Tuesday, 1 September 2015

Salt Stack - centralised mysql state conundrum, get information from master

I am using Amazon AWS and our project uses MySQL databases. So far we are self-hosting them, but we want to move that out of the instances (a few production workloads, each running its own MySQL db) and use Amazon-provided ones.

What I have right now is that each server has its own MySQL root password and then creates a new user with a new random password that is used for the user.

The MySQL state uses credentials set up in /etc/salt/minion.

The problem I want to avoid is having a common root password of the shared DB instance that is stored in text and shared within all production instances, even though they only need to know their own.

The mysql state does allow right now to manually set connection credentials for each state, meaning I can template that based on grains or pillar. That would somewhat work, since I could just create each instance's credentials and manually distribute them. But that's not the salt way, is it?

So I could have an event fire to the master asking to check/create credentials, but there is no way to respond/stop the state there, is there?

I can't set up a slave in the MySQL instance since it's just an interface I am allowed to access.

So I could also salt the master and have within the master configuration a state that would go over a list of minions and check credentials. Then fire it off with an event and reactor and hope that this will always finish faster than the rest of the deployment. Or is there a simpler way to keep some data secret from the minion but effectively use it?
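The per-state connection credentials templated from pillar, as described in the post, sketched as an added example that is not part of the original post. The minion IDs, hostname, pillar keys, account names and passwords are constructed placeholders, and it assumes each instance's limited account was already created on the shared DB out of band.

```yaml
# --- /srv/pillar/top.sls (on the master) ---
# Pillar is compiled on the master and each minion is sent only the
# pillar files targeted at its ID, so web1 never receives web2's data
# and the shared root password is not placed in any minion's pillar.
base:
  'web1.example.internal':        # constructed minion ID
    - mysql.web1
  'web2.example.internal':        # constructed minion ID
    - mysql.web2

# --- /srv/pillar/mysql/web1.sls ---
# Account limited to this instance's own schema (assumption: created
# out of band with privileges on `web1_app`.* only).
mysql_conn:
  host: shared-db.example.internal   # placeholder endpoint
  user: web1_admin                   # placeholder account
  pass: 'CHANGE-ME-web1'             # placeholder secret
app_db: web1_app

# --- /srv/salt/appdb/init.sls ---
# Connection credentials are passed per state instead of being read
# from the mysql.user / mysql.pass settings in /etc/salt/minion.
{% set conn = salt['pillar.get']('mysql_conn', {}) %}
app_database:
  mysql_database.present:
    - name: {{ salt['pillar.get']('app_db') }}
    - connection_host: {{ conn.host }}
    - connection_user: {{ conn.user }}
    - connection_pass: '{{ conn.pass }}'
```

Running `salt 'web1.example.internal' pillar.items` from the master shows exactly which keys that minion can read, which is a quick check that no other instance's credentials are exposed to it.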



