Vault Support #7233
Conversation
Signed-off-by: Jacques Grove <[email protected]>
* Switch to forked vaultlib; for fixed token renewal Signed-off-by: Jacques Grove <[email protected]>
@aquarapid can you look into the unit_race test failure?
Yeah, I see now that I have the mutex handling screwed up. I'll rework.
Can you please give more context on this feature, either here or on #7232?
LGTM
The idea (and implementation) is relatively simple: we re-use the existing static (file) credentials format for both vtgate MySQL credentials (app -> vtgate) and for vttablet MySQL credentials (vttablet -> MySQL), but we want to store it securely in HashiCorp Vault, so that the passwords (or hashes of passwords, in the case of vtgate) are never stored in a file on the hosts. The way we do this is to utilize 2 features of Vault:
Lastly, the important part here is that the token (or secret ID, depending on which you are using) is typically short-lived and needs to be renewed, so we have support for that as well. We also cache the Vault secret returned to us in the memory of vtgate/vttablet, since Vault is not designed for the QPS that would result if we accessed it every time we need to authenticate a client.
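To make the design described in that comment concrete, here is an added Go example (not code from the Vitess PR or from the vaultlib fork it uses). It shows the three points raised in the thread: the Vault secret is parsed in the same shape as the static file credentials, it is cached in memory so that authenticating a client does not cost a Vault read, and the short-lived token is renewed before it lapses, with one mutex guarding the whole check-and-refresh so that two concurrent authentications cannot race on a stale cache. The VaultReader interface, the fakeVault stand-in, the credentials field name, the secret path and the sample users and passwords are all constructed for this illustration and are not the project's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

// CredEntry mirrors one entry of the static (file) credentials format; the field name is assumed.
type CredEntry struct {
	Password string `json:"Password"`
}

// VaultReader is the minimal client surface this example needs (hypothetical; real libraries expose far more).
type VaultReader interface {
	ReadKV(path string) (data []byte, ttl time.Duration, err error) // secret plus its cache TTL
	RenewToken() (ttl time.Duration, err error)                     // extend the token/secret ID lease
}

// CachedCreds keeps the Vault secret in memory and re-reads it only when its TTL lapses.
type CachedCreds struct {
	mu        sync.Mutex // guards every field below, including the expiry times
	vault     VaultReader
	path      string
	now       func() time.Time
	creds     map[string][]CredEntry
	credsExp  time.Time
	tokenExp  time.Time
	renewLead time.Duration // renew the token this long before it expires
}

// Lookup returns the entries for user. Check-and-refresh happens under one
// lock, so two concurrent callers cannot both see a stale cache and race.
func (c *CachedCreds) Lookup(user string) ([]CredEntry, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	t := c.now()
	if !t.Before(c.tokenExp.Add(-c.renewLead)) {
		ttl, err := c.vault.RenewToken()
		if err != nil {
			return nil, fmt.Errorf("token renewal: %w", err)
		}
		c.tokenExp = t.Add(ttl)
	}
	if c.creds == nil || !t.Before(c.credsExp) {
		raw, ttl, err := c.vault.ReadKV(c.path)
		if err != nil {
			return nil, fmt.Errorf("vault read %s: %w", c.path, err)
		}
		var fresh map[string][]CredEntry
		if err := json.Unmarshal(raw, &fresh); err != nil {
			return nil, fmt.Errorf("parse credentials: %w", err)
		}
		c.creds, c.credsExp = fresh, t.Add(ttl)
	}
	if entries, ok := c.creds[user]; ok {
		return entries, nil
	}
	return nil, fmt.Errorf("unknown user %q", user)
}

// fakeVault is an offline stand-in for Vault serving constructed data; it counts reads and renewals.
type fakeVault struct {
	secret          []byte
	ttl, tokenTTL   time.Duration
	Reads, Renewals int
}

func (f *fakeVault) ReadKV(string) ([]byte, time.Duration, error) { f.Reads++; return f.secret, f.ttl, nil }
func (f *fakeVault) RenewToken() (time.Duration, error)           { f.Renewals++; return f.tokenTTL, nil }

// Constructed sample secret in the static credentials shape (not real data).
const sampleSecret = `{"app_user": [{"Password": "constructed-pw-1"}], "vt_dba": [{"Password": "constructed-pw-2"}]}`

// demo drives a fake clock through repeated authentications, one cache expiry and one token renewal.
func demo() (int, int, error) {
	clock := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	fv := &fakeVault{secret: []byte(sampleSecret), ttl: 10 * time.Minute, tokenTTL: time.Hour}
	cc := &CachedCreds{vault: fv, path: "secret/data/vitess/mysql_creds", // constructed path
		now: func() time.Time { return clock }, tokenExp: clock.Add(time.Hour), renewLead: 15 * time.Minute}
	steps := []struct{ advance time.Duration; user string }{
		{0, "app_user"}, {0, "app_user"}, {0, "vt_dba"}, // first read, then cache hits
		{11 * time.Minute, "vt_dba"},                     // cache TTL lapsed: second read
		{35 * time.Minute, "app_user"},                   // 46 min in, within 15 min of token expiry: renew, third read
	}
	for _, s := range steps {
		clock = clock.Add(s.advance)
		if _, err := cc.Lookup(s.user); err != nil {
			return 0, 0, err
		}
	}
	return fv.Reads, fv.Renewals, nil
}

func main() {
	reads, renewals, err := demo()
	fmt.Println("vault reads:", reads, "token renewals:", renewals, "err:", err)
}
```

Running `demo` yields three Vault reads and one token renewal for five authentications: the first read populates the cache, the second follows the cache TTL lapsing, and the renewal fires once the clock comes within the lead window of token expiry. Renewing on the request path keeps the example short; a production implementation would more likely renew from a background timer so that a slow Vault does not stall client logins.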
Cherry pick version of #7233 for release-9.0
Sounds awesome! Thanks so much for elaborating!
@aquarapid Do I understand correctly that this implementation is not how the Vault databases plugin works? To simplify: instead of a local JSON file, it is stored in Vault KV?
Description
Vault support for storing both:
Related Issue(s)
#7232
Checklist
Deployment Notes
Impacted Areas in Vitess
Components that this PR will affect:
-db-credentials-server with the non-default value "vault" and/or -mysql_auth_server_impl with the non-default value "vault"); there will be no impact on existing functionality, i.e. the code paths are essentially unchanged.