Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Periodically Cleanup Orphaned Shadow Secrets #980

Open
wants to merge 41 commits into
base: main
Choose a base branch
from
Open

Periodically Cleanup Orphaned Shadow Secrets #980

wants to merge 41 commits into from
+292 −35

Conversation

jaireddjawed
Copy link

@jaireddjawed jaireddjawed commented Dec 2, 2024
edited
Loading

Description

When an HCPVaultSecretsApp is deleted, the handleDeletion() method is called to remove the app's shadow secrets from k8s. However, if handleDeletion() fails to remove the secrets for some reason, the orphaned shadow secrets remain in k8s indefinitely because we don't have a mechanism that attempts to remove these shadow secrets again later.

This PR addresses this issue by creating a goroutine that periodically checks for deleted HVS apps and removes the app's shadow secrets.

Local Testing

  • Commented the initial deletion attempt of a HCPVaultSecretsApp in Reconcile() This is to mock the scenario where the first handleDeletion() call fails (mentioned here).
Screenshot 2024-12-17 at 6 00 03 AM
  • Created an HCPVaultSecretsApp that includes a dynamic secret (yaml config below)
Screenshot 2024-12-17 at 9 41 35 AM 
apiVersion: v1
data:
  clientID: redacted
  clientSecret: redacted
kind: Secret
metadata:
  name: vso-demo-sp
  namespace: default
type: Opaque

---
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPAuth
metadata:
  name: default
  namespace: vault-secrets-operator-system
spec:
  organizationID: redacted
  projectID: redacted
  servicePrincipal:
    secretRef: vso-demo-sp

---
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPVaultSecretsApp
metadata:
  name: web-application
  namespace: default
spec:
  appName: sample-app
  destination:
    create: true
    labels:
      hvs: "true"
    name: web-application
  refreshAfter: 15m
Screenshot 2024-12-17 at 6 14 27 AM
  • Confirmed that secret exists in k8s (kubectl get secrets -o yaml)
  • Deleted HCPVaultSecretsApp from k8s (kubectl delete hcpvaultsecretsapps.secrets.hashicorp.com web-application)
  • Confirmed that the secret no longer exists in k8s (kubectl get secrets -o yaml)
Screenshot 2024-12-17 at 6 15 28 AM

Jira Ticket

https://hashicorp.atlassian.net/browse/VAULT-31820

@jaireddjawed jaireddjawed self-assigned this Dec 2, 2024
@jaireddjawed jaireddjawed marked this pull request as ready for review December 17, 2024 17:38
@jaireddjawed jaireddjawed requested a review from a team as a code owner December 17, 2024 17:38
tvoran
tvoran reviewed Dec 19, 2024
View reviewed changes
@jaireddjawed jaireddjawed enabled auto-merge (squash) January 9, 2025 21:05
tvoran
tvoran reviewed Jan 10, 2025
View reviewed changes
Copy link
Member

@tvoran tvoran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some minor comments, this is looking pretty good.

benashz
benashz reviewed Jan 10, 2025
View reviewed changes
Copy link
Collaborator

@benashz benashz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Getting there. I think we need to probably implement a few interfaces to avoid extra code duplication. We also want to to delegate running the cache pruner to the controller-runtime Manager. Happy to sync up with you on that.

@jaireddjawed jaireddjawed requested a review from benashz January 30, 2025 00:28
@jaireddjawed jaireddjawed requested a review from tvoran January 31, 2025 23:13
benashz
benashz reviewed Feb 3, 2025
View reviewed changes
tvoran
tvoran reviewed Feb 4, 2025
View reviewed changes
@jaireddjawed jaireddjawed force-pushed the jaireddjawed-feature-cleanup-shadow-secrets branch 2 times, most recently from 299d06f to 6fb9622 Compare February 12, 2025 04:02
@jaireddjawed jaireddjawed force-pushed the jaireddjawed-feature-cleanup-shadow-secrets branch from 688e364 to 6fb9622 Compare February 13, 2025 09:44
@jaireddjawed jaireddjawed requested a review from tvoran February 13, 2025 17:35
@jaireddjawed jaireddjawed changed the title Create Goroutine to Cleanup Orphaned Shadow Secrets Periodically Cleanup Orphaned Shadow Secrets Feb 13, 2025
@jaireddjawed jaireddjawed enabled auto-merge (squash) February 13, 2025 23:05
@jaireddjawed jaireddjawed enabled auto-merge (squash) February 13, 2025 23:05
tvoran
tvoran reviewed Feb 15, 2025
View reviewed changes
Copy link
Member

@tvoran tvoran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Almost there, this worked locally for me following the reproduction steps in the jira card.

@jaireddjawed jaireddjawed requested a review from tvoran February 19, 2025 17:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lursu lursu lursu left review comments

@benashz benashz Awaiting requested review from benashz

@tvoran tvoran Awaiting requested review from tvoran

At least 1 approving review is required to merge this pull request.

Assignees

@jaireddjawed jaireddjawed

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jaireddjawed @tvoran @lursu @benashz