spring-cloud-vault

Enable use of dynamic database credentials beyond max-ttl

Open shitikanth opened this issue 11 months ago • 2 comments

The problem: Currently there is no way to use dynamic credentials using spring-cloud-vault-config-databases beyond the max lease time. The recommendation online seems to be to just let your container become unhealthy and let a new one replace it.

Proposed solution: VaultConfigDatabaseBootstrapConfiguration::DatabaseSecretBackendMetadataFactory::forDatabase can return a LeasingSecretBackendMetadata with lease mode set to ROTATE instead of a plain SecretBackendMetadata.

This would ensure that the lease gets rotated at expiry and the relevant database properties get updated. The responsibility of how to use the updated properties to update the connection pool can be left to the user.

shitikanth, Feb 18 '25 03:02

Introducing ROTATE creates the expectation of credential propagation into the actual components as Spring Cloud Vault is built on top of Spring Boot. Right now, configuration properties objects aren't refreshed from Spring Boot and there is no propagation into Mongo Client, a connection pool, etc.

mp911de, Feb 18 '25 07:02

Would it be sufficient to document this limitation explicitly and give examples for how to set up the propagation for common use cases?

shitikanth, Feb 19 '25 03:02
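The user-side propagation the thread leaves open (a rotating lease feeding fresh credentials into a connection pool) can look like the following. This is an added example, not code from the issue or from the spring-cloud-vault project; it assumes HikariCP as the pool, Spring Boot 3 (jakarta annotations), and a hypothetical Vault database role path `database/creds/app-role`.

```java
import java.util.Map;
import jakarta.annotation.PostConstruct;
import org.springframework.context.annotation.Configuration;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.RequestedSecret;
import org.springframework.vault.core.lease.event.SecretLeaseCreatedEvent;
import com.zaxxer.hikari.HikariDataSource;

@Configuration
public class RotatingDbCredentials {

    // Hypothetical role path; replace with the database role configured in Vault.
    private static final String ROLE_PATH = "database/creds/app-role";

    private final SecretLeaseContainer leaseContainer;
    private final HikariDataSource dataSource;

    public RotatingDbCredentials(SecretLeaseContainer leaseContainer, HikariDataSource dataSource) {
        this.leaseContainer = leaseContainer;
        this.dataSource = dataSource;
    }

    @PostConstruct
    void registerRotatingSecret() {
        // ROTATE mode: once the lease can no longer be renewed (max TTL reached),
        // the container requests a brand-new credential pair and fires a created event.
        RequestedSecret secret = RequestedSecret.rotating(ROLE_PATH);
        leaseContainer.addLeaseListener(event -> {
            if (event.getSource() == secret && event instanceof SecretLeaseCreatedEvent) {
                applyCredentials(((SecretLeaseCreatedEvent) event).getSecrets());
            }
        });
        leaseContainer.addRequestedSecret(secret);
    }

    void applyCredentials(Map<String, Object> secrets) {
        Object username = secrets.get("username");
        Object password = secrets.get("password");
        if (username == null || password == null) {
            // Malformed response: keep the current pool state rather than breaking it.
            return;
        }
        // New connections use the fresh credentials; existing ones are evicted as
        // they return to the pool, so nothing keeps running on the revoked user.
        dataSource.getHikariConfigMXBean().setUsername(username.toString());
        dataSource.getHikariConfigMXBean().setPassword(password.toString());
        dataSource.getHikariPoolMXBean().softEvictConnections();
    }
}
```

Eviction is soft, so a long-running statement on an old connection finishes before that connection is closed; Vault revokes the previous user when its lease expires, so keep the role's TTL longer than your longest expected transaction.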