Add taint upstream authority #64
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
3 tasks
Signed-off-by: Marcos Yacob <[email protected]>
| // will perform proactive rotations of any key material related to | ||
| // the tainted authority. The result of this action will be observed | ||
| // cluster-wide. | ||
| // It is important to change active upstream authority before taiting it, |
There was a problem hiding this comment.
Suggested change
| // It is important to change active upstream authority before taiting it, | |
| // It is important to change active upstream authority before tainting it, |
| // the tainted authority. The result of this action will be observed | ||
| // cluster-wide. | ||
| // It is important to change active upstream authority before taiting it, | ||
| // since taint will force the rotation of any bundle that is using |
There was a problem hiding this comment.
Suggested change
| // since taint will force the rotation of any bundle that is using | |
| // since tainting will force the rotation of any bundle that is using |
| // It is important to change active upstream authority before taiting it, | ||
| // since taint will force the rotation of any bundle that is using | ||
| // the old upstream authority. | ||
| // It receive the X.509 Subject Key Identifier (or SKID) of an old X.509 authority. |
There was a problem hiding this comment.
Suggested change
| // It receive the X.509 Subject Key Identifier (or SKID) of an old X.509 authority. | |
| // It receives the X.509 Subject Key Identifier (or SKID) of an old X.509 authority. |
| // the old upstream authority. | ||
| // It receive the X.509 Subject Key Identifier (or SKID) of an old X.509 authority. | ||
| // | ||
| // If a X.509 upstream authority does not exist or it is active, a FailedPrecondition |
There was a problem hiding this comment.
Suggested change
| // If a X.509 upstream authority does not exist or it is active, a FailedPrecondition | |
| // If an X.509 upstream authority does not exist or it is active, a FailedPrecondition |
| // RevokeX509UpstreamAuthority revokes the previously active X.509 upstream authority by | ||
| // removing it from the bundle and propagating this update throughout | ||
| // the cluster. | ||
| // It receive the subject key ID an old X.509 upstream authority. |
There was a problem hiding this comment.
Suggested change
| // It receive the subject key ID an old X.509 upstream authority. | |
| // It receives the subject key ID of the authority's CA certificate of the upstream X.509 authority to revoke. |
| @@ -192,6 +236,7 @@ message RevokeX509AuthorityResponse { | |||
| AuthorityState revoked_authority = 1; | |||
| } | |||
|
|
|||
|
|
|||
Signed-off-by: Marcos Yacob <[email protected]>
azdagron
reviewed
Aug 6, 2024
Comment on lines
67
to
68
| // If upstream authority is configured, local authorities can not be tainted, | ||
| // a FailedPrecondition error will be returned. |
There was a problem hiding this comment.
Suggested change
| // If upstream authority is configured, local authorities can not be tainted, | |
| // a FailedPrecondition error will be returned. | |
| // If an upstream authority is configured then local authorities cannot be tainted, | |
| // and a FailedPrecondition error will be returned. |
| // | ||
| // If a previously active X.509 authority does not exist (e.g. if one | ||
| // has been prepared but not activated yet), a FailedPrecondition | ||
| // error will be returned. | ||
| rpc TaintX509Authority(TaintX509AuthorityRequest) returns (TaintX509AuthorityResponse); | ||
|
|
||
| // TaintX509UpstreamAuthority marks the provided upstream authority as | ||
| // being tainted. SPIRE Agents observing an authority to be tainted |
There was a problem hiding this comment.
Suggested change
| // being tainted. SPIRE Agents observing an authority to be tainted | |
| // being tainted. SPIRE Agents observing a tainted authority |
| // will perform proactive rotations of any key material related to | ||
| // the tainted authority. The result of this action will be observed | ||
| // cluster-wide. | ||
| // It is important to change active upstream authority before taiting it, |
There was a problem hiding this comment.
Suggested change
| // It is important to change active upstream authority before taiting it, | |
| // It is important to change to a new active upstream authority before tainting the old one, |
| // It is important to change active upstream authority before taiting it, | ||
| // since tainting will force the rotation of any bundle that is using | ||
| // the old upstream authority. | ||
| // It receives the X.509 Subject Key Identifier (or SKID) of an old X.509 authority. |
There was a problem hiding this comment.
Suggested change
| // It receives the X.509 Subject Key Identifier (or SKID) of an old X.509 authority. | |
| // The X.509 authority to taint is identified using the provided X.509 Subject Key Identifier (or SKID) of the old X.509 authority. |
| // the old upstream authority. | ||
| // It receives the X.509 Subject Key Identifier (or SKID) of an old X.509 authority. | ||
| // | ||
| // If an X.509 upstream authority does not exist or it is active, a FailedPrecondition |
There was a problem hiding this comment.
Suggested change
| // If an X.509 upstream authority does not exist or it is active, a FailedPrecondition | |
| // If an X.509 upstream authority is not configured, or the identified upstream X.509 authority is active, a FailedPrecondition |
| // RevokeX509UpstreamAuthority revokes the previously active X.509 upstream authority by | ||
| // removing it from the bundle and propagating this update throughout | ||
| // the cluster. | ||
| // It receives the subject key ID of the authority's CA certificate of the |
There was a problem hiding this comment.
Suggested change
| // It receives the subject key ID of the authority's CA certificate of the | |
| // The X.509 authority to revoke is identified using the provided subject key ID of the authority's CA certificate. |
Signed-off-by: Marcos Yacob <[email protected]>
azdagron
reviewed
Aug 7, 2024
| @@ -62,13 +62,31 @@ service LocalAuthority { | |||
| // will perform proactive rotations of any key material related to | |||
| // the tainted authority. The result of this action will be observed | |||
| // cluster-wide. | |||
| // It can receive the public key of an old X.509 authority. | |||
| // It can receive the authority ID of an old X.509 authority. | |||
There was a problem hiding this comment.
Suggested change
| // It can receive the authority ID of an old X.509 authority. | |
| // The X.509 authority to taint is identified using the provided X.509 Subject Key | |
| // Identifier (or SKID) of the old X.509 authority. |
| // | ||
| // If a previously active X.509 authority does not exist (e.g. if one | ||
| // has been prepared but not activated yet), a FailedPrecondition | ||
| // error will be returned. | ||
| rpc TaintX509Authority(TaintX509AuthorityRequest) returns (TaintX509AuthorityResponse); | ||
|
|
||
| // TaintX509UpstreamAuthority marks the provided upstream authority as | ||
| // being tainted. SPIRE Agents observing a tainted authority to be tainted |
There was a problem hiding this comment.
Suggested change
| // being tainted. SPIRE Agents observing a tainted authority to be tainted | |
| // being tainted. SPIRE Agents observing a tainted authority |
Signed-off-by: Marcos Yacob <[email protected]>
azdagron
approved these changes
Aug 7, 2024
amartinezfayo
approved these changes
Aug 7, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.