Codecov Report

@@            Coverage Diff             @@
##             main    #2641      +/-   ##
==========================================
- Coverage   67.63%   67.56%   -0.08%
==========================================
  Files         332      332
  Lines       15125    15143      +18
==========================================
+ Hits        10230    10231       +1
- Misses       4895     4912      +17

... and 1 file with indirect coverage changes.
linkerd/app/src/env.rs

```rust
            Some(socket) => identity::Config::Spire {
                tls,
                client: spire::Config {
                    socket_addr: std::sync::Arc::new(socket),
                    backoff: parse_backoff(strings, IDENTITY_SPIRE_BASE, DEFAULT_SPIRE_BACKOFF)?,
                },
            },
```
I think in this case we want to validate that the local_id is a valid SPIFFE id.
I have added the check for the SPIFFE scheme for now. Is that enough for the time being?
I also wonder: should we make `ID::Uri` SPIFFE-specific and follow the requirements outlined in the SPIFFE RFC (like we do with the DNS name), or should we keep it as a URI type?
On one hand, it would be useful to have a static assertion that the value has been validated; on the other hand, we want to use these types for values read from peers, and I don't think anything about Linkerd's TLS system actually cares about SPIFFE.
So for now, I think it's sufficient to handle this where we have both the context of (1) the configured local ID and (2) how we're going to provision credentials, i.e. "when SPIRE is enabled, validate that the configured ID is a SPIFFE ID."
Force-pushed from 8012131 to 3278a27.
Signed-off-by: Zahari Dichev <[email protected]>
Force-pushed from 1a383c5 to be89206.
* proxy: v2.220.0

