diff --git a/controllers/vaultstaticsecret_controller.go b/controllers/vaultstaticsecret_controller.go
index 7730b030a..b7f530d01 100644
--- a/controllers/vaultstaticsecret_controller.go
+++ b/controllers/vaultstaticsecret_controller.go
@@ -49,6 +49,9 @@ type VaultStaticSecretReconciler struct {
 ClientFactory vault.ClientFactory
 SecretDataBuilder *helpers.SecretDataBuilder
 HMACValidator helpers.HMACValidator
+ HMACHorizon time.Duration
+ MinRefreshAfter time.Duration
+ DefaultRefreshAfter time.Duration
 referenceCache ResourceReferenceCache
 GlobalTransformationOptions *helpers.GlobalTransformationOptions
 BackOffRegistry *BackOffRegistry
@@ -99,7 +102,7 @@ func (r *VaultStaticSecretReconciler) Reconcile(ctx context.Context, req ctrl.Re
 var requeueAfter time.Duration
 if o.Spec.RefreshAfter != "" {
- d, err := parseDurationString(o.Spec.RefreshAfter, ".spec.refreshAfter", 0)
+ d, err := parseDurationString(o.Spec.RefreshAfter, ".spec.refreshAfter", r.MinRefreshAfter)
 if err != nil {
 logger.Error(err, "Field validation failed")
 r.Recorder.Eventf(o, corev1.EventTypeWarning, consts.ReasonVaultStaticSecret,
@@ -107,6 +110,8 @@ func (r *VaultStaticSecretReconciler) Reconcile(ctx context.Context, req ctrl.Re
 return ctrl.Result{RequeueAfter: computeHorizonWithJitter(requeueDurationOnError)}, nil
 }
 requeueAfter = computeHorizonWithJitter(d)
+ } else if r.DefaultRefreshAfter > 0 {
+ requeueAfter = computeHorizonWithJitter(r.DefaultRefreshAfter)
 }
 r.referenceCache.Set(SecretTransformation, req.NamespacedName,
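Review bot: The three new exported fields HMACHorizon, MinRefreshAfter and DefaultRefreshAfter on VaultStaticSecretReconciler carry no doc comments, so a caller wiring the struct elsewhere than main.go has nothing telling them what each interval governs or what the zero value means. Suggested comments, one above each field: `// HMACHorizon is the requeue interval used when no refreshAfter applies to the secret.`, `// MinRefreshAfter is the lower bound applied to .spec.refreshAfter.`, `// DefaultRefreshAfter is used when .spec.refreshAfter is unset; 0 disables it.` The struct definition continues outside the hunk.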
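Review bot: The operator-supplied DefaultRefreshAfter taken on the new `else if` branch is not subjected to MinRefreshAfter, whereas the user-supplied .spec.refreshAfter in the preceding hunk now is, so a default-refresh-after-vss smaller than min-refresh-after-vss yields a poll interval shorter than any CR is allowed to request (whether parseDurationString rejects or clamps values below the minimum is not visible here). Either reject that combination where the flags are defined in main.go (the `@@ -173` hunk) or clamp at this site: `} else if r.DefaultRefreshAfter > 0 {` / `requeueAfter = computeHorizonWithJitter(max(r.DefaultRefreshAfter, r.MinRefreshAfter))`; if the module's Go version predates the builtin max, an if statement does the same. The enclosing Reconcile method starts and ends outside the hunk.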
@@ -153,8 +158,7 @@ func (r *VaultStaticSecretReconciler) Reconcile(ctx context.Context, req ctrl.Re
 // we want to ensure that requeueAfter is set so that we can perform the proper drift detection during each reconciliation.
 // setting up a watcher on the Secret is also possibility, but polling seems to be the simplest approach for now.
 if requeueAfter == 0 {
- // hardcoding a default horizon here, perhaps we will want to make this value public?
- requeueAfter = computeHorizonWithJitter(time.Second * 60)
+ requeueAfter = computeHorizonWithJitter(r.HMACHorizon)
 }
 // doRolloutRestart only if this is not the first time this secret has been synced
diff --git a/main.go b/main.go
index 3bce46ba8..e309a4f1d 100644
--- a/main.go
+++ b/main.go
@@ -137,6 +137,9 @@ func main() {
 var uninstall bool
 var preDeleteHookTimeoutSeconds int
 var minRefreshAfterHVSA time.Duration
+ var hmacHorizonVSS time.Duration
+ var minRefreshAfterVSS time.Duration
+ var defaultRefreshAfterVSS time.Duration
 var globalTransformationOpts string
 var globalVaultAuthOpts string
 var backoffInitialInterval time.Duration
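Review bot: The fallback inside `if requeueAfter == 0` now reads r.HMACHorizon, a plain struct field whose zero value is 0, so a reconciler built without it (tests, or wiring other than main.go) or an hmac-horizon-vss of 0 or less passes a non-positive duration to computeHorizonWithJitter, and the periodic requeue the comment above relies on for drift detection is dropped or reduced to jitter alone (what computeHorizonWithJitter returns for a non-positive input is not visible here); a very small positive value likewise turns this into a tight polling loop against Vault and the API server. Keeping the previous 60s as the guard value preserves the old behaviour for the zero case: `horizon := r.HMACHorizon` / `if horizon <= 0 { horizon = time.Second * 60 }` / `requeueAfter = computeHorizonWithJitter(horizon)`. The flag site in main.go (the `@@ -173` hunk) accepts the value without a range check, so the guard is needed at one of the two places. Reconcile starts and ends outside the hunk.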
@@ -173,6 +176,12 @@ func main() {
 "Pre-delete hook timeout in seconds")
 flag.DurationVar(&minRefreshAfterHVSA, "min-refresh-after-hvsa", time.Second*30,
 "Minimum duration between HCPVaultSecretsApp resource reconciliation.")
+ flag.DurationVar(&hmacHorizonVSS, "hmac-horizon-vss", time.Second*60,
+ "Duration between VaultStaticSecret resource reconciliation, when using HMAC.")
+ flag.DurationVar(&minRefreshAfterVSS, "min-refresh-after-vss", 0,
+ "Minimum duration between VaultStaticSecret resource reconciliation.")
+ flag.DurationVar(&defaultRefreshAfterVSS, "default-refresh-after-vss", 0,
+ "Global default for refreshAfter of VaultStaticSecret resources. Set to 0 to disable.")
 flag.StringVar(&globalTransformationOpts, "global-transformation-options", "",
 fmt.Sprintf("Set global secret transformation options as a comma delimited string. "+
 "Also set from environment variable VSO_GLOBAL_TRANSFORMATION_OPTIONS. "+
@@ -449,6 +458,9 @@ func main() {
 Recorder: mgr.GetEventRecorderFor("VaultStaticSecret"),
 SecretDataBuilder: secretDataBuilder,
 HMACValidator: hmacValidator,
+ HMACHorizon: hmacHorizonVSS,
+ MinRefreshAfter: minRefreshAfterVSS,
+ DefaultRefreshAfter: defaultRefreshAfterVSS,
 ClientFactory: clientFactory,
 BackOffRegistry: controllers.NewBackOffRegistry(backoffOpts...),
 GlobalTransformationOptions: globalTransOptions,
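Review bot: The three new DurationVar registrations accept any value, so a negative duration for any of them, a non-positive hmac-horizon-vss, and a default-refresh-after-vss below min-refresh-after-vss are all taken as given and copied into the reconciler in the `@@ -449` hunk, where they shorten or remove the poll interval with no diagnostic at startup. A small validation helper called once after flag.Parse() (which is outside this hunk, so the placement is inferred) closes that off in one place; the help text for hmac-horizon-vss could also state the expectation, e.g. `"Duration between VaultStaticSecret resource reconciliation, when using HMAC. Must be greater than 0."`. main continues well beyond this hunk.
```go
// … unchanged: remaining flag definitions and flag.Parse() …
if err := validateVSSIntervals(hmacHorizonVSS, minRefreshAfterVSS, defaultRefreshAfterVSS); err != nil {
	// … report err the way main.go reports other invalid options, then exit non-zero …
}

// validateVSSIntervals rejects VaultStaticSecret interval settings that would
// disable the poll, make it negative, or set a default below the configured minimum.
func validateVSSIntervals(hmacHorizon, minRefreshAfter, defaultRefreshAfter time.Duration) error {
	switch {
	case hmacHorizon <= 0:
		return fmt.Errorf("hmac-horizon-vss must be greater than 0, got %s", hmacHorizon)
	case minRefreshAfter < 0:
		return fmt.Errorf("min-refresh-after-vss must not be negative, got %s", minRefreshAfter)
	case defaultRefreshAfter < 0:
		return fmt.Errorf("default-refresh-after-vss must not be negative, got %s", defaultRefreshAfter)
	case defaultRefreshAfter > 0 && defaultRefreshAfter < minRefreshAfter:
		return fmt.Errorf("default-refresh-after-vss (%s) must not be less than min-refresh-after-vss (%s)", defaultRefreshAfter, minRefreshAfter)
	}
	return nil
}
```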