open-vault/sdk
Alexander Scheel e03fb14be4
Support for generating Delta CRLs (#16773)
* Allow generation of up-to-date delta CRLs

While switching to periodic rebuilds of CRLs alleviates the constant
rebuild pressure on Vault during times of high revocation, the CRL
proper becomes stale. One response to this is to switch to OCSP, but not
every system has support for this. Additionally, OCSP usually requires
connectivity and isn't used to augment a pre-distributed CRL (and is
instead used independently).

By generating delta CRLs containing only new revocations, an existing
CRL can be supplemented with newer revocations without requiring Vault
to rebuild all complete CRLs. Admins can periodically fetch the delta
CRL and add it to the existing CRL and applications should be able to
support using serials from both.

Because delta CRLs are emptied when the next complete CRL is rebuilt, it
is important that applications fetch the delta CRL and correlate it to
their complete CRL; if their complete CRL is older than the delta CRL's
extension number, applications MUST fetch the newer complete CRL to
ensure they have a correct combination.

This modifies the revocation process and adds several new configuration
options, controlling whether Delta CRLs are enabled and when we'll
rebuild them.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for delta CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on delta CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback: fix several bugs

Thanks Steve!

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly invoke periodic func on active nodes

We need to ensure we read the updated config (in case of OCSP request
handling on standby nodes), but otherwise want to avoid CRL/DeltaCRL
re-building.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-29 11:37:09 -04:00
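The commit message describes the client-side contract for delta CRLs but not the check itself, so here is an added example of that correlation step in Go (the language of the Vault SDK). This is not code from the commit or from Vault; it uses only the standard library (`crypto/x509`, Go 1.19 or newer for `ParseRevocationList` and `CheckSignatureFrom`). It assumes that the "extension number" the commit refers to is the BaseCRLNumber carried in the Delta CRL Indicator extension of RFC 5280 section 5.2.4, which is the standard way a delta CRL names the complete CRL it supplements; the commit does not say which extension Vault emits. The CA, the CRLs and the function names (`newCA`, `signCRL`, `baseCRLNumber`, `MergeDeltaCRL`) are constructed fixtures for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-deltaCRLIndicator (RFC 5280 5.2.4): its value is the BaseCRLNumber of the complete CRL.
var oidDeltaCRLIndicator = asn1.ObjectIdentifier{2, 5, 29, 27}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a throwaway self-signed CA; a constructed fixture, not a Vault-issued CA.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example delta-CRL CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, SubjectKeyId: []byte{1, 2, 3, 4}, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// signCRL issues CRL number `number`; a non-nil base makes it a delta CRL that names its base.
func signCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, number, base *big.Int, serials ...int64) []byte {
	tmpl := &x509.RevocationList{Number: number, ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	if base != nil {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidDeltaCRLIndicator, Critical: true, Value: must(asn1.Marshal(base))}}
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, key))
}

// baseCRLNumber returns a delta CRL's BaseCRLNumber; nil means a complete CRL (or a malformed indicator).
func baseCRLNumber(crl *x509.RevocationList) *big.Int {
	for _, ext := range crl.Extensions {
		if ext.Id.Equal(oidDeltaCRLIndicator) {
			var n *big.Int
			if rest, err := asn1.Unmarshal(ext.Value, &n); err == nil && len(rest) == 0 {
				return n
			}
		}
	}
	return nil
}

// MergeDeltaCRL verifies both CRLs against ca, enforces the RFC 5280 5.2.4 pairing rule
// BaseCRLNumber <= complete.Number < delta.Number, and unions the revoked serials. A complete
// CRL older than the delta's base is refused so the caller fetches a newer complete CRL.
func MergeDeltaCRL(ca *x509.Certificate, completeDER, deltaDER []byte) (map[string]bool, error) {
	var crls [2]*x509.RevocationList
	var err error
	for i, der := range [][]byte{completeDER, deltaDER} {
		if crls[i], err = x509.ParseRevocationList(der); err != nil {
			return nil, err
		}
		if err = crls[i].CheckSignatureFrom(ca); err != nil {
			return nil, fmt.Errorf("CRL %d: %w", i, err)
		}
	}
	complete, delta := crls[0], crls[1]
	base := baseCRLNumber(delta)
	switch {
	case baseCRLNumber(complete) != nil || base == nil:
		return nil, fmt.Errorf("expected a complete CRL followed by a delta CRL")
	case complete.Number.Cmp(base) < 0:
		return nil, fmt.Errorf("complete CRL #%d predates delta base #%d: fetch a newer complete CRL", complete.Number, base)
	case complete.Number.Cmp(delta.Number) >= 0:
		return nil, fmt.Errorf("delta CRL #%d does not supersede complete CRL #%d", delta.Number, complete.Number)
	}
	revoked := map[string]bool{}
	for _, crl := range crls {
		for _, rc := range crl.RevokedCertificates {
			revoked[rc.SerialNumber.String()] = true
		}
	}
	return revoked, nil
}

func main() {
	ca, key := newCA()
	delta := signCRL(ca, key, big.NewInt(6), big.NewInt(5), 3) // delta #6 over base #5, adds serial 3
	merged, err := MergeDeltaCRL(ca, signCRL(ca, key, big.NewInt(5), nil, 1, 2), delta)
	fmt.Println("complete #5 + delta #6:", merged, err)
	_, err = MergeDeltaCRL(ca, signCRL(ca, key, big.NewInt(4), nil, 1), delta)
	fmt.Println("stale complete #4 + delta #6:", err)
}
```

The first pairing yields serials 1, 2 and 3; the second is rejected because complete CRL #4 predates base #5, which is the case the commit message says a client MUST resolve by fetching the newer complete CRL. Both signatures are checked against the same CA before any numbers are compared, so an attacker cannot pair a genuine delta with a forged, older complete CRL to resurrect a revoked certificate.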
database refactor: replace strings.Replace with strings.ReplaceAll (#15392) 2022-08-03 15:22:48 -04:00
framework VAULT-7698 Fix ignored parameter warnings for endpoint arbitrary data options (#16794) 2022-08-23 08:51:23 -04:00
helper Support for generating Delta CRLs (#16773) 2022-08-29 11:37:09 -04:00
logical VAULT-6614 Enable role based quotas for lease-count quotas (OSS) (#16157) 2022-07-05 13:02:00 -04:00
physical Fix keyring file missing after Vault restart (#15946) 2022-06-15 10:22:42 -07:00
plugin Revert "AutoMTLS for secrets/auth plugins (#15671)" (#16377) 2022-07-20 10:36:23 -05:00
queue sdk/queue: move lock before checking queue length (#13146) 2021-11-29 14:54:00 -05:00
version Prep for 1.12 (#15612) 2022-05-25 16:18:41 -04:00
go.mod Update minimum required go version for sdk (#15913) 2022-06-09 12:25:24 -07:00
go.sum Update to fixed parseutil v0.1.6 (#15774) 2022-06-02 17:31:45 -04:00
README.md Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00

Vault SDK libs

This module provides the sdk package, which contains code useful for developing Vault plugins.

Although we try not to break functionality, we reserve the right to reorganize the code at will and may occasionally cause breaks if they are warranted. As such, we expect the tag of this module to stay below v1.0.0.

For any major changes we will try to give advance notice in the CHANGES section of Vault's CHANGELOG.md.