Skip to content
This repository has been archived by the owner on Jul 12, 2023. It is now read-only.

Add verification certificate key auto rotation #1614

Merged
merged 6 commits into from
Jan 16, 2021
Merged

Add verification certificate key auto rotation #1614

merged 6 commits into from
Jan 16, 2021

Conversation

mikehelmick
Copy link
Contributor

Fixes #1567

Proposed Changes

  • UI to enable/disable
  • Auto rotate job

New enable screen
image

Confirmation dialog
image

Status when enabled
image

New keys are created in inactive state to allow for propagation of public key
image

Release Note

Allow for realm admins to enable automatic verification certificate key rotation. Keys are rotated every 30 days, and given 1h soak time for upstream key servers to pull public keys via public key discovery.

@googlebot googlebot added the cla: yes Auto: added by CLA bot when all committers have signed a CLA. label Jan 16, 2021
@mikehelmick
Copy link
Contributor Author

/retest

whaught
whaught reviewed Jan 16, 2021
View reviewed changes
pkg/controller/rotation/handle_rotate.go Show resolved Hide resolved
pkg/controller/rotation/handle_verification_rotate.go Outdated Show resolved Hide resolved
pkg/controller/rotation/rotation.go Outdated Show resolved Hide resolved
terraform/service_rotation.tf
resource "google_cloud_scheduler_job" "realm-key-rotation-worker" {
name = "realm-key-rotation-worker"
region = var.cloudscheduler_location
schedule = "2,32 * * * *"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2,32... those are oddly specific minutes

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

offsetting it from the token rotation (which is every 5 minutes)

@google-oss-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mikehelmick, whaught

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [mikehelmick,whaught]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-robot google-oss-robot merged commit 5416698 into google:main Jan 16, 2021
@sethvargo sethvargo mentioned this pull request Jan 16, 2021
Merged
sethvargo
sethvargo reviewed Jan 16, 2021
View reviewed changes
pkg/database/database_util.go
@@ -277,6 +277,8 @@ func (i *TestInstance) NewDatabase(tb testing.TB, cacher cache.Cacher) (*Databas
tb.Fatalf("failed to load database configuration: %s", err)
}
db.keyManager = keys.TestKeyManager(tb)
db.config.CertificateSigningKeyRing = "certificates"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This introduced a data race

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 18, 2021
@mikehelmick mikehelmick deleted the issue1567 branch January 19, 2021 15:57
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@sethvargo sethvargo sethvargo left review comments

@whaught whaught whaught approved these changes

Assignees

@whaught whaught

Labels
cla: yes Auto: added by CLA bot when all committers have signed a CLA.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Proposal: Automatically rotate verification certificate signing keys
5 participants
@mikehelmick @google-oss-robot @sethvargo @whaught @googlebot