Fix building unified delta WAL, unified delta CRLs #20058
Commits on Apr 11, 2023
Correctly find certificates for unified delta CRL
When building the unified delta CRL, WAL entries from the non-primary cluster were ignored. This resulted in an incomplete delta CRL, preventing some entries from appearing.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Commit 76f317d
Correctly rebuild unified delta CRLs
When deciding if the Unified Delta CRL should be rebuilt, we need to check the status of all clusters and their last revoked serial numbers. If any new serial has been revoked on any cluster, we should rebuild the unified delta CRLs.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Commit 330c612
Correctly persist Unified Delta CRL build entries
When building the unified CRL, we need to read the last seen serial number from all clusters, not just the present cluster, and write it to the last built serial for that cluster's unified delta WAL entry. This prevents us from continuously rebuilding unified CRLs now that we have fixed our rebuild heuristic.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Commit 2a31342
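The two commits above (330c612 and 2a31342) describe a rebuild heuristic and the bookkeeping that keeps it from firing forever. The following Go program is an added illustration of that logic and is not Vault's code: the `UnifiedDeltaState` type, the cluster names, the serial values and the function names are all constructed for the example. `staleClustersLocalOnly` reproduces the defect the commits fix (only the local cluster is consulted, so a revocation on any other cluster never triggers a rebuild); `staleClusters` compares every cluster's last revoked serial against the serial last built for that cluster; `recordUnifiedDeltaBuild` persists the last seen serial of every cluster after a build, which is what stops the corrected heuristic from rebuilding on every check.

```go
package main

import (
	"fmt"
	"sort"
)

// UnifiedDeltaState is a hypothetical in-memory model of the per-cluster
// bookkeeping the commits describe; Vault's real storage layout differs.
// Keys are cluster identifiers (constructed sample values like "cluster-a").
//   LastRevoked: last serial revoked on each cluster, read from its WAL.
//   LastBuilt:   serial recorded as last built into the unified delta CRL,
//                kept per cluster in that cluster's unified delta WAL entry.
type UnifiedDeltaState struct {
	LastRevoked map[string]string
	LastBuilt   map[string]string
}

// staleClustersLocalOnly is the flawed heuristic: only the local cluster is
// checked, so revocations elsewhere are invisible to the rebuild decision.
func staleClustersLocalOnly(s UnifiedDeltaState, local string) []string {
	if s.LastRevoked[local] != "" && s.LastRevoked[local] != s.LastBuilt[local] {
		return []string{local}
	}
	return nil
}

// staleClusters is the corrected heuristic: every cluster's last revoked
// serial is compared with the serial last built for that same cluster. Any
// mismatch means the unified delta CRL is missing at least one revocation.
func staleClusters(s UnifiedDeltaState) []string {
	var stale []string
	for cluster, revoked := range s.LastRevoked {
		if revoked == "" {
			continue // this cluster has never revoked anything
		}
		if s.LastBuilt[cluster] != revoked {
			stale = append(stale, cluster)
		}
	}
	sort.Strings(stale) // deterministic output for logging and tests
	return stale
}

// shouldRebuildUnifiedDeltaCRL answers the question the commit poses: has any
// cluster revoked a serial the unified delta CRL does not yet contain?
func shouldRebuildUnifiedDeltaCRL(s UnifiedDeltaState) bool {
	return len(staleClusters(s)) > 0
}

// recordUnifiedDeltaBuild mirrors the persistence fix: after a build, write
// the last seen serial of every cluster (not only the local one) as that
// cluster's last built serial, so the next check sees nothing stale.
func recordUnifiedDeltaBuild(s *UnifiedDeltaState) {
	if s.LastBuilt == nil {
		s.LastBuilt = map[string]string{}
	}
	for cluster, revoked := range s.LastRevoked {
		if revoked != "" {
			s.LastBuilt[cluster] = revoked
		}
	}
}

func main() {
	// Constructed scenario: cluster-b has revoked serial "1f" since the last
	// build, while the local cluster (cluster-a) has nothing new.
	s := UnifiedDeltaState{
		LastRevoked: map[string]string{"cluster-a": "0a", "cluster-b": "1f"},
		LastBuilt:   map[string]string{"cluster-a": "0a", "cluster-b": "1e"},
	}
	fmt.Println("flawed heuristic says stale:", staleClustersLocalOnly(s, "cluster-a"))
	fmt.Println("fixed heuristic says stale:", staleClusters(s))
	fmt.Println("rebuild needed:", shouldRebuildUnifiedDeltaCRL(s))
	recordUnifiedDeltaBuild(&s)
	fmt.Println("rebuild needed after recording build:", shouldRebuildUnifiedDeltaCRL(s))
}
```

The design point is that the "last built" marker must be written per cluster from that cluster's own last seen serial; writing only the local cluster's marker leaves every other cluster permanently mismatched, which is the continuous-rebuild loop the third commit describes.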
Fix getLastWALSerial for unified delta CRLs
getLastWALSerial ignored its path argument, preventing it from reading the specified cluster-specific WAL entry. On the primary cluster, this was mostly equivalent, but now that we're correctly reading WAL entries and revocations for other clusters, we need to handle reading these entries correctly.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Commit f2b6067
Copy delta WAL entries in event of failure
Any local delta WAL should be persisted to unified delta WAL space as well. If such unified persistence fails, we need to ensure that they get eventually moved up, otherwise they'll remain missing until the next full CRL rebuild occurs, which might be significantly longer than when the next delta CRL rebuild would otherwise occur. runUnifiedTransfer already handles this for us, but it lacked logic for delta WAL serials. The only interesting catch here is that we refuse to copy any entries whose full unified revocation entry has not also been written.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Commit eb4cf81
Make doUnifiedTransferMissingLocalSerials log an error
This message is mostly an error and would always be helpful information to have when troubleshooting failures.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Commit 6505b96
Warn on cross-cluster write failures during revoke
When revoking certificates, we log cross-cluster revocation failures, but we should really expose this information to the caller, that their local revocation was successful, but their cross-cluster revocation failed.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Commit b0ca014
Ensure unified delta WAL entry has full entry
Delta WAL entries are empty files whose only information (a revoked serial number) is contained in the file path. These depend implicitly on a full revocation entry existing for this file (whether a cross-cluster unified entry or a local entry). We should not write unified delta WAL entries without the corresponding full unified revocation entry existing. Add a warning in this case.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Commit 784018d
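Commits eb4cf81 and 784018d both turn on the same invariant: a unified delta WAL entry is an empty path-only marker that is meaningless unless the full unified revocation entry for that serial already exists, so neither a direct write nor the catch-up transfer may create one without it. The Go program below is an added illustration of that invariant, not Vault's code: the `Store` type, the storage path prefixes (`unified-revocation/`, `unified-delta-wal/`), the cluster name and the serials are constructed for the example. `writeUnifiedDeltaWALEntry` refuses and returns a warning when the full entry is missing; `transferMissingDeltaWALSerials` models the catch-up copy of local delta WAL serials that failed to reach unified storage earlier, skipping exactly those serials whose full unified revocation entry has not been written.

```go
package main

import (
	"fmt"
	"sort"
)

// Store is a hypothetical key/value backend standing in for the PKI storage
// view. The path layout is constructed for this example (Vault's differs):
//   unified-revocation/<cluster>/<serial>  full revocation entry, has content
//   unified-delta-wal/<cluster>/<serial>   delta WAL marker, empty by design
type Store struct{ data map[string][]byte }

func NewStore() *Store { return &Store{data: map[string][]byte{}} }

func (s *Store) Put(path string, v []byte) { s.data[path] = v }

func (s *Store) Exists(path string) bool {
	_, ok := s.data[path]
	return ok
}

func unifiedRevocationPath(cluster, serial string) string {
	return "unified-revocation/" + cluster + "/" + serial
}

func unifiedDeltaWALPath(cluster, serial string) string {
	return "unified-delta-wal/" + cluster + "/" + serial
}

// writeUnifiedDeltaWALEntry writes the empty delta WAL marker only when the
// full unified revocation entry it implicitly depends on already exists.
// It returns false plus a warning message for the caller to log otherwise.
func writeUnifiedDeltaWALEntry(s *Store, cluster, serial string) (bool, string) {
	if !s.Exists(unifiedRevocationPath(cluster, serial)) {
		return false, fmt.Sprintf(
			"refusing to write unified delta WAL entry for serial %s on %s: full unified revocation entry missing",
			serial, cluster)
	}
	s.Put(unifiedDeltaWALPath(cluster, serial), nil) // the serial lives in the path
	return true, ""
}

// transferMissingDeltaWALSerials models the catch-up pass: every local delta
// WAL serial that is absent from unified delta WAL space is copied, unless
// its full unified revocation entry is missing, in which case it is skipped
// (and reported) rather than written as a dangling marker.
func transferMissingDeltaWALSerials(s *Store, cluster string, localSerials []string) (copied, skipped []string) {
	for _, serial := range localSerials {
		if s.Exists(unifiedDeltaWALPath(cluster, serial)) {
			continue // already transferred on an earlier pass
		}
		if ok, _ := writeUnifiedDeltaWALEntry(s, cluster, serial); ok {
			copied = append(copied, serial)
		} else {
			skipped = append(skipped, serial)
		}
	}
	sort.Strings(copied)
	sort.Strings(skipped)
	return copied, skipped
}

func main() {
	// Constructed scenario: serials 11 and 22 have full unified entries, 11 was
	// already transferred, 33 never got a full unified entry (write failed).
	st := NewStore()
	st.Put(unifiedRevocationPath("cluster-a", "11"), []byte("revoked"))
	st.Put(unifiedRevocationPath("cluster-a", "22"), []byte("revoked"))
	st.Put(unifiedDeltaWALPath("cluster-a", "11"), nil)

	if ok, warn := writeUnifiedDeltaWALEntry(st, "cluster-a", "33"); !ok {
		fmt.Println("warning:", warn)
	}
	copied, skipped := transferMissingDeltaWALSerials(st, "cluster-a", []string{"11", "22", "33"})
	fmt.Println("copied:", copied, "skipped:", skipped)
}
```

The skipped serial is the case the commits care about: writing its delta WAL marker anyway would produce a path with no backing revocation entry, which a later delta CRL build could not resolve; leaving it for a later pass, once the full entry lands, keeps the unified delta WAL consistent.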
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Commit 09d4c70