From 5fe2ebb467e8ca81a6ce6e29e0feb669c439d4f8 Mon Sep 17 00:00:00 2001
From: Zlaticanin
Date: Tue, 22 Apr 2025 13:37:22 -0700
Subject: [PATCH 01/12] Fix VDS controller where 2 leases are being generated on initial deployment
---
 controllers/vaultdynamicsecret_controller.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index 2472fb94..3ebcf47d 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
@@ -396,6 +396,21 @@ func (r *VaultDynamicSecretReconciler) syncSecret(ctx context.Context, c vault.C
 ) (*secretsv1beta1.VaultSecretLease, bool, error) {
 logger := log.FromContext(ctx).WithName("syncSecret")
+ // check if lease already exists
+ if o.Status.SecretLease.ID != "" {
+ logger.V(consts.LogLevelDebug).Info("Lease already exists", "leaseID", o.Status.SecretLease.ID)
+ // if the lease is renewable, renew it
+ if o.Status.SecretLease.Renewable {
+ secretLease, err := r.renewLease(ctx, c, o)
+ if err != nil {
+ logger.Error(err, "Failed to renew lease")
+ return nil, false, err
+ }
+ o.Status.SecretLease = *secretLease
+ return secretLease, false, nil
+ }
+ }
+
 resp, err := r.doVault(ctx, c, o)
 if err != nil {
 return nil, false, err
From b720864cb318956fc1bc23e93e3e7ccfbd4e0272 Mon Sep 17 00:00:00 2001
From: Zlaticanin
Date: Tue, 22 Apr 2025 14:31:10 -0700
Subject: [PATCH 02/12] update
---
 controllers/vaultdynamicsecret_controller.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index 3ebcf47d..a48bf26c 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
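Review bot: A failed `r.renewLease` in the new early-return path returns the error rather than falling through to `r.doVault`, so a lease that Vault has already expired or revoked (controller down past the TTL, operator revocation, Vault restart) keeps the VaultDynamicSecret in an error-requeue loop while the Kubernetes Secret holds dead credentials; whether renewLease lets callers tell a transient failure from a gone lease is not visible here. Unless it does, the `return nil, false, err` after `logger.Error(err, "Failed to renew lease")` should instead log at debug and continue to the fresh read, e.g. `logger.V(consts.LogLevelDebug).Info("Renewal failed, requesting a new lease", "leaseID", o.Status.SecretLease.ID)`. The renewable branch also returns without calling `helpers.SyncSecret`, so a destination Secret that was deleted or re-targeted by a spec change is not rewritten while the old lease is alive; syncSecret continues past this hunk.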
@@ -408,6 +408,9 @@ func (r *VaultDynamicSecretReconciler) syncSecret(ctx context.Context, c vault.C
 }
 o.Status.SecretLease = *secretLease
 return secretLease, false, nil
+ } else {
+ // Handle static creds
+ return &o.Status.SecretLease, false, nil
 }
 }
From 38b7dfe76f6c6303559a727fb4f4289265e3e77c Mon Sep 17 00:00:00 2001
From: Zlaticanin
Date: Tue, 22 Apr 2025 15:13:04 -0700
Subject: [PATCH 03/12] fix
---
 controllers/vaultdynamicsecret_controller.go | 74 +++++++++-----------
 1 file changed, 33 insertions(+), 41 deletions(-)
diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index a48bf26c..6dd31ce3 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
@@ -409,8 +409,35 @@ func (r *VaultDynamicSecretReconciler) syncSecret(ctx context.Context, c vault.C
 o.Status.SecretLease = *secretLease
 return secretLease, false, nil
 } else {
- // Handle static creds
- return &o.Status.SecretLease, false, nil
+ staticCredsMeta, rotatedResponse, err := r.awaitVaultSecretRotation(ctx, o, c, nil)
+ if err != nil {
+ return nil, false, err
+ }
+
+ data, err := rotatedResponse.SecretK8sData(opt)
+ if err != nil {
+ return nil, false, err
+ }
+
+ dataToMAC := maps.Clone(data)
+ for _, k := range []string{"ttl", "rotation_schedule", "rotation_period", "last_vault_rotation", "_raw"} {
+ delete(dataToMAC, k)
+ }
+
+ macsEqual, messageMAC, err := helpers.HandleSecretHMAC(ctx, r.SecretsClient, r.HMACValidator, o, dataToMAC)
+ if err != nil {
+ return nil, false, err
+ }
+
+ logger.V(consts.LogLevelTrace).Info("Secret HMAC", "macsEqual", macsEqual)
+
+ o.Status.SecretMAC = base64.StdEncoding.EncodeToString(messageMAC)
+ if macsEqual {
+ return r.getVaultSecretLease(rotatedResponse.Secret()), false, nil
+ }
+
+ o.Status.StaticCredsMetaData = *staticCredsMeta
+ logger.V(consts.LogLevelDebug).Info("Static creds", "status", o.Status)
 }
 }
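Review bot: The new `else` branch hands back `&o.Status.SecretLease` for every non-renewable lease without checking `o.Spec.AllowStaticCreds` or the lease's remaining TTL, so a non-renewable dynamic credential with a finite lease is never re-issued once its ID is in status, and the Secret keeps credentials Vault will revoke at TTL. The comment `// Handle static creds` describes an intent the condition does not enforce; gate the branch on `o.Spec.AllowStaticCreds` and let other non-renewable leases fall through to `r.doVault`, or state why that is unnecessary. The function continues outside the hunk.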
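Review bot: In the static-creds branch the rotated `data` is computed and HMAC'd but never written: when `macsEqual` is false the branch stores `o.Status.StaticCredsMetaData` and then exits the `if`/`else`, so control reaches `r.doVault` below this hunk and syncs that second read, which both re-reads the secret and leaves `o.Status.SecretMAC` computed over data that is not what ends up in the Secret. Either call `helpers.SyncSecret(ctx, r.Client, o, data)` and return the rotated lease inside the branch, or carry `data`/`rotatedResponse` into the common path instead of re-reading. The call `r.awaitVaultSecretRotation(ctx, o, c, nil)` is also new; whether that helper tolerates a nil response is not visible in the hunk and should be confirmed.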
@@ -423,44 +450,9 @@ func (r *VaultDynamicSecretReconciler) syncSecret(ctx context.Context, c vault.C
 return nil, false, errors.New("nil response")
 }
- var data map[string][]byte
- secretLease := r.getVaultSecretLease(resp.Secret())
- if !r.isRenewableLease(secretLease, o, true) && o.Spec.AllowStaticCreds {
- staticCredsMeta, rotatedResponse, err := r.awaitVaultSecretRotation(ctx, o, c, resp)
- if err != nil {
- return nil, false, err
- }
-
- resp = rotatedResponse
- data, err = resp.SecretK8sData(opt)
- if err != nil {
- return nil, false, err
- }
-
- dataToMAC := maps.Clone(data)
- for _, k := range []string{"ttl", "rotation_schedule", "rotation_period", "last_vault_rotation", "_raw"} {
- delete(dataToMAC, k)
- }
-
- macsEqual, messageMAC, err := helpers.HandleSecretHMAC(ctx, r.SecretsClient, r.HMACValidator, o, dataToMAC)
- if err != nil {
- return nil, false, err
- }
-
- logger.V(consts.LogLevelTrace).Info("Secret HMAC", "macsEqual", macsEqual)
-
- o.Status.SecretMAC = base64.StdEncoding.EncodeToString(messageMAC)
- if macsEqual {
- return secretLease, false, nil
- }
-
- o.Status.StaticCredsMetaData = *staticCredsMeta
- logger.V(consts.LogLevelDebug).Info("Static creds", "status", o.Status)
- } else {
- data, err = resp.SecretK8sData(opt)
- if err != nil {
- return nil, false, err
- }
+ data, err := resp.SecretK8sData(opt)
+ if err != nil {
+ return nil, false, err
 }
 if err := helpers.SyncSecret(ctx, r.Client, o, data); err != nil {
@@ -468,7 +460,7 @@ func (r *VaultDynamicSecretReconciler) syncSecret(ctx context.Context, c vault.C
 return nil, false, err
 }
- return secretLease, true, nil
+ return r.getVaultSecretLease(resp.Secret()), true, nil
 }
 // awaitVaultSecretRotation waits for the Vault secret to be rotated. This is
From b3c5b88a5b66fe92d816fab9df6a48de9399a7a7 Mon Sep 17 00:00:00 2001
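Review bot: Dropping the `!r.isRenewableLease(secretLease, o, true) && o.Spec.AllowStaticCreds` branch from the post-`doVault` path means the very first sync of a static-creds VaultDynamicSecret — status lease ID still empty, so the new early branch is not taken — no longer waits for rotation or records `StaticCredsMetaData` and `SecretMAC`; that handling now runs only on reconciles that already carry a lease ID. The `macsEqual` short-circuit that returned `false` for the updated flag is gone as well, so every sync on this path now reports static creds as updated. Both hunks are inside syncSecret, whose start and the call to `r.doVault` lie outside them.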
From: Zlaticanin
Date: Tue, 22 Apr 2025 15:40:10 -0700
Subject: [PATCH 04/12] revert
---
 controllers/vaultdynamicsecret_controller.go | 73 +++++++++++---------
 1 file changed, 40 insertions(+), 33 deletions(-)
diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index 6dd31ce3..084b7106 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
@@ -409,35 +409,7 @@ func (r *VaultDynamicSecretReconciler) syncSecret(ctx context.Context, c vault.C
 o.Status.SecretLease = *secretLease
 return secretLease, false, nil
 } else {
- staticCredsMeta, rotatedResponse, err := r.awaitVaultSecretRotation(ctx, o, c, nil)
- if err != nil {
- return nil, false, err
- }
-
- data, err := rotatedResponse.SecretK8sData(opt)
- if err != nil {
- return nil, false, err
- }
-
- dataToMAC := maps.Clone(data)
- for _, k := range []string{"ttl", "rotation_schedule", "rotation_period", "last_vault_rotation", "_raw"} {
- delete(dataToMAC, k)
- }
-
- macsEqual, messageMAC, err := helpers.HandleSecretHMAC(ctx, r.SecretsClient, r.HMACValidator, o, dataToMAC)
- if err != nil {
- return nil, false, err
- }
-
- logger.V(consts.LogLevelTrace).Info("Secret HMAC", "macsEqual", macsEqual)
-
- o.Status.SecretMAC = base64.StdEncoding.EncodeToString(messageMAC)
- if macsEqual {
- return r.getVaultSecretLease(rotatedResponse.Secret()), false, nil
- }
-
- o.Status.StaticCredsMetaData = *staticCredsMeta
- logger.V(consts.LogLevelDebug).Info("Static creds", "status", o.Status)
+ return &o.Status.SecretLease, false, nil
 }
 }
@@ -450,9 +422,44 @@ func (r *VaultDynamicSecretReconciler) syncSecret(ctx context.Context, c vault.C
 return nil, false, errors.New("nil response")
 }
- data, err := resp.SecretK8sData(opt)
- if err != nil {
- return nil, false, err
+ var data map[string][]byte
+ secretLease := r.getVaultSecretLease(resp.Secret())
+ if !r.isRenewableLease(secretLease, o, true) && o.Spec.AllowStaticCreds {
+ staticCredsMeta, rotatedResponse, err := r.awaitVaultSecretRotation(ctx, o, c, resp)
+ if err != nil {
+ return nil, false, err
+ }
+
+ resp = rotatedResponse
+ data, err = resp.SecretK8sData(opt)
+ if err != nil {
+ return nil, false, err
+ }
+
+ dataToMAC := maps.Clone(data)
+ for _, k := range []string{"ttl", "rotation_schedule", "rotation_period", "last_vault_rotation", "_raw"} {
+ delete(dataToMAC, k)
+ }
+
+ macsEqual, messageMAC, err := helpers.HandleSecretHMAC(ctx, r.SecretsClient, r.HMACValidator, o, dataToMAC)
+ if err != nil {
+ return nil, false, err
+ }
+
+ logger.V(consts.LogLevelTrace).Info("Secret HMAC", "macsEqual", macsEqual)
+
+ o.Status.SecretMAC = base64.StdEncoding.EncodeToString(messageMAC)
+ if macsEqual {
+ return secretLease, false, nil
+ }
+
+ o.Status.StaticCredsMetaData = *staticCredsMeta
+ logger.V(consts.LogLevelDebug).Info("Static creds", "status", o.Status)
+ } else {
+ data, err = resp.SecretK8sData(opt)
+ if err != nil {
+ return nil, false, err
+ }
 }
 if err := helpers.SyncSecret(ctx, r.Client, o, data); err != nil {
@@ -460,7 +467,7 @@ func (r *VaultDynamicSecretReconciler) syncSecret(ctx context.Context, c vault.C
 return nil, false, err
 }
- return r.getVaultSecretLease(resp.Secret()), true, nil
+ return secretLease, true, nil
 }
 // awaitVaultSecretRotation waits for the Vault secret to be rotated. This is
From f65c2e672aa510db3891cec2a3c64ec334ddb9aa Mon Sep 17 00:00:00 2001
From: Zlaticanin
Date: Wed, 23 Apr 2025 10:14:16 -0700
Subject: [PATCH 05/12] update to check if lease exists right before we try to sync
---
 controllers/vaultdynamicsecret_controller.go | 36 ++++++++++++--------
 1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index 084b7106..422650ba 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
@@ -272,6 +272,12 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 return ctrl.Result{RequeueAfter: computeHorizonWithJitter(requeueDurationOnError)}, nil
 }
+ // check if lease already exists
+ if o.Status.SecretLease.ID != "" && o.Status.LastGeneration > 0 {
+ logger.V(consts.LogLevelDebug).Info("Skipping sync, lease already exists")
+ return ctrl.Result{}, nil
+ }
+
 // sync the secret
 secretLease, staticCredsUpdated, err := r.syncSecret(ctx, vClient, o, transOption)
 if err != nil {
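Review bot: The new skip returns `ctrl.Result{}` with no `RequeueAfter`, so once a lease ID is recorded the object is not reconciled again until some external event; the lease is neither renewed nor replaced and the Secret ends up holding credentials Vault has expired. `o.Status.LastGeneration > 0` also never compares with `o.GetGeneration()`, so a spec change after the first sync is skipped too. The hunks in patches 06, 07 and 08 extend the same condition but keep the empty `ctrl.Result{}`; patch 09 is the first to set a horizon. The guard should at least be `o.Status.LastGeneration == o.GetGeneration()` and return the same requeue horizon the renewal path (presumably earlier in Reconcile, outside this hunk) uses.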
@@ -397,21 +403,21 @@ func (r *VaultDynamicSecretReconciler) syncSecret(ctx context.Context, c vault.C
 logger := log.FromContext(ctx).WithName("syncSecret")
 // check if lease already exists
- if o.Status.SecretLease.ID != "" {
- logger.V(consts.LogLevelDebug).Info("Lease already exists", "leaseID", o.Status.SecretLease.ID)
- // if the lease is renewable, renew it
- if o.Status.SecretLease.Renewable {
- secretLease, err := r.renewLease(ctx, c, o)
- if err != nil {
- logger.Error(err, "Failed to renew lease")
- return nil, false, err
- }
- o.Status.SecretLease = *secretLease
- return secretLease, false, nil
- } else {
- return &o.Status.SecretLease, false, nil
- }
- }
+ //if o.Status.SecretLease.ID != "" {
+ // logger.V(consts.LogLevelDebug).Info("Lease already exists", "leaseID", o.Status.SecretLease.ID)
+ // // if the lease is renewable, renew it
+ // if o.Status.SecretLease.Renewable {
+ // secretLease, err := r.renewLease(ctx, c, o)
+ // if err != nil {
+ // logger.Error(err, "Failed to renew lease")
+ // return nil, false, err
+ // }
+ // o.Status.SecretLease = *secretLease
+ // return secretLease, false, nil
+ // } else {
+ // return &o.Status.SecretLease, false, nil
+ // }
+ //}
 resp, err := r.doVault(ctx, c, o)
 if err != nil {
From 094c61b7f701e32834f7f65848825e3f9bc586c5 Mon Sep 17 00:00:00 2001
From: Zlaticanin
Date: Wed, 23 Apr 2025 10:57:10 -0700
Subject: [PATCH 06/12] fix tests
---
 controllers/vaultdynamicsecret_controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index 422650ba..643a0f6e 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
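Review bot: The lease-exists block is commented out rather than removed, leaving sixteen `//` lines of dead code on the new side of syncSecret for the next reader to reason about; git history already preserves it. Delete the block (patch 11 in this series does), or if it is meant to return, replace it with a single `// TODO(<owner>): lease short-circuit moved to Reconcile; revisit once the double-lease fix is settled` so the intent is one line instead of sixteen.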
@@ -273,7 +273,7 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 }
 // check if lease already exists
- if o.Status.SecretLease.ID != "" && o.Status.LastGeneration > 0 {
+ if o.Status.SecretLease.ID != "" && o.Status.LastGeneration > 0 && !r.SyncRegistry.Has(req.NamespacedName) {
 logger.V(consts.LogLevelDebug).Info("Skipping sync, lease already exists")
 return ctrl.Result{}, nil
 }
From 6b6d05eb7332ba8817a064932403553a793e26ff Mon Sep 17 00:00:00 2001
From: Zlaticanin
Date: Wed, 23 Apr 2025 11:25:25 -0700
Subject: [PATCH 07/12] Add a check to see if the lease is renewable
---
 controllers/vaultdynamicsecret_controller.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index 643a0f6e..e67fbcf1 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
@@ -273,7 +273,8 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 }
 // check if lease already exists
- if o.Status.SecretLease.ID != "" && o.Status.LastGeneration > 0 && !r.SyncRegistry.Has(req.NamespacedName) {
+ if o.Status.SecretLease.ID != "" && o.Status.LastGeneration > 0 &&
+ !r.SyncRegistry.Has(req.NamespacedName) && r.isRenewableLease(&o.Status.SecretLease, o, true) {
 logger.V(consts.LogLevelDebug).Info("Skipping sync, lease already exists")
 return ctrl.Result{}, nil
 }
From bcbc55673914473d813618313dd36554ad1a0bcd Mon Sep 17 00:00:00 2001
From: Zlaticanin
Date: Wed, 23 Apr 2025 11:56:08 -0700
Subject: [PATCH 08/12] fix tests
---
 controllers/vaultdynamicsecret_controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index e67fbcf1..c3fba06e 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
@@ -273,7 +273,7 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 }
 // check if lease already exists
- if o.Status.SecretLease.ID != "" && o.Status.LastGeneration > 0 &&
+ if o.Status.SecretLease.ID != "" && o.Status.LastGeneration > 0 && o.Status.LastRenewalTime > 0 &&
 !r.SyncRegistry.Has(req.NamespacedName) && r.isRenewableLease(&o.Status.SecretLease, o, true) {
 logger.V(consts.LogLevelDebug).Info("Skipping sync, lease already exists")
 return ctrl.Result{}, nil
From eafe9a74b0495454cf477c5ec2dca724fdd29232 Mon Sep 17 00:00:00 2001
From: Zlaticanin
Date: Wed, 23 Apr 2025 12:25:18 -0700
Subject: [PATCH 09/12] check if in window
---
 controllers/vaultdynamicsecret_controller.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index c3fba06e..6276c5a8 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
@@ -275,8 +275,11 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 // check if lease already exists
 if o.Status.SecretLease.ID != "" && o.Status.LastGeneration > 0 && o.Status.LastRenewalTime > 0 &&
 !r.SyncRegistry.Has(req.NamespacedName) && r.isRenewableLease(&o.Status.SecretLease, o, true) {
- logger.V(consts.LogLevelDebug).Info("Skipping sync, lease already exists")
- return ctrl.Result{}, nil
+ horizon, inWindow := computeRelativeHorizonWithJitter(o, staticCredsJitterHorizon)
+ if !inWindow {
+ logger.V(consts.LogLevelDebug).Info("Skipping sync, lease already exists")
+ return ctrl.Result{RequeueAfter: horizon}, nil
+ }
 }
 // sync the secret
From 6b8a49900ef17c25056f3abf081a2f187a79b1e3 Mon Sep 17 00:00:00 2001
From: Zlaticanin
Date: Wed, 23 Apr 2025 12:46:24 -0700
Subject: [PATCH 10/12] fix tests
---
 controllers/vaultdynamicsecret_controller.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
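Review bot: `computeRelativeHorizonWithJitter(o, staticCredsJitterHorizon)` now decides whether a renewable lease is inside its renewal window, but its second argument is the static-creds jitter horizon; if the helper derives the window from the static-creds rotation fields rather than the lease TTL and `LastRenewalTime`, a renewable lease would be requeued on the wrong schedule and could lapse before the controller returns — worth checking against the helper, which is outside this hunk. When `inWindow` is true the code falls through to `syncSecret`, which per the earlier hunks does a fresh `doVault` read and thus obtains a brand-new lease rather than renewing, leaving the old lease to expire on Vault's side. If that is intended, a one-line comment on the fall-through, e.g. `// in window: fall through to a full sync, which replaces the lease`, would make it explicit.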
diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index 6276c5a8..a2dc470b 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
@@ -272,8 +272,7 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 return ctrl.Result{RequeueAfter: computeHorizonWithJitter(requeueDurationOnError)}, nil
 }
- // check if lease already exists
- if o.Status.SecretLease.ID != "" && o.Status.LastGeneration > 0 && o.Status.LastRenewalTime > 0 &&
+ if !doSync && o.Status.SecretLease.ID != "" && o.Status.LastGeneration > 0 && o.Status.LastRenewalTime > 0 &&
 !r.SyncRegistry.Has(req.NamespacedName) && r.isRenewableLease(&o.Status.SecretLease, o, true) {
 horizon, inWindow := computeRelativeHorizonWithJitter(o, staticCredsJitterHorizon)
 if !inWindow {
From bd8a3d2aa00f742504ddc5a2b8e6642e74144e78 Mon Sep 17 00:00:00 2001
From: Zlaticanin
Date: Wed, 23 Apr 2025 16:03:00 -0700
Subject: [PATCH 11/12] fix
---
 controllers/vaultdynamicsecret_controller.go | 47 +++++++++++-----------
 1 file changed, 21 insertions(+), 26 deletions(-)
diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index a2dc470b..6ff7d984 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
@@ -150,6 +150,15 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 o.Status.VaultClientMeta.CacheKey = clientCacheKey.String()
 o.Status.VaultClientMeta.ID = vClient.ID()
+ if o.Status.LastGeneration != o.GetGeneration() && o.Status.SecretLease.ID == "" {
+ logger.Info("short circuting sync, initial generation with empty lease")
+ o.Status.LastGeneration = o.GetGeneration()
+ if err := r.updateStatus(ctx, o); err != nil {
+ return ctrl.Result{}, err
+ }
+ return ctrl.Result{RequeueAfter: computeHorizonWithJitter(requeueDurationOnError)}, nil
+ }
+
 var syncReason string
 // doSync indicates that the controller should perform the secret sync,
 switch {
@@ -179,6 +188,12 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 }
 doSync := syncReason != ""
+ logger.Info("Reconciling",
+ "generation", o.GetGeneration(),
+ "lastGeneration", o.Status.LastGeneration,
+ "leaseID", o.Status.SecretLease.ID,
+ "doSync", doSync,
+ )
 leaseID := o.Status.SecretLease.ID
 if !doSync && r.runtimePodUID != "" && r.runtimePodUID != o.Status.LastRuntimePodUID {
 // don't take part in the thundering herd on start up,
@@ -272,15 +287,6 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 return ctrl.Result{RequeueAfter: computeHorizonWithJitter(requeueDurationOnError)}, nil
 }
- if !doSync && o.Status.SecretLease.ID != "" && o.Status.LastGeneration > 0 && o.Status.LastRenewalTime > 0 &&
- !r.SyncRegistry.Has(req.NamespacedName) && r.isRenewableLease(&o.Status.SecretLease, o, true) {
- horizon, inWindow := computeRelativeHorizonWithJitter(o, staticCredsJitterHorizon)
- if !inWindow {
- logger.V(consts.LogLevelDebug).Info("Skipping sync, lease already exists")
- return ctrl.Result{RequeueAfter: horizon}, nil
- }
- }
-
 // sync the secret
 secretLease, staticCredsUpdated, err := r.syncSecret(ctx, vClient, o, transOption)
 if err != nil {
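Review bot: The new short circuit writes `o.Status.LastGeneration = o.GetGeneration()` through `r.updateStatus` before any secret has been synced and then requeues on `requeueDurationOnError`; if the `syncReason` switch that follows (partly outside this hunk) keys off `LastGeneration != GetGeneration()`, the next pass sees the generation as handled and an empty lease, so a `syncReason` case for `o.Status.SecretLease.ID == ""` must exist — please confirm or add it. Reusing the error requeue interval also delays first delivery of credentials to a newly created object by that interval; a dedicated, shorter constant would make the intent clearer. The log message is misspelled: `logger.Info("short circuiting sync, initial generation with empty lease")`. In the second hunk the per-reconcile `logger.Info("Reconciling", ...)` dumps generation, lease ID and doSync at Info level on every pass, where the rest of this file uses `logger.V(consts.LogLevelDebug)` for such state; it should match.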
@@ -405,23 +411,6 @@ func (r *VaultDynamicSecretReconciler) syncSecret(ctx context.Context, c vault.C
 ) (*secretsv1beta1.VaultSecretLease, bool, error) {
 logger := log.FromContext(ctx).WithName("syncSecret")
- // check if lease already exists
- //if o.Status.SecretLease.ID != "" {
- // logger.V(consts.LogLevelDebug).Info("Lease already exists", "leaseID", o.Status.SecretLease.ID)
- // // if the lease is renewable, renew it
- // if o.Status.SecretLease.Renewable {
- // secretLease, err := r.renewLease(ctx, c, o)
- // if err != nil {
- // logger.Error(err, "Failed to renew lease")
- // return nil, false, err
- // }
- // o.Status.SecretLease = *secretLease
- // return secretLease, false, nil
- // } else {
- // return &o.Status.SecretLease, false, nil
- // }
- //}
-
 resp, err := r.doVault(ctx, c, o)
 if err != nil {
 return nil, false, err
@@ -574,6 +563,12 @@ func (r *VaultDynamicSecretReconciler) awaitVaultSecretRotation(ctx context.Cont
 }
 func (r *VaultDynamicSecretReconciler) updateStatus(ctx context.Context, o *secretsv1beta1.VaultDynamicSecret) error {
+ logger := log.FromContext(ctx).WithName("updateStatus")
+ logger.Info("Updating status",
+ "settingLastGeneration", o.GetGeneration(),
+ "existingLastGeneration", o.Status.LastGeneration,
+ )
+
 if r.runtimePodUID != "" {
 o.Status.LastRuntimePodUID = r.runtimePodUID
 }
From 4a4dc56ddf1350a4b6d0e982e54ca5c2c198e935 Mon Sep 17 00:00:00 2001
From: Zlaticanin
Date: Wed, 23 Apr 2025 16:31:44 -0700
Subject: [PATCH 12/12] add check for static creds
---
 controllers/vaultdynamicsecret_controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index 6ff7d984..aafca26d 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
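Review bot: `logger.Info("Updating status", ...)` in updateStatus fires on every status write at Info level, which together with the new "Reconciling" line doubles the log volume per reconcile; the file's existing convention for this kind of state logging is `logger.V(consts.LogLevelDebug).Info(...)` and the new call should follow it. updateStatus also has no doc comment; something like `// updateStatus records the runtime pod UID when one is set and persists o.Status.` would help, to be confirmed against the rest of the body, which continues outside the hunk.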
@@ -150,7 +150,7 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 o.Status.VaultClientMeta.CacheKey = clientCacheKey.String()
 o.Status.VaultClientMeta.ID = vClient.ID()
- if o.Status.LastGeneration != o.GetGeneration() && o.Status.SecretLease.ID == "" {
+ if !o.Spec.AllowStaticCreds && o.Status.LastGeneration != o.GetGeneration() && o.Status.SecretLease.ID == "" {
 logger.Info("short circuting sync, initial generation with empty lease")
 o.Status.LastGeneration = o.GetGeneration()
 if err := r.updateStatus(ctx, o); err != nil {
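Review bot: The three-term guard `!o.Spec.AllowStaticCreds && o.Status.LastGeneration != o.GetGeneration() && o.Status.SecretLease.ID == ""` carries no comment on why static-creds objects are exempt, and the log line still describes only the generation/lease case, so a reader of the final code cannot tell what the exemption protects. Suggest a comment above the `if`, e.g. `// static creds are never short-circuited here: <reason>`, filled in with the actual rationale (presumably that they are served by the static-creds path in syncSecret without ever carrying a lease ID). The rest of Reconcile lies outside the hunk.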