rollout in cycle with enabled rolloutRestartTargets #582
Comments
@benashz Do you know about this behavior, is it expected?
@benashz Thank you for reply. As I can see https://github.com/hashicorp/vault-secrets-operator/blob/v0.4.1/chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml
@yotles We had the same problem. After updating to version
@bhaku Yep, looks like this problem disappeared after updating to
Same issue here. We have deployments being rollout restarted every 30s (which is the

```yaml
spec:
  destination:
    create: true
    name: secretkv
    overwrite: false
  hmacSecretData: true
  mount: ***/
  path: ***
  refreshAfter: 30s
  rolloutRestartTargets:
  - kind: Deployment
    name: ***
  type: kv-v2
  vaultAuthRef: static-auth
```

Updated to v0.5.1 didn't solve this issue.
@jameshwc did you remember about the CRD update? They will not be updated when you update the version using helm.
On version

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: argocd-secret
spec:
  vaultAuthRef: argocd
  mount: secret
  type: kv-v2
  path: argocd/argocd-secret
  destination:
    create: true
    overwrite: true
    name: argocd-secret
  rolloutRestartTargets:
    - kind: Deployment
      name: argocd-server
```

results in
@skeet70 - if you are using the rollout restart feature with static secrets, we recommend setting
Going to close this issue out. If you are still encountering a related problem, please open a new issue linking to this one. Thanks.
I've tried to use `VaultStaticSecret` to sync secrets from Vault. And for proper rotating keys in secret I want to trigger deployment after updating secret in Vault. For this purpose I've added `RolloutRestartTriggered` to `VaultStaticSecret`. But even if I pinned version for secret kv-v2 my deployment triggered each minute with logs `Rollout restart triggered for {Deployment ***}`. If I add for example to description `RefreshAfter: 10s`, it will be triggered each 10s.

At this time in logs of vault-secret-operator:

```
DEBUG events Rollout restart triggered for {Deployment ***} {"type": "Normal", "object": {"kind":"VaultStaticSecret","namespace":"***","name":"***","uid":"***","apiVersion":"secrets.hashicorp.com/v1beta1","resourceVersion":"***"}, "reason": "RolloutRestartTriggered"}
DEBUG events Secret synced {"type": "Normal", "object": {"kind":"VaultStaticSecret","namespace":"***","name":"***","uid":"***","apiVersion":"secrets.hashicorp.com/v1beta1","resourceVersion":"***"}, "reason": "SecretRotated"}
```
To stop this behavior I've found only one solution: configure RefreshAfter for a long period, for example 24h. This way it works as expected; rollout restart happened only once, when the secret really changed with rotating version.
My VaultStaticSecret:
Expected behavior
RolloutRestartTriggered happened only when I've changed version of secret in VaultStaticSecret.
Environment
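As an added example (not part of the original issue or the operator's own code): a Python check that reads operator event lines in the format quoted in the issue and flags any VaultStaticSecret whose `RolloutRestartTriggered` events recur at the `refreshAfter` period, which is the symptom reported here. The leading timestamp, the sample namespace and resource names, and the `min_restarts` and `tolerance_s` parameters are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Operator event line: <timestamp> DEBUG events <message> <JSON fields>.
# The leading RFC 3339 timestamp is an assumption; the excerpt on the page has none.
LINE_RE = re.compile(r'^(\S+)\s+DEBUG\s+events\s+(.*?)\s+(\{"type".*\})\s*$')

def _sample_line(ts, name, msg, reason):
    """Build one constructed log line in the page's event format."""
    obj = {"kind": "VaultStaticSecret", "namespace": "apps", "name": name}
    fields = {"type": "Normal", "object": obj, "reason": reason}
    return f"{ts}\tDEBUG\tevents\t{msg}\t{json.dumps(fields)}"

# Constructed sample: "secretkv" restarts every 30s, "db-creds" only twice, hours apart.
_EVENTS = [("Rollout restart triggered for {Deployment web}", "RolloutRestartTriggered"),
           ("Secret synced", "SecretRotated")]
SAMPLE_LOG = "\n".join(
    [_sample_line(f"2024-05-01T10:0{m}:{s}Z", "secretkv", msg, why)
     for m, s in [(0, "00"), (0, "30"), (1, "00"), (1, "30")] for msg, why in _EVENTS]
    + [_sample_line(f"2024-05-01T{h}:00:10Z", "db-creds", *_EVENTS[0]) for h in ("10", "12")]
)

def parse_events(log_text):
    """Yield (timestamp, 'namespace/name', reason) for each event line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields = json.loads(m.group(3))
            obj = fields["object"]
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield ts, f'{obj["namespace"]}/{obj["name"]}', fields["reason"]

def restart_loops(log_text, refresh_after_s, min_restarts=3, tolerance_s=5):
    """Return {secret: restart count} where every restart gap matches refreshAfter."""
    restarts = defaultdict(list)
    for ts, secret, reason in parse_events(log_text):
        if reason == "RolloutRestartTriggered":
            restarts[secret].append(ts)
    flagged = {}
    for secret, times in restarts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = all(abs(g - refresh_after_s) <= tolerance_s for g in gaps)
        if len(times) >= min_restarts and periodic:
            flagged[secret] = len(times)
    return flagged
```

Calling `restart_loops(SAMPLE_LOG, 30)` flags only the secret that restarts on every refresh; a secret restarted on occasional real rotations is left alone.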