Brightspace / D2L.Security.OAuth2

Brightspace OAuth 2.0 for C#
Apache License 2.0

Allow private keys to be stored and rotated externally. #191

Closed j3parker closed 3 years ago

j3parker commented 3 years ago

External storage (vs. in-memory) will work better for scale-up/scale-down activity. This will enable us to scale more aggressively, including use-cases like AWS Lambda.

It also moves rotation out-of-line of requests, which will avoid CPU+latency spikes.

Fetching the latest private key will still be done on-demand, but there is the option to do it proactively out-of-band. This will allow us to consolidate the fetch in web-server workloads and further hide latency from individual requests.

Web server workloads will be able to proactively fetch a key on boot before being placed into load.
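
The fetch pattern described in the comment above (on-demand fetch, consolidated per process, with an optional proactive fetch on boot), as an added example that is not code from this pull request or from D2L.Security.OAuth2. `StoredKey`, `IExternalKeyStore` and `CachedSigningKeyProvider` are hypothetical names, and a key that carries an expiry time is an assumption.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical types for illustration; not the D2L.Security.OAuth2 API.
public sealed record StoredKey(string KeyId, byte[] Pkcs8PrivateKey, DateTimeOffset ExpiresAt);

public interface IExternalKeyStore {
    // Returns the newest private key; generation and rotation happen outside this process.
    Task<StoredKey> GetLatestAsync(CancellationToken ct);
}

public sealed class CachedSigningKeyProvider {
    private readonly IExternalKeyStore m_store;
    private readonly TimeSpan m_refreshBeforeExpiry;
    private readonly SemaphoreSlim m_fetchLock = new SemaphoreSlim(1, 1);
    private volatile StoredKey m_current;

    public CachedSigningKeyProvider(IExternalKeyStore store, TimeSpan refreshBeforeExpiry) {
        m_store = store;
        m_refreshBeforeExpiry = refreshBeforeExpiry;
    }

    private bool IsFresh(StoredKey key) =>
        key != null && DateTimeOffset.UtcNow < key.ExpiresAt - m_refreshBeforeExpiry;

    // On-demand path: requests sign with the cached key and only touch the store when it is stale.
    public async Task<StoredKey> GetSigningKeyAsync(CancellationToken ct = default) {
        StoredKey key = m_current;
        if (IsFresh(key)) return key;

        await m_fetchLock.WaitAsync(ct).ConfigureAwait(false);
        try {
            // Re-check under the lock: a concurrent caller may already have refreshed the key.
            if (!IsFresh(m_current)) {
                StoredKey fetched = await m_store.GetLatestAsync(ct).ConfigureAwait(false);
                if (fetched.ExpiresAt <= DateTimeOffset.UtcNow)
                    throw new InvalidOperationException("Key store returned an expired key.");
                m_current = fetched;
            }
            return m_current;
        } finally {
            m_fetchLock.Release();
        }
    }

    // Proactive path: call on boot before the instance is placed into load, or from a timer.
    public Task PrefetchAsync(CancellationToken ct = default) => GetSigningKeyAsync(ct);
}
```

The lock means a burst of concurrent requests results in one store fetch per process rather than one per request, and the expiry check keeps a stale store entry from ever being used for signing.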

j3parker commented 3 years ago

What's missing:

The first of those is mandatory to merge this; the other two I'd be good to do in a follow-up (like immediately after, not "in the future").

Getting this PR up without tests just to validate the approach.