Question: The secret in the binding, can it be revoked or rotated? about cloud-operators HOT 5 CLOSED

@carltonmason this sounds like a valid use case. There is not currently a way to manage this automatically, although something along this lines might be accomplished with some external tool that deletes and re-creates the binding, forcing the operator to request new credentials from the service and re-create the secret.

from cloud-operators.

One possible approach could be to specify something like a time-to-live in the specs for the binding, so that once that time is reached the credentials are refreshed and the secret is re-generated (need to figure out if it would be better to just update or re-create the secret)

from cloud-operators.

Hi @pdettori . Yes, the current limitation may prevent us from using this cloud operator given our increasing compliance requirements.

I can see how designing such a solution will require some care and security wits given the sensitivity of the secret, who can revoke it or recreate it, etc...

What is the process for getting this considered as an official feature request?

Thanks

from cloud-operators.

Hi @carltonmason, so the feature request is to add a time-to-live in the Binding spec so that it refreshes itself after that time? Please confirm and I will implement it.

from cloud-operators.

@vazirim helped me via Slack. Seems deleting and recreating the binding will create a new secret and thus addresses both my question and requirement. Closing this issue. Thanks

from cloud-operators.