SPIKE: Research ways to update / rotate credentials for Software Factory #45
Comments
Some notes:

- Secret manager integration for rotation is not available in gov cloud with RDS.
- As far as I can tell, a custom lambda is required for elasticache, as there is no "integration" either. To manage such an integration would require enabling lambda in the account as well as custom code to support the rotation procedures and preventing application downtime, and kubeapi access from the lambda to update the secrets and bounce the pods to pick up the new ones.
- Seems like sonarqube doesn't work with IRSA without using a community wrapper that was single dev, years ago not updated (hopefully there's a better option).
- There are problems with using IRSA for postgres databases.
- We should honestly look at pepr for anything we cannot do with IRSA. I would rather not have to maintain lambdas, images and build processes, etc.

Pepr itself may be able to have IRSA if we wanted as well: https://github.com/defenseunicorns/zarf-init-aws
For GitLab's RDS implementation here are the service accounts that would be impacted in the
Note: For more information on how GitLab interacts with databases through its Helm chart, see the GitLab documentation on connecting to external databases.

Would at least be a good starting point to kick this off

@Racer159 please open an issue with UDS Core

defenseunicorns/uds-core#354 - looks like they have a very similar issue that could be generalized.
Is your feature request related to a problem? Please describe.
As Ezra I want a way to rotate secrets consistently so that I can easily rotate creds for applications.
Describe the solution you'd like
We should explore different ways to do this:
- zarf tools update-creds
- ?

Additional context
This should be simple from a user perspective and ideally be a one-stop-shop to do this.