In #15034 we removed root keyring GC so that we wouldn't leave orphaned Workload Identities that could no longer be verified. Currently Workload Identities are expired on the basis of allocation lifespan -- once an allocation is terminal, the WI is no longer valid.
But the plan is to allow third parties to validate Workload Identities by checking the server's public key. At this point, we'll need WIs to have expiration timers so that the third party can know whether a WI claim is still valid without having to hit the Nomad API (once the third party has the public key, of course). At that point, we'll need to have a mechanism to rotate already-signed WIs the same way we do for things like Vault bearer tokens. That should let us safely GC root keys because we'll definitively know they can't have signed a WI older than t minutes/hours/days (whatever we set the expiration to).
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
(cc @angrycub @mikenomitch as a heads up)
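
The reasoning in the issue above, as an added sketch that is not Nomad's code: a third party verifies a signed identity offline with only the public key and a clock, and a root key becomes safe to GC once the maximum WI lifetime has passed since it stopped signing. The `Claims` fields, the `payload.signature` token layout, the function names and the use of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is a hypothetical, simplified claim set, not Nomad's WI schema.
type Claims struct {
	AllocID string `json:"alloc_id"`
	Expiry  int64  `json:"exp"` // Unix seconds
}

var b64 = base64.RawURLEncoding

// Sign returns "<payload>.<signature>", a constructed stand-in for a signed WI.
func Sign(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	p := b64.EncodeToString(body)
	return p + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(p)))
}

// VerifyOffline checks signature, then expiry, using only a public key and a clock.
func VerifyOffline(pub ed25519.PublicKey, tok string, now time.Time) (c Claims, err error) {
	p, s, _ := strings.Cut(tok, ".")
	sig, _ := b64.DecodeString(s) // a bad or missing signature fails Verify below
	if !ed25519.Verify(pub, []byte(p), sig) {
		return c, errors.New("bad signature")
	}
	body, _ := b64.DecodeString(p) // payload is authenticated at this point
	if json.Unmarshal(body, &c) != nil || !now.Before(time.Unix(c.Expiry, 0)) {
		return Claims{}, errors.New("malformed or expired")
	}
	return c, nil
}

// SafeToGC: a key that stopped signing at rotatedAt has no valid WIs left after maxTTL.
func SafeToGC(rotatedAt time.Time, maxTTL time.Duration, now time.Time) bool {
	return !now.Before(rotatedAt.Add(maxTTL))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	c, err := VerifyOffline(pub, Sign(priv, Claims{"a1", time.Now().Unix() + 3600}), time.Now())
	println(c.AllocID, err == nil)
}
```

The two checks share one boundary: a token is rejected at exactly its `exp`, and the key is collectable at exactly `rotatedAt + maxTTL`, so no token the key signed can still verify after GC.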