K8S synchronization between deployments which use the same secret

11/21/2019

In my k8s cluster I have two deployments: one for generating JWTs using a given key-pair and another one for validating JWTs using the same key-pair.
Both deployments use the same k8s secret, which contains the key pair.
When I want to revoke/update that key pair, how do I create consistency between the deployments? Practically, I want all the generated JWTs to be validated even though there are two different microservices, and not necessarily all the pods of both microservices will be updated at once to use the new keys.
How do I prevent such false alarms of validation failures?

-- Yosi Karl
kubernetes

2 Answers

11/21/2019

In your Helm chart or Kustomize manifest, set a hash of the contents of the secret as an annotation on the pod template; that will automatically trigger a re-deployment when the contents of the secret change.

Alternatively your software could detect the changes in the files and reload them.

-- coderanger
Source: StackOverflow

11/21/2019

It is impossible to have a generic solution for this problem: you must coordinate all the parties yourself.

The common solution is to issue a new secret and let all the participants accept both.

Then, after some time, stop issuing the old version and remove it from everywhere.

-- zerkms
Source: StackOverflow
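The overlap approach from this answer, as an added example that is not from the question or either answer: a stdlib-only HS256 signer and verifier where the validator picks the key by the JWT `kid` header and accepts every key still in its trust set, then walks the three phases (both keys trusted, issuer switched, old key retired). HS256 stands in for the key pair in the question so it runs offline; `OLD`, `NEW`, `sign_jwt`, `verify_jwt` and `rotation_demo` are constructed names.

```python
# Added illustration of overlap-based JWT key rotation (not code from the thread).
import base64, hashlib, hmac, json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, kid: str, keys: dict) -> str:
    """Issuer side: always sign with exactly one 'current' key, named by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    body = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))
    sig = hmac.new(keys[kid], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(sig)

def verify_jwt(token: str, keys: dict):
    """Validator side: accept any key still in the trust set, selected by kid.
    Returns claims, or None for malformed token, wrong alg, unknown kid, bad sig."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    key = keys.get(header.get("kid")) if header.get("alg") == "HS256" else None
    if key is None:
        return None  # retired or unknown kid: reject, never fall back to a default key
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))

# Constructed keys for the demo; in the cluster these come from the shared Secret.
OLD, NEW = b"constructed-old-key-0000000000000000", b"constructed-new-key-1111111111111111"

def rotation_demo() -> dict:
    """Walk the three phases: overlap, switch the issuer, retire the old key."""
    claims = {"sub": "svc-a"}
    old_token = sign_jwt(claims, "k1", {"k1": OLD})           # issued before rotation
    overlap = {"k1": OLD, "k2": NEW}                          # validator trusts both
    new_token = sign_jwt(claims, "k2", overlap)               # issuer switched to k2
    retired = {"k2": NEW}                                     # old key removed
    return {
        "old_during_overlap": verify_jwt(old_token, overlap) is not None,
        "new_during_overlap": verify_jwt(new_token, overlap) is not None,
        "old_after_retire": verify_jwt(old_token, retired) is not None,
        "new_after_retire": verify_jwt(new_token, retired) is not None,
    }
```

The validator's trust set is what the shared Secret has to carry during the overlap window; only once every validating pod has picked up the new set is it safe to remove `k1`.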