Add warnings to crl rebuilds, allowing notifying operator of empty issuer equivalency sets #20253
+314 −86
When a user generates an external CA without KeyUsage bits and imports it into Vault (as Vault does not allow setting KeyUsage on internally generated CAs), they can end up with issuer equivalency classes without a valid representative for generating the CRL. This is because Go fails on rebuilding CRLs for issuers lacking an asserted CRL Building KeyUsage.
Add warnings into the CRL rebuild infrastructure and allow certain actions to directly expose them to operators (import, manual rebuild, potentially revoke), whereas all other operations will result in these warnings being logged at a `Warn` level.

I'm not quite happy with this approach: over a cluster's lifetime, I'd imagine this could get somewhat verbose if the operator does not take steps to address it. However, it is also a somewhat rare problem to have (though, I have added one other warning when a legacy bundle is in use with delta CRLs), so I'm inclined to believe that while it is not perfect, it is perhaps good enough.
During import this looks like:
This also appears on the CRL rebuild endpoint (`/pki/crl/rotate`).

Resolves: #20137
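The Go behaviour the description relies on, as an added example that is not part of this PR or of Vault's code: `crypto/x509.CreateRevocationList` refuses to sign a CRL unless the issuer certificate explicitly asserts the cRLSign KeyUsage bit, so a CA generated externally with no KeyUsage extension at all (which RFC 5280 would treat as unrestricted) cannot produce a CRL in Go. The helpers `newCA`, `canSignCRL`, `buildCRL` and `pickCRLRepresentative` are hypothetical names chosen here; the CA subjects and the revoked serial are constructed test data, and `pickCRLRepresentative` only models the idea of picking a CRL-capable representative for an issuer equivalency set and warning when none exists, not the PR's actual selection logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed CA. withCRLSign controls whether a KeyUsage
// extension asserting cRLSign is emitted; false yields a certificate with no
// KeyUsage extension at all, like the externally generated CA in the PR.
func newCA(cn string, withCRLSign bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn}, // constructed subject
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	if withCRLSign {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	// Go emits no KeyUsage extension when tmpl.KeyUsage is zero, and generates a
	// SubjectKeyId for CA templates, which CreateRevocationList also requires.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// canSignCRL mirrors the pre-signing check in x509.CreateRevocationList:
// the issuer must explicitly assert cRLSign. An absent KeyUsage extension
// parses as zero and therefore fails, even though RFC 5280 treats absence
// as "no restriction".
func canSignCRL(issuer *x509.Certificate) bool {
	return issuer.KeyUsage&x509.KeyUsageCRLSign != 0
}

// buildCRL signs a CRL containing one constructed revoked serial (42).
func buildCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(42), RevocationTime: now},
		},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// pickCRLRepresentative is a hypothetical helper (not Vault's code) that
// returns the first issuer in an equivalency set able to sign CRLs, plus one
// warning per issuer that cannot. A nil result with warnings is the "empty
// equivalency set" condition the PR surfaces to operators.
func pickCRLRepresentative(issuers []*x509.Certificate) (*x509.Certificate, []string) {
	var chosen *x509.Certificate
	var warnings []string
	for _, c := range issuers {
		if canSignCRL(c) {
			if chosen == nil {
				chosen = c
			}
			continue
		}
		warnings = append(warnings, fmt.Sprintf(
			"issuer %q lacks the cRLSign KeyUsage bit and cannot be used to build a CRL",
			c.Subject.CommonName))
	}
	return chosen, warnings
}

func main() {
	bad, badKey, err := newCA("external-ca-no-keyusage", false)
	if err != nil {
		panic(err)
	}
	good, goodKey, err := newCA("ca-with-crlsign", true)
	if err != nil {
		panic(err)
	}
	for _, tc := range []struct {
		c *x509.Certificate
		k *ecdsa.PrivateKey
	}{{bad, badKey}, {good, goodKey}} {
		_, err := buildCRL(tc.c, tc.k)
		fmt.Printf("%s: canSignCRL=%v CreateRevocationList err=%v\n",
			tc.c.Subject.CommonName, canSignCRL(tc.c), err)
	}
	if rep, warns := pickCRLRepresentative([]*x509.Certificate{bad}); rep == nil {
		fmt.Println("no CRL-capable representative:", warns)
	}
}
```

Running it shows the failure the PR guards against: the CA without KeyUsage is rejected by `CreateRevocationList` before any signing happens, while the CA with cRLSign produces a verifiable CRL. The pre-check in `canSignCRL` is the cheap test to run at import time, which is exactly where the PR chooses to surface the warning directly rather than only logging it.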