Update to tidy status and docs (#20442)

* Add missing tidy-status state values

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on auto-tidy reading

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing tidy status field revocation_queue_safety_buffer

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Include pause_duration in tidy-status docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add date of last auto-tidy operation to status

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Alexander Scheel 2023-05-01 10:26:29 -04:00 committed by GitHub
parent b743ada5ab
commit 32a7f8250a
4 changed files with 91 additions and 5 deletions


@ -4007,6 +4007,7 @@ func TestBackend_RevokePlusTidy_Intermediate(t *testing.T) {
expectedData := map[string]interface{}{ expectedData := map[string]interface{}{
"safety_buffer": json.Number("1"), "safety_buffer": json.Number("1"),
"issuer_safety_buffer": json.Number("31536000"), "issuer_safety_buffer": json.Number("31536000"),
"revocation_queue_safety_buffer": json.Number("172800"),
"tidy_cert_store": true, "tidy_cert_store": true,
"tidy_revoked_certs": true, "tidy_revoked_certs": true,
"tidy_revoked_cert_issuer_associations": false, "tidy_revoked_cert_issuer_associations": false,
@ -4019,6 +4020,7 @@ func TestBackend_RevokePlusTidy_Intermediate(t *testing.T) {
"error": nil, "error": nil,
"time_started": nil, "time_started": nil,
"time_finished": nil, "time_finished": nil,
"last_auto_tidy_finished": nil,
"message": nil, "message": nil,
"cert_store_deleted_count": json.Number("1"), "cert_store_deleted_count": json.Number("1"),
"revoked_cert_deleted_count": json.Number("1"), "revoked_cert_deleted_count": json.Number("1"),
@ -4040,6 +4042,7 @@ func TestBackend_RevokePlusTidy_Intermediate(t *testing.T) {
t.Fatal("Expected tidy status response to include a value for time_finished") t.Fatal("Expected tidy status response to include a value for time_finished")
} }
expectedData["time_finished"] = timeFinished expectedData["time_finished"] = timeFinished
expectedData["last_auto_tidy_finished"] = tidyStatus.Data["last_auto_tidy_finished"]
if diff := deep.Equal(expectedData, tidyStatus.Data); diff != nil { if diff := deep.Equal(expectedData, tidyStatus.Data); diff != nil {
t.Fatal(diff) t.Fatal(diff)
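Review bot: Copying `tidyStatus.Data["last_auto_tidy_finished"]` directly into `expectedData` means the following `deep.Equal` can never fail on that field, so the test no longer verifies that the new value is present or non-nil. Mirror the `time_finished` handling a few lines above: read the value, fail when it is missing or nil, and only then place it in the expected map; per the docs in this commit the field is seeded at mount time, so a nil here would indicate a regression. The remainder of TestBackend_RevokePlusTidy_Intermediate lies outside the hunk.
```go
expectedData["time_finished"] = timeFinished
lastAutoTidy, ok := tidyStatus.Data["last_auto_tidy_finished"]
if !ok || lastAutoTidy == nil {
	t.Fatal("Expected tidy status response to include a value for last_auto_tidy_finished")
}
expectedData["last_auto_tidy_finished"] = lastAutoTidy
// … unchanged: deep.Equal comparison …
```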


@ -35,8 +35,10 @@ const (
type tidyStatus struct { type tidyStatus struct {
// Parameters used to initiate the operation // Parameters used to initiate the operation
safetyBuffer int safetyBuffer int
issuerSafetyBuffer int issuerSafetyBuffer int
revQueueSafetyBuffer int
tidyCertStore bool tidyCertStore bool
tidyRevokedCerts bool tidyRevokedCerts bool
tidyRevokedAssocs bool tidyRevokedAssocs bool
@ -152,6 +154,11 @@ func pathTidyCancel(b *backend) *framework.Path {
Description: `Issuer safety buffer`, Description: `Issuer safety buffer`,
Required: false, Required: false,
}, },
"revocation_queue_safety_buffer": {
Type: framework.TypeInt,
Description: `Revocation queue safety buffer`,
Required: true,
},
"tidy_cert_store": { "tidy_cert_store": {
Type: framework.TypeBool, Type: framework.TypeBool,
Description: `Tidy certificate store`, Description: `Tidy certificate store`,
@ -197,6 +204,11 @@ func pathTidyCancel(b *backend) *framework.Path {
Description: `Time the operation finished`, Description: `Time the operation finished`,
Required: false, Required: false,
}, },
"last_auto_tidy_finished": {
Type: framework.TypeString,
Description: `Time the last auto-tidy operation finished`,
Required: true,
},
"message": { "message": {
Type: framework.TypeString, Type: framework.TypeString,
Description: `Message of the operation`, Description: `Message of the operation`,
@ -288,6 +300,11 @@ func pathTidyStatus(b *backend) *framework.Path {
Description: `Issuer safety buffer`, Description: `Issuer safety buffer`,
Required: true, Required: true,
}, },
"revocation_queue_safety_buffer": {
Type: framework.TypeInt,
Description: `Revocation queue safety buffer`,
Required: true,
},
"tidy_cert_store": { "tidy_cert_store": {
Type: framework.TypeBool, Type: framework.TypeBool,
Description: `Tidy certificate store`, Description: `Tidy certificate store`,
@ -336,6 +353,11 @@ func pathTidyStatus(b *backend) *framework.Path {
"time_finished": { "time_finished": {
Type: framework.TypeString, Type: framework.TypeString,
Description: `Time the operation finished`, Description: `Time the operation finished`,
Required: false,
},
"last_auto_tidy_finished": {
Type: framework.TypeString,
Description: `Time the last auto-tidy operation finished`,
Required: true, Required: true,
}, },
"message": { "message": {
@ -1449,6 +1471,8 @@ func (b *backend) pathTidyStatusRead(_ context.Context, _ *logical.Request, _ *f
resp.Data["missing_issuer_cert_count"] = b.tidyStatus.missingIssuerCertCount resp.Data["missing_issuer_cert_count"] = b.tidyStatus.missingIssuerCertCount
resp.Data["revocation_queue_deleted_count"] = b.tidyStatus.revQueueDeletedCount resp.Data["revocation_queue_deleted_count"] = b.tidyStatus.revQueueDeletedCount
resp.Data["cross_revoked_cert_deleted_count"] = b.tidyStatus.crossRevokedDeletedCount resp.Data["cross_revoked_cert_deleted_count"] = b.tidyStatus.crossRevokedDeletedCount
resp.Data["revocation_queue_safety_buffer"] = b.tidyStatus.revQueueSafetyBuffer
resp.Data["last_auto_tidy_finished"] = b.lastTidy
switch b.tidyStatus.state { switch b.tidyStatus.state {
case tidyStatusStarted: case tidyStatusStarted:
@ -1624,6 +1648,7 @@ func (b *backend) tidyStatusStart(config *tidyConfig) {
b.tidyStatus = &tidyStatus{ b.tidyStatus = &tidyStatus{
safetyBuffer: int(config.SafetyBuffer / time.Second), safetyBuffer: int(config.SafetyBuffer / time.Second),
issuerSafetyBuffer: int(config.IssuerSafetyBuffer / time.Second), issuerSafetyBuffer: int(config.IssuerSafetyBuffer / time.Second),
revQueueSafetyBuffer: int(config.QueueSafetyBuffer / time.Second),
tidyCertStore: config.CertStore, tidyCertStore: config.CertStore,
tidyRevokedCerts: config.RevokedCerts, tidyRevokedCerts: config.RevokedCerts,
tidyRevokedAssocs: config.IssuerAssocs, tidyRevokedAssocs: config.IssuerAssocs,
@ -1780,6 +1805,7 @@ The result includes the following fields:
* 'revocation_queue_deleted_count': the number of revocation queue entries deleted * 'revocation_queue_deleted_count': the number of revocation queue entries deleted
* 'tidy_cross_cluster_revoked_certs': the value of this parameter when initiating the tidy operation * 'tidy_cross_cluster_revoked_certs': the value of this parameter when initiating the tidy operation
* 'cross_revoked_cert_deleted_count': the number of cross-cluster revoked certificate entries deleted * 'cross_revoked_cert_deleted_count': the number of cross-cluster revoked certificate entries deleted
* 'revocation_queue_safety_buffer': the value of this parameter when initiating the tidy operation
` `
const pathConfigAutoTidySyn = ` const pathConfigAutoTidySyn = `
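Review bot: The `revocation_queue_safety_buffer` and `last_auto_tidy_finished` entries added to the pathTidyCancel response schema use `Required: true` while every neighbouring field in that block (`issuer_safety_buffer`, `time_finished`) is `Required: false`, and in the pathTidyStatus hunk the diff aligns so that `time_finished` now carries the added `Required: false` while the pre-existing `Required: true` line ends up under `last_auto_tidy_finished`, which quietly relaxes the declared schema of `time_finished` without a mention in the commit message. For the cancel schema, `Required: false,` on both new entries matches their neighbours; for the status schema, either restore `Required: true,` on `time_finished` or state the relaxation in the description. Separately, `resp.Data["last_auto_tidy_finished"] = b.lastTidy` reads a field that is presumably updated by the periodic auto-tidy path; confirm that this read is covered by the same lock pathTidyStatusRead takes for `b.tidyStatus`, since the writer is not in this hunk. pathTidyStatusRead and tidyStatusStart both begin and end outside their hunks.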

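--- /dev/null
+++ b/changelog/20442.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Add missing fields to tidy-status, include new last_auto_tidy_finished field.
+```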


@ -76,7 +76,8 @@ update your API calls accordingly.
- [Combining CRLs from the Same Issuer](#combine-crls-from-the-same-issuer) - [Combining CRLs from the Same Issuer](#combine-crls-from-the-same-issuer)
- [Sign Revocation List](#sign-revocation-list) - [Sign Revocation List](#sign-revocation-list)
- [Tidy](#tidy) - [Tidy](#tidy)
- [Configure Automatic Tidy](#configure-automatic-tidy) - [Read Automatic Tidy Configuration](#read-automatic-tidy-configuration)
- [Set Automatic Tidy Configuration](#set-automatic-tidy-configuration)
- [Tidy Status](#tidy-status) - [Tidy Status](#tidy-status)
- [Cancel Tidy](#cancel-tidy) - [Cancel Tidy](#cancel-tidy)
- [Cluster Scalability](#cluster-scalability) - [Cluster Scalability](#cluster-scalability)
@ -3889,7 +3890,57 @@ $ curl \
http://127.0.0.1:8200/v1/pki/tidy http://127.0.0.1:8200/v1/pki/tidy
``` ```
### Configure Automatic Tidy ### Read Automatic Tidy Configuration
This endpoint fetches the current automatic tidy configuration.
This is the combination of the periodic invocation parameters described
[in the below write handler](#set-automatic-tidy-configuration) and
the tidy parameters [described above in the tidy endpoint](#tidy).
| Method | Path |
| :----- | :---------------------- |
| `GET` | `/pki/config/auto-tidy` |
#### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/pki/config/auto-tidy
```
#### Sample Response
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"enabled": false,
"interval_duration": 43200,
"issuer_safety_buffer": 31536000,
"maintain_stored_certificate_counts": false,
"pause_duration": "0s",
"publish_stored_certificate_count_metrics": false,
"revocation_queue_safety_buffer": 172800,
"safety_buffer": 259200,
"tidy_cert_store": false,
"tidy_cross_cluster_revoked_certs": false,
"tidy_expired_issuers": false,
"tidy_move_legacy_ca_bundle": false,
"tidy_revocation_queue": false,
"tidy_revoked_cert_issuer_associations": false,
"tidy_revoked_certs": false
},
"auth": null
}
```
<a name="configure-automatic-tidy"></a>
### Set Automatic Tidy Configuration
This endpoint allows configuring periodic tidy operations, using the tidy mechanism This endpoint allows configuring periodic tidy operations, using the tidy mechanism
described above. Status is from automatically run tidies are still reported at the described above. Status is from automatically run tidies are still reported at the
@ -3941,7 +3992,7 @@ The result includes the following fields:
* `safety_buffer`: the value of this parameter when initiating the tidy operation * `safety_buffer`: the value of this parameter when initiating the tidy operation
* `tidy_cert_store`: the value of this parameter when initiating the tidy operation * `tidy_cert_store`: the value of this parameter when initiating the tidy operation
* `tidy_revoked_certs`: the value of this parameter when initiating the tidy operation * `tidy_revoked_certs`: the value of this parameter when initiating the tidy operation
* `state`: one of *Inactive*, *Running*, *Finished*, *Error* * `state`: one of *Inactive*, *Running*, *Finished*, *Error*, *Cancelling*, or *Cancelled*
* `error`: the error message, if the operation ran into an error * `error`: the error message, if the operation ran into an error
* `time_started`: the time the operation started * `time_started`: the time the operation started
* `time_finished`: the time the operation finished * `time_finished`: the time the operation finished
@ -3957,6 +4008,9 @@ The result includes the following fields:
* `revocation_queue_deleted_count`: the number of revocation queue entries deleted * `revocation_queue_deleted_count`: the number of revocation queue entries deleted
* `tidy_cross_cluster_revoked_certs`: the value of this parameter when initiating the tidy operation * `tidy_cross_cluster_revoked_certs`: the value of this parameter when initiating the tidy operation
* `cross_revoked_cert_deleted_count`: the number of cross-cluster revoked certificate entries deleted * `cross_revoked_cert_deleted_count`: the number of cross-cluster revoked certificate entries deleted
* `revocation_queue_safety_buffer`: the value of this parameter when initiating the tidy operation
* `pause_duration`: the value of this parameter when initiating the tidy operation
* `last_auto_tidy_finished`: the time when the last auto-tidy operation finished; may be different than `time_finished` especially if the last operation was a manually executed tidy operation. Set to current time at mount time to delay the initial auto-tidy operation; not persisted.
| Method | Path | | Method | Path |