ocsp-responder: add LiveSigningPeriod (#6237)
Previously we used "ExpectedFreshness" to control how frequently the Redis source would request re-signing of stale entries. But that field also controls whether multi_source is willing to serve a MariaDB response. It's better to split these into two values.
This commit is contained in:
parent
ac0752ea53
commit
3b09571e70
@ -46,8 +46,7 @@ type Config struct {
|
|||
|
||||
Path string
|
||||
ListenAddress string
|
||||
// MaxAge is the max-age to set in the Cache-Control response
|
||||
// header. It is a time.Duration formatted string.
|
||||
// Deprecated and unused.
|
||||
MaxAge cmd.ConfigDuration
|
||||
|
||||
// When to timeout a request. This should be slightly lower than the
|
||||
|
|
@ -73,6 +72,10 @@ type Config struct {
|
|||
// This has a default value of 61h.
|
||||
ExpectedFreshness cmd.ConfigDuration
|
||||
|
||||
// How often a response should be signed when using Redis/live-signing
|
||||
// path. This has a default value of 60h.
|
||||
LiveSigningPeriod cmd.ConfigDuration
|
||||
|
||||
// A limit on how many requests to the RA (and onwards to the CA) will
|
||||
// be made to sign responses that are not fresh in the cache. This
|
||||
// should be set to somewhat less than
|
||||
|
|
@ -172,6 +175,11 @@ as generated by Boulder's ceremony command.
|
|||
expectedFreshness = 61 * time.Hour
|
||||
}
|
||||
|
||||
liveSigningPeriod := c.OCSPResponder.LiveSigningPeriod.Duration
|
||||
if liveSigningPeriod == 0 {
|
||||
liveSigningPeriod = 60 * time.Hour
|
||||
}
|
||||
|
||||
tlsConfig, err := c.OCSPResponder.TLS.Load()
|
||||
cmd.FailOnError(err, "TLS config")
|
||||
clientMetrics := bgrpc.NewClientMetrics(stats)
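Review bot: The two defaults are applied independently, but nothing checks that liveSigningPeriod stays below expectedFreshness, even though the only thing separating the defaults (60h and 61h) is a one-hour margin. If, as the commit message says, expectedFreshness gates which responses multi_source will still serve, an operator who configures liveSigningPeriod at or above it would have Redis entries age past the serve threshold before the live-signing path refreshes them; a startup check right after this block would make that misconfiguration fail loudly, e.g. `if liveSigningPeriod >= expectedFreshness { cmd.Fail("liveSigningPeriod must be shorter than expectedFreshness") }`. The field comment added in the `@ -73,6 +72,10 @@` hunk could state the same constraint, e.g. `// This must be shorter than ExpectedFreshness so cached responses are re-signed before they stop being served.` The enclosing function continues outside this hunk.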
|
||||
|
|
@ -185,7 +193,7 @@ as generated by Boulder's ceremony command.
|
|||
}
|
||||
liveSource := live.New(rac, int64(maxInflight))
|
||||
|
||||
rocspSource, err := redis_responder.NewRedisSource(rocspReader, liveSource, expectedFreshness, clk, stats, logger)
|
||||
rocspSource, err := redis_responder.NewRedisSource(rocspReader, liveSource, liveSigningPeriod, clk, stats, logger)
|
||||
cmd.FailOnError(err, "Could not create redis source")
|
||||
|
||||
source, err = responder.NewMultiSource(source, rocspSource, expectedFreshness, stats, logger)
|
||||
|
|
|
|||
|
|
@ -20,11 +20,11 @@ type rocspClient interface {
|
|||
}
|
||||
|
||||
type redisSource struct {
|
||||
client rocspClient
|
||||
signer responder.Source
|
||||
counter *prometheus.CounterVec
|
||||
clk clock.Clock
|
||||
staleThreshold time.Duration
|
||||
client rocspClient
|
||||
signer responder.Source
|
||||
counter *prometheus.CounterVec
|
||||
clk clock.Clock
|
||||
liveSigningPeriod time.Duration
|
||||
// Note: this logger is not currently used, as all audit log events are from
|
||||
// the dbSource right now, but it should and will be used in the future.
|
||||
log blog.Logger
|
||||
|
|
@ -35,7 +35,7 @@ type redisSource struct {
|
|||
func NewRedisSource(
|
||||
client *rocsp.WritingClient,
|
||||
signer responder.Source,
|
||||
staleThreshold time.Duration,
|
||||
liveSigningPeriod time.Duration,
|
||||
clk clock.Clock,
|
||||
stats prometheus.Registerer,
|
||||
log blog.Logger,
|
||||
|
|
@ -51,12 +51,12 @@ func NewRedisSource(
|
|||
rocspReader = client
|
||||
}
|
||||
return &redisSource{
|
||||
client: rocspReader,
|
||||
signer: signer,
|
||||
counter: counter,
|
||||
staleThreshold: staleThreshold,
|
||||
clk: clk,
|
||||
log: log,
|
||||
client: rocspReader,
|
||||
signer: signer,
|
||||
counter: counter,
|
||||
liveSigningPeriod: liveSigningPeriod,
|
||||
clk: clk,
|
||||
log: log,
|
||||
}, nil
|
||||
}
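Review bot: NewRedisSource stores liveSigningPeriod without validating it, and isStale (in the `@ -90,7 +90,7 @@` hunk) compares `clk.Since(resp.ThisUpdate) > src.liveSigningPeriod`, so a zero or negative value makes every cached response stale and a caller that bypasses the default applied in the ocsp-responder main would re-sign on every request, with the resulting signer load bounded only by maxInflight. Since the constructor already returns an error, a guard before the return is cheap: `if liveSigningPeriod <= 0 { return nil, errors.New("liveSigningPeriod must be positive") }` (using whichever error constructor the file already imports). The new struct field in the `@ -20,11 +20,11 @@` hunk would also benefit from a comment, e.g. `// liveSigningPeriod is how old (measured from ThisUpdate) a cached response may be before isStale reports it as needing a fresh signature.` NewRedisSource's signature and opening lines are outside this hunk.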
|
||||
|
||||
|
|
@ -90,7 +90,7 @@ func (src *redisSource) Response(ctx context.Context, req *ocsp.Request) (*respo
|
|||
}
|
||||
|
||||
func (src *redisSource) isStale(resp *ocsp.Response) bool {
|
||||
return src.clk.Since(resp.ThisUpdate) > src.staleThreshold
|
||||
return src.clk.Since(resp.ThisUpdate) > src.liveSigningPeriod
|
||||
}
|
||||
|
||||
func (src *redisSource) signAndSave(ctx context.Context, req *ocsp.Request, cause string) (*responder.Response, error) {
|
||||
|
|
|
|||
|
|
@ -34,7 +34,8 @@
|
|||
"/hierarchy/intermediate-cert-rsa-b.pem",
|
||||
"/hierarchy/intermediate-cert-ecdsa-a.pem"
|
||||
],
|
||||
"maxAge": "10s",
|
||||
"expectedFreshness": "61h",
|
||||
"liveSigningPeriod": "60h",
|
||||
"timeout": "4.9s",
|
||||
"shutdownStopTimeout": "10s",
|
||||
"debugAddr": ":8005",
|
||||
|
|
|
|||
|
|
@ -11,7 +11,6 @@
|
|||
"/hierarchy/intermediate-cert-rsa-b.pem",
|
||||
"/hierarchy/intermediate-cert-ecdsa-a.pem"
|
||||
],
|
||||
"maxAge": "10s",
|
||||
"timeout": "4.9s",
|
||||
"shutdownStopTimeout": "10s",
|
||||
"debugAddr": ":8005",
|
||||
|
|
|
|||