Uploaded image for project: 'Hybrid Cloud Console'
  1. Hybrid Cloud Console
  2. RHCLOUD-24150

Alternative Gateway Secret Support in Turnpike

XMLWordPrintable

    • 5
    • False
    • Hide

      None

      Show
      None
    • False
    • Unset
    • No
    • Platform A&M Sprint 64, Platform A&M Sprint 65

      After the Gateway Secret rotation during RHCLOUD-23975, it was discovered that Turnpike does not have a method of supporting an Alternative Gateway Secret. Without supporting an Alternative Gateway Secret, there is an issue when a new Gateway Secret is pushed to Akamai. Turnpike validates the new Gateway Secret that is supplied to it from Akamai against the old Gateway Secret provided to it at run time. Whether Turnpike or Akamai is updated first with the new Gateway Secret, there is a possibility of downtime because there will be a mismatch between the Gateway Secret Turnpike uses to validate and what Akamai is providing it. 

       

      The suggestion is to provide Alternative Gateway Secret support in Turnpike similarly to how we handle it with Gateway. Please note that the Alternative Gateway Secret is typically remote after Gateway Secrets have been rotated. So updated logic in Turnpike will need to be able to support the Alternative Gateway Secret being absent. 

       

      Gateway/3scale - PSK Check:

      Turnpike - PSK Check:

       

       

      Additionally, one this functionality has been added to Turnpike we will need to update the Turnpike section of the "Gateway - "gateway-secret" Rotation" doc to make use of the Alternative Gateway Secret

              rh-ee-edong Ellen Dong
              caswilli-insights Casey Williams
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: