sync authorized entries: issues with entry id reuse

[sorindumitru]

When using the experimental use_sync_authorized_entries = true configuration users can run into situations where agents don't see entry updates if users recreate entries with the same name:

• spire-server entry create "entryID"
• spire-server entry update "entryID" (optionally, I think you still have the same issue if you don't do this)
• spire-server entry delete "entryID" followed quickly (shorter than the agent sync interval) by spire-server entry create "entryID"

The agent would receive a revision about the entry "entryID" but will see the RevisionNumber set 0, which is smaller than the previous RevisionNumber it had, and will ignore that update.

This has usually a small chance of happening, due to using UUIDs by default for the entry IDs, but since users are allowed to specify an entry ID it can happen more easily.

Ideas for dealing with this:

• Include the "created_at" field in the entry revision update and use both it and the revision number to decide if an entry needs to be re-synced. This adds a bit more overhead to the communication, but it should cover all situations.

• Replace the two with a single "updated at" field.

• Version: >= 1.8.7

• Platform: any

• Subsystem: server,agent