
purgeUnmanagedConfig does not purge secrets engines' configuration #1843

Open
aabdala opened this issue Mar 23, 2023 · 4 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Comments

@aabdala

aabdala commented Mar 23, 2023

When using, for example, the aws secrets engine, deleting configuration entries for that secrets engine when purgeUnmanagedConfig is enabled does not seem to delete them from Vault.

From what I've seen in this code, it seems to me that either the whole secrets engine is removed if it is not present in the config, or it is left/tuned and the existing and new configuration entries are upserted; but the diffing that would remove the entries no longer present in the config does not seem to be implemented.

As an example, having configured the following (trimmed down for brevity):

```yaml
  externalConfig:
    secrets:
    - description: AWS secret backend.
      path: aws/
      type: aws
      configuration:
        roles:
        - credential_type: assumed_role
          name: role-1
          role_arns:
          - arn:aws:iam::1234567890:role/role-1
        - credential_type: assumed_role
          name: role-2
          role_arns:
          - arn:aws:iam::1234567890:role/role-2
```

After deleting the item for role-2 from the Vault CR configuration, `vault read aws/roles/role-2` would still return successfully.

This was tested with bank-vaults version 1.15.8 and Vault version 1.10.4.

/kind bug
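The diff step the report describes as missing, written out as an added example in Go (not bank-vaults' own code): `Reconcile` takes the entries the CR declares and what a LIST against Vault returns, and computes which entries a purge-aware reconcile would write, delete, or disable. `DesiredEngines`, `ObservedEngines`, `Plan` and `IssueExample` are names assumed here, and the inputs are constructed to match the report.

```go
package main

import "sort"

// Desired state from externalConfig.secrets in the Vault CR:
// mount path -> config sub-path ("roles") -> entry name -> entry body.
type DesiredEngines map[string]map[string]map[string]map[string]any

// Observed state as a LIST on each mount/sub-path returns it (constructed here).
type ObservedEngines map[string]map[string][]string

type Plan struct {
	Upsert  []string // written on every reconcile, e.g. "aws/roles/role-1"
	Delete  []string // in Vault but no longer in the CR: the diff the issue reports as missing
	Disable []string // mounts in Vault but no longer in the CR
}

// Reconcile diffs the CR against Vault. Assumption: only sub-paths the CR declares are managed.
func Reconcile(desired DesiredEngines, observed ObservedEngines, purge bool) Plan {
	var p Plan
	for mount, subs := range desired {
		for sub, entries := range subs {
			for name := range entries {
				p.Upsert = append(p.Upsert, mount+sub+"/"+name)
			}
			for _, name := range observed[mount][sub] {
				if _, managed := entries[name]; purge && !managed {
					p.Delete = append(p.Delete, mount+sub+"/"+name)
				}
			}
		}
	}
	for mount := range observed {
		if _, managed := desired[mount]; purge && !managed {
			p.Disable = append(p.Disable, mount)
		}
	}
	sort.Strings(p.Upsert)
	sort.Strings(p.Delete)
	sort.Strings(p.Disable)
	return p
}

// IssueExample reproduces the report with constructed input: the CR now lists
// role-1 only, while Vault still holds role-1 and role-2 under aws/roles.
func IssueExample() Plan {
	desired := DesiredEngines{"aws/": {"roles": {"role-1": {"credential_type": "assumed_role"}}}}
	observed := ObservedEngines{"aws/": {"roles": {"role-1", "role-2"}}}
	return Reconcile(desired, observed, true)
}
```

With purge disabled the same inputs yield no Delete or Disable actions, which matches the behaviour the report observed.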

@akijakya
Contributor

Hey @aabdala, thanks for using bank-vaults, and sorry for the delay. This sounds more like a feature request to me! 🙂 If you find time to implement it, we would be happy to review and include this feature, i.e. purging unmanaged roles, but even if not, I think this has a place on the roadmap!

@akijakya akijakya added this to To do in Bank-Vaults via automation May 19, 2023
@ebdekock

This would be a great feature for declaratively managing vault! Plus one

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jan 28, 2024
@ebdekock

Bump

@ramizpolic ramizpolic removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jan 30, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Jan 30, 2024
@ramizpolic ramizpolic added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 30, 2024
@github-actions

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Mar 31, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Mar 31, 2024
Development

No branches or pull requests

5 participants