Spiffe Integration #17335
Folks, just sent a commit updating to the last version of Delegated Identity API. Also, this commit introduces the single watch approach: for each endpoint, one stream between Cilium and Spire is created to get X509-SVID updates.
@rscampos can you rebase against master? I assume this PR can be marked for review? If it's in draft, people will tend to ignore it unless it is marked as ready :-)
f849715 to 12ec574
Hello @aanm, I'm sorry for the delay... I did a rebase and organized all the commits in an easier way. I'll mark for review, feel free to ping me any time, tks :)
2e9bf88 to 09a70f1
I've been looking forward to this integration. Just curious if you have any estimate on when this could get merged?
Hey @aanm! I believe many of us are looking for this feature (as highlighted in the recent cilium blog post).
@thylong, regarding the initiative toward Spiffe integration, take a look at https://github.com/accuknox/cilium-spire-tutorials if you want to try it out. Maybe this could help to understand a little bit more about the integration.
Thanks for your insights @navarrothiago, definitely appreciated!
This pull request has been automatically marked as stale because it
It seems this PR hasn't seen activity in a while and picked up several merge conflicts in the meantime. I'll thus convert it to draft status. @navarrothiago/@rscampos please feel free to move it out of draft again once the conflicts are resolved and the PR is ready for review again.
This pull request has been automatically marked as stale because it
This pull request has not seen any activity since it was marked stale.
Is the Spiffe integration occurring anywhere else? Been looking forward to this going through.
Hey folks, what is missing for the integration here? Happy to figure out how to help and move this forward.
Let me put forward the status here based on what I know:
If anyone wants to take this forward, here would be the steps:
Even though some of the folks developing this PR have now moved on to do something else, I am hoping I should be able to check and pull some of them together in a discussion/call if anyone is interested in taking this forward.
What is this?
This PR contains the Cilium-SPIFFE integration that has been proposed in this design document. This PR covers the "Identity Generation Hardening" part of that proposal. We already have some prototypes of the "Upgrading connections to mTLS" part, but we prefer to start by discussing only the former to keep it more scoped.
How to test?
If you want to test it by yourself you can follow these steps. Otherwise you can watch this recorded demo.
`--enable-spiffe` flag to cilium-agent
TODO
ref #4016
old PR #16626
cc @nyrahul @jrajahalme @jrfastab @navarrothiago @mauriciovasquezbernal