keystore: add active health checker

[dboslee]

the active health checker performs signing requests against CAs.

failed signing requests are reported back to a callback which will trip teleports readiness state.

the health checker watches CA events to ensure that the keys being tested are kept up-to-date.

this can be enabled by configuring

keystore:
  health_check:
    active:
      enabled: true

this config format leaves room for adding alternative health checking methods and additional parameters for the active health checker

changelog: Added support for health checks to monitor cert authority availability and affect Teleport Auth readiness

[nklaassen]

seems this may be called twice, flaky test detector is catching a negative waitgroup counter

you could probably try using synctest here instead of a fake clock https://pkg.go.dev/testing/synctest, then you could just "sleep" instead of advancing the clock and if done right it should guarantee the health check runs before your test continues

[dboslee]

👍 I'll give it a shot, I haven't messed with synctest before.

[dboslee]

good to know this is an option, thanks. updated in 214f551

[nklaassen]

couldn't you just call GetTLSCertAndSigner instead of adding this method?

[dboslee]

Yeah I was trying to make the API more consistent but I could also just drop the cert in the health checker

[nklaassen]

doesn't really matter, but if you prefer to add the GetTLSSigner method, can you just move it right next to GetTLSCertAndSigner?

[dboslee]

moved in 3b14f71

[nklaassen]

this test of the deprecated watcher should not be updated though

[dboslee]

I think this is just a bad diff, the deprecated watcher test is not modified.

[nklaassen]

I think it's right, this test should exercise the deprecated watcher, I just don't think the comment should say it should be updated (i assume it's a copy/paste error)

[dboslee]

I miss understood. I will update to say something along the lines of "remove the test when the deprecated method is no longer used"

[dboslee]

updated the lint comment in 6b773ab

[fspmarshall]

The process of selecting the next signer is a bit funky. The local signer store isn't sorted, and the API doesn't specify that the upstream data source sending the new signer list needs to send them sorted. Additionally, this seeking logic just always restarts at the beginning if it can't find where it left off.

Admittedly, the set of signers for a cluster is small and relatively static, so these may be non-issues. I doubt we'd actually have problems unless something else was going wrong, but if you find the time I think it would be better practice to do one of the following:

• Sort the local signer store by <domain-name>/<kind> (or vise-versa) and then select the lexicographically next value. That way we don't need to rely on the upstream yielding a sorted sequence, and can continue where we left off in the face of removals.

• Do away with stepping through one signer each "tick" in favor of just health checking all of them each tick. If load is a concern, adding a cpl hundred ms of rate limiting to the inner check loop would probably be fine.

[dboslee]

good point, I will update to use the lexical sorting approach.

This is mostly intended for KMS integrations which have quota and cost implications. for example aws kms asymmetric crypto operations have a default 1000 req/second limit (for a region not per key) and costs $0.15 / 10000 requests.

at a rate of 1 req/minute the cost works out to $7.88 per key per year. Or just $7.88 since we're doing 1 key at a time.

we don't do it often but we did add two CAs in v18 and each CA can contain multiple keys so I'd rather keep the load/cost of this small and predictable.