sa: GetRevokedCerts returns explicit shards too #7918
Closed
Change GetRevokedCerts to return a combined list of certs for a given shard, calculating shard membership temporally and by explicit assignment to a shard in the revokedCertificates table.
This functionality is gated on the ShardIdx field of GetRevokedCertsRequest. If it is zero, revoked certs will only be returned from a given temporal shard (and we assume that no certs have been assigned to any explicit shard yet).
After we start sending the ShardIdx field, and also start writing entries to the revokedCertificates table, this will result in CRL sizes doubling for several months until we retire the temporal sharding code, since most revoked certificates will be included in one shard based on their entry in revokedCertificates, and a different shard based on their issuance time.
Update the tests to cover more cases, and reduce duplication somewhat.
Update test.ThrowAwayCert to document the lifetime it uses, and to generate serial numbers that are the same length as used in the rest of boulder (which makes debug output using serials easier to read).
Part of #7094
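
A simplified model of the shard selection described above, added here as an illustration and not taken from Boulder's code: it shows the ShardIdx gating and why total CRL entries grow once a certificate can land in one shard temporally and another by explicit assignment. The struct, the helper names, the precomputed temporal shard number and the sample serials are all assumptions made for the example.

```go
package main

import "fmt"

// revokedCert is a constructed stand-in for one revoked certificate.
type revokedCert struct {
	Serial        string
	TemporalShard int64 // shard derived from time (assumed precomputed)
	ExplicitShard int64 // shard stored in revokedCertificates; 0 = none
}

// Constructed sample data, not real serials.
var sampleCerts = []revokedCert{
	{"aa01", 1, 2}, {"aa02", 2, 3}, {"aa03", 3, 3}, {"aa04", 1, 0},
}

// getRevokedCerts models the gating: temporal membership always counts;
// explicit assignment counts only when shardIdx is non-zero. A serial that
// matches both ways is returned once (an assumption of this model).
func getRevokedCerts(certs []revokedCert, temporalShard, shardIdx int64) []string {
	var out []string
	for _, c := range certs {
		if c.TemporalShard == temporalShard || (shardIdx != 0 && c.ExplicitShard == shardIdx) {
			out = append(out, c.Serial)
		}
	}
	return out
}

// totalEntries sums CRL entries over shards 1..numShards, with or without
// the ShardIdx field being sent.
func totalEntries(certs []revokedCert, numShards int64, sendShardIdx bool) int {
	total := 0
	for shard := int64(1); shard <= numShards; shard++ {
		idx := int64(0)
		if sendShardIdx {
			idx = shard
		}
		total += len(getRevokedCerts(certs, shard, idx))
	}
	return total
}

func main() {
	fmt.Println("entries without ShardIdx:", totalEntries(sampleCerts, 3, false))
	fmt.Println("entries with ShardIdx:   ", totalEntries(sampleCerts, 3, true))
}
```

Serials aa01 and aa02 appear in two shards each once ShardIdx is sent, which is the size growth the description expects until temporal sharding is retired.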