eclipse-hono

Zero Downtime rotation of Eclipse Hono Auth Server Shared Secret


We're operating Eclipse Hono and would like to perform zero-downtime updates on all components in our cluster.

For authentication between the different Eclipse Hono components we use the Hono Auth Service. There we configured a shared secret (HONO_AUTH_SVC_SIGNING_SHARED_SECRET) to be used for signing the issued tokens. Consuming services (e.g. Command Router / Mongo DB Device Registry) are configured with the same secret.

When changing the shared secret we simultaneously need to restart all instances of the mentioned microservices, which leads to a short downtime. If we would perform a rolling update, the old instances would not validate the issued tokens of instances already running with the new shared secret.

Has anyone had the same issue, or knows how to perform a zero-downtime update?

One option to solve our problem would be the possibility to configure next to the HONO_AUTH_VALIDATION_SHARED_SECRET another secret (HONO_AUTH_VALIDATION_SHARED_SECRET_FALLBACK) which would be tried if the primary fails. Like this we could perform a rolling update of all components without downtime.

The usage of a certificate instead of the shared secret has as far as I can see the same restriction.

Thanks, Chris
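The fallback-secret idea from the post, worked through as an added example (this is not Hono's code and Hono exposes no such setting; the tokens are modelled as HS256-signed JWTs, which is an assumption made here for illustration, and the secret values, subject names and phase labels are constructed). A consumer that validates against a list of secrets accepts tokens from issuers that have already rotated and from those that have not, which is exactly what a rolling update needs; the simulation at the end shows the three phases of such a rollout:

```python
"""Added example, not part of Eclipse Hono: token validation with a primary
validation secret plus a fallback secret, and a simulation of a rolling
secret rotation. Hono's actual config has a single
HONO_AUTH_VALIDATION_SHARED_SECRET; the fallback list is a hypothetical."""
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, subject: str, ttl_s: int = 600,
                now: Optional[int] = None) -> str:
    """Issue a compact HS256 JWT (header.claims.signature), as the auth
    server side of the exchange. Signing with HS256 is assumed here."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ttl_s}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, secrets: Iterable[bytes],
                   now: Optional[int] = None) -> Optional[dict]:
    """Consumer side: return the claims if the signature verifies under ANY
    configured secret (primary first, then fallback) and the token is not
    expired; otherwise None. The algorithm is pinned and the MAC comparison is
    constant-time, so the fallback list does not weaken verification."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # covers bad base64 and bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + claims_b64).encode("ascii")
    for secret in secrets:
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            now = int(time.time()) if now is None else int(now)
            if int(claims.get("exp", 0)) <= now:
                return None
            return claims
    return None


def simulate_rolling_rotation(old_secret: bytes, new_secret: bytes,
                              now: int = 1_700_000_000) -> dict:
    """Constructed scenario: during a rolling update one auth-server
    instance still signs with the old secret and one already signs with the
    new one. For each consumer configuration return
    (old-secret token accepted, new-secret token accepted)."""
    old_token = issue_token(old_secret, "command-router", now=now)
    new_token = issue_token(new_secret, "command-router", now=now)
    phases = {
        # Today's situation: only one secret, so tokens from already-rotated
        # issuers are rejected until the consumer itself is restarted.
        "old_only": [old_secret],
        # Rolling-update window with the proposed fallback secret.
        "new_with_fallback": [new_secret, old_secret],
        # All issuers rotated; the old secret is retired from the consumer.
        "new_only": [new_secret],
    }
    return {
        name: (validate_token(old_token, secs, now=now + 1) is not None,
               validate_token(new_token, secs, now=now + 1) is not None)
        for name, secs in phases.items()
    }


if __name__ == "__main__":
    OLD = b"old-shared-secret-constructed-for-the-example"
    NEW = b"new-shared-secret-constructed-for-the-example"
    for phase, result in simulate_rolling_rotation(OLD, NEW).items():
        print(f"{phase:18s} old-token ok={result[0]}  new-token ok={result[1]}")
```

The order of operations the simulation implies: first roll out the new secret as the fallback on every consumer, then rotate the auth server instances, then drop the old secret from the consumers once no issuer uses it any more. Tokens are short-lived, so the last step only has to wait for the old tokens to expire.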


Solution

  • I also do not see any option to cycle the shared secret based on the current implementation without incurring any downtime. For this to work, Hono's components would need to support configuration of multiple shared secrets for validation of the tokens, as you correctly pointed out. Maybe you want to open an issue for this with Hono?