Skip to content

Root key rotate - core side#7218

Merged
jackyalbo merged 2 commits intonoobaa:masterfrom
jackyalbo:jacky-root-key-rotate
Apr 19, 2023
Merged

Root key rotate - core side#7218
jackyalbo merged 2 commits intonoobaa:masterfrom
jackyalbo:jacky-root-key-rotate

Conversation

@jackyalbo
Copy link
Copy Markdown
Contributor

@jackyalbo jackyalbo commented Feb 27, 2023
edited
Loading

Explain the changes

  1. We decided to move key rotation part in core to a daily running process checking if anything is changed with the external root keys file and if so, to re-encrypt the system/systems keys accordingly.
  2. the key files will be under directory /etc/noobaa-server/root_keys. the active root key id will be under /etc/noobaa-server/active_root_key
  3. As trying to support both old format (env-variable) and the new one(a directory mount with no env variable) checks were added to system_server load and also in case of running in the new format and seeing the old format leftovers - those leftovers will get cleaned

in 2nd commit:

  • moving mongodb outside of noobaa tester container (due to issues with the image in M1)
  • like in postgres, mongo will run in its own container and tester will connect to it for DB access.

Issues: Fixed #xxx / Gap #xxx

Testing Instructions:

  1. Fixed Automatically comment out mongo-db code in Tests.Dockerfile when using Mac with M1 #7179
  • Doc added/updated
  • Tests added

@jackyalbo jackyalbo force-pushed the jacky-root-key-rotate branch 2 times, most recently from 67c6ca0 to fa195e0 Compare February 27, 2023 14:39
romayalon
romayalon reviewed Feb 27, 2023
View reviewed changes
Comment thread Makefile Outdated
Comment thread src/server/system_services/master_key_manager.js Outdated
Comment thread src/server/system_services/master_key_manager.js Outdated
Comment thread src/server/system_services/master_key_manager.js Outdated
Comment thread src/server/system_services/master_key_manager.js Outdated
Comment thread src/server/system_services/master_key_manager.js Outdated
Comment thread src/server/system_services/master_key_manager.js Outdated
Comment thread src/server/system_services/master_key_manager.js Outdated
Comment thread src/server/system_services/master_key_manager.js Outdated
Copy link
Copy Markdown
Contributor

@romayalon romayalon Feb 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel we should remove the old format or at least merge it so it won't be even more confusing

Copy link
Copy Markdown
Contributor

@romayalon romayalon Mar 19, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is still relevant

Comment thread src/server/system_services/system_server.js Outdated
@jackyalbo jackyalbo force-pushed the jacky-root-key-rotate branch 2 times, most recently from 74c3c08 to 766bf44 Compare March 2, 2023 15:37
@jackyalbo
Copy link
Copy Markdown
Contributor Author

jackyalbo commented Mar 7, 2023

As discussed with @romayalon and @dannyzaken. I'm resolving all the design issues; moving the key_rotator to bg_worker, and waiting for a re-review.

@jackyalbo jackyalbo force-pushed the jacky-root-key-rotate branch from 766bf44 to 338b800 Compare March 7, 2023 09:57
dannyzaken
dannyzaken reviewed Mar 8, 2023
View reviewed changes
Comment thread Makefile Outdated
Comment thread src/test/unit_tests/coretest.js Outdated
Comment thread src/util/mongo_client.js Outdated
Comment thread src/server/system_services/system_store.js Outdated
Comment thread config.js Outdated
Comment thread src/server/bg_services/key_rotator.js Outdated
Comment thread src/server/bg_services/key_rotator.js Outdated
Comment thread src/server/bg_services/key_rotator.js Outdated
Comment thread src/server/bg_workers.js Outdated
@jackyalbo jackyalbo force-pushed the jacky-root-key-rotate branch from 338b800 to 2358c23 Compare March 8, 2023 18:04
@jackyalbo jackyalbo requested a review from dannyzaken March 9, 2023 13:02
@jackyalbo jackyalbo force-pushed the jacky-root-key-rotate branch from 2358c23 to e9a2dc6 Compare March 9, 2023 14:14
@jackyalbo jackyalbo mentioned this pull request Mar 12, 2023
Merged
1 task
@jackyalbo jackyalbo force-pushed the jacky-root-key-rotate branch from e9a2dc6 to 98b5f42 Compare March 12, 2023 16:05
romayalon
romayalon reviewed Mar 13, 2023
View reviewed changes
Comment thread src/server/bg_services/key_rotator.js Outdated
romayalon
romayalon reviewed Mar 13, 2023
View reviewed changes
Comment thread src/server/system_services/system_store.js Outdated
romayalon
romayalon reviewed Mar 13, 2023
View reviewed changes
Comment thread src/server/system_services/master_key_manager.js Outdated
@baum baum mentioned this pull request Mar 14, 2023
Merged
@jackyalbo jackyalbo force-pushed the jacky-root-key-rotate branch 2 times, most recently from f2d5812 to 6c29fcc Compare March 16, 2023 14:05
romayalon
romayalon reviewed Mar 19, 2023
View reviewed changes
Comment thread config.js Outdated
Comment thread src/server/system_services/master_key_manager.js
Comment thread src/server/system_services/master_key_manager.js Outdated
Copy link
Copy Markdown
Contributor

@romayalon romayalon Mar 19, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is still relevant

Comment thread src/server/system_services/master_key_manager.js Outdated
Comment thread src/server/system_services/master_key_manager.js Outdated
Comment thread src/server/system_services/master_key_manager.js Outdated
@jackyalbo jackyalbo force-pushed the jacky-root-key-rotate branch 3 times, most recently from 69d3da6 to ea3ecda Compare March 23, 2023 15:08
baum
baum reviewed Mar 31, 2023
View reviewed changes
Comment thread src/server/system_services/system_store.js Outdated
@jackyalbo
Root Key rotate - core side
12029e2 
Signed-off-by: jackyalbo <jacky.albo@gmail.com>
@jackyalbo
Addition and fixes for makefile and dockerfiles
65d0f56 
Moving mongo to a docker in the same way we do for Postgres

Signed-off-by: jackyalbo <jacky.albo@gmail.com>
@jackyalbo jackyalbo force-pushed the jacky-root-key-rotate branch from ea3ecda to 65d0f56 Compare April 18, 2023 13:28
baum
baum approved these changes Apr 18, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@baum baum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@jackyalbo jackyalbo merged commit 57b0dde into noobaa:master Apr 19, 2023
@jackyalbo jackyalbo mentioned this pull request Apr 19, 2023
Closed
@Neon-White Neon-White mentioned this pull request Apr 2, 2025
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@romayalon romayalon romayalon left review comments

@dannyzaken dannyzaken Awaiting requested review from dannyzaken

+1 more reviewer

@baum baum baum approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size/L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Automatically comment out mongo-db code in Tests.Dockerfile when using Mac with M1

4 participants

@jackyalbo @baum @dannyzaken @romayalon