
deleting RandomSecret resource not removing secret in vault #134

Closed
kartikeyavashishth opened this issue Mar 21, 2023 · 7 comments

@kartikeyavashishth

The secret created in Vault is not cleaned up when the RandomSecret CR is deleted.

Following is the RandomSecret being used:

apiVersion: redhatcop.redhat.io/v1alpha1
kind: RandomSecret
metadata:
  name: test-random-secret
spec:
  authentication: 
    path: kubernetes
    role: test
    serviceAccount:
      name: test
  isKVSecretsEngineV2: true
  path: namespace/test-random-secret-a/
  secretKey: secret
  secretFormat:
    passwordPolicyName: 30-char

This can be replicated by creating (by adding YAML) and deleting a RandomSecret on the OpenShift console, or by adding a RandomSecret in a Helm chart.

@erlisb
Contributor

erlisb commented Mar 21, 2023 via email

@kartikeyavashishth
Author

Update: on further analysis we have noticed that upon deleting the RandomSecret CR the value of the secret is cleared from Vault; however, the key that was created by the CR is not removed.

@trevorbox
Contributor

If the RandomSecret is KV Secrets Engine v1, both the key and value of the secret are deleted. The path is not deleted.
If the RandomSecret is KV Secrets Engine v2, only the value is deleted. The key and path remain.
I'm curious, what level of "clean up" is expected and what problems emerge if things are not "cleaned up"? Scenarios would be helpful.

@trevorbox trevorbox self-assigned this Apr 5, 2023
@kartikeyavashishth
Author

One of the current use cases we have is a RandomSecret CR as part of a Helm chart for a DB instance.
For anyone/any pipeline using the chart to create an instance, the password is created using RandomSecret.

Each instance creates a key and value, and as per the current "cleanup" behaviour in Vault, the value is deleted and the key remains, leading to a list of keys in Vault that will never be used again.

@davoustp
Contributor

davoustp commented Jun 12, 2023

@trevorbox we do have a similar situation.

I find the default behavior safe and sound (this prevents erroneously deleting a critical secret, which can be recovered using kv-v2 version management).

But there are also automation-related use cases where being able to fully remove a kv-v2 secret (read: all its versions) when the CR is removed from k8s would be helpful.

So I would propose to be able to control the cleanup behavior using a new optional attribute in the RandomSecret resource, named clearAllVersionsOnDelete (default value: false), relevant only when isKVSecretsEngineV2 is set to true.
When this new attribute is set to true, the controller would trigger a DELETE onto the metadata endpoint instead of the data endpoint.

I've got code and tests handy, so I can then submit a PR with all this for you to review - just let me know!
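The data-versus-metadata endpoint distinction proposed above, as an added Go example that is not the operator's own code: it assumes the first component of the CR's path is the KV-v2 mount, uses a constructed in-process stand-in for Vault, and a placeholder token.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// kvV2DeletePath picks the KV-v2 endpoint to DELETE: the data endpoint only
// soft-deletes the latest version (key stays listable); metadata removes every version and the key.
func kvV2DeletePath(mount, secretPath string, clearAllVersions bool) string {
	if clearAllVersions {
		return fmt.Sprintf("/v1/%s/metadata/%s", mount, secretPath)
	}
	return fmt.Sprintf("/v1/%s/data/%s", mount, secretPath)
}

func deleteKVV2Secret(c *http.Client, addr, token, mount, secretPath string, clearAllVersions bool) (int, error) {
	req, err := http.NewRequest(http.MethodDelete, addr+kvV2DeletePath(mount, secretPath, clearAllVersions), nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// fakeVault is a constructed stand-in: records the last DELETE path, answers 204 like Vault, 403 without a token.
func fakeVault(last *string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodDelete || r.Header.Get("X-Vault-Token") == "" {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		*last = r.URL.Path
		w.WriteHeader(http.StatusNoContent)
	}))
}

func main() {
	var last string
	srv := fakeVault(&last)
	defer srv.Close()
	code, _ := deleteKVV2Secret(srv.Client(), srv.URL, "placeholder-token", "namespace", "test-random-secret-a", true)
	fmt.Println(code, last) // 204 /v1/namespace/metadata/test-random-secret-a
}
```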

@trevorbox
Contributor

I believe the current behavior is that the kv-v2 RandomSecret is permanently deleted. @davoustp perhaps your suggestion can be a separate feature enhancement? I believe this issue should be closed as of #174.

@davoustp
Contributor

@trevorbox I agree, this is a connected but separate improvement.
I'll drop a new issue and related PR as soon as I can.
