Closed tvoran closed 4 days ago
Is there any chance to implement this for Static Credentials of DB Secret Engines too? Or is this too far out of scope for this PR? (https://github.com/hashicorp/vault-secrets-operator/issues/494#issuecomment-1840689503)
Hi @Floppy012, DB Engine events are out of scope for this PR, but they're on our list for the future.
Support for triggering a VaultStaticSecret (VSS) sync from Vault events instead of just on a refresh interval. Adds a new parameter in a new config block (SyncConfig.InstantUpdates) that enables VSS Reconcile() to spawn a goroutine with a websocket client that receives event notifications from Vault, and triggers Reconcile() for the VSS using the controller's source channel. Uses a registry based on go-cache to store which VSSes have event watchers running, along with the event watcher's context cancel function and other control metadata.

Requirements:

Caveats:
Documentation update: https://github.com/hashicorp/vault/pull/27668
The websocket event client is built with the VaultStaticSecret's auth, so extra permissions will be needed on the policy for the associated VaultAuth role.
Example for a kv-v2 secret "campaign" with the engine mounted under "kv-marketing" in the "us-west-org" namespace:
And the corresponding VaultStaticSecret:
Vault event subscription status and errors are emitted as k8s events on the VaultStaticSecret object. For example:
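The watcher registry and trigger path described in the PR body, as an added illustration that is not code from this PR or from vault-secrets-operator. It assumes a simplified Event shape (only the kv-v2 data path and operation), replaces the websocket stream with a plain channel so it runs offline, and uses a mutex-guarded map where the PR uses go-cache. The key property it shows is the control metadata the description mentions: one watcher goroutine per VSS, keyed by namespace/name, with its context cancel function stored so a second Reconcile() does not start a duplicate and a deleted VSS can have its watcher torn down.

```go
package main

import (
	"context"
	"fmt"
	"strings"
	"sync"
)

// Event is a stripped-down view of a Vault kv-v2 event notification.
// Assumption for this example: only the mount-relative data path and the
// operation name are needed to decide whether a VSS must be reconciled.
type Event struct {
	Path      string // e.g. "kv-marketing/data/campaign"
	Operation string // e.g. "data-write", "data-delete"
}

// ReconcileRequest is what gets pushed onto the controller's source channel.
type ReconcileRequest struct {
	Namespace string // Kubernetes namespace of the VaultStaticSecret
	Name      string // VaultStaticSecret name
}

// watcherEntry is the per-VSS control metadata: the cancel func for the
// watcher goroutine and the Vault data path it filters events on.
type watcherEntry struct {
	cancel   context.CancelFunc
	dataPath string
}

// WatcherRegistry maps a VSS key ("namespace/name") to its running watcher.
// A mutex-guarded map stands in for the go-cache registry used by the PR.
type WatcherRegistry struct {
	mu      sync.Mutex
	entries map[string]*watcherEntry
	wg      sync.WaitGroup
}

func NewWatcherRegistry() *WatcherRegistry {
	return &WatcherRegistry{entries: make(map[string]*watcherEntry)}
}

func vssKey(req ReconcileRequest) string { return req.Namespace + "/" + req.Name }

// Start launches one watcher goroutine for the VSS unless one is already
// registered. events stands in for the websocket stream; trigger is the
// controller's source channel. Returns false when a watcher already exists.
func (r *WatcherRegistry) Start(parent context.Context, req ReconcileRequest,
	mount, path string, events <-chan Event, trigger chan<- ReconcileRequest) bool {
	k := vssKey(req)
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, running := r.entries[k]; running {
		return false
	}
	ctx, cancel := context.WithCancel(parent)
	// kv-v2 data lives under <mount>/data/<path>
	entry := &watcherEntry{
		cancel:   cancel,
		dataPath: strings.TrimSuffix(mount, "/") + "/data/" + strings.TrimPrefix(path, "/"),
	}
	r.entries[k] = entry
	r.wg.Add(1)
	go func() {
		defer r.wg.Done()
		defer r.removeIf(k, entry) // only drop our own entry, never a successor's
		for {
			select {
			case <-ctx.Done():
				return
			case ev, ok := <-events:
				if !ok {
					return // stream closed: exit and let the next Reconcile() restart
				}
				if ev.Path != entry.dataPath {
					continue // event for some other secret on this mount
				}
				select {
				case trigger <- req: // enqueue a Reconcile() for this VSS
				case <-ctx.Done():
					return
				}
			}
		}
	}()
	return true
}

// removeIf deletes the registry entry only if it is still the given one.
func (r *WatcherRegistry) removeIf(k string, e *watcherEntry) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.entries[k] == e {
		delete(r.entries, k)
	}
}

// Stop cancels and unregisters the watcher for the VSS (e.g. on deletion).
func (r *WatcherRegistry) Stop(req ReconcileRequest) bool {
	k := vssKey(req)
	r.mu.Lock()
	e, ok := r.entries[k]
	if ok {
		delete(r.entries, k)
	}
	r.mu.Unlock()
	if ok {
		e.cancel()
	}
	return ok
}

// Running reports how many watchers are registered; Wait blocks until all
// watcher goroutines have exited.
func (r *WatcherRegistry) Running() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.entries)
}
func (r *WatcherRegistry) Wait() { r.wg.Wait() }

func main() {
	r := NewWatcherRegistry()
	events := make(chan Event)
	trigger := make(chan ReconcileRequest, 4)
	req := ReconcileRequest{Namespace: "marketing", Name: "campaign"}
	r.Start(context.Background(), req, "kv-marketing", "campaign", events, trigger)
	events <- Event{Path: "kv-marketing/data/campaign", Operation: "data-write"} // constructed event
	fmt.Printf("reconcile requested for %s\n", vssKey(<-trigger))
	r.Stop(req)
	r.Wait()
}
```

The second Start() for the same VSS returning false is what keeps repeated Reconcile() calls from stacking up websocket clients, and storing the cancel func is what lets a VSS deletion or a SyncConfig change tear the watcher down instead of leaking it.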