Plugin Backend additional Software

I’m working on a Vault Plugin Backend, and that plugin requires software to be installed alongside vault.

The way I see it, the plugin would have to make use of the exec.Command APIs in Go to shell out to a binary that’s installed on the system. The 2 ways that I see this working out are:

  1. Installation of the software occurs at plugin backend installation time.
  2. Using the main or init Go functionality to ensure that the software is installed appropriately.

I guess what I’m looking for is feedback on my approach, and/or if there are already common patterns here for plugins that require additional software to run.

Hi Skyler!

I can’t think of any previously established plugins that have gone too far down that path. The closest thing is the Oracle plugin. Because of the Oracle Instant Client library needing to be installed out-of-band, we chose to deal with it in the simplest of ways - by expecting the user to do it on their own.

I think the ways you’re suggesting may also be quite good; I have no idea how complex it would be to test it on varying operating systems, though, or if that needs to be a factor for you.

In my opinion, as long as you can support the use case you need, it’s all fair game.

-Becca


Thanks! This is really great feedback; it’s good to know there wasn’t something glaring that I had overlooked.

Great!

Oh, I think I should comment on this too:

  1. Installation of the software occurs at plugin backend installation time.
  2. Using the main or init Go functionality to ensure that the software is installed appropriately.

If you decide to go that route, I’m thinking 2 would be the better approach. The “Factory” method for plugins is called once on the leader in a cluster, and it may also be called once on followers if they become leaders. Whereas with 1, I wonder if that would only be called once and then in failover scenarios, new machines wouldn’t have the software. I also do wonder, if you used method 2 and the machines started failing over back and forth, you might end up on a machine that already had it so attempting to blindly install something afresh could fail.

Anyways, suffice to say, if you do choose one of those methods, I would recommend testing such failover scenarios in a clustered environment.
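One way to structure approach 2 so that it survives the failover cases described above, written as an added example for this thread (it is not code from the plugin being built, from the Oracle plugin, or from the Vault SDK): the backend resolves its helper binary on every Factory call, installs only when the lookup fails, and never installs twice. Lookup and install are injected so the idempotency can be exercised without touching the host. The names `Tool`, `ToolDeps`, `Ensure`, `Run` and `NewSystemTool` are assumptions for illustration; the hooks into Vault's plugin `Factory` are described in comments only, and `sh` is used as a stand-in for the real helper.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"os/exec"
	"sync"
	"time"
)

// ErrToolMissing is returned when the helper is absent and no installer is configured
// (the "expect the operator to install it out-of-band" model used by the Oracle plugin).
var ErrToolMissing = errors.New("required tool is not installed")

// ToolDeps bundles the PATH lookup and the optional installer. Both are injected so
// the install-once logic can be tested with fakes. (Hypothetical type for this example.)
type ToolDeps struct {
	LookPath func(name string) (string, error)
	Install  func() error // nil means: never install, only report
}

// Tool caches the resolved absolute path after the first successful lookup.
type Tool struct {
	Name string
	deps ToolDeps
	mu   sync.Mutex
	path string
}

// Ensure resolves the binary, installing at most once and only when the lookup fails.
// It is safe to call from every Factory invocation: on a follower that already has the
// software (a previous leader, say) the lookup succeeds and no install is attempted.
func (t *Tool) Ensure() (string, error) {
	t.mu.Lock()
	defer t.mu.Unlock()
	if t.path != "" {
		return t.path, nil
	}
	if p, err := t.deps.LookPath(t.Name); err == nil {
		t.path = p
		return p, nil
	}
	if t.deps.Install == nil {
		return "", fmt.Errorf("%w: %s", ErrToolMissing, t.Name)
	}
	if err := t.deps.Install(); err != nil {
		return "", fmt.Errorf("installing %s: %w", t.Name, err)
	}
	p, err := t.deps.LookPath(t.Name)
	if err != nil {
		return "", fmt.Errorf("%s still not found after install: %w", t.Name, err)
	}
	t.path = p
	return p, nil
}

// Run executes the helper by absolute path with an explicit argv and a deadline.
// No shell is involved, so request-supplied arguments cannot become extra commands,
// and a hung helper cannot hang the Vault request indefinitely.
func (t *Tool) Run(ctx context.Context, timeout time.Duration, args ...string) (string, error) {
	path, err := t.Ensure()
	if err != nil {
		return "", err
	}
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, path, args...)
	cmd.Env = []string{"PATH=/usr/bin:/bin"} // minimal environment; widen if the helper needs more
	var stdout, stderr bytes.Buffer
	cmd.Stdout, cmd.Stderr = &stdout, &stderr
	if err := cmd.Run(); err != nil {
		if ctx.Err() == context.DeadlineExceeded {
			return "", fmt.Errorf("%s timed out after %s", t.Name, timeout)
		}
		return "", fmt.Errorf("%s failed: %w: %s", t.Name, err, stderr.String())
	}
	return stdout.String(), nil
}

// NewSystemTool wires Tool to the real PATH lookup with no installer.
func NewSystemTool(name string) *Tool {
	return &Tool{Name: name, deps: ToolDeps{LookPath: exec.LookPath}}
}

func main() {
	// In a real plugin, Ensure would be called inside Factory and Run from path handlers.
	t := NewSystemTool("sh") // stand-in for the real helper binary
	out, err := t.Run(context.Background(), 5*time.Second, "-c", "echo hello from helper")
	fmt.Printf("out=%q err=%v\n", out, err)
}
```

Failing the Factory when Ensure returns an error keeps the plugin from mounting on a node that cannot actually serve requests, which is easier to diagnose than a backend that mounts and then fails on first use after a failover.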

Awesome, this is great. Looking forward to more complex implementations of Vault infrastructure.

@tyrannosaurus-becks this must mean that all plugin operations always come from the leader? I.e. plugin backend requests can never be satisfied from a follower?

The above makes sense to me, as we generally always have HAProxy in front of Vault redirecting requests to the leader.

Hi! Hm, whether followers serve requests depends on the type of replication in use. With performance replication they could serve reads but not writes.