saltstack/salt

[DOCS] key rejection is not mentioned in the guides when AES key rotation situations happens

Open

#63 469 ouverte le 12 janv. 2023

Voir sur GitHub
 (11 commentaires) (0 réactions) (0 assignés)Python (5 508 forks)batch import
documentationgood first issueseverity-mediumtime-estimate-quick-fix

Métriques du dépôt

Stars
 (13 710 stars)
Métriques de merge PR
 (Merge moyen 72j 6h) (221 PRs mergées en 30 j)

Description

Description Is not obvious that key rejection causes AES rotation for publications.

Suggested Fix

https://docs.saltproject.io/en/latest/topics/tutorials/intro_scale.html#too-many-minions-re-authing

The Salt Master generates a new AES key to encrypt its publications at certain events such as a Master restart or the removal of a Minion key. If you are encountering this problem of too many minions re-authing against the Master, you will need to recalibrate your setup to reduce the rate of events like a Master restart or Minion key removal (salt-key -d).

TO

The Salt Master generates a new AES key to encrypt its publications at certain events such as a Master restart or the removal/rejection of a Minion key. If you are encountering this problem of too many minions re-authing against the Master, you will need to recalibrate your setup to reduce the rate of events like a Master restart, Minion key removal (salt-key -d) or Minion key rejection (salt-key -r).

https://docs.saltproject.io/en/getstarted/system/communication.html in "ROTATING SECURITY KEYS"

A rotating AES key is used to encrypt jobs that are sent to the Salt minion by the Salt master, and to encrypt connections to the Salt master fileserver. A new key is generated and used each time the Salt master restarts and each time a Salt minion key is deleted using the salt-key command.

TO

A rotating AES key is used to encrypt jobs that are sent to the Salt minion by the Salt master, and to encrypt connections to the Salt master fileserver. A new key is generated and used each time the Salt master restarts and each time a Salt minion key is deleted/rejected using the salt-key command.

https://docs.saltproject.io/en/latest/ref/cli/salt-key.html

Add a huge warning and backlinking to performance guide for key removal/rejection sections

Type of documentation Guides

Location or format of documentation https://docs.saltproject.io/en/getstarted/system/communication.html https://docs.saltproject.io/en/latest/topics/tutorials/intro_scale.html#too-many-minions-re-authing https://docs.saltproject.io/en/latest/ref/cli/salt-key.html

Additional context

Guide contributeur