
Drop credentials from MySQL containers' environment
Open, Normal, Public

Description

Instead of publishing the MySQL root password in the environment, as documented in the MySQL container image, we could generate a temporary one, then use it to set the stable one from Vault.

For that, I'd suggest the following plan:

  1. A flag-as-file ./auth_configured, not set at first, means a root password is already configured
  2. We remove any credential from the environment
  3. At container launch, if .auth_configured is missing, a random temporary password is generated, set for MySQL and configured in a launcher: mysql -hlocalhost -uroot -p<generated password>
  4. After the container has been launched, if ./auth_configured is missing, a script is run by Salt to use the launcher: docker exec <instance> ./mysql-wrapper to do three things:
    • update root password, as set in Vault
    • delete the wrapper
    • touch .auth_configured
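
A sketch of steps 3 and 4 of the plan above, added here as an example; it is not code from this task or its repository. `STATE_DIR`, `MYSQL_CLIENT` and `bootstrap.cnf` are assumed names, and the temporary password is kept in a 0600 client option file (read with `--defaults-extra-file`) rather than passed as `-p<generated password>`, so it never appears in a process list.

```shell
#!/bin/sh
# Added example. STATE_DIR, MYSQL_CLIENT and bootstrap.cnf are assumed names;
# .auth_configured is the flag file from the plan.
STATE_DIR="${STATE_DIR:-.}"
MYSQL_CLIENT="${MYSQL_CLIENT:-mysql}"   # overridable, so the flow can be exercised without a server

# Step 3, at container launch: generate the temporary root password and store it
# only in a 0600 client option file (not in argv, not in the environment).
# Applying that password to the server is left to the image's init step.
prepare_bootstrap() {
    if [ -e "$STATE_DIR/.auth_configured" ]; then return 0; fi
    tmp_pw=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
    ( umask 077
      rm -f "$STATE_DIR/bootstrap.cnf"   # never inherit looser permissions
      printf '[client]\nhost=localhost\nuser=root\npassword=%s\n' "$tmp_pw" \
          > "$STATE_DIR/bootstrap.cnf" )
    unset tmp_pw
}

# Step 4, run once by the orchestrator: read the stable password on stdin,
# set it, then remove the temporary credential and raise the flag.
rotate_root_password() {
    if [ -e "$STATE_DIR/.auth_configured" ]; then return 0; fi
    IFS= read -r new_pw || true
    case "$new_pw" in
        ''|*\'*|*\\*)   # empty, or would break out of the SQL string literal
            printf '%s\n' "refusing empty password or one with a quote or backslash" >&2
            return 1 ;;
    esac
    # SQL goes over stdin, so the new password never shows up in a process list.
    printf "ALTER USER 'root'@'localhost' IDENTIFIED BY '%s';\n" "$new_pw" \
        | "$MYSQL_CLIENT" --defaults-extra-file="$STATE_DIR/bootstrap.cnf" || return 1
    unset new_pw
    rm -f "$STATE_DIR/bootstrap.cnf"
    : > "$STATE_DIR/.auth_configured"
}
```

If the client call fails, the option file stays in place and the flag is not created, so the next run retries instead of leaving the instance on a lost temporary password.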

Event Timeline

dereckson triaged this task as Normal priority. Feb 9 2023, 21:55
dereckson created this task.
dereckson moved this task from Backlog to Servers config on the Salt board.
dereckson added a subscriber: fauve.

[ Those tasks have been identified as suitable for the next operations sprint. ]