code review: drop deprecated state

nomad/core_sched.go

@@ -935,14 +935,9 @@ func (c *CoreScheduler) rootKeyGC(eval *structs.Evaluation) error {
 			continue // don't GC recent keys
 		}
 
-		// don't GC a key that's deprecated, that's encrypted a variable or
-		// signed a live workload identity
-		inUse := false
-		if !keyMeta.Deprecated() {
-			inUse, err = c.snap.IsRootKeyMetaInUse(keyMeta.KeyID)
-			if err != nil {
-				return err
-			}
+		inUse, err := c.snap.IsRootKeyMetaInUse(keyMeta.KeyID)
+		if err != nil {
+			return err
 		}
 		if inUse {
 			continue
@@ -1030,40 +1025,6 @@ func (c *CoreScheduler) variablesRekey(eval *structs.Evaluation) error {
 			return err
 		}
 
-		// we've rotated this key's variables, but we need to ensure it hasn't
-		// been used to sign any live workload identities before it's safe to
-		// mark as deprecated
-		inUse, err := c.snap.IsRootKeyMetaInUse(keyMeta.KeyID)
-		if err != nil {
-			return err
-		}
-
-		keyMeta = keyMeta.Copy()
-		if inUse {
-			keyMeta.SetInactive()
-		} else {
-			keyMeta.SetDeprecated()
-		}
-
-		key, err := c.srv.encrypter.GetKey(keyMeta.KeyID)
-		if err != nil {
-			return err
-		}
-		req := &structs.KeyringUpdateRootKeyRequest{
-			RootKey: &structs.RootKey{
-				Meta: keyMeta,
-				Key:  key,
-			},
-			Rekey: false,
-			WriteRequest: structs.WriteRequest{
-				Region:    c.srv.config.Region,
-				AuthToken: eval.LeaderACL},
-		}
-		if err := c.srv.RPC("Keyring.Update",
-			req, &structs.KeyringUpdateRootKeyResponse{}); err != nil {
-			c.logger.Error("root key update failed", "error", err)
-			return err
-		}
 	}
 
 	return nil

nomad/core_sched_test.go

@@ -2472,23 +2472,18 @@ func TestCoreScheduler_RootKeyGC(t *testing.T) {
 	require.NotNil(t, key0, "expected keyring to be bootstapped")
 	require.NoError(t, err)
 
-	// insert an "old" deprecated key
-	key1 := structs.NewRootKeyMeta()
-	key1.SetDeprecated()
-	require.NoError(t, store.UpsertRootKeyMeta(500, key1, false))
-
 	// insert an "old" inactive key
-	key2 := structs.NewRootKeyMeta()
-	key2.SetDeprecated()
-	require.NoError(t, store.UpsertRootKeyMeta(600, key2, false))
+	key1 := structs.NewRootKeyMeta()
+	key1.SetInactive()
+	require.NoError(t, store.UpsertRootKeyMeta(600, key1, false))
 
 	// insert an "old" and inactive key with a variable that's using it
-	key3 := structs.NewRootKeyMeta()
-	key3.SetInactive()
-	require.NoError(t, store.UpsertRootKeyMeta(700, key3, false))
+	key2 := structs.NewRootKeyMeta()
+	key2.SetInactive()
+	require.NoError(t, store.UpsertRootKeyMeta(700, key2, false))
 
 	variable := mock.VariableEncrypted()
-	variable.KeyID = key3.KeyID
+	variable.KeyID = key2.KeyID
 
 	setResp := store.VarSet(601, &structs.VarApplyStateRequest{
 		Op:  structs.VarOpSet,
@@ -2497,26 +2492,27 @@ func TestCoreScheduler_RootKeyGC(t *testing.T) {
 	require.NoError(t, setResp.Error)
 
 	// insert an "old" key that's inactive but being used by an alloc
-	key4 := structs.NewRootKeyMeta()
-	key4.SetInactive()
-	require.NoError(t, store.UpsertRootKeyMeta(800, key4, false))
+	key3 := structs.NewRootKeyMeta()
+	key3.SetInactive()
+	require.NoError(t, store.UpsertRootKeyMeta(800, key3, false))
 
 	// insert the allocation using key3
 	alloc := mock.Alloc()
 	alloc.ClientStatus = structs.AllocClientStatusRunning
-	alloc.SigningKeyID = key4.KeyID
+	alloc.SigningKeyID = key3.KeyID
 	require.NoError(t, store.UpsertAllocs(
 		structs.MsgTypeTestSetup, 850, []*structs.Allocation{alloc}))
 
 	// insert an "old" key that's inactive but being used by an alloc
-	key5 := structs.NewRootKeyMeta()
-	key5.SetInactive()
+	key4 := structs.NewRootKeyMeta()
+	key4.SetInactive()
 	require.NoError(t, store.UpsertRootKeyMeta(900, key4, false))
 
-	// insert the allocation using key3
+	// insert the dead allocation using key4
 	alloc2 := mock.Alloc()
-	alloc2.ClientStatus = structs.AllocClientStatusRunning
-	alloc2.SigningKeyID = key5.KeyID
+	alloc2.ClientStatus = structs.AllocClientStatusFailed
+	alloc2.DesiredStatus = structs.AllocDesiredStatusStop
+	alloc2.SigningKeyID = key4.KeyID
 	require.NoError(t, store.UpsertAllocs(
 		structs.MsgTypeTestSetup, 950, []*structs.Allocation{alloc2}))
 
