Use vault secret operator with Grafana Loki

On my deployment we use Loki and we want to use Vault to keep S3 credentials.
I’ve found this option: Storing s3 accessKeyID and secretAccessKey securely - #3 by hibaos - Grafana Loki - Grafana Labs Community Forums
By using this way, secrets are available on the namespace, but once Loki is installed, seem the secret controlled by another friend name GrafanaAgent and now the secret look like that:

apiVersion: v1
kind: Secret
  labels: secret-sync grafana-agent-operator vault-secrets-operator
  name: loki-secrets
  namespace: loki
  - apiVersion:
    kind: VaultStaticSecret
    name: vault-kv-app
  - apiVersion:
    blockOwnerDeletion: true
    kind: GrafanaAgent
    name: loki
type: Opaque

Look like Loki use CRD named GrafanaAgent which takes control of the secret when the loki helm chart is installed.
Then my vault secret getting error:

(combined from similar events): Failed to update k8s secret: invalid owner label,, present=true invalid ownerReferences, refs=[]v1.OwnerReference{v1.OwnerReference{APIVersion:"", Kind:"VaultStaticSecret", Name:"vault-kv-app", UID:"9ed64b84-1ec8-4cf1-8e80-1ce29bc89b86", Controller:(*bool)(nil), BlockOwnerDeletion:(*bool)(nil)}, v1.OwnerReference{APIVersion:"", Kind:"GrafanaAgent", Name:"loki", UID:"b658e0ed-e9e9-49ae-a119-24297b9c479a", Controller:(*bool)(nil), BlockOwnerDeletion:(*bool)(0xc000999699)}} not the owner of the destination Secret loki/loki-secrets

How I can add an owner? or avoid this situation?

Hi @david-nano,

I believe If you set spec.destination.create = false on your VaultStaticSecret CR, and create the destination secret in advance, you can avoid this situation. VSO expects to be the only owner for Secrets that it created. Please let us know if that helps.

See Vault Secrets Operator API Reference | Vault | HashiCorp Developer for more details.