Add support for external credentials providers like Hashicorp Vault
Users can handle database secrets from other sources than Kubernetes Secrets, like Vault. Most external credential providers provide secrets to pods using sidecars + volumes, by writing the secret to a file. The operator should provide a way for users to use credentials coming from files.
The main issue I see is that the operator can't connect itself to the database to set up and keep the schema up to date across version upgrades.
Some strategies can be adopted:
- If the user wants to use an external credential provider, the operator does not reconcile persistence schemas. If the user has to do database migrations by themselves, the operator has less interest ...
- If the user uses an external credential provider, they should provide credentials for jobs and the operator spawns jobs running migrations. It seems hacky and it forces the operator to maintain two ways of running DB migrations.
- Maybe someone has another idea ..
Maybe the solution is to refactor how the operator reconciles the persistence. For now, the operator connects itself to the provided datastores and runs the migrations.
Maybe the operator should only spawn jobs running Temporal's "official" schema migration tools. Using this solution the end user can provide credentials to the migration jobs using the tool of their choice.
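As an added illustration of the job-based strategy above (not code from this issue or from the operator), a Kubernetes Job that runs the schema update with database credentials read from a file written by the Vault Agent sidecar, so no Kubernetes Secret holds the password. The Vault role, secret path, service account, image tag, database endpoint, and the `temporal-sql-tool` flags and schema directory are assumptions to check against your cluster and tool version.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: temporal-schema-update
  namespace: temporal
spec:
  backoffLimit: 2
  template:
    metadata:
      annotations:
        # Vault Agent Injector renders the secret into /vault/secrets/db-creds and,
        # with pre-populate-only, exits instead of staying up so the Job can complete.
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/role: "temporal-migrations"                # assumed Vault role
        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/temporal-migrations"  # assumed secret path
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "database/creds/temporal-migrations" -}}
          export SQL_USER="{{ .Data.username }}"
          export SQL_PASSWORD="{{ .Data.password }}"
          {{- end }}
    spec:
      restartPolicy: Never
      serviceAccountName: temporal-migrations   # assumed; bound to the Vault role above
      containers:
        - name: update-schema
          image: temporalio/admin-tools:VERSION_MATCHING_YOUR_CLUSTER   # placeholder tag
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              # Credentials come only from the sidecar-written file, never from a Kubernetes Secret.
              . /vault/secrets/db-creds
              # temporal-sql-tool reads SQL_USER / SQL_PASSWORD from the environment (assumed behaviour).
              temporal-sql-tool --plugin postgres \
                --endpoint postgres.temporal.svc --port 5432 \
                --database temporal \
                update-schema -d /etc/temporal/schema/postgresql/v96/temporal/versioned
```

Because the credentials exist only in the pod's in-memory `/vault/secrets` volume for the lifetime of the Job, a short-lived Vault database role can be used so the migration user expires after the run.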
BTW, External Secrets Operator can fetch secrets from Vault and create Secrets in the cluster: https://external-secrets.io/latest/provider/hashicorp-vault/