
refresh time for dynamic ldap static-role secret

Open ninjadude333 opened this issue 2 years ago • 3 comments

Is your feature request related to a problem? Please describe.
Hi, when creating a dynamic LDAP secret of type static-role (semi-automatic), the LDAP user exists and Vault only periodically rotates its password. The Vault operator secret type is VaultDynamicSecret, therefore there isn't any option to add the refreshAfter: 60s parameter. In this case, how can I make sure the Vault operator will sync the newly rotated LDAP password to k8s? Is that working automatically by a trigger from Vault, or is there some kind of manual interval that can be configured?

Describe the solution you'd like
Either automatically trigger an update once Vault has rotated the password, or some kind of manual interval that can be configured.

Describe alternatives you've considered
None.

Additional context
Configuring the LDAP static role secret:

vault write ldap/static-role/hashicorp \
    dn='uid=hashicorp,ou=People,dc=ninjadude,dc=com' \
    username='hashicorp' \
    rotation_period="60m"

configuring the VaultDynamicSecret:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  namespace: default
  name: example-dyn
spec:
  vaultAuthRef: example
  mount: ldap
  path: static-cred/hashicorp
  allowStaticCreds: true
  destination:
    create: true
    name: dynamic1
  rolloutRestartTargets:
    - kind: "Deployment"
      name: "deployment-smb"

thanks Dave

ninjadude333 avatar Nov 08 '23 08:11 ninjadude333

This still seems to be an issue. You can configure refreshAfter for VaultDynamicSecret nowadays. But that still leaves some time between secret rotation taking place in Vault and refresh kicking in, when the application has stale credentials.

radek-sprta avatar Jan 24 '25 12:01 radek-sprta

I'm currently testing this feature as well; in my case I have a static-role configured to rotate the credentials of some Postgres user. In the cluster I have the VSO and a VaultDynamicSecret. The static-role has a rotation_period=1d and after that time period, the VSO seems to re-fetch the new credential. But if I manually rotate them in the Vault web UI, it does not seem that the VSO notices it. Is this meant to be this way?

bdeluca-igenius avatar Jan 24 '25 17:01 bdeluca-igenius

In the documentation for VaultDynamicSecretSpec, under refreshAfter, it states:

RefreshAfter a period of time for VSO to sync the source secret data, in duration notation e.g. 30s, 1m, 24h. This value only needs to be set when syncing from a secret's engine that does not provide a lease TTL in its response. The value should be within the secret engine's configured ttl or max_ttl. The source secret's lease duration takes precedence over this configuration when it is greater than 0.

It looks like refreshAfter is only considered if there is no lease duration specified.

Additionally, looking at https://github.com/hashicorp/vault-secrets-operator/blob/6c52b7c7ccd7ded831e40cdb4d2b5053a0fb0263/controllers/vaultdynamicsecret_controller.go, it seems that when allowStaticCreds is true, the refreshAfter is never considered at all.

It would be nice to have it able to respond to manual rotation. The workaround I used is to force a re-sync by making some change to the VaultDynamicSecret, e.g. by changing the refreshAfter value.

jmmk avatar Feb 25 '25 21:02 jmmk
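Added example, not code from the operator or from anyone in this thread: a small Python model of the staleness window the comments above describe, where a static-role password is rotated in Vault (by schedule or by hand) but the operator only re-reads static-cred/<name> when its own timer fires. It assumes the field names of Vault's static-cred read response (username, password, ttl, rotation_period, last_vault_rotation) and a hypothetical record of what the operator stored at its last sync; all values are constructed.

```python
"""Model the gap between a Vault static-role rotation and the operator's next sync.

Constructed data throughout. Field names follow Vault's static-cred read
response; the operator-side record is a stand-in for what VSO persisted
on its last sync (an assumption, not VSO's real status schema).
"""
from datetime import datetime, timedelta, timezone

# Constructed: what `vault read ldap/static-cred/hashicorp` might return
# shortly after someone rotated the role by hand at 12:00.
VAULT_RESPONSE = {
    "username": "hashicorp",
    "password": "constructed-password-after-manual-rotation",
    "ttl": 2700,                 # seconds until Vault's next scheduled rotation
    "rotation_period": 3600,     # 60m, as configured in the issue
    "last_vault_rotation": "2025-01-24T12:00:00Z",
}

# Constructed: what the operator knew when it last wrote the K8s Secret.
LAST_SYNC = {
    "last_vault_rotation": "2025-01-24T11:30:00Z",
    "synced_at": "2025-01-24T11:31:00Z",
    "next_sync_at": "2025-01-24T12:31:00Z",  # synced_at + ttl reported then
}


def parse_ts(value: str) -> datetime:
    """Parse Vault's RFC3339 UTC timestamps."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sync_due(record: dict, now: datetime) -> bool:
    """True once the operator's own timer would trigger a re-read."""
    return now >= parse_ts(record["next_sync_at"])


def next_sync_from_ttl(resp: dict, now: datetime) -> datetime:
    """Timer-driven schedule: re-read when the reported ttl elapses (assumed behaviour)."""
    return now + timedelta(seconds=int(resp["ttl"]))


def rotated_since_sync(resp: dict, record: dict) -> bool:
    """A manual rotation shows up as a newer last_vault_rotation than the one stored."""
    return parse_ts(resp["last_vault_rotation"]) > parse_ts(record["last_vault_rotation"])


def stale_seconds(resp: dict, record: dict, now: datetime) -> int:
    """How long the workload has been running on a password Vault already replaced."""
    if not rotated_since_sync(resp, record):
        return 0
    return int((now - parse_ts(resp["last_vault_rotation"])).total_seconds())
```

At 12:15 the password has been stale for 15 minutes, yet the operator's timer would not fire until 12:31; comparing last_vault_rotation on a cheap poll is one way to detect that window without waiting out the ttl.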