Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

keyring: warn if removing a key that was used for encrypting variables #24766

Merged
merged 9 commits into from
Jan 7, 2025
Merged

keyring: warn if removing a key that was used for encrypting variables #24766

merged 9 commits into from
Jan 7, 2025

Conversation

pkazmierczak
Copy link
Contributor

This PR adds an additional check in the Keyring.Delete RPC to make sure we're not trying to delete a key that's been used to encrypt a variable. It also adds a -force flag for the CLI/API to sidestep that check.

Resolves #24591
Internal ref: https://hashicorp.atlassian.net/browse/NET-11829

@pkazmierczak pkazmierczak requested review from a team as code owners December 31, 2024 15:45
@pkazmierczak pkazmierczak added the backport/1.9.x backport to 1.9.x release line label Dec 31, 2024
jrasell
jrasell requested changes Jan 3, 2025
View reviewed changes
Copy link
Member

@jrasell jrasell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for doing this @pkazmierczak!

I tested this locally and couldn't get a delete to work even when using the force flag. I believe we need to populate the RPC request force parameter from the HTTP request here in order for the HTTP->RPC translation to handle this new parameter.

It would also be good if we could address the following items:

  • The CLI help output doesn't include the new flag option.
  • It would be nice to have API and CLI tests to cover this addition as the RPC test did not catch the issue detailed above.
  • Document the API and CLI changes.

.changelog/24766.txt Outdated Show resolved Hide resolved
api/keyring.go Show resolved Hide resolved
nomad/keyring_endpoint.go Outdated Show resolved Hide resolved
@pkazmierczak pkazmierczak requested review from a team as code owners January 3, 2025 15:37
aimeeu
aimeeu approved these changes Jan 3, 2025
View reviewed changes
Copy link
Contributor

@aimeeu aimeeu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for updating the docs!

@pkazmierczak
Copy link
Contributor Author

@jrasell I addressed all your comments, thanks for the thorough review.

jrasell
jrasell approved these changes Jan 7, 2025
View reviewed changes
Copy link
Member

@jrasell jrasell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @pkazmierczak!

I tested this locally on macOS attempting to delete root keys used for both variable encryption and task workload identity.

@pkazmierczak pkazmierczak merged commit 0906f78 into main Jan 7, 2025
32 checks passed
@pkazmierczak pkazmierczak deleted the f-warn-if-removing-used-encryption-key branch January 7, 2025 09:15
@hc-github-team-nomad-core hc-github-team-nomad-core mentioned this pull request Jan 7, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aimeeu aimeeu aimeeu approved these changes

@jrasell jrasell jrasell approved these changes

@gstewart-hashi gstewart-hashi Awaiting requested review from gstewart-hashi gstewart-hashi is a code owner automatically assigned from hashicorp/web-presence

Assignees
No one assigned
Labels
backport/1.9.x backport to 1.9.x release line
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

warn if removing a root key that was used for encrypting Variables
3 participants
@pkazmierczak @jrasell @aimeeu