-
Notifications
You must be signed in to change notification settings - Fork 476
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider adding metadata to the entry that allows a registrar to self-identify #4898
Comments
I've needed this functionality too. I've tested abusing hints for this purpose with the spire-controller-manager, and it was very easy to implement, but I agree its probably not a good long term strategy. My thoughts on your questions are as follows: If someone needs hard security around all of it, they should probably be using separate spire-server/controller-manager instances to guarantee security. If we wanted to support hard multi-tenancy within spire-server proper, that would be ok too, but substantially more work then what is being needed to solve this softer problem. So, that in mind, I'm thinking something simple/advisory is better too.
And things not filtering by entry owner would see all entries just as now. As for implementation, I'm thinking it would basically mirror the work that was done for hints? |
Will add my 5 cents here.
If it is metadata and not specific field anyone who has impact on the process of entry creation, e.g.
Rather advisory with “system” reserved keys or prefixes. E.g. controller manager can prefix all keys with
Not sure I get it. Perhaps if you have additional logic around it could be used for access controls, otherwise consider metadata as metadata and no direct effect on ACL. I believe there is little to no difference of purposes with what Hint currently has, just could be more structured or hint could be considered as one of metadata fields. |
If its a field and not a generic metadata property, like hint is, we can add a filter which entries get handed back to the controller for processing. This could save a lot of network trips for syncing to the registrar when multiple are involved. Like: https://github.com/spiffe/spire-api-sdk/blob/v1.8.7/proto/spire/api/server/entry/v1/entry.pb.go#L913 |
Have little experience with sql so correct if I’m wrong but I can imagine you can extract Just not sure if adding specific field for each metadata that can be required for all potential use cases is sustainable approach. |
I'd wager generic entry metadata is likely out of scope as a solution for this request. Probably worth considering, but there has traditionally been a fair bit of opposition to the idea for a variety of reasons. |
@azdagron any consensus on the approach to use here? Also what would be a timeline? I guess it won't be backported so we would expect to see it in at least 1.10? |
Only one external controller manager is supported at a time until spiffe/spire#4898 is resolved. Signed-off-by: Kevin Fox <[email protected]>
There isn't clear consensus on a path forward for first-class support of a concept like this in SPIRE. For the immediate needs of the spire-controller-manager, we've decided to use entry id prefixing as a stop-gap. If/when SPIRE opens up support for something different, we can leverage it then. |
* Complete Server K8S PSAT support Add all the SPIRE Server supported options for the K8S PSAT attestor. This retains the ease of use for configuring local cluster support while adding the ability to configure multiple/external clusters as well. Kubeconfig support is added in its own config block as it will be used/shared with spire-controller-manager support in the future. Signed-off-by: Kevin Fox <[email protected]> * Fix merge conflict Signed-off-by: Kevin Fox <[email protected]> * Add support for integration tests in the tests/integration dir Signed-off-by: Kevin Fox <[email protected]> * Fix split issue and typo Signed-off-by: Kevin Fox <[email protected]> * Add basic psat test Signed-off-by: Kevin Fox <[email protected]> * Fix linter Signed-off-by: Kevin Fox <[email protected]> * Fix up test Signed-off-by: Kevin Fox <[email protected]> * Add missing file Signed-off-by: Kevin Fox <[email protected]> * Better encode config Signed-off-by: Kevin Fox <[email protected]> * Update charts/spire/charts/spire-server/values.yaml Co-authored-by: Faisal Memon <[email protected]> Signed-off-by: kfox1111 <[email protected]> * Update docs Signed-off-by: Kevin Fox <[email protected]> * Apply suggestions from code review Co-authored-by: Faisal Memon <[email protected]> Signed-off-by: kfox1111 <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Update charts/spire/charts/spire-server/values.yaml Co-authored-by: Faisal Memon <[email protected]> Signed-off-by: kfox1111 <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Add external k8s bundler Adds support to sync the CA bundle to configmaps in external Kubernetes clusters Signed-off-by: Kevin Fox <[email protected]> * Update default Signed-off-by: Kevin Fox <[email protected]> * Fix config file layout. Incorperate feedback. Signed-off-by: Kevin Fox <[email protected]> * Incorperate feedback Signed-off-by: Kevin Fox <[email protected]> * Update based on parent pr feedback Signed-off-by: Kevin Fox <[email protected]> * Reformat config file Signed-off-by: Kevin Fox <[email protected]> * Fix some things Signed-off-by: Kevin Fox <[email protected]> * Reconfigure kind Signed-off-by: Kevin Fox <[email protected]> * More debugging Signed-off-by: Kevin Fox <[email protected]> * Fix up kind Signed-off-by: Kevin Fox <[email protected]> * Incorperate feedback