Should CP disconnect DP when token is expired or revoked?

[jakubdyszkiewicz]

Description

Right now we authenticate the DP on the first DiscoveryRequest. Assuming that NodeID between DiscoveryRequest is stable, we don't need to authenticate it again.

With this PR kumahq/kuma#3376 we introduced expiration and revocation.

I think we should disconnect DP when the token is revoked but what about the expired token?

[lahabana]

Revocation and expiration should be the same.
Right approach is closing the connection straight away.

We probably also should expose data to the dataplane-insight that shows signing key serial number and expiration date.

[github-actions]

This issue was inactive for 30 days it will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant please comment on it promptly or attend the next triage meeting.

[gregoryhunt]

I would like to bring this issue back to life. I think it is important for a healthy mesh.

[lahabana]

@jakubdyszkiewicz is this fixed now?

[github-actions]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[github-actions]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[jakubdyszkiewicz]

Partially fixed by kumahq/kuma#4685

We now auth with every single DiscoveryRequest, so CP will disconnect DPP with a revoked or expired token on the next DiscoveryRequest. That means that if there is no new config, DPP can still be connected for some time before it happens.

What we should consider is whether we want to immediately disconnect DPP whose token expired or the token we just revoked. Technically dropping the connection immediately does not change much from the DPP perspective. Even if we drop the connection sooner, Envoy will still have the config.

[jakubdyszkiewicz]

Triage: let's add to docs that you need to disconnect DP from CP https://kuma.io/docs/2.1.x/security/dp-auth/#token-revocation

[github-actions]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[github-actions]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[github-actions]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[github-actions]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[github-actions]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[github-actions]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it or attend the next triage meeting.