
Refactoring Applications for Dynamic Secrets

Originally presented at DevOpsDays NYC 2023


An application uses a database password that should change every thirty days. However, when it does need to change, your application must go offline to reload configuration and use the new password. Can an application change passwords or credentials with minimal downtime?

In this session, you will learn how to architect and refactor an application to handle dynamic secrets like passwords, tokens, or secrets. This demo-driven session progressively refactors a Java application to reload when a database password changes and identifies patterns for applications running in both virtual machines and containers on Kubernetes.

No matter which programming language you are familiar with, you’ll be able to apply the patterns from this session to retrieving secrets across different applications and platforms.

Rosemary Wang

June 06, 2023



  1. © HASHICORP 3 Environment Variables or File Secrets

     ## Environment Variables
     > PG_PASSWORD=secret!123 <application command>

     ## File (Encrypted)
     > cat secret.properties.encrypted | \
         base64 -d > secret.properties
     spring.datasource.password=secret!123
     > <application command>

  2. 😀 Low refactor 😕 Runtime-specific 🔐 Secret may be plaintext
     😀 Minimize disruption 😕 Refactor/test code 🔐 Secret in memory
     😀 Low refactor 😕 Separate process 🔐 Secret in file
     Controller, SDK, Agent, Agent + Reload, Automatic Reload
     😀 Minimize disruption 😕 Framework-specific 🔐 Secret in file
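A file-based secret with in-process reload, as on the slides above, sketched in Python as an added example; it is not code from the talk, which refactors a Java application. It assumes an agent rewrites `secret.properties` when the password rotates and that the application asks for a connection per request; `ReloadingPool` and the `connect` callback are hypothetical names.

```python
import hashlib
import threading
from pathlib import Path

KEY = "spring.datasource.password"  # property name shown on the slide


def read_property(path, key=KEY):
    """Return `key` from a Java-style .properties file (only the '=' separator is handled)."""
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            name, _, value = line.partition("=")
            if name.strip() == key:
                return value.strip()
    raise KeyError(f"{key} not found in {path}")


class ReloadingPool:
    """Hypothetical wrapper: reconnects when the secret file content changes."""

    def __init__(self, path, connect):
        self._path, self._connect = path, connect  # connect(password) -> connection
        self._lock = threading.Lock()
        self._digest = None  # hash of the file last loaded, not the secret itself
        self._conn = None
        self.reloads = 0

    def _file_digest(self):
        # Content hash instead of mtime: immune to coarse timestamp resolution.
        return hashlib.sha256(Path(self._path).read_bytes()).hexdigest()

    def connection(self):
        """Return a connection, rebuilding it only if the file changed."""
        digest = self._file_digest()
        with self._lock:
            if digest != self._digest:
                try:
                    new_conn = self._connect(read_property(self._path))
                except Exception:
                    if self._conn is None:
                        raise  # nothing to fall back to at startup
                    return self._conn  # half-written file: retry on next call
                self._conn, self._digest = new_conn, digest
                self.reloads += 1
            return self._conn
```

Because the digest is updated only after a successful connect, a partially written or malformed file is retried on the next call instead of taking the application offline.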