
keyring: fix missing GC config, don't rotate on manual GC #15009

Merged (2 commits) on Oct 24, 2022

Conversation

tgross (Member) commented Oct 21, 2022

For #14981

The configuration knobs for root keyring garbage collection are present in the consumer and present in the user-facing config, but we missed the spot where we copy from one to the other. Fix this so that users can set their own thresholds.

The root key is automatically rotated every ~30d, but the function that does both rotation and key GC was wired up such that `nomad system gc` caused an unexpected key rotation. Split this into two functions so that `nomad system gc` cleans up old keys without forcing a rotation, which will be done periodically or by the `nomad operator root keyring rotate` command.

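As an added illustration of the split described above (this is not Nomad's code; the type and field names such as `UserConfig.RootKeyGCThreshold` are assumptions), here is a minimal Go keyring in which `Rotate` only installs a new active key, `GC` only removes rotated-out keys older than the user-configured threshold, and `NewKeyring` is the config-copy step whose omission the PR fixes.

```go
package main

import "time"

// UserConfig stands in for the user-facing server config (field name assumed).
type UserConfig struct{ RootKeyGCThreshold time.Duration }

// RootKey is a simplified keyring entry (illustrative, not Nomad's type).
type RootKey struct {
	Active    bool
	RotatedAt time.Time // zero while the key is active
}

type Keyring struct {
	Keys        []*RootKey
	gcThreshold time.Duration
	now         func() time.Time // injectable clock so tests can move time
}

// NewKeyring copies the user threshold into the consumer: the step the PR fixes.
func NewKeyring(cfg UserConfig, now func() time.Time) *Keyring {
	return &Keyring{gcThreshold: cfg.RootKeyGCThreshold, now: now}
}

// Rotate adds a new active key and demotes the old one; it never deletes keys.
func (k *Keyring) Rotate() *RootKey {
	for _, key := range k.Keys {
		if key.Active {
			key.Active, key.RotatedAt = false, k.now()
		}
	}
	nk := &RootKey{Active: true}
	k.Keys = append(k.Keys, nk)
	return nk
}

// GC drops inactive keys rotated out longer ago than the threshold and returns
// the count. It never rotates, so `nomad system gc` keeps the active key.
func (k *Keyring) GC() int {
	cutoff := k.now().Add(-k.gcThreshold)
	kept := k.Keys[:0]
	for _, key := range k.Keys {
		if key.Active || !key.RotatedAt.Before(cutoff) {
			kept = append(kept, key)
		}
	}
	removed := len(k.Keys) - len(kept)
	k.Keys = kept
	return removed
}
```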
tgross (Member, Author) commented Oct 21, 2022

Includes the changelog entry from #14987

shoenig (Member) left a comment


LGTM

github-actions bot commented

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 22, 2023
Labels
backport/1.4.x backport to 1.4.x release line theme/keyring type/bug

2 participants