Conversation

@tvoran tvoran commented Oct 2, 2024

Caches HVS dynamic secrets (values and TTL/expiration info) for each HCPVaultSecretsApp in a k8s secret in the operator's namespace. This way dynamic secrets aren't fetched from the HVS API before the renewalPercent of their TTL (since each dynamic secret fetch from the HVS API creates and returns a new set of dynamic credentials, which would trigger rollout-restart, etc.).

The cache secret is named with a common prefix (vso-hvs) and a hash of the HCPVaultSecretsApp namespace and name, and has these labels and data layout:

```yaml
apiVersion: v1
data:
  <dynamic secret name>: <dynamic secret response from HVS>
  <dynamic secret name>: <dynamic secret response from HVS>
  vso-messageMAC: <HMAC of all the dynamic secrets>
kind: Secret
immutable: true
metadata:
  labels:
    app.kubernetes.io/component: hvs-dynamic-secret-cache
    app.kubernetes.io/managed-by: hashicorp-vso
    app.kubernetes.io/name: vault-secrets-operator
    hcpvaultsecretsapps.secrets.hashicorp.com/hvs-app-name: sample-app
    hcpvaultsecretsapps.secrets.hashicorp.com/name: myapp
    hcpvaultsecretsapps.secrets.hashicorp.com/namespace: default
    secrets.hashicorp.com/vso-ownerRefUID: c66776d8-c547-4183-bf77-3c0e70768712
  name: vso-hvs-e1859a3957fcac8cd9f511
  namespace: vault-secrets-operator-system
type: Opaque
```
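The cache layout above has three moving parts worth seeing end to end: a deterministic Secret name derived from the app's namespace and name, an HMAC over every cached dynamic-secret entry so a tampered or foreign cache is rejected instead of trusted, and a renewal check against renewalPercent of the TTL so HVS is only asked for a new credential set when the cached one is due. The Go program below is an added illustration written for this page, not code from vault-secrets-operator or from the PR. The hash function and 22-character truncation used for the name, the HMAC key source, the length-prefixed encoding fed into the MAC, and the `cachedDynamicSecret` fields (TTL kept beside the raw response rather than parsed out of it) are all assumptions made for the example; the real operator's choices may differ.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// cachedDynamicSecret models one cached HVS dynamic secret: the raw response
// plus the lease timing needed to decide when to re-fetch. These field names
// are assumptions for this example, not the operator's own types.
type cachedDynamicSecret struct {
	Name      string
	Response  []byte // raw HVS dynamic secret response, stored verbatim
	CreatedAt time.Time
	TTL       time.Duration
}

const (
	cacheNamePrefix = "vso-hvs-"       // common prefix from the PR description
	macKey          = "vso-messageMAC" // data key holding the HMAC
)

// cacheSecretName derives a deterministic Secret name from the app's namespace
// and name. The PR only says "a hash of the namespace and name"; SHA-256
// truncated to 22 hex characters is an assumption that matches the length of
// the example name vso-hvs-e1859a3957fcac8cd9f511.
func cacheSecretName(namespace, name string) string {
	sum := sha256.Sum256([]byte(namespace + "/" + name))
	return cacheNamePrefix + hex.EncodeToString(sum[:])[:22]
}

// computeMAC returns HMAC-SHA256 over all dynamic secret entries (excluding
// the MAC entry itself) in sorted key order, so the result does not depend on
// map iteration order. Keys and values are length-prefixed so that moving
// bytes between a key and its value cannot produce the same MAC input.
func computeMAC(key []byte, data map[string][]byte) []byte {
	names := make([]string, 0, len(data))
	for k := range data {
		if k != macKey {
			names = append(names, k)
		}
	}
	sort.Strings(names)
	mac := hmac.New(sha256.New, key)
	for _, k := range names {
		fmt.Fprintf(mac, "%d:%s:%d:", len(k), k, len(data[k]))
		mac.Write(data[k])
	}
	return mac.Sum(nil)
}

// buildCacheData produces the Secret's data map: one entry per dynamic secret
// plus vso-messageMAC covering all of them.
func buildCacheData(key []byte, secrets []cachedDynamicSecret) map[string][]byte {
	data := make(map[string][]byte, len(secrets)+1)
	for _, s := range secrets {
		data[s.Name] = s.Response
	}
	data[macKey] = computeMAC(key, data)
	return data
}

// verifyCacheData recomputes the MAC and compares it in constant time. A
// mismatch means the cache was altered, or written under a different key, and
// the caller should discard it and fetch fresh credentials from HVS.
func verifyCacheData(key []byte, data map[string][]byte) bool {
	stored, ok := data[macKey]
	if !ok {
		return false
	}
	return hmac.Equal(stored, computeMAC(key, data))
}

// needsRenewal reports whether the cached credential has reached
// renewalPercent of its TTL, the point at which a new set of dynamic
// credentials should be requested rather than served from the cache.
func needsRenewal(s cachedDynamicSecret, renewalPercent int, now time.Time) bool {
	threshold := time.Duration(float64(s.TTL) * float64(renewalPercent) / 100)
	return !now.Before(s.CreatedAt.Add(threshold))
}

func main() {
	// Constructed sample data; the key would come from the operator, not a literal.
	key := []byte("example-mac-key")
	created := time.Date(2024, 10, 2, 0, 0, 0, 0, time.UTC)
	secrets := []cachedDynamicSecret{
		{Name: "db-creds", Response: []byte(`{"username":"v-abc","password":"p1"}`), CreatedAt: created, TTL: time.Hour},
	}
	data := buildCacheData(key, secrets)
	fmt.Println(cacheSecretName("default", "myapp"), verifyCacheData(key, data))
	fmt.Println("renew at 41m:", needsRenewal(secrets[0], 67, created.Add(41*time.Minute)))
}
```

Two practical notes follow from the layout rather than from this example. Because the cache Secret is created with `immutable: true`, Kubernetes rejects in-place updates to its data, so a refresh means delete-and-recreate, which is why a verify-then-discard path matters. And since the cache holds live credentials in the operator's namespace, read access to Secrets there is equivalent to read access to every cached dynamic credential, so RBAC on that namespace deserves the same scrutiny as the destination Secrets themselves.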

Caches HVS dynamic secrets (values and TTL/expiration info) for each
HCPVaultSecretsApp in a k8s secret in the operator's namespace, so
that dynamic secrets aren't fetched/created from the HVS API before
the renewalPercent of their TTL.
@tvoran tvoran added this to the v0.9.0 milestone Oct 2, 2024
@tvoran tvoran marked this pull request as ready for review October 2, 2024 07:19
@tvoran tvoran requested a review from a team as a code owner October 2, 2024 07:19
@benashz benashz left a comment

This is looking really good!

tvoran commented Oct 7, 2024

Agree on the extra unit tests and periodic cleanup task, will work on those in a separate PR.

@tvoran tvoran requested a review from benashz October 7, 2024 06:46
@benashz benashz left a comment

LGTM!

tvoran commented Oct 7, 2024

Thanks!

@tvoran tvoran merged commit 0b17a0b into main Oct 7, 2024
43 checks passed
@tvoran tvoran deleted the VAULT-30921/hvs-dynamic-secrets-shadow branch October 7, 2024 21:03