Add rotation harness and rotate token signing keys #1597
This adds a new service, rotation, which handles key and rotation events. It's designed to be invoked via Cloud Scheduler and has its own locking and time intervals. It's conceptually similar to the cleanup job. This also adds the database schema and example rotation for token signing keys. Note that this code is NOT in use in main code paths yet.
/assign @whaught It'd be good to get 2 LGTMs on this
Port string `env:"PORT,default=8080"` | ||
|
||
RateLimit uint64 `env:"RATE_LIMIT,default=60"` |
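Review bot: with the RateLimit field dropped from the config struct as unused, check that the RATE_LIMIT environment variable is also removed from the deployment and Terraform definitions so a stale setting does not suggest rate limiting is still configured.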
This was unused
@@ -93,6 +96,7 @@ func (c *Controller) HandleCleanup() http.Handler { | |||
OK: false, | |||
Errors: []error{fmt.Errorf("too early")}, | |||
}) | |||
return |
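Review bot: the added `return` after writing the "too early" response fixes a fall-through: before this, the handler reported the error and then continued into the cleanup work anyway. A test that invokes HandleCleanup twice inside the minimum interval and asserts the second call performs no work would keep this from regressing.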
This is an existing nasty bug in the cleanup server.
good catch
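The interval gate discussed in this thread, as an added Go example that is not the project's code: a scheduler-invoked handler that rejects runs inside the minimum period and, crucially, returns after writing the "too early" response so the work does not run anyway. Controller, HandleJob and Invoke are hypothetical names chosen for the example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Controller is a hypothetical stand-in for a scheduler-invoked job (cleanup or rotation).
type Controller struct {
	mu        sync.Mutex
	minPeriod time.Duration
	lastRun   time.Time
	now       func() time.Time // injectable clock so the gate can be tested
	Runs      int              // how many times the real work executed
}

type response struct {
	OK     bool     `json:"ok"`
	Errors []string `json:"errors,omitempty"`
}

func NewController(minPeriod time.Duration, now func() time.Time) *Controller {
	return &Controller{minPeriod: minPeriod, now: now}
}

func (c *Controller) HandleJob() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.mu.Lock() // only one run at a time per instance
		defer c.mu.Unlock()
		if c.now().Sub(c.lastRun) < c.minPeriod {
			w.WriteHeader(http.StatusTooEarly)
			json.NewEncoder(w).Encode(response{OK: false, Errors: []string{"too early"}})
			return // the bug fixed in this PR: without this return the work below still ran
		}
		c.lastRun = c.now()
		c.Runs++ // the actual cleanup/rotation work would go here
		json.NewEncoder(w).Encode(response{OK: true})
	})
}

// Invoke simulates one Cloud Scheduler request and returns the HTTP status.
func (c *Controller) Invoke() int {
	rec := httptest.NewRecorder()
	c.HandleJob().ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Code
}
```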
Don't we need an entry in builders/build.yaml to be able to create /service_rotation.tf?
Done
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: mikehelmick, sethvargo, whaught
There are some TODOs in the code assigned to me. I intend to do those in follow-up PRs where all of this will be wired together.
Part of #1569
Release Note
/assign @mikehelmick