Add SPIRE connection to status

[ upstream commit 1410a66 ]

This adds the SPIRE connection to cilium status, this then can be used
by the CLI tool to surface errors and/or wait for SPIRE to be ready.
If Auth is disabled it will surface the disabled status.

This commit is a manual backport due to formatting and import conflicts
between main and v1.14 due to the replacement of the ipcache import with
the nodemanager in the upstream main branch.

Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>

api/v1/openapi.yaml

@@ -1959,6 +1959,9 @@ definitions:
       cni-chaining:
         description: Status of CNI chaining
         "$ref": "#/definitions/CNIChainingStatus"
+      auth-certificate-provider:
+        description: Status of Mutual Authentication certificate provider
+        "$ref": "#/definitions/Status"
   Status:
     description: Status of an individual component
     type: object

daemon/cmd/daemon.go

@@ -24,6 +24,7 @@ import (
 	"github.com/cilium/cilium/api/v1/models"
 	health "github.com/cilium/cilium/cilium-health/launch"
 	"github.com/cilium/cilium/daemon/cmd/cni"
+	"github.com/cilium/cilium/pkg/auth"
 	"github.com/cilium/cilium/pkg/bandwidth"
 	"github.com/cilium/cilium/pkg/bgp/speaker"
 	bgpv1 "github.com/cilium/cilium/pkg/bgpv1/agent"
@@ -217,6 +218,9 @@ type Daemon struct {
 
 	// statedb for implementing /statedb/dump
 	db statedb.DB
+
+	// authManager for reporting the status of the auth system certificate provider
+	authManager *auth.AuthManager
 }
 
 func (d *Daemon) initDNSProxyContext(size int) {
@@ -545,6 +549,7 @@ func newDaemon(ctx context.Context, cleaner *daemonCleanup, params *daemonParams
 		l2announcer:          params.L2Announcer,
 		l7Proxy:              params.L7Proxy,
 		db:                   params.DB,
+		authManager:          params.AuthManager,
 	}
 
 	d.configModifyQueue = eventqueue.NewEventQueueBuffered("config-modify-queue", ConfigModifyQueueSize)

daemon/cmd/daemon_main.go

@@ -27,6 +27,7 @@ import (
 	"github.com/cilium/cilium/daemon/cmd/cni"
 	agentK8s "github.com/cilium/cilium/daemon/k8s"
 	"github.com/cilium/cilium/pkg/api"
+	"github.com/cilium/cilium/pkg/auth"
 	"github.com/cilium/cilium/pkg/aws/eni"
 	bgpv1 "github.com/cilium/cilium/pkg/bgpv1/agent"
 	"github.com/cilium/cilium/pkg/bpf"
@@ -1620,6 +1621,7 @@ type daemonParams struct {
 	L2Announcer          *l2announcer.L2Announcer
 	L7Proxy              *proxy.Proxy
 	DB                   statedb.DB
+	AuthManager          *auth.AuthManager
 }
 
 func newDaemonPromise(params daemonParams) promise.Promise[*Daemon] {

daemon/cmd/status.go

@@ -1019,6 +1019,26 @@ func (d *Daemon) startStatusCollector(cleaner *daemonCleanup) {
 				}
 			},
 		},
+		{
+			Name: "auth-cert-provider",
+			Probe: func(ctx context.Context) (interface{}, error) {
+				if d.authManager == nil {
+					return &models.Status{State: models.StatusStateDisabled}, nil
+				}
+
+				return d.authManager.CertProviderStatus(), nil
+			},
+			OnStatusUpdate: func(status status.Status) {
+				d.statusCollectMutex.Lock()
+				defer d.statusCollectMutex.Unlock()
+
+				if status.Err == nil {
+					if s, ok := status.Data.(*models.Status); ok {
+						d.statusResponse.AuthCertificateProvider = s
+					}
+				}
+			},
+		},
 	}
 
 	d.statusResponse.Masquerading = d.getMasqueradingStatus()

pkg/auth/always_fail_authhandler.go

@@ -6,6 +6,7 @@ package auth
 import (
 	"errors"
 
+	"github.com/cilium/cilium/api/v1/models"
 	"github.com/cilium/cilium/pkg/auth/certs"
 	"github.com/cilium/cilium/pkg/policy"
 )
@@ -31,3 +32,7 @@ func (r *alwaysFailAuthHandler) authType() policy.AuthType {
 func (r *alwaysFailAuthHandler) subscribeToRotatedIdentities() <-chan certs.CertificateRotationEvent {
 	return nil
 }
+
+func (r *alwaysFailAuthHandler) certProviderStatus() *models.Status {
+	return nil // reporting no status as we have no cert provider
+}

pkg/auth/always_pass_authhandler.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/sirupsen/logrus"
 
