Hey all, I have one more question! I've been able to mostly integrate Kong with Vault, both for TLS now (thanks, @JackGPT, for getting me over the last mile!) and with Vault Secrets Operator for dynamic DB password management.
I am seeing one last "error," which is frustrating. I currently have a password TTL of 30 minutes. The VSO reloads the Kong control plane whenever the password rotates so that it uses the new secret. However, this brings Kong down for quite some time, causing internal communication issues such as the following:
2024/12/26 02:53:46 [error] 2552#0: *1328 [kong] api_helpers.lua:363 authentication exchange unsuccessful, client: ::1, server: kong_admin, request: "GET /consumers?size=1000&tags=managed-by-ingress-controller HTTP/2.0", host: "localhost:8444"
2024/12/26 02:53:46 [error] 2552#0: *1328 [kong] api_helpers.lua:363 authentication exchange unsuccessful, client: ::1, server: kong_admin, request: "GET /snis?size=1000&tags=managed-by-ingress-controller HTTP/2.0", host: "localhost:8444"
2024/12/26 02:53:46 [error] 2552#0: *1328 [kong] api_helpers.lua:363 authentication exchange unsuccessful, client: ::1, server: kong_admin, request: "GET /licenses?size=1000&tags=managed-by-ingress-controller HTTP/2.0", host: "localhost:8444"
I believe I've traced the authentication issues to Kong struggling to reconnect to the database. During this time, the manager becomes completely inaccessible until it reloads or I refresh the secret by deleting and re-applying it with kubectl delete -f and kubectl apply -f.
kong-cp-kong-b6d4b5979-j4w4p 1/2 Running 2 (21m ago) 22m
I'm not sure if this is the appropriate way to configure Vault to use dynamic secrets or if there is a more preferred way. I've run across this doc: HashiCorp Vault - Kong Gateway - v3.9.x | Kong Docs, but it doesn't seem to handle database password rotation, only the KV v2 implementation.
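For readers trying to reproduce the setup described in the post, the following is an added illustration of wiring a Vault database-engine lease into the Kong control plane through VSO's rolloutRestartTargets. It is not the poster's manifests and not code from Kong or HashiCorp; the namespace, the `database` mount, the `kong` role, the VaultAuth name and the `kong-cp-kong` Deployment name are assumptions chosen to match the pod name shown above.

```yaml
# Added example, not from the original post. Names marked (assumed) are placeholders.
#
# 1) VSO resource: lease a database credential from Vault's database secrets engine,
#    write it to a Kubernetes Secret, and rolling-restart the Kong CP when it rotates.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: kong-db-creds            # (assumed)
  namespace: kong                # (assumed)
spec:
  vaultAuthRef: vault-auth       # (assumed) VaultAuth resource in the same namespace
  mount: database                # (assumed) database secrets engine mount
  path: creds/kong               # (assumed) role; returns keys "username" and "password"
  renewalPercent: 67             # renew/rotate once 67% of the lease TTL has elapsed
  destination:
    create: true
    name: kong-db-creds          # (assumed) Secret consumed by the Kong Deployment below
  # Every rotation triggers the equivalent of `kubectl rollout restart` on these targets.
  # With a single replica this is a full outage until the new pod passes its readiness
  # probe; run more than one replica (and a PodDisruptionBudget) if that gap matters.
  rolloutRestartTargets:
    - kind: Deployment
      name: kong-cp-kong         # (assumed) Kong control-plane Deployment
---
# 2) Kong Helm values fragment: read the credentials from that Secret instead of a
#    static value, so a restart picks up whatever VSO last wrote.
env:
  database: postgres
  pg_user:
    valueFrom:
      secretKeyRef:
        name: kong-db-creds      # (assumed) must match spec.destination.name above
        key: username
  pg_password:
    valueFrom:
      secretKeyRef:
        name: kong-db-creds      # (assumed)
        key: password
```

Because the database engine issues a fresh username with every lease, both `pg_user` and `pg_password` have to come from the Secret; pinning only the password to the Secret while keeping a static `pg_user` would fail at the first rotation.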