nomad/.changelog/19350.txt at main - nomad - Gitea: Git with a cup of tea

kemko/nomad

mirror of https://github.com/kemko/nomad.git synced 2026-01-01 16:05:42 +03:00

Files

Tim Gross f1be76b8b8 keyring: replicate RSA private key via GetKey RPC (#19350 )

When we added a RSA key for signing Workload Identities, we added it to the
keystore serialization but did not also add it to the `GetKey` RPC. This means
that when a key is rotated, the RSA key will not come along. The Nomad leader
signs all Workload Identities, but external consumers of WI (like Consul or
Vault) will verify the WI against any of the servers. If the request to verify
hits a follower, the follower will not have the RSA private key and cannot use
the existing ed25519 key to verify WIs with the `RS256` algorithm.

Add the RSA key material to the `GetKey` RPC.

Also remove an extraneous write to disk that happens for each key each time we
restart the Nomad server.

Fixes: #19340

2023-12-07 14:15:08 -05:00

4 lines

93 B

Plaintext

Raw Permalink Blame History

	```release-note:bug
	`keyring: Fixed a bug where RSA keys were not replicated to followers`
	```