Vault Operator resyncing secret when VaultStaticSecret hmacSecretData field has been set to false

[bunniseng]

Describe the bug

Vault operator is performing drift detection and resyncing the secret when setting hmacSecretData = false

To Reproduce
Steps to reproduce the behavior:

1. Create a VaultStaticSecret resource with hmacSecretData set to false
2. Once the secret is synced, update the hmacSecretData and reset back to false
3. Delete leading vault operator

Application deployment:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: test
  namespace: test
spec:
  destination:
    create: true
    name: test
    overwrite: false
  hmacSecretData: false
  mount: test
  path: test
  refreshAfter: 0s
  type: kv-v2
  vaultAuthRef: test

Expected behavior
When hmacSecretData is set to false, vault operator does not resync the secret in any event.

Environment

• Kubernetes version: 1.26
• vault-secrets-operator version: 0.6.0

[benashz]

Hi @bunniseng, I don't think that VSO supports the use case you have laid out in this issue. The example VaultStaticSecret will be synced once per leader election. So in step 3, when VSO starts up in a new Pod it will reconcile all configured VaultStaticSecrets, this is necessary to ensure that cluster state matches what is in Vault. I think what you might be looking for is a sync once feature?

Thanks,

Ben

[bunniseng]

Thanks for coming back so quickly on this. Yes a sync once capability is what I was hoping to achieve and would like to have implemented.

As for the documentation for the hmacSecretData field:

"
HMACSecretData determines whether the Operator computes the HMAC of the Secret's data.

The MAC value will be stored in the resource's Status.SecretMac field, and will be used for drift detection
and during incoming Vault secret comparison.

Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault.
"
I feel the description is a little misleading, it implies that setting the field to false would disable consistency reconciliation, perhaps an update on the documentation would be good too to make it a bit more clear what the field does in all situations.