Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

keyring: remove root key GC #15034

Merged
merged 1 commit into from
Oct 25, 2022
Merged

keyring: remove root key GC #15034

merged 1 commit into from
Oct 25, 2022

Conversation

tgross
Copy link
Member

@tgross tgross commented Oct 25, 2022
edited
Loading

While trying to repro #14981 I discovered that the approach we're using to GC keys by timeboxing them based on allocation CreateIndex simply won't work. Allocations would need to have a reference to the key ID that signed their WI. The current check we have is based on allocation index but it's bugged: we can only GC inactive keys newer than the newest allocation, which is useless.

We only rotate keys every 30d by default, so remove the key GC for now until we can come up with a better long-term fix for this problem.

@tgross tgross requested a review from angrycub October 25, 2022 16:07
@tgross tgross force-pushed the b-disable-root-key-gc branch from 96850fb to 04c53bc Compare October 25, 2022 16:10
@tgross tgross added the backport/1.4.x backport to 1.4.x release line label Oct 25, 2022
@tgross tgross marked this pull request as ready for review October 25, 2022 16:15
tgross
tgross commented Oct 25, 2022
View reviewed changes
website/content/docs/configuration/server.mdx
@@ -200,15 +200,11 @@ server {
rejoin the cluster.

- `root_key_gc_interval` `(string: "10m")` - Specifies the interval between
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: I'm intentionally leaving the name here because we'll want to use this interval for GC once we circle back to it, and I don't want to have to add a new interval for that too. Same applies to the name of the core job emitted by the leader.

@tgross tgross added this to the 1.4.2 milestone Oct 25, 2022
angrycub
angrycub approved these changes Oct 25, 2022
View reviewed changes
Copy link
Contributor

@angrycub angrycub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tgross tgross merged commit b583f78 into main Oct 25, 2022
@tgross tgross deleted the b-disable-root-key-gc branch October 25, 2022 21:06
@hc-github-team-nomad-core hc-github-team-nomad-core mentioned this pull request Oct 25, 2022
Merged
@tgross tgross mentioned this pull request Oct 31, 2022
Closed
tgross added a commit that referenced this pull request Oct 31, 2022
@tgross
Revert "keyring: remove root key GC (#15034)"
e880bce 
This reverts commit b583f78.
But keeps the changelog entry from #15034.
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@angrycub angrycub angrycub approved these changes

Assignees
No one assigned
Labels
backport/1.4.x backport to 1.4.x release line theme/keyring type/bug
Projects
None yet
Milestone
1.4.2
Development

Successfully merging this pull request may close these issues.
2 participants
@tgross @angrycub