Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Service Mesh mTLS: DelegatedIdentity SPIFFE API #23968

Merged
merged 3 commits into from Mar 8, 2023
Merged

Service Mesh mTLS: DelegatedIdentity SPIFFE API #23968

merged 3 commits into from Mar 8, 2023

Conversation

meyskens
Copy link
Member

@meyskens meyskens commented Feb 23, 2023
edited

This adds an implementation of the Delegate API of a SPIRE server
as a source for certificates to be used in an mTLS handhake.

It will connect to the admin socket of a SPIRE agent where it will
be able to get the certificates and keys in name of all Cilium
workloads which are receiving an SVID from the controller.
This is then cached in memory for the auth handler to request.

Fixes: #23804

Add a SPIRE delegate API client to receive SPIFFE certificates for mTLS

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 23, 2023
@meyskens meyskens added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Mar 2, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 2, 2023
@meyskens meyskens added area/servicemesh GH issues or PRs regarding servicemesh kind/feature This introduces new functionality. labels Mar 2, 2023
@meyskens meyskens force-pushed the meyskens/spiffe-delegate branch 4 times, most recently from 4066f28 to 54b31e1 Compare March 2, 2023 15:25
@maintainer-s-little-helper
Copy link

Commit 7d01bce2ac646eb44599d1b3e1d7200b7b39d00b does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Mar 2, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Mar 2, 2023
@meyskens meyskens changed the title [Very WIP] Service Mesh mTLS: DelegatedIdentity SPIFFE API Service Mesh mTLS: DelegatedIdentity SPIFFE API Mar 2, 2023
@meyskens meyskens marked this pull request as ready for review March 2, 2023 15:38
@meyskens meyskens requested review from a team as code owners March 2, 2023 15:38
youngnick
youngnick approved these changes Mar 3, 2023
View reviewed changes
Copy link
Contributor

@youngnick youngnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with one question and a couple of spelling nits.

Nice work!

pkg/auth/certs/provider.go Outdated Show resolved Hide resolved
pkg/auth/spire/delegate.go Outdated Show resolved Hide resolved
pkg/auth/spire/delegate.go Outdated Show resolved Hide resolved
mhofstetter
mhofstetter requested changes Mar 6, 2023
View reviewed changes
pkg/auth/spire/delegate.go Outdated Show resolved Hide resolved
pkg/auth/spire/delegate.go Outdated Show resolved Hide resolved
@meyskens
Define a CertificateProvider interface
d1e05d7 
This adds an interface for a hive cell to use that provides the
auth package with a way to receive and verify validity of certificates involved.

Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
@meyskens
Vendor in SPIFFE/SPIRE SDK
e462fe7 
This adds a dependency on the SPIFFE/SPIRE SDK to be used in the
mTLS handling code.

Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
@meyskens
Add Spire delegate API as CertificateProvider
d25041f 
This adds an implementation of the Delegate API of a SPIRE server
as a source for certificates to be used in an mTLS handhake.

It will connect to the admin socket of a SPIRE agent where it will
be able to get the certificates and keys in name of all Cilium
workloads which are receiving an SVID from the controller.
This is then cached in memory for the auth handler to request.

Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
@meyskens
Copy link
Member Author

meyskens commented Mar 7, 2023

/test

@meyskens
Copy link
Member Author

meyskens commented Mar 7, 2023

One CI fail in Travis but does not seem related to this PR (the code path is not yet active so would be weird)

sayboras
sayboras approved these changes Mar 8, 2023
View reviewed changes
Copy link
Member

@sayboras sayboras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM from vendor team ✔️

@sayboras sayboras merged commit ab5ea83 into cilium:master Mar 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mhofstetter mhofstetter mhofstetter approved these changes

@sayboras sayboras sayboras approved these changes

@youngnick youngnick youngnick approved these changes

Assignees
No one assigned
Labels
area/servicemesh GH issues or PRs regarding servicemesh kind/feature This introduces new functionality. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Cilium Agent support for DelegatedIdentity SPIFFE API
4 participants
@meyskens @mhofstetter @sayboras @youngnick