Force rotation X.509 SVIDs in Agent side #5446
Merged
+1,326
−57
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MarcosDY
force-pushed
the
taint-workload-x509-svid-v1
branch
from
4c3a48d
to
476b8d4
Compare
MarcosDY
requested review from
evan2645,
amartinezfayo,
azdagron and
rturner3
as code owners
MarcosDY
force-pushed
the
taint-workload-x509-svid-v1
branch
from
476b8d4
to
9b11a05
Compare
pkg/agent/manager/cache/lru_cache.go
Outdated
| } | ||
|
|
||
| agentmetrics.AddCacheManagerTaintedSVIDsSample(c.metrics, "", float32(taintedSVIDs)) | ||
| c.log.WithField(telemetry.TaintedSVIDs, taintedSVIDs).Debug("Tainted X.509 SVIDs") |
There was a problem hiding this comment.
This should be logged at Info level, as it is in the SVID store cache.
There was a problem hiding this comment.
sorry forgot to update this.. yeah, agree that this is an user action, and we must info it
pkg/agent/manager/cache/lru_cache.go
Outdated
| c.notifyTaintedBatchProcessed() | ||
| return | ||
| } | ||
| c.log.WithField(telemetry.Count, entriesLeftCount).Debug("Tainted entries left to be processed") |
There was a problem hiding this comment.
I would change slightly the message to be consistent with the message about the SVIDs already tainted. I would also make this an Info level message.
Suggested change
| c.log.WithField(telemetry.Count, entriesLeftCount).Debug("Tainted entries left to be processed") | |
| c.log.WithField(telemetry.Count, entriesLeftCount).Info("There are tainted X.509 SVIDs left to be processed") |
pkg/agent/manager/cache/lru_cache.go
Outdated
|
|
||
| entriesLeftCount := len(entryIDs) | ||
| if entriesLeftCount == 0 { | ||
| c.log.Debug("Finished processing all tainted entries") |
There was a problem hiding this comment.
This should be logged at Info level.
pkg/agent/svid/rotator.go
Outdated
| } | ||
|
|
||
| if tainted { | ||
| r.c.Log.Debug("Agent SVID is tainted by a root authority, forcing rotation") |
There was a problem hiding this comment.
This should be logged at Info level.
* Force rotation of X.509 workload SVIDs in store SVID cache * Force rotation of Agent SVID Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
MarcosDY
force-pushed
the
taint-workload-x509-svid-v1
branch
from
4731477
to
0675270
Compare
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Which issue this PR fixes
fixes #3907
fixes #3903