  1. OpenShift Pipelines
  2. SRVKP-4319

MongoDB credentials don't rotate


    • Task
    • Resolution: Unresolved
    • Major
    • Tekton Chains

      Description of problem:

      When using Tekton Chains with the MongoDB storage, the connection URI is stored in an environment variable (as per the documentation: https://github.com/tektoncd/chains/blob/main/docs/config.md#mongodb).

      When we rotate the MongoDB credentials, the connection will fail, but an error is simply logged and the signing fails. Since this is critical, we believe the pod should crash and restart instead of just continuing to run like there was no problem.

      Having the pod restart would also allow it to pick up the updated environment variable.

      If for some reason the pod should not restart, we would need a mechanism to rotate the MongoDB credentials on a regular basis.

      Version-Release number of selected component (if applicable):

          Operator 1.8

      How reproducible:

          Change the MongoDB credentials while Chains is running.

      Steps to Reproduce:

          1. Configure Tekton Chains to use the MongoDB store.
          2. Once Chains is up and running, change the MongoDB password in Mongo.
          

      Actual results:

          An entry indicating that the signing failed can be found if we dig into the Chains logs.

      Expected results:

          The pod should stop working since the signing (a critical operation) cannot be performed anymore.

      Additional info:

          

            lmohanty@redhat.com Lalatendu Mohanty
            rg44868 Remy Greinhofer (Inactive)
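
The fail-fast behaviour requested in this issue, as an added sketch that is not Tekton Chains code: a signing loop that exits non-zero after repeated authentication failures from its store, so the container is restarted and re-reads its environment. `Store`, `ErrAuth`, `rotatedStore`, `Run` and the threshold are hypothetical names and values, and the backend is simulated rather than a real MongoDB driver.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// ErrAuth is a constructed sentinel standing in for the driver's auth error.
var ErrAuth = errors.New("authentication failed")

// Store is a hypothetical minimal interface for the signature backend.
type Store interface{ Put(key string, payload []byte) error }

// rotatedStore simulates a backend whose password changes after okWrites writes.
type rotatedStore struct{ okWrites int }

func (s *rotatedStore) Put(string, []byte) error {
	if s.okWrites > 0 {
		s.okWrites--
		return nil
	}
	return fmt.Errorf("store signature: %w", ErrAuth)
}

// Run stores n payloads and returns how many succeeded plus the exit code to
// use: 1 once threshold (>= 1) consecutive authentication failures are seen.
func Run(st Store, threshold, n int) (stored, exitCode int) {
	failures := 0
	for i := 0; i < n; i++ {
		err := st.Put(fmt.Sprintf("taskrun-%d", i), []byte("sig"))
		switch {
		case err == nil:
			stored, failures = stored+1, 0
		case errors.Is(err, ErrAuth):
			failures++ // other errors are left to normal retry handling
		}
		if failures >= threshold {
			return stored, 1
		}
	}
	return stored, 0
}

func main() {
	stored, code := Run(&rotatedStore{okWrites: 2}, 3, 10)
	fmt.Printf("stored=%d exit=%d\n", stored, code)
	os.Exit(code) // non-zero exit triggers a restart under the pod's restart policy
}
```

Counting only consecutive authentication errors keeps a transient network failure from restarting the pod, while a rotated password surfaces as a crash instead of a log line.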