keyring: support prepublishing keys #23577

Merged: 4 commits, Jul 19, 2024

Commits on Jul 19, 2024

  1. keyring: support prepublishing keys

    When a root key is rotated, the servers immediately start signing Workload
    Identities with the new active key. But workloads may be using those WI tokens
    to sign into external services, which may not have had time to fetch the new
    public key and which might try to fetch new keys as needed.
    
    Add support for prepublishing keys. Prepublished keys will be visible in the
    JWKS endpoint but will not be used for signing or encryption until their
    `PublishTime`. Update the periodic key rotation to prepublish keys at half the
    `root_key_rotation_threshold` window, and promote prepublished keys to active
    after the `PublishTime`.
    
    This changeset also fixes two bugs in periodic root key rotation and garbage
    collection, both of which can't be safely fixed without implementing
    prepublishing:
    
    * Periodic root key rotation would never happen because the default
      `root_key_rotation_threshold` of 720h exceeds the 72h maximum window of the FSM
      time table. We now compare the `CreateTime` against the wall clock time instead
      of the time table. (We expect to remove the time table in future work, ref
      #16359)
    * Root key garbage collection could GC keys that were used to sign
      identities. We now wait until `root_key_rotation_threshold` +
      `root_key_gc_threshold` before GC'ing a key.
    * When rekeying a root key, the core job did not mark the key as inactive after
      the rekey was complete.
    
    Ref: https://hashicorp.atlassian.net/browse/NET-10398
    Ref: https://hashicorp.atlassian.net/browse/NET-10280
    Fixes: #19669
    Fixes: #23528
    Fixes: #19368
    tgross committed Jul 19, 2024
    7f8138a
  2. 0158458
  3. 54cd945
  4. cae6cc2
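
The key lifecycle described in the first commit message (prepublish at half the rotation window, promote at `PublishTime`, GC only after rotation plus GC threshold), modeled in Go as an added example that is not code from this pull request or from Nomad. The `Key` type, `Tick`, the state strings and the sample thresholds are hypothetical; the model assumes a key's window is measured from its `PublishTime` and that a prepublished key's `PublishTime` is the end of the current window.

```go
package main

import (
	"fmt"
	"time"
)

// Key is a hypothetical model (not Nomad's type); a key born active has PublishTime == CreateTime.
type Key struct {
	ID, State               string // "active", "prepublished" or "inactive"
	CreateTime, PublishTime time.Time
}

func (k Key) String() string { return k.ID + "=" + k.State }

// Tick runs one rotation and GC pass against the wall clock.
func Tick(keys []Key, now time.Time, rotation, gc time.Duration) []Key {
	active, pre := -1, -1
	for i, k := range keys {
		if k.State == "active" {
			active = i
		} else if k.State == "prepublished" {
			pre = i
		}
	}
	if pre >= 0 && active >= 0 && !now.Before(keys[pre].PublishTime) {
		keys[active].State, keys[pre].State = "inactive", "active" // promote
	} else if pre < 0 && active >= 0 && now.Sub(keys[active].PublishTime) >= rotation/2 {
		// Half the window has passed: prepublish; PublishTime assumed = end of window.
		keys = append(keys, Key{fmt.Sprintf("key-%d", now.Unix()), "prepublished",
			now, keys[active].PublishTime.Add(rotation)})
	}
	var kept []Key
	for _, k := range keys {
		// An inactive key stays verifiable for rotation + gc after it began signing.
		if k.State != "inactive" || now.Sub(k.PublishTime) < rotation+gc {
			kept = append(kept, k)
		}
	}
	return kept
}

func main() {
	t0 := time.Date(2024, 7, 19, 0, 0, 0, 0, time.UTC) // constructed sample
	keys := []Key{{"key-0", "active", t0, t0}}
	for _, h := range []time.Duration{360, 720, 721, 1080} {
		keys = Tick(keys, t0.Add(h*time.Hour), 720*time.Hour, time.Hour)
		fmt.Println(int(h), keys)
	}
}
```

Every key still in the returned slice is one a verifier may need, so a JWKS built from it would list the prepublished key for half a window before any token is signed with it.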