Vault
Instant updates for a VaultStaticSecret
Vault Secrets Operator (VSO) supports instant updates for VaultStaticSecrets by subscribing to event notifications from Vault.
Before you start
- You must have Vault Secrets Operator installed.
- You must use Vault Enterprise version 1.16.3 or later.
Step 1: Set event permissions
Grant these permissions in the policy associated with the VaultAuth role:
path "<kv mount>/<kv secret path>" {
capabilities = ["read", "list", "subscribe"]
subscribe_event_types = ["*"]
}
path "sys/events/subscribe/kv*" {
capabilities = ["read"]
}
Tip
See Event Notifications Policies for more information on Vault event notification permissions.
Step 2: Enable instant updates on the VaultStaticSecret
Set syncConfig.instantUpdates=true
in the VaultStaticSecret spec:
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
namespace: vso-example
name: vault-static-secret-v2
spec:
vaultAuthRef: vault-auth
mount: <kv mount>
type: kv-v2
path: <kv secret path>
version: 2
refreshAfter: 1h
destination:
create: true
name: static-secret2
syncConfig:
instantUpdates: true
Debugging
Check Kubernetes events on the VaultStaticSecret resource to see if VSO subscribed to Vault event notifications.
Example: VSO is subscribed to Vault event notifications for the secret
$ kubectl describe vaultstaticsecret vault-static-secret-v2 -n vso-example
...
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal SecretSynced 2s VaultStaticSecret Secret synced
Normal EventWatcherStarted 2s (x2 over 2s) VaultStaticSecret Started watching events
Normal SecretRotated 2s VaultStaticSecret Secret synced
Example: The VaultAuth role policy lacks the required event permissions
$ kubectl describe vaultstaticsecret vault-static-secret-v2 -n vso-example
...
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal SecretSynced 2s VaultStaticSecret Secret synced
Warning EventWatcherError 2s VaultStaticSecret Error while watching events:
failed to connect to vault websocket: error returned when opening event stream
web socket to wss://vault.vault.svc.cluster.local:8200/v1/sys/events/subscribe/kv%2A?json=true,
ensure VaultAuth role has correct permissions and Vault is Enterprise version
1.16 or above: {"errors":["1 error occurred:\n\t* permission denied\n\n"]}
Normal SecretRotated 2s VaultStaticSecret Secret synced