We're using the latest External Secrets Operator from external-secrets.io to get secrets from Vault and inject them into Kubernetes. We had a situation where a Vault KV engine was upgraded from v1 to v2. This caused External Secrets to no longer be able to find the secrets in Vault, and as a result it replaced the values of all the k8s secrets with Null values (""). Needless to say, this isn't the type of behavior we necessarily want. Is there a way to prevent this from happening, i.e., if ESO is having difficulty with Vault, can it be configured to avoid modifying existing k8s secrets?

Michael Martinez
  • This sounds like an issue you should be taking up with the external secrets project, possibly by filing a bug report. We use ESO at my workplace and in our experience if ESO is unable to contact the vault it doesn't touch the Kubernetes secrets. – larsks Jun 27 '23 at 00:36

1 Answer

Yes, I was working with an ESO developer this morning and it turns out this is a bug whose fix is being submitted here: https://github.com/external-secrets/external-secrets/pull/2455

Michael Martinez
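A check for the failure described in the question, as an added example that is not part of the original posts or of the ESO project: it scans Secret-list JSON (the shape of `kubectl get secrets -A -o json`) for ESO-managed Secrets whose values have been blanked. It assumes ESO-managed Secrets carry an `ownerReferences` entry of kind `ExternalSecret` (the default `creationPolicy: Owner`); the function name and the sample input are constructed for illustration.

```python
import base64
import json


def b64(text):
    """Encode a string the way Kubernetes stores Secret values."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample, shaped like `kubectl get secrets -A -o json` output.
ESO_OWNER = [{"kind": "ExternalSecret", "name": "constructed"}]
SAMPLE = json.dumps({"items": [
    # ESO-owned, every value blanked: the state described in the question.
    {"metadata": {"namespace": "app", "name": "db-creds", "ownerReferences": ESO_OWNER},
     "data": {"username": "", "password": ""}},
    # ESO-owned and healthy.
    {"metadata": {"namespace": "app", "name": "api-token", "ownerReferences": ESO_OWNER},
     "data": {"token": b64("constructed-value")}},
    # Not managed by ESO, so out of scope even though a value is empty.
    {"metadata": {"namespace": "app", "name": "manual"}, "data": {"note": ""}},
    # ESO-owned, partially blanked.
    {"metadata": {"namespace": "ops", "name": "smtp", "ownerReferences": ESO_OWNER},
     "data": {"user": b64("mailer"), "password": ""}},
]})


def blanked_secrets(secret_list_json):
    """Return (namespace, name, empty_keys) for ESO-owned Secrets with empty values."""
    findings = []
    for item in json.loads(secret_list_json).get("items", []):
        meta = item.get("metadata", {})
        owners = meta.get("ownerReferences") or []
        # Assumption: ESO ownership shows up as an ExternalSecret owner reference.
        if not any(o.get("kind") == "ExternalSecret" for o in owners):
            continue
        data = item.get("data") or {}
        empty = sorted(k for k, v in data.items()
                       if not base64.b64decode(v or "").strip())
        if empty:
            findings.append((meta.get("namespace"), meta.get("name"), empty))
    return findings


if __name__ == "__main__":
    for namespace, name, keys in blanked_secrets(SAMPLE):
        print(f"{namespace}/{name}: empty keys {keys}")
```

Run against live cluster output after a Vault engine or path change, a non-empty result is a signal to pause workloads that consume those Secrets until the store configuration is corrected.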