hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
https://hashicorp.com

HVS: basic dynamic secrets support #917

Closed tvoran closed 2 months ago

tvoran commented 2 months ago

Fetches all dynamic secret key/value pairs along with the rest of the secrets in an HVS App, every RefreshAfter or at the renewalPercent of the TTL of the dynamic secrets, whichever comes first.

Adds a SyncConfig for HVS to the HCPVaultSecretsAppSpec to allow specifying a custom renewalPercent for dynamic secrets, otherwise the default is 67% of the TTL.

apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPVaultSecretsApp
metadata:
  name: myapp
spec:
  appName: sample-app
  hcpAuthRef: my-hc-org
  refreshAfter: 2h
  destination:
    name: myapp-secrets
    create: true
  syncConfig:
    dynamic:
      renewalPercent: 85

Adds the last observed state of each dynamic secret to HCPVaultSecretsAppStatus:

...
status:
  dynamicSecrets:
  - createdAt: "2024-09-12T17:02:50.742Z"
    expiresAt: "2024-09-12T18:02:50.742Z"
    name: gcp
    ttl: 3600s
  lastGeneration: 2
  secretMAC: la2TiOJ1XBvPmB1z3T/mINiwc0/AslBfSyOceN9UCtA=
...

Note: Caching dynamic secret responses in order to avoid constantly creating new secrets every Reconcile() is planned for a follow-on PR.
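The scheduling rule described above (sync at `refreshAfter` or at `renewalPercent` of the dynamic secret's TTL, whichever comes first), as an added illustration that is not the operator's own code: `DynamicSecretStatus`, `NextSync` and the fallback to 67% for an unset percent are assumptions of this example, with sample times taken from the status block in the PR.

```go
package main

import (
	"fmt"
	"time"
)

// DynamicSecretStatus carries the fields the PR's status example exposes
// for each dynamic secret (hypothetical type for this example).
type DynamicSecretStatus struct {
	Name      string
	CreatedAt time.Time
	ExpiresAt time.Time
}

// nextRenewal is the point at which a dynamic secret should be renewed:
// renewalPercent of its TTL, measured from CreatedAt.
func nextRenewal(s DynamicSecretStatus, renewalPercent int) time.Time {
	ttl := s.ExpiresAt.Sub(s.CreatedAt)
	return s.CreatedAt.Add(ttl * time.Duration(renewalPercent) / 100)
}

// NextSync returns how long to wait before the next sync: the earlier of
// refreshAfter (from now) and every dynamic secret's renewal point.
// A percent outside 1..100 is treated as unset and falls back to 67 (assumed).
func NextSync(now time.Time, refreshAfter time.Duration, renewalPercent int, secrets []DynamicSecretStatus) time.Duration {
	if renewalPercent <= 0 || renewalPercent > 100 {
		renewalPercent = 67
	}
	next := now.Add(refreshAfter)
	for _, s := range secrets {
		if r := nextRenewal(s, renewalPercent); r.Before(next) {
			next = r
		}
	}
	if d := next.Sub(now); d > 0 {
		return d
	}
	return 0 // already due: sync immediately
}

func main() {
	// Constructed sample matching the PR's status block: a 3600s "gcp" secret.
	created := time.Date(2024, 9, 12, 17, 2, 50, 742000000, time.UTC)
	gcp := DynamicSecretStatus{Name: "gcp", CreatedAt: created, ExpiresAt: created.Add(time.Hour)}
	fmt.Println(NextSync(created, 2*time.Hour, 85, []DynamicSecretStatus{gcp})) // 51m0s
}
```

With `refreshAfter: 2h` and `renewalPercent: 85`, the 3600s secret forces a sync after 51 minutes; shorten `refreshAfter` to 30m and that interval wins instead.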

tvoran commented 2 months ago

Thanks!