
Merge Azure MSI Node Resolver into Attestor #3272

Merged
merged 6 commits into from
Aug 1, 2022

Conversation

azdagron
Member

@azdagron azdagron commented Jul 25, 2022

This PR merges the selector gathering functionality from the Azure MSI NodeResolver into the NodeAttestor in preparation for the removal of the NodeResolver in 1.5.0.

There are two supported cases:

  1. Node Attestor is configured like it is today. This will continue to work but will emit a warning that no selectors will be produced and that this will be an error in a future release.
  2. Node Attestor configured with required creds for resolution. This should produce selectors identical to today's Node Resolver.

If the Node Resolver is configured, deprecation warnings will be emitted. If both the NodeAttestor and NodeResolver produce selectors, they will be merged without duplication.

There is one small change to the configuration of the NodeAttestor as it existed in the NodeResolver plugin. The use_msi configurable has now been moved into the per-tenant configuration. Since each tenant must be specified anyway (a departure from the NodeResolver), and the MSI credentials will only work with at most one tenant, it made sense to configure which tenant should authenticate with the MSI token.

Signed-off-by: Andrew Harding <aharding@vmware.com>
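As an added illustration (not SPIRE's code, and not part of this PR), the following hypothetical Go sketch captures the two rules the description and the review discuss: per-tenant credential validation (MSI and app credentials together is a misconfiguration, MSI fits at most one tenant, no credentials yields a warning instead of selectors) and the duplicate-free merge of attestor and resolver selectors. TenantConfig, validateTenants and mergeSelectors are invented names.

```go
package main

import (
	"fmt"
	"sort"
)

// TenantConfig is a hypothetical per-tenant block (use_msi now lives per
// tenant); it is not SPIRE's real configuration struct.
type TenantConfig struct {
	ID     string
	UseMSI bool
	AppID  string // app (client-credential) authentication, when set
}

// validateTenants applies the rules discussed in the PR: MSI plus app creds on
// one tenant is a misconfiguration, MSI fits at most one tenant, and a tenant
// with no credentials is accepted with a warning (no selectors for its nodes).
func validateTenants(tenants []TenantConfig) ([]string, error) {
	var warnings []string
	msiTenants := 0
	for _, t := range tenants {
		switch {
		case t.UseMSI && t.AppID != "":
			return nil, fmt.Errorf("tenant %q: use_msi cannot be combined with app credentials", t.ID)
		case t.UseMSI:
			msiTenants++
		case t.AppID == "":
			warnings = append(warnings, fmt.Sprintf("tenant %q: no credentials; selectors will not be produced", t.ID))
		}
	}
	if msiTenants > 1 {
		return nil, fmt.Errorf("use_msi is set on %d tenants; at most one is allowed", msiTenants)
	}
	return warnings, nil
}

// mergeSelectors unions attestor and resolver selectors without duplicates and
// sorts them so the result does not depend on which side produced one first.
func mergeSelectors(attestor, resolver []string) []string {
	seen, out := map[string]bool{}, []string(nil)
	for _, s := range append(append([]string(nil), attestor...), resolver...) {
		if !seen[s] {
			seen[s], out = true, append(out, s)
		}
	}
	sort.Strings(out)
	return out
}
```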
@azdagron azdagron added this to the 1.4.0 milestone Jul 25, 2022
@azdagron azdagron marked this pull request as draft July 25, 2022 20:36
@azdagron azdagron marked this pull request as ready for review July 29, 2022 15:45
@azdagron
Member Author

Many thanks to the folks from UFCG (@SilvaMatteus, Fernando, Eduardo and Anderson) for testing these changes!

Member

@amartinezfayo amartinezfayo left a comment


This looks great, thanks @azdagron!
I only have some small suggestions. Could we also update server_full.conf with a note in the NodeResolver azure_msi sample indicating that it has been deprecated?

doc/plugin_server_noderesolver_azure_msi.md
pkg/server/plugin/nodeattestor/azuremsi/msi.go
// If credentials are not configured and selectors won't be gathered.
// TODO: make this an error condition in a future release
if client == nil {
	p.log.Warn("No client credentials available for tenant. Selectors will not be produced by the node attestor for this node. This will be an error in a future release.",
Member


Not a blocker, but I think that it would be great to have this covered in the tests. Other misconfigurations like the use of both MSI and app authentication could also gain more coverage.

Member Author


Good call. I've expanded coverage to test that in the absence of creds:

  1. This warning gets logged
  2. Attestation still succeeds

I also added the test for misconfiguration when both creds are supplied.

Member Author


Oh, and also fixed flakiness due to nondeterministic ordering of processing of the tenant map.

Member

@amartinezfayo amartinezfayo left a comment


🎉

@azdagron azdagron merged commit c13d763 into spiffe:main Aug 1, 2022
@azdagron azdagron deleted the merge-azure-resolver-into-attestor branch August 1, 2022 19:58
stevend-uber pushed a commit to stevend-uber/spire that referenced this pull request Oct 16, 2023