hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
https://hashicorp.com

Vault Operator resyncing secret when VaultStaticSecret hmacSecretData field has been set to false #748

Open bunniseng opened 1 month ago

bunniseng commented 1 month ago

Describe the bug

Vault operator is performing drift detection and resyncing the secret when setting hmacSecretData = false

To Reproduce

Steps to reproduce the behavior:

  1. Create a VaultStaticSecret resource with hmacSecretData set to false
  2. Once the secret is synced, update the hmacSecretData and reset back to false
  3. Delete leading vault operator

Application deployment:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: test
  namespace: test
spec:
  destination:
    create: true
    name: test
    overwrite: false
  hmacSecretData: false
  mount: test
  path: test
  refreshAfter: 0s
  type: kv-v2
  vaultAuthRef: test

Expected behavior

When hmacSecretData is set to false, the Vault operator does not resync the secret in any event.

Environment

benashz commented 1 month ago

Hi @bunniseng, I don't think that VSO supports the use case you have laid out in this issue. The example VaultStaticSecret will be synced once per leader election. So in step 3, when VSO starts up in a new Pod it will reconcile all configured VaultStaticSecrets, this is necessary to ensure that cluster state matches what is in Vault. I think what you might be looking for is a sync once feature?

Thanks,

Ben

bunniseng commented 1 month ago

Thanks for coming back so quickly on this. Yes a sync once capability is what I was hoping to achieve and would like to have implemented.

As for the documentation for the hmacSecretData field:

"HMACSecretData determines whether the Operator computes the HMAC of the Secret's data.

The MAC value will be stored in the resource's Status.SecretMac field, and will be used for drift detection and during incoming Vault secret comparison.

Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault."

I feel the description is a little misleading; it implies that setting the field to false would disable consistency reconciliation. Perhaps an update to the documentation would be good too, to make it a bit clearer what the field does in all situations.
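The quoted documentation says the HMAC stored in Status.SecretMac is used for drift detection, and Ben's reply explains why a freshly elected leader still reconciles everything: it starts with no in-memory state. The following Go program is an added illustration of that mechanism and is not code from the Vault Secrets Operator; it assumes a per-operator HMAC key (`operatorKey` below is a constructed placeholder) and uses a length-prefixed, sorted-key canonical encoding of the Secret's data that is the author's own choice, not VSO's. It shows what a stored MAC lets a reconciler decide, and what it cannot decide when no MAC was recorded (the `hmacSecretData: false` case from the issue).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
)

// DriftResult is the outcome of comparing an in-cluster Secret against the MAC
// recorded in the custom resource's status.
type DriftResult int

const (
	DriftUnknown  DriftResult = iota // no MAC recorded (hmacSecretData: false)
	DriftNone                        // Secret data matches the recorded MAC
	DriftDetected                    // Secret data differs from the recorded MAC
)

// canonicalize turns a Secret's data map into a deterministic byte string.
// Go map iteration order is randomized, so keys are sorted; each key and value
// is length-prefixed so that {"a":"bc"} and {"ab":"c"} cannot collide.
func canonicalize(data map[string][]byte) []byte {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var out []byte
	for _, k := range keys {
		out = appendLenPrefixed(out, []byte(k))
		out = appendLenPrefixed(out, data[k])
	}
	return out
}

func appendLenPrefixed(b, v []byte) []byte {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(v)))
	return append(append(b, l[:]...), v...)
}

// secretMAC is the hex HMAC-SHA256 of the canonical data under the operator key.
// A keyed MAC (rather than a plain hash) means a party who can edit the status
// field but does not hold the key cannot forge a matching value.
func secretMAC(key []byte, data map[string][]byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(canonicalize(data))
	return hex.EncodeToString(m.Sum(nil))
}

// checkDrift compares the Secret currently in the cluster with the MAC stored
// in status. With no stored MAC there is nothing to compare against, so the
// reconciler cannot tell whether the Secret still matches Vault.
func checkDrift(key []byte, storedMAC string, current map[string][]byte) DriftResult {
	if storedMAC == "" {
		return DriftUnknown
	}
	want, err := hex.DecodeString(storedMAC)
	if err != nil {
		return DriftDetected // corrupt status value: treat as drift and resync
	}
	m := hmac.New(sha256.New, key)
	m.Write(canonicalize(current))
	if hmac.Equal(m.Sum(nil), want) { // constant-time comparison
		return DriftNone
	}
	return DriftDetected
}

func main() {
	// Constructed sample data; not taken from a real Vault mount.
	operatorKey := []byte("example-operator-key-do-not-use")
	inVault := map[string][]byte{"username": []byte("app"), "password": []byte("s3cr3t")}
	inCluster := map[string][]byte{"password": []byte("s3cr3t"), "username": []byte("app")}

	mac := secretMAC(operatorKey, inVault) // what a reconciler would record in status
	fmt.Println("hmacSecretData=true, unchanged:", checkDrift(operatorKey, mac, inCluster))

	inCluster["password"] = []byte("edited-by-hand")
	fmt.Println("hmacSecretData=true, edited:", checkDrift(operatorKey, mac, inCluster))

	// hmacSecretData=false: nothing was recorded, so a restarted leader has no
	// basis for skipping the write and must resync to be sure.
	fmt.Println("hmacSecretData=false:", checkDrift(operatorKey, "", inCluster))
}
```

The point for the issue at hand is the last case: turning the MAC off removes the only evidence a new leader has about the Secret's current state, which is the opposite of a "sync once" switch.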