@@ -2525,9 +2521,9 @@ func TestCoreScheduler_RootKeyGC(t *testing.T) {
 	tt.Witness(1000, time.Now().UTC().Add(-1*srv.config.RootKeyGCThreshold))
 
 	// insert a "new" but inactive key
-	key6 := structs.NewRootKeyMeta()
-	key6.SetInactive()
-	require.NoError(t, store.UpsertRootKeyMeta(1500, key6, false))
+	key5 := structs.NewRootKeyMeta()
+	key5.SetInactive()
+	require.NoError(t, store.UpsertRootKeyMeta(1500, key5, false))
 
 	// run the core job
 	snap, err := store.Snapshot()
@@ -2544,25 +2540,21 @@ func TestCoreScheduler_RootKeyGC(t *testing.T) {
 
 	key, err = store.RootKeyMetaByID(ws, key1.KeyID)
 	require.NoError(t, err)
-	require.Nil(t, key, "old deprecated key should have been GCd")
-
-	key, err = store.RootKeyMetaByID(ws, key2.KeyID)
-	require.NoError(t, err)
 	require.Nil(t, key, "old and unused inactive key should have been GCd")
 
-	key, err = store.RootKeyMetaByID(ws, key3.KeyID)
+	key, err = store.RootKeyMetaByID(ws, key2.KeyID)
 	require.NoError(t, err)
 	require.NotNil(t, key, "old key should not have been GCd if still in use")
 
-	key, err = store.RootKeyMetaByID(ws, key4.KeyID)
+	key, err = store.RootKeyMetaByID(ws, key3.KeyID)
 	require.NoError(t, err)
 	require.NotNil(t, key, "old key used to sign a live alloc should not have been GCd")
 
-	key, err = store.RootKeyMetaByID(ws, key5.KeyID)
+	key, err = store.RootKeyMetaByID(ws, key4.KeyID)
 	require.NoError(t, err)
 	require.Nil(t, key, "old key used to sign a terminal alloc should have been GCd")
 
-	key, err = store.RootKeyMetaByID(ws, key6.KeyID)
+	key, err = store.RootKeyMetaByID(ws, key5.KeyID)
 	require.NoError(t, err)
 	require.NotNil(t, key, "new key should not have been GCd")
 
@@ -2631,18 +2623,6 @@ func TestCoreScheduler_VariablesRekey(t *testing.T) {
 	}, time.Second*5, 100*time.Millisecond,
 		"variable rekey should be complete")
 
-	iter, err := store.RootKeyMetas(memdb.NewWatchSet())
-	require.NoError(t, err)
-	for {
-		raw := iter.Next()
-		if raw == nil {
-			break
-		}
-		keyMeta := raw.(*structs.RootKeyMeta)
-		if keyMeta.KeyID != newKeyID {
-			require.True(t, keyMeta.State == structs.RootKeyStateInactive)
-		}
-	}
 }
 
 func TestCoreScheduler_FailLoop(t *testing.T) {

nomad/encrypter.go

@@ -471,11 +471,6 @@ START:
 				}
 
 				keyMeta := raw.(*structs.RootKeyMeta)
-				if keyMeta.Deprecated() {
-					// this key has been marked as deprecated following a full
-					// rekey, so it can be ignored.
-					continue
-				}
 				if key, err := krr.encrypter.GetKey(keyMeta.KeyID); err == nil && len(key) > 0 {
 					// the key material is immutable so if we've already got it
 					// we can move on to the next key

nomad/structs/keyring.go

@@ -51,10 +51,14 @@ type RootKeyMeta struct {
 type RootKeyState string
 
 const (
-	RootKeyStateInactive   RootKeyState = "inactive"
-	RootKeyStateActive                  = "active"
-	RootKeyStateRekeying                = "rekeying"
-	RootKeyStateDeprecated              = "deprecated"
+	RootKeyStateInactive RootKeyState = "inactive"
+	RootKeyStateActive                = "active"
+	RootKeyStateRekeying              = "rekeying"
+
+	// RootKeyStateDeprecated is, itself, deprecated and is no longer in
+	// use. For backwards compatibility, any existing keys with this state will
+	// be treated as RootKeyStateInactive
+	RootKeyStateDeprecated = "deprecated"
 )
 
 // NewRootKeyMeta returns a new RootKeyMeta with default values
@@ -103,14 +107,10 @@ func (rkm *RootKeyMeta) SetInactive() {
 	rkm.State = RootKeyStateInactive
 }
 
-// Deprecated indicates that variables encrypted with this key
-// have been rekeyed
-func (rkm *RootKeyMeta) Deprecated() bool {
-	return rkm.State == RootKeyStateDeprecated
-}
-
-func (rkm *RootKeyMeta) SetDeprecated() {
-	rkm.State = RootKeyStateDeprecated
+// Inactive indicates that this key is no longer being used to encrypt new
+// variables or workload identities.
+func (rkm *RootKeyMeta) Inactive() bool {
+	return rkm.State == RootKeyStateInactive || rkm.State == RootKeyStateDeprecated
 }
 
 func (rkm *RootKeyMeta) Stub() *RootKeyMetaStub {