Support for Mongo Token rotation #1089
Comments
I'm not too familiar with MongoDB, but it sounds like the URL also includes sensitive information, like a token. If that's the case, I would prefer to not store that in the Chains config for the same reason as #1074. IIRC, from the KMS case, we talked about adding a new key to the Chains config, e.g.
You're right, it contains creds to connect to MongoDB.
I agree with this approach - reading from a path is more ... inclusive than reading from a secret due to the following use cases:
Another thing to note is that
/assign
@lcarva To configure mongo as a storage backend, I believe there are 2 things that need to be done:
How about these as new fields?
Sure. We can sort out the exact names in the pull request 😉
@lcarva When is the next chains release? I want this to be a part of the next release 🤔
We aim for a release every month. But, usually, we go longer than that.
Feature request
As of today, to store the attestations to mongodb we need to set MONGO_SERVER_URL as an env to the chains controller. For ref: https://github.com/google/go-cloud/blob/master/docstore/mongodocstore/urls.go#L42-L60
But if the mongo token is rotated, then as of today we again need to set the MONGO_SERVER_URL value so that the chains controller uses the new value.
Hence, in order to get the rotated token values, there can be 2 ways:
1. the mongo server url is injected at a path in the chains controller via vault.hashicorp.com/agent-inject-secret- in the chains controller pod
2. the mongo server url is mounted via secret / configmap, so that when it's updated, chains updates as well
In both cases, the common part is reading the mongo server url from a path.
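One way the controller could read the URL from a path so that a rotated token is picked up without a restart, as an added Go example that is not Chains' own code: MONGO_SERVER_URL is the env var named in the issue; the file path, the resolveMongoURL function and the urlSource type are assumptions for this example.

```go
package main

import (
	"errors"
	"os"
	"strings"
	"sync"
)

// resolveMongoURL picks the MongoDB connection URL. A file path (a Secret
// mounted into the pod, or a file written by a Vault agent sidecar) wins
// over the env var: the file changes when the token is rotated, the env
// var is fixed for the life of the pod.
func resolveMongoURL(path, envURL string) (string, error) {
	if path != "" {
		b, err := os.ReadFile(path)
		if err != nil {
			return "", err
		}
		if url := strings.TrimSpace(string(b)); url != "" {
			return url, nil
		}
		return "", errors.New("mongo server url file is empty")
	}
	if envURL == "" {
		return "", errors.New("no mongo server url configured")
	}
	return envURL, nil
}

// urlSource re-reads the path on every call so the next connection uses
// the rotated token; changed tells the caller to reopen the docstore.
type urlSource struct {
	mu   sync.Mutex
	path string
	last string
}

// Current returns the URL to use now and whether it differs from the
// previous call (constructed helper; MONGO_SERVER_URL is the env var).
func (s *urlSource) Current() (url string, changed bool, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if url, err = resolveMongoURL(s.path, os.Getenv("MONGO_SERVER_URL")); err != nil {
		return "", false, err
	}
	changed = url != s.last
	s.last = url
	return url, changed, nil
}
```

The caller keeps one urlSource, calls Current before opening a connection, and reopens the docstore whenever changed is true, so a token rotated in the mounted file or by the Vault agent takes effect on the next use.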