
VaultDynamicSecret fails to be updated when Vault rotates the credential #1002

jbouse opened this issue Jan 13, 2025 · 0 comments
Labels
bug Something isn't working


jbouse commented Jan 13, 2025

Describe the bug
While using a VaultDynamicSecret for a Vault database secret engine static role with a 90 day rotation period, VSO is unable to successfully rotate the k8s secret when Vault rotates the credentials.

In this instance we're rotating the database credentials for Grafana.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy Vault static role for database connection

```
vault read database/static-roles/grafana
Key                    Value
---                    -----
credential_type        password
db_name                grafana-rds
last_vault_rotation    2025-01-11T19:14:13.546015704Z
rotation_period        2160h
rotation_statements    []
username               grafana
```

  2. Deploy Grafana with envFrom for the k8s secret to be created by VSO as required

```yaml
envFrom:
  - secretRef:
      name: grafana-db-credentials
      optional: false
```

  3. Deploy VSO VaultDynamicSecret

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  annotations:
    database-host: <RDS DB DNS Name>:5432
  name: grafana-db-credentials
  namespace: monitoring
spec:
  allowStaticCreds: true
  destination:
    create: true
    name: grafana-db-credentials
    overwrite: true
    transformation:
      excludes:
        - password|username
      templates:
        GF_DATABASE_HOST:
          text: |
            {{- $grafana := get .Annotations "database-host" -}}
            {{ $grafana  | trim }}
        GF_DATABASE_PASSWORD:
          text: '{{ .Secrets.password | trim }}'
        GF_DATABASE_USER:
          text: '{{ .Secrets.username | trim }}'
  mount: database
  path: static-creds/grafana
  rolloutRestartTargets:
    - kind: Deployment
      name: grafana
  vaultAuthRef: grafana
```

The credentials are able to be retrieved manually and rotated successfully through Vault and confirmed to be operational. In fact, when VSO does retrieve them and create the k8s secret it works fine. The issue is only when the credentials are rotated.

Expected behavior
Expect that when the credentials are rotated, VSO will update the credentials, which should trigger the rolling restart, and the application service should be able to connect to the database and operate as normal.

Environment

  • Kubernetes version:
    • Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): EKS
    • Other configuration options or runtime services (istio, etc.): Vault 1.18.1
  • vault-secrets-operator version: 0.9.1
@jbouse jbouse added the bug Something isn't working label Jan 13, 2025
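The following is an added example, not code from the issue or from vault-secrets-operator. It models the sync path the report expects for a static role: render the three transformation templates from the VaultDynamicSecret above against what Vault returns for `database/static-creds/grafana`, detect whether the rendered data differs from what is already stored (which is what should drive the Secret update and the rollout restart), and derive the next rotation time from `last_vault_rotation` plus `rotation_period`. Assumptions: the sprig `trim` and `get` functions are stood in for by plain Go helpers, the `StaticCreds` struct and all credential and host values are constructed for the example, and the field names mirror the `vault read` output shown in the issue.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
	"time"
)

// StaticCreds holds the data a static-creds read returns that the sync needs.
// Field names mirror the vault read output in the issue; values are constructed.
type StaticCreds struct {
	Username          string
	Password          string
	LastVaultRotation time.Time
	RotationPeriod    time.Duration
}

// renderCtx mirrors the .Secrets and .Annotations fields the templates reference.
type renderCtx struct {
	Secrets     map[string]string
	Annotations map[string]string
}

// Stand-ins for the sprig functions used by the templates (assumption: same semantics).
var funcs = template.FuncMap{
	"trim": strings.TrimSpace,
	"get":  func(m map[string]string, k string) string { return m[k] },
}

// Templates copied from the VaultDynamicSecret in the issue. The host template is a
// YAML `|` block scalar, so its text ends with a newline.
var templates = map[string]string{
	"GF_DATABASE_HOST":     "{{- $grafana := get .Annotations \"database-host\" -}}\n{{ $grafana  | trim }}\n",
	"GF_DATABASE_PASSWORD": "{{ .Secrets.password | trim }}",
	"GF_DATABASE_USER":     "{{ .Secrets.username | trim }}",
}

// RenderSecret renders every template against the Vault data and CR annotations,
// returning the key/value pairs that would be written to the destination Secret.
func RenderSecret(creds StaticCreds, annotations map[string]string) (map[string]string, error) {
	c := renderCtx{
		Secrets:     map[string]string{"username": creds.Username, "password": creds.Password},
		Annotations: annotations,
	}
	out := make(map[string]string, len(templates))
	for key, text := range templates {
		t, err := template.New(key).Funcs(funcs).Parse(text)
		if err != nil {
			return nil, fmt.Errorf("parse %s: %w", key, err)
		}
		var buf bytes.Buffer
		if err := t.Execute(&buf, c); err != nil {
			return nil, fmt.Errorf("render %s: %w", key, err)
		}
		out[key] = buf.String()
	}
	return out, nil
}

// Changed reports whether the rendered data differs from the stored Secret data,
// i.e. whether a Secret update (and therefore the rollout restart) is due.
func Changed(current, rendered map[string]string) bool {
	if len(current) != len(rendered) {
		return true
	}
	for k, v := range rendered {
		if current[k] != v {
			return true
		}
	}
	return false
}

// NextRotation is when Vault will rotate the static role again.
func NextRotation(creds StaticCreds) time.Time {
	return creds.LastVaultRotation.Add(creds.RotationPeriod)
}

func main() {
	last, _ := time.Parse(time.RFC3339Nano, "2025-01-11T19:14:13.546015704Z")
	before := StaticCreds{Username: "grafana", Password: "old-password-CONSTRUCTED",
		LastVaultRotation: last, RotationPeriod: 2160 * time.Hour}
	ann := map[string]string{"database-host": "db.example.invalid:5432"} // constructed
	stored, _ := RenderSecret(before, ann)

	// Simulate Vault rotating the role: new password, new last_vault_rotation.
	after := before
	after.Password = "new-password-CONSTRUCTED"
	after.LastVaultRotation = NextRotation(before)
	rendered, _ := RenderSecret(after, ann)

	fmt.Printf("secret needs update: %v\n", Changed(stored, rendered))
	fmt.Printf("next rotation: %s\n", NextRotation(after).UTC().Format(time.RFC3339))
	for k, v := range rendered {
		fmt.Printf("%s=%q\n", k, v)
	}
}
```

In this model the `GF_DATABASE_HOST` value carries a trailing newline because the template text is a YAML `|` block scalar; writing it as `|-` drops that newline. Whether the operator strips it is not something the issue states, so the example renders the template text exactly as given.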