+	"github.com/cilium/cilium/api/v1/models"
 	"github.com/cilium/cilium/pkg/auth/certs"
 	"github.com/cilium/cilium/pkg/policy"
 )
@@ -41,3 +42,7 @@ func (r *alwaysPassAuthHandler) authType() policy.AuthType {
 func (r *alwaysPassAuthHandler) subscribeToRotatedIdentities() <-chan certs.CertificateRotationEvent {
 	return nil
 }
+
+func (r *alwaysPassAuthHandler) certProviderStatus() *models.Status {
+	return nil // reporting no status as we have no cert provider
+}

pkg/auth/cell.go

@@ -24,7 +24,7 @@ import (
 	"github.com/cilium/cilium/pkg/stream"
 )
 
-// Cell invokes authManager which is responsible for request authentication.
+// Cell provides AuthManager which is responsible for request authentication.
 // It does this by registering to "auth required" signals from the signal package
 // and reacting upon received signal events.
 // Actual authentication gets performed by an auth handler which is
@@ -37,7 +37,7 @@ var Cell = cell.Module(
 
 	// The auth manager is the main entry point which gets registered to signal map and receives auth requests.
 	// In addition, it handles re-authentication and auth map garbage collection.
-	cell.Invoke(registerAuthManager),
+	cell.Provide(registerAuthManager),
 	cell.ProvidePrivate(
 		// Null auth handler provides support for auth type "null" - which always succeeds.
 		newMutualAuthHandler,
@@ -86,10 +86,10 @@ type authManagerParams struct {
 	PolicyRepo      *policy.Repository
 }
 
-func registerAuthManager(params authManagerParams) error {
+func registerAuthManager(params authManagerParams) (*AuthManager, error) {
 	if !params.Config.MeshAuthEnabled {
 		params.Logger.Info("Authentication processing is disabled")
-		return nil
+		return nil, nil
 	}
 
 	// Instantiate & wire auth components
@@ -99,7 +99,7 @@ func registerAuthManager(params authManagerParams) error {
 
 	mgr, err := newAuthManager(params.Logger, params.AuthHandlers, mapCache, params.IPCache, params.Config.MeshAuthSignalBackoffDuration)
 	if err != nil {
-		return fmt.Errorf("failed to create auth manager: %w", err)
+		return nil, fmt.Errorf("failed to create auth manager: %w", err)
 	}
 
 	mapGC := newAuthMapGC(params.Logger, mapCache, params.IPCache, params.PolicyRepo)
@@ -122,25 +122,25 @@ func registerAuthManager(params authManagerParams) error {
 	)
 
 	if err := registerSignalAuthenticationJob(jobGroup, mgr, params.SignalManager, params.Config); err != nil {
-		return fmt.Errorf("failed to register signal authentication job: %w", err)
+		return nil, fmt.Errorf("failed to register signal authentication job: %w", err)
 	}
 	registerReAuthenticationJob(jobGroup, mgr, params.AuthHandlers)
 	registerGCJobs(jobGroup, params.Lifecycle, mapGC, params.Config, params.NodeManager, params.IdentityChanges)
 
 	params.Lifecycle.Append(jobGroup)
 
-	return nil
+	return mgr, nil
 }
 
-func registerReAuthenticationJob(jobGroup job.Group, mgr *authManager, authHandlers []authHandler) {
+func registerReAuthenticationJob(jobGroup job.Group, mgr *AuthManager, authHandlers []authHandler) {
 	for _, ah := range authHandlers {
 		if ah != nil && ah.subscribeToRotatedIdentities() != nil {
 			jobGroup.Add(job.Observer("auth re-authentication", mgr.handleCertificateRotationEvent, stream.FromChannel(ah.subscribeToRotatedIdentities())))
 		}
 	}
 }
 
-func registerSignalAuthenticationJob(jobGroup job.Group, mgr *authManager, sm signal.SignalManager, config config) error {
+func registerSignalAuthenticationJob(jobGroup job.Group, mgr *AuthManager, sm signal.SignalManager, config config) error {
 	var signalChannel = make(chan signalAuthKey, config.MeshAuthQueueSize)
 
 	// RegisterHandler registers signalChannel with SignalManager, but flow of events

pkg/auth/certs/provider.go

@@ -7,6 +7,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 
+	"github.com/cilium/cilium/api/v1/models"
 	"github.com/cilium/cilium/pkg/identity"
 )
 
@@ -36,4 +37,7 @@ type CertificateProvider interface {
 
 	// SubscribeToRotatedIdentities will return a channel with the identities that have rotated certificates
 	SubscribeToRotatedIdentities() <-chan CertificateRotationEvent
+
+	// Status will return the status of the certificate provider
+	Status() *models.Status
 }