Stopgap solution to ID token for outbound requests #25
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements a stopgap solution to adding DAPS ID token headers to requests originating from Orion and directed to a remote IDS connector outside the mesh.
Functionality overview
When Orion sends an HTTP request to a remote IDS connector (typically to notify of entity updates), a DAPS ID token needs to be added to the outgoing request so that the remote connector can identify the sender. This PR implements exactly that. We get the token from a configured DAPS service through mTLS, insert it in an IDS JSON "result message", Base64-encode the JSON, and add a header to the request. The header's name is
header
and its value is the Base64 block.Does it ring a bell? Well, that's pretty much what we did already for Orion HTTP responses to requests from a remote client (a.k.a. consumer) connector. In fact, we're supposed to add the IDS ID header identifying Orion to both responses to consumer connectors (PR #16) and requests to server (a.k.a. provider) connectors, which is what this PR does.
Implementation overview
Having the ID token implementation for responses (PR #16), you'd think we should've been able to just reuse it as is and plonk the ID token in Orion requests by dint of Istio config. While that was the plan, it didn't pan out---see #24. As a workaround, this PR implements:
The HTTP endpoint reuses PR #16's
GenerateToken
function to get an ID token from DAPS and produce the output Base64 block. Notice though that to do that, the HTTP endpoint has to be able to get hold of Istio adapter config data. Where does it get it from? Well, the Mixer always calls the adapter's gRPC endpoint with the current config, so on getting that data, the adapter caches it in memory so that it'll be available to any subsequent call to the HTTP endpoint.Shortcomings
kubeclt apply -f new-istio-cfg.yaml
), they should also make a dummy call to Orion straight afterwards (e.g.GET /v2
) so that the Mixer calls the adapter with the new config. Otherwise later calls to the HTTP endpoint may fail due to a stale cache.See #24 for what to do about these sore points.