-
Notifications
You must be signed in to change notification settings - Fork 471
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multiple upstream authority plugins support #5101
Comments
So, if I understand correctly, the desired side-effect of having the inactive upstream authority declared, is so that the root authority material for the upstream can be in the bundle? Is there anything else? If that's it, there are other ways we can achieve that today. For example, some plugins support loading additional root CAs (see bundle_file_path here, or supplemental_bundle_path here). If we needed something more broadly scoped that would cover any plugin, this kind of thing could be implemented in SPIRE Server core so that each plugin didn't have to provide a way. There is also the AppendBundle RPC, which can be used to add arbitrary CAs to the bundle. This could be used in advance of activating a new UpstreamAuthority to ensure the upstream authority is available in the bundle well in advance. I'll also mention that SPIRE's prepare/activate cycle for rotating into a new authority already accommodates rolling into a new upstream authority, though the timing can be hard to control explicitly without work from the proposed LocalAuthority API, though that API is not available yet. |
@azdagron yeah, I guess main point is to have new inactive upstream authority CA certificate to be in distributed to clients bundle. I probably can come up with some additional benefits of this approach is the main goal to do that this way as for me. Another point here is that while these are probably viable options to consider and move on with I didn't find any references in documentation to them or to how to safely rotate upstream authority certificate or migrate to another upstream authority. |
Ah, yes, it looks like we have yet to add the |
Seems like my particular use case is already kind of covered since AWS PCA has |
I think this should "just work" if you change your UpstreamCA plugin to point to the new PCA ARN? SPIRE Server will automatically prepare a cert against the new root and distribute that new root in the bundle in advance of using it to sign SVIDs. Just want to check that this isn't sufficient for your case? |
Main concern with that is that certificate changes with this approach is uncontrollable and can lead to high severity incidents. |
AFAICT, the
Is it that you don't have an easy way to extract the next/new CA material and configure onto the plugin? |
Once again
Not really, but I want to highlight once again that it is "manual" operation or need to be automated additionally. It is totally up to you to decide what way you're wanna go further just I do not see reasons why this scenario won't work out of the box with spire and why it does not handle rotation/upstream authority migration without additional efforts from operator side. |
Ok, thanks for your help through this @StupidScience. Since we do have both automatic and manual ways to handle the rotation of an upstream authority (but not via the proposed dual UpstreamAuthority approach), I'm afraid I'm misunderstanding part of your ask. I definitely think there's room for improvement, but it's not clear to me what alternate shapes would fill your requirements I'll go ahead and close this out for now since it seems you're unblocked. Thanks again for the feedback here 🙏 |
Continuing this slack discussion I wanted to suggest support for multiple upstream authorities in spire at time. I think this feature would compliment work that's happening in #1934 and open ways for graceful handling of multiple scenarios, including but not limited:
In order to achieve this I'd like to suggest support of multiple (or strictly 2) upstream authority plugins in server's configuration while only one of them is allowed to be "active", e.g. (very roughly):
That would mean that upstream_ca_2023 is in use to sign all SVIDs, while upstream_ca_2024 is only included to trust bundles that servers distribute to agents/clients. So once operator is ready to switch to new upstream authority they should flip active flag.
That would allow much more control on operator side to make migrations.
Please let me know wdyt?
cc @evan2645
The text was updated successfully, but these errors were encountered: