Best Practice for Automatic Vault Token Generation and Percona keyring_vault plugin

After doing some research, I have found a way that might work for automatic Vault token rotation without the need to restart Percona and the potential downtime.

There are a few important facts that this solution is based on:

  1. If a Vault token is revoked while the Percona server with TDE is running, the data is still decrypted and accessible. This is because the only time Percona needs to fetch the master decryption key stored in Vault is when the server is first started to decrypt the data. For the rest of the session, the data stays decrypted.

  2. Running the commands below causes Percona to read the keyring_vault.conf file again and apply any changes in the file, such as a changed token. With reference to the previous point, the period between uninstalling and reinstalling the plugin will not result in downtime because a client will still have complete access to the data.

mysql> UNINSTALL PLUGIN keyring_vault;
mysql> INSTALL PLUGIN keyring_vault SONAME 'keyring_vault.so';

Implementation:

  1. Activate AppRole authentication on HashiCorp Vault Server
  2. Create a new role that is linked to the policy needed to access Vault KV secrets engine and generate the Role ID and Secret ID
  3. Install Vault Agent and configure Auto-Auth with the Role ID and Secret ID
  4. Create a cron job that will automatically tell Vault Agent to generate a new Vault token and set the token value in keyring_vault.conf to the new token
  5. In MySQL, create a new event that automatically uninstalls and reinstalls the keyring_vault plugin and enable Event Scheduler
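Steps 4 and 5 carried out as one cron-driven script, as an added example that is not part of the original post or of Percona's own tooling. It assumes Vault Agent's Auto-Auth is configured with a file sink that holds the current token (a hypothetical path such as /run/vault-agent/token), that keyring_vault.conf uses Percona's "key = value" layout with a "token = ..." line, and that the mysql client can reach the server through a login-path named local. The plugin reload is done from the same script with the UNINSTALL/INSTALL pair from the post, instead of a MySQL event, so the token swap and the re-read happen in one place. The config is rewritten through a temp file plus rename and kept at mode 0600, and an empty sink file leaves the old token in place rather than writing a blank one.

```shell
#!/bin/sh
# Added example (not from the original post): swap the token in keyring_vault.conf for the
# one Vault Agent wrote to its file sink, then reload the keyring_vault plugin so Percona
# re-reads the file. All paths and the login-path name are hypothetical.
set -eu

# Replace the "token = ..." line of a keyring_vault.conf with the token held in a sink file.
# Refuses to act on an empty sink so a failed Auto-Auth never blanks the stored token.
rotate_keyring_token() {
    conf="$1"
    sink="$2"
    new_token=$(tr -d '\r\n' < "$sink")
    if [ -z "$new_token" ]; then
        echo "rotate_keyring_token: sink $sink is empty, leaving $conf unchanged" >&2
        return 1
    fi
    tmp="${conf}.tmp.$$"
    # The token is handed to awk as a variable, never interpolated into the program text,
    # so its characters are never interpreted as an awk pattern.
    awk -v tok="$new_token" '
        /^[ \t]*token[ \t]*=/ { print "token = " tok; next }
        { print }
    ' "$conf" > "$tmp"
    chmod 600 "$tmp"          # the file holds a secret; do not widen its mode on rewrite
    mv "$tmp" "$conf"         # rename is atomic, the server never sees a half-written file
}

# Print the token currently stored in a keyring_vault.conf (used to verify the rewrite).
current_keyring_token() {
    awk -F= '/^[ \t]*token[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# Ask Percona to re-read keyring_vault.conf: the UNINSTALL/INSTALL pair from the post,
# issued through a mysql login-path so no password appears on the command line.
reload_keyring_plugin() {
    mysql --login-path="${1:-local}" -e \
        "UNINSTALL PLUGIN keyring_vault; INSTALL PLUGIN keyring_vault SONAME 'keyring_vault.so';"
}

# What cron would run: rotate the token, then reload the plugin.
rotate_and_reload() {
    rotate_keyring_token "${KEYRING_CONF:-/etc/mysql/keyring_vault.conf}" \
                         "${VAULT_TOKEN_SINK:-/run/vault-agent/token}"
    reload_keyring_plugin "${MYSQL_LOGIN_PATH:-local}"
}

# Stand-alone demo on constructed files in a temp directory; needs neither Vault nor MySQL.
demo() {
    work=$(mktemp -d)
    printf 'vault_url = https://vault.example.internal:8200\nsecret_mount_point = secret\ntoken = hvs.OLDTOKENPLACEHOLDER\nvault_ca = /etc/vault/ca.pem\n' \
        > "$work/keyring_vault.conf"
    printf 'hvs.NEWTOKENPLACEHOLDER\n' > "$work/vault-token"     # constructed sink content
    rotate_keyring_token "$work/keyring_vault.conf" "$work/vault-token"
    current_keyring_token "$work/keyring_vault.conf"              # prints hvs.NEWTOKENPLACEHOLDER
    rm -rf "$work"
}

demo
```

Installed as, for example, a root crontab entry such as `*/30 * * * * /usr/local/sbin/rotate-keyring-token.sh` (calling `rotate_and_reload` instead of `demo`), the script keeps the on-disk token in step with what Vault Agent renews. Because a server restart is the one moment Percona actually needs the token, it is worth checking the sink's token with `vault token lookup` before the swap and alerting when that fails, so a restart never meets a config pointing at a revoked token.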