Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ROX-21679: add rotate secret backup feature to admin API #1540

Merged
merged 20 commits into from
Jan 12, 2024
Merged

ROX-21679: add rotate secret backup feature to admin API #1540

merged 20 commits into from
Jan 12, 2024

Conversation

johannes94
Copy link
Contributor

@johannes94 johannes94 commented Dec 19, 2023
edited
Loading

Description

When secrets are rotated on data plane cluster side (e.g. leaf certs of central) they are not automatically updated in the backup of fleet-manager. This PR adds an admin API endpoint to trigger that rotation. Once we implement better working rotation mechanisms we should also address automating the backup rotation.

Checklist (Definition of Done)

  • Unit and integration tests added
  • Added test description under Test manual
  • Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
  • CI and all relevant tests are passing
  • Add the ticket number to the PR title if available, i.e. ROX-12345: ...
  • Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
  • Add secret to app-interface Vault or Secrets Manager if necessary
  • RDS changes were e2e tested manually
  • Check AWS limits are reasonable for changes provisioning new resources

Test manual

  • Local fleet-manager & fleetshard-sync setup with infractl cluster
  • Create central with create-central.sh
  • Wait for full creation flow
  • Call the new API
rhoas login --auth-url=https://auth.redhat.com/auth/realms/EmployeeIDP 
export OCM_TOKEN=$(rhoas authtoken)
./scripts/fmcurl "rhacs/v1/admin/centrals/$central_id/rotate-secrets" -XPOST -d '{"reset_secret_backup": true}'

make db/psql
Verify that secrets are deleted, and backup get restored after some time when FS reconciles.

# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup OCM_OFFLINE_TOKEN=<ocm-offline-token> OCM_ENV=development
make verify lint binary test test/integration

vladbologa
vladbologa reviewed Dec 21, 2023
View reviewed changes
Copy link
Contributor

@vladbologa vladbologa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, I'd approve but please mention in the "Test manual" if it was E2E tested.

@johannes94 johannes94 force-pushed the jmalsam/rotate-secret-backup branch from 54ce7d2 to 813603a Compare January 10, 2024 14:37
@johannes94 johannes94 changed the title add rotate secret backup feature to admin API ROX-21679: add rotate secret backup feature to admin API Jan 11, 2024
@johannes94
Copy link
Contributor Author

/test e2e

kovayur
kovayur approved these changes Jan 12, 2024
View reviewed changes
Copy link
Contributor

@kovayur kovayur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@openshift-ci openshift-ci bot added the lgtm label Jan 12, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 12, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johannes94, kovayur

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@johannes94 johannes94 merged commit 8bd40f3 into main Jan 12, 2024
9 checks passed
@johannes94 johannes94 deleted the jmalsam/rotate-secret-backup branch January 12, 2024 09:40
johannes94 added a commit that referenced this pull request Jan 18, 2024
@johannes94
ROX-21679: add rotate secret backup feature to admin API (#1540)
d08a4f8 
* add rotate secret backup feature to admin API

* add e2e test for secret backup rotation

* should always reconcile if secretsstored is empty

* fix hash test
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vladbologa vladbologa vladbologa left review comments

@kovayur kovayur kovayur approved these changes

Assignees

@kovayur kovayur

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@johannes94 @kovayur @vladbologa @openshift-merge-robot