In some setups the Vault StatefulSet needs to be restarted when secrets that are outside the operator's control change.

Some examples include:

  • cert-manager managing a public certificate for Vault issued by Let's Encrypt. Starting with version 0.11 of cert-manager no label is available on the resulting Secret anymore, so use the watchedSecretsAnnotations field instead.
  • Cloud IAM credentials created with an external tool (like Terraform) to allow Vault to interact with cloud services.

The operator can watch a set of secrets in the namespace of the Vault resource using either a list of label selectors or a list of annotation selectors. When the content of any of those secrets changes, the operator updates the StatefulSet, which triggers a rolling restart.

How to configure label selectors

Both fields take a list of selectors; each selector is a map of key/value pairs that must all match (the keys were lost from this example, so placeholders are shown):

```yaml
watchedSecretsLabels:
  - <label-key>: vault-letsencrypt-cert
  - <label-key>: gcp
    <label-key>: vault

watchedSecretsAnnotations:
  - <annotation-key>: vault-letsencrypt-cert
```

In the example above a restart is triggered if:

  • a secret whose label matches the first selector (value vault-letsencrypt-cert) changes its contents
  • a secret whose labels match BOTH pairs of the second selector (gcp AND vault) changes its contents
  • a secret whose annotation matches vault-letsencrypt-cert changes its contents

The operator controls the restart by adding an annotation to the spec.template of the StatefulSet it manages for the Vault resource; the annotation's value changes whenever the contents of the watched secrets change, so the pods are rolled:

```bash
kubectl get -n vault statefulset vault -o json | jq .spec.template.metadata.annotations
```

```json
{
  "": "/metrics",
  "": "9102",
  "": "true",
  "": "ff1f1c79a31f76c68097975977746be9b85878f4737b8ee5a9d6ee3c5169b0ba"
}
```
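The selector semantics and the checksum-driven restart described above, as an added example that is not part of the operator's code: it applies label and annotation selectors (hypothetical keys, AND within a selector, OR across the list) to constructed sample Secrets and computes a deterministic digest over the watched secrets' data, so rotating a watched secret changes the digest while touching an unwatched one does not. The hashing scheme is an assumption, not the operator's exact algorithm.

```python
import hashlib
import json

# Constructed sample Secrets (only the fields that matter here); the label and
# annotation keys are hypothetical, not ones the operator prescribes.
SECRETS = [
    {"metadata": {"name": "vault-tls", "annotations": {},
                  "labels": {"x.example/cert": "vault-letsencrypt-cert"}},
     "data": {"tls.crt": "Y2VydA==", "tls.key": "a2V5"}},
    {"metadata": {"name": "vault-gcp-sa", "annotations": {},
                  "labels": {"x.example/scope": "gcp", "x.example/app": "vault"}},
     "data": {"credentials.json": "e30="}},
    {"metadata": {"name": "gcp-other", "annotations": {},
                  "labels": {"x.example/scope": "gcp"}},  # lacks app=vault
     "data": {"x": "MQ=="}},
    {"metadata": {"name": "vault-public-cert", "labels": {},
                  "annotations": {"x.example/cert": "vault-letsencrypt-cert"}},
     "data": {"tls.crt": "cHVi"}},
    {"metadata": {"name": "unrelated", "labels": {"team": "infra"}, "annotations": {}},
     "data": {"token": "dG9r"}},
]
# Selector semantics from the page: all pairs in one entry must match (AND);
# a secret matching any entry is watched (OR across entries).
WATCHED_LABELS = [{"x.example/cert": "vault-letsencrypt-cert"},
                  {"x.example/scope": "gcp", "x.example/app": "vault"}]
WATCHED_ANNOTATIONS = [{"x.example/cert": "vault-letsencrypt-cert"}]

def _matches(meta_map, selectors):
    return any(all(meta_map.get(k) == v for k, v in sel.items()) for sel in selectors)

def watched_secrets(secrets):
    """Sorted names of the secrets selected by either selector list."""
    return sorted(s["metadata"]["name"] for s in secrets
                  if _matches(s["metadata"].get("labels", {}), WATCHED_LABELS)
                  or _matches(s["metadata"].get("annotations", {}), WATCHED_ANNOTATIONS))

def watched_secrets_sum(secrets):
    """Deterministic SHA-256 over the data of every watched secret, ordered by
    name and key. Assumed scheme: the operator's exact hashing is not on the page."""
    by_name = {s["metadata"]["name"]: s["data"] for s in secrets}
    payload = {n: by_name[n] for n in watched_secrets(secrets)}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

def with_data(secrets, name, key, value):
    """Copy of `secrets` with one data entry changed (simulates a rotation)."""
    return [dict(s, data={**s["data"], key: value}) if s["metadata"]["name"] == name else s
            for s in secrets]
```

A restart is due exactly when `watched_secrets_sum` no longer equals the value stored in the StatefulSet template annotation.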