Refactoring Applications for Dynamic Secrets

June 06, 2023

29

Refactoring Applications for Dynamic Secrets

Originally presented at DevOpsDays NYC 2023

---

An application uses a database password that should change every thirty days. However, it does need to change, your application must go offline to reload configuration and use the new password. Can an application change passwords or credentials with minimal downtime?

In this session, you will learn how to architect and refactor an application to handle dynamic secrets like passwords, tokens, or secrets. This demo-driven session progressively refactors a Java application to reload when a database password changes and identifies patterns for applications running in both virtual machines and containers on Kubernetes.

No matter which programming language you are familiar with, you’ll be able to apply the patterns from this session to retrieving secrets across different applications and platforms.

Rosemary Wang

June 06, 2023

Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang

Can You Test Your Infrastructure as Code?

1

11

Multi-Account, Multi-Region, Multi-Runtime

1

13

Building a multi-account, multi-runtime service-oriented architecture

0

9

Choose Your Own Abstraction: Iterating on Developer Experience

0

13

Break Glass, Repair Fast, Reconcile Automation

2

24

Building a Developer Platform? Ask these questions.

0

10

From Cloud-Hosted to Cloud-Native

0

44

Catching Commits to Secure Infrastructure as Code

1

39

Minimum Secure Pipeline

0

63

Other Decks in Technology

See All in Technology

Google Cloud の AI を支える裏側のインフラを垣間見る！

0

360

ChatworkのSRE部って実は半分くらいPlatform Engineering部かもしれない

0

160

20分で完全に理解するGrafanaダッシュボード

3

690

FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点

kenichirokimura

1

530

競技としてのKaggle、役に立つKaggle

4

1.9k

一生覚えておきたい「システム開発＝コミュニケーション」〜初めての実務案件振り返りLT〜

1

170

チームでロジカルシンキングに改めて向き合っている話〜学習環境と実践⽅法〜

3

2.8k

LayerXにおけるLLMプロダクト開発の今までとこれから

1

410

DevOpsメトリクスとアウトカムの接続にトライ！開発プロセスを通して計測できるメトリクスの活用方法

2

240

APIファーストなプロダクトマネジメントの実践〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform

0

110

GraphQL 成熟度モデルの紹介と、プロダクトに当てはめた事例 / GraphQL maturity model

7

1.4k

ServiceNow Knowledge Learning Rise up

0

210

Featured

See All Featured

The Pragmatic Product Professional

25

5.8k

A designer walks into a library…

pauljervisheath

200

23k

Easily Structure & Communicate Ideas using Wireframe

187

16k

Building an army of robots

300

41k

GraphQLの誤解/rethinking-graphql

50

9.2k

Designing for humans not robots

248

25k

Designing for Performance

601

67k

実際に使うSQLの書き方徹底解説 / pgcon21j-tutorial

121

39k

Intergalactic Javascript Robots from Outer Space

266

26k

Fontdeck: Realign not Redesign

paulrobertlloyd

76

4.9k

10 Git Anti Patterns You Should be Aware of

648

58k

Understanding Cognitive Biases in Performance Measurement

7

1k

Transcript

© 2023 HASHICORP 1 Refactoring Applications for Dynamic Secrets DevOpsDays
NYC | June 6, 2023
© 2023 HASHICORP 2 Developer Advocate at HashiCorp she/her @joatmon08
joatmon08.github.io Rosemary Wang
© HASHICORP 3 Environment Variables or File Secrets ## Environment
Variables > PG_PASSWORD=secret!123 <application command> ## File (Encrypted) > cat secret.properties.encrypted | \ base64 -d > secret.properties spring.datasource.password=secret!123 > <application command>
© HASHICORP 4 30 days
© HASHICORP 5 1 day?
© HASHICORP 6 Automatic reload
© HASHICORP 7 Controller SDK Agent Agent + Reload Automatic
Reload
© HASHICORP 😀Low refactor 😕Runtime-specific 🔐Secret may be plaintext 8
😀Minimize disruption 😕Refactor/test code 🔐Secret in memory 😀Low refactor 😕Separate process 🔐Secret in file Controller SDK Agent Agent + Reload Automatic Reload 😀Minimize disruption 😕Framework-specific 🔐Secret in file
© HASHICORP 9 github.com/ hashicorp-dev-advocates/ workshop-vault-for-developers
© 2023 HASHICORP 10 Rosemary Wang @joatmon08 Thank you!