auth: implement re-authentication in case of rotated certificates #25927
Conversation

Review comment on these lines of the PR:

```go
func handleAuthentication(a *authManager, k authKey, reAuth bool) {
	if a.markPendingAuth(k) {
		go func(key authKey) {
```
Kind of wonder whether we really want to keep a dedicated go-routine for every (re-)authentication request.
I tend toward an implementation with a worker pool which is working on the auth requests. This would be easier to test and prevent the manager from overloading the authhandlers (e.g. SPIRE).
But keeping it as is for the context of this PR.
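The worker-pool variant the comment above proposes, written here as an added example rather than code from the PR or from Cilium: a bounded pool of workers drains a queue of authentication requests, the `pending` set implements the same deduplication the PR's `markPendingAuth` performs, and a certificate rotation re-queues every authenticated entry that involves the rotated identity. The `authKey` shape, the handler signature, `onCertificateRotated` and the `authed` map (a stand-in for the auth map) are assumptions made for this example; the handler is a constructed stand-in for SPIRE.

```go
package main

import (
	"sync"
	"sync/atomic"
	"time"
)

// authKey identifies one identity pair (shape assumed here, not Cilium's struct).
type authKey struct{ local, remote uint32 }

// authManager feeds a fixed worker pool instead of spawning one goroutine per request: calls
// into the handler (e.g. SPIRE) are capped by the pool size, the bounded queue gives
// back-pressure, and a key that is already pending is not queued a second time.
type authManager struct {
	handler  func(authKey) error
	queue    chan authKey
	mu       sync.Mutex
	pending  map[authKey]struct{}
	authed   map[authKey]time.Time // stand-in for the auth map: last successful auth
	inflight sync.WaitGroup        // accepted requests not yet finished
}

// handleAuthentication queues k unless already pending (the PR's markPendingAuth check).
func (a *authManager) handleAuthentication(k authKey) bool {
	a.mu.Lock()
	_, dup := a.pending[k]
	a.pending[k] = struct{}{} // no-op when already present
	a.mu.Unlock()
	if dup {
		return false
	}
	a.inflight.Add(1)
	a.queue <- k // blocks while the queue is full: back-pressure on the producer
	return true
}

// onCertificateRotated is the CertificateRotatedEvent path: every authenticated
// entry involving the rotated identity is queued again; returns how many matched.
func (a *authManager) onCertificateRotated(identity uint32) int {
	a.mu.Lock()
	var keys []authKey
	for k := range a.authed {
		if k.local == identity || k.remote == identity {
			keys = append(keys, k)
		}
	}
	a.mu.Unlock() // queue outside the lock: workers need it to finish
	for _, k := range keys {
		a.handleAuthentication(k)
	}
	return len(keys)
}

// start launches the pool; a failed auth clears the pending mark but adds no entry.
func (a *authManager) start(workers int) {
	for i := 0; i < workers; i++ {
		go func() {
			for k := range a.queue {
				err := a.handler(k)
				a.mu.Lock()
				if err == nil {
					a.authed[k] = time.Now()
				}
				delete(a.pending, k)
				a.mu.Unlock()
				a.inflight.Done()
			}
		}()
	}
}

// runDemo queues 50 constructed identity pairs twice each before the workers start
// (the duplicate must be dropped), then rotates identity 2000, the remote identity of
// 10 pairs. Returns entries re-authenticated, handler calls, and whether the handler
// ever ran more than `workers` authentications at once.
func runDemo(workers int) (reauthed, calls int, overCap bool) {
	var nCalls, inFlight, exceeded int32
	handler := func(authKey) error { // constructed stand-in for SPIRE
		atomic.AddInt32(&nCalls, 1)
		if atomic.AddInt32(&inFlight, 1) > int32(workers) {
			atomic.StoreInt32(&exceeded, 1) // pool bound violated
		}
		time.Sleep(2 * time.Millisecond) // simulated round trip
		atomic.AddInt32(&inFlight, -1)
		return nil
	}
	m := &authManager{handler: handler, queue: make(chan authKey, 128),
		pending: map[authKey]struct{}{}, authed: map[authKey]time.Time{}}
	for i := uint32(0); i < 50; i++ {
		k := authKey{local: 1000 + i, remote: 2000 + i%5}
		m.handleAuthentication(k)
		m.handleAuthentication(k) // duplicate while still pending: dropped
	}
	m.start(workers)
	m.inflight.Wait() // all 50 done, none pending
	reauthed = m.onCertificateRotated(2000)
	m.inflight.Wait()
	close(m.queue) // idle workers exit
	return reauthed, int(atomic.LoadInt32(&nCalls)), atomic.LoadInt32(&exceeded) == 1
}
```

`runDemo(4)` yields 10 re-authentications and 60 handler calls in total (50 deduplicated first-time requests plus 10 triggered by the rotation), with no more than four in flight at any moment; the same 60 calls with `runDemo(1)` show that the pool size, not the number of events, decides how hard the handler is hit.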
This commit refactors the authentication triggered by the signal map to use the hive job framework.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

This commit introduces mutual auth re-authentication. Whenever an authhandler is emitting CertificateRotatedEvents, an authentication will be triggered.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
9c18657 to 2fdb7fe
LGTM, looks like a clean approach :)
A worker pool would be a good improvement for drop-in deployments of SPIRE, where it would immediately create SPIRE IDs at the same time so they all get the same renewal schedule. However, it could also be a good follow-up PR imo.
/test

Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:

Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/500/

If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue.
This commit adds back the stream package import, which appears to be missing due to a merge race between cilium#25927 and cilium#25934.

Fixes: eb653b6 ("auth: use Resource.Observe for jobs")
Fixes: ebb6fc3 ("auth: implement re-authentication in case of rotated certificates")

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Until now, auth map entries were garbage collected based on the following criteria:
* related identity has been deleted
* related node has been deleted
* entry has expired

The initial goal was that expiration would cover the case where a policy is no longer enforcing authentication. But the introduction of re-authentication (cilium#25927) changed this, because the entries would have re-authenticated "forever" (until the identity or node had been deleted). Therefore, this commit introduces some rudimentary garbage collection based on policies by periodically checking whether a policy is still enforcing authentication between two identities. If not, the auth map entry gets deleted.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
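The policy-based garbage collection described in the commit message above, as an added example that is not Cilium's code: the collector applies the three existing criteria (identity deleted, node deleted, entry expired) and then the new one (no policy still requires authentication between the two identities), which is the only check that can remove an entry that re-authentication keeps refreshing. The `authKey` and `authInfo` shapes, the `gcInputs` lookups and the sample auth map are assumptions constructed for this example.

```go
package main

import "time"

// authKey and authInfo mirror the shape of an auth map entry; the field names
// are assumptions for this example, not Cilium's structs.
type authKey struct {
	localIdentity, remoteIdentity uint32
	remoteNodeID                  uint16
}
type authInfo struct{ expiration time.Time }

// gcInputs holds the lookups the collector consults, supplied by the caller so
// the logic runs without a datapath or policy repository.
type gcInputs struct {
	now                time.Time
	identityExists     func(id uint32) bool
	nodeExists         func(nodeID uint16) bool
	policyRequiresAuth func(local, remote uint32) bool
}

type gcReason string

// gcAuthMap applies the four criteria from the commit message in order and
// deletes matching entries from authMap in place, returning each removed key
// with its reason. The policy check is what catches entries that
// re-authentication would otherwise keep alive forever.
func gcAuthMap(authMap map[authKey]authInfo, in gcInputs) map[authKey]gcReason {
	removed := map[authKey]gcReason{}
	for k, info := range authMap {
		var reason gcReason
		switch {
		case !in.identityExists(k.localIdentity) || !in.identityExists(k.remoteIdentity):
			reason = "identity deleted"
		case !in.nodeExists(k.remoteNodeID):
			reason = "node deleted"
		case !info.expiration.After(in.now):
			reason = "expired"
		case !in.policyRequiresAuth(k.localIdentity, k.remoteIdentity):
			reason = "policy no longer requires authentication"
		default:
			continue
		}
		delete(authMap, k) // deleting during range is safe in Go
		removed[k] = reason
	}
	return removed
}

// sampleGC runs the collector over a constructed auth map: entry a is still
// covered by policy; b's policy was removed; c's remote identity is gone; d was
// never re-authenticated and expired. Returns the entries left and those removed.
func sampleGC() (remaining int, removed map[authKey]gcReason) {
	now := time.Date(2023, 6, 1, 12, 0, 0, 0, time.UTC)
	a, b := authKey{1, 2, 1}, authKey{1, 3, 1}
	c, d := authKey{1, 4, 2}, authKey{5, 2, 1}
	authMap := map[authKey]authInfo{
		a: {now.Add(time.Hour)}, b: {now.Add(time.Hour)},
		c: {now.Add(time.Hour)}, d: {now.Add(-time.Minute)},
	}
	live := map[uint32]bool{1: true, 2: true, 3: true, 5: true} // identity 4 deleted
	policy := map[[2]uint32]bool{{1, 2}: true, {5, 2}: true}    // 1->3 no longer enforced
	removed = gcAuthMap(authMap, gcInputs{
		now:                now,
		identityExists:     func(id uint32) bool { return live[id] },
		nodeExists:         func(n uint16) bool { return n == 1 || n == 2 },
		policyRequiresAuth: func(l, r uint32) bool { return policy[[2]uint32{l, r}] },
	})
	return len(authMap), removed
}
```

Note the ordering: entry b is not expired and both of its identities still exist, so without the policy criterion it would survive every collection cycle while re-authentication keeps extending its expiration; `sampleGC` leaves exactly one entry (a) and reports the other three with their reasons.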
This PR introduces mutual auth re-authentication. Whenever an authhandler is emitting CertificateRotatedEvents, an authentication will be triggered.
In addition, the existing authentication flow has been refactored to use the hive job framework.
Fixes #25475