
pi-cluster secrets rotation #445

@ricsanfre

Description

Scope

Add a mechanism to rotate secrets and enable POD's hot-reloading of credentials

Alternatives

  • Secrets Rotation:

    • Vault KV does not support automatic rotation of static shared secrets. See Vault secrets rotation. A CI/CD pipeline should be used for updating the stored secrets in KV. External Secrets Operator will automatically synchronize the corresponding Kubernetes Secrets with the updated values in the KV store.
      Vault does support dynamic secrets, which are generated on demand and are unique to a client.
  • Secrets change awareness:

    • Secrets Store CSI integrated with Vault
      Enable mechanism to mount secrets coming from Vault into PODs, using Secret Store CSI driver
      Secrets will be available as tmpfs volumes mounted in PODs
      Is hot reloading supported?

    • Stakater Reloader
      Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig

    • Vault Agent can be used to automatically inject secrets into the PODs

    • Kubernetes Secrets mounted as Volumes + Vault
      If a secret is mounted as a POD volume, the corresponding file containing the secret should be automatically updated. Applications need to have a mechanism to detect file changes and reload the secret.
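One way to combine the KV-sync and change-awareness options above, as an added example (not code from the pi-cluster project): an ExternalSecret that keeps a Kubernetes Secret in sync with Vault KV on a refresh interval, and a Deployment annotated for Stakater Reloader so its Pods are rolled when the synced Secret changes. The ClusterSecretStore name, the Vault KV path and the container image are assumed placeholders.

```yaml
# Added example: ESO pulls the credential from Vault KV, Reloader restarts the
# consuming Deployment when the synced Secret changes. Names/paths are placeholders.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-db-credentials
  namespace: app
spec:
  # ESO re-reads Vault on this interval; rotation latency is bounded by it
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend          # assumed ClusterSecretStore pointing at Vault KV
    kind: ClusterSecretStore
  target:
    name: app-db-credentials     # Kubernetes Secret that ESO creates and updates
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: app/db              # hypothetical path, relative to the KV mount set in the store
        property: password
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: app
  annotations:
    # Reloader watches the named Secret and performs a rolling restart on change
    secret.reloader.stakater.com/reload: "app-db-credentials"
spec:
  replicas: 2
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: app
          image: ghcr.io/example/app:1.0   # placeholder image
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: app-db-credentials
                  key: password
```

After the CI/CD pipeline writes a new value to the KV path, the Secret is updated on the next refresh and the rolling restart picks it up; a `kubectl rollout status deployment/app -n app` confirms the restart happened.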

References
