Open dmavis opened 10 months ago
Thanks for submitting this enhancement request @dmavis - I like the idea of adopting Conditions for all VSO CRDs.
Excellent! I completely agree that adding conditions to all CRDs would be the best option. In my internal work building Kubernetes controllers/operators, I've found using conditions to be a great, flexible way to communicate various status details and many Kubernetes-based tools automatically have some understanding of them.
The missing status is unfortunate, since I tried to implement a custom health-indicator for ArgoCD, but there is nothing inside the `VaultStaticSecret` or `VaultDynamicSecret` resources that I can work with to assess the health of the object. This means that these objects always appear to be "healthy" when looking at them via the ArgoCD UI.
For comparison, external-secrets.io properly sets the `status` of their resources, and ArgoCD even bundles an appropriate health-check: https://github.com/argoproj/argo-cd/blob/master/resource_customizations/external-secrets.io/ExternalSecret/health.lua
Currently, this is the best I can do:
```yaml
resource.customizations: |
  secrets.hashicorp.com/VaultStaticSecret:
    health.lua: |
      hs = {}
      hs.status = "Progressing"
      hs.message = "Waiting for Secret creation..."
      if obj.status ~= nil and obj.status.secretMAC ~= nil then
        hs.status = "Healthy"
        hs.message = ""
      end
      return hs
```
But this only works correctly when deploying the object for the first time. If the `VaultStaticSecret` degrades later (e.g. patched with a wrong configuration or some vault backend failure) there is currently no way to notice that and the object continues to appear as "healthy".
Is your feature request related to a problem? Please describe.
GitOps tools like Argo CD have the notion of resource health. When using Argo CD, the health of resources helps indicate if any issues or errors exist in the application. Teaching Argo CD about the health of Vault secrets resources like VaultStaticSecret and VaultDynamicSecret enables those resources to accurately provide their health status to Argo CD. Both the `VaultStaticSecret` and `VaultDynamicSecret` resources don't seem to have any fields in their `status` that would make that possible (e.g. a `valid` or `error` field or even the standard `conditions` field).

Describe the solution you'd like
Add field(s) to the `status` of `VaultStaticSecret` and `VaultDynamicSecret` resources that indicate the state of the secret, similar to the `valid` and `error` fields in the `VaultPKISecret`, `VaultAuth`, and `VaultConnection` resources. Even having a standard `conditions` field would help communicate any issues and provide easy access to any error details.

Describe alternatives you've considered
Clear communication of the resource status is critical when using the extensible, declarative resource model provided by Kubernetes, so any alternatives or workarounds would probably not be appropriate for this use case.
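
An illustration of the health check this request would make possible, added here and not taken from the issue or from the VSO project. It assumes the CRD gained a standard Kubernetes `status.conditions` list; the `Ready` condition type is hypothetical, and the resources discussed above have no such field.

```lua
-- Added example: Argo CD health.lua body for a VaultStaticSecret, ASSUMING
-- the CRD exposed a standard status.conditions list. The "Ready" condition
-- type is hypothetical; only the standard condition fields (type, status,
-- reason, message, observedGeneration) are relied on.
local hs = { status = "Progressing", message = "Waiting for Secret creation..." }

if obj.status == nil or obj.status.conditions == nil then
  return hs
end

for _, cond in ipairs(obj.status.conditions) do
  if cond.type == "Ready" then
    -- A condition computed for an older spec says nothing about the
    -- current one, e.g. right after the object was patched.
    if cond.observedGeneration ~= nil and obj.metadata.generation ~= nil
        and cond.observedGeneration < obj.metadata.generation then
      hs.message = "Waiting for the operator to reconcile the latest spec"
      return hs
    end
    if cond.status == "True" then
      hs.status = "Healthy"
      hs.message = cond.message or ""
    elseif cond.status == "False" then
      -- Failures after the first sync (bad configuration, Vault backend
      -- errors) would surface here instead of staying "Healthy".
      hs.status = "Degraded"
      hs.message = cond.message or cond.reason or "Secret sync failed"
    end
    -- status "Unknown" falls through and stays Progressing
    return hs
  end
end

return hs
```

Unlike a check keyed on `secretMAC`, this one re-evaluates on every status update, so a resource that synced once and later fails would stop reporting as healthy.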