VSS: Add requeue configuration flags

controllers/vaultstaticsecret_controller.go

@@ -49,6 +49,9 @@ type VaultStaticSecretReconciler struct {
 	ClientFactory               vault.ClientFactory
 	SecretDataBuilder           *helpers.SecretDataBuilder
 	HMACValidator               helpers.HMACValidator
+	HMACHorizon                 time.Duration
+	MinRefreshAfter             time.Duration
+	DefaultRefreshAfter         time.Duration
 	referenceCache              ResourceReferenceCache
 	GlobalTransformationOptions *helpers.GlobalTransformationOptions
 	BackOffRegistry             *BackOffRegistry
@@ -99,14 +102,16 @@ func (r *VaultStaticSecretReconciler) Reconcile(ctx context.Context, req ctrl.Re
 
 	var requeueAfter time.Duration
 	if o.Spec.RefreshAfter != "" {
-		d, err := parseDurationString(o.Spec.RefreshAfter, ".spec.refreshAfter", 0)
+		d, err := parseDurationString(o.Spec.RefreshAfter, ".spec.refreshAfter", r.MinRefreshAfter)
 		if err != nil {
 			logger.Error(err, "Field validation failed")
 			r.Recorder.Eventf(o, corev1.EventTypeWarning, consts.ReasonVaultStaticSecret,
 				"Field validation failed, err=%s", err)
 			return ctrl.Result{RequeueAfter: computeHorizonWithJitter(requeueDurationOnError)}, nil
 		}
 		requeueAfter = computeHorizonWithJitter(d)
+	} else if r.DefaultRefreshAfter > 0 {
+		requeueAfter = computeHorizonWithJitter(r.DefaultRefreshAfter)
 	}
 
 	r.referenceCache.Set(SecretTransformation, req.NamespacedName,
@@ -153,8 +158,7 @@ func (r *VaultStaticSecretReconciler) Reconcile(ctx context.Context, req ctrl.Re
 		// we want to ensure that requeueAfter is set so that we can perform the proper drift detection during each reconciliation.
 		// setting up a watcher on the Secret is also possibility, but polling seems to be the simplest approach for now.
 		if requeueAfter == 0 {
-			// hardcoding a default horizon here, perhaps we will want to make this value public?
-			requeueAfter = computeHorizonWithJitter(time.Second * 60)
+			requeueAfter = computeHorizonWithJitter(r.HMACHorizon)
 		}
 
 		// doRolloutRestart only if this is not the first time this secret has been synced

main.go

@@ -137,6 +137,9 @@ func main() {
 	var uninstall bool
 	var preDeleteHookTimeoutSeconds int
 	var minRefreshAfterHVSA time.Duration
+	var hmacHorizonVSS time.Duration
+	var minRefreshAfterVSS time.Duration
+	var defaultRefreshAfterVSS time.Duration
 	var globalTransformationOpts string
 	var globalVaultAuthOpts string
 	var backoffInitialInterval time.Duration
@@ -173,6 +176,12 @@ func main() {
 		"Pre-delete hook timeout in seconds")
 	flag.DurationVar(&minRefreshAfterHVSA, "min-refresh-after-hvsa", time.Second*30,
 		"Minimum duration between HCPVaultSecretsApp resource reconciliation.")
+	flag.DurationVar(&hmacHorizonVSS, "hmac-horizon-vss", time.Second*60,
+		"Duration between VaultStaticSecret resource reconciliation, when using HMAC.")
+	flag.DurationVar(&minRefreshAfterVSS, "min-refresh-after-vss", 0,
+		"Minimum duration between VaultStaticSecret resource reconciliation.")
+	flag.DurationVar(&defaultRefreshAfterVSS, "default-refresh-after-vss", 0,
+		"Global default for refreshAfter of VaultStaticSecret resources. Set to 0 to disable.")
 	flag.StringVar(&globalTransformationOpts, "global-transformation-options", "",
 		fmt.Sprintf("Set global secret transformation options as a comma delimited string. "+
 			"Also set from environment variable VSO_GLOBAL_TRANSFORMATION_OPTIONS. "+
@@ -449,6 +458,9 @@ func main() {
 		Recorder:                    mgr.GetEventRecorderFor("VaultStaticSecret"),
 		SecretDataBuilder:           secretDataBuilder,
 		HMACValidator:               hmacValidator,
+		HMACHorizon:                 hmacHorizonVSS,
+		MinRefreshAfter:             minRefreshAfterVSS,
+		DefaultRefreshAfter:         defaultRefreshAfterVSS,
 		ClientFactory:               clientFactory,
 		BackOffRegistry:             controllers.NewBackOffRegistry(backoffOpts...),
 		GlobalTransformationOptions: globalTransOptions,