Use SPIFFE ID for validation if enabled on current issuing and validating MRC certificate #5160
Conversation
I've opened this so I can get feedback on this approach. I considered enlightening the
@@ -183,7 +183,7 @@ func (mc *MeshCatalog) getRoutingRulesFromTrafficTarget(trafficTarget access.Tra | |||
trustDomain := mc.GetTrustDomain() | |||
allowedDownstreamPrincipals := mapset.NewSet() | |||
for _, source := range trafficTarget.Spec.Sources { | |||
allowedDownstreamPrincipals.Add(trafficTargetIdentityToSvcAccount(source).AsPrincipal(trustDomain)) | |||
allowedDownstreamPrincipals.Add(trafficTargetIdentityToSvcAccount(source).AsPrincipal(trustDomain, mc.SpiffEnabled())) |
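Review bot: passing `mc.SpiffEnabled()` into `AsPrincipal` here makes the mesh catalog's routing-rule output depend on the SPIFFE toggle, so every caller of getRoutingRulesFromTrafficTarget now receives principals in whichever format is currently enabled rather than plain OSM identities. Consider keeping the catalog on service-account identities and doing the SPIFFE expansion where the RBAC policy is assembled, and add a test that exercises both values of `mc.SpiffEnabled()` so a flip of the flag cannot leave the allowed-principal set and the SAN actually present in the client certificate disagreeing, which would either reject legitimate downstreams or silently widen the match.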
I think expanding the principal in the mesh catalog isn't right here. This would be better done in the XDS builders, as it is done for other XDS endpoints. This would keep the mesh catalog knowing about the OSM identities only, which is how it is done for the rest of the functions in the catalog. I will create an issue before merging to track this enhancement if agreed.
on hold until #5193 merges
pkg/certificate/manager.go
Outdated
// Note that the CRD uses a default, so this value will always be set. | ||
// It is up to the caller to determine if the signing and validating trust domains are different | ||
func (m *Manager) GetTrustDomains() TrustDomain { | ||
func (m *Manager) GetIssuers() IssuerInfo { |
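Review bot: the doc comment above the renamed function still describes trust domains ("It is up to the caller to determine if the signing and validating trust domains are different") while the signature now returns `IssuerInfo` from `GetIssuers()`; update the comment to say what `IssuerInfo` carries and which field "this value will always be set" refers to, so readers of the certificate manager are not pointed at a type and a concept the function no longer exposes.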
I kept this as a struct since it keeps it on the stack vs allocating a list in the heap based on #5193 (comment)
@openservicemesh/osm-maintainers this is ready for review 🚀
Signed-off-by: James Sturtevant <jstur@microsoft.com>
rebased on all the latest changes
Signed-off-by: James Sturtevant jstur@microsoft.com
Description:
This builds on #5131 which added the SPIFFE ID into the certificates. Now that the SPIFFE ID is present we can use it to make routing and validation decisions.
Todo:
Fixes: #5025, #5026
Testing done:
Affected area:
Please answer the following questions with yes/no.
Does this change contain code from or inspired by another project?
no
Is this a breaking change?
no
Has documentation corresponding to this change been updated in the osm-docs repo (if applicable)?
no
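The description says the SPIFFE ID in the certificate can now drive routing and validation decisions. The following is an added, stand-alone example (not OSM's code and not the code in this PR) of what such a decision looks like end to end: expanding TrafficTarget-style sources into an allowed-principal set in either the legacy or the SPIFFE format, then checking a presented client certificate against that set. The `Source` struct, the legacy principal layout `<sa>.<ns>.<trustDomain>`, and the SPIFFE layout `spiffe://<trustDomain>/ns/<ns>/sa/<sa>` are assumptions for illustration, not OSM's exact formats; the self-signed certificate is constructed inline so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Source holds the two fields of a TrafficTarget source this example needs (hypothetical struct).
type Source struct {
	Name      string // service account name
	Namespace string
}

// LegacyPrincipal is the assumed pre-SPIFFE principal form: <sa>.<ns>.<trustDomain>.
func LegacyPrincipal(trustDomain string, s Source) string {
	return fmt.Sprintf("%s.%s.%s", s.Name, s.Namespace, trustDomain)
}

// SpiffeID builds spiffe://<trustDomain>/ns/<ns>/sa/<sa> (assumed layout, not necessarily OSM's).
func SpiffeID(trustDomain string, s Source) string {
	return fmt.Sprintf("spiffe://%s/ns/%s/sa/%s", trustDomain, s.Namespace, s.Name)
}

// AllowedPrincipals expands sources into the strings an RBAC policy would match on.
// The format is chosen once, by spiffeEnabled, so it must agree with PeerPrincipal below.
func AllowedPrincipals(trustDomain string, sources []Source, spiffeEnabled bool) map[string]bool {
	allowed := make(map[string]bool, len(sources))
	for _, s := range sources {
		if spiffeEnabled {
			allowed[SpiffeID(trustDomain, s)] = true
		} else {
			allowed[LegacyPrincipal(trustDomain, s)] = true
		}
	}
	return allowed
}

// PeerPrincipal extracts the identity to authorize from a presented client certificate:
// in SPIFFE mode exactly one spiffe:// URI SAN is required; otherwise the legacy CN is used.
func PeerPrincipal(cert *x509.Certificate, spiffeEnabled bool) (string, error) {
	if !spiffeEnabled {
		if cert.Subject.CommonName == "" {
			return "", errors.New("certificate has no CommonName")
		}
		return cert.Subject.CommonName, nil
	}
	var ids []string
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u.String())
		}
	}
	if len(ids) != 1 {
		return "", fmt.Errorf("expected exactly one spiffe:// URI SAN, found %d", len(ids))
	}
	return ids[0], nil
}

// Authorize is the validation decision: the peer's principal must be in the allowed set.
func Authorize(cert *x509.Certificate, allowed map[string]bool, spiffeEnabled bool) error {
	p, err := PeerPrincipal(cert, spiffeEnabled)
	if err != nil {
		return err
	}
	if !allowed[p] {
		return fmt.Errorf("principal %q not allowed", p)
	}
	return nil
}

// NewClientCert issues a short-lived self-signed certificate carrying both identity forms.
// Constructed for this example only; a mesh would sign with its issuing CA instead.
func NewClientCert(trustDomain string, s Source) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	uri, err := url.Parse(SpiffeID(trustDomain, s))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: LegacyPrincipal(trustDomain, s)},
		URIs:         []*url.URL{uri},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	td := "cluster.local"
	buyer := Source{Name: "bookbuyer", Namespace: "bookbuyer"}
	allowed := AllowedPrincipals(td, []Source{buyer}, true)
	cert, err := NewClientCert(td, buyer)
	if err != nil {
		panic(err)
	}
	fmt.Println("bookbuyer:", Authorize(cert, allowed, true))
	thief, _ := NewClientCert(td, Source{Name: "bookthief", Namespace: "bookthief"})
	fmt.Println("bookthief:", Authorize(thief, allowed, true))
}
```

The last check worth keeping in mind from this example is the mode mismatch: an allowed set built in SPIFFE format evaluated against a certificate read in legacy mode (or the reverse) fails closed for every peer, which is what a toggle that is read in two different places can produce.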