Service Mesh mTLS: DelegatedIdentity SPIFFE API #23968
Commit 7d01bce2ac646eb44599d1b3e1d7200b7b39d00b does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
LGTM with one question and a couple of spelling nits.
Nice work!
This adds an interface for a hive cell to use that provides the auth package with a way to receive and verify the validity of the certificates involved.
Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
This adds a dependency on the SPIFFE/SPIRE SDK to be used in the mTLS handling code.
Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
This adds an implementation of the Delegate API of a SPIRE server as a source for certificates to be used in an mTLS handshake. It will connect to the admin socket of a SPIRE agent, where it will be able to get the certificates and keys on behalf of all Cilium workloads which are receiving an SVID from the controller. This is then cached in memory for the auth handler to request.
Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
/test
One CI failure in Travis, but it does not seem related to this PR (the code path is not yet active, so that would be weird).
LGTM from vendor team ✔️
This adds an implementation of the Delegate API of a SPIRE server as a source for certificates to be used in an mTLS handshake. It will connect to the admin socket of a SPIRE agent, where it will be able to get the certificates and keys on behalf of all Cilium workloads which are receiving an SVID from the controller. This is then cached in memory for the auth handler to request.
Fixes: #23804
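The commit message and the PR description above stop at "cached in memory for the auth handler to request". What that cache has to check before storing an SVID, and what the auth handler has to check when a peer presents one in a handshake, is the security-relevant part, so here is an added example of that validation and lookup logic. It is not Cilium's or SPIRE's code: the SPIRE client, the hive cell and the agent admin socket are out of scope, `SVIDCache`, `Put`, `Get`, `Verify`, `check` and the fixture PKI (`sign`, `newTestCA`, `issueSVID`) are hypothetical names, and the `example.org` trust domain with SPIFFE IDs under `/ns/default/sa/` is constructed test data. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"sync"
	"time"
)

// SVIDCache is a hypothetical in-memory store of X.509-SVIDs keyed by SPIFFE ID,
// standing in for the cache the PR describes: entries pushed by a SPIRE agent's
// Delegated Identity API and handed to the auth handler on request.
type SVIDCache struct {
	mu      sync.RWMutex
	bundle  *x509.CertPool // trust bundle (CA roots) of the trust domain
	entries map[string]*x509.Certificate
}

func NewSVIDCache(bundle *x509.CertPool) *SVIDCache {
	return &SVIDCache{bundle: bundle, entries: map[string]*x509.Certificate{}}
}

// check is the validation shared by Put and Verify: exactly one spiffe:// URI
// SAN and a chain to the bundle that is valid at time now. ExtKeyUsageAny is
// used because an SVID is presented on both the client and server side of mTLS.
func (c *SVIDCache) check(leaf *x509.Certificate, now time.Time) (string, error) {
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", errors.New("SVID must carry exactly one spiffe:// URI SAN")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: c.bundle, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return leaf.URIs[0].String(), err
}

// Put validates an SVID before caching it, so the auth handler is never served
// an unverifiable or already-expired certificate.
func (c *SVIDCache) Put(leaf *x509.Certificate, now time.Time) error {
	id, err := c.check(leaf, now)
	if err != nil {
		return fmt.Errorf("rejecting SVID: %w", err)
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[id] = leaf
	return nil
}

// Get returns a workload's cached SVID, refusing one that expired after being
// stored: a missed rotation must surface as a miss, not as a stale certificate.
func (c *SVIDCache) Get(id string, now time.Time) (*x509.Certificate, bool) {
	c.mu.RLock()
	defer c.mu.RUnlock()
	cert, ok := c.entries[id]
	if !ok || now.After(cert.NotAfter) {
		return nil, false
	}
	return cert, true
}

// Verify checks a peer's handshake certificate: a valid chain to the bundle and
// exactly the expected SPIFFE ID. Pinning the identity, not only the chain, is
// what stops any valid SVID in the trust domain from impersonating the peer.
func (c *SVIDCache) Verify(leaf *x509.Certificate, expectedID string, now time.Time) error {
	id, err := c.check(leaf, now)
	if err != nil {
		return err
	}
	if id != expectedID {
		return fmt.Errorf("peer presented %s, expected %s", id, expectedID)
	}
	return nil
}

// Constructed fixture PKI standing in for SPIRE's CA: sign issues tmpl under
// parent with a fresh P-256 key, self-signed when parentKey is nil.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // fixture code: only fails on a broken RNG
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

func newTestCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.org CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// issueSVID mints a constructed X.509-SVID with the given SPIFFE ID and lifetime.
func issueSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, id string, ttl time.Duration) *x509.Certificate {
	u, _ := url.Parse(id) // fixture ids are well-formed literals
	cert, _ := sign(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), URIs: []*url.URL{u},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return cert
}

func main() {
	ca, caKey := newTestCA()
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cache := NewSVIDCache(pool)
	svid := issueSVID(ca, caKey, "spiffe://example.org/ns/default/sa/frontend", time.Hour)
	fmt.Println("put:", cache.Put(svid, time.Now()), "| verify as backend:",
		cache.Verify(svid, "spiffe://example.org/ns/default/sa/backend", time.Now()))
}
```

Two checks matter beyond plain chain validation. The cache refuses to store or serve an expired SVID, so a missed rotation from the agent shows up as a miss rather than as a stale credential on the wire. And `Verify` pins the peer's SPIFFE ID: every workload in the trust domain holds a certificate that chains to the same bundle, so a chain check alone would let any of them stand in for any other.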