The dynamic database credentials are very helpful, however we are running an app that doesn’t do renewal of these creds itself. We accomplish this through the nomad
template stanza, with the
with secret tag.
Now we also have
splay defined there, as we don’t like our web servers to be restarted all at the same time. But my question is: is there a delay between vault revoking the lease of those credentials (thus triggering the restart) and the actual revocation? If not, then the splay attribute isn’t actually usable, as my app would already be denied database access.
And is there any way to tune the delay, to accomodate a certain splay?