Awesome. Awesome. It helped me a lot to close my long-pending activities related to Vault. Expecting some sessions on Udemy or another platform.
I followed and implemented it, but when I am trying to consume the dynamic username and password generated by VSO, it is giving - FATAL: password authentication failed for user .
Thanks for the video 😊
As per the video, in case of dynamic secrets, will we get any downtime if the credential expires for the related application and the pods redeploy with new credentials?
Do we need to automate any logic to fetch new credentials for the application before expiry, or will VSO take care of it?
1. There won't be "downtime" b/c the VSO does a rollout restart on the deployments. So it will bring up 1 pod at a time, wait for it to be ready (using the probes) and then bring down a pod at a time.
Also, VSO renews the secret lease around 67%, but you can tweak that value if you need to so you don't have to worry about the secret expiration.
developer.hashicorp.com/vault/docs/platform/k8s/vso/api-reference#vaultdynamicsecretspec
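
Added example, not from the video or from any commenter: a VaultDynamicSecret that sets the renewal percentage and rollout restart target described in the reply above, next to a Deployment whose rolling update and readiness probe keep a pod serving during the restart. The namespace, Vault mount and role path, VaultAuth name, image and health endpoint are all assumptions.

```yaml
# Added example; every name below (namespace, mount, role, auth ref, image) is an assumption.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: postgres-creds
  namespace: app
spec:
  vaultAuthRef: app-vault-auth   # existing VaultAuth resource (assumed)
  mount: database                # database secrets engine mount (assumed)
  path: creds/app-role           # role that issues the Postgres user (assumed)
  renewalPercent: 67             # the value mentioned in the reply; also the default
  destination:
    name: postgres               # Kubernetes Secret that VSO writes and updates
    create: true
  rolloutRestartTargets:         # workloads VSO restarts after it updates the Secret
    - kind: Deployment
      name: app
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: app
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0          # never drop below the desired replica count
      maxSurge: 1                # bring up one new pod at a time
  selector:
    matchLabels: {app: app}
  template:
    metadata:
      labels: {app: app}
    spec:
      containers:
        - name: app
          image: registry.example.com/app:1.0.0   # placeholder image
          env:
            - name: PGUSER
              valueFrom: {secretKeyRef: {name: postgres, key: username}}
            - name: PGPASSWORD
              valueFrom: {secretKeyRef: {name: postgres, key: password}}
          readinessProbe:        # old pod is removed only after the new one is ready
            httpGet: {path: /healthz, port: 8080}   # assumed health endpoint
            periodSeconds: 5
```
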
Great content. Wonder why you don't have subs in millions. One question: I am finding it difficult to understand the concept of lease renewal. I know that the creds will be renewed at 67% of TTL, but when the lease is renewed and the username and password are changed to a new random username and password in the Vault database engine, will the VSO create a new secret type resource "postgres" in Kubernetes?
Appreciate the compliment!
So when Vault renews the creds, it will create a new username and password in the Postgres database and return it to the Vault agent. The old creds will still be valid for another 27% of the remaining duration.
VSO then just updates the Kubernetes secret object which contains the encoded credentials and restarts the deployment.
@@cookncode It's fantastic knowledge sharing, contents are so easy to follow. I'm a bit confused: could you clarify if old credentials that are still valid with 27% of their duration remaining will automatically be removed from the database, like AWS RDS Postgres, once they expire, or will they remain and need to be removed manually? Also suggest whether 27% means 27% of 24h.
@@accountfortesting6321
Vault will take care of it eventually, so you don't have to delete them manually.