2.0 KiB
Certificate rotation
First party certificate rotation for the following components is implemented in three different places:
- RP
- MDSD
- MDM
The first party certificate is stored in a keyvault. The certificate is provided by Microsoft and in certain scenarios have to be rotated.
To ensure all three mentioned components read the new certificate, following is implemented.
RP
The certificate is read via certificateRefresher, which regularly rereads the certificate from the keyvault and updates
the in-memory copy used in an authorizer.
MDSD and MDM
Both MDSD and MDM, make use of regularly downloaded certificate. The certificate is normally downloaded via KeyVault extension. Unfortunately in ARO RP VM uses RHEL which is unsupported Linux distribution.
Therefore a workaround is used. The download systemd unit downloads the certificates and updates the correct file path
/var/lib/waagent/Microsoft.Azure.KeyVault.Store/
to mimic the KeyVault extension.
Moreover, both MDSD and MDM are deployed on VMs for the gateway and RP:
pkg/deploy/generator/resources_rp.gopkg/deploy/generator/resources_gateway.go
MDSD
MDSD uses the configuration to read new keys automatically. It read from the known file path
/var/lib/waagent/Microsoft.Azure.KeyVault.Store/
to get the fresh certificate.
MDM
MDM currently does not have the ability to read fresh certificate. The certificate is read from known path, but it is not re-read. To overcome this limitation, new systemd unit is introduced.
The systemd unit watch-mdm-credentials.path monitors the file path for
changes and when the change occurs,
the MDM container is restarted forcing the re-read of the fresh certificate.