Enable periodic, automatic rebuilding of CRLs #16762
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Aug 16, 2022
stevendpclark
force-pushed
the
stevendpclark/pki-ocsp-responder
branch
from
ad2e82e
to
2296498
Compare
cipherboy
force-pushed
the
cipherboy-auto-rebuild-crls
branch
3 times, most recently
from
b35bc20
to
2d2d398
Compare
When enabled, periodic rebuilding of CRLs will improve PKI mounts in two
way:
1. Reduced load during periods of high (new) revocations, as the CRL
isn't rebuilt after each revocation but instead on a fixed schedule.
2. Ensuring the CRL is never stale as long as the cluster remains up,
by checking for next CRL expiry and regenerating CRLs before that
happens. This may increase cluster load when operators have large
CRLs that they'd prefer to let go stale, rather than regenerating
fresh copies.
In particular, we set a grace period before expiration of CRLs where,
when the periodic function triggers (about once a minute), we check
upcoming CRL expirations and check if we need to rebuild the CRLs.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
When testing backends that use the periodic func, and specifically, testing the behavior of that periodic func, waiting for the usual 1m interval can lead to excessively long test execution. By switching to a shorter period--strictly for testing--we can make these tests execute faster. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy
force-pushed
the
cipherboy-auto-rebuild-crls
branch
from
2d2d398
to
e7fe9ea
Compare
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy
force-pushed
the
cipherboy-auto-rebuild-crls
branch
from
6c9e780
to
2232940
Compare
stevendpclark
approved these changes
Aug 23, 2022
kitography
approved these changes
Aug 23, 2022
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This was referenced Aug 24, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This enables automatic, periodic rebuilding of CRLs. When periodic rebuilding of CRLs is enabled, we'll decline to rebuild the CRL on every revocation and instead wait until the next update (or some precipitating event -- revocation of an issuer, manual rebuild, &c). This ensures that there's not a lot of load on the CRL building nodes (also allowing "batch" revocations as a side effect) between expected CRL updates. This also fixes a long-standing bug, wherein the CRL would expire but if an operator does not issue a new revocation (or does not manually trigger a rebuild), we'd let the CRL lapse.
main.