Conjur cloud with K8s csi driver - redeploy application after password change?

Hello - I am trying to understand what happens after a password change when the application that is hosted within k8s uses a CSI mount volume for fetching secrets. Does the Conjur secrets provider daemonset periodically poll Conjur to see if the secret value changes? Or does the application need to be redeployed to pull the recent password?

My understanding is that the application needs to be redeployed to read the new password, but please correct me if I am wrong. In that case I am hoping the files will be overwritten with the new password value.

TIA

Hi @senko -
The feature you are referencing is called auto-rotation. It is briefly mentioned in our docs where we recommend enabling it when installing the CSI secrets store driver helm chart: Conjur Provider for Secrets Store CSI Driver

This is part of the core Secrets Store CSI Driver implementation where it is an alpha feature, but it should be compatible with the Conjur provider. Enabling it would result in the Conjur provider polling every 2 minutes for updated secrets values, and updating the mounted files. The relevant Helm config keys are enableSecretRotation and rotationPollInterval.

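Added example (not from the thread or from the Conjur project): with rotation enabled the mounted file is updated, but a process that read the password once at startup still holds the old value until it reads the file again. The Python below re-reads the file whenever it changes; the class name, file name and sample passwords are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path


class MountedSecret:
    """Serve the current value of a secret file from a CSI-mounted volume.

    Assumption: rotation is enabled, so the mounted file is rewritten when
    the secret changes and the process only has to notice and re-read it.
    """

    def __init__(self, path):
        self.path = Path(path)
        self._sig = None
        self._value = None

    def _signature(self):
        # stat() follows symlinks, so a replaced file is detected whether the
        # update was an in-place write or a swap to a new file.
        st = self.path.stat()
        return (st.st_ino, st.st_mtime_ns, st.st_size)

    def get(self):
        """Return the secret, re-reading the file only when it has changed."""
        sig = self._signature()
        if sig != self._sig:
            self._value = self.path.read_text().rstrip("\n")
            self._sig = sig
        return self._value


def demo():
    """Simulate one rotation against a constructed temporary file."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "db-password")    # hypothetical file name
        Path(target).write_text("old-password\n")  # constructed sample value
        secret = MountedSecret(target)
        before = secret.get()
        # Simulated rotation: write a new file, then rename it over the old.
        tmp = os.path.join(d, ".db-password.new")
        Path(tmp).write_text("new-password\n")
        os.replace(tmp, target)
        return before, secret.get()


if __name__ == "__main__":
    print(demo())
```

Calling `get()` each time a connection is opened, rather than caching the password in a variable at startup, is what lets the application pick up a rotated value without a redeploy.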

Thank you @gjohnson - that helps.
