How versioned secrets can help with auto-restart message pumps #160
-
I haven't used this background job so no "real" experience here, but the way you describe it seems like supporting versioned secrets is the way to go.
-
Do we really need a "restart"? - What do you actually mean by that? Can't we just update the config? - Or do you mean re-initializing the connection?
-
I was going to type something, but now I'm thinking: How do versioned secrets resolve this issue?
-
The background job is imo more usable than the versioned secrets feature. Suppose you have a client-secret that is rolled. The new secret is added in KeyVault (the secret is updated with a new version). KeyVault raises an event, and the background job is triggered. We can make sure that our components that use this specific secret are notified and do the necessary things to use the new version of the secret, making sure that our component continues to work seamlessly. With the versioned secrets feature, on the other hand, our component has the ability to retrieve x versions of the secret. Typically, we'll use the first secret to connect to a resource, and if that doesn't work, we'll use the version before that, etc...
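The fallback described in the comment above, sketched as an added example; it is not part of the original discussion and is not Arcus code. `ConnectWithFallbackAsync`, the `getVersions` and `connect` delegates, the newest-first ordering and the use of `UnauthorizedAccessException` as the rejection signal are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

// Hypothetical helper (not an Arcus API): tries secret versions newest-first.
public static class VersionedSecretFallback
{
    // getVersions: returns up to N versions of one secret, newest first (assumed ordering).
    // connect: authenticates with a single secret value and throws
    //          UnauthorizedAccessException when the resource rejects it (assumed signal).
    // Returns the index of the version that was accepted.
    public static async Task<int> ConnectWithFallbackAsync(
        Func<Task<IReadOnlyList<string>>> getVersions,
        Func<string, Task> connect)
    {
        IReadOnlyList<string> versions = await getVersions();
        var failures = new List<Exception>();

        for (int i = 0; i < versions.Count; i++)
        {
            try
            {
                await connect(versions[i]);
                return i; // i > 0 means the newest version is not accepted yet
            }
            catch (UnauthorizedAccessException ex)
            {
                // Only an authentication rejection triggers the fallback;
                // network or other errors propagate to the caller unchanged.
                failures.Add(ex);
            }
        }
        throw new AggregateException("No available secret version was accepted.", failures);
    }

    public static async Task Main()
    {
        // Constructed sample: the resource still accepts only the middle version.
        var stored = new[] { "v3-new", "v2-current", "v1-old" };
        int used = await ConnectWithFallbackAsync(
            () => Task.FromResult<IReadOnlyList<string>>(stored),
            secret => secret == "v2-current"
                ? Task.CompletedTask
                : Task.FromException(new UnauthorizedAccessException("rejected")));
        Console.WriteLine($"Connected with version index {used}"); // never log the secret value
    }
}
```

Recording the returned index (not the secret) gives operators a signal that a component is still running on an older version after a rotation.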
-
We have released something called 'versioned secrets' in our Arcus Security library, which makes sure that multiple versions of a secret are taken into account when requesting a secret. This can come in handy when you want to rotate keys and don't want downtime (as you can rely on the second key).
The background jobs repo has a job that listens for 'secret new version created' events and uses this to restart the message pump, but, with these new versioned secrets, that may not be necessary anymore if we support versioned secrets in our message pumps.
Comments? @pim-simons @fgheysels @gverstraete @meersschautarnaud