hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
https://hashicorp.com

Artificial delay for eventually consistent secrets #271

Open adrianmoisey opened 1 year ago

adrianmoisey commented 1 year ago

Is your feature request related to a problem? Please describe.
Some secrets (i.e., AWS IAM) are eventually consistent and require a delay before they can be used.

Describe the solution you'd like
A method to introduce a delay before VSO writes secrets to Kubernetes.

Describe alternatives you've considered
It may be possible to get the pods that consume VSO secrets to have a delay before attempting to use their secrets, but then logic needs to be built into each application. It may make sense for VSO to handle this delay, as it is a central service/tool.

Additional context
To quote: https://developer.hashicorp.com/vault/docs/secrets/aws#usage

Unfortunately, IAM credentials are eventually consistent with respect to other Amazon services. If you are planning on using these credentials in a pipeline, you may need to add a delay of 5-10 seconds (or more) after fetching credentials before they can be used successfully.
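The consumer-side alternative mentioned in the issue above, sketched as an added example (not code from the issue, the linked PR, or VSO): instead of a fixed sleep, the application polls with the new credentials until they are accepted several times in a row, within a deadline. `Probe`, `WaitUntilConsistent`, `scriptedProbe` and `errRejected` are hypothetical names, and the probe results are constructed so the example runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Probe is a cheap authenticated call made with the new credentials (hypothetical hook).
type Probe func(ctx context.Context) error

var errRejected = errors.New("credential rejected (constructed)")

// WaitUntilConsistent polls probe until it succeeds `needed` times in a row; one success
// is not enough when a backend may accept a credential once and reject it next time.
func WaitUntilConsistent(ctx context.Context, probe Probe, needed int, interval time.Duration) (int, error) {
	streak, attempts := 0, 0
	var lastErr error
	for {
		attempts++
		if err := probe(ctx); err != nil {
			streak, lastErr = 0, err // a rejection restarts the count
		} else if streak++; streak >= needed {
			return attempts, nil
		}
		select {
		case <-ctx.Done(): // bounded wait: fail loudly instead of hanging
			return attempts, fmt.Errorf("credentials not usable after %d attempts: %w (last probe error: %v)", attempts, ctx.Err(), lastErr)
		case <-time.After(interval):
		}
	}
}

// scriptedProbe replays constructed results in order and repeats the final one forever.
func scriptedProbe(script ...error) Probe {
	i := 0
	return func(context.Context) error {
		err := script[i]
		if i < len(script)-1 {
			i++
		}
		return err
	}
}

func main() {
	p := scriptedProbe(errRejected, errRejected, nil, errRejected, nil, nil, nil)
	n, err := WaitUntilConsistent(context.Background(), p, 3, 10*time.Millisecond)
	fmt.Println(n, err) // 7 <nil>
}
```

This is the per-application logic the issue would prefer to avoid by having VSO delay the write centrally.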

adrianmoisey commented 3 months ago

This bug is still hurting us. Is there any way it can be prioritised? I made a PR but it hasn't been looked at.

adrianmoisey commented 2 months ago

Hey @benashz Sorry for the ping!

Would it be possible for someone to take a look at this issue? I did make a PR to handle it, but that went unreviewed. I'm happy to fix up that PR if needed.

Thanks.