
keyring: replicate RSA private key via GetKey RPC #19350

Merged (1 commit), Dec 7, 2023

Conversation

tgross (Member) commented Dec 7, 2023

When we added an RSA key for signing Workload Identities, we added it to the keystore serialization but did not also add it to the GetKey RPC. This means that when a key is rotated, the RSA key will not come along. The Nomad leader signs all Workload Identities, and external consumers of WI (like Consul or Vault) will verify the WI using the Keyring.ListPublic RPC that's forwarded to the leader. After a leader election, the new leader will not have the RSA private key and cannot use the existing ed25519 key to verify WIs with the RS256 algorithm.

Add the RSA key material to the GetKey RPC.

Also remove an extraneous write to disk that happens for each key each time we restart the Nomad server.

Fixes: #19340

When we added an RSA key for signing Workload Identities, we added it to the
keystore serialization but did not also add it to the `GetKey` RPC. This means
that when a key is rotated, the RSA key will not come along. The Nomad leader
signs all Workload Identities, but external consumers of WI (like Consul or
Vault) will verify the WI against any of the servers. If the request to verify
hits a follower, the follower will not have the RSA private key and cannot use
the existing ed25519 key to verify WIs with the `RS256` algorithm.

Add the RSA key material to the `GetKey` RPC.

Also remove an extraneous write to disk that happens for each key each time we
restart the Nomad server.

Fixes: #19340
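The replication gap described above, as an added Go illustration that is not Nomad's own code: `RootKey`, `getKeyBefore`, `getKeyAfter`, `signRS256`, `verifyRS256` and `newRootKey` are hypothetical names modelling a keyring entry, the `GetKey` reply before and after the fix, and the RS256 sign/verify path. A reply that omits the RSA key leaves the receiving server unable to verify an RS256 signature, no matter that the ed25519 key arrived intact.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// RootKey models one keyring entry (constructed for this example, not Nomad's own
// type); the same struct stands in for the GetKey RPC reply that replicates it.
type RootKey struct {
	KeyID   string
	Ed25519 ed25519.PrivateKey
	RSA     *rsa.PrivateKey // nil on a server that never received RSA material
}

// getKeyBefore reproduces the bug: the reply carries only the ed25519 key.
func getKeyBefore(k *RootKey) *RootKey { return &RootKey{KeyID: k.KeyID, Ed25519: k.Ed25519} }

// getKeyAfter replicates the full key material, RSA included.
func getKeyAfter(k *RootKey) *RootKey { return &RootKey{KeyID: k.KeyID, Ed25519: k.Ed25519, RSA: k.RSA} }

// signRS256 is the leader side: PKCS#1 v1.5 over SHA-256, which is what RS256 means.
func signRS256(k *RootKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, k.RSA, crypto.SHA256, h[:])
}

// verifyRS256 is the receiving side; ed25519 material cannot stand in for RSA,
// so a missing RSA field is a hard failure rather than a fallback.
func verifyRS256(k *RootKey, msg, sig []byte) error {
	if k.RSA == nil {
		return fmt.Errorf("key %s: no RSA material replicated, cannot verify RS256", k.KeyID)
	}
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(&k.RSA.PublicKey, crypto.SHA256, h[:], sig)
}

// newRootKey generates fresh material the way a key rotation would.
func newRootKey(id string) (*RootKey, error) {
	_, ed, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	return &RootKey{KeyID: id, Ed25519: ed, RSA: rk}, err
}
```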
schmichael (Member) left a comment

Oof. Great catch.

@tgross tgross added the backport/1.7.x backport to 1.7.x release line label Dec 7, 2023
@tgross tgross merged commit f1be76b into main Dec 7, 2023
23 checks passed
@tgross tgross deleted the b-gh13340-keyring-restore branch December 7, 2023 19:15
@tgross tgross modified the milestones: 1.7.x, 1.7.1 Dec 8, 2023
Linked issue this pull request may close: RSA key lost on leader election (1.7.0)