Skip to content

Fix VDS bug where 2 leases are being generated on initial deployment #1054

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
+21 −0
Open

Fix VDS bug where 2 leases are being generated on initial deployment #1054

Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
5fe2ebb
Fix VDS controller where 2 leases are being generated on initial depl…
Zlaticanin Apr 22, 2025
b720864
update
Zlaticanin Apr 22, 2025
38b7dfe
fix
Zlaticanin Apr 22, 2025
b3c5b88
revert
Zlaticanin Apr 22, 2025
74c88dd
Merge branch 'main' into VAULT-35251/fix-vds-crd-bug
Zlaticanin Apr 22, 2025
f65c2e6
update to check if lease exists right before we try to sync
Zlaticanin Apr 23, 2025
094c61b
fix tests
Zlaticanin Apr 23, 2025
6b6d05e
Add a check to see if the lease is renewable
Zlaticanin Apr 23, 2025
bcbc556
fix tests
Zlaticanin Apr 23, 2025
eafe9a7
check if in window
Zlaticanin Apr 23, 2025
6b8a499
fix tests
Zlaticanin Apr 23, 2025
bd8a3d2
fix
Zlaticanin Apr 23, 2025
4a4dc56
add check for static creds
Zlaticanin Apr 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions controllers/vaultdynamicsecret_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,15 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
o.Status.VaultClientMeta.CacheKey = clientCacheKey.String()
o.Status.VaultClientMeta.ID = vClient.ID()

if !o.Spec.AllowStaticCreds && o.Status.LastGeneration != o.GetGeneration() && o.Status.SecretLease.ID == "" {
logger.Info("short circuting sync, initial generation with empty lease")
o.Status.LastGeneration = o.GetGeneration()
if err := r.updateStatus(ctx, o); err != nil {
return ctrl.Result{}, err
}
return ctrl.Result{RequeueAfter: computeHorizonWithJitter(requeueDurationOnError)}, nil
}

var syncReason string
// doSync indicates that the controller should perform the secret sync,
switch {
Expand Down Expand Up @@ -179,6 +188,12 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
}

doSync := syncReason != ""
logger.Info("Reconciling",
"generation", o.GetGeneration(),
"lastGeneration", o.Status.LastGeneration,
"leaseID", o.Status.SecretLease.ID,
"doSync", doSync,
)
leaseID := o.Status.SecretLease.ID
if !doSync && r.runtimePodUID != "" && r.runtimePodUID != o.Status.LastRuntimePodUID {
// don't take part in the thundering herd on start up,
Expand Down Expand Up @@ -548,6 +563,12 @@ func (r *VaultDynamicSecretReconciler) awaitVaultSecretRotation(ctx context.Cont
}

func (r *VaultDynamicSecretReconciler) updateStatus(ctx context.Context, o *secretsv1beta1.VaultDynamicSecret) error {
logger := log.FromContext(ctx).WithName("updateStatus")
logger.Info("Updating status",
"settingLastGeneration", o.GetGeneration(),
"existingLastGeneration", o.Status.LastGeneration,
)

if r.runtimePodUID != "" {
o.Status.LastRuntimePodUID = r.runtimePodUID
}
Expand Down