Feat integrate spiffe #1663
Feat integrate spiffe #1663
Conversation
k8s-ci-robot
added
cncf-cla: yes
✅ Deploy Preview for kubernetes-sigs-nfd ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
TessaIO
force-pushed
the
feat-integrate-spiffe
branch
4 times, most recently
from
b60483c to
2917fe1
Compare
|
/cc marquiz |
|
Let's close #1434 ;) |
k8s-ci-robot
added
the
needs-rebase
TessaIO
force-pushed
the
feat-integrate-spiffe
branch
2 times, most recently
from
c433995 to
5e5183d
Compare
k8s-ci-robot
removed
the
needs-rebase
| @@ -91,6 +91,8 @@ func main() { | |||
| klog.InfoS("-port is deprecated, will be removed in a future release along with the deprecated gRPC API") | |||
| case "verify-node-name": | |||
| klog.InfoS("-verify-node-name is deprecated, will be removed in a future release along with the deprecated gRPC API") | |||
| case "enable-spiffe": | |||
There was a problem hiding this comment.
@marquiz should we define this as a feature-gate???
There was a problem hiding this comment.
Probably not. I think this will never be enabled by default so feature gate feels superfluous (and unintuitive). It would serve as a unnecessary second-level gate (we'd want the enable/disable setting anyway), i.e. you'd need to specify -feature-gates spiffe=true -enable-spiffe
| "github.com/stretchr/testify/assert" | ||
| "sigs.k8s.io/node-feature-discovery/api/nfd/v1alpha1" |
There was a problem hiding this comment.
Is this file go imports checked?
There was a problem hiding this comment.
Does it contain any problem? My IDE does not complain about it.
k8s-ci-robot
added
the
needs-rebase
TessaIO
force-pushed
the
feat-integrate-spiffe
branch
from
5e5183d to
4e5af99
Compare
k8s-ci-robot
removed
the
needs-rebase
TessaIO
force-pushed
the
feat-integrate-spiffe
branch
2 times, most recently
from
65e5b03 to
aee2686
Compare
k8s-ci-robot
added
the
needs-rebase
| @@ -91,6 +91,8 @@ func main() { | |||
| klog.InfoS("-port is deprecated, will be removed in a future release along with the deprecated gRPC API") | |||
| case "verify-node-name": | |||
| klog.InfoS("-verify-node-name is deprecated, will be removed in a future release along with the deprecated gRPC API") | |||
| case "enable-spiffe": | |||
There was a problem hiding this comment.
Probably not. I think this will never be enabled by default so feature gate feels superfluous (and unintuitive). It would serve as a unnecessary second-level gate (we'd want the enable/disable setting anyway), i.e. you'd need to specify -feature-gates spiffe=true -enable-spiffe
There was a problem hiding this comment.
Wouldn't we want to depend on/refer to some official Spire Helm chart for deploying spire instead of maintaining our own?
There was a problem hiding this comment.
yes for Helm charts that would be better. But I'm wondering how we're going to do that for Kustomize.
| @@ -85,6 +90,7 @@ type NFDConfig struct { | |||
| LeaderElection LeaderElectionConfig | |||
| NfdApiParallelism int | |||
| Klog klogutils.KlogConfigOpts | |||
| EnableSpiffe bool | |||
There was a problem hiding this comment.
Hmm, looking at this maybe it would be safest to only have this as a command line argument (i.e. NOT at as a dynamically configurable config file setting). Just to make it very clear if/when the setting is changed. WDYT?
There was a problem hiding this comment.
We don't have dynamic configuration anymore so we can have both, I think.
TessaIO
force-pushed
the
feat-integrate-spiffe
branch
from
aee2686 to
520dd72
Compare
k8s-ci-robot
added
needs-rebase
|
/milestone v0.17 |
k8s-ci-robot
added
size/XL
TessaIO
force-pushed
the
feat-integrate-spiffe
branch
from
da1af98 to
18e6360
Compare
k8s-ci-robot
added
the
do-not-merge/work-in-progress
TessaIO
force-pushed
the
feat-integrate-spiffe
branch
3 times, most recently
from
903a7cf to
c6c6b85
Compare
k8s-ci-robot
added
size/L
TessaIO
force-pushed
the
feat-integrate-spiffe
branch
from
c6c6b85 to
9b0d16a
Compare
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
ping @marquiz @ArangoGutierrez Can you please take a look? |
|
/retest |
k8s-ci-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Signed-off-by: TessaIO <[email protected]>
TessaIO
force-pushed
the
feat-integrate-spiffe
branch
from
9b0d16a to
a73437c
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: TessaIO The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
size/XL
|
@TessaIO: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Thanks for the update @TessaIO. We need to forward this, not let it linger it in a limbo state forever. I'd want to get this in as an experimental feature soon. /assign @ArangoGutierrez |
| dependencies: | ||
| - name: spire | ||
| repository: https://spiffe.github.io/helm-charts-hardened/ | ||
| version: 0.24.1 |
There was a problem hiding this comment.
Update this. Spire v1 has been released(?)
| dependencies: | ||
| - name: spire | ||
| version: 0.24.1 | ||
| repository: https://spiffe.github.io/helm-charts-hardened/ |
There was a problem hiding this comment.
We should have a conditional for this. Only require if spiffe is enabled. Right(?)
| @@ -85,6 +90,7 @@ type NFDConfig struct { | |||
| LeaderElection LeaderElectionConfig | |||
| NfdApiParallelism int | |||
| Klog klogutils.KlogConfigOpts | |||
| EnableSpiffe bool | |||
There was a problem hiding this comment.
We don't have dynamic configuration anymore so we can have both, I think.
| @@ -597,3 +597,47 @@ prometheus: | |||
| enable: false | |||
| scrapeInterval: 10s | |||
| labels: {} | |||
|
|
|||
| spire: | |||
| enabled: true | |||
There was a problem hiding this comment.
Default should be false(?)
| path: /run/spire/agent-sockets | ||
| type: Directory |
There was a problem hiding this comment.
nit: would narrowing down work
| path: /run/spire/agent-sockets | |
| type: Directory | |
| path: /run/spire/agent-sockets/api.sock | |
| type: Socket |
| } | ||
|
|
||
| if isSignatureVerified { | ||
| klog.InfoS("NodeFeature verified", "NodeFeature name", obj.Name) |
There was a problem hiding this comment.
more comprehensive reference:
| klog.InfoS("NodeFeature verified", "NodeFeature name", obj.Name) | |
| klog.InfoS("NodeFeature verified", "nodefeature", klog.KObj(obj)) |
| klog.InfoS("NodeFeature verified", "NodeFeature name", obj.Name) | ||
| verifiedObjects = append(verifiedObjects, obj) | ||
| } else { | ||
| klog.InfoS("NodeFeature not verified, skipping...", "NodeFeature name", obj.Name) |
There was a problem hiding this comment.
| klog.InfoS("NodeFeature not verified, skipping...", "NodeFeature name", obj.Name) | |
| klog.InfoS("NodeFeature not verified, skipping...", "nodefeature", klog.KObj(obj)) |
| @@ -667,6 +682,14 @@ func (m *nfdWorker) updateNodeFeatureObject(labels Labels) error { | |||
| } | |||
| klog.InfoS("creating NodeFeature object", "nodefeature", klog.KObj(nfr)) | |||
|
|
|||
| // If Spiffe is enabled, we add the signature to the annotations section | |||
There was a problem hiding this comment.
Small note: I think we should add Namespace: namespace to the nfr created above so that the "SpiffeData" (and thus the checksum) will be identical in the next discovery cycle when we get the object from the api server (i.e. !errors.IsNotFound(err))
Resolves #1186