Adds manual and automated root rotation support #221

Merged
merged 16 commits into from
Feb 11, 2025


robmonte
Member

Overview

Adds a path and handler for `/rotate-root`, similar to GCP secrets.

Adds support for the new automated root rotation manager in Vault Enterprise.

Contributor Checklist

[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
My Docs PR Link
Example
[ ] Add output for any tests not run in CI to the PR description (e.g., acceptance tests)
[ ] Backwards compatible

@robmonte robmonte requested a review from a team as a code owner January 30, 2025 00:37
Contributor

@fairclothjm fairclothjm left a comment

Looking good! Left some initial comments.

Invalidate: b.invalidate,
InitializeFunc: b.initialize,
Invalidate: b.invalidate,
RotateCredential: b.rotateRootCredential,
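
Review bot: on the `RotateCredential: b.rotateRootCredential,` line, nothing visible here shows whether the manual `/rotate-root` handler from the PR description goes through the same `rotateRootCredential` function as this callback. If the two are separate code paths, a manual rotation and a scheduled one could run at the same time and leave the stored root credential out of step with the one actually in effect. Suggest routing both through one function that serializes rotations, and adding a doc comment on `rotateRootCredential` saying so. The rendered lines have also lost their +/- markers, so it is not clear from this view whether `InitializeFunc: b.initialize,` is new in this change; if it is, the PR overview should mention it.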
Contributor

Did we ever land on a decision around what the API will look like when we add support for static roles? Presumably it will be backwards compatible with this one?

Contributor

We haven't landed on a decision, but the approaches we have discussed should be backwards compatible. Either a net new addition to the `framework.Backend` to isolate static credential rotation methods (e.g. `RotateStaticCredentials`), or, if that feels like overload, we can extend support on this method itself to include static role rotations, and conditionally use either/or based on the rotation job type.

vinay-gopalan previously approved these changes Feb 11, 2025
vinay-gopalan previously approved these changes Feb 11, 2025
@robmonte robmonte merged commit 3d9386a into main Feb 11, 2025
5 checks passed
@robmonte robmonte deleted the VAULT-33326/support-auto-root-rotation branch February 11, 2025 23:13