kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-01 16:05:42 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
192d70cee7f2fbc50f6062178f2dbd4765e9d817
nomad/command/operator_root_keyring.go
Tim Gross 2f4353412d keyring: support prepublishing keys (#23577) 
When a root key is rotated, the servers immediately start signing Workload
Identities with the new active key. But workloads may be using those WI tokens
to sign into external services, which may not have had time to fetch the new
public key and which might try to fetch new keys as needed.

Add support for prepublishing keys. Prepublished keys will be visible in the
JWKS endpoint but will not be used for signing or encryption until their
`PublishTime`. Update the periodic key rotation to prepublish keys at half the
`root_key_rotation_threshold` window, and promote prepublished keys to active
after the `PublishTime`.

This changeset also fixes two bugs in periodic root key rotation and garbage
collection, both of which can't be safely fixed without implementing
prepublishing:

* Periodic root key rotation would never happen because the default
  `root_key_rotation_threshold` of 720h exceeds the 72h maximum window of the FSM
  time table. We now compare the `CreateTime` against the wall clock time instead
  of the time table. (We expect to remove the time table in future work, ref
  https://github.com/hashicorp/nomad/issues/16359)
* Root key garbage collection could GC keys that were used to sign
  identities. We now wait until `root_key_rotation_threshold` +
  `root_key_gc_threshold` before GC'ing a key.
* When rekeying a root key, the core job did not mark the key as inactive after
  the rekey was complete.

Ref: https://hashicorp.atlassian.net/browse/NET-10398
Ref: https://hashicorp.atlassian.net/browse/NET-10280
Fixes: https://github.com/hashicorp/nomad/issues/19669
Fixes: https://github.com/hashicorp/nomad/issues/23528
Fixes: https://github.com/hashicorp/nomad/issues/19368
2024-07-19 13:29:41 -04:00

91 lines
2.2 KiB
Go
Raw Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package command
import (
"fmt"
"strings"
"github.com/mitchellh/cli"
"github.com/posener/complete"
"github.com/hashicorp/nomad/api"
)
// OperatorRootKeyringCommand is a Command implementation
// that handles querying, rotating, and removing root
// encryption keys from a keyring.
type OperatorRootKeyringCommand struct {
Meta
}
func (c *OperatorRootKeyringCommand) Help() string {
helpText := `
Usage: nomad operator root keyring [options]
Manages encryption keys used for storing variables and signing workload
identities. This command may be used to examine active encryption keys
in the cluster, rotate keys, add new keys from backups, or remove unused keys.
If ACLs are enabled, all subcommands requires a management token.
Rotate the encryption key:
$ nomad operator root keyring rotate
List all encryption key metadata:
$ nomad operator root keyring list
Remove an encryption key from the keyring:
$ nomad operator root keyring remove <key ID>
Please see individual subcommand help for detailed usage information.
`
return strings.TrimSpace(helpText)
}
func (c *OperatorRootKeyringCommand) Synopsis() string {
return "Manages root encryption keys"
}
func (c *OperatorRootKeyringCommand) AutocompleteFlags() complete.Flags {
return c.Meta.AutocompleteFlags(FlagSetClient)
}
func (c *OperatorRootKeyringCommand) AutocompleteArgs() complete.Predictor {
return complete.PredictNothing
}
func (c *OperatorRootKeyringCommand) Name() string {
return "root keyring"
}
func (c *OperatorRootKeyringCommand) Run(args []string) int {
return cli.RunResultHelp
}
// renderVariablesKeysResponse is a helper for formatting the
// keyring API responses
func renderVariablesKeysResponse(keys []*api.RootKeyMeta, verbose bool) string {
length := fullId
if !verbose {
length = 8
}
out := make([]string, len(keys)+1)
out[0] = "Key|State|Create Time|Publish Time"
i := 1
for _, k := range keys {
publishTime := ""
if k.PublishTime > 0 {
publishTime = formatUnixNanoTime(k.PublishTime)
}
out[i] = fmt.Sprintf("%s|%v|%s|%s",
k.KeyID[:length], k.State, formatUnixNanoTime(k.CreateTime), publishTime)
i = i + 1
}
return formatList(out)
}
Reference in New Issue View Git Blame Copy Permalink