Springboot Java Demo - reloads rotated secrets without restarting by secrets provider for k8s as cronjob

[quincycheng]

Request for a new public Conjur project in CyberArk GitHub

Current project source: https://github.com/quincycheng/springboot-k8s-secret-reload-provider-as-a-cronjob

Current maintainer: Quincy Cheng, @quincycheng

Desired project URL: https://github.com/cyberark/springboot-k8s-secrets-provider-as-cronjob

Brief description of project: Springboot Java Demo, that reloads rotated secrets of Oracle database without restarting app container by using secrets provider for k8s as cronjob

Anticipated certification level: Certified

[izgeri]

See the comment here: https://github.com/cyberark/conjur-template/issues/23#issuecomment-771093087

[quincycheng]

@izgeri maybe I've overused the word "demo". my bad.

So this is a new deployment approach for secrets provider for k8s, as a crontab. And also it can be served as a guideline or example on decoupling Conjur with Springboot apps, so the developers don't need to learn anything about Conjur.

[izgeri]

@quincycheng is this something you can contribute directly to the secrets provider project? We are currently reviewing our Kubernetes integration and looking for ways to simplify it and centralize functionality if possible - this seems like it could fit well as a contribution to our existing project.

Could it live as an example workflow in the Secrets Provider project? We're adding examples folders to a few of our projects that contain realistic e2e flows for people to try out, to see different ways that the project would work. I'm open to other suggestions too - I would just like to explore the options so that we don't extend the sprawl of Kubernetes solutions if we can avoid it.

[quincycheng]

Personally I got no preference. The only concern that I can think of is the usage of secrets provider as cronjob is currently not supported. Not sure if the content of this repo will be approved over there. @izgeri your call please.

[izgeri]

I think I am proposing two things:

• Add cronjob support to the Secrets Provider project.

  • You would file an issue in the project that explains what you are asking for and why, and a sketch of how you will add the support - this provides a chance to have a conversation with the team about your plan before you submit an implementation for review. This approach actually will get the most value out of the work you have done, because customers can use Secrets Provider as a cronjob once your code is merged - any other approach we take to share your code will mean that users are not able to benefit from your work as much!

• Add an examples folder to Secrets Provider that includes a Springboot Java Demo that reloads rotated secrets of an Oracle database without restarting app container. Alternatively, we could create a conjurdemos standalone repo for this - but since it's a demo for Secrets Provider, I think there's some value to having the example in the repo itself.

What do you think about these suggestions? Do they make sense?