
refresh time for dynamic ldap static-role secret #445

Open
ninjadude333 opened this issue Nov 8, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@ninjadude333

Is your feature request related to a problem? Please describe.
Hi, when creating a dynamic LDAP secret of type static-role (semi-automatic), the LDAP user exists and Vault only periodically rotates its password. The Vault Operator secret type is VaultDynamicSecret, therefore there isn't any option to add the refreshAfter: 60s parameter.
In this case, how can I make sure the Vault Operator will sync the newly rotated LDAP password to k8s? Does that work automatically by a trigger from Vault, or is there some kind of manual interval that can be configured?

Describe the solution you'd like
Either automatically trigger an update once Vault has rotated the password, or some kind of manual interval that can be configured.

Describe alternatives you've considered
None.

Additional context
configuring the LDAP static role secret:

```shell
vault write ldap/static-role/hashicorp \
    dn='uid=hashicorp,ou=People,dc=ninjadude,dc=com' \
    username='hashicorp' \
    rotation_period="60m"
```

configuring the VaultDynamicSecret:

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  namespace: default
  name: example-dyn
spec:
  vaultAuthRef: example
  mount: ldap
  path: static-cred/hashicorp
  allowStaticCreds: true
  destination:
    create: true
    name: dynamic1
  rolloutRestartTargets:
    - kind: "Deployment"
      name: "deployment-smb"
```

Thanks,
Dave

@ninjadude333 ninjadude333 added the enhancement New feature or request label Nov 8, 2023
@radek-sprta

This still seems to be an issue. You can configure refreshAfter for VaultDynamicSecret nowadays. But that still leaves some time between the secret rotation taking place in Vault and the refresh kicking in, when the application has stale credentials.

@bdeluca-igenius

I'm currently testing this feature as well; in my case I have a static-role configured to rotate the credentials of some Postgres user. In the cluster I have the VSO and a VaultDynamicSecret. The static-role has a rotation_period=1d and after that time period, the VSO seems to re-fetch the new credential. But if I manually rotate them in the Vault web UI, it does not seem that the VSO notices it. Is this meant to be this way?
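Putting the two replies above together: the manifest from the original post with the refreshAfter interval the first reply mentions, so that a rotation happening between scheduled rotation_period boundaries (such as the manual UI rotation described in the second reply) reaches the Kubernetes Secret within a bounded window. This is an added example, not something posted in this thread; it assumes a VSO release in which VaultDynamicSecret accepts refreshAfter, and the 5m value is a constructed choice.

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  namespace: default
  name: example-dyn
spec:
  vaultAuthRef: example
  mount: ldap
  path: static-cred/hashicorp
  # Required for static-cred paths, which return no lease for VSO to renew.
  allowStaticCreds: true
  # Added for this example (constructed value): re-read the static-cred
  # endpoint every 5 minutes instead of relying on the 60m rotation_period
  # alone, so an out-of-band rotation is picked up within at most 5 minutes.
  refreshAfter: 5m
  destination:
    create: true
    name: dynamic1
  rolloutRestartTargets:
    - kind: Deployment
      name: deployment-smb
```

The worst-case window in which the workload holds a stale password is then roughly refreshAfter plus the rollout restart time, so choose a value well below rotation_period; every refresh is an authenticated read against Vault, so very short intervals trade staleness for audit-log volume and Vault load.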
