
pi-cluster secrets rotation

Open ricsanfre opened this issue 8 months ago • 0 comments

Scope

Add a mechanism to rotate secrets and enable POD's hot-reloading of credentials

Alternatives

  • Secrets Rotation:

    • Vault KV does not support automatic rotation of static shared secrets. See Vault secrets rotation. CI/CD pipeline should be used for updating the stored secrets in KV. External Secrets Operator will automatically synchronize corresponding Kubernetes Secrets with the updated values in the KV store. Vault does support dynamic secrets, which are generated on demand and are unique to a client.
  • Secrets change awareness:

    • Secrets Store CSI integrated with Vault: enable mechanism to mount secrets coming from Vault into PODs, using Secret Store CSI driver. Secrets will be available as tmpfs volumes mounted in PODs. Is hot reloading supported?

    • Stakater Reloader: Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig

    • Vault Agent can be used to automatically inject secrets into the PODs

    • Kubernetes Secrets mounted as Volumes + Vault: if a secret is mounted as a POD volume, the corresponding file containing the secret should be automatically updated. Applications need to have a mechanism to detect file changes and update the secret.

References

ricsanfre Jun 12 '24 15:06
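The last alternative above (a Secret mounted as a POD volume plus application-side change detection) is the one an application can implement on its own. The following is an added example, not code from the pi-cluster project or from the issue author. It assumes a Secret mounted as a directory (for example `/etc/app-secrets`, a name chosen here) with a key named `db-password`, and mounted without `subPath`: the kubelet does not propagate updates to `subPath` mounts. For a directory mount the kubelet writes the new values into a fresh `..<timestamp>/` directory and atomically swaps the `..data` symlink, while the top-level `db-password` entry stays a symlink into `..data/`; `kubelet_style_write()` below mimics that layout so the demo runs offline in a temporary directory. The reloader hashes the file content instead of trusting `mtime`, because the top-level symlink itself never changes, only what sits behind `..data`. Propagation from the API server to the volume takes up to the kubelet sync period plus its cache TTL, so `reload()` is meant to be polled periodically (or driven by an inotify event on the mount directory).

```python
# Added example: application-side hot reload of a credential mounted from a
# Kubernetes Secret volume. Not code from the pi-cluster project or the issue.
# Assumptions (mine): Secret mounted as a directory (not subPath), key name
# "db-password"; the mount layout below mirrors the kubelet's atomic writer
# (top-level symlink -> ..data -> ..<timestamp>/) so the demo runs offline.
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable, Optional


def kubelet_style_write(mount_dir: str, payload: dict, stamp: str) -> None:
    """Mimic the kubelet's atomic writer for Secret/projected volumes."""
    mount = Path(mount_dir)
    new_dir = mount / f"..{stamp}"
    new_dir.mkdir()
    for key, value in payload.items():
        (new_dir / key).write_bytes(value)
    # Swap ..data -> ..<stamp> atomically: create a temp symlink, then rename it
    # over the old ..data (rename(2) replaces a symlink without following it).
    tmp_link = mount / "..data_tmp"
    os.symlink(new_dir.name, tmp_link)
    os.replace(tmp_link, mount / "..data")
    # Top-level entries are stable symlinks into ..data/<key>; create once.
    for key in payload:
        link = mount / key
        if not link.is_symlink():
            os.symlink(os.path.join("..data", key), link)


class SecretFile:
    """Tracks one key of a mounted Secret and reloads it when its content changes.

    Detection is by content hash, not mtime: the symlink the app opens never
    changes, only the directory behind ..data does.
    """

    def __init__(self, path: str,
                 on_change: Optional[Callable[[Optional[str], str], None]] = None):
        self.path = Path(path)
        self.on_change = on_change
        self.value: Optional[str] = None
        self._digest: Optional[str] = None
        self.reload()  # initial load fires on_change with old=None

    def reload(self) -> bool:
        """Poll once; return True if the credential changed (callback fired)."""
        data = self.path.read_bytes()  # follows the symlink chain into ..data
        digest = hashlib.sha256(data).hexdigest()
        if digest == self._digest:
            return False
        old, self.value, self._digest = self.value, data.decode(), digest
        if self.on_change:
            # e.g. rebuild the DB connection pool with the new password here
            self.on_change(old, self.value)
        return True


def demo() -> list:
    """Simulate a Secret update and show the app picking it up without a restart."""
    events = []
    with tempfile.TemporaryDirectory() as mount:
        # Constructed sample: initial Secret projected by the kubelet.
        kubelet_style_write(mount, {"db-password": b"s3cret-v1"}, "2024_06_12_15_06_00")
        cred = SecretFile(os.path.join(mount, "db-password"),
                          on_change=lambda old, new: events.append((old, new)))
        # Poll with no change: nothing happens.
        assert cred.reload() is False
        # CI/CD updated Vault KV, ESO synced the Secret, kubelet rewrote the volume.
        kubelet_style_write(mount, {"db-password": b"s3cret-v2"}, "2024_06_12_16_00_00")
        assert cred.reload() is True
    return events


if __name__ == "__main__":
    print(demo())  # [(None, 's3cret-v1'), ('s3cret-v1', 's3cret-v2')]
```

The `on_change` hook is where the application re-authenticates (for example by rebuilding its database connection pool); keeping the old value until the callback succeeds avoids a window where the process holds no usable credential. For a `subPath` mount, or for an application that cannot reopen its credentials at runtime, the Stakater Reloader rolling-restart approach listed above is the fallback.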