Closed PuneetPunamiya closed 2 months ago
I'm not too familiar with MongoDB, but it sounds like the URL also includes sensitive information, like a token.
If that's the case, I would prefer to not store that in the Chains config for the same reason as #1074.
IIRC, from the KMS case, we talked about adding a new key to the Chains config, e.g. signers.kms.auth.token-path. Could we take the same approach here? Introduce a new Chains config key, e.g. storage.mogodb.url-path, to point to the file where the MongoDB Server URL is set?
I'm not too familiar with MongoDB, but it sounds like the URL also includes sensitive information, like a token.
you're right, it contains creds to connect to mongoDB.
IIRC, from the KMS case, we talked about adding a new key to the Chains config, e.g. signers.kms.auth.token-path. Could we take the same approach here? Introduce a new Chains config key, e.g. storage.mogodb.url-path, to point to the file where the MongoDB Server URL is set?
I agree with this approach - reading from a path is more ... inclusive than reading from a secret due to the following use cases:
Another thing to note is that MONGO_SERVER_URL is not parsed by the chains controller; instead it's read from env by google/go-cloud, which means that MONGO_SERVER_URL needs to be generated on the fly from signers.kms.auth.token-path by the chains controller so google/go-cloud can read the up-to-date value.
This also eliminates the need to restart the pod to read the updated value.
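A sketch of the path-based approach discussed in this thread, added here as an illustration and not code from Tekton Chains or google/go-cloud: the field names follow the proposal above, while the struct, the function names and the injected file reader are assumptions. It resolves the value the controller would export as MONGO_SERVER_URL (preferring the mounted path so a rotated token is picked up on the next read) and redacts the credentials before the URL is ever logged.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// MongoStorageConfig mirrors the two field names proposed in this thread;
// it is an illustrative struct, not Chains' real config type.
type MongoStorageConfig struct {
	ServerURL     string // storage.docdb.mongo-server-url
	ServerURLPath string // storage.docdb.mongo-server-url-path
}

// ResolveMongoServerURL returns the value the controller would export as
// MONGO_SERVER_URL for go-cloud. The path form wins: re-reading the mounted
// file on every call picks up a rotated token without a pod restart.
// readFile is injected (os.ReadFile in production) so the logic is testable.
func ResolveMongoServerURL(readFile func(string) ([]byte, error), cfg MongoStorageConfig) (string, error) {
	if cfg.ServerURLPath != "" {
		b, err := readFile(cfg.ServerURLPath)
		if err != nil {
			return "", fmt.Errorf("reading mongo server url from %s: %w", cfg.ServerURLPath, err)
		}
		u := strings.TrimSpace(string(b)) // mounted secrets usually end with a newline
		if u == "" {
			return "", fmt.Errorf("mongo server url file %s is empty", cfg.ServerURLPath)
		}
		return u, nil
	}
	if cfg.ServerURL != "" {
		return cfg.ServerURL, nil
	}
	return "", errors.New("neither mongo-server-url nor mongo-server-url-path is set")
}

// RedactMongoServerURL strips the userinfo (the creds the thread mentions)
// so the URL can be logged or put in an error message safely.
func RedactMongoServerURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable mongo server url>"
	}
	if u.User != nil {
		u.User = url.User("REDACTED")
	}
	return u.String()
}
```

Note that the error paths only mention the file path, never the file contents, so a failed read cannot leak the token into controller logs.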
/assign
@lcarva to configure mongo as a storage backend, I believe there are 2 things that need to be done:
1. storage.docdb.url to something like mongo://my-db/my-collection
2. MONGO_SERVER_URL
How about these as new fields?
storage.docdb.mongo-server-url
storage.docdb.mongo-server-url-path
Sure. We can sort out the exact names in the pull request :wink:
@lcarva when is the next chains release? I want this to be a part of the next release 🤔
We aim for a release every month. But, usually, we go longer than that.
Feature request
As of today, to store the attestations to mongodb we need to set MONGO_SERVER_URL as an env to the chains controller. For ref: https://github.com/google/go-cloud/blob/master/docstore/mongodocstore/urls.go#L42-L60
But if the mongo token is rotated, then as of today we again need to set the MONGO_SERVER_URL value so that the chains controller uses the new value. Hence, in order to get the rotated token values, there can be 2 ways:
1. mongo server url is injected at a path in the chains controller (vault.hashicorp.com/agent-inject-secret- in the chains controller pod)
2. mongo server url is mounted via secret / configmap, so that when it's updated, chains updates as well
In both the cases, the common part is reading the mongo server url from a path.