Hello friend!
We are running the Vault injector inside Kubernetes.
For now, we have a Kubernetes role with max_ttl set to 0 and ttl set to 24h, for example. It works fine.
The credentials (AWS in this case) will be valid until the pod dies. When an update is done, the credentials are revoked, the pod dies, and the new pod will have its own new credentials. Good.
But that's not the final goal.
The real goal is to set the max_ttl to 60 minutes (for example), and ttl to 10 minutes.
As the default behaviour of vault-injector is to renew the credentials at 2/3 of the max_ttl, we want to run a kubectl rollout restart deployment application at that point.
Is there any solution to do that?
agent-inject-command-application cannot do that because kubectl is not available in the container.
Security would be very good with that option. First, we regularly ensure that the pods are able to restart without any problems, and second, we ensure that credentials are frequently changed.
Any ideas or best practices on that?
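One way to force the restart from outside the application container, as an added example that is not part of the post above and not a Vault or HashiCorp-provided mechanism: a CronJob in the same namespace that runs kubectl rollout restart against the Deployment, bound to a ServiceAccount whose Role can patch only that one Deployment. The namespace "demo", the kubectl image and the 30-minute schedule are assumptions; the Deployment name "application" and the 60m max_ttl come from the post.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rollout-restarter
  namespace: demo            # assumed namespace, not from the post
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rollout-restarter
  namespace: demo
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    resourceNames: ["application"]   # least privilege: only this Deployment
    verbs: ["get", "patch"]          # rollout restart only patches the pod template
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rollout-restarter
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: rollout-restarter
    namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rollout-restarter
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: application-rollout-restart
  namespace: demo
spec:
  # Every 30 minutes stays well inside the 60m max_ttl, so one missed run
  # still rotates the pods (and their AWS credentials) before the lease expires.
  schedule: "*/30 * * * *"
  concurrencyPolicy: Forbid          # never start a second restart mid-rollout
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: rollout-restarter
          restartPolicy: OnFailure
          containers:
            - name: kubectl
              image: bitnami/kubectl:1.29   # assumed image; pin to your cluster version
              command: ["kubectl", "rollout", "restart", "deployment/application", "-n", "demo"]
```

Because the restart is a rolling update, old pods are terminated only after the new ones are ready, so the credential rotation also doubles as a continuous check that the application can be restarted cleanly.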