Ben Ash
Here's what we would expect to see in the nominal condition for an AWS creds sync with a 15m `default-lease-ttl` (5 VDS instances): ``` $ kubectl get events -n demo-ns...
If it is not possible to configure the value of the secret mount's `default-lease-ttl`, you can tune/lower the value of the [VaultDynamicSecretSpec](https://developer.hashicorp.com/vault/docs/platform/k8s/vso/api-reference#vaultdynamicsecretspec)'s `renewalPercent`, which will cause VSO to poll more...
Hi @Joshua-Beha, thanks for bringing this issue to our attention. I have flagged it for internal review by the team. Stay tuned. Ben
> One problem I see here is that leaseIDs are sensitive information: if you know the leaseID, you can revoke or renew it. It's not unusual for the /sys/leases/revoke endpoint...
Hi @joshbench, Thanks for reporting this issue. Would you mind setting the value on the VaultAuth's `.spec.aws.headerValue`, rather than in `.spec.headers`? See https://developer.hashicorp.com/vault/docs/platform/k8s/vso/api-reference#vaultauthconfigaws for more info. Please let us know if...
Thanks @dcaputo-harmoni, that's a good call out.
Hi @kdw174 - sorry to hear you encountered some issues with VSO. We have made a lot of improvements to the way the Vault tokens are handled with dynamic secrets, including...
Thanks for the PR @AdamTylerLynch -- we are going to take it over as it aligns with our ongoing platform validation work. Stay tuned!
Hi @marbon87, I will relay your request over to our release engineering team.
Closing in favor of #909