99
1010 "github.com/kagent-dev/kagent/go/core/cli/internal/mcp/manifests"
1111 corev1 "k8s.io/api/core/v1"
12+ apierrors "k8s.io/apimachinery/pkg/api/errors"
1213 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
1314 "k8s.io/client-go/kubernetes"
1415 "sigs.k8s.io/controller-runtime/pkg/client/config"
@@ -22,7 +23,7 @@ type SecretsCfg struct {
2223 ProjectDir string
2324}
2425
25- func SyncSecretsMcp (cfg * SecretsCfg , environment string ) error {
26+ func SyncSecretsMcp (ctx context. Context , cfg * SecretsCfg , environment string ) error {
2627 // Determine project root
2728 projectRoot := cfg .ProjectDir
2829 if projectRoot == "" {
@@ -109,10 +110,10 @@ func SyncSecretsMcp(cfg *SecretsCfg, environment string) error {
109110 }
110111
111112 // Apply to cluster
112- return applySecretToCluster (secret )
113+ return applySecretToCluster (ctx , secret )
113114}
114115
115- func applySecretToCluster (secret * corev1.Secret ) error {
116+ func applySecretToCluster (ctx context. Context , secret * corev1.Secret ) error {
116117 // Get kubeconfig
117118 cfg , err := config .GetConfig ()
118119 if err != nil {
@@ -125,18 +126,25 @@ func applySecretToCluster(secret *corev1.Secret) error {
125126 return fmt .Errorf ("failed to create kubernetes clientset: %w" , err )
126127 }
127128
128- // Check if secret exists
129- _ , err = clientset .CoreV1 ().Secrets (secret .Namespace ).Get (context .TODO (), secret .Name , metav1.GetOptions {})
130- if err != nil {
131- // Create if it doesn't exist
132- _ , err = clientset .CoreV1 ().Secrets (secret .Namespace ).Create (context .TODO (), secret , metav1.CreateOptions {})
129+ // Check if secret exists. Branch on IsNotFound so RBAC, network, or
130+ // context-cancellation failures from Get aren't silently treated as
131+ // "secret does not exist" and don't fall through to a Create that masks
132+ // the real error.
133+ existing , err := clientset .CoreV1 ().Secrets (secret .Namespace ).Get (ctx , secret .Name , metav1.GetOptions {})
134+ switch {
135+ case apierrors .IsNotFound (err ):
136+ _ , err = clientset .CoreV1 ().Secrets (secret .Namespace ).Create (ctx , secret , metav1.CreateOptions {})
133137 if err != nil {
134138 return fmt .Errorf ("failed to create secret: %w" , err )
135139 }
136140 fmt .Printf ("✅ Secret '%s' created in namespace '%s'.\n " , secret .Name , secret .Namespace )
137- } else {
138- // Update if it exists
139- _ , err = clientset .CoreV1 ().Secrets (secret .Namespace ).Update (context .TODO (), secret , metav1.UpdateOptions {})
141+ case err != nil :
142+ return fmt .Errorf ("failed to get secret: %w" , err )
143+ default :
144+ // Update requires the live resourceVersion from the existing object;
145+ // the Secret we built from .env has none.
146+ secret .ResourceVersion = existing .ResourceVersion
147+ _ , err = clientset .CoreV1 ().Secrets (secret .Namespace ).Update (ctx , secret , metav1.UpdateOptions {})
140148 if err != nil {
141149 return fmt .Errorf ("failed to update secret: %w" , err )
142150 }