pod restart required to detect a new/updated secret with label 'sealedsecrets.bitnami.com/sealed-secrets-key: active'

[lknite]

Which component:
controller

Is your feature request related to a problem? Please describe.
If I create/update a key/secret for sealed secrets to use, with the appropriate label (see above), sealed secrets should pick up on that new key. Instead, I have to delete the sealed-secrets pod before it will notice the secret.

Imagine the secret is being created via an external-secret so it may not exist when the sealed-secrets pod is started. At some point, the external-secret may be updated, and sealed-secrets will not notice the secret has been updated.

Describe the solution you'd like
sealed secrets could have a controller thread which watches for changes to secrets and handles loading/updating them as appropriate

Describe alternatives you've considered

• using reloader/skater to delete the sealed-secrets pod to force a reload
• i used an initContainer to wait for the secret to appear, before starting allowing the pod to load ... this was good but didn't handle the use case where the secret was updated

Additional context
we shouldn't have to rely on a third-party solution

[agarcia-oss]

Hi @lknite Yes, this is a known behaviour of the Sealed Secrets controller as described in the manual key management section of the README.

NOTE SealedSecret controller currently does not automatically pick up manually created, deleted or relabeled sealing keys. An admin must restart the controller before the effect will apply.

Observing changes in the sealing secret is not currently in the product roadmap (since the default controller logic is to self-manage directly its own keys), but it can be a useful feature for users managing their own keys.

If you want to collaborate with a PR, we'll be happy to review your contribution!
Regards