Rollout restart with Vault injector in Kubernetes at 2/3 of max_ttl

Hello friend!

We are running the Vault injector inside Kubernetes.

For now, we have a Kubernetes role with max_ttl set to 0 and ttl set to 24h, for example. It works fine.
The credentials (AWS in this case) will be valid until the pod dies. When an update is done, the credentials are revoked, the pod dies, and the new pod will have its own new credentials. Good.

But that's not the final goal.
The real goal is to set the max_ttl to 60 minutes (for example), and ttl to 10 minutes.
As the default behaviour of the vault-injector is to renew the credentials at 2/3 of the max_ttl, we want to run kubectl rollout restart deployment application at that moment.

Is there any solution to do that?
The agent-inject-command-application cannot do that because kubectl is not available in the container.

Security would be very good with that option. First, we regularly ensure that the pods are able to restart without any problems, and second, we ensure that credentials are frequently changed.

Any ideas or best practices on that?

Thanks!
Mouglou

This video is exactly what we do. But the tutorial stops just before an important part!
How to manage the application when the database credentials are rotated?

Because just using the kill -HUP signal, for example, will kill the app, and then the restart counter will be incremented… So not cool!

So we need a solution for when the credentials are going to expire:
find a way to restart the pod/deployment before the max_ttl is reached (as we run on Kubernetes).

Hope someone can help!

Hi,

Some updates.

It really doesn't work well. I created a new Docker image by following the same steps as the default one.

I just added a section to download curl and then download the kubectl binary.

But then when I add this annotation:
vault.hashicorp.com/agent-inject-command-db.properties: kubectl rollout restart deployment application

But it runs in a loop. My first pod is created and generates its own credentials, then the command is called, which creates another pod, which creates its own credentials, etc… So I don't see any other option to be able to do that…

Please help us! How can we request a rollout restart when 80% of the max_ttl is reached? Or how can we just restart the pod, or even the container, without incrementing the restart counter?

Seems to be the logical next step for pod security with the injector!

Thanks for your help!!
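The loop described in the update above, as an added example that is not part of the original posts and not HashiCorp code: a small POSIX sh guard that the agent-inject-command annotation can call instead of running kubectl directly. The hook fires on the first render of the secret in every new pod, which is exactly what makes the direct rollout restart re-trigger itself; the guard records that first render in a marker file and only asks for a restart on a later render of the same pod, i.e. after the agent has actually rotated the credentials. The marker path, the --run entry point and the restart command argument are assumptions for this example; it relies on the hook being run once per render of the template.

```shell
#!/bin/sh
# Added example (not from the thread or from HashiCorp): a guard around the
# rollout restart so that it is requested only when the secret is re-rendered
# (credential rotation), never on the very first render done by a new pod.
# Assumptions: the hook runs once per template render, the marker path is
# writable inside the pod, and RESTART_CMD is the command to run on rotation.

# should_restart MARKER
#   returns 1 (do not restart) on the first render and records it in MARKER;
#   returns 0 (restart) on every later render in the same pod.
should_restart() {
  marker="$1"
  if [ ! -f "$marker" ]; then
    date +%s > "$marker"   # first render in this pod: remember it, no restart
    return 1
  fi
  return 0                 # marker already there: this render is a rotation
}

# on_render MARKER [RESTART_CMD]
#   entry point for the annotation; RESTART_CMD defaults to the rollout restart
#   used in the thread. It is only executed when should_restart says so.
on_render() {
  marker="$1"
  restart_cmd="${2:-kubectl rollout restart deployment application}"
  if should_restart "$marker"; then
    echo "credentials rotated; requesting: $restart_cmd"
    $restart_cmd
  else
    echo "first render in this pod; not restarting"
  fi
}

# Hypothetical command-line entry point so the script can be the annotation
# value, e.g.: sh /vault/secrets/restart-guard.sh --run
if [ "${1:-}" = "--run" ]; then
  on_render "${2:-/vault/secrets/.db.properties.rendered}"
fi
```

Because the marker lives in the pod's own filesystem, a freshly created pod always starts without it, so the rollout restart requested by the old pod cannot cascade into the new one; the new pod only requests a restart itself once its own credentials have been rotated by the agent.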