Skip to content

Operator Reconciliation reverts rotated root Credential in Database Secret Engine leading to lost Credentials #339

Description

@DerCakeman

This seems to be a regression of Issue #131 .

Vault-operator: v0.8.49, deployed with Helm.
Vault: openbao v2.5.5
K8s: 1.36.2

On operator / Pod restart of the vault-config-operator it reconciles it's CR and writes the DatabaseSecretEngineConfig newly to openbao leading to a DatabaseSecretEngine that holds the original (outdated) root Password.

Additionally the Docs reference 'verfyConnection' defaulting to 'true', while the operator doesn't verify the connection before writing the new Config. Setting verfiyConnections: true explicitly solves the problem of losing credentials, then the operator goes into 'reconcileFailed' state as expected since the password auth (with the initial root password) fails.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions