-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for generating Delta CRLs #16773
Conversation
c99f0c2
to
93da855
Compare
032235f
to
76bad87
Compare
05f2f2f
to
b814748
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Holding off on an approval until tests (that I could walk through to try to make sense of the locks-on-build-where), but I think you are on the right track.
} | ||
|
||
// Last is setup during newCRLBuilder(...), so we don't need to deal with | ||
// a zero condition. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is super smart
48b668d
to
ceef225
Compare
0301ba7
to
a91cb51
Compare
a91cb51
to
442cc4c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A great start for this feature! I think I need another pass on Monday, but added some thoughts for this initial review
cfg, err := cb.getConfigWithUpdate(sc) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
if !cfg.EnableDelta { | ||
// We explicitly do not update the last check time here, as we | ||
// want to persist the last rebuild window if it hasn't been set. | ||
return nil | ||
} | ||
|
||
deltaRebuildDuration, err := time.ParseDuration(cfg.DeltaRebuildInterval) | ||
if err != nil { | ||
return err | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could this happen prior to us grabbing the _builder.Lock()?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to fix the config instead? Or do you want to delay the lock until after this conditional, so if fetching the config in the first place fails, we bail?
That said, we shouldn't bail here as we verify this condition during setting of the config :P
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Either option is acceptable to me, if we are fixing then the lock prior makes sense. If we are just going to bail might as well do it prior to grabbing the lock.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we wait to grab the lock until we commit to doing the actual rebuild then...? Hmmm
if _, err := time.ParseDuration(deltaRebuildInterval); err != nil { | ||
return logical.ErrorResponse(fmt.Sprintf("given delta_rebuild_interval could not be decoded: %s", err)), nil | ||
} | ||
config.DeltaRebuildInterval = deltaRebuildInterval |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Validate that we haven't been passed in a value less than periodFunc interval?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sadly we don't have a response right now for this handler, so we can't add warnings... Do we want to return the set structure instead?
We (abuse) this code path in the test cases right now, like we do with AutoRebuild grace period, maybe we should later refactor the config to return the set config and add the warnings?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good.
While switching to periodic rebuilds of CRLs alleviates the constant rebuild pressure on Vault during times of high revocation, the CRL proper becomes stale. One response to this is to switch to OCSP, but not every system has support for this. Additionally, OCSP usually requires connectivity and isn't used to augment a pre-distributed CRL (and is instead used independently). By generating delta CRLs containing only new revocations, an existing CRL can be supplemented with newer revocations without requiring Vault to rebuild all complete CRLs. Admins can periodically fetch the delta CRL and add it to the existing CRL and applications should be able to support using serials from both. Because delta CRLs are emptied when the next complete CRL is rebuilt, it is important that applications fetch the delta CRL and correlate it to their complete CRL; if their complete CRL is older than the delta CRL's extension number, applications MUST fetch the newer complete CRL to ensure they have a correct combination. This modifies the revocation process and adds several new configuration options, controlling whether Delta CRLs are enabled and when we'll rebuild it. Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
Thanks Steve! Signed-off-by: Alexander Scheel <[email protected]>
442cc4c
to
fb8dd84
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me.
@stevendpclark I've updated the PR so it only invokes the periodic func on active nodes. |
We need to ensure we read the updated config (in case of OCSP request handling on standby nodes), but otherwise want to avoid CRL/DeltaCRL re-building. Signed-off-by: Alexander Scheel <[email protected]>
10702f6
to
ea54cb0
Compare
While switching to periodic rebuilds of CRLs alleviates the constant
rebuild pressure on Vault during times of high revocation, the CRL
proper becomes stale. One response to this is to switch to OCSP, but not
every system has support for this. Additionally, OCSP usually requires
connectivity and isn't used to augment a pre-distributed CRL (and is
instead used independently).
By generating delta CRLs containing only new revocations, an existing
CRL can be supplemented with newer revocations without requiring Vault
to rebuild all complete CRLs. Admins can periodically fetch the delta
CRL and add it to the existing CRL and applications should be able to
support using serials from both.
Because delta CRLs are emptied when the next complete CRL is rebuilt, it
is important that applications fetch the delta CRL and correlate it to
their complete CRL; if their complete CRL is older than the delta CRL's
extension number, applications MUST fetch the newer complete CRL to
ensure they have a correct combination.
This modifies the revocation process and adds several new configuration
options, controlling whether Delta CRLs are enabled and when we'll
rebuild it.
Add-- waiting on this until asked fordelta_crl_path
to AIA URLs (rebase chain after Add per-issuer AIA URI information to PKI secrets engine #16563 merges) --- requires new X509 extension.