spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

Forcing Rotation of SPIRE Trust Bundle #928

Closed APTy closed 3 years ago

APTy commented 5 years ago

In case of a compromised UpstreamCA or self-signed SPIRE cluster, it is important to be able to quickly rotate the trust bundles and SVIDs of all downstream consumers, plus propagate the trust bundle change to any federated trust domains.

If the SPIRE server receives a new upstream root in the ca manager "prepare" step, it will push a new bundle update to all consumers; however, we still need to revoke the old (compromised) upstream root. But because many workloads still rely on the old upstream root, it may be prudent to speed up workload SVID renewal, to start making use of the new root as quickly as possible, so that the old one can be removed more expediently.

In the case of using the UpstreamCA plugin, this renewal may need to be synchronized across clusters.
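The sequencing described in the comment above (publish the new root, renew SVIDs, then drop the old root) depends on knowing which workloads still hold SVIDs that only validate against the old root. The following Go code is an added example, not part of the original issue and not SPIRE code. The helper names `issue` and `staleSVIDs`, the trust domain `example.org`, the Ed25519 keys, and leaves signed directly by the root (no intermediate server CA) are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issue makes a constructed test cert with id as URI SAN: a self-signed root if parent is nil, else a leaf SVID.
func issue(id string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	u, _ := url.Parse(id)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: id},
		URIs: []*url.URL{u}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the template is its own issuer
		t.KeyUsage, parent, pk = x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// staleSVIDs returns the SPIFFE IDs of SVIDs that fail against newRoot alone and so must renew first.
func staleSVIDs(newRoot *x509.Certificate, svids ...*x509.Certificate) (ids []string) {
	pool := x509.NewCertPool()
	pool.AddCert(newRoot)
	for _, s := range svids {
		if _, err := s.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
			ids = append(ids, s.URIs[0].String())
		}
	}
	return ids
}

func main() {
	oldRoot, oldKey := issue("spiffe://example.org", nil, nil)   // root being retired
	newRoot, newKey := issue("spiffe://example.org", nil, nil)   // replacement root
	web, _ := issue("spiffe://example.org/web", newRoot, newKey) // already renewed
	db, _ := issue("spiffe://example.org/db", oldRoot, oldKey)   // not yet renewed
	fmt.Println("renew before removing the old root:", staleSVIDs(newRoot, web, db))
}
```

An empty result means every inspected SVID already chains to the new root, so removing the old root from the bundle would not break validation for those workloads.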

amartinezfayo commented 3 years ago

This is part of the efforts to solve #1934.

evan2645 commented 3 years ago

Closing this out in favor of tracking the work in #1934. Thank you for opening this, @APTy!