Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release/8.0] Introduce a read-only mode for data protection keyring consumers #54266

Merged
merged 9 commits into from
Mar 6, 2024
Merged

[release/8.0] Introduce a read-only mode for data protection keyring consumers #54266

merged 9 commits into from
Mar 6, 2024

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Feb 29, 2024
edited by amcasey

Backport of #53539 to release/8.0

/cc @amcasey

Introduce a read-only mode for data protection keyring consumers

Summary of the changes (Less than 80 chars)

Description

When multiple app instances consume the same keyring, they all try to rotate it, leading to races. This change introduces an IConfiguration property (usually set as an env var) that puts data protection in a read-only mode. The expectation is that writing will be done by a separate (i.e. non-app-instance) component.

Fixes #52915

Customer Impact

This is required to automatically configure data protection (which is required for horizontal scaling) in Aspire, which will ship on 8.0.

Regression?

  • Yes
  • No

[If yes, specify the version the behavior has regressed from]

Risk

  • High
  • Medium
  • Low

Does nothing unless a magic environment variable is set, in which case it configures a couple of properties into states that were already possible.

The biggest risk is that it hasn't been tested E2E. Making it available in 8.0 is a pre-requisite for that.

Verification

  • Manual (required)
  • Automated

As mentioned above, final validation won't occur until the E2E scenario is ready.

Packaging changes reviewed?

  • Yes
  • No
  • N/A

amcasey and others added 9 commits February 29, 2024 00:13
@amcasey
Introduce a read-only mode for data protection keyring consumers
d8b6a29 
When multiple app instances consume the same keyring, they all try to rotate it, leading to races.  This change introduces an IConfiguration property (usually set as an env var) that puts data protection in a read-only mode.  The expectation is that writing will be done by a separate (i.e. non-app-instance) component.

Part of #52915
@amcasey
Add simple tests
183d862
@amcasey
Handle an empty path
96af285
@amcasey
Add logging
e974538
@amcasey @Tratcher
Increase positive-case log level
c9ffe1b 
Co-authored-by: Chris Ross <Tratcher@Outlook.com>
@amcasey
Fix style warning
a83815f
@amcasey
Add an AddDataProtection test
b40f9f2
@amcasey
Add a negative AddDataProtection test
b84c559
@amcasey
Use a directory that exists in ConfigureReadOnly_ExplicitRepository
f6f506d
@dotnet-issue-labeler dotnet-issue-labeler bot added the area-dataprotection Includes: DataProtection label Feb 29, 2024
@amcasey
Copy link
Member

amcasey commented Feb 29, 2024

We may eventually backport further, but there's no immediate request for that and it's a feature, rather than a fix.

@amcasey amcasey added the Servicing-consider Shiproom approval is required for the issue label Feb 29, 2024
@adityamandaleeka adityamandaleeka added Servicing-approved Shiproom has approved the issue and removed Servicing-consider Shiproom approval is required for the issue labels Mar 1, 2024
@wtgodbe wtgodbe merged commit 67ee7f1 into release/8.0 Mar 6, 2024
25 checks passed
@wtgodbe wtgodbe deleted the backport/pr-53539-to-release/8.0 branch March 6, 2024 20:58
@dotnet-policy-service dotnet-policy-service bot added this to the 8.0.4 milestone Mar 6, 2024
@claudiaregio claudiaregio mentioned this pull request May 6, 2024
Open
@adityamandaleeka adityamandaleeka mentioned this pull request May 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adityamandaleeka adityamandaleeka adityamandaleeka approved these changes

@Rmattmann1221 Rmattmann1221 Rmattmann1221 approved these changes

Assignees
No one assigned
Labels
area-dataprotection Includes: DataProtection Servicing-approved Shiproom has approved the issue
Projects
None yet
Milestone
8.0.4
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@amcasey @adityamandaleeka @Rmattmann1221 @wtgodbe