Unexpected default X509 SVID TTL #3581
Labels: priority/urgent (Issue is approved and must be completed in the assigned milestone)
Milestone: (none recorded)
Comments
@azdagron for visibility

These two lines in the test appear to be why this wasn't caught during testing. It was an issue I ran into during initial testing and resolved it incorrectly. (spire/cmd/spire-server/cli/run/run_test.go, lines 642 to 643 in d98577f)
Removing those two lines shows the test now failing as it should.

Yikes. We should fix this.
dennisgove added a commit to dennisgove/spire that referenced this issue on Nov 7, 2022 (3 tasks)
dennisgove added a commit to dennisgove/spire that referenced this issue on Nov 7, 2022: …used Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
evan2645 added the priority/urgent label on Nov 8, 2022
MarcosDY pushed a commit that referenced this issue on Nov 8, 2022
MarcosDY pushed a commit that referenced this issue on Nov 8, 2022
stevend-uber pushed a commit to stevend-uber/spire that referenced this issue on Oct 16, 2023: …used (spiffe#3583) Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
PR #3445 added support for X509 and JWT specific SVID TTLs. As part of this, the spire-server binary config arguments were updated to include all of the following: spire/cmd/spire-server/cli/run/run.go (lines 77 to 79 in d98577f).

The following lines set the config defaults for the X509 and JWT SVIDs: spire/cmd/spire-server/cli/run/run.go (lines 839 to 840 in d98577f).

The result is that the values for DefaultX509SVIDTTL and DefaultJWTSVIDTTL are always set to some value even if the startup config file does not set those. On face this seems reasonable, but an issue appears if the startup config instead sets DefaultSVIDTTL and neither of the new X509/JWT specific values. In such a case the following blocks will always be executed and the desired DefaultSVIDTTL will be ignored: spire/cmd/spire-server/cli/run/run.go (lines 472 to 481 in d98577f) and spire/cmd/spire-server/cli/run/run.go (lines 492 to 501 in d98577f).

The result is a breaking change if someone has set the DefaultSVIDTTL value and has now updated to version 1.5.0. For example, with this config file

the following will appear in the logs on startup
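The precedence problem the issue describes, reduced to a runnable Go model. This is an added example, not code from SPIRE or from the issue author: the two-step shape (fill in defaults, then let a non-empty type-specific value override the legacy one) follows the description above, but the type name ttlConfig, the function names applyDefaultsBuggy, applyDefaultsFixed and resolveTTLs, and the 1h/5m fallback values are assumptions made for illustration. The buggy variant always populates the X509/JWT fields before the override check, so a config that only sets DefaultSVIDTTL is silently ignored; the fixed variant only populates a type-specific default when neither that field nor the legacy field was set.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ttlConfig mirrors the three TTL strings a spire-server config can carry.
// Field names here are assumptions for this example, not SPIRE's own struct.
type ttlConfig struct {
	DefaultSVIDTTL     string // legacy key, meant to apply to both SVID types
	DefaultX509SVIDTTL string // X509-specific value
	DefaultJWTSVIDTTL  string // JWT-specific value
}

// effectiveTTLs holds the durations the server would actually issue.
type effectiveTTLs struct {
	X509 time.Duration
	JWT  time.Duration
}

// Built-in fallbacks; illustrative values only, not necessarily SPIRE's.
const (
	assumedX509Default = "1h"
	assumedJWTDefault  = "5m"
)

// parseTTL rejects unparsable and non-positive durations.
func parseTTL(s string) (time.Duration, error) {
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, err
	}
	if d <= 0 {
		return 0, errors.New("TTL must be positive: " + s)
	}
	return d, nil
}

// applyDefaultsBuggy models the 1.5.0 behaviour described in the issue: the
// type-specific fields are always filled in, so they always win in resolveTTLs.
func applyDefaultsBuggy(c ttlConfig) ttlConfig {
	if c.DefaultX509SVIDTTL == "" {
		c.DefaultX509SVIDTTL = assumedX509Default
	}
	if c.DefaultJWTSVIDTTL == "" {
		c.DefaultJWTSVIDTTL = assumedJWTDefault
	}
	return c
}

// applyDefaultsFixed fills a type-specific default only when the operator set
// neither that field nor the legacy DefaultSVIDTTL.
func applyDefaultsFixed(c ttlConfig) ttlConfig {
	if c.DefaultSVIDTTL == "" {
		if c.DefaultX509SVIDTTL == "" {
			c.DefaultX509SVIDTTL = assumedX509Default
		}
		if c.DefaultJWTSVIDTTL == "" {
			c.DefaultJWTSVIDTTL = assumedJWTDefault
		}
	}
	return c
}

// resolveTTLs is the precedence both variants share: the legacy value seeds
// both TTLs, then a non-empty type-specific value overrides its own type.
func resolveTTLs(c ttlConfig) (effectiveTTLs, error) {
	var e effectiveTTLs
	if c.DefaultSVIDTTL != "" {
		d, err := parseTTL(c.DefaultSVIDTTL)
		if err != nil {
			return e, err
		}
		e.X509, e.JWT = d, d
	}
	if c.DefaultX509SVIDTTL != "" {
		d, err := parseTTL(c.DefaultX509SVIDTTL)
		if err != nil {
			return e, err
		}
		e.X509 = d
	}
	if c.DefaultJWTSVIDTTL != "" {
		d, err := parseTTL(c.DefaultJWTSVIDTTL)
		if err != nil {
			return e, err
		}
		e.JWT = d
	}
	if e.X509 == 0 || e.JWT == 0 {
		return e, errors.New("no TTL configured")
	}
	return e, nil
}

func main() {
	// Constructed config: an operator who upgraded with only the legacy key set.
	legacyOnly := ttlConfig{DefaultSVIDTTL: "12h"}
	for _, v := range []struct {
		name  string
		apply func(ttlConfig) ttlConfig
	}{{"buggy", applyDefaultsBuggy}, {"fixed", applyDefaultsFixed}} {
		e, err := resolveTTLs(v.apply(legacyOnly))
		if err != nil {
			fmt.Println(v.name, "error:", err)
			continue
		}
		fmt.Printf("%s: x509=%s jwt=%s\n", v.name, e.X509, e.JWT)
	}
}
```

The regression check that would have caught this is the mixed case: a config with only DefaultSVIDTTL set must resolve to that value for both SVID types, and a config with DefaultSVIDTTL plus one type-specific value must keep the legacy value for the other type. A unit test that pre-populates the type-specific fields before calling the loader, as the comment above describes, can never exercise that path.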