Kubernetes - How to dynamically refresh secrets without restarting pod
You can define a TTL on your kv secret by specifying a TTL value. For example:
vault kv put infrastructure/nginx ttl=1m Password1=PasswordUpdated1 Password2=PasswordUpdated2
will expire your infrastructure/nginx secret every minute. The Vault sidecar will automatically check for a new value and refresh the file in your pods.
root@LAP-INFO-28:/mnt/c/Users/cmonsieux/Desktop/IAC/kubernetes/yaml/simplePod# k logs nginx-69955d8744-mwhmf vault-agent -n web
renewal process
2020-09-06T07:16:42.867Z [INFO] sink.file: token written: path=/home/vault/.vault-token
2020-09-06T07:16:42.867Z [INFO] template.server: template server received new token
2020/09/06 07:16:42.867793 [INFO] (runner) stopping
2020/09/06 07:16:42.867869 [INFO] (runner) creating new runner (dry: false, once: false)
2020/09/06 07:16:42.868051 [INFO] (runner) creating watcher
2020/09/06 07:16:42.868101 [INFO] (runner) starting
2020-09-06T07:16:42.900Z [INFO] auth.handler: renewed auth token
2020/09/06 07:18:26.268835 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
2020/09/06 07:19:18.810479 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
2020/09/06 07:24:41.189868 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
2020/09/06 07:25:36.095547 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
2020/09/06 07:29:11.479051 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
2020/09/06 07:31:00.715215 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
root@LAP-INFO-28:/mnt/c/Users/cmonsieux/Desktop/IAC/kubernetes/yaml/simplePod# k exec -it pod/nginx-69955d8744-mwhmf -n web -- cat /vault/secrets/nginx.pass
Password1: PasswordUpdated1
Password2: PasswordUpdated2
ttl: 1m
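The sidecar re-renders /vault/secrets/nginx.pass on its own, as the log above shows, but the application in the pod still has to notice that the file changed and pick up the new credentials without a restart. The following is an added example, not code from the answer above or from Vault itself: a small file watcher that polls the rendered file, parses the `key: value` lines in the format shown by the `cat` output, and fires a callback only when the content digest actually changes. The path, polling interval and `simulate_rotation` helper are assumptions for the demonstration; the on-disk rotation in `simulate_rotation` is constructed with a temporary file rather than a real sidecar.

```python
import hashlib
import os
import tempfile
import time
from typing import Callable, Dict, List, Optional


def parse_rendered_secret(text: str) -> Dict[str, str]:
    """Parse the 'key: value' lines the agent template rendered (format from the cat output above)."""
    secrets: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # ignore lines that are not key: value pairs
        secrets[key.strip()] = value.strip()
    return secrets


class SecretFileWatcher:
    """Poll a sidecar-rendered secret file and reload credentials when its content changes."""

    def __init__(self, path: str, on_change: Optional[Callable[[Dict[str, str]], None]] = None):
        self.path = path
        self.on_change = on_change
        self._digest: Optional[str] = None   # SHA-256 of the last content we loaded
        self.current: Dict[str, str] = {}     # last successfully parsed credentials

    def poll(self) -> bool:
        """Return True if new content was loaded, False if unchanged or not yet rendered."""
        try:
            with open(self.path, "rb") as fh:
                data = fh.read()
        except FileNotFoundError:
            # The sidecar has not rendered the file yet: keep the last good credentials.
            return False
        digest = hashlib.sha256(data).hexdigest()
        if digest == self._digest:
            # The agent re-rendered identical content (as the repeated "rendered" log
            # lines above do every TTL); do not churn connections for a no-op change.
            return False
        self._digest = digest
        self.current = parse_rendered_secret(data.decode("utf-8", errors="replace"))
        if self.on_change:
            self.on_change(self.current)
        return True

    def run(self, interval_seconds: float = 5.0) -> None:
        """Blocking loop for use in a background thread of the application (assumed interval)."""
        while True:
            self.poll()
            time.sleep(interval_seconds)


def simulate_rotation() -> List[Dict[str, str]]:
    """Constructed demo: write a file in the rendered format, rotate it, return the reload events."""
    events: List[Dict[str, str]] = []
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "nginx.pass")  # stands in for /vault/secrets/nginx.pass
    watcher = SecretFileWatcher(path, on_change=lambda creds: events.append(dict(creds)))

    watcher.poll()  # file does not exist yet: no event

    def render(content: str) -> None:
        # Write-then-rename, the same atomic replace pattern templating agents use,
        # so a poll never observes a half-written file.
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.replace(tmp, path)

    render("Password1: PasswordUpdated1\nPassword2: PasswordUpdated2\nttl: 1m\n")
    watcher.poll()  # first render: event
    watcher.poll()  # nothing changed: no event
    render("Password1: PasswordUpdated1\nPassword2: PasswordUpdated2\nttl: 1m\n")
    watcher.poll()  # re-rendered with identical content: no event
    render("Password1: PasswordRotated1\nPassword2: PasswordRotated2\nttl: 1m\n")
    watcher.poll()  # rotated credentials: event
    return events


if __name__ == "__main__":
    for ev in simulate_rotation():
        print("reloaded:", ev)
```

Comparing a content digest rather than the file's mtime matters here because the agent rewrites the file every TTL even when the secret has not changed, and several renders can land within the same timestamp resolution; the digest check means the application only rebuilds its connections or reloads config when the credentials really differ.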