Comments (3)
Ok cool. I'll just create a branch/fork and start poking about. Dealing with merge conflicts shouldn't be too bad, it seems adapting to change is the norm at the moment
from schemahero.
This completely makes sense, and is a great idea.
I'd be pretty open to either a flexible alternative auth, or just this one. I do think that if we want to build a more generic abstraction, we should at least design for (at least) 2 other auth systems that could be used to make sure we are building the API properly.
That said, SchemaHero is currently working to ship a v1alpha3, so the API is pretty fluid still and can be changed in future versions without too much effort.
Regarding the CRD spec change:
Agreed, the Database CRD feels like it needs an extension to support this. How about just adding a Vault-specific key for now, that can be used to get the secrets? Would that be possible with the existing connection string URI, or would the connection string need to be optional also?
In the code, the Database object is always available when creating a plan or execution, so this should be pretty straightforward to get the Vault config and inject it.
Finally, the v1alpha3 (master) right now is still somewhat early, with hopes to have a reasonably stable release of it ready at the end of March (planned for the original KubeCon EU). If you want to proceed with this (which would be awesome), just be warned that there's not a lot of refactoring needed here, but there are some rough areas of the new plan/apply approach. We need to create issues for these and get them documented (I'll work on this).
from schemahero.
After an initial spike/POC of this, I'm working on tidying up etc. I was originally thinking of just allowing for the addition of the native Vault annotations (https://www.hashicorp.com/blog/dynamic-database-credentials-with-vault-and-kubernetes/#injecting-secrets-into-kubernetes-deployments) on the Database CRD, and they would be copied down onto the Pods that are created for plan/migrate.
However, it makes sense to have the template (https://github.com/hashicorp/consul-template#secret) inject creds specified in a format that makes sense to SchemaHero, i.e. in the form of a URI (example here). This annotation is linked to the `vault.hashicorp.com/agent-inject-secret-{name}` annotation in that the `name` portion needs to match. So perhaps it makes sense that both of these are pre-defined?
This really just leaves 2 of the annotations: one is to enable the Vault agent injector, and one to define which Vault role to use for the sidecar. We need a way to trigger the Vault functionality, and specifying a Vault role per Database will allow for granular permissions by users, which is probably desirable.
So, we could expose these 2 annotations only in the Database CRD, or extend the `ValueFrom` struct to contain a `VaultSecret` type that could capture Vault specifics (path to secret, role to use).
Any input would be much appreciated :)
from schemahero.
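The pairing rule described in the comment above (the `{name}` suffix of the secret and template annotations must match, and the four annotations reduce to a role plus a secret path once the name and template are pre-defined) is easy to get wrong by hand. The following Go program is an added example, not SchemaHero's own code: it assumes a hypothetical `VaultSecret` struct as the proposed `ValueFrom` extension and a fixed logical secret name `schemahero-uri`, and it uses the Vault Agent injector's annotation keys (`vault.hashicorp.com/agent-inject`, `vault.hashicorp.com/role`, `agent-inject-secret-*`, `agent-inject-template-*`). It renders the annotation set that a controller would copy onto the plan/migrate Pod, and it checks an existing annotation map for secret/template names that are not paired, which is the failure mode where a secret is rendered in the injector's default format rather than as the URI SchemaHero expects.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Vault Agent injector annotation keys (these are the injector's real keys).
const (
	annInject      = "vault.hashicorp.com/agent-inject"
	annRole        = "vault.hashicorp.com/role"
	annSecretPfx   = "vault.hashicorp.com/agent-inject-secret-"
	annTemplatePfx = "vault.hashicorp.com/agent-inject-template-"
)

// secretName is the pre-defined {name} used for BOTH the secret and the template
// annotation, so the Database author never has to keep the two suffixes in sync.
// Hypothetical choice for this example.
const secretName = "schemahero-uri"

// VaultSecret is a hypothetical shape for a ValueFrom.VaultSecret field (assumption;
// not a SchemaHero type).
type VaultSecret struct {
	Role string // Vault role the agent sidecar authenticates as (per-Database granularity)
	Path string // Vault secret path, e.g. database/creds/db-app
	URI  string // consul-template body producing a connection URI from .Data.username/.Data.password
}

// VaultAnnotations builds the four injector annotations for one Database.
// The template body is Go text/template syntax (what consul-template uses), so the
// path is emitted as a Go-quoted string via %q.
func VaultAnnotations(v VaultSecret) (map[string]string, error) {
	if v.Role == "" || v.Path == "" || v.URI == "" {
		return nil, errors.New("vault role, path and uri are all required")
	}
	if strings.ContainsAny(v.Path, "\"\n") {
		return nil, errors.New("vault path must not contain quotes or newlines")
	}
	tmpl := fmt.Sprintf(`{{- with secret %q -}}%s{{- end }}`, v.Path, v.URI)
	return map[string]string{
		annInject:                 "true",
		annRole:                   v.Role,
		annSecretPfx + secretName:   v.Path,
		annTemplatePfx + secretName: tmpl,
	}, nil
}

// UnpairedNames returns, sorted, every {name} that has a secret annotation without a
// template annotation or vice versa. The injector keys the two by suffix, so a
// mismatch means the secret is rendered without the URI template (or not at all).
func UnpairedNames(ann map[string]string) []string {
	secrets := map[string]bool{}
	templates := map[string]bool{}
	for k := range ann {
		if strings.HasPrefix(k, annSecretPfx) {
			secrets[strings.TrimPrefix(k, annSecretPfx)] = true
		}
		if strings.HasPrefix(k, annTemplatePfx) {
			templates[strings.TrimPrefix(k, annTemplatePfx)] = true
		}
	}
	var out []string
	for n := range secrets {
		if !templates[n] {
			out = append(out, n)
		}
	}
	for n := range templates {
		if !secrets[n] {
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample input, not a real Database object.
	ann, err := VaultAnnotations(VaultSecret{
		Role: "schemahero",
		Path: "database/creds/db-app",
		URI:  "postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/appdb",
	})
	if err != nil {
		panic(err)
	}
	for k, v := range ann {
		fmt.Printf("%s: %s\n", k, v)
	}
	fmt.Println("unpaired:", UnpairedNames(ann))
}
```

Keeping `secretName` constant is the design choice that makes the "both pre-defined" option from the comment safe: the Database CRD only carries the role and the path, and the controller owns the template that turns the dynamic credentials into a URI.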