US-12625944-B2 - Systems and methods for providing containerized applications with updated secret values
Abstract
A method and system for providing containerized applications with updated secret values has been developed. An update to a secret from a first secret value to a second secret value is detected at a secrets vault. A configuration map associated with the secret is identified. The configuration map includes a first non-secret that is associated with the first secret value. A second non-secret that is associated with the second secret value is generated. The first non-secret is replaced with the second non-secret in the configuration map. The replacement of the first non-secret with the second non-secret in the configuration map results in an event. A reloader issues a restart signal to a containerized application associated with the secret in response to the event. The secret at the containerized application is updated from the first secret value to the second secret value during a restart process.
Inventors
- Victor Orlov
- Gulshankumar Shrawankumar Arora
Assignees
- SALESFORCE, INC.
Dates
- Publication Date
- 20260512
- Application Date
- 20240819
Claims (20)
- 1. A method for providing containerized applications with updated secret values, the method comprising: detecting, by a secret watcher, an update to a first secret from a first secret value to a second secret value at a secrets vault; identifying, by the secret watcher, a first configuration map associated with the first secret, wherein the first configuration map comprises a first non-secret associated with the first secret value; generating, by the secret watcher, a second non-secret associated with the second secret value; and replacing, by the secret watcher, the first non-secret with the second non-secret in the first configuration map, wherein: the replacement of the first non-secret with the second non-secret in the first configuration map results in an event, a reloader issues a restart signal to at least one containerized application associated with the first secret in response to the event, and the first secret at the at least one containerized application is updated from the first secret value to the second secret value during a restart process initiated by the at least one containerized application in response to the restart signal.
- 2. The method of claim 1, wherein the at least one containerized application comprises a plurality of replica containerized applications associated with the first secret and the reloader issues a restart signal to the plurality of replica containerized applications.
- 3. The method of claim 1, wherein the generating, by the secret watcher, the second non-secret comprises generating a checksum of the second secret value.
- 4. The method of claim 1, wherein the at least one containerized application is part of a Kubernetes cluster.
- 5. The method of claim 1, further comprising monitoring, by the secrets watcher, a first plurality of secrets maintained at the secrets vault to detect updates to secret values of the first plurality of secrets, wherein: the first plurality of secrets are associated with a Kubernetes pod comprising a first plurality of containerized applications, the first plurality of secrets include the first secret, and the first plurality of containerized applications include the at least one containerized application.
- 6. The method of claim 1, further comprising monitoring, by the secrets watcher, a second plurality of secrets maintained at the secrets vault to detect updates to secret values of the second plurality of secrets, wherein: the second plurality of secrets are associated with a Kubernetes cluster comprising a second plurality of containerized applications, the second plurality of secrets include the first secret, and the second plurality of containerized applications include the at least one containerized application.
- 7. The method of claim 1, wherein the reloader is a Stakater reloader.
- 8. The method of claim 1, wherein the first configuration map associated with the first secret is one of a third plurality of configuration maps associated with a third plurality of secrets, wherein updates to the secret values of the third plurality of secrets at the secrets vault are monitored by the secrets watcher and the third plurality of secrets includes the first secret.
- 9. A system for providing containerized applications with updated secret values, the system comprising: at least one processor; and at least one non-transitory machine-readable storage medium that stores instructions configurable to be executed by the at least one processor to: detect an update to a first secret from a first secret value to a second secret value at a secrets vault; identify a first configuration map associated with the first secret, wherein the first configuration map comprises a first non-secret associated with the first secret value; generate a second non-secret associated with the second secret value; and replace the first non-secret with the second non-secret in the first configuration map, wherein: the replacement of the first non-secret with the second non-secret in the first configuration map results in an event, a reloader issues a restart signal to at least one containerized application associated with the first secret in response to the event, and the first secret at the at least one containerized application is updated from the first secret value to the second secret value during a restart process initiated by the at least one containerized application in response to the restart signal.
- 10. The system of claim 9, wherein the at least one containerized application comprises a plurality of replica containerized applications associated with the first secret and the reloader issues a restart signal to the plurality of replica containerized applications.
- 11. The system of claim 9, wherein the instructions are configurable to be executed by the at least one processor to generate the second non-secret, the generation of the second non-secret comprising generating a checksum of the second secret value.
- 12. The system of claim 9, wherein the at least one containerized application is part of a Kubernetes cluster.
- 13. The system of claim 9, wherein the instructions are configurable to be executed by the at least one processor to monitor a first plurality of secrets maintained at the secrets vault to detect updates to secret values of the first plurality of secrets, wherein: the first plurality of secrets are associated with a Kubernetes pod comprising a first plurality of containerized applications, the first plurality of secrets include the first secret, and the first plurality of containerized applications include the at least one containerized application.
- 14. The system of claim 9, wherein the instructions are configurable to be executed by the at least one processor to monitor a second plurality of secrets maintained at the secrets vault to detect updates to secret values of the second plurality of secrets, wherein: the second plurality of secrets are associated with a Kubernetes cluster comprising a second plurality of containerized applications, the second plurality of secrets include the first secret, and the second plurality of containerized applications include the at least one containerized application.
- 15. The system of claim 9, wherein the reloader is a Stakater reloader.
- 16. The system of claim 9, wherein: the first configuration map associated with the first secret is one of a third plurality of configuration maps associated with a third plurality of secrets, the third plurality of secrets includes the first secret, and the instructions are configurable to be executed by the at least one processor to monitor updates to the secret values of the third plurality of secrets at the secrets vault.
- 17. At least one non-transitory machine-readable storage medium that stores instructions executable by at least one processor, the instructions configurable to cause the at least one processor to perform operations comprising: detecting an update to a first secret from a first secret value to a second secret value at a secrets vault; identifying a first configuration map associated with the first secret, wherein the first configuration map comprises a first non-secret associated with the first secret value; generating a second non-secret associated with the second secret value; and replacing the first non-secret with the second non-secret in the first configuration map, wherein: the replacement of the first non-secret with the second non-secret in the first configuration map results in an event, a reloader issues a restart signal to at least one containerized application associated with the first secret in response to the event, and the first secret at the at least one containerized application is updated from the first secret value to the second secret value during a restart process initiated by the at least one containerized application in response to the restart signal.
- 18. The at least one non-transitory machine-readable storage medium of claim 17, wherein the at least one containerized application comprises a plurality of replica containerized applications associated with the first secret and the reloader issues a restart signal to the plurality of replica containerized applications.
- 19. The at least one non-transitory machine-readable storage medium of claim 17, wherein the instructions are configurable to cause the at least one processor to further perform operations comprising generating the second non-secret, the second non-secret comprising a checksum of the second secret value.
- 20. The at least one non-transitory machine-readable storage medium of claim 17, wherein the at least one containerized application is part of a Kubernetes cluster.
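The flow of claim 1 with the checksum non-secret of claim 3, as an added Python example that is not the patent's code: in-memory dicts stand in for the secrets vault, the configuration maps and the reloader's list of workloads to restart (all constructed sample data), so the only thing the watcher ever writes into a config map is a digest, never the secret value itself.

```python
import hashlib

# Constructed sample state (not from the patent). The vault holds the secret
# values; the config map holds only the non-secret (a checksum) for each one.
def demo_state():
    vault = {"db-password": "s3cr3t-v1"}                     # secrets vault
    config_maps = {"payments-cm": {"db-password.checksum": ""}}
    # Workloads a reloader restarts when a given config map changes (this plays
    # the role of the reloader's per-workload watch annotations).
    watched_by = {"payments-cm": ["payments-api", "payments-worker"]}
    return vault, config_maps, watched_by


def non_secret_for(secret_value: str) -> str:
    """Claim 3: the non-secret is a checksum of the secret value.
    Note: if a secret were guessable, anyone who can read the config map could
    confirm a guess against this digest; the patent claims a plain checksum,
    so that is what is modelled here."""
    return hashlib.sha256(secret_value.encode()).hexdigest()


def watch_once(vault, config_maps, watched_by):
    """One pass of the secrets watcher over every monitored secret.

    For each secret whose vault value no longer matches the checksum stored in
    a config map, the stored (first) non-secret is replaced by the new (second)
    one.  That replacement is the event the reloader reacts to; the returned
    list is the set of restart signals it would issue, as (config_map, workload)
    pairs.  A pass with nothing rotated returns an empty list.
    """
    restart_signals = []
    for secret_name, value in vault.items():
        key = f"{secret_name}.checksum"
        second_non_secret = non_secret_for(value)
        for cm_name, data in config_maps.items():
            if key not in data or data[key] == second_non_secret:
                continue                      # config map not tied to this secret, or unchanged
            data[key] = second_non_secret     # replace first non-secret with second
            for workload in watched_by.get(cm_name, []):
                restart_signals.append((cm_name, workload))  # reloader restart signal
    return restart_signals


if __name__ == "__main__":
    vault, cms, watched = demo_state()
    print(watch_once(vault, cms, watched))    # initial fill: both workloads restart
    print(watch_once(vault, cms, watched))    # nothing rotated: []
    vault["db-password"] = "s3cr3t-v2"        # rotation at the vault
    print(watch_once(vault, cms, watched))    # both workloads restart again
```

In a real cluster the config map replacement would be a Kubernetes API patch and the reloader would perform the rollout restart; the restarted replicas then read the rotated value from the vault during their start-up, as the claims describe.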
Description
TECHNICAL FIELD
Embodiments of the subject matter described herein relate generally to containerized applications and, more particularly, to systems and methods for providing containerized applications with updated secret values.
BACKGROUND
A Kubernetes cluster includes a group of computing nodes. Each of the computing nodes includes a plurality of pods. Each of the pods includes a plurality of containerized applications. Containerized applications may ingest their configuration data at start time. The configuration data includes secrets. Secrets are credentials that allow the containerized applications to access protected resources and sensitive information. Each secret enables access to a specific protected resource and/or sensitive information. Many containerized applications are provided with the secret values of the secrets specific to the resources and/or sensitive information that the containerized application is allowed to access when the containerized application is restarted. The secret values of the secrets are typically maintained at a secrets vault. The secrets vault may also be referred to as a secrets store. The secret values of the secrets are periodically changed or rotated, via a secret values updating process, to ensure compliance with security requirements. Currently, updated secret values are often delivered to the Kubernetes cluster via a container storage interface (CSI) secrets store driver as a volume mount. While the content of the CSI-mounted volume may change when a secret value is updated, a running containerized application may not be aware of the secret value change. Accordingly, there is a need in the art for methods and systems for providing containerized applications with updated secret values where updates to secret values of secrets in the secrets database are monitored, and the containerized applications associated with updated secrets are restarted to ingest the updated secret values responsive to detection of an update to the secret values in the secrets vault.
BRIEF DESCRIPTION OF THE DRAWINGS
The present disclosure will hereinafter be described in conjunction with the following drawing figures, wherein like numerals denote like elements, and wherein:
- FIG. 1 is a block diagram representation of a system including a system for providing containerized applications with updated secret values in accordance with at least one embodiment;
- FIG. 2 is a block diagram representation of a system for providing containerized applications with updated secret values in accordance with at least one embodiment;
- FIG. 3 is a flowchart representation of an exemplary method of providing containerized applications with updated secret values in accordance with at least one embodiment;
- FIG. 4 is a block diagram representation of an example of an environment in which an on-demand database service can be used in accordance with some implementations;
- FIG. 5 is a block diagram representation of example implementations of elements of FIG. 4 and example interconnections between these elements according to some implementations; and
- FIG. 6 is a diagrammatic representation of a machine in an exemplary form of a computer system within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed.
DETAILED DESCRIPTION
Referring to FIG. 1, a block diagram representation of a system 100 including a system for providing containerized applications with updated secret values 102 in accordance with at least one embodiment is shown. It should be appreciated that FIG. 1 depicts a simplified representation of the system 100 for purposes of explanation and is not intended to be limiting.
The system 100 includes the system for providing containerized applications with updated secret values 102, a secrets vault 104 (also referred to as a “secrets store”), a secrets update system 106, a reloader 108, Kubernetes cluster deployment(s) 110, and a plurality of containerized applications 112. In at least one embodiment, the system for providing containerized applications with updated secret values 102 includes a secrets watcher 114 and a plurality of configuration maps 116 (also referred to as “config maps”). The system 100 may include additional components that facilitate operation of the system 100.
A Kubernetes cluster includes a group of computing nodes. Each of the computing nodes includes a plurality of pods. Each of the pods includes a plurality of containerized applications 112. Containerization is a software deployment and runtime process that bundles the code of a containerized application 112 with the files, libraries, and secrets that the containerized application 112 needs to run on any infrastructure. Kubernetes is an open-source container orchestration software that can manage, coordinate, run, restart, shut down, automate management functions, and schedule containerized applications 112 at scale. Secrets