
Support for Mongo Token rotation #1089

Open
PuneetPunamiya opened this issue Mar 27, 2024 · 7 comments · May be fixed by #1113
Labels: kind/feature (Categorizes issue or PR as related to a new feature.)

Comments

@PuneetPunamiya (Member)

Feature request

As of today, to store attestations in MongoDB we need to set MONGO_SERVER_URL as an env var on the chains controller. For ref: https://github.com/google/go-cloud/blob/master/docstore/mongodocstore/urls.go#L42-L60

But if the mongo token is rotated, then as of today we again need to set the MONGO_SERVER_URL value so that the chains controller uses the new value.

Hence, in order to get the rotated token values, there are 2 ways:

  • mongo server url is injected at a path in chains controller

    • For example using vault with chains where mongo creds are stored in vault, we can add this vault injector annotation vault.hashicorp.com/agent-inject-secret- in the chains controller pod
    • Next we add a mechanism in chains controller where the value of MONGO_SERVER_URL is set, by reading from a file path which is set by the user with a new config called MONGO_SERVER_URL_PATH
    • Whenever the value of the path will be changed the value will be reset for mongo server url
  • mongo server url is mounted via secret / configmap, so that when it's updated, chains updates as well

In both cases, the common part is reading the mongo server url from a path.

@PuneetPunamiya PuneetPunamiya added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 27, 2024
@lcarva (Contributor) commented Mar 27, 2024

I'm not too familiar with MongoDB, but it sounds like the URL also includes sensitive information, like a token.

If that's the case, I would prefer to not store that in the Chains config for the same reason as #1074.

IIRC, from the KMS case, we talked about adding a new key to the Chains config, e.g. signers.kms.auth.token-path. Could we take the same approach here? Introduce a new Chains config key, e.g. storage.mongodb.url-path, to point to the file where the MongoDB Server URL is set?

@concaf (Contributor) commented Apr 3, 2024

I'm not too familiar with MongoDB, but it sounds like the URL also includes sensitive information, like a token.

You're right, it contains creds to connect to MongoDB.

IIRC, from the KMS case, we talked about adding a new key to the Chains config, e.g. signers.kms.auth.token-path. Could we take the same approach here? Introduce a new Chains config key, e.g. storage.mongodb.url-path, to point to the file where the MongoDB Server URL is set?

I agree with this approach - reading from a path is more ... inclusive than reading from a secret due to the following use cases:

  • if someone is mounting this from a kube secret or configmap, they can mount it at signers.kms.auth.token-path
  • if someone is using an external kms to fetch the mongo server url, like the vault agent injector (which mounts the secret at a particular path in the pod where a certain annotation is added), this should work well in that use case too

Another thing to note is that MONGO_SERVER_URL is not parsed by the chains controller; instead it's read from the env by google/go-cloud - which means that MONGO_SERVER_URL needs to be generated on the fly from signers.kms.auth.token-path by the chains controller so google/go-cloud can read the up-to-date value.
This also eliminates the need to restart the pod to read the updated value.
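To make the mechanism discussed in this thread concrete (resolving the MongoDB server URL from a file path rather than storing it in the Chains config, detecting that the file was rotated, and regenerating MONGO_SERVER_URL so that go-cloud, which reads the env var itself, sees the new value without a pod restart), here is an added Go example. It is not code from Tekton Chains or from google/go-cloud. The config keys storage.docdb.mongo-server-url and storage.docdb.mongo-server-url-path follow the names concaf proposes further down in this thread but are assumptions, as are the MongoURLSource type and its methods; the URLs, file contents and the temp directory are constructed for the demo.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"sync"
)

// Config keys as proposed in this thread (hypothetical, not Chains' real schema).
const (
	keyMongoServerURL     = "storage.docdb.mongo-server-url"
	keyMongoServerURLPath = "storage.docdb.mongo-server-url-path"
	envMongoServerURL     = "MONGO_SERVER_URL" // read by google/go-cloud, not by Chains
)

// MongoURLSource resolves the MongoDB server URL from an inline config value or
// from a file (a mounted Secret/ConfigMap, or a Vault agent injected file).
type MongoURLSource struct {
	mu      sync.Mutex
	inline  string
	path    string
	lastRaw []byte // last observed value, used to detect a rotation
}

// NewMongoURLSource requires exactly one of the two keys to be set.
func NewMongoURLSource(cfg map[string]string) (*MongoURLSource, error) {
	inline, path := cfg[keyMongoServerURL], cfg[keyMongoServerURLPath]
	if (inline == "") == (path == "") {
		return nil, errors.New("set exactly one of " + keyMongoServerURL + " and " + keyMongoServerURLPath)
	}
	return &MongoURLSource{inline: inline, path: path}, nil
}

// Resolve returns the current URL and whether it changed since the last call.
func (s *MongoURLSource) Resolve() (string, bool, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	raw := []byte(s.inline)
	if s.path != "" {
		b, err := os.ReadFile(s.path)
		if err != nil {
			return "", false, err
		}
		raw = bytes.TrimSpace(b) // mounted secrets usually end with a newline
	}
	if len(raw) == 0 {
		return "", false, errors.New("mongo server url is empty")
	}
	changed := !bytes.Equal(raw, s.lastRaw)
	s.lastRaw = raw
	return string(raw), changed, nil
}

// ExportEnv publishes the current URL as MONGO_SERVER_URL for go-cloud and reports whether it was (re)written.
func (s *MongoURLSource) ExportEnv() (bool, error) {
	u, changed, err := s.Resolve()
	if err != nil {
		return false, err
	}
	if !changed && os.Getenv(envMongoServerURL) == u {
		return false, nil
	}
	return true, os.Setenv(envMongoServerURL, u)
}

// Redact masks the password so the URL can be logged; the raw value carries credentials.
func Redact(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable mongo server url>"
	}
	if u.User != nil {
		if _, has := u.User.Password(); has {
			u.User = url.UserPassword(u.User.Username(), "REDACTED")
		}
	}
	return u.String()
}

// Constructed demo: write a URL file, export it, then simulate a credential rotation.
func main() {
	dir, _ := os.MkdirTemp("", "mongo-url")
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "mongo-server-url")
	src, err := NewMongoURLSource(map[string]string{keyMongoServerURLPath: p})
	if err != nil {
		panic(err)
	}
	for _, u := range []string{"mongodb://app:old-secret@mongo.example:27017/db\n", "mongodb://app:new-secret@mongo.example:27017/db\n"} {
		_ = os.WriteFile(p, []byte(u), 0o600) // the kubelet or vault agent rewrote the file
		updated, err := src.ExportEnv()
		fmt.Println("updated:", updated, "err:", err, "url:", Redact(os.Getenv(envMongoServerURL)))
	}
}
```

A controller would call ExportEnv from a periodic ticker or a file watcher and reopen its docstore collection whenever it returns true; whether a reopened collection actually picks up the new env value depends on how go-cloud caches the dialed client, which is worth checking against the linked urls.go before relying on this. Redact exists because the URL embeds the credentials, the very reason this thread wants it out of the Chains config: log only the redacted form.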

@concaf (Contributor) commented Apr 5, 2024

/assign

@concaf (Contributor) commented Apr 5, 2024

@lcarva to configure mongo as a storage backend, I believe there are 2 things that need to be done:

  • set storage.docdb.url to something like mongo://my-db/my-collection
  • set MONGO_SERVER_URL

How about these as new fields?

  • storage.docdb.mongo-server-url
  • storage.docdb.mongo-server-url-path

@lcarva (Contributor) commented Apr 5, 2024

Sure. We can sort out the exact names in the pull request 😉

@concaf (Contributor) commented Apr 17, 2024

@lcarva when is the next chains release? I want this to be a part of the next release 🤔

@lcarva (Contributor) commented Apr 17, 2024

We aim for a release every month. But, usually, we go longer than that.
