Vault operator is setting VaultStaticSecret hmacSecretData field to true
Describe the bug
Vault operator is changing the hmacSecretData field value for a VaultStaticSecret after creation of the destination secret.
When creating a VaultStaticSecret with the hmacSecretData field set to false, vault operator changes it to true. This activates drift detection which is not the expected behavior when deploying with hmacSecretData = false.
To Reproduce
Steps to reproduce the behavior:
- Create a VaultStaticSecret resource with hmacSecretData set to false
Application deployment:
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: test
  namespace: test
spec:
  destination:
    create: true
    name: test
    overwrite: false
  hmacSecretData: false
  mount: test
  path: test
  refreshAfter: 0s
  type: kv-v2
  vaultAuthRef: test
Expected behavior
The hmacSecretData field of the VaultStaticSecret resource type retains the value that was submitted when creating or updating.
Environment
- Kubernetes version: 1.26
- vault-secrets-operator version: 0.6.0
On further analysis, this appears to occur on the first update of the VaultStaticSecret, when it adds the finalizer; subsequent manual updates of the hmacSecretData field retain the updated value.
Thanks for reporting this issue @bunniseng. We plan to release the fix in the upcoming v0.7.0 release.
Just to clarify a bit here. The default value of true was being set from the VaultStaticSecret CRD's default value for spec.hmacSecretData, and since the Go type for this field was bool the default was being applied at resource creation time even when explicitly set to false; changing the type to be a boolean pointer *bool resolved the issue.
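An added illustration of the explanation above; this is not the operator's own code. With a `bool` field carrying `omitempty`, an explicit `false` is dropped from the serialized object, so a CRD default of `true` fills it in; with `*bool`, a non-nil pointer to `false` stays on the wire and the default never applies. The two spec stand-ins, the `omitempty` tag and the defaulting emulation are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed stand-ins for the spec (assumption): only the field from the
// issue is modelled, once as bool and once as *bool, both with omitempty.
type specBool struct {
	HMACSecretData bool `json:"hmacSecretData,omitempty"`
}
type specPtr struct {
	HMACSecretData *bool `json:"hmacSecretData,omitempty"`
}

// wireForm shows what a client actually submits for the spec. Marshalling
// these plain structs cannot fail, so the error is discarded.
func wireForm(spec any) string {
	raw, _ := json.Marshal(spec)
	return string(raw)
}

// storedValue emulates API-server CRD defaulting (assumption): the default of
// true is applied only when the key is absent from the submitted object. It
// returns the value the cluster would hold for hmacSecretData.
func storedValue(spec any) (bool, error) {
	raw, err := json.Marshal(spec)
	if err != nil {
		return false, err
	}
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(raw, &obj); err != nil {
		return false, err
	}
	v, present := obj["hmacSecretData"]
	if !present {
		return true, nil // key missing: CRD default wins
	}
	var b bool
	err = json.Unmarshal(v, &b)
	return b, err
}

func main() {
	f := false
	b, _ := storedValue(specBool{HMACSecretData: false}) // explicit false is lost
	p, _ := storedValue(specPtr{HMACSecretData: &f})     // explicit false survives
	fmt.Printf("bool: %s -> %v, *bool: %s -> %v\n",
		wireForm(specBool{}), b, wireForm(specPtr{HMACSecretData: &f}), p)
}
```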
Released in https://github.com/hashicorp/vault-secrets-operator/releases/tag/v0.7.0