Open bunniseng opened 1 month ago
Hi @bunniseng, I don't think that VSO supports the use case you have laid out in this issue. The example VaultStaticSecret will be synced once per leader election. So in step 3, when VSO starts up in a new Pod it will reconcile all configured VaultStaticSecrets; this is necessary to ensure that cluster state matches what is in Vault. I think what you might be looking for is a sync-once feature?
Thanks,
Ben
Thanks for coming back so quickly on this. Yes, a sync-once capability is what I was hoping to achieve and would like to have implemented.
As for the documentation for the hmacSecretData field:
"HMACSecretData determines whether the Operator computes the HMAC of the Secret's data.
The MAC value will be stored in the resource's Status.SecretMac field, and will be used for drift detection and during incoming Vault secret comparison.
Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault."
I feel the description is a little misleading: it implies that setting the field to false would disable consistency reconciliation. Perhaps an update to the documentation would be good too, to make it clearer what the field does in all situations.
Describe the bug
Vault operator is performing drift detection and resyncing the secret when setting hmacSecretData = false
To Reproduce
Steps to reproduce the behavior:
Application deployment:
Expected behavior
When hmacSecretData is set to false, vault operator does not resync the secret in any event.
Environment