Add auth token rotation for the activeGate #805

Merged
merged 13 commits into from
Jun 3, 2022


luhi-DT
Collaborator

@luhi-DT luhi-DT commented Jun 1, 2022

Description

This change introduces activeGate auth token rotation support. It adds the functionality that auth tokens are created with an expiration time (60 days), and it also adds the ability to automatically rotate the tokens if they are older than 30 days.
Additionally, I introduced a mechanism to restart the activeGate if the content of the auth token secret (new auth token) changes, by adding the auth token content to the activeGate hash annotation.

How can this be tested?

  1. Create an API token with the correct permission activeGateTokenManagement.create
  2. Create a Dynakube that also creates an activeGate and add feature.dynatrace.com/enable-activegate-authtoken: "true" to it
  3. Check if the activeGate gets the correct secret mounted and check the logs of the activeGate to see if it uses the created auth token
  4. Delete the auth-token secret in the operator namespace and check if the activeGate is restarted when the new auth token is created
  5. Wait for 30 days (or modify it when testing and lower the rotation interval) and check if the auth token gets automatically deleted and recreated again. Additionally, the activeGate pod should be restarted and get the new auth token mounted

Checklist

  • Unit tests have been updated/added
  • PR is labeled accordingly
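
A sketch of the two mechanisms the description names, as an added example and not the operator's own code: the age check (60-day expiration, rotation after 30 days) and a template hash that changes when the token content changes, which is what triggers the restart. All function and constant names, the zero-time convention for a missing secret, and the choice of SHA-256 are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Durations from the PR description; the identifiers are hypothetical.
const (
	tokenLifetime    = 60 * 24 * time.Hour // expiration set when the token is created
	rotationInterval = 30 * 24 * time.Hour // rotate once the token is older than this
)

// needsRotation reports whether the token created at `created` must be replaced.
// A zero time stands for "secret missing" (assumption), which also forces creation.
func needsRotation(created, now time.Time) bool {
	return created.IsZero() || now.Sub(created) > rotationInterval
}

// remainingValidity is how long the old token would still be accepted at `now`.
// Rotating at 30 of 60 days leaves slack if a rotation attempt fails and is retried.
func remainingValidity(created, now time.Time) time.Duration {
	return created.Add(tokenLifetime).Sub(now)
}

// templateHash folds the token into the value stored as the hash annotation.
// Only the digest is exposed in pod metadata, never the token itself.
func templateHash(podSpec string, authToken []byte) string {
	h := sha256.New()
	h.Write([]byte(podSpec))
	h.Write([]byte{0}) // separator so spec and token bytes cannot run together
	h.Write(authToken)
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	created := time.Date(2022, 6, 1, 0, 0, 0, 0, time.UTC) // constructed sample date
	now := created.Add(31 * 24 * time.Hour)
	fmt.Println("rotate:", needsRotation(created, now))
	fmt.Println("old token valid for:", remainingValidity(created, now))
	// Constructed sample values: same spec, different token => different annotation.
	before := templateHash("activegate-spec", []byte("old-token"))
	after := templateHash("activegate-spec", []byte("new-token"))
	fmt.Println("restart needed:", before != after)
}
```
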

@luhi-DT luhi-DT added the core Changes to core functionality of the Operator label Jun 1, 2022
@luhi-DT luhi-DT marked this pull request as ready for review June 1, 2022 11:07
@luhi-DT luhi-DT requested a review from a team as a code owner June 1, 2022 11:07
0sewa0
0sewa0 previously approved these changes Jun 1, 2022
mjgrzybek
mjgrzybek previously approved these changes Jun 2, 2022
@meik99 meik99 dismissed stale reviews from mjgrzybek and 0sewa0 via 4c07917 June 2, 2022 14:06
@meik99 meik99 dismissed their stale review June 2, 2022 14:08

issues were addressed

0sewa0
0sewa0 previously approved these changes Jun 2, 2022
@chrismuellner chrismuellner enabled auto-merge (squash) June 3, 2022 07:27
# Conflicts:
#	src/controllers/certificates/certificate_secret.go
#	src/kubeobjects/secret.go
@meik99 meik99 enabled auto-merge (squash) June 3, 2022 08:19
@meik99 meik99 merged commit 00374d9 into master Jun 3, 2022
@meik99 meik99 deleted the feature/support-ag-auth-token-rotation branch June 3, 2022 08:29