Percona Hashicorp Encryption Token Renewal

Hi All,

I’m doing a POC with Ansible. Everything is working so far, but I’m struggling with the encryption: it works, but I don’t know how to resolve a specific issue, which is the token expiration. The documentation doesn’t mention this particular issue about the token expiring and the drawback of that. The only tokens that do not expire in HashiCorp are the root tokens, and that is a big risk; without a root token we would lose communication with the Vault, and we would need to inject the token into the keyring conf file again and restart the database. I saw a post regarding this.

Sorry to ask, but is there any other way to achieve this with the HashiCorp Vault plugin?

Thank you.

Thank you @LukeYangJMA, I did it based on this. I wrote an Ansible playbook which installs HashiCorp Vault, creates the Vault Agent service, enables the encryption, and a small shell script that changes the token value in keyring_vault.conf.

The only thing required is the event scheduler to uninstall/install the keyring_vault plugin.

Another question that I have regarding this page: Use the keyring component or keyring plugin - Percona Server for MySQL

“Only one keyring plugin should be enabled at a time. Enabling multiple keyring plugins is not supported and may result in data loss.”

“Each secret_mount_point must be used by only one server. If multiple servers use the same secret_mount_point, the behavior is unpredictable.”

I assume this means that only one server will do this operation, hold the keyring conf, and be in charge of the encryption.
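As an added example (not code from the post, from Percona or from HashiCorp), here is a POSIX shell script that ties together the pieces the thread describes: Vault Agent authenticates with AppRole, keeps a short-lived token renewed, and writes it to a sink file; the script copies that token into keyring_vault.conf atomically and reinstalls the plugin so it picks the new token up, which avoids depending on a non-expiring root token. The Vault address, the AppRole role_id/secret_id paths, the sink path, the config path, the `rotate_keyring_token.sh` name and the mysql credentials are all assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post, Percona or HashiCorp.
# Rotates the Vault token that Percona Server's keyring_vault plugin reads
# from keyring_vault.conf, so the server never depends on a root token.
# Assumed (hypothetical) layout:
#   - Vault Agent authenticates with AppRole and writes a fresh token to
#     TOKEN_SINK; the Agent, not this script, handles renewal.
#   - Each server has its own keyring_vault.conf with its own
#     secret_mount_point (a mount point must not be shared between servers).
#   - mysql connects as a user allowed to (un)install plugins.
set -u

KEYRING_CONF="${KEYRING_CONF:-/etc/mysql/keyring_vault.conf}"
TOKEN_SINK="${TOKEN_SINK:-/run/vault-agent/token}"

# Print a Vault Agent config (HCL) for the assumed setup. The AppRole
# role_id/secret_id files are placeholders to be provisioned by Ansible.
write_agent_config() {
    cat <<'EOF'
vault {
  address = "https://vault.example.com:8200"
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
      remove_secret_id_file_after_reading = false
    }
  }
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
      mode = 0600
    }
  }
}
EOF
}

# Print the value of the token key from a keyring_vault.conf (empty if none).
get_keyring_token() {
    awk '/^[[:space:]]*token[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
         }' "$1"
}

# Replace (or append) the token line, leaving every other line untouched.
# The new file is written beside the old one and renamed, so the plugin never
# reads a half-written config.   Usage: set_keyring_token <conf> <new_token>
# (awk -v interprets backslash escapes; Vault tokens contain none.)
set_keyring_token() {
    conf=$1
    new_token=$2
    tmp="$conf.tmp.$$"
    awk -v t="$new_token" '
        /^[[:space:]]*token[[:space:]]*=/ { print "token = " t; found = 1; next }
        { print }
        END { if (!found) print "token = " t }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    mv "$tmp" "$conf"
}

# Make the plugin re-read its config the way the post does: an
# uninstall/install cycle. The same two statements can be scheduled from a
# MySQL event instead of cron if preferred.
reload_keyring_vault() {
    mysql -e "UNINSTALL PLUGIN keyring_vault;
              INSTALL PLUGIN keyring_vault SONAME 'keyring_vault.so';"
}

# Compare the Agent's sink with the config and rotate only when they differ.
rotate_token() {
    new_token=$(cat "$TOKEN_SINK") || return 1
    [ -n "$new_token" ] || { echo "empty token sink: $TOKEN_SINK" >&2; return 1; }
    if [ "$(get_keyring_token "$KEYRING_CONF")" = "$new_token" ]; then
        echo "token unchanged, nothing to do"
        return 0
    fi
    set_keyring_token "$KEYRING_CONF" "$new_token" && reload_keyring_vault
}

# Run from cron/systemd as:  sh rotate_keyring_token.sh rotate
# Sourcing the file (no argument) only defines the functions.
case "${1:-}" in
    rotate) rotate_token ;;
esac
```

The script touches only the `token` line; `vault_url`, `vault_ca` and, in particular, `secret_mount_point` stay as provisioned for that server, so running the same script on several servers does not make them share a mount point. Token lifetime and renewal are governed by the AppRole's token policy on the Vault side; the Agent re-authenticates when the token can no longer be renewed and overwrites the sink, which is what the next run of the script picks up.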