Nomad 1.7 uses a root encryption key to encrypt Variables at rest and a root signing key to sign Workload Identities.
These root keys should be rotated automatically using the following logic:
A new root key should be generated at root_key_rotation_threshold / 2, and its public signing key published in the JWKS endpoint before use.
At root_key_rotation_threshold the prepublished key will be made active and the old active key will be made inactive.
root_key_rotation_threshold + root_key_gc_threshold after the old key was marked inactive, it should be garbage collected.
Update the root_key_* docs to reflect that keys are not gc'd until rotation_threshold + gc_threshold is reached, to avoid invalidating otherwise valid JWTs in use.
Jobspecs with an identity.ttl > root_key_rotation_threshold should receive a Warning on submit.
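As an added example (not code from the Nomad project or from this issue), the lifecycle proposed above modelled in Go with hypothetical Keyring and RootKey types; it assumes key age is measured from the moment a key became active. A successor is prepublished at half the rotation threshold, promoted at the threshold, and the retired key is only garbage collected once rotation + gc thresholds have elapsed since it went inactive, which is what keeps JWTs with identity.ttl <= root_key_rotation_threshold verifiable.

```go
package main

import "time"

// Hypothetical types for this example, not Nomad's own; a key moves prepublished -> active -> inactive -> gc'd.
type KeyState int
const (
	Prepublished KeyState = iota
	Active
	Inactive
	GarbageCollected
)
type RootKey struct {
	ActivatedAt, InactiveAt time.Time
	State                   KeyState
}
type Keyring struct {
	RotationThreshold, GCThreshold time.Duration // root_key_rotation_threshold, root_key_gc_threshold
	Keys                           []*RootKey    // creation order; Keys[0] is the initial active key
}

func (kr *Keyring) find(s KeyState) *RootKey {
	for _, k := range kr.Keys {
		if k.State == s {
			return k
		}
	}
	return nil
}

// Tick applies the rotation logic at time now; a server would call it periodically.
func (kr *Keyring) Tick(now time.Time) {
	active := kr.find(Active)
	age := now.Sub(active.ActivatedAt)
	if age >= kr.RotationThreshold/2 && kr.find(Prepublished) == nil { // successor enters the JWKS early
		kr.Keys = append(kr.Keys, &RootKey{State: Prepublished})
	}
	if pre := kr.find(Prepublished); pre != nil && age >= kr.RotationThreshold { // rotate at the threshold
		pre.State, pre.ActivatedAt = Active, now
		active.State, active.InactiveAt = Inactive, now
	}
	for _, k := range kr.Keys { // gc only after rotation + gc thresholds since retirement, so old JWTs stay verifiable
		if k.State == Inactive && now.Sub(k.InactiveAt) >= kr.RotationThreshold+kr.GCThreshold {
			k.State = GarbageCollected
		}
	}
}

// WarnIdentityTTL reports whether a jobspec identity.ttl should get a warning on submit.
func (kr *Keyring) WarnIdentityTTL(ttl time.Duration) bool { return ttl > kr.RotationThreshold }
```

With a 10h rotation threshold and a 2h gc threshold, ticking hourly prepublishes at 5h, rotates at 10h and 20h, and garbage collects the first key at 22h.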
What you're envisioning here should cover #19367 and #19368. I'm going to unassign myself from those and if you want, we can either close them out now or you can close them out with this issue.
Prior Art
hashicorp/vault#12414