Remove disable_reattest_to_renew functionality (#5217)

Signed-off-by: Andrew Harding <azdagron@gmail.com>
spiffe · Jun 12, 2024 · 99f6675 · 99f6675
1 parent 8f9fa03
commit 99f6675
Show file tree

Hide file tree

Showing 8 changed files with 24 additions and 48 deletions.
diff --git a/cmd/spire-agent/cli/run/run.go b/cmd/spire-agent/cli/run/run.go
@@ -104,9 +104,6 @@ type agentConfig struct {
 	Experimental     experimentalConfig `hcl:"experimental"`
 
 	UnusedKeyPositions map[string][]token.Pos `hcl:",unusedKeyPositions"`
-
-	// Deprecated configurables
-	DisableReattestToRenew bool `hcl:"disable_reattest_to_renew"`
 }
 
 type sdsConfig struct {
@@ -606,11 +603,6 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		logger.Warnf("Developer feature flag %q has been enabled", f)
 	}
 
-	ac.DisableReattestToRenew = c.Agent.DisableReattestToRenew
-	if c.Agent.DisableReattestToRenew {
-		logger.Warn("Disable reattest to renew flag will be removed in the next major release")
-	}
-
 	return ac, nil
 }
 

diff --git a/conf/agent/agent_full.conf b/conf/agent/agent_full.conf
@@ -77,9 +77,6 @@ agent {
         # "spiffe://example.org/authorized_client1",
     # ]
 
-    # disable_reattest_to_renew: Allow agent to renew certificate when it expires rather than reattest
-    disable_reattest_to_renew = false
-
     # sds: Optional SDS configuration section.
     # sds = {
     #     # default_svid_name: The TLS Certificate resource name to use for the default

diff --git a/doc/spire_agent.md b/doc/spire_agent.md
@@ -70,7 +70,6 @@ This may be useful for templating configuration files, for example across differ
 | `trust_domain`                    | The trust domain that this agent belongs to (should be no more than 255 characters)                                                                                                                                                               |                                  |
 | `workload_x509_svid_key_type`     | The workload X509 SVID key type &lt;rsa-2048&vert;ec-p256&gt;                                                                                                                                                                                     | ec-p256                          |
 | `availability_target`             | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. See [Availability Target](#availability-target) |                                  |
-| `disable_reattest_to_renew`       | Allow agent to renew certificate when it expires rather than reattest                                                                                                                                                                             | false                            |
 
 | experimental               | Description                                                                        | Default                 |
 |:---------------------------|------------------------------------------------------------------------------------|-------------------------|

diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go
@@ -266,7 +266,6 @@ func (a *Agent) newManager(ctx context.Context, sto storage.Storage, cat catalog
 		SVIDKey:                  as.Key,
 		Bundle:                   as.Bundle,
 		Reattestable:             as.Reattestable,
-		DisableReattestToRenew:   a.c.DisableReattestToRenew,
 		Catalog:                  cat,
 		TrustDomain:              a.c.TrustDomain,
 		ServerAddr:               a.c.ServerAddress,

diff --git a/pkg/agent/config.go b/pkg/agent/config.go
@@ -103,9 +103,6 @@ type Config struct {
 
 	// AvailabilityTarget controls how frequently rotate SVIDs
 	AvailabilityTarget time.Duration
-
-	// Deprecated config option to disable reattest to renew functionality
-	DisableReattestToRenew bool
 }
 
 func New(c *Config) *Agent {

diff --git a/pkg/agent/manager/config.go b/pkg/agent/manager/config.go
@@ -27,7 +27,6 @@ type Config struct {
 	SVIDKey                  keymanager.Key
 	Bundle                   *managerCache.Bundle
 	Reattestable             bool
-	DisableReattestToRenew   bool
 	Catalog                  catalog.Catalog
 	TrustDomain              spiffeid.TrustDomain
 	Log                      logrus.FieldLogger
@@ -77,20 +76,19 @@ func newManager(c *Config) *manager {
 	}
 
