Hello,
I’m currently developing a Proof of Concept (POC) focused on enhancing secret management within a Kubernetes environment, utilizing HashiCorp Vault for dynamic secret generation. Our setup includes a Kubernetes cluster hosting 30 services as deployments, all of which interact with a PostgreSQL database. Traditionally, we’ve manually managed database user credentials, integrating them into our services via Kubernetes secrets.
In my recent implementation, I explored generating PostgreSQL user credentials dynamically, with Vault Injector responsible for injecting these credentials directly into the pods. However, this approach has prompted several questions regarding its efficiency and reliability:
- How does the system handle secret rotation within the database? Specifically, will the pods automatically restart to incorporate the new secrets?
- Is there an alternative strategy where Vault can generate unique database credentials for each pod upon creation, ensuring that each pod’s DB credentials are distinct and lifecycle-synchronized?
I appreciate any insights or experiences you can share regarding these queries.
Thank you in advance.
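On the rotation question, one practical point is that the Vault Agent sidecar renders the credential to a file inside the pod and rewrites that file when it obtains a new lease; the pod itself is not restarted, so the application has to notice the change and reconnect. The following is an added example (not code from the original post, and not part of Vault or the injector) showing the application side of that: it parses a rendered file in an assumed `PGUSER=...`/`PGPASSWORD=...` form, detects when the sidecar has replaced it with a new lease, and rebuilds the libpq DSN. The path `/vault/secrets/db-creds`, the file layout, and the sample usernames are assumptions chosen for this example.

```python
"""Reload PostgreSQL credentials rendered by a Vault Agent sidecar.

Added example, not code from the original post. It assumes the injector
template renders a file of the form

    PGUSER=<username>
    PGPASSWORD=<password>

at /vault/secrets/db-creds (an assumed path). When the agent obtains a new
lease it rewrites that file; the pod is not restarted, so the application
must detect the change and reconnect with the new credentials.
"""
import hashlib
import os
import tempfile

# Constructed sample renders standing in for two successive Vault leases.
SAMPLE_RENDER_V1 = "PGUSER=v-kubernet-app-abc123\nPGPASSWORD=A1-example\n"
SAMPLE_RENDER_V2 = "PGUSER=v-kubernet-app-def456\nPGPASSWORD=A1-rotated\n"


def parse_render(text):
    """Parse KEY=VALUE lines into a dict; blank lines and comments are ignored."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line in rendered secret: %r" % line)
        creds[key.strip()] = value.strip()
    for required in ("PGUSER", "PGPASSWORD"):
        if required not in creds:
            raise ValueError("rendered secret missing %s" % required)
    return creds


class CredentialWatcher:
    """Track the rendered secret file and report when the lease has changed."""

    def __init__(self, path):
        self.path = path
        self._digest = None   # SHA-256 of the last contents we loaded
        self.creds = None     # dict from parse_render, or None before first load

    def _current_digest(self):
        with open(self.path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()

    def refresh(self):
        """Re-read the file if its contents changed. Returns True on a change."""
        digest = self._current_digest()
        if digest == self._digest:
            return False
        with open(self.path, "r", encoding="utf-8") as fh:
            self.creds = parse_render(fh.read())
        self._digest = digest
        return True

    def dsn(self, host="postgres", port=5432, dbname="app"):
        """Build a libpq-style DSN from the current credentials."""
        c = self.creds
        return "host=%s port=%d dbname=%s user=%s password=%s" % (
            host, port, dbname, c["PGUSER"], c["PGPASSWORD"])


def simulate_rotation():
    """Write lease 1, load it, overwrite with lease 2, and confirm detection.

    Returns (first_load, unchanged_poll, rotation_seen, user_before, user_after).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "db-creds")   # stands in for /vault/secrets/db-creds
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_RENDER_V1)
        watcher = CredentialWatcher(path)
        first = watcher.refresh()          # initial load
        user_before = watcher.creds["PGUSER"]
        unchanged = watcher.refresh()      # nothing rotated yet
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_RENDER_V2)     # sidecar renders a new lease
        rotated = watcher.refresh()
        user_after = watcher.creds["PGUSER"]
        return first, unchanged, rotated, user_before, user_after


if __name__ == "__main__":
    print(simulate_rotation())
```

In a real service the loop would call `refresh()` on a timer, or be triggered by the injector's `vault.hashicorp.com/agent-inject-command-<name>` annotation, and tear down the connection pool when it returns True, since the old role is dropped when its lease expires. Comparing a content hash rather than the file's mtime avoids missing a rewrite that lands within the same timestamp resolution.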