feat(nats pubsub): add NATS CA cert generation #26590
cstyan wants to merge 2 commits into
AI summary of changes:

Adds cryptokeys support for a CA that will sign the ephemeral leaf certificates replicas use for NATS cluster mTLS:

- New crypto_key_feature enum value nats_ca; the rotator generates a self-signed ECDSA P-256 CA (PEM cert+key bundle in the secret column) and rotates it on the shared key duration with a 30 day token duration matching the maximum leaf lifetime.
- FetchNATSCA accessor returns the active CA (parsed cert and signer) plus a trust bundle of all valid CA rows and the active row sequence so callers can detect rotation. It creates the CA on first fetch under an advisory lock since the NATS pubsub is constructed before the rotator starts.
- The CA bundle contains a private key and stays excluded from the wsproxy crypto-keys endpoint allowlist and the signing/encryption keycaches.

The feature is dormant: nothing fetches the CA until cli/server.go is wired up in a follow-up branch.
FetchNATSCA bootstrapped the nats_ca crypto key under a dedicated LockIDNATSCACreate advisory lock, separate from the rotator's LockIDCryptoKeyRotation. This was safe in practice: the server only starts the rotator (coderd.New) after FetchNATSCA returns during pubsub setup, so the two writers never overlap and never contend on the crypto_keys (feature, sequence) primary key. This is a defensive consistency change, not a bug fix. Reusing the rotator's lock makes the bootstrap path and the rotator mutually exclusive regardless of call ordering, so a future caller that invokes FetchNATSCA concurrently with the rotator can't race the primary key. It also keeps nats_ca consistent with how the other crypto key features are created (single advisory lock). The now-unused LockIDNATSCACreate is removed.
NOTE: The changes in this PR were generated with heavy AI help. I have verified general functionality (manual test) and reviewed the code structure itself. Crypto details are outside my current knowledge base, but I believe relying on the stdlib x509 package is safe here. Please nitpick both the code and implementation details if anything smells off at all.
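The description relies on the standard-library crypto/x509 package for three operations: minting a self-signed ECDSA P-256 CA, signing leaf certificates whose lifetime is capped at 30 days, and validating peers against a trust bundle that holds every CA still valid so leaves signed before a rotation keep working. The Go program below is an added example written for this page; it is not code from the PR or from the project it targets. It shows the constraints a reviewer would look for on the CA template (IsCA with a zero path length, CertSign key usage only), the lifetime cap and clamp on leaves, and the cross-rotation verification. The function names NewSelfSignedCA, IssueLeaf and VerifyLeaf and the 90 day CA lifetime are assumptions made for the example; the 30 day leaf maximum is the figure from the PR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed durations: the 30 day leaf maximum is the PR's figure; the CA lifetime is a placeholder.
const (
	maxLeafLifetime = 30 * 24 * time.Hour
	caLifetime      = 90 * 24 * time.Hour
)

// CA pairs a parsed CA certificate with its ECDSA signing key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newKeyAndSerial generates a P-256 key and a random 128-bit serial number.
func newKeyAndSerial() (*ecdsa.PrivateKey, *big.Int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return key, serial, err
}

// NewSelfSignedCA builds a CA that can only sign leaves: IsCA, path length zero, CertSign/CRLSign.
func NewSelfSignedCA(name string, now time.Time) (*CA, error) {
	key, serial, err := newKeyAndSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(caLifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueLeaf signs a short-lived mTLS leaf; the lifetime is refused above the cap and clamped to CA expiry.
func (ca *CA) IssueLeaf(replicaID string, now time.Time, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if lifetime <= 0 || lifetime > maxLeafLifetime {
		return nil, nil, fmt.Errorf("leaf lifetime %v is outside (0, %v]", lifetime, maxLeafLifetime)
	}
	key, serial, err := newKeyAndSerial()
	if err != nil {
		return nil, nil, err
	}
	notAfter := now.Add(lifetime)
	if notAfter.After(ca.Cert.NotAfter) {
		notAfter = ca.Cert.NotAfter
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: replicaID},
		DNSNames:     []string{replicaID},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyLeaf checks a peer leaf against every still-valid CA (only the certificates are used),
// so leaves from the previous CA keep verifying across a rotation until they expire.
func VerifyLeaf(leaf *x509.Certificate, trusted []*CA, now time.Time, peerName string) error {
	roots := x509.NewCertPool()
	for _, ca := range trusted {
		roots.AddCert(ca.Cert)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, DNSName: peerName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Verification takes a slice of CAs rather than the active one only: after rotation the bundle holds the old and the new CA, and a leaf issued by the old CA must still verify until its own 30 day expiry, while a leaf presented to a verifier that only trusts the new CA fails. Note that only the certificates end up in the pool; the private keys never need to reach a verifying peer, which is consistent with keeping the cert+key bundle out of any endpoint allowlist.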