Skip to content

Prepare the v0.12 release branch for v0.12.2 #2183

Merged
azdagron merged 77 commits intospiffe:v0.12from
azdagron:v0.12.2-cherry-picks
Mar 31, 2021
Merged

Prepare the v0.12 release branch for v0.12.2 #2183
azdagron merged 77 commits intospiffe:v0.12from
azdagron:v0.12.2-cherry-picks

Conversation

@azdagron
Copy link
Member

@azdagron azdagron commented Mar 30, 2021

Cherry picks in the following PRs in preparation for the 0.12.2 release.

#2015
#2020
#2022
#2025
#2032
#2044
#2048
#2065
#2091
#2110
#2116
#2119
#2133
#2142
#2150
#2155
#2159

Andrew Harding and others added 30 commits March 23, 2021 16:28
Set TLS 1.2 minimum for all endpoints
7054064 
The server API endpoint already enforces TLS 1.2 as the minimum TLS
version. However, the bundle endpoint and k8s registrar endpoints still
accept TLS 1.0/1.1 clients. This change updates those servers to also
enforce at least TLS 1.2.

Fixes: spiffe#2024

Signed-off-by: Andrew Harding <aharding@vmware.com>
@JonathanO
Return an error if an SDS client asks for resources that don't exist.
1f95be7 
This fixes spiffe#1230

Signed-off-by: Jonathan Oddy <jonathan.oddy@transferwise.com>
@JonathanO
Please the linter.
c14ae77 
Signed-off-by: Jonathan Oddy <jonathan.oddy@transferwise.com>
@JonathanO @azdagron
Code review fixes.
c68ba66 
Co-authored-by: Andrew Harding <azdagron@gmail.com>
Signed-off-by: Jonathan Oddy <jonathan.oddy@transferwise.com>
Log errors in failed user/group name lookup in unix workload attestor
d7c87a7 
Signed-off-by: Ryan Turner <turner@uber.com>
Fix capitalization of logs
dc4412b 
Signed-off-by: Ryan Turner <turner@uber.com>
Test that logs are emitted from unix workload attestor plugin
3a11c54 
Signed-off-by: Ryan Turner <turner@uber.com>
@ryysud
Implement the readiness endpoint for health checking
3f63656 
Signed-off-by: Ryuma Yoshida <ryuma.y1117@gmail.com>
@ryysud
Remove the checking_readiness_interval parameter
5ac72bc 
Signed-off-by: Ryuma Yoshida <ryumyosh@zlab.co.jp>
@ryysud
Avoid the gRPC connection leaks in the health system
2e9d5be 
Signed-off-by: Ryuma Yoshida <ryumyosh@zlab.co.jp>
@ryysud
Update the bind_port in the health_checks block example
e649bae 
Signed-off-by: Ryuma Yoshida <ryumyosh@zlab.co.jp>
@ryysud
Fix suites/k8s-reconcile
a47a30b 
Signed-off-by: Ryuma Yoshida <ryumyosh@zlab.co.jp>
@ryysud
Address PR comments
5d8bd42 
Signed-off-by: Ryuma Yoshida <ryumyosh@zlab.co.jp>
@kunzimariano
adds a 30 seconds timeout to keymanager plugin calls
bb12dfb 
Signed-off-by: Mariano Kunzi <kunzi.mariano@gmail.com>
@hixichen
Report uptime as metrics for spire server and agent with config (spif…
49394a0 
…fe#2032)

* Report update time as metrics for spire server and agent

Signed-off-by: CHEN XI <cxi@uber.com>
@amartinezfayo
Return an error when having an expired SVID when rotating the agent S…
24ab4ca 
…VID (spiffe#2065)

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Fix error tracking for entry cache telemetry
4363298 
The lack of a named error variable (and an accidental capture) was
preventing the deferred call counter done method from picking up the
error returned from building the cache.

This change fixes the bug by naming the error variable in the closure.

