Add a database-backed secret resolver (basically identical to the config one, so consider refactoring that) #1887
Comments
github-actions
bot
added
triage
|
I've got most of this implemented, but seems like we need to think through the Router (fka Resolver) vs Provider relationship. There can only be one router, but there can be multiple providers. When Since then, the Router vs Provider relationship has become conflated, with functionality split between the two. See With two separate secret providers for production (either ASM or DB) the assumption of keeping a router up to date with all changes to providers doesn't hold anymore. It seems like things will be a lot cleaner if we either support multiple Routers, or remove the Router notion entirely and keep Resolvers with projectconfig as the only special case. |
|
There should only ever by a single router. In the ASM case this relationship still held true - there was a single router and a single provider. The router should be removed from ASM now that we have a DB router. |
The `--compose` flag writes a completely self-contained Docker compose file that starts PG + ftl-in-a-box. Also: - Modified BuildEngine.Graph() to pull dependencies from the schema as well, because that's all we have in the box. - Added an integration test. > [!WARNING] > Until #1887 is integrated, config/secrets can't be used, and once that lands `ftl box` will need to switch to an alternate config/secret resolver.
Currently we have an ASM resolver + provider in production, which results in all operations hitting ASM, and FTL in production being restricted to a single secret source. By having a database resolver, we can reduce the calls to ASM, and support multiple providers (eg. a local Linux keychain for single-host deploys, inline (needs additional encryption), etc.)
The text was updated successfully, but these errors were encountered: