Return an error if an SDS client asks for resources that don't exist.#2020
Conversation
JonathanO
requested review from
APTy,
amartinezfayo,
azdagron,
evan2645 and
rturner3
as code owners
|
The alternative to this PR would be to simply hang up after attestation (or on first request) if no identities were issued. That would also solve the problem, and, unlike this PR, it matches the behaviour of the workload API. But I am concerned that there could be people depending on having workloads with no identities retrieving trust bundles via SDS, which such a change would break. If that isn't actually a supported use case then I'll close this PR, and raise a new one with the simpler fix. |
JonathanO
force-pushed
the
disconnect-sds-when-no-identities
branch
from
40970b7 to
adcf2d4
Compare
|
The alternative seems interesting and I'd probably be for it except the Workload API specification has recently gained an RPC that can be used to fetch X.509 bundles (optionally without requiring the workload to be attested) in order to support verifying SPIFFE IDs from a trust domain without having to actually belong to the trust domain (we have yet to implement this in SPIRE), so from a behavior parity standpoint, I think it makes most sense to continue allowing a bundle to be returned to an unauthenticated workload. |
|
TL;DR: I think this approach is alright for the time being I'm still not in love with the whole unregistered workload api consumer thing... Putting that aside, this SDS thing needs to be fixed one way or another. I've considered this approach vs the alternative (which feels better on the surface), and ultimately I agree with @azdagron and @JonathanO - this approach seems unlikely to fail in strange ways, and also unlikely to introduce pain for existing consumers that may be using the agent in surprising ways. At the same time, it doesn't prevent us from moving to the alternative behavior in the future, so... 👍 |
azdagron
left a comment
azdagron
left a comment
There was a problem hiding this comment.
This looks good to me. I left a few nitpicks to make the code a little more terse but don't feel obligated to fix them. Happy to merge without.
JonathanO
force-pushed
the
disconnect-sds-when-no-identities
branch
from
54c1fe6 to
5d58f4a
Compare
This fixes spiffe#1230 Signed-off-by: Jonathan Oddy <jonathan.oddy@transferwise.com>
Signed-off-by: Jonathan Oddy <jonathan.oddy@transferwise.com>
Co-authored-by: Andrew Harding <azdagron@gmail.com> Signed-off-by: Jonathan Oddy <jonathan.oddy@transferwise.com>
JonathanO
force-pushed
the
disconnect-sds-when-no-identities
branch
from
5d58f4a to
ad14140
Compare
Signed-off-by: Jonathan Oddy <jonathan.oddy@transferwise.com>
Signed-off-by: Jonathan Oddy <jonathan.oddy@transferwise.com>
This is Circle's recommended image, and should contain a version of docker-compose that supports v3.5 compose files. Signed-off-by: Jonathan Oddy <jonathan.oddy@transferwise.com>
3 participants
This will reject an SDS client if it requests resource names that don't exist.
This is a solution for SDS clients getting "stuck" if attestation fails temporarily due to some local problem (e.g. k8s attestation taking too long.)
This may cause problems if anyone is relying on a configuration where it is expected to request multiple identities/bundles in the same SDS session, some of which do not exist (yet.)
fixes #1230