new feature: refactor server-side PKI #67799

mattp- · 2025-03-07T18:35:12Z

What does this PR do?

The end goal of this work is to support a non file/disk based interface for pub key management. Using the existing salt.cache interface allows to leverage existing implementations of other storage backends (ie mysql, postgres, redis, etc).

Of note, this will allow a common shared view of pub keys for multi-master setups.

To avoid a break-the-world scenario in this change, a fully backward compatible salt.cache.localfs_key_backcompat is provided as the new default that emulates the disk operations salt.key was doing before.

open discussion items:
- as is i've left master side pub/priv key as is to live in etc/salt/pki; it COULD be moved to the same interface if that's desired

Tests written?

Not yet, pushing to see what CI does

Commits signed with GPG?

Yes

Please review Salt's Contributing Guide for best practices.

See GitHub's page on GPG signing for more information about signing commits with GPG.

salt/crypt.py

mattp- · 2025-05-07T20:08:20Z

@twangboy appreciate the approve but still working on this one 👍 have some unaccounted for work with the cluster mode i need to look at as well as the current failing tests (also need to add more coverage)

twangboy · 2025-05-07T20:11:07Z

I added [WIP] to the beginning of the title of this PR. When you're done, remove the [WIP].

mattp- · 2025-05-08T00:26:24Z

@twangboy sorry had to remove the label, something weird is going on with the github actions; i need the tests to run but its being wonky. will keep poking at it

the end goal of this work is to support a non file/disk based interface for pub key management. Using the existing salt.cache interface allows us to leverage existing implementations of other storage backends (ie mysql, postgres, redis, etc). Of note, this will allow a common shared view of pub keys for multi-master setups. To avoid a break-the-world scenario in this change, a fully backward compatible salt.cache.localfs_key_backcompat is provided as the new default that emulates the disk operations salt.key was doing before. open discussion items: - as is i've left master side pub/priv key as is to live in etc/salt/pki; it COULD be moved to the same interface if thats desired

mattp- requested a review from a team as a code owner March 7, 2025 18:35

mattp- temporarily deployed to ci March 7, 2025 18:35 — with GitHub Actions Inactive

mattp- temporarily deployed to ci March 7, 2025 18:48 — with GitHub Actions Inactive

mattp- force-pushed the pki branch from 7dbaec7 to 73b0823 Compare March 7, 2025 19:19

mattp- temporarily deployed to ci March 7, 2025 19:20 — with GitHub Actions Inactive

mattp- temporarily deployed to ci March 7, 2025 19:32 — with GitHub Actions Inactive

mattp- force-pushed the pki branch from 73b0823 to cd73034 Compare March 7, 2025 19:49

mattp- temporarily deployed to ci March 7, 2025 19:50 — with GitHub Actions Inactive

mattp- temporarily deployed to ci March 7, 2025 20:02 — with GitHub Actions Inactive

mattp- force-pushed the pki branch from cd73034 to c97c671 Compare March 7, 2025 20:23

mattp- temporarily deployed to ci March 7, 2025 20:24 — with GitHub Actions Inactive

mattp- temporarily deployed to ci March 7, 2025 20:36 — with GitHub Actions Inactive

dwoz reviewed Mar 8, 2025

View reviewed changes

salt/crypt.py Outdated Show resolved Hide resolved

mattp- force-pushed the pki branch from c97c671 to 7059678 Compare April 8, 2025 18:39

mattp- temporarily deployed to ci April 8, 2025 18:40 — with GitHub Actions Inactive

mattp- force-pushed the pki branch from 7059678 to d897dd5 Compare April 8, 2025 19:17

mattp- temporarily deployed to ci April 8, 2025 19:17 — with GitHub Actions Inactive

mattp- force-pushed the pki branch from d897dd5 to 7dbdd0b Compare April 8, 2025 19:26

twangboy added the test:full Run the full test suite label May 7, 2025

twangboy previously approved these changes May 7, 2025

View reviewed changes

twangboy temporarily deployed to ci May 7, 2025 20:07 — with GitHub Actions Inactive

twangboy changed the title ~~new feature: refactor server-side PKI~~ [WIP] new feature: refactor server-side PKI May 7, 2025

mattp- temporarily deployed to ci May 7, 2025 20:43 — with GitHub Actions Inactive

mattp- dismissed twangboy’s stale review via ce18e39 May 8, 2025 00:18

mattp- force-pushed the pki branch from 60d1e19 to ce18e39 Compare May 8, 2025 00:18

mattp- changed the title ~~[WIP] new feature: refactor server-side PKI~~ new feature: refactor server-side PKI May 8, 2025

mattp- force-pushed the pki branch from ce18e39 to d4cea0c Compare May 8, 2025 00:23

mattp- closed this May 8, 2025

mattp- reopened this May 8, 2025

mattp- force-pushed the pki branch from d4cea0c to a057e5d Compare May 8, 2025 00:26

mattp- temporarily deployed to ci May 8, 2025 00:34 — with GitHub Actions Inactive

mattp- temporarily deployed to ci May 8, 2025 01:56 — with GitHub Actions Inactive

mattp- force-pushed the pki branch from a057e5d to 0cec313 Compare May 8, 2025 19:39

mattp- temporarily deployed to ci May 8, 2025 19:39 — with GitHub Actions Inactive

mattp- temporarily deployed to ci May 8, 2025 20:02 — with GitHub Actions Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

new feature: refactor server-side PKI #67799

new feature: refactor server-side PKI #67799

mattp- commented Mar 7, 2025

mattp- commented May 7, 2025

twangboy commented May 7, 2025

mattp- commented May 8, 2025

new feature: refactor server-side PKI #67799

Are you sure you want to change the base?

new feature: refactor server-side PKI #67799

Conversation

mattp- commented Mar 7, 2025

What does this PR do?

Tests written?

Commits signed with GPG?

mattp- commented May 7, 2025

twangboy commented May 7, 2025

mattp- commented May 8, 2025