
Rotate Credentials button in Static Role in VDS doesn't work for pods: no rolling updates. #494

Open
toasahi opened this issue Dec 5, 2023 · 3 comments
Labels
enhancement New feature or request vault-events

Comments


toasahi commented Dec 5, 2023


Describe the bug
The "Rotate credentials" button in the image changes the database password, but not the pod environment variable (Secret). You will not be able to connect.
The reason is obvious: the values of "rotationPeriod" and "rotationSchedule" in the VaultStaticCredsMetaData are not changed from the values when VaultDynamicSecrets is applied.
Therefore, the pod does not perform a rolling update when the "Rotate credentials" button is pressed.
This will cause a big problem in the future.

To Reproduce
Steps to reproduce the behavior:

  1. Enable database engine for postgres
  2. Create static role
  3. Apply the CRD of VSO.
  4. Specify Deployment to be rotated for VDS
  5. Press Rotate credential
  6. Pods don't do rolling updates.

Application deployment:

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: vso-db-demo
  namespace: default
spec:
  allowStaticCreds: true
  # Mount path of the secrets backend
  mount: db/postgres

  # Path to the secret
  path: static-creds/postgres-role

  # Where to store the secrets, end user will create the secret
  destination:
    create: true
    name: db-secret

  # Restart these pods when secrets rotated
  rolloutRestartTargets:
  - kind: Deployment
    name: postgres

  # Name of the CRD to authenticate to Vault
  vaultAuthRef: vault-auth
```

Expected behavior
VDS (StaticRole) uses a single User, so when the RotateCredentials button is pressed, the Pod should do a rolling update and the Secret should be rewritten.

Environment
  - Kubernetes version: EKS
  - vault: 1.15.1
  - vault-secrets-operator version: 0.4.0
  - postgres: 16.1.0

@toasahi toasahi added the bug Something isn't working label Dec 5, 2023
@benashz benashz added enhancement New feature or request and removed bug Something isn't working labels Dec 5, 2023
benashz (Collaborator) commented Dec 5, 2023

Hi @toasahi, currently, VSO does not support the use-case described in this issue, rather it relies on the interval set from the last sync. We plan to extend VSO to support Vault's notification system to reconcile the sort of event that you describe here. Stay tuned.

Thanks,

Ben

toasahi (Author) commented Dec 5, 2023

Hi @benashz, I am very excited about that feature. I look forward to future upgrades.

Thanks,

Asahi

@Floppy012

In the meantime: Would it be an option to have a flag that lets us force the refreshAfter period to take precedence over the lease time? Maybe even compare the last_vault_rotation with the one currently stored in the secret to detect whether a restart needs to happen.
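A sketch of the detection Floppy012 suggests, added here as an example and not VSO's own code: it reads last_vault_rotation from the static-creds response and compares it with the timestamp recorded when the Secret was last written, falling back to the password itself. The JSON field names are Vault's; the StaticCreds/SyncDecision types, the sample response and how the stored timestamp is persisted are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)
// StaticCreds: the fields of a Vault static-creds read response used here (Vault's JSON names).
type StaticCreds struct {
	Password          string    `json:"password"`
	LastVaultRotation time.Time `json:"last_vault_rotation"`
	RotationPeriod    int       `json:"rotation_period"` // seconds; the Rotate button does not change it
}

// ParseStaticCreds decodes the "data" object of a static-creds read response.
func ParseStaticCreds(body []byte) (StaticCreds, error) {
	var resp struct {
		Data StaticCreds `json:"data"`
	}
	err := json.Unmarshal(body, &resp)
	return resp.Data, err
}

// SyncDecision is what a controller should do after re-reading the static role.
type SyncDecision struct {
	UpdateSecret, RolloutRestart bool
	Reason                       string
}

// DecideSync compares Vault's last_vault_rotation with the timestamp recorded when the
// Secret was last written. The Rotate button advances last_vault_rotation but leaves
// rotation_period alone, so a schedule-driven sync misses it; the timestamp does not.
func DecideSync(v StaticCreds, storedRotation time.Time, storedPassword string) SyncDecision {
	switch {
	case v.LastVaultRotation.After(storedRotation):
		return SyncDecision{true, true, "last_vault_rotation advanced: out-of-band rotation"}
	case v.Password != storedPassword: // fallback if the stored timestamp is missing or wrong
		return SyncDecision{true, true, "password differs from the stored copy"}
	}
	return SyncDecision{false, false, "credentials unchanged"}
}
// Constructed sample response (not captured from a real Vault server).
const sampleStaticCreds = `{"data":{"password":"new-pw-after-rotate",
"last_vault_rotation":"2023-12-05T10:30:00.000000Z","rotation_period":86400}}`
func main() {
	creds, _ := ParseStaticCreds([]byte(sampleStaticCreds)) // input is constructed, so no error path
	stored, _ := time.Parse(time.RFC3339, "2023-12-05T09:00:00Z") // recorded at the last Secret write
	fmt.Printf("%+v\n", DecideSync(creds, stored, "old-pw"))
}
```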
