kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-06 02:15:43 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
2bfe81772119f431fc75271d20aa7ca4fa3c1921
nomad/website/content/docs/commands/operator/root/keyring-rotate.mdx
Tim Gross 2f4353412d keyring: support prepublishing keys (#23577) 
When a root key is rotated, the servers immediately start signing Workload
Identities with the new active key. But workloads may be using those WI tokens
to sign into external services, which may not have had time to fetch the new
public key and which might try to fetch new keys as needed.

Add support for prepublishing keys. Prepublished keys will be visible in the
JWKS endpoint but will not be used for signing or encryption until their
`PublishTime`. Update the periodic key rotation to prepublish keys at half the
`root_key_rotation_threshold` window, and promote prepublished keys to active
after the `PublishTime`.

This changeset also fixes two bugs in periodic root key rotation and garbage
collection, both of which can't be safely fixed without implementing
prepublishing:

* Periodic root key rotation would never happen because the default
  `root_key_rotation_threshold` of 720h exceeds the 72h maximum window of the FSM
  time table. We now compare the `CreateTime` against the wall clock time instead
  of the time table. (We expect to remove the time table in future work, ref
  https://github.com/hashicorp/nomad/issues/16359)
* Root key garbage collection could GC keys that were used to sign
  identities. We now wait until `root_key_rotation_threshold` +
  `root_key_gc_threshold` before GC'ing a key.
* When rekeying a root key, the core job did not mark the key as inactive after
  the rekey was complete.

Ref: https://hashicorp.atlassian.net/browse/NET-10398
Ref: https://hashicorp.atlassian.net/browse/NET-10280
Fixes: https://github.com/hashicorp/nomad/issues/19669
Fixes: https://github.com/hashicorp/nomad/issues/23528
Fixes: https://github.com/hashicorp/nomad/issues/19368
2024-07-19 13:29:41 -04:00

59 lines
1.8 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: 'Commands: operator root keyring rotate'
description: |
Rotate encryption key
---
# Command: operator root keyring rotate
The `operator root keyring rotate` command generates a new encryption key for
all future variables.
If ACLs are enabled, this command requires a management token.
## Usage
```plaintext
nomad operator root keyring rotate [options]
```
## General Options
@include 'general_options.mdx'
## Rotate Options
- `-full`: Decrypt all existing variables and re-encrypt with the new key. This
command will immediately return and the re-encryption process will run
asynchronously on the leader.
- `-now`: Publish the new key immediately without prepublishing. One of `-now`
or `-prepublish` must be set.
- `-prepublish`: Set a duration for which to prepublish the new key
(ex. "1h"). The currently active key will be unchanged but the new public key
will be available in the JWKS endpoint. Multiple keys can be prepublished and
they will be promoted to active in order of publish time, at most once every
[`root_key_gc_interval`][]. One of `-now` or `-prepublish` must be set.
- `-verbose`: Enable verbose output
## Examples
```shell-session
$ nomad operator root keyring rotate -now
Key State Create Time Publish Time
f19f6029 active 2022-07-11T19:14:36Z <none>
$ nomad operator root keyring rotate -now -verbose
Key State Create Time Publish Time
53186ac1-9002-c4b6-216d-bb19fd37a791 active 2022-07-11T19:14:47Z <none>
$ nomad operator root keyring rotate -prepublish 1h
Key State Create Time Publish Time
7f15e4e9 active 2022-07-11T19:15:10Z 2022-07-11T20:15:10Z
```
[`root_key_gc_interval`]: /nomad/docs/configuration/server#root_key_gc_interval
Reference in New Issue View Git Blame Copy Permalink