Loading...

XML

Word

Printable

Type: Epic
Resolution: Done
Priority: Critical
Fix Version/s: Alongside OpenShift 4.10, 2021Q3 Plan
Affects Version/s: None
Component/s: None
Labels:

Epic Name:
Periodic continous refresh strategy for ignition server token
Blocked:
False
Ready:
False
Epic Status:
Done
Feature Link:
OCPSTRAT-326 - Implement HyperShift Infrastructure & Machine Management Models
Parent Link:
OCPSTRAT-326Implement HyperShift Infrastructure & Machine Management Models
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done

Cost of Delay:
0
WSJF:
0
Risk Score:
0

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Market:

https://github.com/openshift/hypershift/issues/364

The token should periodically be refreshed on an interval and ultimately old tokens revoked. This provides a secure system overtime and limits the time a exposed secret is active for.

General idea:

Create new token after some time and use that in userdata secret
After some time has passed (gives enough time for in flight workers to bootstrap) remove old token.

links to

openshift/hypershift#485: Add support for ign serve token rotation

Assignee:: Alberto Garcia Lamela

Reporter:: Alberto Garcia Lamela

QA Contact:: Jie Zhao

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2021/08/30 12:18 PM

Updated:: 2022/03/15 8:49 PM

Resolved:: 2022/02/07 5:50 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates