Make server's AWS node attestor plugin subsume AWS node resolver plugin #1705
Conversation
… of the functionality provided by the server's aws node resolver plugin. Signed-off-by: martincapello <m.a.capello@gmail.com>
Thanks @martincapello for this, it is looking great!
I think that we need to update https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_aws_iid.md to reflect that the node attestor now discovers the selectors.
With the attestor plugin now returning the selectors also provided by the resolver, I wonder if the node resolver should be deprecated. We could do this in a few ways:
Signed-off-by: Martin Capello <martin@macbook.local>
Happy to make any change needed once the code owners give me green light.
@azdagron I'm not sure if I understand the semantics of 1. Specifically I'm not sure what "gut the resolver functionality" means in this context. Just wanted to make sure that we don't break any compatibility guarantees.
The node resolver is more or less tightly coupled with the node attestor. Meaning that if When I said "gut the resolver functionality", I meant to remove all of the internals of the resolver, essentially turning it into a no-op. The However, if we don't want to risk it, we can keep the resolver as-is and just make sure that the attest code dedups selectors (I don't think it does right now). It does mean that we're now doing 2x the API calls against AWS, which may impact cost (I don't recall how AWS does pricing here). We'd still want to log a warning saying that the resolver will be removed in the future.
Thanks for the detailed explanation. IMO #1 provides a cleaner solution and I do agree that chances to break an external
Ok then, can I go ahead and deprecate the node resolver as proposed in the #1 alternative?
+1 to removing the aws node resolver behavior but logging a warning to users.
I'll start working on the changes.
Moved code that wasn't common any longer. Signed-off-by: martincapello <m.a.capello@gmail.com>
Signed-off-by: martincapello <m.a.capello@gmail.com>
Note that I refactored the code again because there was code that wasn't common any longer. This also allowed reducing the amount of exported things.
Looking pretty good. Are there more test cases we can remove (or move over to the attestor tests) from the resolver tests? I noticed there are some Configure tests that are no longer relevant.
return nil, iidError.New("failed to get client: %w", err)
}

resp, err := client.DescribeInstancesWithContext(ctx, &ec2.DescribeInstancesInput{
This call may have already happened during the Attest call (albeit with different filters). I think we should refactor the code to always call DescribeInstancesWithContext during the Attest call (instead of conditionally), using these filters, since we're going to need it to build the selector list anyway.
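The two points raised in this thread (build the selector list from a single DescribeInstances result made during Attest, and dedup selectors so a still-configured resolver cannot produce duplicates) are shown below as an added example; it is not SPIRE's code or the AWS SDK. The Instance and SecurityGroup types are constructed stand-ins for the ec2.Instance fields involved, and the selector formats (tag, sg:id, sg:name, iamrole) follow the aws_iid plugin doc linked above.

```go
package main
import "sort"
// Instance is a constructed stand-in for the ec2.Instance fields the attestor uses (assumption, not the SDK type).
type Instance struct {
	Tags           map[string]string
	SecurityGroups []SecurityGroup
	IAMRoleARN     string // empty when no instance profile is attached
}
type SecurityGroup struct{ ID, Name string }
// selectorsFromInstance derives selectors from one DescribeInstances result,
// so Attest needs a single API call. Formats follow the aws_iid plugin doc.
func selectorsFromInstance(inst Instance) []string {
	var sels []string
	for k, v := range inst.Tags {
		sels = append(sels, "tag:"+k+":"+v)
	}
	for _, sg := range inst.SecurityGroups {
		sels = append(sels, "sg:id:"+sg.ID, "sg:name:"+sg.Name)
	}
	if inst.IAMRoleARN != "" {
		sels = append(sels, "iamrole:"+inst.IAMRoleARN)
	}
	return dedupSelectors(sels)
}

// dedupSelectors drops exact duplicates (e.g. a selector emitted by both the
// attestor and a still-configured resolver) and sorts for deterministic output.
func dedupSelectors(sels []string) []string {
	seen := make(map[string]struct{}, len(sels))
	out := make([]string, 0, len(sels))
	for _, s := range sels {
		if _, dup := seen[s]; dup {
			continue
		}
		seen[s] = struct{}{}
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample input; real input would come from DescribeInstancesWithContext.
	inst := Instance{Tags: map[string]string{"Name": "web-1"}, IAMRoleARN: "arn:aws:iam::123456789012:role/web",
		SecurityGroups: []SecurityGroup{{"sg-0123", "web"}}}
	for _, s := range selectorsFromInstance(inst) {
		println(s)
	}
}
```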
Forgot to remove node resolver tests, doing it now...
Signed-off-by: martincapello <m.a.capello@gmail.com>
I've manually verified this all still works in AWS. I'm good with this change.
Thanks again, @martincapello !
Pull Request check list
Affected functionality
SPIRE Server's AWS node attestor and node resolver plugins.
Description of change
1) Refactors the code of the aforementioned plugins, moving common functionality to the pkg/common/plugin/aws package.
2) Adds agent selector resolution to the AWS node attestor plugin.
3) Deprecates the AWS node resolver plugin by making it return an empty response and log a warning when configured.
4) Re-refactors to move code that wasn't common any longer.
Which issue this PR fixes
Fixes #683 (comment)