feat(credential): set default encryption key #981
Draft
Welcome to Cryostat! 👋
Before contributing, make sure you have:
main
branch[chore, ci, docs, feat, fix, test]
To recreate commits with GPG signature
git fetch upstream && git rebase --force --gpg-sign upstream/main
Related to cryostatio/cryostat-operator#1134
Description of the change:
Uses a default value of `default_key` for the `pgcrypto` functions used in the `Credential` keyring table. Normally when deploying Cryostat with `cryostat-db`, the `encrypt.key` database configuration parameter should be set and this key will be used to symmetrically encrypt/decrypt the credentials in the keyring. However, in cases where it is not possible to set such configuration parameters and where relaxed data security may be acceptable, then Cryostat should be able to cope with the database not having an `encrypt.key` configuration parameter.

Without this change, attempting to hook up Cryostat to a database instance which does not have an `encrypt.key` config results in the Credential table being completely unusable, which would preclude any usage of stored credentials - including Cryostat Agent registration.

When deploying Cryostat alongside `cryostat-db`, or any other database instance which does have the `encrypt.key` configuration parameter set, then this will still use that key. In the case of `cryostat-db` this is normally done using an environment variable, and the Cryostat Operator or Helm Chart automatically sets up the database and Cryostat deployments to share this value via a Secret.
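
The fallback described above, sketched as an added PostgreSQL example (not code from this pull request or from Cryostat), ending with a check an operator can run to see whether a database is relying on the default key. The function `demo_keyring_key`, the table `demo_credential` and the sample values are hypothetical; only `encrypt.key`, `default_key` and `pgcrypto` come from the description.

```sql
-- Added example, not Cryostat's code. Needs the pgcrypto extension.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Hypothetical helper: resolve the symmetric key from the encrypt.key
-- parameter, falling back to the default named in this PR when it is unset.
CREATE OR REPLACE FUNCTION demo_keyring_key() RETURNS text
LANGUAGE sql STABLE AS $$
    -- current_setting(name, true) returns NULL instead of raising an error
    -- when the parameter is missing; NULLIF also treats '' as unset.
    SELECT COALESCE(NULLIF(current_setting('encrypt.key', true), ''),
                    'default_key');
$$;

-- Constructed table standing in for the credential keyring.
CREATE TEMP TABLE demo_credential (
    id       serial PRIMARY KEY,
    username bytea NOT NULL,
    password bytea NOT NULL
);

-- Constructed sample row, encrypted with whichever key was resolved.
INSERT INTO demo_credential (username, password)
VALUES (pgp_sym_encrypt('agent-user', demo_keyring_key()),
        pgp_sym_encrypt('constructed-sample-password', demo_keyring_key()));

-- Round trip: works whether or not encrypt.key is configured.
SELECT id,
       pgp_sym_decrypt(username, demo_keyring_key()) AS username,
       pgp_sym_decrypt(password, demo_keyring_key()) AS password
FROM demo_credential;

-- Deployment check: report whether this database is using the fallback.
-- With the fallback, anyone who can read the table and knows the default
-- value can decrypt the rows.
SELECT CASE
         WHEN NULLIF(current_setting('encrypt.key', true), '') IS NULL
         THEN 'encrypt.key not set: keyring uses the built-in default key'
         ELSE 'encrypt.key set: keyring uses the configured key'
       END AS keyring_key_status;
```

Rows written under the default key do not decrypt once `encrypt.key` is later configured, so a database moved off the fallback needs its stored credentials re-encrypted or re-entered.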