Conversation
weiminyu
requested review from
CydeWeys and
ptkach
and removed request for
ptkach
weiminyu
force-pushed
the
sql-cred-store
branch
from
fd3da66 to
b74d007
Compare
CydeWeys
left a comment
CydeWeys
left a comment
There was a problem hiding this comment.
"The automatic password rotation feature has been dropped." -- can you give me more information on this?
@CydeWeys made 1 comment.
Reviewable status: 0 of 2 files reviewed, all discussions resolved.
weiminyu
left a comment
weiminyu
left a comment
There was a problem hiding this comment.
It was a proposal of mine back in 2020. The SqlCredentialStore class was the first step, but the remaining work is substantial, and we never had the time to complete it. Moreover, based on operational experience since then I don't think this is worth doing.
See go/dr-sql-password-rotation
@weiminyu made 1 comment.
Reviewable status: 0 of 2 files reviewed, all discussions resolved.
CydeWeys
left a comment
CydeWeys
left a comment
There was a problem hiding this comment.
@CydeWeys made 1 comment.
Reviewable status: 0 of 2 files reviewed, all discussions resolved.
The current SQL credential store was designed to support automatic password rotation without any disruption to the applications. For that goal, the credentials are stored with one level of indirection, and the secret name of the actual credential data may change automatically. The automatic password rotation feature has been dropped. In the meantime, the need arises that we use sidecar SQL proxy to get around the Enterprise Plus edition's post-maintenance reconnection failures by the socket factory library. This is hampered by the indirection in storage. This PR removes the indirection. This change is transparent to the rest of the code base. We will manually populate the secret manager with the new secrets in all environments after submissiion of this PR.
weiminyu
force-pushed
the
sql-cred-store
branch
from
b74d007 to
e40bc8b
Compare
2 participants
The current SQL credential store was designed to support automatic password rotation without any disruption to the applications. For that goal, the credentials are stored with one level of indirection, and the secret name of the actual credential data may change automatically.
The automatic password rotation feature has been dropped. In the meantime, the need arises that we use sidecar SQL proxy to get around the Enterprise Plus edition's post-maintenance reconnection failures by the socket factory library. This is hampered by the indirection in storage.
This PR removes the indirection. This change is transparent to the rest of the code base. We will manually populate the secret manager with the new secrets in all environments after submissiion of this PR.
This change is