Automate Secret Updates in Argo CD from Vault without Manual Deletion #682

Open
presotto-m opened this issue Nov 26, 2024 · 4 comments

@presotto-m

Is your feature request related to a problem? Please describe.
I'm experiencing an issue when updating a secret in Vault. Argo CD doesn't automatically detect the change. The update is only applied if I manually delete the old secret and run a sync in Argo CD, forcing it to recreate the secret and fetch the updated information from Vault.

Describe the solution you'd like
I would like Argo CD to automatically detect changes to secrets stored in Vault and apply the updates without the need for manual deletion and synchronization.

Describe alternatives you've considered
One alternative would be to use a webhook, similar to the one already used to listen for changes in GitHub. This webhook could be configured to monitor changes in Vault secrets and trigger an automatic update in Argo CD whenever a modification is detected.

Additional context
Currently, the manual process of deletion and synchronization delays the application of important updates and increases the risk of inconsistencies. Automation for this process would be ideal.

@bbetter173

I'm not overly familiar with the plugin but I did notice that the docs have this to say:

If you want to load in a new value from your Secret Manager without making any new code changes you must use the Hard-Refresh concept in Argo CD. This can be done in two ways. You can either use the UI and select the Hard Refresh button which is located within the Refresh Button.

Source: https://argocd-vault-plugin.readthedocs.io/en/stable/usage/#refreshing-values-from-secrets-managers

@pre

pre commented Dec 17, 2024

We are performing the ArgoCD Application > Hard Refresh whenever we need to refresh the value from Vault immediately.

There is no need to delete any resources. A webhook couldn't suit our use case because we don't have any mapping in our repository of which ArgoCD Application(s) should be updated when a value in Vault is changed.

@ygormutti

It would be nice to have a webhook or some kind of integration when updating secrets in Vault, because the people who maintain the secrets on Vault are not necessarily the same as those who maintain the Kubernetes infra.

@pre

pre commented Dec 25, 2024

The mechanism to get from “Vault key X changed” to “refresh Application A but not any other Applications” is unclear to me.
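
Added example, not part of the thread or of the plugin's code: one way to build the mapping the last comment asks about, by scanning each Application's un-rendered manifests for the Vault paths they reference through argocd-vault-plugin's `<path:...#key>` placeholders and its `avp.kubernetes.io/path` annotation. The Application names, manifests and paths are constructed, and the changed path is assumed to arrive in the same form the manifests use.

```python
import re
from collections import defaultdict

# Inline placeholder: <path:VAULT_PATH#KEY>, optionally followed by modifiers.
INLINE = re.compile(r"<path:([^#>\s]+)#[^>]+>")
# Annotation form: avp.kubernetes.io/path: "VAULT_PATH"
ANNOTATION = re.compile(r"avp\.kubernetes\.io/path:\s*[\"']?([^\"'\s]+)")

# Constructed sample: Application name -> its un-rendered manifests.
SAMPLE = {
    "billing": ["""
kind: Secret
metadata:
  name: db
  annotations:
    avp.kubernetes.io/path: "secret/data/billing/db"
stringData:
  password: <password>
"""],
    "web": ["""
kind: Secret
metadata:
  name: web
stringData:
  db: <path:secret/data/billing/db#password | base64encode>
  api: <path:secret/data/web/api#token>
"""],
}

def vault_paths(manifest_text):
    """Vault paths referenced by one un-rendered manifest."""
    found = INLINE.findall(manifest_text) + ANNOTATION.findall(manifest_text)
    return set(found)

def build_index(app_manifests):
    """Inverted index: Vault path -> sorted Application names using it."""
    index = defaultdict(set)
    for app, manifests in app_manifests.items():
        for text in manifests:
            for path in vault_paths(text):
                index[path].add(app)
    return {path: sorted(apps) for path, apps in index.items()}

def apps_to_refresh(index, changed_path):
    """Applications affected by a change at changed_path (empty if none)."""
    return index.get(changed_path.strip("/"), [])

if __name__ == "__main__":
    print(apps_to_refresh(build_index(SAMPLE), "secret/data/billing/db"))
```

Each Application returned is a candidate for the Hard Refresh described earlier in the thread; Applications that do not reference the changed path are left alone.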
