Root key rotate - core side #7218

Merged (2 commits) on Apr 19, 2023

@jackyalbo (Contributor) commented Feb 27, 2023

Explain the changes

  1. We decided to move the key rotation part in core to a daily running process that checks whether anything has changed in the external root keys file and, if so, re-encrypts the system/systems keys accordingly.
  2. The key files will be under the directory /etc/noobaa-server/root_keys. The active root key id will be under /etc/noobaa-server/active_root_key.
  3. To support both the old format (env variable) and the new one (a directory mount with no env variable), checks were added to the system_server load; also, when running in the new format and seeing leftovers of the old format, those leftovers will get cleaned.

In the 2nd commit:

  • Moving mongodb outside of the noobaa tester container (due to issues with the image in M1).
  • Like in postgres, mongo will run in its own container and the tester will connect to it for DB access.

Issues: Fixed #xxx / Gap #xxx

Testing Instructions:

  1. Fixed Automatically comment out mongo-db code in Tests.Dockerfile when using Mac with M1 #7179
  • Doc added/updated
  • Tests added

@jackyalbo jackyalbo force-pushed the jacky-root-key-rotate branch 2 times, most recently from 67c6ca0 to fa195e0 Compare February 27, 2023 14:39
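
A sketch of the periodic check described in the PR description above, added here as an illustration and not taken from the NooBaa code base: it re-wraps a system key when the id in active_root_key changes. The one-file-per-key-id layout with base64 content, the AES-256-GCM wrapping and all function names are assumptions.

```javascript
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Assumed layout: <base>/root_keys/<key_id> holds a base64 32-byte key,
// <base>/active_root_key holds the id of the active root key.
function load_root_key(base, key_id) {
    if (!/^[A-Za-z0-9_-]+$/.test(key_id)) throw new Error('bad root key id'); // no path traversal
    const key = Buffer.from(fs.readFileSync(path.join(base, 'root_keys', key_id), 'utf8').trim(), 'base64');
    if (key.length !== 32) throw new Error(`root key ${key_id} is not 32 bytes`);
    return key;
}

// Wrap a system key under a root key with AES-256-GCM: iv(12) | tag(16) | ciphertext.
function wrap(root_key, plain) {
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', root_key, iv);
    const ct = Buffer.concat([cipher.update(plain), cipher.final()]);
    return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}
function unwrap(root_key, blob) {
    const decipher = crypto.createDecipheriv('aes-256-gcm', root_key, blob.subarray(0, 12));
    decipher.setAuthTag(blob.subarray(12, 28));
    return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]); // throws on wrong key
}

// One pass of the periodic check: re-wrap only when the active root key id changed.
function rotate_if_changed(base, record) {
    const active_id = fs.readFileSync(path.join(base, 'active_root_key'), 'utf8').trim();
    if (active_id === record.root_key_id) return { rotated: false, record };
    const plain = unwrap(load_root_key(base, record.root_key_id), record.wrapped);
    const wrapped = wrap(load_root_key(base, active_id), plain); // throws before the record is replaced
    return { rotated: true, record: { root_key_id: active_id, wrapped } };
}

// Constructed demo: a temp directory stands in for /etc/noobaa-server.
function demo() {
    const base = fs.mkdtempSync(path.join(os.tmpdir(), 'root-keys-'));
    fs.mkdirSync(path.join(base, 'root_keys'));
    for (const id of ['rk1', 'rk2']) fs.writeFileSync(path.join(base, 'root_keys', id), crypto.randomBytes(32).toString('base64'));
    fs.writeFileSync(path.join(base, 'active_root_key'), 'rk1\n');
    const system_key = crypto.randomBytes(32);
    const start = { root_key_id: 'rk1', wrapped: wrap(load_root_key(base, 'rk1'), system_key) };
    const first = rotate_if_changed(base, start); // active id unchanged: no rotation
    fs.writeFileSync(path.join(base, 'active_root_key'), 'rk2\n');
    const second = rotate_if_changed(base, first.record); // active id changed: re-wrapped under rk2
    const intact = unwrap(load_root_key(base, 'rk2'), second.record.wrapped).equals(system_key);
    return { first: first.rotated, second: second.rotated, id: second.record.root_key_id, intact, base, record: second.record };
}
```

The old root key file has to remain in the directory until every record wrapped under it has been re-wrapped, since the rotation pass needs it to unwrap.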
}

is_root_key(root_key_id) {
return root_key_id && root_key_id.toString() === ROOT_KEY.toString();
}

get_current_root_key_id() {
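Review bot: in `is_root_key`, the expression `root_key_id && ...` returns the falsy `root_key_id` itself (undefined, null or an empty string) rather than `false` when no id is passed, so the method's return type is not consistently boolean. Wrapping the expression in `Boolean(...)` would make callers that compare strictly or serialize the result behave predictably.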
Contributor

I feel we should remove the old format or at least merge it so it won't be even more confusing

Contributor

this is still relevant

@jackyalbo jackyalbo force-pushed the jacky-root-key-rotate branch 2 times, most recently from 74c3c08 to 766bf44 Compare March 2, 2023 15:37
@jackyalbo (Contributor Author)

As discussed with @romayalon and @dannyzaken, I'm resolving all the design issues, moving the key_rotator to bg_worker, and waiting for a re-review.

}

is_root_key(root_key_id) {
return root_key_id && root_key_id.toString() === ROOT_KEY.toString();
}

get_current_root_key_id() {
Contributor

this is still relevant

@jackyalbo jackyalbo force-pushed the jacky-root-key-rotate branch 3 times, most recently from 69d3da6 to ea3ecda Compare March 23, 2023 15:08
Signed-off-by: jackyalbo <jacky.albo@gmail.com>
Moving mongo to a docker in the same way we do for Postgres

Signed-off-by: jackyalbo <jacky.albo@gmail.com>
@baum (Contributor) left a comment

lgtm

@jackyalbo jackyalbo merged commit 57b0dde into noobaa:master Apr 19, 2023
5 checks passed
Successfully merging this pull request may close these issues.

Automatically comment out mongo-db code in Tests.Dockerfile when using Mac with M1
4 participants