Feature: Adding support for NATS/Blobstore cert rotation without recreating vms #2323
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Config functions to calculate blobstore and nats config shas - New database columns on VM to track current deployed config shas - Methods to test if the config has changed since VM was last deployed Signed-off-by: Joseph Palermo <jpalermo@pivotal.io>
[#179396629] Rotation of certificates/credentials stored in the bosh-agent metadata can be updated without recreating the VM Signed-off-by: Brian Upton <bupton@vmware.com>
* The update_settings method of the agent class now takes a generic hash in preparation for adding more settings to it. * Updated the UpdateInstanceSettingsStep to re-use the existing method on the Instance class instead of re-implementing it. [#179396629] Rotation of certificates/credentials stored in the bosh-agent metadata can be updated without recreating the VM Signed-off-by: Joseph Palermo <jpalermo@vmware.com>
Extracts the blobstore credential redaction into a method on the blobstore in prepartion to use it elsewhere [#179396629] Rotation of certificates/credentials stored in the bosh-agent metadata can be updated without recreating the VM Signed-off-by: Brian Upton <bupton@vmware.com>
- Only if the blobstore has been changed [#179396629] Rotation of certificates/credentials stored in the bosh-agent metadata can be updated without recreating the VM
- Only if the nats signing credentials or server CA have changed - Also persist the new sha1 into the database [#179396629] Rotation of certificates/credentials stored in the bosh-agent metadata can be updated without recreating the VM Signed-off-by: Joseph Palermo <jpalermo@pivotal.io>
…ing deploy [#179396629] Rotation of certificates/credentials stored in the bosh-agent metadata can be updated without recreating the VM Signed-off-by: Joseph Palermo <jpalermo@pivotal.io>
Signed-off-by: Long Nguyen <nguyenlo@vmware.com>
This pre-populates the new blobstore_config_sha1 and nats_config_sha1 columns with the current SHAs when the database is migrated to add the columns. These values are read off of the Bosh::Director::Config global class because: 1. The Sequel gem's migration system does not allow outside parameters to be passed to the migrations. So it is not possible to pass in the full config object directly. 2. The config file path is passed in to the migrate script, so we cannot load the file directly in the migration (unless we assume the config file path) Loading the global state onto the Config method required calling the aptly named `configure_evil_config_singleton!` method, previously only called when the BOSH Director app is launched. [#179396629] TAS-29 Rotation of certificates/credentials stored in the bosh-agent metadata can be updated without recreating the VM
…rectors. This is due to config class tries to read or create uuid if it doesn't exist. Signed-off-by: Brian Upton <bupton@vmware.com>
|
bgandon
approved these changes
Oct 6, 2021
beyhan
reviewed
Oct 7, 2021
| } | ||
| end | ||
|
|
||
| AgentClient.with_agent_id(vm.agent_id, @model.name).update_settings(settings) |
There was a problem hiding this comment.
In this class agent_client.* is used only this place doesn't use it anymore. Maybe we should add a comment to make sure why it doesn't use agent_client.*.
|
What kind of tests have been executed with this change? I also added two general comments to the Feature proposal: #2309 (comment) |
We've run all of the unit tests and we've done manual testing of this change and the bosh agent change. We've tested new director with old agent, old director with new agent, and new director with new agent. We've also tested a full certificate/credential rotation with new director and new agent to verify the happy path works and no VM recreations are needed to rotate the nats and blobstore certificates and credentials. We have NOT run all of the integration tests or Bosh Acceptance Tests. We will probably not run those before merging as they are very expensive to setup and run. We'll instead fix any bugs uncovered by failures in those test suites after the fact (but before we release a new version of the bosh director) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently rotating nats or blobstore certs, vms need to be recreated so BOSH agent can get the new certs.
This was proposed #2309 and is the PR for the changes on the director side