envoy icon indicating copy to clipboard operation
envoy copied to clipboard

Published 20 hours ago verified publisher icon envoyproxy

spiffe: add support for spiffe bundle format

Open briansonnenberg opened this issue 1 year ago • 6 comments

Commit Message: Adds alternative to "trust_domains" config for the spiffe validator—"trust_bundle_map".

Additional Description:

#35567 trust_bundle_map points to a local file containing a SPIFFE bundle map. A file watcher is set up to trigger refreshes to the SPIFFE data when this file is modified. SPIFFE refresh hint and sequence number are currently ignored.

Risk Level: medium Testing: WIP Docs Changes: TBD Release Notes: TBD

briansonnenberg avatar Sep 18 '24 07:09 briansonnenberg

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/). envoyproxy/api-shepherds assignee is @markdroth CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

:cat:

Caused by: https://github.com/envoyproxy/envoy/pull/36190 was opened by briansonnenberg.

see: more, trace.

repokitteh-read-only[bot] avatar Sep 18 '24 07:09 repokitteh-read-only[bot]

/wait

jmarantz avatar Sep 23 '24 13:09 jmarantz

/lgtm api

markdroth avatar Sep 27 '24 20:09 markdroth

Please merge main. /wait

kyessenov avatar Oct 01 '24 18:10 kyessenov

/wait on CI

alyssawilk avatar Oct 08 '24 13:10 alyssawilk

Please also check the CI :)

wbpcode avatar Oct 17 '24 07:10 wbpcode

And I just find another problem, seems the SPIFFE bundle map is still a Draft.

Is this OK to accept this implementation? cc @alyssawilk

wbpcode avatar Nov 07 '24 08:11 wbpcode

/wait

wbpcode avatar Nov 07 '24 08:11 wbpcode

/lgtm api

markdroth avatar Nov 08 '24 18:11 markdroth

/wait ci

wbpcode avatar Nov 13 '24 12:11 wbpcode

@briansonnenberg please fix DCO and format https://github.com/envoyproxy/envoy/actions/runs/11732634738/job/32685328220#step:13:527 errors

/wait

yanavlasov avatar Nov 13 '24 21:11 yanavlasov

Looks like CI is failing? https://github.com/envoyproxy/envoy/actions/runs/11979451058/job/33401707343

RyanTheOptimist avatar Nov 27 '24 22:11 RyanTheOptimist

/wait

RyanTheOptimist avatar Nov 27 '24 22:11 RyanTheOptimist

@wbpcode @alyssawilk @markdroth

Finally have the CI passing. 😅

Would you folks mind taking another look?

briansonnenberg avatar Dec 12 '24 20:12 briansonnenberg

I'm still not thrilled that we're doing this instead of implementing the certificate provider framework, but at least this doesn't preclude us from doing that later.

/lgtm api

markdroth avatar Dec 13 '24 01:12 markdroth

@wbpcode seems that latest comments were addressed, PTAL.

adisuissa avatar Dec 17 '24 14:12 adisuissa

Will take a look before tomorrow night.

wbpcode avatar Dec 18 '24 15:12 wbpcode

/wait

wbpcode avatar Jan 06 '25 02:01 wbpcode

cc @tyxia could you take another look when you have some free time?

wbpcode avatar Jan 08 '25 12:01 wbpcode

If @tyxia no explict comments, I think we can merge this after the CI and nit comments are addressed. Thanks for all your time and investment. 🌹

wbpcode avatar Jan 08 '25 12:01 wbpcode

/retest

briansonnenberg avatar Jan 09 '25 21:01 briansonnenberg

Looks like it's failing for some unrelated quic test coverage issue.

briansonnenberg avatar Jan 09 '25 23:01 briansonnenberg

/retest

wbpcode avatar Jan 14 '25 02:01 wbpcode

need a main merge, then we can merge this.

wbpcode avatar Jan 16 '25 06:01 wbpcode

/retest

wbpcode avatar Jan 17 '25 01:01 wbpcode