Backport of Fix building unified delta WAL, unified delta CRLs into release/1.13.x #20090

hc-github-team-secure-vault-core

Backport

This PR is auto-generated from #20058 to be assessed for backporting due to the inclusion of the label backport/1.13.x.

The below text is copied from the body of the original PR.


Built on top of #20057; will be rebased once that merges.


Perhaps best to review this commit by commit as it should make most sense that way. If short summaries are nice:

  1. We only considered certificates from the current primary cluster when building the unified delta CRL.
  2. We only considered last-revoked serials from the current primary cluster when deciding to build the unified delta CRL.
  3. We only wrote out last-revoked serials to the current primary cluster's last-built entry, meaning if 2 wasn't also a bug, we could potentially rebuild more frequently than necessary (without new revocations).
  4. When doing the build, the last read serial wasn't the current primary cluster's cross-cluster last revoked serial, but instead its local delta WAL last revoked serial. These entries were effectively the same (since the cross-cluster storage writer for the primary cluster should've just been a local write), so this only mattered post 2 being fixed.
  5. Given that there were PBPWF failures in the writer, and given the change in Log, don't err, on unified delta WAL write failure #20057, we need logic similar to the existing full revocation entries for copying delta WAL entries cross-cluster if PBPWF write failed for some reason.
  6. Cleanup commit to switch a log to an error message.
  7. Add warnings to the revocation handler when PBPWF writing fails.
  8. Only attempt writing the unified delta WAL entry if the full entry succeeded.

But due to an obvious failure in the PBPWF writer, we weren't going to see any of these bugs.


Overview of commits

hc-github-team-secure-vault-core force-pushed the backport/cipherboy-fix-building-delta-wal/rarely-topical-cub branch 2 times, most recently from fca3ea2 to b0ba7d3 (April 11, 2023 18:03)