I want to have a sidecar manage secret rotation, which requires the app container to restart in order to force it to pick up the updated credentials.
How can a sidecar force a container within the same pod to restart or the whole pod to restart?
Detailed explanation:
- Services of different tech stacks need to start using secrets. Secrets can either be injected via CI/CD or fetched at runtime from AWS Secrets Manager.
- Secrets need to be rotated every 3 months for security compliance reasons.
- Secrets are only used once at startup to create the related client. Since they are not used continuously, they are not naturally refreshed if updated at source storage.
- To minimise per-service development time, custom logic within each service to refresh the secrets should be avoided or minimised.
There is the following pattern to rotate secrets without the need to restart containers if you are running apps in EKS or ECS.
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/rotate-credentials-without-restarting-containers.html
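For the sidecar-triggered restart the question describes, the following is an added illustration (not code from the question or the linked AWS page). It assumes the sidecar detects rotation by watching which Secrets Manager version carries the AWSCURRENT staging label, and forces the restart by deleting its own pod through the Kubernetes API, so the owning Deployment recreates it and the app container reads the new secret at startup; the pod name and namespace are assumed to arrive via downward-API environment variables, and the sidecar's ServiceAccount is assumed to hold a namespaced Role allowing only `delete` on pods.

```python
import os
import time
from typing import Callable, Optional


def current_version(describe_secret_response: dict) -> Optional[str]:
    """Return the version id labelled AWSCURRENT from a Secrets Manager
    DescribeSecret response (the VersionIdsToStages map), or None."""
    stages_by_version = describe_secret_response.get("VersionIdsToStages", {})
    for version_id, stages in stages_by_version.items():
        if "AWSCURRENT" in stages:
            return version_id
    return None


def watch_and_restart(get_version: Callable[[], Optional[str]],
                      restart_pod: Callable[[], None],
                      poll_seconds: float = 300.0,
                      max_polls: Optional[int] = None) -> int:
    """Poll until the AWSCURRENT version differs from the one seen at
    startup, then trigger exactly one restart. Returns the number of
    restarts triggered (0 or 1). A sidecar only ever needs one: deleting
    the pod ends the sidecar too, and the replacement pod starts fresh."""
    baseline = get_version()
    polls = 0
    while max_polls is None or polls < max_polls:
        time.sleep(poll_seconds)
        polls += 1
        try:
            seen = get_version()
        except Exception:  # transient API error: keep the old baseline
            continue
        if seen is not None and seen != baseline:
            restart_pod()
            return 1
    return 0


if __name__ == "__main__":
    # Real clients are only imported here, so the logic above runs offline.
    import boto3                                 # AWS SDK for Python
    from kubernetes import client, config        # official Kubernetes client
    secret_id = os.environ["SECRET_ID"]          # assumed env var
    pod, ns = os.environ["POD_NAME"], os.environ["POD_NAMESPACE"]  # downward API
    sm = boto3.client("secretsmanager")
    config.load_incluster_config()               # uses the pod's ServiceAccount
    core = client.CoreV1Api()
    watch_and_restart(
        lambda: current_version(sm.describe_secret(SecretId=secret_id)),
        lambda: core.delete_namespaced_pod(name=pod, namespace=ns))
```

Deleting the pod rather than just the app container keeps the sidecar and app in lockstep; the Deployment's replacement pod is what actually picks up the rotated credential.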