make store service configurable #8419
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.
Removing the store service is great, as it reduces the list of services not having a description about their purpose 🤣 @kobergj
Ok, means:
- How is migration handled in this scenario?
Migration is not needed as the keys are ephemeral and can just be regenerated.
I forgot to not start the store service by default. Will change the default services.
fail while building ocis binary
LGTM 👍
Signed-off-by: Jörn Friedrich Dreyer <[email protected]>
Co-authored-by: Thomas Müller <[email protected]>
The store service was born out of a misunderstanding ... we need to clean that up. This PR changes the default signing key store to nats, but allows configuring and using the old store service to run existing installations without changes to the deployment (if updating the configuration).
The change does not need a migration as signing keys are just regenerated on the fly.
I don't know if the web ui will re-download the signing key if it expired. I don't think it has a way of detecting that as the browser will handle the download. Maybe they should just forget the signing key ... every 5min? so it is periodically refetched?
I can see the ocis web ui being left open for a long time, so I set the new signing key TTL default to 12h. In the past it never expired, which IMO is a bad practice.
cc @mmattel @wkloucek @kobergj @kulmann
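
Added example, not code from this pull request or the ocis code base: a minimal Go sketch of the behaviour the description above discusses, where a signing key with a TTL is regenerated on the fly after expiry (so no migration is needed) and a client still holding the old key produces signatures that no longer match. The `KeyStore` and `entry` types, the `Sign` helper, the in-memory map standing in for the nats store, the HMAC-SHA256 scheme, and the user and path values are all assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

type entry struct { // hypothetical: one signing key plus its expiry
	key     []byte
	expires time.Time
}

// KeyStore is an in-memory stand-in for a key-value store with a TTL.
type KeyStore struct {
	ttl  time.Duration
	now  func() time.Time // injectable clock so expiry can be simulated
	keys map[string]entry
}

// Key returns the stored key, or a fresh random one if missing or expired.
func (s *KeyStore) Key(user string) []byte {
	if e, ok := s.keys[user]; ok && s.now().Before(e.expires) {
		return e.key
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	s.keys[user] = entry{key: k, expires: s.now().Add(s.ttl)}
	return k
}

// Sign computes an HMAC-SHA256 tag over a URL (scheme assumed for the demo).
func Sign(key []byte, url string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(url))
	return m.Sum(nil)
}

func main() {
	clock := time.Now()
	s := &KeyStore{ttl: 12 * time.Hour, now: func() time.Time { return clock }, keys: map[string]entry{}}
	cached := s.Key("alice") // what a long-open client holds
	clock = clock.Add(13 * time.Hour)
	fmt.Println(hmac.Equal(Sign(cached, "/f"), Sign(s.Key("alice"), "/f"))) // false
}
```

The sketch is single-goroutine; a shared store would need locking or the atomic operations of the backing key-value store.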