In case of a compromised UpstreamCA or self-signed SPIRE cluster, it is important to be able to quickly rotate the trust bundles and SVIDs of all downstream consumers, plus propagate the trust bundle change to any federated trust domains.
If the SPIRE server receives a new upstream root in the ca manager "prepare" step, it will push a new bundle update to all consumers; however, we still need to revoke the old (compromised) upstream root. But because many workloads still rely on the old upstream root, it may be prudent to speed up workload SVID renewal, to start making use of the new root as quickly as possible, so that the old one can be removed more expediently.
In the case of using the UpstreamCA plugin, this renewal may need to be synchronized across clusters.
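The dependency the issue describes, between pushing the new root, renewing workload SVIDs and only then dropping the old root, can be shown with plain X.509 verification. The following Go program is an added example, not SPIRE code and not the ca manager or UpstreamCA plugin: it builds two constructed in-memory roots standing in for the compromised and replacement upstream roots, issues a workload leaf with a constructed SPIFFE ID (`spiffe://example.org/workload`) under each, and checks which leaves a consumer's trust bundle accepts at each of the three stages. The helper names (`newRoot`, `issueSVID`, `bundleAccepts`, `SimulateRotation`) are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// root is a constructed in-memory CA standing in for an upstream root (hypothetical helper).
type root struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sign issues a certificate from tmpl with a fresh key; self-signed when parent is nil.
func sign(tmpl *x509.Certificate, parent *root) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func newRoot(name string) *root {
	cert, key := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
	return &root{cert: cert, key: key}
}

// issueSVID signs a short-lived leaf with a SPIFFE ID in its URI SAN (the shape of an X.509-SVID).
func (r *root) issueSVID(spiffeID string) *x509.Certificate {
	id, err := url.Parse(spiffeID)
	check(err)
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		URIs:         []*url.URL{id},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, r)
	return cert
}

// bundleAccepts reports whether a trust bundle (the roots a consumer currently holds) validates svid.
func bundleAccepts(bundle []*x509.Certificate, svid *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range bundle {
		pool.AddCert(c)
	}
	_, err := svid.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// SimulateRotation walks the three stages the issue describes and reports whether the workload's
// SVID validates at each: new root pushed alongside the old, old root removed before renewal,
// and old root removed after a forced renewal under the new root.
func SimulateRotation() (oldWithBoth, oldAfterRemoval, renewedAfterRemoval bool) {
	compromised := newRoot("compromised-upstream")
	replacement := newRoot("replacement-upstream")
	const workload = "spiffe://example.org/workload" // constructed SPIFFE ID
	oldSVID := compromised.issueSVID(workload)
	// Stage 1: the new upstream root is pushed to consumers; the old one is not yet revoked.
	both := []*x509.Certificate{compromised.cert, replacement.cert}
	oldWithBoth = bundleAccepts(both, oldSVID)
	// Stage 2: the compromised root is dropped while workloads still hold SVIDs chained to it.
	onlyNew := []*x509.Certificate{replacement.cert}
	oldAfterRemoval = bundleAccepts(onlyNew, oldSVID)
	// Stage 3: forced renewal re-issues the workload's SVID under the new root.
	renewedAfterRemoval = bundleAccepts(onlyNew, replacement.issueSVID(workload))
	return
}

func main() {
	a, b, c := SimulateRotation()
	fmt.Println("old SVID, both roots:", a, "| old SVID, old root removed:", b, "| renewed SVID, old root removed:", c)
}
```

The middle result is the outage case: removing the compromised root from the bundle before workloads have renewed leaves every SVID still chained to it unverifiable, which is why accelerated SVID renewal (and, with an UpstreamCA shared across clusters, renewal synchronized between them) has to precede the removal.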