pi-cluster secrets rotation #445

Open
ricsanfre opened this issue Jun 12, 2024 · 0 comments

@ricsanfre (Owner)

Scope

Add a mechanism to rotate secrets and enable hot-reloading of credentials in Pods.

Alternatives

  • Secrets Rotation:

    • Vault KV does not support automatic rotation of static shared secrets. See Vault secrets rotation. A CI/CD pipeline should be used for updating the stored secrets in KV. External Secrets Operator will automatically synchronize the corresponding Kubernetes Secrets with the updated values in the KV store.
      Vault does support dynamic secrets, which are generated on demand and are unique to a client.
  • Secrets change awareness:

    • Secrets Store CSI integrated with Vault
      Enable a mechanism to mount secrets coming from Vault into Pods, using the Secrets Store CSI driver.
      Secrets will be available as tmpfs volumes mounted in Pods.
      Is hot reloading supported?

    • Stakater Reloader
      Kubernetes controller that watches for changes in ConfigMaps and Secrets and performs rolling upgrades on the Pods of the associated Deployment, StatefulSet, DaemonSet or DeploymentConfig.

    • Vault Agent can be used to automatically inject secrets into the Pods.

    • Kubernetes Secrets mounted as Volumes + Vault
      If a secret is mounted as a Pod volume, the corresponding file containing the secret should be automatically updated. Applications need to have a mechanism to detect file changes and reload the secret.
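For the last alternative (a Secret mounted as a volume, where the application itself has to notice the file change), here is an added Python example, not code from the pi-cluster project: a poller that re-reads the mounted file and hashes its content, plus a helper that mimics how kubelet publishes an update by writing a new timestamped directory and atomically swapping the `..data` symlink. The names `MountedSecretWatcher`, `write_secret_like_kubelet` and the `db-password` key are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, List, Optional, Tuple


class MountedSecretWatcher:
    """Re-reads a Secret file mounted as a volume; hashes content so a symlink swap is detected."""

    def __init__(self, path: str, on_change: Optional[Callable[[bytes], None]] = None):
        self.path = Path(path)  # never cache an open handle: the inode changes on rotation
        self.on_change = on_change
        self.value: Optional[bytes] = None
        self._digest: Optional[str] = None
        self.poll()

    def poll(self) -> bool:
        """Follow the symlink chain afresh; return True if the secret changed."""
        data = self.path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        if digest == self._digest:
            return False
        self._digest, self.value = digest, data
        if self.on_change is not None:
            self.on_change(data)
        return True


def write_secret_like_kubelet(mount: str, name: str, value: bytes, ts: str) -> None:
    """Mimic kubelet's atomic writer: new `..<ts>` dir, then swap the `..data` symlink."""
    root, new_dir = Path(mount), Path(mount) / f"..{ts}"
    new_dir.mkdir()
    (new_dir / name).write_bytes(value)
    tmp = root / "..data_tmp"
    tmp.symlink_to(new_dir.name)
    tmp.replace(root / "..data")  # rename(2): readers see old or new, never a partial state
    if not (root / name).is_symlink():
        (root / name).symlink_to(Path("..data") / name)


def demo() -> Tuple[List[bytes], List[bool]]:
    """Constructed rotation in a temp dir: values the watcher saw, and each poll() result."""
    seen: List[bytes] = []
    with tempfile.TemporaryDirectory() as mount:
        write_secret_like_kubelet(mount, "db-password", b"old-pass", "2024_06_12")
        w = MountedSecretWatcher(f"{mount}/db-password", seen.append)
        polls = [w.poll()]  # nothing rotated yet -> False, callback not fired
        write_secret_like_kubelet(mount, "db-password", b"new-pass", "2024_06_13")
        polls.append(w.poll())  # `..data` swapped -> True, callback fired with new value
    return seen, polls
```

Secrets mounted with `subPath` are never refreshed by kubelet, so this only works for whole-volume mounts; the kubelet sync period plus its cache propagation delay bounds how long after the API update the file actually changes.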

References
