Include hint field in agent's workload api #3993
Conversation
guilhermocc
requested review from
evan2645,
amartinezfayo,
azdagron,
MarcosDY and
rturner3
as code owners
go.mod
Outdated
| @@ -2,6 +2,8 @@ module github.com/spiffe/spire | |||
|
|
|||
| go 1.19 | |||
|
|
|||
| replace github.com/spiffe/go-spiffe/v2 => github.com/guilhermocc/go-spiffe/v2 v2.0.0-20230308163427-b2b17d68664c | |||
There was a problem hiding this comment.
The commit that inserted this temporary dependency should be dropped after https://github.com/spiffe/go-spiffe/pull/220/files gets merged
cmd/spire-agent/cli/api/printer.go
Outdated
| @@ -31,6 +31,9 @@ func printX509SVID(env *commoncli.Env, svid *X509SVID) { | |||
| // Print SPIFFE ID first so if we run into a problem, we | |||
| // get to know which record it was | |||
| env.Printf("SPIFFE ID:\t\t%s\n", svid.SPIFFEID) | |||
| if svid.Hint != "" { | |||
| env.Printf("HINT:\t\t\t%s\n", svid.Hint) | |||
There was a problem hiding this comment.
Shouldn't it be printed a "Hint", as it's not an acronym?
There was a problem hiding this comment.
I thought we were using only uppercase here for all fields printed, but just saw that's not the case, you are right, going to update it!
pkg/agent/manager/cache/lru_cache.go
Outdated
|
|
||
| for hint, recordsWithSameHint := range hintsMap { | ||
| // If there is more than one entry with the same hint, remove all but the oldest one to ensure hint uniqueness | ||
| if len(recordsWithSameHint) > 1 { |
There was a problem hiding this comment.
Can this be rewritten as in the other cache method?
if len(recordsWithSameHint) <= 1 {
continue
}
4e98217
to
25cab4a
Compare
| @@ -93,6 +93,9 @@ func printPrettyResult(env *commoncli.Env, results ...interface{}) error { | |||
|
|
|||
| for _, svid := range svidResp.Svids { | |||
| env.Printf("token(%s):\n\t%s\n", svid.SpiffeId, svid.Svid) | |||
| if svid.Hint != "" { | |||
| env.Printf("hint(%s):\n\t%s\n", svid.SpiffeId, svid.Hint) | |||
There was a problem hiding this comment.
mmm looks like spiffeID here is redundant, since you already printed spiffeID with token
There was a problem hiding this comment.
We also include the spiffe ID in the printed bundle (on line 101), I tried to maintain the same logic here for hint, what do you think?
There was a problem hiding this comment.
I cant think in another good ouput... so keeping the duplicated SPIFFEID may be good
| @@ -31,6 +31,9 @@ func printX509SVID(env *commoncli.Env, svid *X509SVID) { | |||
| // Print SPIFFE ID first so if we run into a problem, we | |||
| // get to know which record it was | |||
| env.Printf("SPIFFE ID:\t\t%s\n", svid.SPIFFEID) | |||
| if svid.Hint != "" { | |||
| env.Printf("Hint:\t\t\t%s\n", svid.Hint) | |||
There was a problem hiding this comment.
looks like it has 3 tabs, but spiffeID has only 2, do you want to add some hierarchy level?
There was a problem hiding this comment.
Just for maintaining the output aligned
Two tabs
Three tabs
| for _, entry := range entries { | ||
| if req.SpiffeId != "" && entry.SpiffeId != req.SpiffeId { | ||
| continue | ||
| } | ||
| loopLog := log.WithField(telemetry.SPIFFEID, entry.SpiffeId) |
There was a problem hiding this comment.
NIT: since loopLog is used only on h.fetchJWTSVID may we remove the break line? and couple both lines?
| @@ -395,6 +400,7 @@ func composeX509SVIDResponse(update *cache.WorkloadUpdate) (*workload.X509SVIDRe | |||
| X509Svid: x509util.DERFromCertificates(identity.SVID), | |||
| X509SvidKey: keyData, | |||
| Bundle: bundle, | |||
| Hint: identity.Entry.Hint, | |||
There was a problem hiding this comment.
is there a warranty that entry is not nil?
There was a problem hiding this comment.
I believe so, as you can see on line 391, we are already taking the SPIFFE ID from the entry.
| var tokenIDs []spiffeid.ID | ||
| for _, svid := range resp.Svids { | ||
| parsedSVID, err := jwtsvid.ParseInsecure(svid.Svid, tt.audience) | ||
| assert.Len(t, resp.Svids, len(tt.expectedResp)) |
There was a problem hiding this comment.
why not to create a list of responses and do a equal between expected and response list? with that we can no longer validate length and get a single error message
pkg/agent/manager/cache/cache.go
Outdated
There was a problem hiding this comment.
since we are adding hint, how it will affect to SVID Store? may we add hint to persisted SVIDs too?
pkg/agent/manager/cache/cache.go
Outdated
| return records, recordsDone | ||
| } | ||
|
|
||
| func (c *Cache) removeEntriesWithNonUniqueHint(records recordSet) { |
There was a problem hiding this comment.
this worry me, so we are stop propagating Identities, just because a field is set, with the same value than another entry on response,
we MUST add documentation so users can understand than that is possible it to happens, and can result in some confusion
There was a problem hiding this comment.
and is it something we must do at cache level? it sounds to me like this must be done on workload api instead
There was a problem hiding this comment.
As discussed in the last contributor sync, we decided to move this filter to the workload API layer
There was a problem hiding this comment.
Based on comments from @MarcosDY and discussion in today's contributor sync, this will have potentially unwanted consequences on the SDS APIs and SVID store functionality. Removing my +1 until the filtering added in the Agent cache layer is moved to the Workload API handlers.
guilhermocc
force-pushed
the
include-hint-field-workload-api
branch
from
25cab4a
to
970a948
Compare
guilhermocc
requested review from
rturner3 and
MarcosDY
and removed request for
rturner3
go.mod
Outdated
| @@ -2,6 +2,8 @@ module github.com/spiffe/spire | |||
|
|
|||
| go 1.19 | |||
|
|
|||
| replace github.com/spiffe/go-spiffe/v2 => github.com/guilhermocc/go-spiffe/v2 v2.0.0-20230327182353-926e51ab6802 | |||
There was a problem hiding this comment.
The required change has been merged and released in version v2.1.4. Please update accordingly!
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
guilhermocc
force-pushed
the
include-hint-field-workload-api
branch
from
dc7741f
to
38b2cc2
Compare
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
There was a problem hiding this comment.
Thank you for your patience on this one @guilhermocc! Really appreciate the good work.
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com> Signed-off-by: Basavaraju-G <basavaraju013@gmail.com>
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com> Signed-off-by: Dmitry Gorochovsky <d.goro@yahoo.com>
Pull Request check list
Affected functionality
fetch jwtandfetch x509commandsFetchJWTSVIDandFetchX509SVIDmethodsDescription of change
Include hint field in agent's workload api responses, update cache methods for ensuring hint uniqueness amongst the fetched svids.
Which issue this PR fixes
ongoing work for #2588
Dependencies
This PR depends on spiffe/go-spiffe#220, please review it before this PR