-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reactive Datasource: support CredentialsProvider changing values #31873
Conversation
The first commit applies changes to the Reactive Pg Client extension only. I'll update the other reactive SQL client extensions after we've discussed the proposal. |
@vietj can you please take a look (dynamic pool config implementation) @cescoffier @geoand I've made changes so that the credentials provider is invoked on a worker thread, is that fine? The user might be doing blocking calls in the implementation. |
290c0a1
to
b12de93
Compare
Have you seen such use cases or users mentioning this? |
I looked into this because of https://issues.redhat.com/projects/QUARKUS/issues/QUARKUS-2995 I haven't tried myself or seen reproducers. I'm trying to think about uses cases, like password rotation. The changing credentials must come from the disk or a remote system? If the lookup is made synchronously in the credentials provider, the event loop will be blocked. We have two options, I think:
|
I guess we should have it on the worker thread for the time being and if the need arised, look into supporting the |
The call to the credential provider must happen on a worker thread unfortunately (wrong design). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea looks good.
The credential provider must be called on a worker thread, as it may block.
hello, i just verified that this fix seems to be working with this reproducer here (quarkus version 3.0.0.Alpha4): https://github.com/ingmarfjolla/quarkus-reactive. Thanks for working on this! |
the only thing i noticed is that the credential manager (vault in my case) seems to be called multiple times on 7 different event loop threads on startup, so the logs look something like :
|
Thank you @cescoffier
👍
@ingmarfjolla The crendentials provider can be invoked twice on startup by the extension, and then the default 5 max connections may be created immediately if you setup the database (perhaps with Hibernate Reactive) ? A good way to check would be to log a fake error ( |
@cescoffier @geoand about credentials provider API: I took a look at the Vault extension implementation: return vaultDynamicCredentialsManager.getDynamicCredentials(DATABASE_DEFAULT_MOUNT, DEFAULT_REQUEST_PATH,
config.databaseCredentialsRole.get()).await().indefinitely(); Too bad the contract is synchronous because the implementation uses non blocking-APIs. Do you think it is worth tracking in a separate issue? In the meantime, we definitely have to invoke this on a worker thread. |
Yeah, I think we should open an issue about providing a new SPI |
b12de93
to
49cc24f
Compare
Yes, when I found out about the synchronous and blocking nature of the credential provider it was too late :-(. So, yes, please open an issue to switch to a non-blocking API. |
49cc24f
to
4a4a3b9
Compare
The PR is ready for review |
This comment has been minimized.
This comment has been minimized.
4a4a3b9
to
adebae9
Compare
This comment has been minimized.
This comment has been minimized.
The failure looks unrelated |
Yeah, totally unrelated |
I've updated the PR using the new Vert.x API with connect options supplier. |
🎉 |
This comment has been minimized.
This comment has been minimized.
The test failure looks unrelated
|
@kdubb what was the outcome of your experiment vs this? |
@tsegismont Is using the culmination of my original PR's against the vert.x sql client. |
Excellent. @cescoffier are you still good with the latest version of the PR? |
Yes, looks good to me. |
Is there any chance of this being back ported to 2.x? |
-1 as we really don't want to backport features to 2.x |
Can we get one last rebase please so we can make sure CI is fine? |
Instead of: - creating pgConnectOptions after calling the CredentialsProvider on startup - using static pool configuration We: - use dynamic pool configuration - call the Credentials provider every time a new connection must be created
8c9e5ca
to
3e5afbf
Compare
Done |
Thanks! |
@geoand this time it seems the build failed because one job ran out of time. |
Yeah, I doubt it's related. @sberyozkin can you confirm? |
@cescoffier @geoand can we go ahead and merge the PR? |
Thanks @geoand ! |
Thank you for this! |
Instead of:
We:
This PR allows to support use cases like password rotation.
See also https://issues.redhat.com/projects/QUARKUS/issues/QUARKUS-2995