Closed schmichael closed 2 months ago
tgross
commented
8 months ago What you're envisioning here should cover https://github.com/hashicorp/nomad/issues/19367 and https://github.com/hashicorp/nomad/issues/19368. I'm going to unassign myself from those and if you want, we can either close them out now or you can close them out with this issue.
schmichael
commented
8 months ago Thanks for linking things together Tim.
we can either close them out now or you can close them out with this issue.
I'm going to leave them open until this ships to ensure everything is buttoned up appropriately.
tgross
commented
2 months ago Implemented in #23577 and will ship in the next regular release of Nomad 1.8.x, with backports to Nomad 1.7.x/1.6.x Enterprise.
Nomad 1.7 uses a root encryption key to encrypt Variables at rest and a root signing key to sign Workload Identities.
These root keys should be rotated automatically using the following logic:
root_key_rotation_threshold / 2and the public signing key published before use in the JWKS endpoint.root_key_rotation_thresholdthe prepublished key will be madeactiveand the oldactivekey will be madeinactiveroot_key_rotation_threshold+root_key_gc_thresholdafter the old key was marked inactive, it should be garbage collected.root_key_*docs to reflect that keys are not gc'd untilrotation_threshold + gc_thresholdare reached to avoid invalidating otherwise valid JWTs in use.identity.tll > root_key_rotation_thresholdshould receive a Warning on submit.Prior Art
https://github.com/hashicorp/vault/pull/12414