VSS: Ensure all resource updates are synced.

Previously, whenever HMACSecretData was set to true and no data drift was detected, the reconciler would skip destination updates, like annotations, labels etc. This change adds tracking of a resource's generation to determine when the reconciler is handling a resource update.
hashicorp · Dec 4, 2023 · a76b030 · a76b030
1 parent f68311c
commit a76b030
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 3 deletions.
diff --git a/api/v1beta1/vaultstaticsecret_types.go b/api/v1beta1/vaultstaticsecret_types.go
@@ -56,6 +56,8 @@ type VaultStaticSecretSpec struct {
 
 // VaultStaticSecretStatus defines the observed state of VaultStaticSecret
 type VaultStaticSecretStatus struct {
+	// LastGeneration is the Generation of the last reconciled resource.
+	LastGeneration int64 `json:"lastGeneration"`
 	// SecretMAC used when deciding whether new Vault secret data should be synced.
 	//
 	// The controller will compare the "new" Vault secret data to this value using HMAC,

diff --git a/chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml b/chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml
@@ -151,6 +151,11 @@ spec:
           status:
             description: VaultStaticSecretStatus defines the observed state of VaultStaticSecret
             properties:
+              lastGeneration:
+                description: LastGeneration is the Generation of the last reconciled
+                  resource.
+                format: int64
+                type: integer
               secretMAC:
                 description: "SecretMAC used when deciding whether new Vault secret
                   data should be synced. \n The controller will compare the \"new\"
@@ -159,6 +164,8 @@ spec:
                   is also used to detect drift in the Destination Secret's Data. If
                   drift is detected the data will be synced to the Destination."
                 type: string
+            required:
+            - lastGeneration
             type: object
         type: object
     served: true

diff --git a/config/crd/bases/secrets.hashicorp.com_vaultstaticsecrets.yaml b/config/crd/bases/secrets.hashicorp.com_vaultstaticsecrets.yaml
@@ -151,6 +151,11 @@ spec:
           status:
             description: VaultStaticSecretStatus defines the observed state of VaultStaticSecret
             properties:
+              lastGeneration:
+                description: LastGeneration is the Generation of the last reconciled
+                  resource.
+                format: int64
+                type: integer
               secretMAC:
                 description: "SecretMAC used when deciding whether new Vault secret
                   data should be synced. \n The controller will compare the \"new\"
@@ -159,6 +164,8 @@ spec:
                   is also used to detect drift in the Destination Secret's Data. If
                   drift is detected the data will be synced to the Destination."
                 type: string
+            required:
+            - lastGeneration
             type: object
         type: object
     served: true

diff --git a/controllers/vaultstaticsecret_controller.go b/controllers/vaultstaticsecret_controller.go
@@ -100,7 +100,7 @@ func (r *VaultStaticSecretReconciler) Reconcile(ctx context.Context, req ctrl.Re
 	}
 
 	var doRolloutRestart bool
-	syncSecret := true
+	doSync := true
 	if o.Spec.HMACSecretData {
 		// we want to ensure that requeueAfter is set so that we can perform the proper drift detection during each reconciliation.
 		// setting up a watcher on the Secret is also possibility, but polling seems to be the simplest approach for now.
@@ -117,7 +117,11 @@ func (r *VaultStaticSecretReconciler) Reconcile(ctx context.Context, req ctrl.Re
 			return ctrl.Result{}, err
 		}
 
-		syncSecret = !macsEqual
+		// skip the next sync if the data has not changed since the last sync, and the
+		// resource has not been updated.
+		if o.Status.LastGeneration == o.GetGeneration() {
+			doSync = !macsEqual
+		}
 
 		o.Status.SecretMAC = base64.StdEncoding.EncodeToString(messageMAC)
 	} else if len(o.Spec.RolloutRestartTargets) > 0 {
@@ -126,7 +130,7 @@ func (r *VaultStaticSecretReconciler) Reconcile(ctx context.Context, req ctrl.Re
 			"targets", o.Spec.RolloutRestartTargets)
 	}
 
-	if syncSecret {
+	if doSync {
 		if err := helpers.SyncSecret(ctx, r.Client, o, data); err != nil {
 			r.Recorder.Eventf(o, corev1.EventTypeWarning, consts.ReasonSecretSyncError,
 				"Failed to update k8s secret: %s", err)
@@ -144,6 +148,7 @@ func (r *VaultStaticSecretReconciler) Reconcile(ctx context.Context, req ctrl.Re
 		r.Recorder.Event(o, corev1.EventTypeNormal, consts.ReasonSecretSync, "Secret sync not required")
 	}
 
+	o.Status.LastGeneration = o.GetGeneration()
 	if err := r.Status().Update(ctx, o); err != nil {
 		return ctrl.Result{}, err
 	}