Machine ID: Per-ouput certificate_ttl and renewal_interval
#51956
Conversation
| } | ||
|
|
||
| if l.TTL < l.RenewalInterval && !oneShot { | ||
| log.WarnContext( |
There was a problem hiding this comment.
I re-homed these warnings from BotConfig.CheckAndSetDefaults.
Ideally, we'd return an error (so they'd get wrapped with the service[%d] prefix) but decided not to as making this a "hard fail" would be a breaking change.
There was a problem hiding this comment.
I would expect validate to return the error, a specific kind and the caller decides what to do with it.
There might be cases where an hard error is required
boxofrad
force-pushed
the
boxofrad/tbot-per-service-cert-lifetimes
branch
from
e568275 to
292ab59
Compare
…me` struct These values are always required together, and moving them into a struct will make it more straightforward to override them per-service/output.
boxofrad
force-pushed
the
boxofrad/tbot-per-service-cert-lifetimes
branch
from
292ab59 to
1787f24
Compare
boxofrad
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
|
Amplify deployment status
|
| func (o *WorkloadIdentityJWTService) GetCertificateLifetime() CertificateLifetime { | ||
| return CertificateLifetime{} | ||
| } |
There was a problem hiding this comment.
I didn't add it for this output because although there is a TTL, it felt wrong referring to it as the "certificate TTL" because it's really the JWT TTL.
There was a problem hiding this comment.
What if we renamed certificate -> credential? That might make more sense in regards to both JWTs and X509? Imho, this is actually one of the more useful outputs to use this on since I'd expect a JWT to require a very short TTL (e.g 5 minutes).
There was a problem hiding this comment.
Good point! Rename it just on this output, or on them all?
There was a problem hiding this comment.
Probably better to be consistent and rename on them all - but I can see how that creates a problem with the fields on the root configuration resource. I assume supporting both names on the root config would be challenging? We could deprecate the usage of certificate_ttl and encourage migration to credential_ttl. WDYT?
There was a problem hiding this comment.
+1 on renaming to be consistent
boxofrad
force-pushed
the
boxofrad/tbot-per-service-cert-lifetimes
branch
from
03c6ed2 to
599c8d7
Compare
boxofrad
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
github-actions
bot
requested review from
bernardjkim,
hugoShaka and
jimbishopp
github-actions
bot
requested review from
marcoandredinis,
mmcallister,
ptgott,
r0mant,
tigrato,
timothyb89,
xinding33 and
zmb3
There was a problem hiding this comment.
Most of these outputs/services will have a test named something like TestApplicationOutput_YAML. That test usually has a "full" case where we try and set all of the possible config values. It'd be great to see the CertificateLifetime fields added to this. I've witnessed some really weird behaviour from our YAML marshal/unmarshaling libraries before, and those tests are fairly good at identifying when this happens.
Implements #51560 by adding
certificate_ttlandrenewal_intervaloptions to all tbot services/outputs, allowing you to control their certificate lifecycles separately fromtbot's internal identity.This is useful when you use
tbotin one-shot mode to authenticate a cron job, because it enables you to set a long enough TTL ontbot's internal identity to survive until the next run, but a suitable short TTL on the workload's identity.Example config:
changelog: tbot: support overriding
certificate_ttlandrenewal_intervalon most outputs and services