Skip to content

v2.0.0-rc0: certmgr 2.0.0-rc0
Compare
Choose a tag to compare
@terinjokes terinjokes released this 01 Jul 23:44
v2.0.0-rc0
78f5202 
This release breaks API compatibility with certmgr-1.x and has much more strict
validation logic for what certmgr tolerates.

Specifically:
* certmgr daemon configuration must now be yaml- json is no longer supported.
* Spec's must now define their notification mechanism- actions- fully.  If a spec
  lacks `svcmgr` or `action` or `service`- this is fine, it just means nothing is
  notified.  If any of those are specified, then the resultant configuration *must*
  be validly parsed by the svcmgr that is targeted.
* Spec's are now strictly validated; unknown/unsupported fields in a spec is now
  a parse error that will prevent usage of the spec.  Typo's will be caught, is the
  short version.

There has been significant enhancement to the handling of on disk PKI since 1.6.4.
Major improvements are thus:
* Ondisk PKI content- CA, cert, key- are all now fully validated.  Cert and key are
  checked to confirm they're a valid keypair; cert is checked to confirm it still is
  signed by the current CA. On disk CA is checked to ensure it's the actual remote CA; etc.
  In particular, key algorithm and size are now also validated- certmgr will now detect
  if they're no longer matching the spec and it will force regeneration.
* Via the previous change, mtime checks are no longer relied upon.  This- and the above-
  removes the source of all known false positive "force a regeneration" events for
  certmgr.
* Certmgr no longer can trigger two actions for when a CA and cert/key has changed; it
  now only triggers a single action once PKI content is updated for both.
* Certmgr now opportunistically tries to renew cert/key when the CA has changed; the
  goal is to maximize the lifespan of the new content since we already have to trigger
  a notification of the consuming service.

Finally, other major improvements that aren't PKI related:
* yaml is now properly supported for spec definitions.  It's much more human readable,
  thus it's our recommendation to use that format if at all possible.
* metrics were rewritten in full.  Each spec now has basic metrics exported indicated
  expiry time, event counts for maintainance of the spec, failure counts, etc.  It
  should be possible to now have sane operational monitoring of certmgr, including
  alerting.
* certmgr now longer has a permission race for content it writes to disk- previous
  versions had a small window where the PKI content could have the certmgr user as the
  owner, rather than the specified user.  All PKI content is now atomically renamed into
  place, thus this window is gone.
* Initial steps were taken towards structured logging for certmgr; it's now possible
  to enable json logging if desired.  Future certmgr releases will improve the internal
  logging to be more structure orientated.
Assets 24
Loading