-
Notifications
You must be signed in to change notification settings - Fork 472
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Include hint field in agent's workload api #3993
Include hint field in agent's workload api #3993
Conversation
go.mod
Outdated
@@ -2,6 +2,8 @@ module github.com/spiffe/spire | |||
|
|||
go 1.19 | |||
|
|||
replace github.com/spiffe/go-spiffe/v2 => github.com/guilhermocc/go-spiffe/v2 v2.0.0-20230308163427-b2b17d68664c |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The commit that inserted this temporary dependency should be dropped after https://github.com/spiffe/go-spiffe/pull/220/files gets merged
cmd/spire-agent/cli/api/printer.go
Outdated
@@ -31,6 +31,9 @@ func printX509SVID(env *commoncli.Env, svid *X509SVID) { | |||
// Print SPIFFE ID first so if we run into a problem, we | |||
// get to know which record it was | |||
env.Printf("SPIFFE ID:\t\t%s\n", svid.SPIFFEID) | |||
if svid.Hint != "" { | |||
env.Printf("HINT:\t\t\t%s\n", svid.Hint) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't it be printed a "Hint", as it's not an acronym?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought we were using only uppercase here for all fields printed, but just saw that's not the case, you are right, going to update it!
pkg/agent/manager/cache/lru_cache.go
Outdated
|
||
for hint, recordsWithSameHint := range hintsMap { | ||
// If there is more than one entry with the same hint, remove all but the oldest one to ensure hint uniqueness | ||
if len(recordsWithSameHint) > 1 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this be rewritten as in the other cache method?
if len(recordsWithSameHint) <= 1 {
continue
}
4e98217
to
25cab4a
Compare
@@ -93,6 +93,9 @@ func printPrettyResult(env *commoncli.Env, results ...interface{}) error { | |||
|
|||
for _, svid := range svidResp.Svids { | |||
env.Printf("token(%s):\n\t%s\n", svid.SpiffeId, svid.Svid) | |||
if svid.Hint != "" { | |||
env.Printf("hint(%s):\n\t%s\n", svid.SpiffeId, svid.Hint) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
mmm looks like spiffeID here is redundant, since you already printed spiffeID with token
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We also include the spiffe ID in the printed bundle (on line 101), I tried to maintain the same logic here for hint, what do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I cant think in another good ouput... so keeping the duplicated SPIFFEID may be good
@@ -31,6 +31,9 @@ func printX509SVID(env *commoncli.Env, svid *X509SVID) { | |||
// Print SPIFFE ID first so if we run into a problem, we | |||
// get to know which record it was | |||
env.Printf("SPIFFE ID:\t\t%s\n", svid.SPIFFEID) | |||
if svid.Hint != "" { | |||
env.Printf("Hint:\t\t\t%s\n", svid.Hint) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks like it has 3 tabs, but spiffeID has only 2, do you want to add some hierarchy level?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for _, entry := range entries { | ||
if req.SpiffeId != "" && entry.SpiffeId != req.SpiffeId { | ||
continue | ||
} | ||
loopLog := log.WithField(telemetry.SPIFFEID, entry.SpiffeId) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
NIT: since loopLog is used only on h.fetchJWTSVID may we remove the break line? and couple both lines?
@@ -395,6 +400,7 @@ func composeX509SVIDResponse(update *cache.WorkloadUpdate) (*workload.X509SVIDRe | |||
X509Svid: x509util.DERFromCertificates(identity.SVID), | |||
X509SvidKey: keyData, | |||
Bundle: bundle, | |||
Hint: identity.Entry.Hint, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a warranty that entry is not nil?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe so, as you can see on line 391, we are already taking the SPIFFE ID from the entry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
var tokenIDs []spiffeid.ID | ||
for _, svid := range resp.Svids { | ||
parsedSVID, err := jwtsvid.ParseInsecure(svid.Svid, tt.audience) | ||
assert.Len(t, resp.Svids, len(tt.expectedResp)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why not to create a list of responses and do a equal between expected and response list? with that we can no longer validate length and get a single error message
pkg/agent/manager/cache/cache.go
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since we are adding hint, how it will affect to SVID Store? may we add hint to persisted SVIDs too?
pkg/agent/manager/cache/cache.go
Outdated
return records, recordsDone | ||
} | ||
|
||
func (c *Cache) removeEntriesWithNonUniqueHint(records recordSet) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this worry me, so we are stop propagating Identities, just because a field is set, with the same value than another entry on response,
we MUST add documentation so users can understand than that is possible it to happens, and can result in some confusion
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and is it something we must do at cache level? it sounds to me like this must be done on workload api instead
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed in the last contributor sync, we decided to move this filter to the workload API layer
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Based on comments from @MarcosDY and discussion in today's contributor sync, this will have potentially unwanted consequences on the SDS APIs and SVID store functionality. Removing my +1 until the filtering added in the Agent cache layer is moved to the Workload API handlers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removing my approval based on discussion in today's contributor sync.
25cab4a
to
970a948
Compare
go.mod
Outdated
@@ -2,6 +2,8 @@ module github.com/spiffe/spire | |||
|
|||
go 1.19 | |||
|
|||
replace github.com/spiffe/go-spiffe/v2 => github.com/guilhermocc/go-spiffe/v2 v2.0.0-20230327182353-926e51ab6802 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The required change has been merged and released in version v2.1.4. Please update accordingly!
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
dc7741f
to
38b2cc2
Compare
Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your patience on this one @guilhermocc! Really appreciate the good work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚀
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com> Signed-off-by: Basavaraju-G <basavaraju013@gmail.com>
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com> Signed-off-by: Dmitry Gorochovsky <d.goro@yahoo.com>
Pull Request check list
Affected functionality
fetch jwt
andfetch x509
commandsFetchJWTSVID
andFetchX509SVID
methodsDescription of change
Include hint field in agent's workload api responses, update cache methods for ensuring hint uniqueness amongst the fetched svids.
Which issue this PR fixes
ongoing work for #2588
Dependencies
This PR depends on spiffe/go-spiffe#220, please review it before this PR