Skip to content

Rate-limit the /v1/rotate endpoint#1971

Open
0xVijay wants to merge 1 commit into
bitnami:mainfrom
0xVijay:ratelimit-rotate-endpoint
Open

Rate-limit the /v1/rotate endpoint#1971
0xVijay wants to merge 1 commit into
bitnami:mainfrom
0xVijay:ratelimit-rotate-endpoint

Conversation

@0xVijay

@0xVijay 0xVijay commented May 22, 2026

Copy link
Copy Markdown

What this does

Wraps the /v1/rotate handler in the same httpRateLimiter.RateLimit(...) chain that /v1/verify already uses, and clarifies the help text on --rate-limit / --rate-limit-burst to reflect that both endpoints are covered.

Why

/v1/rotate decrypts a SealedSecret with the controller's private key and re-encrypts it with the latest sealing key — a full RSA-OAEP decrypt + re-encrypt on every request. The default Helm chart binds system:authenticated to the proxier role, so any user with a valid cluster credential can reach the endpoint via the kube-apiserver proxy and flood it. The CPU goes to 100% and SealedSecret reconciliation stalls across the whole cluster.

/v1/verify was already rate-limited at pkg/controller/server.go:49. Rotate just needs the same wrapper.

This was discussed in advisory GHSA-jpp5-6cf2-prqh@alvneiayu accepted it as a genuine improvement and suggested opening a regular issue / PR. Sending the PR directly.

Change

-	mux.Handle("/v1/rotate", Instrument("/v1/rotate", http.HandlerFunc(func(...) {
+	mux.Handle("/v1/rotate", Instrument("/v1/rotate", httpRateLimiter.RateLimit(http.HandlerFunc(func(...) {

Plus a one-word help-text update on the two existing rate-limit flags so the docs match the behaviour.

Notes

  • No new flags introduced — reuses the existing --rate-limit / --rate-limit-burst quotas so deployments don't need configuration changes.
  • Behaviour parity with verify means 429 Too Many Requests once the per-source GCRA bucket is exhausted.
  • Happy to add a test that exercises the limiter on rotate if you want one. I noticed there's no equivalent test for verify today so I kept the change minimal — let me know.

@0xVijay
Apply rate limiter to /v1/rotate endpoint
aa3f83e 
The /v1/rotate handler was registered without the throttled rate
limiter that /v1/verify uses. Since rotate performs a full RSA-OAEP
decrypt + re-encrypt on every request, an authenticated cluster user
who can reach the endpoint via the kube-apiserver proxy can drive
the controller's CPU to 100% and stall SealedSecret reconciliation
cluster-wide.

Wraps the rotate handler in the same httpRateLimiter.RateLimit(...)
chain used for verify. Updates the help text on --rate-limit and
--rate-limit-burst to reflect that both endpoints are now covered.

Reported in GHSA-jpp5-6cf2-prqh.
@github-actions

github-actions Bot commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.

@github-actions github-actions Bot added the Stale label Jun 7, 2026
@github-actions

github-actions Bot commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Pull Request. Do not hesitate to reopen it later if necessary.

@github-actions github-actions Bot closed this Jun 14, 2026
@alvneiayu alvneiayu reopened this Jun 14, 2026
@github-actions github-actions Bot removed the Stale label Jun 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alvneiayu alvneiayu Awaiting requested review from alvneiayu alvneiayu is a code owner

@agarcia-oss agarcia-oss Awaiting requested review from agarcia-oss agarcia-oss is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@0xVijay @alvneiayu