mirror of
https://github.com/kemko/nomad.git
synced 2026-01-01 16:05:42 +03:00
2f4353412d
When a root key is rotated, the servers immediately start signing Workload Identities with the new active key. But workloads may be using those WI tokens to sign into external services, which may not have had time to fetch the new public key and which might try to fetch new keys as needed. Add support for prepublishing keys. Prepublished keys will be visible in the JWKS endpoint but will not be used for signing or encryption until their `PublishTime`. Update the periodic key rotation to prepublish keys at half the `root_key_rotation_threshold` window, and promote prepublished keys to active after the `PublishTime`. This changeset also fixes two bugs in periodic root key rotation and garbage collection, both of which can't be safely fixed without implementing prepublishing: * Periodic root key rotation would never happen because the default `root_key_rotation_threshold` of 720h exceeds the 72h maximum window of the FSM time table. We now compare the `CreateTime` against the wall clock time instead of the time table. (We expect to remove the time table in future work, ref https://github.com/hashicorp/nomad/issues/16359) * Root key garbage collection could GC keys that were used to sign identities. We now wait until `root_key_rotation_threshold` + `root_key_gc_threshold` before GC'ing a key. * When rekeying a root key, the core job did not mark the key as inactive after the rekey was complete. Ref: https://hashicorp.atlassian.net/browse/NET-10398 Ref: https://hashicorp.atlassian.net/browse/NET-10280 Fixes: https://github.com/hashicorp/nomad/issues/19669 Fixes: https://github.com/hashicorp/nomad/issues/23528 Fixes: https://github.com/hashicorp/nomad/issues/19368
137 lines
3.7 KiB
Go
137 lines
3.7 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package command
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/hashicorp/nomad/api"
|
|
"github.com/posener/complete"
|
|
)
|
|
|
|
// OperatorRootKeyringRotateCommand is a Command
|
|
// implementation that rotates the variables encryption key.
|
|
type OperatorRootKeyringRotateCommand struct {
|
|
Meta
|
|
}
|
|
|
|
func (c *OperatorRootKeyringRotateCommand) Help() string {
|
|
helpText := `
|
|
Usage: nomad operator root keyring rotate [options]
|
|
|
|
Generate a new encryption key for all future variables.
|
|
|
|
If ACLs are enabled, this command requires a management token.
|
|
|
|
General Options:
|
|
|
|
` + generalOptionsUsage(usageOptsDefault|usageOptsNoNamespace) + `
|
|
|
|
Keyring Options:
|
|
|
|
-full
|
|
Decrypt all existing variables and re-encrypt with the new key. This command
|
|
will immediately return and the re-encryption process will run
|
|
asynchronously on the leader.
|
|
|
|
-now
|
|
Publish the new key immediately without prepublishing. One of -now or
|
|
-prepublish must be set.
|
|
|
|
-prepublish
|
|
Set a duration for which to prepublish the new key (ex. "1h"). The currently
|
|
active key will be unchanged but the new public key will be available in the
|
|
JWKS endpoint. Multiple keys can be prepublished and they will be promoted to
|
|
active in order of publish time, at most once every root_key_gc_interval. One
|
|
of -now or -prepublish must be set.
|
|
|
|
-verbose
|
|
Show full information.
|
|
`
|
|
|
|
return strings.TrimSpace(helpText)
|
|
}
|
|
|
|
func (c *OperatorRootKeyringRotateCommand) Synopsis() string {
|
|
return "Rotates the root encryption key"
|
|
}
|
|
|
|
func (c *OperatorRootKeyringRotateCommand) AutocompleteFlags() complete.Flags {
|
|
return mergeAutocompleteFlags(c.Meta.AutocompleteFlags(FlagSetClient),
|
|
complete.Flags{
|
|
"-full": complete.PredictNothing,
|
|
"-now": complete.PredictNothing,
|
|
"-prepublish": complete.PredictNothing,
|
|
"-verbose": complete.PredictNothing,
|
|
})
|
|
}
|
|
|
|
func (c *OperatorRootKeyringRotateCommand) AutocompleteArgs() complete.Predictor {
|
|
return complete.PredictNothing
|
|
}
|
|
|
|
func (c *OperatorRootKeyringRotateCommand) Name() string {
|
|
return "root keyring rotate"
|
|
}
|
|
|
|
func (c *OperatorRootKeyringRotateCommand) Run(args []string) int {
|
|
var rotateFull, rotateNow, verbose bool
|
|
var prepublishDuration time.Duration
|
|
|
|
flags := c.Meta.FlagSet("root keyring rotate", FlagSetClient)
|
|
flags.Usage = func() { c.Ui.Output(c.Help()) }
|
|
flags.BoolVar(&rotateFull, "full", false, "full key rotation")
|
|
flags.BoolVar(&rotateNow, "now", false, "immediately rotate without prepublish")
|
|
flags.BoolVar(&verbose, "verbose", false, "")
|
|
flags.DurationVar(&prepublishDuration, "prepublish", 0, "prepublish key")
|
|
|
|
if err := flags.Parse(args); err != nil {
|
|
return 1
|
|
}
|
|
|
|
args = flags.Args()
|
|
if len(args) != 0 {
|
|
c.Ui.Error("This command requires no arguments.")
|
|
c.Ui.Error(commandErrorText(c))
|
|
return 1
|
|
}
|
|
|
|
client, err := c.Meta.Client()
|
|
if err != nil {
|
|
c.Ui.Error(fmt.Sprintf("Error creating nomad cli client: %s", err))
|
|
return 1
|
|
}
|
|
|
|
if !rotateNow && prepublishDuration == 0 || rotateNow && prepublishDuration != 0 {
|
|
c.Ui.Error(`
|
|
One of "-now" or "-prepublish" must be used.
|
|
|
|
If a key has been leaked use "-now" to force immediate rotation.
|
|
|
|
Otherwise please use "-prepublish <duration>" to ensure the new key is not used
|
|
to sign workload identities before JWKS endpoints are updated.
|
|
`)
|
|
return 1
|
|
}
|
|
|
|
publishTime := int64(0)
|
|
if prepublishDuration > 0 {
|
|
publishTime = time.Now().UnixNano() + prepublishDuration.Nanoseconds()
|
|
}
|
|
|
|
resp, _, err := client.Keyring().Rotate(
|
|
&api.KeyringRotateOptions{
|
|
Full: rotateFull,
|
|
PublishTime: publishTime,
|
|
}, nil)
|
|
if err != nil {
|
|
c.Ui.Error(fmt.Sprintf("error: %s", err))
|
|
return 1
|
|
}
|
|
c.Ui.Output(renderVariablesKeysResponse([]*api.RootKeyMeta{resp}, verbose))
|
|
return 0
|
|
}
|