Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

does azure key vault flex vol mount reflect latest version of secret in Key vault without redeploying pod? #58

Closed martin2176 closed 5 years ago

martin2176 commented 5 years ago

I have a question I ran into while testing this. If I generate a new secret in Key Vault, does the volume mount inside a pod reflect the latest value? If it does, how long is the wait time?

Inside the pod spec for the volume, I am not using the version number, so I always refer to the latest version. During my testing, the new version of the secret in Key Vault is not shown unless I delete and recreate the pod.

Pod spec as below:

apiVersion: v1
kind: Pod
metadata:
  name: demopod
spec:
  containers:
  - name: demopod
    image: nginx
    volumeMounts:
    - name: secretvolume
      mountPath: /opt
      readOnly: true
  volumes:
  - name: secretvolume
    flexVolume:
      driver: "azure/kv"
      secretRef:
        name: kvcreds
      options:
        usepodidentity: "false"
        resourcegroup: "xxxxx"
        keyvaultname: "yyyyy"
        keyvaultobjectname: "configfile"
        keyvaultobjecttype: secret
        subscriptionid: "xxxxx-yyyy-zzzzz"
        tenantid: "aaaaa-bbbbbb-cccccccc"

ritazh commented 5 years ago

@martin2176 What you have described is the expected behavior as a flexvolume is only mounted when the pod is created. To update the content pulled from the source, the pod will need to be restarted so that the flexvolume will mount the latest from source.

martin2176 commented 5 years ago

Thanks for the reply. Is it because the mount is actually referring to the object version number even though I left that out in the pod spec?

ritazh commented 5 years ago

The flex volume will only be triggered at the time the pod is created. During pod creation, the flex volume will look for the object version in keyvaultobjectversions. If you do not provide a keyvaultobjectversions or leave it empty in your spec, then it will use the latest version from Azure Key Vault. Once the pod is running, the flex volume's job is completed. The secret content is mounted as a volume to the mount point specified in the spec for as long as the pod is running.
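Since the flex volume resolves the Key Vault object only once, at pod creation, the practical way to make a rotated secret reach the workload is to have Kubernetes replace the pods. The manifest below is an added example, not from the original issue or the project's own docs: it moves the same flexVolume into a Deployment and pins the object version with the `keyvaultobjectversions` option that the maintainer named above. Because that option lives in the pod template, editing the pinned value is a template change, and the Deployment controller rolls out new pods that mount the new version; the old pods keep serving the old value until they are replaced. The placeholder version id and the resource identifiers (`xxxxx`, `yyyyy`, and so on) are assumptions, copied from the issue's own spec or marked as placeholders.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: demo
        image: nginx
        volumeMounts:
        - name: secretvolume
          mountPath: /opt
          readOnly: true
      volumes:
      - name: secretvolume
        flexVolume:
          driver: "azure/kv"
          secretRef:
            name: kvcreds
          options:
            usepodidentity: "false"
            resourcegroup: "xxxxx"
            keyvaultname: "yyyyy"
            keyvaultobjectname: "configfile"
            keyvaultobjecttype: secret
            # Pinned explicitly instead of left empty ("latest"). Bumping this value
            # after a rotation edits the pod template, so the Deployment rolls out new
            # pods that mount the new secret version; leaving it empty would give no
            # signal that anything changed. PLACEHOLDER_VERSION_ID is a placeholder.
            keyvaultobjectversions: "PLACEHOLDER_VERSION_ID"
            subscriptionid: "xxxxx-yyyy-zzzzz"
            tenantid: "aaaaa-bbbbbb-cccccccc"
```

If you prefer to keep `keyvaultobjectversions` empty so the mount always resolves to the latest version, the trade-off is that nothing in the manifest changes on rotation, so you have to trigger the rollout yourself (for example with `kubectl rollout restart deployment/demo`) and you lose the manifest as a record of which version the running pods should hold. Pinning the version keeps the deployed state auditable and makes an unrotated pod visible as a diff between the manifest and Key Vault.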