Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SPIRE bundle endpoint server should be configurable in terms of profile #2670

Closed
evan2645 opened this issue Jan 6, 2022 · 1 comment · Fixed by #4476
Closed

SPIRE bundle endpoint server should be configurable in terms of profile #2670

evan2645 opened this issue Jan 6, 2022 · 1 comment · Fixed by #4476
Labels
help wanted Issues with this label are ready to start work but are in need of someone to do it priority/backlog Issue is approved and in the backlog
Milestone
1.8.0

Comments

@evan2645
Copy link
Member

evan2645 commented Jan 6, 2022

When configuring federation in SPIRE Server, remote bundle endpoint servers are configured in terms of what profile they are using (i.e. https_web or https_spiffe). This is in contrast to SPIRE Server's bundle endpoint server, the configuration of which takes only address/port and an optional ACME config. If ACME is configured, the bundle endpoint server uses the https_web profile, and if not then it uses the https_spiffe profile.

This distinction isn't documented anywhere, and it is also confusing to users who now have to choose a "profile" when they didn't have to originally. Instead, SPIRE Server's bundle endpoint server should be configurable in terms of profile the same way that the client is, and the ACME configurables should simply be a part of the https_web profile configuration.

Propose then implement a new configuration shape for the bundle endpoint server that is more closely aligned with the client configuration and the specification terminology
@rturner3 rturner3 added help wanted Issues with this label are ready to start work but are in need of someone to do it priority/backlog Issue is approved and in the backlog unscoped The issue needs more design or understanding in order for the work to progress labels May 22, 2023
@rturner3 rturner3 added this to the 1.7.0 milestone May 22, 2023
@MarcosDY MarcosDY modified the milestones: 1.7.0, 1.7.1 Jun 6, 2023
@rturner3 rturner3 modified the milestones: 1.7.1, 1.7.2 Jul 6, 2023
@rturner3 rturner3 modified the milestones: 1.7.2, 1.8.0 Aug 8, 2023
@evan2645
Copy link
Member Author

Here is the current configuration shape for the bundle endpoint server

server {
    .
    .
    .
    federation {
        bundle_endpoint {
            address = "0.0.0.0"
            port = 8443
            acme {
                domain_name = "example.org"
                email = "mail@example.org"
            }
            refresh_hint = "10m"
        }
    }
}

Here is the proposed shape that better aligns with the spec, and with the federates_with configuration stanzas:

server {
    .
    .
    .
    federation {
        bundle_endpoint {
            address = "0.0.0.0"
            port = 8443
            refresh_hint = "10m"

            profile "https_web" {
                acme {
                    domain_name = "example.org"
                    email = "mail@example.org"
                }

                static_serving_cert_path = "/path/to/cert.crt"
                static_serving_cert_key_path = "/path/to/cert.key"
            }

            profile "https_spiffe" {}
        }
    }
}

Where only one profile block can be specified, and either acme or (static_serving_cert_path and static_serving_cert_key_path) are required if https_web profile is selected.

Support for static_serving_cert_path and friends is not currently implemented, and is not required to be implemented for the purpose of this issue, but I wanted to illustrate where it would land with the new config shape since we're likely to take that as a feature at some point in the future.

Back compat

To migrate, we allow either a single profile to be specified, acme to be specified, or nothing to be specified. All three conditions are mutually exclusive. If acme is specified, it implies profile "https_web" with the provided acme config block. If nothing is specified, it implies profile "https_spiffe".

Whenever a profile is not specified and we imply its existence through back compat config, we should log a warning and guide the user to configure the correct profile.

@evan2645 evan2645 removed the unscoped The issue needs more design or understanding in order for the work to progress label Aug 24, 2023
@evan2645 evan2645 removed their assignment Aug 24, 2023
@MarcosDY MarcosDY mentioned this issue Sep 4, 2023
Merged
@kfox1111 kfox1111 mentioned this issue Sep 20, 2023
Open
@kfox1111 kfox1111 mentioned this issue Oct 9, 2023
Closed
@faisal-memon faisal-memon mentioned this issue Oct 17, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Issues with this label are ready to start work but are in need of someone to do it priority/backlog Issue is approved and in the backlog
Projects
None yet
Milestone
1.8.0
Development

Successfully merging a pull request may close this issue.

Add profile configuration to bundle endpoint MarcosDY/spire
3 participants
@evan2645 @MarcosDY @rturner3