Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rollout in cycle with enabled rolloutRestartTargets #582

Closed
yotles opened this issue Feb 6, 2024 · 10 comments
Closed

rollout in cycle with enabled rolloutRestartTargets #582

yotles opened this issue Feb 6, 2024 · 10 comments
Labels
bug Something isn't working

Comments

@yotles
Copy link

yotles commented Feb 6, 2024

I've tried to use VaultStaticSecret to sync secrets from vault. And for proper rotating keys in secret I want to trigger deployment after updating secret in Vault. For this purpose I've added RolloutRestartTriggered to VaultStaticSecret. But even if I pinned version for secret kv-v2 my deployment triggered each minutes with logs Rollout restart triggered for {Deployment ***}. If I add for example to description RefreshAfter: 10s, it will be triggered each 10s.
At this time in logs of vault-secret-operator:
DEBUG events Rollout restart triggered for {Deployment ***} {"type": "Normal", "object": {"kind":"VaultStaticSecret","namespace":"***","name":"***","uid":"***","apiVersion":"secrets.hashicorp.com/v1beta1","resourceVersion":"***"}, "reason": "RolloutRestartTriggered"} DEBUG events Secret synced {"type": "Normal", "object": {"kind":"VaultStaticSecret","namespace":"***","name":"***","uid":"***","apiVersion":"secrets.hashicorp.com/v1beta1","resourceVersion":"***"}, "reason": "SecretRotated"}

To stop this behavior I've found only one solution, configure RefreshAfter for long period, for example 24h, in this way it works as expected, rollout restart happened only once when secret really changed with rotating version.

My VaultStaticSecret:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: ***
  namespace: ***
spec:
  type: kv-v2
  mount: ***
  path: ***
  destination:
    name: ***
    create: true
  version: 4
  vaultAuthRef: ***
  rolloutRestartTargets:
    - kind: Deployment
      name: ***

Expected behavior

RolloutRestartTriggered happened only when I've changed version of secret in VaultStaticSecret.

Environment

  • Kubernetes version: v1.24.0
    • Distribution: OpenShift
  • vault-secrets-operator version: 0.4.1
@yotles yotles added the bug Something isn't working label Feb 6, 2024
@yotles
Copy link
Author

yotles commented Feb 10, 2024

@benashz Do you know about this behavior, is it expected?

@benashz
Copy link
Collaborator

benashz commented Feb 13, 2024

@benashz Do you know about this behavior, is it expected?

@yotles - would you mind testing with spec.hmacSecretData=true on your VSS CR? I did not see it set in the example you have provide.

@yotles
Copy link
Author

yotles commented Feb 15, 2024

@benashz Thank you for replay. As I can see https://github.com/hashicorp/vault-secrets-operator/blob/v0.4.1/chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml hmacSecretData=true is default value. But even if I set it explicitly in VaultStaticSecret config and configured for example refreshAfter: 1m still get recreating pod each sync secret within 1 minute.

@bhaku
Copy link

bhaku commented Feb 20, 2024

@yotles We had the same problem. After updating to version 0.5.0 it went away, but remember to update the CRD!

@yotles
Copy link
Author

yotles commented Mar 4, 2024

@bhaku Yep, looks like this problem disappeared after updating to 0.5.1. Much appreciate for you advice!

@jameshwc
Copy link

Same issue here. We have deployments being rollout restarted every 30s (which is the refreshAfter value)
Here's the static secret yaml we have:

 spec:
   destination:
     create: true
     name: secretkv
     overwrite: false
   hmacSecretData: true
   mount: ***/
   path: ***
   refreshAfter: 30s
   rolloutRestartTargets:
   - kind: Deployment
     name: ***
   type: kv-v2
   vaultAuthRef: static-auth

Updated to v0.5.1 didn't solve this issue.

@bhaku
Copy link

bhaku commented Mar 14, 2024

@jameshwc did you remember about the CRD update? They will not be updated when you update the version using helm.

@skeet70
Copy link

skeet70 commented Mar 27, 2024
edited

On version 0.5.2, CRDs have been updated, but

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: argocd-secret
spec:
  vaultAuthRef: argocd
  mount: secret
  type: kv-v2
  path: argocd/argocd-secret
  destination:
    create: true
    overwrite: true
    name: argocd-secret
  rolloutRestartTargets:
  - kind: Deployment
    name: argocd-server

results in argocd-server coming up, working, and once confirmed working VSO triggers another rolling restart. This happens in an infinite ~1 min cycle so no downtime is detected, but we have some 10,000 revisions of the deployment over the last few days.

@benashz
Copy link
Collaborator

benashz commented May 14, 2024

@skeet70 - if you are using the rollout restart feature with static secrets, we recommend setting spec.hmacSecretData=true, that will ensure that only updated secret data triggers the rollout restart. In your example, the restarts will probably be triggered VSO restarting, since you are not specifying spec.refreshAfter.

@benashz
Copy link
Collaborator

benashz commented May 14, 2024

Going to close this issue out. If you are still encountering a related problem, please open a new issue linking to this one. Thanks.

@benashz benashz closed this as completed May 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@skeet70 @bhaku @yotles @benashz @jameshwc