Use Isilon keychain to access backing store

Summary:
We recently had a sev S290626 where Isilon team rotated all S3 access keys for their clients, which broke our backup sync jobs.
Let's read the access keys from the source of truth, which Isilon team may rotate themselves.
And also let's read the keys periodically so we won't need to restart services if the rotation happens.
I also spotted a bug where instead of `region_name` the smc tier was passed, but since Isilon doesn't verify region it was working fine; anyway, let's fix it too.

Reviewed By: HarveyHunt

Differential Revision: D39057471

fbshipit-source-id: 543a0a5be5903778899d31d04863226b831b5776
Egor Tkachenko 2022-09-06 01:42:31 -07:00 committed by Facebook GitHub Bot
parent 947a1f0e66
commit 61a98d07d8
4 changed files with 8 additions and 1 deletions

@ -1,4 +1,4 @@
// @generated SignedSource<<cf41059408c794c4062dbfad43ce03ee>>
// @generated SignedSource<<fcbf799169f08ef5f483699d67847629>>
// DO NOT EDIT THIS FILE MANUALLY!
// This file is a mechanical copy of the version in the configerator repo. To
// modify it, edit the copy in the configerator repo instead and copy it over by
@ -313,6 +313,8 @@ struct RawBlobstoreS3 {
// Limit the number of concurrent operations to S3
// blobstore.
5: optional i32 num_concurrent_operations;
// Name of the secret within the group
6: optional string secret_name;
} (rust.exhaustive)
// Configuration for a single blobstore. These are intended to be defined in a
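
Review bot: The comment on field 6 says "Name of the secret within the group" without saying which group is meant or what an unset value means. Since the field is `optional`, name the keychain group explicitly (the Rust side already says "within the keychain group") and describe what happens when `secret_name` is absent.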

@ -499,6 +499,7 @@ fn make_blobstore_put_ops<'a>(
region_name,
endpoint,
num_concurrent_operations,
secret_name,
} => {
#[cfg(fbcode_build)]
{
@ -506,6 +507,7 @@ fn make_blobstore_put_ops<'a>(
fb,
bucket,
keychain_group,
secret_name,
region_name,
endpoint,
blobstore_options.put_behaviour,
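
Review bot: `secret_name` is added positionally between `keychain_group` and `region_name` in a call that already takes several adjacent name-like arguments, so a misplaced argument can still compile if the types happen to line up. The summary describes that kind of mix-up for `region_name`; consider grouping the S3 parameters into a struct with named fields, or using distinct newtypes, so the call site cannot silently pass the wrong value.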

@ -199,6 +199,7 @@ impl Convert for RawBlobstoreConfig {
.num_concurrent_operations
.map(|x| x.try_into())
.transpose()?,
secret_name: raw.secret_name,
},
RawBlobstoreConfig::UnknownField(f) => {
return Err(anyhow!("unsupported blobstore configuration ({})", f));
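
Review bot: `secret_name: raw.secret_name` is copied through with no check, unlike `num_concurrent_operations` just above it, which goes through `try_into` and can fail the conversion. An empty or whitespace-only string would be accepted as a valid name here; consider rejecting it with an `anyhow!` error so a bad config fails at load time rather than when the credential is looked up.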

@ -881,6 +881,8 @@ pub enum BlobConfig {
endpoint: String,
/// Limit the number of concurrent operations to S3 blobstore.
num_concurrent_operations: Option<usize>,
/// Name of the secret key within the keychain group
secret_name: Option<String>,
},
}
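
Review bot: The doc comment on `secret_name` does not say what `None` means. Because the field is `Option<String>`, a config that omits it is accepted, so document the resulting behaviour (a default secret name, or an error when the blobstore is constructed) so operators know which credential is read when the field is left out.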