would expect it to be deleted:

core_v1_api.patch_namespaced_secret("my-secret", "mpw", kubernetes.client.V1Secret(string_data=secret_data))
                                                                                   ^^^^^^^^^^^

[mpw96]

@roycaihw Any updates?

[roycaihw]

Sorry for the delay and thanks for the clarification! @mpw96 #2262 (comment)

I suspect this may be a server-side issue. As I've seen multiple upstream issue discussing the different behavior between data and string_data:

• Data lost when data is applied as data while not lost if data is applied as stringData in secret kubernetes/kubernetes#123843
• kubectl apply sets data to an empty string if you remove corresponding values from stringData kubernetes/kubernetes#89938 (comment)

The behavior in kubernetes/kubernetes#123843 seems to be similar to your use case, and it was suggested that server-side apply may help in this case. It's supported in the dynamic client:

python/kubernetes/base/dynamic/client.py

Line 152 in 4da83df

def server_side_apply(self, resource, body=None, name=None, namespace=None, force_conflicts=None, **kwargs):

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale