I have referenced a couple of documents on credential rotation, such as https://learn.hashicorp.com/tutorials/vault/database-creds-rotation. I failed to find any of them mentioning how to avoid breaking the running client services. So I am looking for help here.
From the documentation, and also from a trial I did, Vault rotates the password for the static role exactly following the rotation period. So, I have a puzzle: suppose I have quite a lot of microservices running, and each of them gets the secrets (managed by Vault with a static role) and then holds the connection to the DBs. Indeed, each service should periodically reload the secret based on the TTL value returned from Vault. However, there is no “buffer” time or overlap between the old and new password timelines. So, this really puzzles me: how do I keep the running service from breaking during the password rotation, since at some point the password is changed without any buffer?
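Added example (not from the original post, nor HashiCorp code): a simulation of the client side of the problem above. The client schedules its refresh from the `ttl` that `database/static-creds/<role>` returns (seconds until Vault rotates again) and keeps a one-shot re-fetch-and-retry on authentication failure as a safety net, which also covers an out-of-band `rotate-role`. Vault, the database and the clock are fakes; the fake DB assumes the worst case, re-checking the password on every operation.

```python
import itertools

class FakeVault:
    """Simulated static role: exactly one valid password at a time, rotated every `period` s."""
    def __init__(self, period):
        self.period, self.last_rotation, self._n = period, 0, itertools.count()
        self.password = f"pw{next(self._n)}"
    def _tick(self, now):  # apply every scheduled rotation that `now` has passed
        while now - self.last_rotation >= self.period:
            self.last_rotation += self.period
            self.password = f"pw{next(self._n)}"
    def static_creds(self, now):  # stands in for GET database/static-creds/<role>
        self._tick(now)
        return {"username": "app", "password": self.password,
                "ttl": self.period - (now - self.last_rotation)}
    def rotate_role(self, now):  # stands in for POST database/rotate-role/<role>
        self._tick(now)
        self.last_rotation, self.password = now, f"pw{next(self._n)}"

class FakeDB:
    """Worst-case DB: every operation is checked against the current password."""
    def __init__(self, vault): self.vault = vault
    def execute(self, conn_password, now):
        self.vault._tick(now)
        if conn_password != self.vault.password:
            raise PermissionError("password authentication failed")
        return "row"

class RotatingClient:
    """Refresh when the returned ttl elapses; on an auth failure, refresh once and retry."""
    def __init__(self, vault, db):
        self.vault, self.db = vault, db
        self.conn, self.refresh_at, self.refreshes = None, 0, 0
    def _refresh(self, now):
        creds = self.vault.static_creds(now)
        self.conn = creds["password"]         # a real client would reopen its pool here
        self.refresh_at = now + creds["ttl"]  # ttl is relative: fetch early and it just shrinks
        self.refreshes += 1
    def execute(self, now):
        if self.conn is None or now >= self.refresh_at:
            self._refresh(now)
        try:
            return self.db.execute(self.conn, now)
        except PermissionError:               # rotated out of band: fetch again, retry once
            self._refresh(now)
            return self.db.execute(self.conn, now)

def simulate(period=10, seconds=30, manual_rotation_at=15):
    """Run one query per simulated second; return (queries served, credential refreshes)."""
    vault = FakeVault(period)
    client, served = RotatingClient(vault, FakeDB(vault)), 0
    for now in range(seconds):
        if now == manual_rotation_at:
            vault.rotate_role(now)
        served += client.execute(now) == "row"
    return served, client.refreshes
```

With the defaults every query is served: two refreshes come from the ttl schedule (t=10, t=25) and one from the retry path after the manual rotation at t=15, plus the initial fetch.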