-
Notifications
You must be signed in to change notification settings - Fork 209
Conversation
CLA assistant check
All committers have signed the CLA.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: you can use PathBuf, it implements Deserialize.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: when you have so many args of the same type, the caller can get confused and pass the wrong one. Couple ways around this:
- Define a struct that keeps those as its own fields and make this method use
&self. - Combine the args into a
struct, so the caller has to do something like this:
struct Args<'a> { addr: &'a str, role_id: &'a str, } approve_login(&Args { addr: "localhost", role_id: "1234" }).await?;
levkk
commented
May 4, 2026
Really cool, thanks for implementing this! I'm still reviewing, will get back to you with more comments if any asap.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: consider importing functions and structs, e.g.:
use tokio::fs::read_to_string; read_to_string(&path).await?;
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reloading the config (RELOAD admin command) will erase these I think. You may want to run the vault loop externally and fetch credentials from an in-memory cache instead, using the database and user as key.
Great start. A few comments on style and one important architectural issue: the vault credentials are loaded on boot only, but pgdog config is dynamic and can be reloaded without restarting, I think the current implementation will reset the credentials when this happens.
Fixed my incorrect merge conflict fix in 884f14e6391a69b11b8da22ca074ca62e5e36190 (you should be able to cherry-pick it from #960).
larrywax
commented
May 6, 2026
Great start. A few comments on style and one important architectural issue: the vault credentials are loaded on boot only, but pgdog config is dynamic and can be reloaded without restarting, I think the current implementation will reset the credentials when this happens.
Fixed my incorrect merge conflict fix in
884f14e6391a69b11b8da22ca074ca62e5e36190(you should be able to cherry-pick it from #960).
Ah I see, was not aware of it. Makes sense, thanks!
3d52f90 to
d3ac996
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you may want to reload the connection pools if and only if the credentials actually changed. I think vault would rotate them every 15min or so (not sure), but this would log it every second and reload the pools once per second too? Please let me know if I misunderstood.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't implemented credentials refresh yet. For now, we fetch a new set of credentials every time they are close to expiration.
This will only log the error and then wait rotation_interval seconds to refresh the credentials and reload the connections. The backoff kicks in only when we fail to get credentials from vault.
Perhaps spawning a single task that refreshes credentials in a loop is not ideal for error handling, it would probably be better to spawn a task for each pool
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I agree. You can spawn per-pool tasks in monitor.rs (feel free to create a separate module under backend::pool).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you sure about moving the tasks into backend::pool? I'm trying to implement it, but I’m not sure if calling reload_from_existing from this point in the code is 'correct.' Also, this way I’d have to 'leak' some Vault details into the underlying structures
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, good point. I forgot that Pool is immutable, so reloading it from there isn't right. We recently added a cache for AWS IAM and Azure Worload Identity tokens, maybe that's a good place for Vault credentials refreshing too? Check it out: https://github.com/pgdogdev/pgdog/blob/main/pgdog/src/backend/pool/token_cache.rs
d3ac996 to
4c76f84
Compare
Draft implementation as discussed in #938