hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
https://hashicorp.com

Status fields for resource health in VaultStaticSecret and VaultDynamicSecret resources #538

Open dmavis opened 10 months ago

dmavis commented 10 months ago

Is your feature request related to a problem? Please describe.
GitOps tools like Argo CD have the notion of resource health. When using Argo CD, the health of resources helps indicate if any issues or errors exist in the application. Teaching Argo CD about the health of Vault secrets resources like VaultStaticSecret and VaultDynamicSecret enables those resources to accurately provide their health status to Argo CD. Both the VaultStaticSecret and VaultDynamicSecret resources don't seem to have any fields in their status that would make that possible (e.g. a valid or error field or even the standard conditions field).

Describe the solution you'd like
Add field(s) to the status of VaultStaticSecret and VaultDynamicSecret resources that indicate the state of the secret, similar to the valid and error fields in the VaultPKISecret, VaultAuth, and VaultConnection resources. Even having a standard conditions field would help communicate any issues and provide easy access to any error details.

Describe alternatives you've considered
Clear communication of the resource status is critical when using the extensible, declarative resource model provided by Kubernetes, so any alternatives or workarounds would probably not be appropriate for this use case.

benashz commented 9 months ago

Thanks for submitting this enhancement request @dmavis - I like the idea of adopting Conditions for all VSO CRDs.

dmavis commented 9 months ago

> Thanks for submitting this enhancement request @dmavis - I like the idea of adopting Conditions for all VSO CRDs.

Excellent! I completely agree that adding conditions to all CRDs would be the best option. In my internal work building Kubernetes controllers/operators, I've found using conditions to be a great, flexible way to communicate various status details and many Kubernetes-based tools automatically have some understanding of them.

ChristianCiach commented 5 months ago

The missing status is unfortunate, since I tried to implement a custom health-indicator for ArgoCD, but there is nothing inside the VaultStaticSecret or VaultDynamicSecret resources that I can work with to assess the health of the object. This means that these objects always appear to be "healthy" when looking at them via the ArgoCD UI.

For comparison, external-secrets.io properly sets the status of their resources, and ArgoCD even bundles an appropriate health-check: https://github.com/argoproj/argo-cd/blob/master/resource_customizations/external-secrets.io/ExternalSecret/health.lua

Currently, this is the best I can do:

```yaml
  resource.customizations: |
    secrets.hashicorp.com/VaultStaticSecret:
      health.lua: |
        hs = {}
        hs.status = "Progressing"
        hs.message = "Waiting for Secret creation..."
        if obj.status ~= nil and obj.status.secretMAC ~= nil then
          hs.status = "Healthy"
          hs.message = ""
        end
        return hs
```

But this only works correctly when deploying the object for the first time. If the VaultStaticSecret degrades later (e.g. patched with a wrong configuration or some vault backend failure) there is currently no way to notice that and the object continues to appear as "healthy".
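As an added example (not from the issue thread or the VSO project), the Argo CD health script below shows how the check above could be extended once VSO exposes a standard `status.conditions` list, as requested in this issue. The `Ready` condition type and its `reason`/`message` values are assumptions for illustration; VSO does not set them today, so the script falls back to the `secretMAC` check from the comment above when no conditions are present. A `Ready=False` condition maps to Argo CD's `Degraded` state, which is the case the `secretMAC`-only check cannot detect.

```lua
-- Added example: Argo CD health check for VaultStaticSecret that prefers
-- standard Kubernetes conditions (hypothetical for VSO) and otherwise
-- falls back to the secretMAC signal that exists today.

local function health(obj)
  local hs = { status = "Progressing", message = "Waiting for Secret creation..." }
  if obj.status == nil then
    return hs
  end

  -- Preferred path: a standard conditions list. The "Ready" type is an assumption.
  if obj.status.conditions ~= nil then
    for _, c in ipairs(obj.status.conditions) do
      if c.type == "Ready" then
        if c.status == "True" then
          hs.status = "Healthy"
          hs.message = c.message or ""
        elseif c.status == "False" then
          -- This is the degradation case the secretMAC-only check misses.
          hs.status = "Degraded"
          hs.message = (c.reason or "NotReady") .. ": " .. (c.message or "")
        else
          hs.status = "Progressing"
          hs.message = c.message or "Ready condition is Unknown"
        end
        return hs
      end
    end
  end

  -- Fallback: the only signal available today, as in the original comment.
  if obj.status.secretMAC ~= nil then
    hs.status = "Healthy"
    hs.message = ""
  end
  return hs
end

-- Constructed sample objects for offline testing (not real cluster data).
local samples = {
  fresh = {},
  synced_no_conditions = { status = { secretMAC = "constructed-mac" } },
  degraded = {
    status = {
      secretMAC = "constructed-mac",
      conditions = {
        { type = "Ready", status = "False",
          reason = "VaultRequestFailed", message = "constructed error message" },
      },
    },
  },
}

for name, obj in pairs(samples) do
  local r = health(obj)
  print(name, r.status, r.message)
end

-- Inside an Argo CD health.lua the object is the global `obj`, so the script
-- body would be the function above followed by:
-- return health(obj)
```

In the Argo CD ConfigMap, paste the `health` function into `health.lua` and end the script with `return health(obj)`; the sample loop at the bottom is only for running the file locally with `lua`.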