New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Increase resilience to very low/high TTLs #1115
Conversation
- Lowered TTL check related timers to 5 seconds. - Capped preparation/activation lifetimes to 30 days and 7 days, respectively Signed-off-by: Andrew Harding <azdagron@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this @azdagron!
Looks good. I have a small comment.
pkg/agent/manager/config.go
Outdated
@@ -48,7 +48,7 @@ func New(c *Config) (*manager, error) { | |||
} | |||
|
|||
if c.RotationInterval == 0 { | |||
c.RotationInterval = 60 * time.Second | |||
c.RotationInterval = 5 * time.Second |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe we can export svid.defaultInterval and use it here?
pkg/agent/svid/rotator_config.go
Outdated
@@ -17,7 +17,7 @@ import ( | |||
"github.com/sirupsen/logrus" | |||
) | |||
|
|||
const defaultInterval = 60 * time.Second | |||
const defaultInterval = 5 * time.Second |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we may export this const to be used in the manager package?
…ence Signed-off-by: Andrew Harding <azdagron@gmail.com>
Signed-off-by: Andrew Harding <azdagron@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚀
When TTLs are very low (i.e. lower than ~2x the internal timers that check for expiration) then the agent or server can miss its chance for renewal. The current timers are set to 30 seconds, which makes it hard to use low TTLs for testing/demo purposes. This PR drops the timers down to 5 seconds.
When CA TTLs are very high, SPIRE server prepares and activates much to early. For example, if the CA TTL is one year, a new one will be prepared at six months and activated with two months remaining. This change caps the preparation/activation time to 30 and 7 days from expiration, respectively.