saltstack/salt

[DOCS] key rejection is not mentioned in the guides when AES key rotation situations happens

Open

#63.469 aberto em 12 de jan. de 2023

Ver no GitHub
 (11 comments) (0 reactions) (0 assignees)Python (5.508 forks)batch import
documentationgood first issueseverity-mediumtime-estimate-quick-fix

Métricas do repositório

Stars
 (13.710 stars)
Métricas de merge de PR
 (Mesclagem média 72d 6h) (221 fundiu PRs em 30d)

Description

Description Is not obvious that key rejection causes AES rotation for publications.

Suggested Fix

https://docs.saltproject.io/en/latest/topics/tutorials/intro_scale.html#too-many-minions-re-authing

The Salt Master generates a new AES key to encrypt its publications at certain events such as a Master restart or the removal of a Minion key. If you are encountering this problem of too many minions re-authing against the Master, you will need to recalibrate your setup to reduce the rate of events like a Master restart or Minion key removal (salt-key -d).

TO

The Salt Master generates a new AES key to encrypt its publications at certain events such as a Master restart or the removal/rejection of a Minion key. If you are encountering this problem of too many minions re-authing against the Master, you will need to recalibrate your setup to reduce the rate of events like a Master restart, Minion key removal (salt-key -d) or Minion key rejection (salt-key -r).

https://docs.saltproject.io/en/getstarted/system/communication.html in "ROTATING SECURITY KEYS"

A rotating AES key is used to encrypt jobs that are sent to the Salt minion by the Salt master, and to encrypt connections to the Salt master fileserver. A new key is generated and used each time the Salt master restarts and each time a Salt minion key is deleted using the salt-key command.

TO

A rotating AES key is used to encrypt jobs that are sent to the Salt minion by the Salt master, and to encrypt connections to the Salt master fileserver. A new key is generated and used each time the Salt master restarts and each time a Salt minion key is deleted/rejected using the salt-key command.

https://docs.saltproject.io/en/latest/ref/cli/salt-key.html

Add a huge warning and backlinking to performance guide for key removal/rejection sections

Type of documentation Guides

Location or format of documentation https://docs.saltproject.io/en/getstarted/system/communication.html https://docs.saltproject.io/en/latest/topics/tutorials/intro_scale.html#too-many-minions-re-authing https://docs.saltproject.io/en/latest/ref/cli/salt-key.html

Additional context

Guia do colaborador