-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP Implement rotation of service-account signing key #9556
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: johngmyers The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hand-waving, the advantage of the keyset approach is that we don't have to implement logic for each key, and the relationship between the keys in the set is (maybe) easier than the With using multiple VFS files, we might have to be careful about atomicity of filesystem updates, whereas the keyset is a single file so should be easier to reason about... We could alternatively add a Whichever approach we choose, I think we should also try to tackle rotation of the CA certificate in the same pattern (or explicitly choose to follow a different pattern). |
kubernetes/kubernetes#91070 has a sketch of what has to happen between key rotations. It's unfortunate the serviceaccount controller doesn't regenerate the tokens on a key change. It's normal to have either current/next without previous or previous/current without next and the code needs to know the difference. So a simple ordering of keys in a keyset is insufficient. As you can see, the rotation code handles atomicity issues by doing checks and updates in a particular order. It does rely on VFS committing an operation before returning. The previous/current/next pattern could work for CAs, though the need to distribute trust further can complicate things. Another thing that can be done with CAs is to have the older CAs issue the newer ones. |
@johngmyers: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@johngmyers: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
I did another rotate command here. I also tried to look at the usefulness of multiple id-per-keypair, but couldn't find a good way of making that work for this purpose. See #10516. |
I think we need to add a concept of "next" (or "current") to the keyset code, so we can tell whether it is the newest or second newest key that should be used to mint things. I remember from looking at the keyset code earlier that the requirement that key ids be numeric was troublesome, but perhaps we can just add metadata for identifying the "current" key. I also remember the legacy on-disk format being troublesome, especially since the legacy format was authoritative. |
I remember the keystore interface lacking methods for atomically updating multiple key versions in a keyset. |
since I made this comment, I made the keyset implementation work well for me. It allows for graceful rotation of the CA without risk of breaking the cluster if one has to break the rotation. I believe the same approach can be used here. Once #10516 has been vetted, I am happy to try that approach with the signing key. |
Superseded by #11204 |
Needs documentation, but this is the basic idea.
The multiple-id-per-keypair design of VFS isn't useful because I can't identify the subkeys as being next, previous, or current. It only seems to be making calling the VFS API unnecessarily complicated. Any objections to my removing that feature?
/kind feature