Secret rotation and Hard-Refresh requirement #224
Comments
|
@r0bj unfortunately we are at the mercy of Argo CD on this one as the plugin won’t run again unless a dry run happens. Something that you could do is look to capture when something changes in your secret manager via a hook or something and then trigger the hard refresh with the CLI in an automated way. I am sure there are other ways to handle it but the short story of it is, there is really nothing our plugin can do on this, nor do I think it is the responsibility of the plugin. Until Argo CD introduces a different mechanism or some other way to handle this, there is not really anything we can do. @jkayani any thoughts? |
|
Agreed with Jake, this is partly because of how Argo CD works. You can try either:
|
|
Thanks for sharing your thoughts on this. |
Is your feature request related to a problem? Please describe.
In order to rotate secret, after secret is changed in vault we need to use Hard-Refresh in Argo CD. This is fine for simple deployments but to be able to use it at scale (let's say hundreds of apps) we need some way to automate the process.
Ideally would be to periodically execute Hard-Refresh so secret can be rotated without human intervention. There is issue related to this problem and corresponding PR:
argoproj/argo-cd#4002
argoproj/argo-cd#4678
Do you maybe have any experience or workaround for this issue, maybe some settings related to cache expiration in argocd?
Describe the solution you'd like
Rotation secrets without needing to manual Hard-Refresh would be really helpful.
The text was updated successfully, but these errors were encountered: