Any idea what the generally accepted practices/integration points are for reading secrets (be it a Secret or something provided externally)? I'm wondering if there is any benefit in pushing the company to switch from Secrets mounted as env vars to something else in apps (there are at least Ruby on Rails, Elixir Phoenix and some NodeJS apps).
Mount secrets as files?
Vault is fairly standard
Yes it is… somehow I've never gone too deep into it myself. We use Vault, but not really inside k8s. How do you protect the Vault access key, or do you use ServiceAccount tokens to authenticate with Vault?
You can have a service that updates the secrets from Vault within the containers. When the secrets change, the mounted secrets will change too. When this is done, the application containers have to either reload their configuration file (they have to watch the env var or config file) OR your config changes are backward compatible, i.e. if you change a password, the old password will still work for a couple of days, so this gives you time for all pods to restart.
Env vars can't really be updated for a running process from outside that process.
OK, well, you can do it with gdb, but … just don't.
Damn, it is such a generally accepted idea that the whole SIG has standardized on it https://secrets-store-csi-driver.sigs.k8s.io/ and it's even in v1 already.