Enable Istio-style SPIFFE IDs; custom namespaces, and trust domains #1011
Conversation
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
Signed-off-by: Volkan Özçelik <[email protected]>
|
cc: @BulldromeQ these changes will be useful for our OpenShift deployment too, since the particular cluster that we were working on was creating its own custom ClusterSPIFFEIds and was using its own custom namespaces (instead of vsecm-system). |
|
I summarized the changes in the PR body; yet, I’ll annotate the code as needed too. |
| @@ -31,6 +31,9 @@ VSECM_EKS_REGISTRY_URL ?= "public.ecr.aws/h8y1n7y7" | |||
| VSECM_NAMESPACE_SYSTEM ?= "vsecm-system" | |||
| VSECM_NAMESPACE_SPIRE ?= "spire-system" | |||
| VSECM_NAMESPACE_SPIRE_SERVER ?= "spire-server" | |||
| # VSECM_NAMESPACE_SYSTEM ?= "vsecm-system-custom" | |||
| # VSECM_NAMESPACE_SPIRE ?= "spire-system-custom" | |||
| # VSECM_NAMESPACE_SPIRE_SERVER ?= "spire-server-custom" | |||
There was a problem hiding this comment.
These commented out lines are useful to test the thing with the generated k8s manifests instead of directly using helm. — An alternative is to define the environment variables, or pass these as arguments to make. I wanted to keep them explicit as they double as documentation too.
| @@ -70,6 +70,7 @@ const VSecMSidecarSuccessThreshold VarName = "VSECM_SIDECAR_SUCCESS_THRESHOLD" | |||
| const VSecMSpiffeIdPrefixSafe VarName = "VSECM_SPIFFEID_PREFIX_SAFE" | |||
| const VSecMSpiffeIdPrefixSentinel VarName = "VSECM_SPIFFEID_PREFIX_SENTINEL" | |||
| const VSecMSpiffeIdPrefixWorkload VarName = "VSECM_SPIFFEID_PREFIX_WORKLOAD" | |||
| const VSecMWorkloadNameRegExp VarName = "VSECM_WORKLOAD_NAME_REGEXP" | |||
There was a problem hiding this comment.
This is new. It gives us the flexibility to capture any part of the SPIFFE ID as the workload’s id.
One restriction is; all regexp shall start with ^spifee://$trustDomain/ where $trustDomain is whichever trust domain has been configured.
It is also recommended for the regExps to end with a $ and make the matches as specific as possible whenever possible.
| func NameRegExpForWorkload() string { | ||
| p := env.Value(env.VSecMWorkloadNameRegExp) | ||
| if p == "" { | ||
| p = string(env.VSecMNameRegExpForWorkloadDefault) |
There was a problem hiding this comment.
Having default values in the codebase has both benefits, and liabilities; maybe we should create an ADR for this outlining why we prefer it that way (as opposed to, for example, using a configuration file, or a ConfigMap).
| }, | ||
| { | ||
| name: "safe_spiffeid_prefix_from_env", | ||
| setup: func() error { | ||
| return os.Setenv("VSECM_SPIFFEID_PREFIX_WORKLOAD", "spiffe://vsecm.com/workload/test/") | ||
| return os.Setenv("VSECM_SPIFFEID_PREFIX_WORKLOAD", "spiffe://vsecm.com/workload/test/ns/test/sa/test/n/test") |
There was a problem hiding this comment.
Thanks to the stricter SPIFFE ID validation, we had to update the tests to be stricter too. – the test do not pass if the ids do not conform to a certain pattern.
| // `^spiffe://$trustDomain` prefix for extra security. | ||
| // | ||
| // This variable shall be treated as constant and should not be modified. | ||
| var spiffeRegexPrefixStart = "^spiffe://" + env.SpiffeTrustDomain() + "/" |
There was a problem hiding this comment.
This is intentionally hard coded and kept reconfigurable because
- Any spiffe id has to start with
spiffe://as part of the standard and then followed by the trust domain. - Starting the matcher with a
^makes it more restrictive and more secure, since you cannot just use any regexp, and you have to match thing starting from the beginning of the string.
| @@ -43,13 +47,18 @@ const spiffeRegexPrefixStart = "^" | |||
| // | |||
| // bool: `true` if the SPIFFE ID belongs to VSecM Sentinel, `false` otherwise. | |||
| func IsSentinel(spiffeid string) bool { | |||
| if !IsWorkload(spiffeid) { | |||
| return false | |||
There was a problem hiding this comment.
Any VSecM entity is also a workload. So we run an IsWorkload() check before running other checks.
| @@ -26,7 +26,7 @@ data: | |||
| resourceName: 98c9c988.spiffe.io | |||
| resourceNamespace: {{ .Values.global.spire.serverNamespace }} | |||
| clusterName: vsecm-cluster | |||
| trustDomain: vsecm.com | |||
| trustDomain: {{ .Values.global.spire.trustDomain }} | |||
There was a problem hiding this comment.
We have missed this; the recent customization test helped us realize that :) .
Enable Istio-style SPIFFE IDs; custom namespaces, and trust domains
Description
This PR adds additional flexibility to VSecM deployments by enabling custom SPIFFE IDs
for workload identities, custom namespaces, and custom trust domains.
Changes
app/safe/internal/server/handle/route.goto fix a regression.env.NameRegExpForWorkload()to allow matching workload ids from spiffe idsbased on regular expressions.
WorkloadIDAndParts(spiffeid string) (string, []string)to work withthe above regexp; the implementation needs some simplification, which can be done
as a follow-up PR.
VSecMSpiffeIdPrefixSafe,VSecMSpiffeIdPrefixSentinel,VSecMSpiffeIdPrefixWorkload,VSecMNameRegExpForWorkload.values-custom.yamlto test the changes with an inline comment to how to useit. A follow-up PR will be created to add the test to integration test too.
Test Policy Compliance
Code Quality
to understand.
Documentation
There are some doc updates. The rest will be completed separately.
Additional Comments
These changes will especially be helpful for OpenShift deployments.
Checklist
Before you submit this PR, please make sure:
especially the test policy.
under the project's license.
By submitting this pull request, you confirm that my contribution is made under
the terms of the project's license and that you have the authority to grant
these rights.
Thank you for your contribution to VMware Secrets Manager
🐢⚡️!