Support for Mongo Token rotation

[PuneetPunamiya]

Feature request

As of today to store the attestations to mongodb we need to set MONGO_SERVER_URL as an env to the chains controller. For ref: https://github.com/google/go-cloud/blob/master/docstore/mongodocstore/urls.go#L42-L60

But if the mongo token is rotated then as of today we again need to set the MONGO_SERVER_URL value so that chains controller uses the new value

Hence in order to get the rotated token values, there can be 2 ways

• mongo server url is injected at a path in chains controller

  • For example using vault with chains where mongo creds are stored in vault, we can add this vault injector annotation vault.hashicorp.com/agent-inject-secret- in the chains controller pod
  • Next we add a mechanism in chains controller where the value of MONGO_SERVER_URL is set, by reading from a file path which is set by the user with a new config called MONGO_SERVER_URL_PATH
  • Whenever the value of the path will be changed the value will be reset for mongo server url

• mongo server url is mounted via secret / configmap, so that when it's updated, chains updates as well

In bot the cases, the common is reading mongo server url from a path

[lcarva]

I'm not too familiar with MongDB, but it sounds like the URL also includes sensitive information, like a token.

If that's the case, I would prefer to not store that in the Chains config for the same reason as #1074.

IIRC, from the KMS case, we talked about adding a new key to the Chains config, e.g. signers.kms.auth.token-path. Could we take the same approach here? Introduce a new Chains config key, e.g. storage.mogodb.url-path, to point to the file where the MongoDB Server URL is set?

[concaf]

I'm not too familiar with MongDB, but it sounds like the URL also includes sensitive information, like a token.

you're right, it contains creds to connect to mongoDB.

IIRC, from the KMS case, we talked about adding a new key to the Chains config, e.g. signers.kms.auth.token-path. Could we take the same approach here? Introduce a new Chains config key, e.g. storage.mogodb.url-path, to point to the file where the MongoDB Server URL is set?

i agree with this approach - reading from a path is more ... inclusive than reading from a secret due to the following use cases:

• if someone is mounting this from a kube secret or configmap, they can mount it at signers.kms.auth.token-path
• if someone is using external kms to fetch mongo server url like the vault agent injector (which mounts the secret at a particular path in the pod where a certain annotation is added), this should work in that use case well

another thing to note is that MONGO_SERVER_URL is not parsed by the chains controller, instead it's read from env by google/go-cloud - which means that MONGO_SERVER_URL needs to be generated on the fly from signers.kms.auth.token-path by chains controller so google/go-cloud can read the up to date value
this also eliminates the need to restart the pod to read the updated value

[concaf]

/assign

[concaf]

@lcarva to configure mongo as a storage backend, i believe there are 2 things that need to be done:

• set storage.docdb.url to something like mongo://my-db/my-collection
• set MONGO_SERVER_URL

how about these as new fields?

• storage.docdb.mongo-server-url
• storage.docdb.mongo-server-url-path

[lcarva]

Sure. We can sort out the exact names in the pull request 😉

[concaf]

@lcarva when is the next chains release? i want this to be a part of the next release 🤔

[lcarva]

We aim for a release every month. But, usually, we go longer than that.