Comments (5)
Further, we should run the key generation and rotation tasks in the Kubernetes cluster as a cronjob, so that secrets never need to be exposed to our operator computers. This will involve building a Docker image for the key rotator and putting a kubectl run invocation in a makefile, I think.
from prio-server.
Retitled; this is about validating and finishing our implementation of key rotation (deploy-operator, manifest-updater, etc.), and then deploying it in all the prio-server deployments (ISRG/prod-us, ISRG/prod-intl, NCI/prod-us, Google/prod-intl).
When we do this, we should also consider automating key backups (relatedly, see #935). For operational smoothness, it'd be nice if key backups were automated. On the other hand, if we empower some Kubernetes job to do this, then we have to be careful to configure ACLs on the backups so that they cannot be deleted or tainted by a bug somewhere in prio-server. Maybe the versioning features offered by each cloud platform's secrets storage products suffice.
Some thoughts on validations that the key rotation infrastructure will need to implement:
- Keys must either have no versions, or exactly one primary version.
- Post-rotation, keys must have at least one version.
- When being used to update keys in a manifest, keys must have at least one version.
- When being used to update keys in a manifest, keys must have versions with distinct creation times.
- When being used to update keys in a manifest, existing key versions' public portions should match with the public keys written to the manifest, matching by creation time/key ID (both of which would provide the same matching).
- Post-update, manifests must have exactly one packet encryption key version.
- Post-update, manifests must have at least one batch signing key version.
- Post-update, manifests' non-key data must match the pre-update manifest data exactly.
- Post-update, manifests' key data for key versions that exist both pre- & post-update must match exactly.
From discussion in #1114:
Specifically, if a packet encryption key got so far ahead of its related manifests that the key did not include the version advertised as primary in the manifest, we would be asking clients to encrypt with a key we no longer consider valid for decryption. And if a batch signing key got so far ahead of its related manifests that the primary key was not included in the manifest, we would be trying to sign data with a key that we do not recognize as valid for verification.
Both of these conditions can be detected by the key-rotator. We should include in our validations not writing keys that, if the key-rotator fails to write updated manifests, would leave the system in a non-working configuration.