Force rotation X.509 SVIDs in Agent side #5446
pkg/agent/manager/cache/lru_cache.go
Outdated
} | ||
|
||
agentmetrics.AddCacheManagerTaintedSVIDsSample(c.metrics, "", float32(taintedSVIDs)) | ||
c.log.WithField(telemetry.TaintedSVIDs, taintedSVIDs).Debug("Tainted X.509 SVIDs") |
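Review bot: In the call `agentmetrics.AddCacheManagerTaintedSVIDsSample(c.metrics, "", float32(taintedSVIDs))` the second argument is a bare empty string, so a reader cannot tell what it labels or why it is empty at this call site. Name it with a constant or add a short comment explaining the empty value.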
This should be logged at Info level, as it is in the SVID store cache.
Sorry, forgot to update this... Yeah, agree that this is a user action, and we must info it.
pkg/agent/manager/cache/lru_cache.go
Outdated
c.notifyTaintedBatchProcessed() | ||
return | ||
} | ||
c.log.WithField(telemetry.Count, entriesLeftCount).Debug("Tainted entries left to be processed") |
I would slightly change the message to be consistent with the message about the SVIDs already tainted. I would also make this an Info level message.
c.log.WithField(telemetry.Count, entriesLeftCount).Debug("Tainted entries left to be processed") | |
c.log.WithField(telemetry.Count, entriesLeftCount).Info("There are tainted X.509 SVIDs left to be processed") |
pkg/agent/manager/cache/lru_cache.go
Outdated
|
||
entriesLeftCount := len(entryIDs) | ||
if entriesLeftCount == 0 { | ||
c.log.Debug("Finished processing all tainted entries") |
This should be logged at Info level.
pkg/agent/svid/rotator.go
Outdated
} | ||
|
||
if tainted { | ||
r.c.Log.Debug("Agent SVID is tainted by a root authority, forcing rotation") |
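Review bot: The message in the `if tainted` branch, `r.c.Log.Debug("Agent SVID is tainted by a root authority, forcing rotation")`, carries no structured field, while the cache messages in this PR use `WithField`. If an identifier for the tainted authority is available in this scope, attach it with `WithField` so an operator can tie a forced agent rotation to a specific authority.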
This should be logged at Info level.
* Force rotation of X.509 workload SVIDs in store SVID cache
* Force rotation of Agent SVID

Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
🎉
Which issue this PR fixes
fixes #3907
fixes #3903