-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
secrets/database: advanced TTL management for static roles #22484
Conversation
Build Results: |
CI Results: |
// TODO(JM): don't allow seconds in production, this is helpful for | ||
// development/testing though | ||
parser := cron.NewParser( | ||
cron.Second | cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.DowOptional, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cron.Second | cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.DowOptional, | |
cron.Second | cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow, |
* handle mutual exclusion of rotation fields * fix import
* adv ttl mgmt: add rotation_window field * do some rotation_window validation and add unit tests
#22341) * general cleanup and refactor rotation type checks * make NextRotationTime account for the rotation type * add comments
* add unit tests to handle mutual exclusion * revert rotation_test.go and add missing test case to path_roles_test.go
* support manual rotation for schedule based roles * update description and naming
* consider rotation window ensure rotations only occur within a rotation window for schedule-based rotations * use helper method to set priority in rotateCredential * fix bug with priority check * remove test for now * add and remove comments
* update read static-creds endpoint to include correct resp data * return rotation_window if set * update
25968ca
to
4fa0f54
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me! Nice job on this @fairclothjm and @MilenaHC! 🚀
} else if rotationScheduleChanged { | ||
next := role.StaticAccount.Schedule.Next(lvr) | ||
b.logger.Debug("init priority for Schedule", "lvr", lvr, "next", next) | ||
item.Priority = role.StaticAccount.Schedule.Next(lvr).Unix() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: any good reason to not use next.Unix()
?
_, rotationPeriodChanged := data.Raw["rotation_period"] | ||
_, rotationScheduleChanged := data.Raw["rotation_schedule"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Curious if there is a difference between these values from data.Raw
and rotationPeriodOk
/ rotationScheduleOk
from above?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope, good catch!
rotationSchedule := data.Get("rotation_schedule").(string) | ||
rotationScheduleOk := rotationSchedule != "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: I might be missing something but curious if there is a reason GetOk
didn't work for rotation_schedule
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this line was added a bit later when we realized we needed the boolean. Will update, thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Had a couple questions :)
@@ -127,6 +128,13 @@ func Backend(conf *logical.BackendConfig) *databaseBackend { | |||
b.connections = syncmap.NewSyncMap[string, *dbPluginInstance]() | |||
b.queueCtx, b.cancelQueueCtx = context.WithCancel(context.Background()) | |||
b.roleLocks = locksutil.CreateLocks() | |||
|
|||
// TODO(JM): don't allow seconds in production, this is helpful for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we going to remove supporting seconds altogether or are we going to add some safeguards so they can still be run in our CI tests but users can't add them in production? From the tests set up below, I can definitely see us keeping seconds around just for our testing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, also just saw Milena's PR to only allow seconds in testing, so this comment should be resolved when that PR is merged 😅
@austingebauer @vinay-gopalan Thanks for the reviews! I am going to address your comments in a follow up PR. |
This PR enables schedule-based auto-rotation of static roles for the Database Secrets engine. This rotation mechanism will be “embedded” in the Database Secrets engine and will not be reusable by other engines. In particular, this approach allows for exclusion windows (e.g. market hours) in which automatic rotations will not occur.
We add a new field
rotation_schedule
to the create static role endpoint. This field can be set with a cron-style string that will define the schedule on which rotations should occur:Additionally, we add a new
rotation_window
field on the create static role endpoint. It will be optional whenrotation_schedule
is set and disallowed whenrotation_period
is set. This field can be set with a time duration string with a minimum of 1 hour. Therotation_window
will define the window of time in which rotations are allowed to occur starting from a givenrotation_schedule
: