HVS: basic dynamic secrets support (#917)

Fetches all dynamic secret key/value pairs along with the rest of the secrets in an HVS App, every RefreshAfter or at the renewalPercent of the TTL of the dynamic secrets, whichever comes first. Adds a SyncConfig for HVS to the HCPVaultSecretsAppSpec to allow specifying a custom renewalPercent for dynamic secrets, otherwise the default is 67% of the TTL. Adds the last observed state of each dynamic secret to HCPVaultSecretsAppStatus.
hashicorp · Sep 19, 2024 · 51cf004 · 51cf004
1 parent 76be1ee
commit 51cf004
Show file tree

Hide file tree

Showing 8 changed files with 629 additions and 17 deletions.
diff --git a/api/v1beta1/hcpvaultsecretsapp_types.go b/api/v1beta1/hcpvaultsecretsapp_types.go
@@ -32,6 +32,37 @@ type HCPVaultSecretsAppSpec struct {
 	// Destination provides configuration necessary for syncing the HCP Vault
 	// Application secrets to Kubernetes.
 	Destination Destination `json:"destination"`
+	// SyncConfig configures sync behavior from HVS to VSO
+	SyncConfig *HVSSyncConfig `json:"syncConfig,omitempty"`
+}
+
+// HVSSyncConfig configures sync behavior from HVS to VSO
+type HVSSyncConfig struct {
+	// Dynamic configures sync behavior for dynamic secrets.
+	Dynamic *HVSDynamicSyncConfig `json:"dynamic,omitempty"`
+}
+
+// HVSDynamicSyncConfig configures sync behavior for HVS dynamic secrets.
+type HVSDynamicSyncConfig struct {
+	// RenewalPercent is the percent out of 100 of a dynamic secret's TTL when
+	// new secrets are generated. Defaults to 67 percent minus jitter.
+	// +kubebuilder:default=67
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=100
+	RenewalPercent int `json:"renewalPercent,omitempty"`
+}
+
+// HVSDynamicStatus defines the observed state of a dynamic secret within an HCP
+// Vault Secrets App
+type HVSDynamicStatus struct {
+	// Name of the dynamic secret
+	Name string `json:"name,omitempty"`
+	// CreatedAt is the timestamp string of when the dynamic secret was created
+	CreatedAt string `json:"createdAt,omitempty"`
+	// ExpiresAt is the timestamp string of when the dynamic secret will expire
+	ExpiresAt string `json:"expiresAt,omitempty"`
+	// TTL is the time-to-live of the dynamic secret in seconds
+	TTL string `json:"ttl,omitempty"`
 }
 
 // HCPVaultSecretsAppStatus defines the observed state of HCPVaultSecretsApp
@@ -47,6 +78,9 @@ type HCPVaultSecretsAppStatus struct {
 	// The SecretMac is also used to detect drift in the Destination Secret's Data.
 	// If drift is detected the data will be synced to the Destination.
 	SecretMAC string `json:"secretMAC,omitempty"`
+	// DynamicSecrets lists the last observed state of any dynamic secrets
+	// within the HCP Vault Secrets App
+	DynamicSecrets []HVSDynamicStatus `json:"dynamicSecrets,omitempty"`
 }
 
 //+kubebuilder:object:root=true

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/chart/crds/secrets.hashicorp.com_hcpvaultsecretsapps.yaml b/chart/crds/secrets.hashicorp.com_hcpvaultsecretsapps.yaml
@@ -244,13 +244,55 @@ spec:
                   - name
                   type: object
                 type: array
+              syncConfig:
+                description: SyncConfig configures sync behavior from HVS to VSO
+                properties:
+                  dynamic:
+                    description: Dynamic configures sync behavior for dynamic secrets.
+                    properties:
+                      renewalPercent:
+                        default: 67
+                        description: |-
+                          RenewalPercent is the percent out of 100 of a dynamic secret's TTL when
+                          new secrets are generated. Defaults to 67 percent minus jitter.
+                        maximum: 100
+                        minimum: 0
+                        type: integer
+                    type: object
+                type: object
             required:
             - appName
             - destination
             type: object
           status:
             description: HCPVaultSecretsAppStatus defines the observed state of HCPVaultSecretsApp
             properties:
+              dynamicSecrets:
+                description: |-
+                  DynamicSecrets lists the last observed state of any dynamic secrets
+                  within the HCP Vault Secrets App
+                items:
+                  description: |-
+                    HVSDynamicStatus defines the observed state of a dynamic secret within an HCP
+                    Vault Secrets App
+                  properties:
+                    createdAt:
+                      description: CreatedAt is the timestamp string of when the dynamic
+                        secret was created
+                      type: string
+                    expiresAt:
+                      description: ExpiresAt is the timestamp string of when the dynamic
+                        secret will expire
+                      type: string
+                    name:
+                      description: Name of the dynamic secret
+                      type: string
+                    ttl:
+                      description: TTL is the time-to-live of the dynamic secret in
+                        seconds
+                      type: string
+                  type: object
+                type: array
               lastGeneration:
                 description: LastGeneration is the Generation of the last reconciled
                   resource.

diff --git a/config/crd/bases/secrets.hashicorp.com_hcpvaultsecretsapps.yaml b/config/crd/bases/secrets.hashicorp.com_hcpvaultsecretsapps.yaml
@@ -244,13 +244,55 @@ spec:
                   - name
                   type: object
                 type: array
+              syncConfig:
+                description: SyncConfig configures sync behavior from HVS to VSO
+                properties:
+                  dynamic:
+                    description: Dynamic configures sync behavior for dynamic secrets.
+                    properties:
+                      renewalPercent:
+                        default: 67
+                        description: |-
+                          RenewalPercent is the percent out of 100 of a dynamic secret's TTL when
+                          new secrets are generated. Defaults to 67 percent minus jitter.
+                        maximum: 100
+                        minimum: 0
+                        type: integer
+                    type: object
+                type: object
             required:
             - appName
             - destination
             type: object
           status:
             description: HCPVaultSecretsAppStatus defines the observed state of HCPVaultSecretsApp
             properties:
+              dynamicSecrets:
+                description: |-
+                  DynamicSecrets lists the last observed state of any dynamic secrets
+                  within the HCP Vault Secrets App
+                items:
+                  description: |-
+                    HVSDynamicStatus defines the observed state of a dynamic secret within an HCP
+                    Vault Secrets App
+                  properties:
+                    createdAt:
+                      description: CreatedAt is the timestamp string of when the dynamic
+                        secret was created
+                      type: string
+                    expiresAt:
+                      description: ExpiresAt is the timestamp string of when the dynamic
+                        secret will expire
+                      type: string
+                    name:
+                      description: Name of the dynamic secret
+                      type: string
+                    ttl:
+                      description: TTL is the time-to-live of the dynamic secret in
+                        seconds
+                      type: string
+                  type: object
+                type: array
               lastGeneration:
                 description: LastGeneration is the Generation of the last reconciled
                   resource.