Spire proposal/testing results doc #445
Awesome write-up 😄
I've not done a proper review, but just added that one comment (plus wanted to +1 the write-up!)
Use Spire within the Tarmak cluster to bolster the authentication of workload
identities, resulting in a more secure cluster. This could ultimately mean a
large or complete replacement of Vault and it's periphery tools, in favour of
Would it be possible to continue to use Vault (for its many other, noted, features) as an actual secret store, but use SPIFFE and Spire to provide attestation documents that can be used to authenticate with Vault? i.e. spiffe/spire replaces the init-tokens? Or is this not something that's possible/we want to explore?
Yes exactly, I think that could be written a little better ^!
I'm concerned however about how much code we need to touch - if any - in the security path, given Spire's maturity. Need to weigh whether it's worth adding the extra layer of complexity too.
Avoiding writing our own plugins. This is better left to experts and if is
required, Spire should be dropped due to not being ready yet for our
requirements.
If you find that you need plugins which aren't already available, or run into any showstoppers otherwise, please let me know.
Spire is not currently well built for HA and really only expects a single server
in cluster. PostgreSQL support for HA is quite poor from what I have found,
whilst also being the only supported "HA" backend. I was able to use a tool Patroni_ that
I think SPIRE has an easy path to MySQL support... if it helps, I can prioritize this. XtraDB provides a nice galera-enabled MySQL distribution that supports multi master.
on those instances to panic. Spire servers have to connect to the PostgreSQL
cluster master elected through Consul.

Spire uses Elliptic Curve keys which is odd and can be annoying.
Not too sure; either provide more evidence or get rid of this sentence. There are good reasons IMHO for ECC (https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/)
/assign @JoshVanL I think James' comment is quite valid. Also the one about the ECC, and last but not least DCO.
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL: GitHub didn't allow me to assign the following users: sime. Note that only jetstack members and repo collaborators can be assigned. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/unassign
Thanks @JoshVanL /approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: simonswine The full list of commands accepted by this bot can be found here. The pull request process is described here
What this PR does / why we need it:
This adds a document detailing the feasibility of adding spire into the Tarmak cluster. It includes steps needed to achieve this and results of some testing.
fixes #436
/assign @simonswine