It would be important to adapt the application code in order to detect that the secret file changed on disk and reload + establish a new SQL connection. I would then play with the Vault settings to see if you can overlap the secret creation with the TTL in order to keep existing queries from finishing in time (drain old connections) and have all new queries go through the new connection with the new secret.

@@MarcelDempers it seems possible but would make a millisec downtime I think, since there'll be a transition period between old connection and new connection. But, thanks for the answer! Hope you make a video about the database static roles!

This is why you would drain old connections (let queries finish) and open new connection with the new secret. Having the old and new credential TTL overlap allows a smooth transition. Similar to how you drain web server traffic when doing a rolling deployment. I've worked with folks who have implemented this successfully with other databases so depends how you configure it

@@MarcelDempers Got it, many thanks!

Can you please send me repo without tls .. thanks for advance

"mkdir /vault/data/core: permission denied" states your vault process cannot access its data folder. All volumes are mounted as root by default. In the video, we ensure ownership to the vault user with an init container and chmod'ing /vault/data

@@MarcelDempers Can you please let me know in which video you ensure ownership to the vault user with an init container

It might be in the first one of the Vault series kzbin.info/aero/PLHq1uqvAteVtq-NRX3yd1ziA_wJSBu3Oj

@@MarcelDempers Thanks a lot yar..

i need some thing else also, can we do unseal process via shell script is that possible to do.

Applications can only get their inputs from either environment variables or from files. For example, TLS certificates are stored on file and use Linux file permissions to secure it so only your application process is allowed to read that file. You can store your password in a Kubernetes secret if running in K8s and inject it into your java properties file at runtime or store the entire file as a K8s secret. Or resort to getting your credentials from ENV variables and not store it in the java properties file. Passwords are generally stored in configs, so it's not unusual to do so. If you are are concerned about it, there are ways to encrypt passwords before storing them in configs too. In this video, Vault simply automates the credential rotation and automates writing it to file. If you want to go one step further and not store your credential in file, you can use the Vault SDK and write Java code to pull the secrets from Vault and authenticate using K8s service account. Hope that helps