Secret Management in Kubernetes with HashiCorp Vault and Dynamic PostgreSQL Credentials


I’m currently developing a Proof of Concept (POC) focused on enhancing secret management within a Kubernetes environment, utilizing HashiCorp Vault for dynamic secret generation. Our setup includes a Kubernetes cluster hosting 30 services as deployments, all of which interact with a PostgreSQL database. Traditionally, we’ve manually managed database user credentials, integrating them into our services via Kubernetes secrets.

In my recent implementation, I explored generating PostgreSQL user credentials dynamically, with Vault Injector responsible for injecting these credentials directly into the pods. However, this approach has prompted several questions regarding its efficiency and reliability:

  1. How does the system handle secret rotation within the database? Specifically, will the pods automatically restart to incorporate the new secrets?
  2. Is there an alternative strategy where Vault can generate unique database credentials for each pod upon creation, ensuring that each pod’s DB credentials are distinct and lifecycle-synchronized?

I appreciate any insights or experiences you can share regarding these queries.
Thank you in advance.

1. Vault doesn’t automatically restart pods for secret rotation. Instead, Vault Agent Injector updates secrets inside pods without needing a restart. Your applications must be designed to dynamically reload these updated credentials.
2. Yes, Vault can generate unique credentials for each pod upon its creation. This is done using dynamic secret engines, with credentials’ lifecycle tied to the pod’s lifecycle. Applications should be configured to request and use these credentials, which are managed and revoked by Vault, ensuring security and compliance.