SparebankenVest / azure-key-vault-to-kubernetes

Azure Key Vault to Kubernetes (akv2k8s for short) makes it simple and secure to use Azure Key Vault secrets, keys and certificates in Kubernetes.
https://akv2k8s.io
Apache License 2.0

[BUG] Updating spec.vault.object.name doesn't result in updating an existing target secret #607

Open joyrex2001 opened 1 year ago

joyrex2001 commented 1 year ago

Components and versions

[X] Controller, version: 1.5.0 (docker image tag)
[ ] Env-Injector (webhook), version: x.x.x (docker image tag)
[ ] Other

Describe the bug

Updating the AzureKeyVaultSecret by changing spec.vault.object.name doesn't result in updating an existing target secret.

To Reproduce

Steps to reproduce the behavior:

Consider the following AzureKeyVaultSecret:

apiVersion: spv.no/v1
kind: AzureKeyVaultSecret
metadata:
  name: my-secret
spec:
  output:
    secret:
      name: my-secret
      dataKey: itsasecret
  vault:
    name: my-keyvault-dev
    object:
      name: version-de-secret
      type: secret

After applying the secret, a k8s secret my-secret will appear.

When patching the spec.vault.object.name with a different name, the target secret is not updated with the new values.

Patch command: kubectl patch akvs my-secret --type merge -p '{"spec":{"vault":{"object":{"name":"version-de-secret"}}}}'.

Expected behavior

When patching the spec.vault.object.name with a different name, the target secret should contain the values of the newly targeted keyvault secret.

Additional context

It looks like the md5 doesn't take spec.vault.object.name into account, making it seem the AzureKeyVaultSecret is not changed and nothing needs to be done.
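To illustrate the cause the report points at, here is an added Go example (not akv2k8s code; the Spec and VaultObject types and both hash functions are hypothetical): a change-detection hash that covers only the output Secret fields stays identical when spec.vault.object.name is patched, so no resync happens, while a hash over the whole spec changes.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Hypothetical, simplified akvs spec with the manifest fields from the issue (not the project's own types).
type VaultObject struct {
	Name string `json:"name"`
	Type string `json:"type"`
}

type Spec struct {
	OutputSecretName string      `json:"outputSecretName"`
	DataKey          string      `json:"dataKey"`
	VaultName        string      `json:"vaultName"`
	Object           VaultObject `json:"object"`
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// hashOutputOnly models the reported behaviour: only the output Secret side is
// hashed, so a change to the Key Vault source object is invisible.
func hashOutputOnly(s Spec) string {
	return md5Hex([]byte(s.OutputSecretName + "\x00" + s.DataKey))
}

// hashFullSpec covers every field that influences the produced Secret, the
// vault object name included; the JSON encoding keeps field order stable.
func hashFullSpec(s Spec) string {
	b, _ := json.Marshal(s) // cannot fail for plain string fields
	return md5Hex(b)
}

// changeDetected: resync when the hash stored on the Secret differs from the hash of the spec seen now.
func changeDetected(stored, current string) bool { return stored != current }

func main() {
	before := Spec{"my-secret", "itsasecret", "my-keyvault-dev", VaultObject{"version-de-secret", "secret"}}
	after := before
	after.Object.Name = "version-de-secret-v2" // constructed: the patched object name
	fmt.Println(changeDetected(hashOutputOnly(before), hashOutputOnly(after))) // false: no resync
	fmt.Println(changeDetected(hashFullSpec(before), hashFullSpec(after)))     // true: resync
}
```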

181192 commented 1 year ago

Hi @joyrex2001, good observation. Yes, the hashing logic only takes the secrets related to one akvs resource. Need to look into how to handle this; multiple akvs resources can also write to the same k8s secret.