Signed-off-by: Kevin Fox <[email protected]> * Add external spire-controller-managers Only one external controller manager is supported at a time until spiffe/spire#4898 is resolved. Signed-off-by: Kevin Fox <[email protected]> * Fix tests Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Upgrade to spire-controller-manager 0.5.0 Signed-off-by: Kevin Fox <[email protected]> * Update for released 0.5.0 Signed-off-by: Kevin Fox <[email protected]> * Merge in some of the id prefix pr Signed-off-by: Kevin Fox <[email protected]> * Entry ID Prefix (#287) * Add Entry ID Prefix support Signed-off-by: Kevin Fox <[email protected]> * Mulitcluster test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Implement cleanup setting too Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Bump up test container Signed-off-by: Kevin Fox <[email protected]> * Swith to testing with nightly Signed-off-by: Kevin Fox <[email protected]> * Fix value name Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> --------- Signed-off-by: Kevin Fox <[email protected]> Signed-off-by: kfox1111 <[email protected]> * Fix up doc formatting Signed-off-by: Kevin Fox <[email protected]> * Fix merge conflict Signed-off-by: Kevin Fox <[email protected]> * Update charts/spire/charts/spire-server/values.yaml Co-authored-by: Faisal Memon <[email protected]> Signed-off-by: kfox1111 <[email protected]> --------- Signed-off-by: Kevin Fox <[email protected]> Signed-off-by: kfox1111 <[email protected]> Co-authored-by: Faisal Memon <[email protected]>
* Complete Server K8S PSAT support Add all the SPIRE Server supported options for the K8S PSAT attestor. This retains the ease of use for configuring local cluster support while adding the ability to configure multiple/external clusters as well. Kubeconfig support is added in its own config block as it will be used/shared with spire-controller-manager support in the future. Signed-off-by: Kevin Fox <[email protected]> * Fix merge conflict Signed-off-by: Kevin Fox <[email protected]> * Add support for integration tests in the tests/integration dir Signed-off-by: Kevin Fox <[email protected]> * Fix split issue and typo Signed-off-by: Kevin Fox <[email protected]> * Add basic psat test Signed-off-by: Kevin Fox <[email protected]> * Fix linter Signed-off-by: Kevin Fox <[email protected]> * Fix up test Signed-off-by: Kevin Fox <[email protected]> * Add missing file Signed-off-by: Kevin Fox <[email protected]> * Better encode config Signed-off-by: Kevin Fox <[email protected]> * Update charts/spire/charts/spire-server/values.yaml Co-authored-by: Faisal Memon <[email protected]> Signed-off-by: kfox1111 <[email protected]> * Update docs Signed-off-by: Kevin Fox <[email protected]> * Apply suggestions from code review Co-authored-by: Faisal Memon <[email protected]> Signed-off-by: kfox1111 <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Update charts/spire/charts/spire-server/values.yaml Co-authored-by: Faisal Memon <[email protected]> Signed-off-by: kfox1111 <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Add external k8s bundler Adds support to sync the CA bundle to configmaps in external Kubernetes clusters Signed-off-by: Kevin Fox <[email protected]> * Update default Signed-off-by: Kevin Fox <[email protected]> * Fix config file layout. Incorperate feedback. Signed-off-by: Kevin Fox <[email protected]> * Incorperate feedback Signed-off-by: Kevin Fox <[email protected]> * Update based on parent pr feedback Signed-off-by: Kevin Fox <[email protected]> * Reformat config file Signed-off-by: Kevin Fox <[email protected]> * Fix some things Signed-off-by: Kevin Fox <[email protected]> * Reconfigure kind Signed-off-by: Kevin Fox <[email protected]> * More debugging Signed-off-by: Kevin Fox <[email protected]> * Fix up kind Signed-off-by: Kevin Fox <[email protected]> * Incorperate feedback Signed-off-by: Kevin Fox <[email protected]> * Add external spire-controller-managers Only one external controller manager is supported at a time until spiffe/spire#4898 is resolved. Signed-off-by: Kevin Fox <[email protected]> * Fix tests Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Add Entry ID Prefix support Signed-off-by: Kevin Fox <[email protected]> * Mulitcluster test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Implement cleanup setting too Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Make spire-lib bits into its own library chart. Signed-off-by: Kevin Fox <[email protected]> * Add spire-nested chart Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Fix tests Signed-off-by: Kevin Fox <[email protected]> * Fix lint issue Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Add missing file Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Add nameOverride option Signed-off-by: Kevin Fox <[email protected]> * Simplify upstream config. Reorder test for faster executation Signed-off-by: Kevin Fox <[email protected]> * Enable service account allow list to calculate namespace Signed-off-by: Kevin Fox <[email protected]> * Add identity type for child servers Signed-off-by: Kevin Fox <[email protected]> * Enable name override setting Signed-off-by: Kevin Fox <[email protected]> * Fix printing Signed-off-by: Kevin Fox <[email protected]> * Fix formatting Signed-off-by: Kevin Fox <[email protected]> * Fix name length