 	rotCfg := &svid.RotatorConfig{
-		SVIDKeyManager:         keymanager.ForSVID(c.Catalog.GetKeyManager()),
-		Log:                    c.Log,
-		Metrics:                c.Metrics,
-		SVID:                   c.SVID,
-		SVIDKey:                c.SVIDKey,
-		BundleStream:           cache.SubscribeToBundleChanges(),
-		ServerAddr:             c.ServerAddr,
-		TrustDomain:            c.TrustDomain,
-		Interval:               c.RotationInterval,
-		Clk:                    c.Clk,
-		NodeAttestor:           c.NodeAttestor,
-		Reattestable:           c.Reattestable,
-		DisableReattestToRenew: c.DisableReattestToRenew,
-		RotationStrategy:       c.RotationStrategy,
+		SVIDKeyManager:   keymanager.ForSVID(c.Catalog.GetKeyManager()),
+		Log:              c.Log,
+		Metrics:          c.Metrics,
+		SVID:             c.SVID,
+		SVIDKey:          c.SVIDKey,
+		BundleStream:     cache.SubscribeToBundleChanges(),
+		ServerAddr:       c.ServerAddr,
+		TrustDomain:      c.TrustDomain,
+		Interval:         c.RotationInterval,
+		Clk:              c.Clk,
+		NodeAttestor:     c.NodeAttestor,
+		Reattestable:     c.Reattestable,
+		RotationStrategy: c.RotationStrategy,
 	}
 	svidRotator, client := svid.NewRotator(rotCfg)
 

diff --git a/pkg/agent/svid/rotator.go b/pkg/agent/svid/rotator.go
@@ -138,22 +138,17 @@ func (r *rotator) SetRotationFinishedHook(f func()) {
 	r.rotationFinishedHook = f
 }
 
-func (r *rotator) Reattest(ctx context.Context) (err error) {
+func (r *rotator) Reattest(ctx context.Context) error {
 	state, ok := r.state.Value().(State)
 	if !ok {
 		return fmt.Errorf("unexpected value type: %T", r.state.Value())
 	}
 
-	if state.Reattestable {
-		if !r.c.DisableReattestToRenew {
-			err = r.reattest(ctx)
-		} else {
-			return errors.New("re-attestation is disabled")
-		}
-	} else {
+	if !state.Reattestable {
 		return errors.New("attestation method is not re-attestable")
 	}
 
+	err := r.reattest(ctx)
 	if err == nil && r.rotationFinishedHook != nil {
 		r.rotationFinishedHook()
 	}
@@ -168,7 +163,7 @@ func (r *rotator) rotateSVIDIfNeeded(ctx context.Context) (err error) {
 	}
 
 	if r.c.RotationStrategy.ShouldRotateX509(r.clk.Now(), state.SVID[0]) {
-		if state.Reattestable && !r.c.DisableReattestToRenew {
+		if state.Reattestable {
 			err = r.reattest(ctx)
 		} else {
 			err = r.rotateSVID(ctx)

diff --git a/pkg/agent/svid/rotator_config.go b/pkg/agent/svid/rotator_config.go
@@ -22,14 +22,13 @@ import (
 const DefaultRotatorInterval = 5 * time.Second
 
 type RotatorConfig struct {
-	SVIDKeyManager         keymanager.SVIDKeyManager
-	Log                    logrus.FieldLogger
-	Metrics                telemetry.Metrics
-	TrustDomain            spiffeid.TrustDomain
-	ServerAddr             string
-	NodeAttestor           nodeattestor.NodeAttestor
-	Reattestable           bool
-	DisableReattestToRenew bool
+	SVIDKeyManager keymanager.SVIDKeyManager
+	Log            logrus.FieldLogger
+	Metrics        telemetry.Metrics
+	TrustDomain    spiffeid.TrustDomain
+	ServerAddr     string
+	NodeAttestor   nodeattestor.NodeAttestor
+	Reattestable   bool
 
 	// Initial SVID and key
 	SVID    []*x509.Certificate