FoundationDB physical backend #4900
This PR implements a FoundationDB physical storage backend for Vault, along with documentation, tests, and build system integration for the FoundationDB Go bindings.
The backend implements the transactional and HA interfaces; locks rely on correct time synchronization of the Vault nodes to operate properly.
The FoundationDB key is built by decorating the item path handed over to the backend by Vault core, to allow for an efficient list operation implementation using a single range read. The backend stores the data using 3 subspaces under a top-level directory:
The shadow copy is expected to eventually go away when a range read operation for keys only becomes available. Bookkeeping for sub-levels employs FoundationDB’s atomic operations to reduce transaction conflicts; this is not true of the delete path at present, pending the availability of a decrease-delete-if-0 type of operation.
Caveat: there isn’t a readily available FoundationDB Docker image at this time. This is being worked on (apple/foundationdb#355), but until that lands, you will need to run a FoundationDB server locally to run the tests (https://apple.github.io/foundationdb/getting-started-linux.html).
The test code includes the required setup code for using a Docker image, so a minor touch-up should be all that’s needed once a Docker image is available for FoundationDB.
On CGO: FoundationDB language bindings are built on top of the C client library, so I'm afraid CGO is a requirement. Please let me know if I'm mistaken in this regard, and I'll be happy to make the necessary changes.
On the bootstrap changes, this could certainly be done differently. I am not sure the FoundationDB Go bindings can be treated similarly to other Go dependencies though, and any advice here would be appreciated. Due to the code that needs to be generated/built and the CGO nature of the bindings, I don't know that a different approach would necessarily result in a better situation overall; the fdb-go-install script is the supported way to get the job done at the moment. Suggestions on how to make this better are welcome!
@jblache We don't currently offer dynamic builds of Vault. I don't know how much interest there is in FoundationDB as a storage backend but we could probably have a make target like
As for bootstrap, the only things that should be in bootstrap are items necessary for actually building Vault as a whole. If you wanted a separate Makefile in
@jefferai I believe this batch of changes should address your concerns. I've made the backend conditional; the Makefile will enable CGO for all build targets if the backend is enabled, as it is required. By default, the build is exactly as it is today. Attempts to use the backend will fail with a descriptive error message in a build that doesn't have it enabled.
I've removed the Go bindings installation from the bootstrap target and documented that step instead.
Just a note: one of the other Vault team members looked at the code and said LGTM so I didn't examine the code too carefully, just have been looking at overall organization, which I'm happy with now. Going to merge, and I'm hoping you'll be pingable in case people find issues :-)