Spire proposal/testing results doc #445
Conversation
jetstack-bot
added
release-note
|
|
||
| Use Spire within the Tarmak cluster to bolster the authentication of workload | ||
| identities, resulting in a more secure cluster. This could ultimately mean a | ||
| large or complete replacement of Vault and it's periphery tools, in favour of |
There was a problem hiding this comment.
Would it be possible to continue to use Vault (for its many other, noted, features) as an actual secret store, but use SPIFFE and Spire to provide attestation documents that can be used to authenticate with Vault? i.e. spiffe/spire replaces the init-tokens? Or is this not something that's possible/we want to explore?
There was a problem hiding this comment.
Yes exactly, think that could be a little better written^ !
I'm am concerned however about how much code we need to touch - if any - in the security path, given spire's maturity. Need to weigh whether it's worth adding the extra layer of complexity too.
|
|
||
| Avoiding writing our own plugins. This is better left to experts and if is | ||
| required, Spire should be dropped due to not being ready yet for our | ||
| requirements. |
There was a problem hiding this comment.
If you find that you need plugins which aren't already available, or run into any showstoppers otherwise, please let me know.
|
|
||
| Spire is not currently well built for HA and really only expects a single server | ||
| in cluster. PostgreSQL support for HA is quite poor from what I have found, | ||
| whilst also being the only supported "HA" backend. I was able to use a tool Patroni_ that |
There was a problem hiding this comment.
I think SPIRE has an easy path to MySQL support... if it helps, I can prioritize this. XtraDB provides a nice galera-enabled MySQL distribution that supports multi master.
jetstack-bot
added
the
needs-rebase
JoshVanL
force-pushed
the
436-spire-proposal-doc
branch
from
a1419a1
to
c9f6ced
Compare
jetstack-bot
removed
the
needs-rebase
jetstack-bot
added
the
dco-signoff: no
| on those instances to panic. Spire servers have to connect to the PostgreSQL | ||
| cluster master elected through Consul. | ||
|
|
||
| Spire uses Elliptic Curve keys which is odd and can be annoying. |
There was a problem hiding this comment.
Not too sure either provide more evidence or get rid of this sentence. There are good reasons IMHO for ECC (https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/)
|
/assign @JoshVanL I think james' comment is quite valid. Also the one about the ECC and last but not least DCO |
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
JoshVanL
force-pushed
the
436-spire-proposal-doc
branch
from
c9f6ced
to
5a54567
Compare
jetstack-bot
added
dco-signoff: yes
|
@JoshVanL: GitHub didn't allow me to assign the following users: sime. Note that only jetstack members and repo collaborators can be assigned. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/unassign |
|
Thanks @JoshVanL /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: simonswine The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
What this PR does / why we need it:
This adds a document detailing the feasibility of adding spire into the Tarmak cluster. It includes steps needed to achieve this and results of some testing.
fixes #436
/assign @simonswine