Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove SPIRE config file requirement #129

Closed
maia-iyer opened this issue Mar 1, 2023 · 5 comments · Fixed by #266
Closed

Remove SPIRE config file requirement #129

maia-iyer opened this issue Mar 1, 2023 · 5 comments · Fixed by #266
Assignees
@maia-iyer
Labels
backend Tornjak API (Backend) blocked This issue is blocked on another issue bug Something isn't working good first issue Good for newcomers
Milestone
1.3.x

Comments

@maia-iyer
Copy link
Collaborator

Because we have split SPIRE from Tornjak container, potentially would be good to remove this requirement. Depends on #119
@maia-iyer maia-iyer added the good first issue Good for newcomers label Mar 1, 2023
@mrsabath
Copy link
Collaborator

mrsabath commented Mar 6, 2023

Currently, removing SPIRE config creates a following error:

kubectl -n tornjak logs spire-server-0 -c tornjak
-t /run/spire/tornjak-config/server.conf
/run/spire/tornjak-config/server.conf
-c SPIRE_CONFIG must be provided

@mrsabath
Copy link
Collaborator

The best solution would be to get the config directly from SPIRE via SPIRE APIs, but there are no such today.
SPIRE config is typically passed to SPIRE server container as a ConfigMap. When possible we should just be able to connect to this ConfigMap via VolumeMount on the backend container. We should remove the required file though, so when it's not available we just return an appropriate message, when access to config requested via Tornjak API.

@mrsabath mrsabath added bug Something isn't working backend Tornjak API (Backend) labels Apr 11, 2023
@mrsabath mrsabath added this to the 1.1.x milestone Apr 11, 2023
@maia-iyer
Copy link
Collaborator Author

I agree with removing the requirement for the file, though the VolumeMount even doesn't quite return the correct ConfigMap because there's the option of the SPIRE executable parsing from container environment variables, which the Tornjak sidecar does not share.

The original goal of serverinfo was to provide easy test end-to-end from Tornjak backend to SPIRE server.

#161 is a new PR implementing two new APIs; healthcheck and debugserver, which both are easy tests of the end-to-end working. In particular, maybe debugserver returns nice amount of SPIRE server information. Example:

{
    "svid_chain": [
        {
            "id": {
                "trust_domain": "example.org",
                "path": "/spire/server"
            },
            "expires_at": 111,
            "subject": "O=SPIRE,C=US,2.5.4.45=#12321"
        },
        {
            "id": {
                "trust_domain": "example.org"
            },
            "expires_at": 222
            "subject": "O=SPIFFE,C=US"
        }
    ],
    "uptime": 333,
    "federated_bundles_count": 1
}

Perhaps we could replace serverinfo implementation with a single call to debugserver.

The main caveat is that in the frontend, the Tornjak ServerInfo tab relies on serverinfo command if I am not mistaken because it parses the config plugins (@mamy-CS please confirm?). I think what's there looks nice, but if we remove the requirement of passing the config file, what should be displayed in this ServerInfo tab?

@maia-iyer maia-iyer self-assigned this Apr 20, 2023
@mrsabath
Copy link
Collaborator

I think that serverinfo API should return SPIRE Server Information. If the information is not available, e.g. no ConfigMap volume defined, this API call should return an appropriate info. I am OK with returning the content of the debugserver as a debugserver Tornjak API, but we should not change the content of the call. If we always guarantee to return some meaningful value for the debugserver call, we can switch to use this call as a default test for Frontend to validate SPIRE APIs. Same with the healthcheck call

@maia-iyer
Copy link
Collaborator Author

Offline conversation with @mamy-CS - we decided to stick with the serverinfo call as specifically not calling the spire-server and instead return information about SPIRE config if available (and if not, returning some kind of message about that). As debugServer and healthcheck are separate calls, we didn't want to make the APIs too confusing by adding redundant commands for this information

@mrsabath mrsabath modified the milestones: 1.1.x, 1.2.x Apr 25, 2023
@maia-iyer maia-iyer added the blocked This issue is blocked on another issue label Apr 26, 2023
@mrsabath mrsabath removed this from the 1.2.x milestone May 12, 2023
@maia-iyer maia-iyer mentioned this issue May 13, 2023
Closed
@mamy-CS mamy-CS added this to the 1.3.x milestone Jun 13, 2023
@maia-iyer maia-iyer mentioned this issue Jun 14, 2023
Merged
mamy-CS pushed a commit that referenced this issue Jun 14, 2023
@maia-iyer
Remove spire config requirement from backend #129 (#266)
07514aa 
* Remove serverinfo requirement

Signed-off-by: Maia Iyer <maia.raj.iyer@gmail.com>

* Made clearer comments

Signed-off-by: Maia Iyer <maia.raj.iyer@gmail.com>

* Added documentation

Signed-off-by: Maia Iyer <maia.raj.iyer@gmail.com>

---------

Signed-off-by: Maia Iyer <maia.raj.iyer@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maia-iyer maia-iyer

Labels
backend Tornjak API (Backend) blocked This issue is blocked on another issue bug Something isn't working good first issue Good for newcomers
Projects
None yet
Milestone
1.3.x
Development

Successfully merging a pull request may close this issue.

Remove spire config requirement from backend #129 spiffe/tornjak
3 participants
@mrsabath @maia-iyer @mamy-CS