issue Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Switch to non cluster-admin user Signed-off-by: Kevin Fox <[email protected]> * Test out adding roles Signed-off-by: Kevin Fox <[email protected]> * Namespace needs to exist Signed-off-by: Kevin Fox <[email protected]> * Remove tty Signed-off-by: Kevin Fox <[email protected]> * Fix name Signed-off-by: Kevin Fox <[email protected]> * Add missing role Signed-off-by: Kevin Fox <[email protected]> * Add kind=none to not require extra objects Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Remove unneeded code Signed-off-by: Kevin Fox <[email protected]> * Add security cluster example Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Dont preinstall crds for nested-security Signed-off-by: Kevin Fox <[email protected]> * Fix tests Signed-off-by: Kevin Fox <[email protected]> * Fix address Signed-off-by: Kevin Fox <[email protected]> * Update port Signed-off-by: Kevin Fox <[email protected]> * Update psat setting Signed-off-by: Kevin Fox <[email protected]> * Update psat setting Signed-off-by: Kevin Fox <[email protected]> * Fix tests Signed-off-by: Kevin Fox <[email protected]> * Fix tests Signed-off-by: Kevin Fox <[email protected]> * Remove older tests that newer tests cover Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Fix kind logic Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Seems unneeded. Try and remove Signed-off-by: Kevin Fox <[email protected]> * Update the default ports to be more user friendly Signed-off-by: Kevin Fox <[email protected]> * See if we can leave controller manager port alone Signed-off-by: Kevin Fox <[email protected]> * Change the agent default port too Signed-off-by: Kevin Fox <[email protected]> * Bump up test container Signed-off-by: Kevin Fox <[email protected]> * Swith to testing with nightly Signed-off-by: Kevin Fox <[email protected]> * Fix value name Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Upgrade to spire-controller-manager 0.5.0 Signed-off-by: Kevin Fox <[email protected]> * Try to isolate config differences just to child cluster Signed-off-by: Kevin Fox <[email protected]> * Update for released 0.5.0 Signed-off-by: Kevin Fox <[email protected]> * Merge in some of the id prefix pr Signed-off-by: Kevin Fox <[email protected]> * Entry ID Prefix (#287) * Add Entry ID Prefix support Signed-off-by: Kevin Fox <[email protected]> * Mulitcluster test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Implement cleanup setting too Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Bump up test container Signed-off-by: Kevin Fox <[email protected]> * Swith to testing with nightly Signed-off-by: Kevin Fox <[email protected]> * Fix value name Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> --------- Signed-off-by: Kevin Fox <[email protected]> Signed-off-by: kfox1111 <[email protected]> * Fix up doc formatting Signed-off-by: Kevin Fox <[email protected]> * Revert notes Signed-off-by: Kevin Fox <[email protected]> * Use tags for nested chart Signed-off-by: Kevin Fox <[email protected]> * Add missing tag Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix formatting Signed-off-by: Kevin Fox <[email protected]> * Fix class name Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Fix merge conflict issue Signed-off-by: Kevin Fox <[email protected]> * Fix merge issue Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Fix merge issue Signed-off-by: Kevin Fox <[email protected]> * Incorperate feedback. Switch setting to be externalServer. Signed-off-by: Kevin Fox <[email protected]> * Update nested chart to use new setting Signed-off-by: Kevin Fox <[email protected]> * Fix merge issue Signed-off-by: Kevin Fox <[email protected]> * Fix merge conflict Signed-off-by: Kevin Fox <[email protected]> * Fix merge conflict Signed-off-by: Kevin Fox <[email protected]> * Add docs about which sections are used with which tags Signed-off-by: Kevin Fox <[email protected]> * Update versions Signed-off-by: Kevin Fox <[email protected]> --------- Signed-off-by: Kevin Fox <[email protected]> Signed-off-by: kfox1111 <[email protected]> Co-authored-by: Faisal Memon <[email protected]>
We've discussed this before but I failed to find the issue so I thought I'd open a new one to keep the conversation going.
SPIRE Controller Manager tries to be authoritative for the workload entries it manages. In its current design, it expects to be the sole registrar operating against a given SPIRE Server cluster. If it discovers entries that it does not think should exist, it removes them. The fallout of this choice is that SPIRE Controller Manager cannot exist side-by-side other registrars.
There has been a slow but steady trickle of asks by the community to allow SPIRE Controller Manager to coexist with other registrars (including other SPIRE Controller Managers). The reasons are varied. The weight behind the ask is growing and it's something I'd like to support somehow.
Entries IDs or hints can be (ab)used for this purpose but that is not ideal.
In the past, we've thought about adding a specific field for this purpose (e.g. "registrar", "owner", "namespace") but haven't come to agreement on things like:
For my specific use case, a simple, opaque advisory field would be sufficient.
Thoughts??
Related issues on the controller manager:
The text was updated successfully, but these errors were encountered: