Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

server CA persistence support #532

Merged
merged 1 commit into from
Jul 12, 2018
Merged

server CA persistence support #532

merged 1 commit into from
Jul 12, 2018

Conversation

azdagron
Copy link
Member

  • updates memory CA to optionally persist signing keypair to disk.
  • updates CA manager to skip the initial rotation if there is a good
    keypair returned by the CA.

Signed-off-by: Andrew Harding azdagron@gmail.com

@azdagron
server CA persistence support
5df5f6d 
- updates memory CA to optionally persist signing keypair to disk.
- updates CA manager to skip the initial rotation if there is a good
  keypair returned by the CA.

Signed-off-by: Andrew Harding <azdagron@gmail.com>
martincapello
martincapello approved these changes Jul 12, 2018
View reviewed changes
Copy link
Contributor

@martincapello martincapello left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

walmav
walmav reviewed Jul 12, 2018
View reviewed changes
doc/plugin_server_ca_memory.md
if the server is restarted, a new signing authority is generated against the upstream CA.
The `memory` plugin implements an in-memory signing authority. The signing
keypair is optionally persisted to disk. When the server is loaded, if no
keypair has been persisted, or if the keypair is expiring/expired, a new
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how do we determine expiring?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same way it is done today. Certificate is "expiring" when it is within 1/6th of the ttl left.

evan2645
evan2645 approved these changes Jul 12, 2018
View reviewed changes
Copy link
Member

@evan2645 evan2645 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 🔑 📝 ☺️

doc/plugin_server_ca_memory.md
@@ -1,13 +1,15 @@
# Server plugin: ServerCA "memory"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the name memory still accurate if the plugin can also persist to disk?

For now I think this is fine, but after upcoming ServerCA refactors we may want to consider making the disk-based functionality a dedicated plugin

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, i agree.

@walmav
Copy link

walmav commented Jul 12, 2018

⚡️

@azdagron azdagron merged commit ca37796 into spiffe:master Jul 12, 2018
@azdagron azdagron deleted the server-ca-persistence branch July 12, 2018 19:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@walmav walmav walmav approved these changes

@martincapello martincapello martincapello approved these changes

@evan2645 evan2645 evan2645 approved these changes

@ajessup ajessup Awaiting requested review from ajessup

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo

@drrt drrt Awaiting requested review from drrt

@MarcosDY MarcosDY Awaiting requested review from MarcosDY

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@azdagron @walmav @evan2645 @martincapello