Revise RPC credentials handling #1623

a-palchikov · 2020-05-28T09:54:50Z

Current Result

There are two types of RPC credentials:

installs/expands/leaves - stored in the system repository with a fixed age of 10yrs/20yrs (CA)
upgrades - stored in the cluster-specific package repository with a fixed age of 1yrs/5yrs (CA) but with rotation with each operation

Expected Result

Unify both types of credentials - i.e. use either one consistently
Extend the cluster controller with the ability to verify and automatically rotate RPC credentials

Design doc: https://docs.google.com/document/d/1KVWEnLVXoExWHrq_Hm4gAJcU1ECiuQrj7k0F6rIzRJ0/edit#

upgrade operation. Revise "system rotate-rpc-creds" to be able to use it on any affected cluster and not necessarily based on 5.5.47-dev.x. Updates #1623

* Rotate RPC credentials used for install/expand/leave operations on each upgrade operation. Revise "system rotate-rpc-creds" to be able to use it on any affected cluster and not necessarily based on 5.5.47-dev.x. Updates #1623 * Address review comments * Address review comments * Create the RPC credentials backup package in cluster repository and assign it the operation label so it gets automatically removed. Also, upsert the package to be able to overwrite the contents and labels. Co-authored-by: Roman Tkachenko <[email protected]>

r0mant · 2020-06-03T21:14:44Z

@a-palchikov Looks like with these changes (#1629) the rollback of /init phase screws up rpc creds package completely:

ubuntu@node-1:~/upgrade$ sudo ./gravity plan execute --phase=/init
Wed Jun  3 21:10:13 UTC	Executing "/init/node-1" locally
Wed Jun  3 21:10:15 UTC	Executing phase "/init" finished in 2 seconds
ubuntu@node-1:~/upgrade$
ubuntu@node-1:~/upgrade$
ubuntu@node-1:~/upgrade$ sudo ./gravity plan rollback --phase=/init
Wed Jun  3 21:10:19 UTC	Rolling back "/init/node-1" locally
Wed Jun  3 21:10:20 UTC	Rolling back phase "/init" finished in 1 second
ubuntu@node-1:~/upgrade$
ubuntu@node-1:~/upgrade$
ubuntu@node-1:~/upgrade$ sudo ./gravity plan execute --phase=/init
Wed Jun  3 21:10:25 UTC	Executing "/init/node-1" locally
Wed Jun  3 21:10:25 UTC	Executing phase "/init" finished in now
[ERROR]: failed to update RPC credentials
	failed to read package gravitational.io/rpcagent-secrets:0.0.1
		object not found

r0mant · 2020-06-18T23:29:44Z

Done in 5.5, forward-ports are tracked in #1740.

a-palchikov added kind/enhancement New feature or request priority/0 High priority labels May 28, 2020

a-palchikov assigned gravitational-jenkins May 28, 2020

a-palchikov changed the title ~~Reconciler loop for RPC credentials~~ Revise RPC credentials handling May 28, 2020

r0mant added this to the Gravity Reliability Engineering Improvements milestone May 28, 2020

a-palchikov mentioned this issue May 29, 2020

[5.5.x] rotate RPC credentials on cluster upgrade #1629

Merged

4 tasks

a-palchikov mentioned this issue Jun 4, 2020

[5.5.x] do not delete the RPC backup package when updating credentials package #1658

Merged

4 tasks

r0mant mentioned this issue Jun 18, 2020

Tracking back/forward ports #1740

Closed

14 tasks

r0mant closed this as completed Jun 18, 2020

wadells unassigned gravitational-jenkins Apr 16, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Revise RPC credentials handling #1623

Revise RPC credentials handling #1623

a-palchikov commented May 28, 2020 •

edited

Loading

r0mant commented Jun 3, 2020

r0mant commented Jun 18, 2020

Revise RPC credentials handling #1623

Revise RPC credentials handling #1623

Comments

a-palchikov commented May 28, 2020 • edited Loading

Current Result

Expected Result

r0mant commented Jun 3, 2020

r0mant commented Jun 18, 2020

a-palchikov commented May 28, 2020 •

edited

Loading