This repository has been archived by the owner on Jul 12, 2023. It is now read-only.

Source token signing keys from the database #1602

Merged
merged 8 commits into from
Jan 15, 2021

@sethvargo sethvargo commented Jan 15, 2021

Fixes #1569

Release Note

**Potentially breaking!** Source token signing keys from the database. This completes the move of system token signing keys from environment variables to the database. This change attempts to be backward compatible, but servers are encouraged to test changes in an isolated environment before upgrading production systems.

/assign @mikehelmick

@google-cla google-cla bot added the cla: yes Auto: added by CLA bot when all committers have signed a CLA. label Jan 15, 2021
if age, max := time.Now().UTC().Sub(existing.CreatedAt), c.config.TokenSigningKeyMaxAge; age < max {
logger.Debugw("token signing key does not require rotation", "age", age, "max", max)
return
if existing != nil {
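Review bot: in the `age < max` comparison, an `existing.CreatedAt` that lies ahead of this service's clock (for example, skew between the database host and the rotator) produces a negative `age`, which always satisfies `age < max` and is reported only at debug level as "does not require rotation". Consider handling `age < 0` explicitly and logging it at a higher level, so a key with a future creation time is not silently exempt from rotation. Two style points on the same line: `max` shadows the `max` builtin that Go has had since 1.21, so a name such as `maxAge` reads better, and `.UTC()` is unnecessary before `Sub`, because the resulting duration does not depend on location.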
Member Author

This allows the rotator to create the first key if it does not exist

@sethvargo sethvargo force-pushed the sethvargo/wire branch 3 times, most recently from 7a2460c to 5978ea4 Compare January 15, 2021 15:11
@sethvargo
Member Author

@mikehelmick updated, PTAL

@sethvargo
Member Author

@mikehelmick PTAL

@google-oss-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mikehelmick, sethvargo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [mikehelmick,sethvargo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-robot google-oss-robot merged commit ec0d7a6 into main Jan 15, 2021
@google-oss-robot google-oss-robot deleted the sethvargo/wire branch January 15, 2021 23:47
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 17, 2021
Successfully merging this pull request may close these issues.

Proposal: automatically rotate verification token keys