Signed-off-by: Andrew Harding <aharding@vmware.com>
Fix Vault token auth bug (spiffe#2110)
b2b9c0d 
Signed-off-by: Tomoya Usami <tousami@zlab.co.jp>
Fixes spiffe#2026 - thanks @caleblloyd!
25959c4 
Signed-off-by: Ben Leggett <bleggett@virtru.com>
Issue spiffe#2026 - Unit tests
0b869eb 
Signed-off-by: Ben Leggett <bleggett@virtru.com>
Clarify docs
cdf4044 
Signed-off-by: Ben Leggett <bleggett@virtru.com>
Review comment - map is there to prevent dupes
68ff24e 
Signed-off-by: Ben Leggett <bleggett@virtru.com>
Comment wording was unnecessarily confusing
bd5c1ab 
Signed-off-by: Ben Leggett <bleggett@virtru.com>
show selectors
23d5dbc 
Signed-off-by: inajob <kinadu@zlab.co.jp>
fixup! show selectors
3e2157f 
Signed-off-by: inajob <kinadu@zlab.co.jp>
@amartinezfayo
Expose a configuration to disable rate limiting on JWT signing and X5…
c3d5bb3 
…09 signing (spiffe#2142)

* Expose a single config to disable rate limiting on JWT signing and X509 signing

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Use SPIRE to rotate webhook certificates
7a43631 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Stop using previous object for patch
7b90b30 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Add missing mutating webhook patches
d4733a9 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Collapse ConfigMap
d501c38 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Faisal Memon and others added 23 commits March 24, 2021 09:40
Some cleanup
a530844 
Signed-off-by: Faisal Memon <f.memon@f5.com>
@faisal-memon @azdagron
label -> webhook_label
16300bc 
Co-authored-by: Andrew Harding <azdagron@gmail.com>
Signed-off-by: Faisal Memon <f.memon@f5.com>
label -> webhook_label part 2
f7da1ba 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Fix setConfig error handling
4c75609 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Update docs for webhook_label
424dbca 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Fix setConfig ordering
7dc0adf 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Aggregate errors
d2bacac 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Aggregate error messages, add comment
a574ff9 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Remove nil watchers
b76e8f3 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Cleanup unit tests
5992d14 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Set cancelWatcher to nil after calling it
965f307 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Ignore FailedPrecondition errors
42f1ddb 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Don't log when FailedPrecondition error happens
3c621e9 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Handle webhook modified case
7fe7e9c 
Signed-off-by: Faisal Memon <f.memon@f5.com>
Fix MySQL isolation level for read-modify-write ops
7f74e03 
Signed-off-by: Andrew Harding <aharding@vmware.com>
change updateAttestedNodes tx type
b0515de 
Signed-off-by: Andrew Harding <aharding@vmware.com>
Fix spiffe ID equality
0afaec1 
Signed-off-by: SirNexus <ai.carson@f5.com>
@kgtw
Introduce a new aws_iid plugin configuration option 'use_instance_pro…
01857ed 
…file_selectors'.

This is needed when spire-server is running in a secure area with no public internet access.

If an attesting node has an iam instance profile policy attached and there is no public internet access, spire-server fails to attest the nodes because it cannot reach the aws iam endpoint - iam.amazonaws.com.

Setting use_instance_profile_selectors = false, disables the api call to the iam endpoint allowing nodes to attest.

Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
@kgtw
Change config to 'disable_instance_profile_selectors' to maintain bac…
48495cb 
…kwards functionality.

Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
@kgtw
Update aws_iid documentation for disable_instance_profile_selectors c…
663008a 
…onfig option

Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
@kgtw
Update aws_iid documentation with more context around the disable_ins…
6c9ff28 
…tance_profile_selectors configuration option

Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
@kgtw
Fix wording in documentation for disable_instance_profile_selectors
38845c4 
Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
@amartinezfayo
Include the attestor type in the error returned when could not find t…
2ed56a7 
…he node attestor type

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
rturner3
rturner3 approved these changes Mar 31, 2021
View reviewed changes
Copy link
Collaborator

@rturner3 rturner3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@azdagron azdagron merged commit 0a9f379 into spiffe:v0.12 Mar 31, 2021
@azdagron azdagron deleted the v0.12.2-cherry-picks branch March 31, 2021 18:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@evan2645 evan2645 evan2645 approved these changes

@rturner3 rturner3 rturner3 approved these changes

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo

@APTy APTy Awaiting requested review from APTy

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@azdagron @evan2645 @rturner3 @JonathanO @ryysud @kunzimariano @hixichen @amartinezfayo @faisal-memon @kgtw