daniel1994

Reputation: 21

How to use Vault dynamic secrets and inject them as Environment Variables to Kubernetes deployment?

We run a Vault cluster (deployed by Helm) and some microservices, all on k8s. Our MongoDB Atlas connection string is configured as an ENV on the microservices' deployment. We want to continue using ENV without changing the code to read the Vault config file. So, we tried the examples from here:

https://www.vaultproject.io/docs/platform/k8s/injector/examples

The injection to ENV works, but when Vault rotates the credentials we need to recreate the pod so that it will inject them again into the ENV.

I would like to know how we may use the functionality of dynamic secrets in Vault with ENV on k8s, if you have any suggestions.

Thanks

Upvotes: 0

Views: 1540

Answers (1)

lxop

Reputation: 8595

If you are using an environment variable to inject a secret, you will need to recreate the pod whenever the secret changes (as you've found), because the environment variable is only generated at startup of the pod - it is not possible to change an environment variable for a running application. If you want your application to support credentials that change while it is running, you will need to add support for that to your application, I'm afraid (and change from using an env var to reading the details from the file when required).

Upvotes: 2
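The file-reading approach described in the answer above, sketched in Python as an added example (not code from the answer or from Vault). It assumes the Vault Agent sidecar renders the connection string to a file such as `/vault/secrets/mongodb-uri` (a hypothetical name); the demo simulates a rotation with a constructed temp file and placeholder credentials.

```python
import os
import tempfile
import threading


class FileBackedSecret:
    """Returns the current contents of a secret file, re-reading it when it changes."""

    def __init__(self, path):
        self._path = path
        self._lock = threading.Lock()
        self._stamp = None  # (mtime_ns, size, inode) of the cached version
        self._value = None

    def get(self):
        st = os.stat(self._path)
        stamp = (st.st_mtime_ns, st.st_size, st.st_ino)
        with self._lock:
            if stamp != self._stamp:
                with open(self._path, encoding="utf-8") as fh:
                    value = fh.read().strip()
                if value:  # skip an empty or half-written render, keep last good value
                    self._value, self._stamp = value, stamp
            if self._value is None:
                raise RuntimeError(f"no credentials rendered yet at {self._path}")
            return self._value


def demo():
    # Constructed stand-in for the injected file (assumed real path:
    # /vault/secrets/mongodb-uri); all values below are placeholders.
    path = os.path.join(tempfile.mkdtemp(), "mongodb-uri")

    def render(text):
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.replace(tmp, path)  # atomic swap, so readers never see a partial file

    render("mongodb+srv://v-user-1:pw1@cluster.example.invalid/app\n")
    secret = FileBackedSecret(path)
    first = secret.get()   # value the application starts with
    render("mongodb+srv://v-user-2:pw2-rotated@cluster.example.invalid/app\n")
    second = secret.get()  # rotated value, picked up without a restart
    return first, second


if __name__ == "__main__":
    print(demo())
```

The application still has to rebuild its database client when `get()` returns a new value, for example by comparing it with the string used for the current connection before each reconnect or on authentication failure.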
