openfga / helm-charts

Official Helm charts for the OpenFGA project.
https://openfga.dev
Apache License 2.0
19 stars 35 forks

Support reading databaseUri from a file #101

Open raj-saxena opened 8 months ago

raj-saxena commented 8 months ago

Seems like right now, the only way to pass database credentials is through a Kubernetes secret that is then referenced by datastore.uriSecret. While this works with static credentials, it fails when using dynamic credentials that are generated by a database secret engine like Vault (since they are newly generated each time).

Vault provides a vault-injector for Kubernetes that retrieves the secrets and can make them available on a file path in the following ways: https://developer.hashicorp.com/vault/docs/platform/k8s/injector/examples

But, for this, the app should support reading credentials from a path. Is this something that can be easily supported by FGA?

An alternative could be to read the values from environment variables but then, you'll have to allow passing the command and args parameters to correctly export the variables before starting the service. https://developer.hashicorp.com/vault/docs/platform/k8s/injector/examples#environment-variable-example
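
The environment-variable workaround described in the issue above, sketched as an entrypoint wrapper. This is an added example, not part of the original issue or of the OpenFGA chart; it assumes the injector renders the full URI to `/vault/secrets/openfga-db` (a hypothetical file name) and that the server takes its URI from `OPENFGA_DATASTORE_URI`.

```shell
#!/bin/sh
# Added illustration, not OpenFGA or helm-chart code.
# Assumptions: the Vault injector renders the full datastore URI to
# SECRET_FILE (file name is hypothetical), and the server reads its URI
# from the OPENFGA_DATASTORE_URI environment variable.
SECRET_FILE="${SECRET_FILE:-/vault/secrets/openfga-db}"

# Read exactly one non-empty line from $1 and export it.
# Error messages never include the file's contents.
load_datastore_uri() {
    file=$1
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "datastore secret file missing or unreadable: $file" >&2
        return 1
    fi
    # A rendered template should hold one URI; anything else means the
    # template or the Vault role is misconfigured, so refuse to start.
    lines=$(grep -c . "$file" || true)
    if [ "$lines" -ne 1 ]; then
        echo "expected 1 non-empty line in $file, found $lines" >&2
        return 1
    fi
    uri=$(grep . "$file")
    # Strip carriage returns and surrounding whitespace.
    uri=$(printf '%s' "$uri" | tr -d '\r' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$uri" ]; then
        echo "datastore secret file $file is blank" >&2
        return 1
    fi
    OPENFGA_DATASTORE_URI=$uri
    export OPENFGA_DATASTORE_URI
    unset uri lines
}

# Used as a container entrypoint: wrapper.sh <server command and args>.
# exec replaces the shell so the server receives signals directly.
if [ "$#" -gt 0 ]; then
    load_datastore_uri "$SECRET_FILE" || exit 1
    exec "$@"
fi
```

The URI is fixed when the server process starts, so a credential that Vault later rotates and re-renders to the file is not picked up until the pod restarts. The exported value is also readable from the process environment, which reading the file directly in the application would avoid.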