Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add integration tests for force rotation and revocation #5526

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Add integration tests for force rotation and revocation #5526

wants to merge 4 commits into from

Conversation

MarcosDY
Copy link
Collaborator

Add integration tests for force rotation and revocation

  • Self-singed authority: Starts a nested SPIRE server to test force rotation and revocation scenarios.
  • Upstream authority: Use a disk-based upstream authority to test force rotation and revocation scenarios.

Which issue this PR fixes
fixes: #5440 #5439

@MarcosDY
Add integration tests for force rotation and revocation
ea91938 
- Self-singed authority: Starts a nested SPIRE server to test force rotation and revocation scenarios.
- Upstream authority: Use a disk-based upstream authority to test force rotation and revocation scenarios.

Signed-off-by: Marcos Yacob <[email protected]>
@MarcosDY
Update readme
abfc165 
Signed-off-by: Marcos Yacob <[email protected]>
@MarcosDY
authority permisions
5373843 
Signed-off-by: Marcos Yacob <[email protected]>
@MarcosDY
rename variables to be consistent
b22951a 
Signed-off-by: Marcos Yacob <[email protected]>
@rturner3 rturner3 added this to the 1.11.0 milestone Oct 1, 2024
amartinezfayo
amartinezfayo reviewed Oct 5, 2024
View reviewed changes
Copy link
Member

@amartinezfayo amartinezfayo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you very much for this, @MarcosDY!

test/integration/suites/force-rotation-self-signed/README.md
@@ -0,0 +1,26 @@
# Force rotation in selt-signed X.509 authority Suite
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Force rotation in selt-signed X.509 authority Suite
# Force rotation with self-signed X.509 authority Suite

test/integration/suites/force-rotation-self-signed/README.md
## Description

This test suite configures a self-signed CA in the root-server,
and excersices forced rotation of CA certificates across nested servers.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
and excersices forced rotation of CA certificates across nested servers.
and exercises forced rotation of CA certificates across nested servers.

test/integration/suites/force-rotation-self-signed/README.md
## Test steps

1. **Prepare a new X.509 authority**: Validate that the new X.509 authority is propagated to all nested servers.
2. **Activate the new X.509 authority**: Ensure the new X.509 authority becomes active.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
2. **Activate the new X.509 authority**: Ensure the new X.509 authority becomes active.
2. **Activate the new X.509 authority**: Ensure that the new X.509 authority becomes active.

test/integration/suites/force-rotation-self-signed/README.md
1. **Prepare a new X.509 authority**: Validate that the new X.509 authority is propagated to all nested servers.
2. **Activate the new X.509 authority**: Ensure the new X.509 authority becomes active.
3. **Taint the old X.509 authority**: Confirm that the tainted authority is propagated to nested servers and that all X.509 SVIDs are rotated accordingly.
4. **Revoke the tainted X.509 authority**: Validate the revocation propagates to all nested servers, and that all SVIDs removes the revoked authority.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
4. **Revoke the tainted X.509 authority**: Validate the revocation propagates to all nested servers, and that all SVIDs removes the revoked authority.
4. **Revoke the tainted X.509 authority**: Validate that the revocation instruction is propagated to all nested servers, and that all SVIDs have the revoked authority removed.

test/integration/suites/force-rotation-self-signed/intermediateA/server/server.conf
Comment on lines +7 to +8
ca_ttl = "56h"
default_x509_svid_ttl = "19h"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we have a small comment about the rationale behind these values?

test/integration/suites/force-rotation-self-signed/leafA/server/server.conf
Comment on lines +7 to +8
ca_ttl = "19h"
default_x509_svid_ttl = "6h"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we have a small comment about the rationale behind these values?

test/integration/suites/force-rotation-upstream-authority/README.md
## Test steps

1. **Prepare a new X.509 authority**: Verify that a new X.509 authority is successfully created.
2. **Activate the new X.509 authority**: Ensure the new X.509 authority becomes the active authority.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
2. **Activate the new X.509 authority**: Ensure the new X.509 authority becomes the active authority.
2. **Activate the new X.509 authority**: Ensure that the new X.509 authority becomes the active authority.

test/integration/suites/force-rotation-upstream-authority/README.md

1. **Prepare a new X.509 authority**: Verify that a new X.509 authority is successfully created.
2. **Activate the new X.509 authority**: Ensure the new X.509 authority becomes the active authority.
3. **Taint the old X.509 authority**: Confirm that the old X.509 authority is marked as tainted, and verify that the taint is propagated to the agent, triggering rotation of all X.509 SVIDs.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
3. **Taint the old X.509 authority**: Confirm that the old X.509 authority is marked as tainted, and verify that the taint is propagated to the agent, triggering rotation of all X.509 SVIDs.
3. **Taint the old X.509 authority**: Confirm that the old X.509 authority is marked as tainted, and verify that the taint instruction is propagated to the agent, triggering the rotation of all X.509 SVIDs.

test/integration/suites/force-rotation-upstream-authority/README.md
1. **Prepare a new X.509 authority**: Verify that a new X.509 authority is successfully created.
2. **Activate the new X.509 authority**: Ensure the new X.509 authority becomes the active authority.
3. **Taint the old X.509 authority**: Confirm that the old X.509 authority is marked as tainted, and verify that the taint is propagated to the agent, triggering rotation of all X.509 SVIDs.
4. **Revoke the tainted X.509 authority**: Validate that the revocation is propagated to the agent and that all SVIDs remove the revoked authority.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
4. **Revoke the tainted X.509 authority**: Validate that the revocation is propagated to the agent and that all SVIDs remove the revoked authority.
4. **Revoke the tainted X.509 authority**: Validate that the revocation instruction is propagated to the agent and that all the SVIDs have the the revoked authority removed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@amartinezfayo amartinezfayo amartinezfayo left review comments

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@azdagron azdagron Awaiting requested review from azdagron azdagron is a code owner

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@amartinezfayo amartinezfayo

Labels
None yet
Projects
None yet
Milestone
1.11.0
Development

Successfully merging this pull request may close these issues.

Integration test: Force rotation nested spire with Upstream authority
3 participants
@MarcosDY @amartinezfayo @rturner3