split key default to false (#46)

* draft Signed-off-by: wfan <wfan@lycorp.co.jp> * hash Signed-off-by: wfan <wfan@lycorp.co.jp> * log Signed-off-by: wfan <wfan@lycorp.co.jp> * Update cmd/athenz-sia/main.go Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> Signed-off-by: Windz <WindzCUHK@users.noreply.github.com> * Update pkg/identity/certificated.go Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> Signed-off-by: Windz <WindzCUHK@users.noreply.github.com> * Update pkg/identity/healthcheckd.go Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> Signed-off-by: Windz <WindzCUHK@users.noreply.github.com> * Update pkg/identity/metricsd.go Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> Signed-off-by: Windz <WindzCUHK@users.noreply.github.com> * Update pkg/token/daemon.go Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> Signed-off-by: Windz <WindzCUHK@users.noreply.github.com> --------- Signed-off-by: wfan <wfan@lycorp.co.jp> Signed-off-by: Windz <WindzCUHK@users.noreply.github.com> Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
AthenZ · Oct 26, 2023 · dbbf93b · dbbf93b
1 parent 6b5a231
commit dbbf93b
Show file tree

Hide file tree

Showing 8 changed files with 21 additions and 13 deletions.
diff --git a/athenz-sia.env b/athenz-sia.env
@@ -142,10 +142,10 @@ ROLECERT_DIR=
 #
 ROLE_CERT_FILENAME_DELIMITER=:role.
 #
-# Outputs private key specifically for role certificates (e.g. :true or false)
-# Default value for binary: https://github.com/AthenZ/k8s-athenz-sia/blob/c8478297a9d228ffc0a6a1ea469ad0ef8a682dc8/pkg/config/default.go#L92
+# Outputs private key specifically for role certificates (e.g. true or false)
+# Default value for binary: https://github.com/AthenZ/k8s-athenz-sia/blob/7cedb649397adb59afdaaa821cfa0b1d226b7203/pkg/config/default.go#L92
 #
-ROLE_CERT_KEY_FILE_OUTPUT=true
+ROLE_CERT_KEY_FILE_OUTPUT=false
 #
 # Athenz Role Auth Header to retrieve role tokens
 # Default value for binary: https://github.com/AthenZ/k8s-athenz-sia/blob/c8478297a9d228ffc0a6a1ea469ad0ef8a682dc8/pkg/config/default.go#L41

diff --git a/cmd/athenz-sia/main.go b/cmd/athenz-sia/main.go
@@ -85,8 +85,8 @@ func main() {
 	}
 
 	if !idConfig.Init {
-		<-ch // wait until receiving os.Signal from channel ch
-		log.Println("Shutting down...")
+		s := <-ch // wait until receiving os.Signal from channel ch
+		log.Printf("Initiating shutdown with received signal %s ...\n", s.String())
 	}
 
 	close(certificateChan)

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -242,6 +242,15 @@ func (idConfig *IdentityConfig) validateAndInit() (err error) {
 		PollInterval: pollInterval,
 	})
 
+	// if certificate provisioning is disabled (use external key) and splitting role certificate key file is disabled, role certificate and external key mismatch problem may occur when external key rotates.
+	// error case: issue role certificate, rotate external key, mismatch period, issue role certificate, resolve, rotate external key, ...
+	if idConfig.ProviderService == "" && !idConfig.RoleCertKeyFileOutput {
+		// if role certificate issuing is enabled, warn user about the mismatch problem
+		if idConfig.TargetDomainRoles != "" && idConfig.RoleCertDir != "" {
+			log.Warnf("Rotating KEY_FILE[%s] may cause key mismatch with issued role certificate due to different rotation cycle. Please manually restart SIA when you rotate the key file.", idConfig.KeyFile)
+		}
+	}
+
 	// During the init flow if X.509 cert(and key) already exists,
 	//   - someone is attempting to run init after a pod has been started
 	//   - pod sandbox crashed and kubelet runs the init container

