In metal-stack there are multiple kinds of secrets that do expire. But currently there is no uniform or automated way of managing these. Some do get rotated while running, some need to be rolled manually, some do so during deployments (or at least this is one idea we had).
Regarding all of these, there are multiple ideas, all with their own pros and cons.
| Approach | Pros | Cons |
| --- | --- | --- |
| Rotate on Deploy | Less common failure | Still requires deployment, customer specific pipelines |
| Alerts prior expiration | Transparency, suitable for external secrets | Still requires rotation |
| Rotate in Clients | Automated | Requires metal-apiserver, not reflected by k8s secrets |
While it isn't possible to solve all of these with the same approach, I think it makes sense to have a discussion around these and how we want to handle those cases.
What do you think? Once we have found our preferred approach for each use case, we could apply it to all matching secrets in a uniform way.
This topic came up in multiple issues: