Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sa: GetRevokedCerts returns explicit shards too #7918

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

sa: GetRevokedCerts returns explicit shards too #7918

wants to merge 6 commits into from
+180 −80

Conversation

jsha
Copy link
Contributor

@jsha jsha commented Jan 7, 2025
edited
Loading

Change GetRevokedCerts to return a combined list of certs for a given shard, calculating shard membership temporally and by explicit assignment to a shard in the revokedCertificates table.

This functionality is gated on the ShardIdx field of GetRevokedCertsRequest. If it is zero, revoked certs will only be returned from a given temporal shard (and we assume that no certs have been assigned to any explicit shard yet).

After we start sending the ShardIdx field, and also start writing entries to the revokedCertificates table, this will result in CRL sizes doubling for several months until we retire the temporal sharding code, since most revoked certificates will be included in one shard based on their entry in revokedCertificates, and a different shard based on their issuance time.

Update the tests to cover more cases, and reduce duplication somewhat.

Update test.ThrowAwayCert to document the lifetime it uses, and to generate serial numbers that are the same length as used in the rest of boulder (which makes debug output using serials easier to read).

Part of #7094

jsha added 5 commits January 9, 2025 15:59
@jsha
sa: GetRevokedCerts returns explicit shards too
b5525e4 
Change GetRevokedCerts to return a combined list of certs for a given shard,
calculating shard membership temporally _and_ by explicit assignment to a shard
in the revokedCertificates table.

This functionality is gated on the ShardIdx field of GetRevokedCertsRequest.
If it is zero, revoked certs will only be returned from a given temporal shard
(and we assume that no certs have been assigned to any explicit shard yet).

After we start sending the ShardIdx field, and also start writing entries to the
revokedCertificates table, this will result in CRL sizes doubling for
several months until we retire the temporal sharding code, since most revoked
certificates will be included in one shard based on their entry in
revokedCertificates, and a different shard based on their issuance time.
@jsha
update comment
ea93022
@jsha
Make tests work
4a07984
@jsha
Update tests
4708117
@jsha
More test fixes
824e6e2
@jsha jsha force-pushed the get-revoked-both-kinds branch from cf603c0 to 824e6e2 Compare January 9, 2025 23:59
@jsha jsha marked this pull request as ready for review January 10, 2025 00:20
@jsha jsha requested a review from a team as a code owner January 10, 2025 00:20
@jsha jsha requested a review from aarongable January 10, 2025 00:20
@jsha jsha mentioned this pull request Jan 10, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aarongable aarongable Awaiting requested review from aarongable aarongable is a code owner automatically assigned from letsencrypt/boulder-developers

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jsha