Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added ClusterStaticEntry support #174

Merged
merged 3 commits into from
Jul 7, 2023
Merged

Added ClusterStaticEntry support #174

merged 3 commits into from
Jul 7, 2023

Conversation

azdagron
Copy link
Member

Resolves #149

@azdagron azdagron requested a review from MarcosDY as a code owner June 27, 2023 03:28
@azdagron
Added ClusterStaticEntry support
fb9bcf5 
Signed-off-by: Andrew Harding <[email protected]>
@azdagron azdagron force-pushed the azdagron/clusterstaticentry branch from ddfeb88 to fb9bcf5 Compare June 27, 2023 13:54
MarcosDY
MarcosDY reviewed Jun 27, 2023
View reviewed changes
README.md
The SPIRE APIs used by the SPIRE Controller Manager are generally stable and
supported since at least SPIRE v1.0. However, the API has gained support for
additional entry fields beyond what was supported in SPIRE v1.0. Notably, these
include both the `jwt_svid_ttl` and the `hint` fields. The ClusterStaticEntry
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know there is an issue to add jwt_svid_ttl to regular reconciler, and we may add another one for hint,
are you worried about adding those fields there too?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

jwt_svid_ttl makes sense but hint is harder to reason about. I'd probably side with waiting until somebody has a use case for it before adding it to the ClusterSPIFFEID CRD.

api/v1alpha1/clusterstaticentry_types.go Outdated
@@ -0,0 +1,76 @@
/*
Copyright 2021 SPIRE Authors.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since it is a new crd, may we update year to 2023? and what happens with another crds that got updates?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we'd only bump the year if there were significant updates. I'll change the year for this CRD.

config/crd/bases/spire.spiffe.io_clusterstaticentries.yaml Outdated
x509SVIDTTL:
type: string
required:
- dnsNames
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it intntional to make dns, federatesWith, hint and ttls required?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. I've updated the json tags and regenerated manifests.

@azdagron
Address PR comments
2a0b383 
Signed-off-by: Andrew Harding <[email protected]>
@azdagron azdagron force-pushed the azdagron/clusterstaticentry branch from 00b00f8 to 2a0b383 Compare June 29, 2023 11:23
ugoenyioha
ugoenyioha reviewed Jul 2, 2023
View reviewed changes
config/samples/spire_v1alpha1_clusterstaticentry.yaml Outdated
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should complete the sample here no? else what would users have to anchor on?

MarcosDY
MarcosDY approved these changes Jul 3, 2023
View reviewed changes
Copy link
Collaborator

@MarcosDY MarcosDY left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!!!

@matthewdevenny
Copy link

Nice! This is definitely needed - what about the node setting? If I am using the boxboat/spire-tpm-plugin for node tpm attestation I would also need to be able to set the node flag correct?

@azdagron
Copy link
Member Author

azdagron commented Jul 7, 2023

The -node flag doesn't actually have a first class field on the entry. Instead it sets the parent ID to the SPIFFE ID of the spire server (i.e., spiffe://TRUSTDOMAIN/spire/server), which implies that the entry is a node alias.

@azdagron azdagron merged commit 9ae90ef into main Jul 7, 2023
6 checks passed
@azdagron azdagron deleted the azdagron/clusterstaticentry branch July 7, 2023 20:00
@abhishek44sharma abhishek44sharma mentioned this pull request Jul 10, 2023
Merged
@matthewdevenny
Copy link

@azdagron when do you think will we see this in a release?

@azdagron
Copy link
Member Author

This will be released in 0.3.0. There are currently two outstanding issues that have to be fixed before we can release the ClusterStaticEntry CRD.

https://github.com/spiffe/spire-controller-manager/milestone/1

I'm personally slammed this week but may have some cycles next week to wrap this up. Unless @MarcosDY has some cycles, it will probably be at least then.

@keeganwitt
Copy link
Contributor

We should probably also create a migration guide.

@kfox1111
Copy link
Contributor

Yeah.... upgrading the chart will likely have some issues with the crds.

@kfox1111 kfox1111 mentioned this pull request Jul 26, 2023
Open
@MarcosDY MarcosDY added this to the 0.3.0 milestone Sep 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ugoenyioha ugoenyioha ugoenyioha left review comments

@MarcosDY MarcosDY MarcosDY approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.3.0
Development

Successfully merging this pull request may close these issues.

Proposal: ClusterStaticEntry CRD for registering workloads that live outside the cluster
6 participants
@azdagron @matthewdevenny @keeganwitt @kfox1111 @MarcosDY @ugoenyioha