feat(db-sync): Vault's database secrets engine #70
base: master
Converting to draft since I just hit hashicorp/nomad#15714
43de833 to 7726ede
Add an additional function to the loop which renews the lease every two minutes if the credentials are detected to be from Vault's DB backend.
c90a6f3 to 65b0e06
b517440 to 01076b4
Okay, this is finally ready, working and tested. When a credentials lease hits its max TTL and can no longer be extended, the entrypoint will now stop the background db-sync process, grab brand new credentials, and then restart the background db-sync, allowing the job to run indefinitely. Also, I added a snippet to exit entirely if db-sync stops unexpectedly, since it has happened before and causes an outage, where now Nomad will simply reschedule and allow the work to continue.
I found out today that with more appropriate SQL creation statements, we can avoid having to manage the lease manually at all, so I can simplify this PR quite a bit before merging; putting it in draft until then.
Adds support to retrieve credentials dynamically from Vault's database secrets engine, assuming the user has enabled and configured it. There is also a new function which renews the credentials lease every two minutes to avoid a situation where the credentials eventually expire.
This change maintains the legacy path as well.
The link is still private for many, but a real-world example of how to configure this nicely in Terraform lives here.
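Since the Terraform example linked above is private, here is a worked Vault database secrets engine configuration for the pieces this PR relies on (an enabled engine, a role with a lease TTL and max TTL, and the SQL creation statements that shape how long-lived the credentials are). It is an added illustration, not code from this PR or from the linked repository. It assumes a PostgreSQL target, the engine mounted at `database/`, a pre-existing persistent owner role `dbsync_owner`, the Vault role name `db-sync`, the database `dbsync` and the host `postgres.example.internal`; every one of those names is a placeholder. It uses the `vault_mount`, `vault_database_secret_backend_connection` and `vault_database_secret_backend_role` resources of the Terraform Vault provider.

```hcl
# Added example (not this PR's code). Hostnames, role and database names are placeholders.

resource "vault_mount" "database" {
  path = "database"
  type = "database"
}

# The connection Vault uses to create and drop dynamic roles. connection_url keeps
# {{username}}/{{password}} as templates so the configured root credential can later
# be rotated by Vault itself (vault write -f database/rotate-root/postgres).
resource "vault_database_secret_backend_connection" "postgres" {
  backend       = vault_mount.database.path
  name          = "postgres"
  allowed_roles = ["db-sync"]

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@postgres.example.internal:5432/dbsync?sslmode=verify-full"
    username       = "vault"
    password       = var.vault_postgres_password # initial credential only; rotate-root replaces it
  }
}

variable "vault_postgres_password" {
  type      = string
  sensitive = true
}

resource "vault_database_secret_backend_role" "db_sync" {
  backend     = vault_mount.database.path
  name        = "db-sync"
  db_name     = vault_database_secret_backend_connection.postgres.name
  default_ttl = 3600  # seconds; the lease a consumer has to keep renewing
  max_ttl     = 86400 # seconds; past this the lease cannot be renewed and new credentials are needed

  creation_statements = [
    # VALID UNTIL makes PostgreSQL itself reject the password once the lease expires,
    # even if the revocation statements never run.
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    # A long-running writer creates tables and indexes; without the two statements
    # below they would be owned by the short-lived role, and a role that owns objects
    # cannot be dropped at revocation time. Granting a persistent owner role and making
    # it the session default keeps ownership stable across credential rotations.
    # (dbsync_owner is assumed to exist already.)
    "GRANT \"dbsync_owner\" TO \"{{name}}\";",
    "ALTER ROLE \"{{name}}\" SET ROLE \"dbsync_owner\";",
  ]

  revocation_statements = [
    "REVOKE \"dbsync_owner\" FROM \"{{name}}\";",
    "DROP ROLE IF EXISTS \"{{name}}\";",
  ]
}
```

A consumer reading `database/creds/db-sync` receives a username, a password and a lease ID (by convention `database/creds/db-sync/<id>` for this mount path); the lease can be renewed up to `max_ttl`, after which the consumer must fetch fresh credentials and reconnect, which is the situation the restart logic in this PR handles. The `DROP ROLE` in the revocation statements still fails for any object owned directly by the dynamic role, so sessions that bypass the `SET ROLE` default (for example by issuing `RESET ROLE`) would leave roles behind; check `pg_roles` after the first expiry to confirm cleanup actually happens.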