Updating a secret stored in 1Password and VaultSecret
Secrets that are stored in 1Password are synchronized into Vault using the installer/generate_secrets.py script.
Once they are in Vault, they are accessible to Vault Secrets Operator, which responds to creation of any
VaultSecret resources in Kubernetes by grabbing the current value of the secret data in Vault.
Vault Secrets Operator reconciles any changes as well by comparing Vault’s state with that of any
VaultSecret resources every 60 seconds.
This reconciliation process can take some time, so you may not see changes reflected until several minutes have passed.
Note for operators: This automatic reconciliation is not enabled by default.
It is explicitly turned on by setting the
vault.reconciliationTime key in the Helm chart, which needs to be done in every deployed environment of the Vault Secrets Operator.
So, if you want to make any changes to a
VaultSecret’s data, you’ll need to:
Make the changes in 1Password
Wait a few minutes for automatic reconciliation
In the future, you will be able to run phalanx secrets sync instead of installer/update_secrets.sh to update the secrets in Vault. This support is currently being developed.
These steps may have to be done for you by a Phalanx environment administrator depending on how permissions in Vault and any underlying secrets store are handled for your environment.
If automatic reconciliation doesn’t seem to be working, you can force it to take place by deleting the
Secret that is associated with the VaultSecret.
The Secret will have the same name as its parent VaultSecret.
Once you delete the
Secret, the Vault Secrets Operator should detect the deletion and recreate it quickly.
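The forced reconciliation described above, as an added example that is not part of the Phalanx documentation or tooling: it deletes a Secret only when a same-named VaultSecret exists, then confirms recreation by comparing object UIDs instead of reading secret data. The function names, the KUBECTL and POLL_INTERVAL variables, and the use of "vaultsecret" as the kubectl resource name are assumptions.

```shell
#!/usr/bin/env bash
# Added example: force Vault Secrets Operator to rebuild one Secret.
# Assumes kubectl points at the right cluster and the VaultSecret CRD is
# reachable as the resource name "vaultsecret". Never reads secret data.

KUBECTL="${KUBECTL:-kubectl}"   # overridable, e.g. for a dry-run wrapper

# Print the UID of Secret $2 in namespace $1 (empty if it does not exist).
secret_uid() {
  $KUBECTL get secret "$2" -n "$1" -o jsonpath='{.metadata.uid}' 2>/dev/null || true
}

# force_resync NAMESPACE NAME [ATTEMPTS]
# Returns 0 once recreated, 2 if there is no parent VaultSecret,
# 1 if the delete fails, 3 if the Secret does not come back in time.
force_resync() {
  local ns="$1" name="$2" attempts="${3:-30}" old new i=0
  # Without a same-named VaultSecret nothing would recreate the Secret.
  if ! $KUBECTL get vaultsecret "$name" -n "$ns" >/dev/null 2>&1; then
    echo "no VaultSecret $ns/$name; refusing to delete the Secret" >&2
    return 2
  fi
  old="$(secret_uid "$ns" "$name")"
  $KUBECTL delete secret "$name" -n "$ns" --ignore-not-found >/dev/null || return 1
  # A new UID proves the operator built a fresh object, not a stale cached read.
  while [ "$i" -lt "$attempts" ]; do
    new="$(secret_uid "$ns" "$name")"
    if [ -n "$new" ] && [ "$new" != "$old" ]; then
      echo "Secret $ns/$name recreated"
      return 0
    fi
    sleep "${POLL_INTERVAL:-2}"
    i=$((i + 1))
  done
  echo "Secret $ns/$name not recreated after $attempts checks" >&2
  return 3
}

# Run only when called with arguments: ./resync.sh <namespace> <name>
if [ "$#" -ge 2 ]; then
  force_resync "$@"
fi
```

A return code of 3 means the operator did not recreate the Secret within the polling window, which is the point at which to check the operator's logs and its access to Vault.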