diff --git a/pkg/config/default.go b/pkg/config/default.go
@@ -89,7 +89,7 @@ func DefaultIdentityConfig() *IdentityConfig {
 		TargetDomainRoles:         "",
 		RoleCertDir:               "",
 		RoleCertFilenameDelimiter: DEFAULT_ROLE_CERT_FILENAME_DELIMITER,
-		RoleCertKeyFileOutput:     true,
+		RoleCertKeyFileOutput:     false,
 		RoleAuthHeader:            DEFAULT_ROLE_AUTH_HEADER,
 		TokenType:                 "accesstoken",
 		TokenRefresh:              DEFAULT_TOKEN_REFRESH,
@@ -114,7 +114,7 @@ func DefaultIdentityConfig() *IdentityConfig {
 		rawMode:                  "init",
 		rawRefresh:               "24h",
 		rawDelayJitterSeconds:    "0",
-		rawRoleCertKeyFileOutput: "true",
+		rawRoleCertKeyFileOutput: "false",
 		rawTokenRefresh:          DEFAULT_TOKEN_REFRESH.String(),
 		rawTokenExpiry:           DEFAULT_TOKEN_EXPIRY.String(),
 		rawTokenServerRESTAPI:    "false",

diff --git a/pkg/identity/certificated.go b/pkg/identity/certificated.go
@@ -103,8 +103,7 @@ func Certificated(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (er
 						return errors.Wrap(err, "unable to save x509 role cert")
 					}
 
-					// always output role cert key file to prevent unexpected key rotation when using external key
-					if id == nil || idConfig.RoleCertKeyFileOutput {
+					if idConfig.RoleCertKeyFileOutput {
 						outKeyPath := filepath.Join(idConfig.RoleCertDir, rolecert.Domain+idConfig.RoleCertFilenameDelimiter+rolecert.Role+".key.pem")
 						log.Debugf("Saving x509 role cert key[%d bytes] at [%s]", len(roleKeyPEM), outKeyPath)
 						if err := w.AddBytes(outKeyPath, 0644, roleKeyPEM); err != nil {
@@ -354,7 +353,7 @@ func Certificated(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (er
 					log.Errorf("Failed to refresh x509 certificate after multiple retries: %s", err.Error())
 				}
 			case <-stopChan:
-				log.Info("Certificate provider will shutdown")
+				log.Info("Initiating shutdown of certificate provider daemon ...")
 				err = deleteRequest()
 				if err != nil {
 					log.Errorf("Failed to delete x509 certificate Instance ID record: %s", err.Error())

diff --git a/pkg/identity/healthcheckd.go b/pkg/identity/healthcheckd.go
@@ -59,7 +59,7 @@ func Healthcheckd(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (er
 		defer close(shutdownChan)
 
 		<-stopChan
-		log.Info("Health check server will shutdown")
+		log.Info("Initiating shutdown of health check daemon ...")
 		ctx, cancel := context.WithTimeout(context.Background(), idConfig.ShutdownTimeout)
 		defer cancel()
 		healthCheckServer.SetKeepAlivesEnabled(false)

diff --git a/pkg/identity/metricsd.go b/pkg/identity/metricsd.go
@@ -98,7 +98,7 @@ func Metricsd(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (error,
 		defer close(shutdownChan)
 
 		<-stopChan
-		log.Info("Metrics exporter will shutdown")
+		log.Info("Initiating shutdown of metrics exporter daemon ...")
 		// context.Background() is used, no timeout
 		err := exporter.Shutdown()
 		if err != nil {

diff --git a/pkg/token/daemon.go b/pkg/token/daemon.go
@@ -274,7 +274,7 @@ func Tokend(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (error, <
 					log.Errorf("Failed to refresh tokens after multiple retries: %s", err.Error())
 				}
 			case <-stopChan:
-				log.Info("Token provider will shutdown")
+				log.Info("Initiating shutdown of token provider daemon ...")
 				time.Sleep(idConfig.ShutdownDelay)
 				ctx, cancel := context.WithTimeout(context.Background(), idConfig.ShutdownTimeout)
 				defer cancel()