Dynamic secrets/certificate rotation #553

Closed
Tracked by #612
ja20222 opened this issue Apr 5, 2023 · 0 comments · Fixed by #807
Labels
area/control-plane General control plane issues enhancement New feature or request refined Requirements are refined and the issue is ready to be implemented.
Comments


ja20222 commented Apr 5, 2023

As a user of NKG
I want NKG to update my configuration when I update my secrets
So that I do not need to redeploy my Gateway to update my certificates.

Acceptance Criteria

  • Secrets should be watched by the control plane and re-applied when referenced by a Gateway that we accepted.
  • Gateway compatibility doc is updated, mention that secrets are applied when changed.
@pleshakov pleshakov added area/nginx-configuration Relates to nginx configuration area/control-plane General control plane issues bug Something isn't working enhancement New feature or request and removed area/nginx-configuration Relates to nginx configuration bug Something isn't working labels Apr 7, 2023
@pleshakov pleshakov added this to the v1.0.0 milestone Apr 7, 2023
@mpstefan mpstefan modified the milestones: v1.0.0, v0.5.0 Jun 5, 2023
@mpstefan mpstefan added the refined Requirements are refined and the issue is ready to be implemented. label Jun 5, 2023
@pleshakov pleshakov self-assigned this Jun 15, 2023
@pleshakov pleshakov moved this from 🆕 New to 🏗 In Progress in NGINX Gateway Fabric Jun 15, 2023
pleshakov added a commit to pleshakov/nginx-gateway-fabric that referenced this issue Jun 16, 2023
Problem:
Watch for secret updates
Solves nginxinc#553

Solution:
Watch for secret updates
@pleshakov pleshakov mentioned this issue Jun 30, 2023
@pleshakov pleshakov moved this from 🏗 In Progress to 👀 In Review in NGINX Gateway Fabric Jun 30, 2023
pleshakov added a commit to pleshakov/nginx-gateway-fabric that referenced this issue Jul 7, 2023
Problem:
NKG doesn't watch for updates of TLS Secrets referenced by Gateway
resource.

Solution:
- Move secrets processing into ChangeProcessor.
- Introduce helper secretResolver component to resolve Secrets (includes
validation) and capture resolved Secrets.
- When building Gateway Listener, resolve Secrets using secretResolver.
- When building Graph, add referenced Secrets by Gateway to the Graph,
including the ones that don't exist.
- When Upserting or Deleting a Secret to ChangeProcessor, use Graph
to determine if the Secret is referenced by the Graph and thus changes
the store.
- When building Configuration, add all TLS Secrets to it referenced
by _valid_ TLS Listeners.
- Update NGINX file.Manager so that it can deal with multiple files
of two types: regular and secret.
- Remove SecretStore and SecretDiskMemoryManager components.

Solves nginxinc#553
Solves nginxinc#441

Testing:
- Update affected and add new unit tests
- Manual testing
- Conformance testing. Relevant tests pass:
TestConformance/GatewayInvalidTLSConfiguration
pleshakov added a commit that referenced this issue Jul 7, 2023
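An added example, not NGINX Gateway Fabric's own code, that models the design in the commit message above: the Graph records every Secret a listener references, present or missing, an upsert or delete is a change only when the Secret is referenced, and only valid listeners' Secrets reach the configuration. All types and names here are hypothetical simplifications, and validation is reduced to "cert and key are non-empty".

```go
package main

// Hypothetical minimal types, not NGINX Gateway Fabric's own code.
type NamespacedName struct{ Namespace, Name string }
type Secret struct{ Cert, Key []byte } // assumption: only cert and key bytes matter for validation

// ChangeProcessor follows the commit message's design: the Graph records every Secret a Gateway
// listener references, present or missing, so a later upsert of a missing Secret still counts
// as a change, while only valid listeners' Secrets reach the NGINX configuration.
type ChangeProcessor struct {
	secrets    map[NamespacedName]*Secret
	referenced map[NamespacedName]bool // the Graph: every Secret referenced by a listener
	valid      []NamespacedName         // Secrets of listeners that resolved and validated
}

func NewChangeProcessor() *ChangeProcessor {
	return &ChangeProcessor{secrets: map[NamespacedName]*Secret{}, referenced: map[NamespacedName]bool{}}
}

// BuildGraph plays the secretResolver role for each listener's Secret reference: it records the
// reference whether or not the Secret exists and keeps only those that resolve and validate.
func (p *ChangeProcessor) BuildGraph(listenerSecrets []NamespacedName) {
	p.referenced, p.valid = map[NamespacedName]bool{}, nil
	for _, ref := range listenerSecrets {
		p.referenced[ref] = true
		if s, ok := p.secrets[ref]; ok && len(s.Cert) > 0 && len(s.Key) > 0 {
			p.valid = append(p.valid, ref)
		}
	}
}

// UpsertSecret stores the Secret and reports whether the store changed: only referenced Secrets
// do, which is what lets an update to an unrelated Secret skip reconfiguration.
func (p *ChangeProcessor) UpsertSecret(ref NamespacedName, s *Secret) bool {
	p.secrets[ref] = s
	return p.referenced[ref]
}

// DeleteSecret removes the Secret; again only a referenced Secret is a change.
func (p *ChangeProcessor) DeleteSecret(ref NamespacedName) bool {
	delete(p.secrets, ref)
	return p.referenced[ref]
}

// ConfigSecrets returns the TLS Secrets written to the NGINX configuration after the last BuildGraph.
func (p *ChangeProcessor) ConfigSecrets() []NamespacedName { return p.valid }
```

After a change is reported, the caller rebuilds the Graph, which is how a listener whose Secret was missing becomes valid once the Secret appears, and invalid again when it is deleted.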
@github-project-automation github-project-automation bot moved this from 👀 In Review to ✅ Done in NGINX Gateway Fabric Jul 7, 2023