External MongoDB and Secrets in MongoDB #1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains 2 separate changes ...
External MongoDB
This is a copy of a change already in the hashgraph repo, to allow the
DB_HOSTenvvar to contain a full connection string to MongoDB so we can use an external host, use the mongodb+srv protocol, specify username and password, and other connection options.Store Secrets in MongoDB
Allow the
SECRET_MANAGERenvvar to be set toMONGODBto have secrets stored in MongoDB.The rationale for this is that connecting to either of the recommended secrets manager options (AWS or Vault) can be complex if you're deploying outside of AWS/Azure. The option of deploying Vault locally is complex for smaller organizations without dedicated ops support.
Secrets are stored in a
secretscollection in the database.By default the secrets would be plain text, but can be encrypted by setting an encryption key in the
MONGO_ENCRYPTION_KEYenvvar.Some secrets are accessed by the startup logic in various services that executes prior to establishing a connection to the database. These are picked up from the runtime environment by the
MONGODBsecrets management rather than loading them into thesecretstable using a seeding process, as is the approach taken by other secrets handlers.