address comments on code review (command)

command/operator_root_keyring_rotate.go

@@ -37,11 +37,16 @@ Keyring Options:
     will immediately return and the re-encryption process will run
     asynchronously on the leader.
 
+  -now
+    Publish the new key immediately without prepublishing. One of -now or
+    -prepublish must be set.
+
   -prepublish
     Set a duration for which to prepublish the new key (ex. "1h"). The currently
     active key will be unchanged but the new public key will be available in the
     JWKS endpoint. Multiple keys can be prepublished and they will be promoted to
-    active in order of publish time, at most once every root_key_gc_interval.
+    active in order of publish time, at most once every root_key_gc_interval. One
+    of -now or -prepublish must be set.
 
   -verbose
     Show full information.
@@ -58,6 +63,7 @@ func (c *OperatorRootKeyringRotateCommand) AutocompleteFlags() complete.Flags {
 	return mergeAutocompleteFlags(c.Meta.AutocompleteFlags(FlagSetClient),
 		complete.Flags{
 			"-full":       complete.PredictNothing,
+			"-now":        complete.PredictNothing,
 			"-prepublish": complete.PredictNothing,
 			"-verbose":    complete.PredictNothing,
 		})
@@ -72,12 +78,13 @@ func (c *OperatorRootKeyringRotateCommand) Name() string {
 }
 
 func (c *OperatorRootKeyringRotateCommand) Run(args []string) int {
-	var rotateFull, verbose bool
+	var rotateFull, rotateNow, verbose bool
 	var prepublishDuration time.Duration
 
 	flags := c.Meta.FlagSet("root keyring rotate", FlagSetClient)
 	flags.Usage = func() { c.Ui.Output(c.Help()) }
 	flags.BoolVar(&rotateFull, "full", false, "full key rotation")
+	flags.BoolVar(&rotateNow, "now", false, "immediately rotate without prepublish")
 	flags.BoolVar(&verbose, "verbose", false, "")
 	flags.DurationVar(&prepublishDuration, "prepublish", 0, "prepublish key")
 
@@ -98,6 +105,18 @@ func (c *OperatorRootKeyringRotateCommand) Run(args []string) int {
 		return 1
 	}
 
+	if !rotateNow && prepublishDuration == 0 || rotateNow && prepublishDuration != 0 {
+		c.Ui.Error(`
+One of "-now" or "-prepublish" must be used.
+
+If a key has been leaked use "-now" to force immediate rotation.
+
+Otherwise please use "-prepublish <duration>" to ensure the new key is not used
+to sign workload identities before JWKS endpoints are updated.
+`)
+		return 1
+	}
+
 	publishTime := int64(0)
 	if prepublishDuration > 0 {
 		publishTime = time.Now().UnixNano() + prepublishDuration.Nanoseconds()

website/content/docs/commands/operator/root/keyring-rotate.mdx

@@ -28,22 +28,25 @@ nomad operator root keyring rotate [options]
   command will immediately return and the re-encryption process will run
   asynchronously on the leader.
 
+- `-now`: Publish the new key immediately without prepublishing. One of `-now`
+  or `-prepublish` must be set.
+
 - `-prepublish`: Set a duration for which to prepublish the new key
   (ex. "1h"). The currently active key will be unchanged but the new public key
   will be available in the JWKS endpoint. Multiple keys can be prepublished and
   they will be promoted to active in order of publish time, at most once every
-  [`root_key_gc_interval`][].
+  [`root_key_gc_interval`][]. One of `-now` or `-prepublish` must be set.
 
 - `-verbose`: Enable verbose output
 
 ## Examples
 
 ```shell-session
-$ nomad operator root keyring rotate
+$ nomad operator root keyring rotate -now
 Key       State   Create Time           Publish Time
 f19f6029  active  2022-07-11T19:14:36Z  <none>
 
-$ nomad operator root keyring rotate -verbose
+$ nomad operator root keyring rotate -now -verbose
 Key                                   State   Create Time           Publish Time
 53186ac1-9002-c4b6-216d-bb19fd37a791  active  2022-07-11T19:14:47Z  <none>