Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Downstream spire-server does not honour ca_ttl configurable. #5236

Closed
sorindumitru opened this issue Jun 19, 2024 · 2 comments · Fixed by #5264
Closed

Downstream spire-server does not honour ca_ttl configurable. #5236

sorindumitru opened this issue Jun 19, 2024 · 2 comments · Fixed by #5264
Assignees
@azdagron
Labels
priority/backlog Issue is approved and in the backlog

Comments

@sorindumitru
Copy link
Contributor

When running a nested SPIRE deployment, it can be surprising that the TTL on the CA used by the downstream server does not come from the ca_ttl in the configuration file, but is taken from the registration entry of the downstream spire-server instance.

Would it be possible to have the downstream spire-server specify the TTL it requires for the CA when requesting one? It would still need to be bounded by the TTL of the upstream CA, but that's less surprising to me.

Alternatively, this could be documented to make it less of a surprise.

  • Version: probably all of them since the introduction of the spire upstream authority
  • Platform: any
  • Subsystem: server
@MarcosDY MarcosDY added the triage/in-progress Issue triage is in progress label Jun 20, 2024
@azdagron
Copy link
Member

I agree that it would be less surprising. Further, it's even more strange that the default TTL applied to the downstream CA, if the registration entry does not set one, is the default workload SVID TTL. This behavior is historic and somewhat unintentional but it shipped that way originally and we've maintained it due to backcompat.

The upstream authority plugin interface already provides a preferred_ttl field to plugins. The spire upstream authority plugin could be taught about that field, and the NewDownstreamX509CA RPC extended to support it.

The biggest question here is backwards compatibility... I'd personally be for this change on a minor release boundary, provided we include a configuration value that allows folks to revert to the old behavior, at least for a time. I'm curious to hear other maintainers thoughts.

@azdagron
Copy link
Member

We have consensus to move forward on this change. Here is a rough plan of action:

  1. Update the NewDownstreamX509CA RPC to provide the preferred_ttl value passed to the spire UA plugin to the upstream server
  2. Update the NewDownstreamX509CA implementation to pass this as the TTL parameter into the CA subsystem when minting the downstream intermediate CA instead of the downstream entry TTL (if any) This step should be conditional for now, see step (3)
  3. Add a configuration value honor_downstream_ca_ttl, which defaults to false. This configuration value controls whether or not we do (2).

Then, on the next deprecation boundary
4. Deprecate the honor_downstream_ca_ttl configuration value and default to true

Then, on the next deprecation boundary after that
5. Remove the honor_downstream_ca_ttl configuration value

I will raise my hand to implement (1)-(3) and then create issues for (4) and (5) based on whichever release (1)-(3) land in.

@azdagron azdagron added priority/backlog Issue is approved and in the backlog and removed triage/in-progress Issue triage is in progress labels Jun 27, 2024
@azdagron azdagron mentioned this issue Jun 27, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@azdagron azdagron

Labels
priority/backlog Issue is approved and in the backlog
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Optionally prefer downstream X509 CA TTL spiffe/spire
3 participants
@sorindumitru @MarcosDY @azdagron