
ca: reduce the number of places we store root CA certs #11346

Open
dnephin opened this issue Oct 18, 2021 · 0 comments
Labels
theme/certificates: Related to creating, distributing, and rotating certificates in Consul
theme/connect: Anything related to Consul Connect, Service Mesh, Side Car Proxies
theme/internal-cleanup: Used to identify tech debt, testing improvements, code refactoring, and non-impactful optimization

Comments


dnephin commented Oct 18, 2021

The CAManager stores the root and intermediate certs in a number of places:

  1. provider.ActiveRoot and provider.ActiveIntermediate - currently in both primary and secondary, however addressing ca: Support separate Vault providers per DC #11159 would make ActiveRoot only apply in a primary and remove one extra copy in the secondary
  2. CAManager.providerRoot - stores a copy that seems to be saved at the same time (but in slightly different ways) as the state store copy
  3. state.Store - stores a copy that is persisted through raft and made available to other servers (not just the leader)
  4. CAManager.primaryRoots - (only in the secondary) stores another copy of the primary roots, which are already available in all the previous 3 places.

Storing the root in so many places can very easily lead to bugs, especially when the lifecycle or contents of these structs are subtly different. If we can reduce the number of places we store this data, it becomes much easier to reason about the behaviour of the system.

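The failure mode the issue describes (the same root cached in several structs whose update paths differ, so a rotation lands in some copies but not others) can be made concrete with a drift check. The Go program below is an added example and is not code from Consul or from the issue author: the copy names echo the four places listed above, but the map structure, the `checkRootConsistency` function and the throwaway self-signed roots are all hypothetical, constructed here so the example runs offline. It treats the raft-persisted state store as the source of record, fingerprints each copy by the SHA-256 of its DER certificate (so PEM formatting differences do not count as drift), and reports which copies still hold the old root after a simulated rotation that only reached the provider and the state store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// rootCopies models the separate places a CA manager might hold the active root
// as PEM. Key names echo the issue's list; the structure is hypothetical, not Consul's.
type rootCopies map[string]string

// newRootPEM builds a throwaway self-signed CA certificate (constructed test data).
func newRootPEM(cn string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// fingerprint returns the hex SHA-256 of the DER certificate inside a PEM string,
// so copies are compared by content rather than by text formatting.
func fingerprint(pemStr string) (string, error) {
	block, _ := pem.Decode([]byte(pemStr))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block in input")
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return "", err
	}
	sum := sha256.Sum256(block.Bytes)
	return hex.EncodeToString(sum[:]), nil
}

// checkRootConsistency takes the copy named truth as the source of record and
// returns the sorted names of every other copy whose certificate differs from it.
func checkRootConsistency(copies rootCopies, truth string) ([]string, error) {
	want, err := fingerprint(copies[truth])
	if err != nil {
		return nil, fmt.Errorf("%s: %w", truth, err)
	}
	var drifted []string
	for name, pemStr := range copies {
		if name == truth {
			continue
		}
		got, err := fingerprint(pemStr)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		if got != want {
			drifted = append(drifted, name)
		}
	}
	sort.Strings(drifted)
	return drifted, nil
}

// simulateRotationDrift rotates the root in the persisted store and the provider
// but leaves the two in-memory caches on the old root, the lifecycle mismatch
// the issue warns about, then reports which copies are stale.
func simulateRotationDrift() ([]string, error) {
	oldRoot, err1 := newRootPEM("root-v1")
	newRoot, err2 := newRootPEM("root-v2")
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("generating roots: %v %v", err1, err2)
	}
	copies := rootCopies{
		"state.Store":            newRoot,
		"provider.ActiveRoot":    newRoot,
		"CAManager.providerRoot": oldRoot,
		"CAManager.primaryRoots": oldRoot,
	}
	return checkRootConsistency(copies, "state.Store")
}

func main() {
	drifted, err := simulateRotationDrift()
	fmt.Println("copies holding a stale root:", drifted, "err:", err)
}
```

Comparing fingerprints of the DER bytes rather than the PEM text matters because the copies in the issue are saved "in slightly different ways"; a byte-for-byte string comparison would flag harmless encoding differences as drift, while a fingerprint only flags a genuinely different certificate. A check of this shape is a stopgap for detecting inconsistency; the fix the issue proposes is to have fewer copies so the check is unnecessary.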