feat: HSM/KMS CA rotation reminders via cluster alerts#36780
Merged
feat: HSM/KMS CA rotation reminders via cluster alerts#36780
Conversation
rosstimothy
approved these changes
Jan 17, 2024
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Contributor
Author
|
friendly ping @lxea |
lxea
approved these changes
Jan 23, 2024
|
@nklaassen See the table below for backport results.
|
This was referenced Jan 23, 2024
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is a follow-up to #36549
Here I'm adding a cluster alert when an HSM or KMS is configured but not actively used yet because a CA rotation is needed. Before #36459
tctl statuswas able to display this warning in some cases because each auth would add newly generated keys to the CA on startup, but now that the auths are able to continue using any existing software keys, they don't do that andtctl statushas no way to know that the current state of the CAs doesn't match the auth server's CA configuration (from teleport.yaml). In this case rotation is not strictly necessary for the cluster to continue functioning, but it is necessary in order to start actually using HSM/KMS keys after configuring the feature.I'm also adding the alert at a higher severity when the auth server is not able to sign with any of the keys currently in the CA. This is most likely to happen if migrating from an HSM/KMS back to using software keys. Since there will only be HSM keys in the CA, and the auth has no reference to them, it can't use them and a CA rotation is required to add new software keys.
Changelog: Increased visibility for necessary CA rotations when configuring HSM or KMS backing of CA keys.