  * build(deps): bump itertools from 0.10.5 to 0.11.0 (linkerd/linkerd2-proxy#2594)
  * build(deps): bump async-trait from 0.1.68 to 0.1.75 (linkerd/linkerd2-proxy#2595)
  * pool: Decompose the pool and balancer crates (linkerd/linkerd2-proxy#2597)
  * balance: Move endpoint state gauge into balancer (linkerd/linkerd2-proxy#2598)
  * cargo: Remove cyclic meshtls dependency (linkerd/linkerd2-proxy#2602)
  * build(deps): bump mime from 0.3.16 to 0.3.17 (linkerd/linkerd2-proxy#2599)
  * build(deps): bump parking_lot_core from 0.9.5 to 0.9.9 (linkerd/linkerd2-proxy#2600)
  * build(deps): bump prost-build from 0.12.1 to 0.12.3 (linkerd/linkerd2-proxy#2601)
  * outbound: Update route backend metrics implementation (linkerd/linkerd2-proxy#2603)
  * deps: Update to indexmap v2 (linkerd/linkerd2-proxy#2604)
  * build(deps): bump actions/download-artifact from 3.0.2 to 4.1.0 (linkerd/linkerd2-proxy#2569)
  * deps: h2 v0.3.22 (linkerd/linkerd2-proxy#2605)
  * tracing: Ensure that INFO-level spans are preserved (linkerd/linkerd2-proxy#2611)
  * build(deps): bump serde from 1.0.185 to 1.0.193 (linkerd/linkerd2-proxy#2606)
  * build(deps): bump tokio-boring from 3.0.4 to 3.1.0 (linkerd/linkerd2-proxy#2607)
  * build(deps): bump deranged from 0.3.10 to 0.3.11 (linkerd/linkerd2-proxy#2608)
  * build(deps): bump axum from 0.6.11 to 0.6.20 (linkerd/linkerd2-proxy#2609)
  * build(deps): bump proc-macro2 from 1.0.69 to 1.0.74 (linkerd/linkerd2-proxy#2610)
  * build(deps): bump ahash from 0.8.6 to 0.8.7 (linkerd/linkerd2-proxy#2612)
  * build(deps): bump cc from 1.0.79 to 1.0.83 (linkerd/linkerd2-proxy#2613)
  * build(deps): bump scopeguard from 1.1.0 to 1.2.0 (linkerd/linkerd2-proxy#2614)
  * build(deps): bump io-lifetimes from 1.0.10 to 1.0.11 (linkerd/linkerd2-proxy#2616)
  * build(deps): bump pem from 3.0.2 to 3.0.3 (linkerd/linkerd2-proxy#2615)
  * build(deps): bump anyhow from 1.0.76 to 1.0.79 (linkerd/linkerd2-proxy#2619)
  * build(deps): bump socket2 from 0.4.9 to 0.5.5 (linkerd/linkerd2-proxy#2622)
  * build(deps): bump libfuzzer-sys from 0.4.6 to 0.4.7 (linkerd/linkerd2-proxy#2620)
  * build(deps): bump tempfile from 3.5.0 to 3.6.0 (linkerd/linkerd2-proxy#2621)
  * build(deps): bump ryu from 1.0.13 to 1.0.16 (linkerd/linkerd2-proxy#2623)
  * identity: Update metrics to follow OpenMetrics best practices (linkerd/linkerd2-proxy#2617)
  * build(deps): bump tokio from 1.34.0 to 1.35.1 (linkerd/linkerd2-proxy#2627)
  * build(deps): bump tracing from 0.1.37 to 0.1.40 (linkerd/linkerd2-proxy#2628)
  * build(deps): bump slab from 0.4.8 to 0.4.9 (linkerd/linkerd2-proxy#2629)
  * build(deps): bump unicode-bidi from 0.3.11 to 0.3.14 (linkerd/linkerd2-proxy#2630)
  * build(deps): bump tokio-stream from 0.1.12 to 0.1.14 (linkerd/linkerd2-proxy#2632)
  * build(deps): bump boring-sys from 3.0.4 to 3.1.0 (linkerd/linkerd2-proxy#2633)
  * build(deps): bump rcgen from 0.11.3 to 0.12.0 (linkerd/linkerd2-proxy#2635)
  * build(deps): bump trust-dns-resolver from 0.22.0 to 0.23.2 (linkerd/linkerd2-proxy#2631)
  * build(deps): bump memchr from 2.6.4 to 2.7.1 (linkerd/linkerd2-proxy#2637)
  * build(deps): bump pin-project from 1.0.12 to 1.1.3 (linkerd/linkerd2-proxy#2638)
  * build(deps): bump futures from 0.3.28 to 0.3.30 (linkerd/linkerd2-proxy#2639)
  * build(deps): bump rangemap from 1.3.0 to 1.4.0 (linkerd/linkerd2-proxy#2640)
  * build(deps): bump actions/download-artifact from 4.1.0 to 4.1.1 (linkerd/linkerd2-proxy#2636)
  * build(deps): bump thingbuf from 0.1.3 to 0.1.4 (linkerd/linkerd2-proxy#2642)
  * build(deps): bump rustix from 0.36.16 to 0.36.17 (linkerd/linkerd2-proxy#2643)
  * build(deps): bump httpdate from 1.0.2 to 1.0.3 (linkerd/linkerd2-proxy#2645)
  * build(deps): bump num_cpus from 1.15.0 to 1.16.0 (linkerd/linkerd2-proxy#2646)
  * Change inbound port check log level to debug. (linkerd/linkerd2-proxy#2625)
  * docs: Fix bad reference link (linkerd/linkerd2-proxy#2647)
  * identity: add spire identity client (linkerd/linkerd2-proxy#2580)
  * config: add spire client config (linkerd/linkerd2-proxy#2641)
  * discovery: consume server_name and UriLikeIdentity from proto (linkerd/linkerd2-proxy#2618)
  * build(deps): bump h2 from 0.3.22 to 0.3.24 (linkerd/linkerd2-proxy#2660)
  * build(deps): bump procfs from 0.15.1 to 0.16.0 (linkerd/linkerd2-proxy#2649)
  * build(deps): bump async-trait from 0.1.75 to 0.1.77 (linkerd/linkerd2-proxy#2650)
  * build(deps): bump semver from 1.0.20 to 1.0.21 (linkerd/linkerd2-proxy#2651)
  * build(deps): bump smallvec from 1.10.0 to 1.13.1 (linkerd/linkerd2-proxy#2661)
  * build(deps): bump either from 1.8.1 to 1.9.0 (linkerd/linkerd2-proxy#2652)
  * build(deps): bump actions/upload-artifact from 4.0.0 to 4.2.0 (linkerd/linkerd2-proxy#2658)
  * build(deps): bump shlex from 1.1.0 to 1.3.0 (linkerd/linkerd2-proxy#2664)
  * build(deps): bump DavidAnson/markdownlint-cli2-action (linkerd/linkerd2-proxy#2656)
  * build(deps): bump EmbarkStudios/cargo-deny-action from 1.5.5 to 1.5.10 (linkerd/linkerd2-proxy#2665)
  * build(deps): bump serde from 1.0.193 to 1.0.195 (linkerd/linkerd2-proxy#2670)
  * build(deps): bump clang-sys from 1.6.0 to 1.7.0 (linkerd/linkerd2-proxy#2668)
  * build(deps): bump zerocopy from 0.7.31 to 0.7.32 (linkerd/linkerd2-proxy#2666)
  * build(deps): bump unicode-ident from 1.0.6 to 1.0.12 (linkerd/linkerd2-proxy#2667)
  * build(deps): bump actions/upload-artifact from 4.2.0 to 4.3.0 (linkerd/linkerd2-proxy#2671)
  * build(deps): bump prettyplease from 0.2.15 to 0.2.16 (linkerd/linkerd2-proxy#2673)
  * build(deps): bump getrandom from 0.2.8 to 0.2.12 (linkerd/linkerd2-proxy#2674)
  * build(deps): bump which from 4.4.0 to 4.4.2 (linkerd/linkerd2-proxy#2675)
  * build(deps): bump sharded-slab from 0.1.4 to 0.1.7 (linkerd/linkerd2-proxy#2676)
  * build(deps): bump EmbarkStudios/cargo-deny-action from 1.5.10 to 1.5.11 (linkerd/linkerd2-proxy#2672)
  * build(deps): bump tj-actions/changed-files from 41.0.1 to 42.0.0 (linkerd/linkerd2-proxy#2657)

  Signed-off-by: Oliver Gould <[email protected]>

* Bump helm version
* +changes
* Update CHANGES.md

  Co-authored-by: Alejandro Pedraza <[email protected]>

---------

Signed-off-by: Oliver Gould <[email protected]>
Co-authored-by: Alejandro Pedraza <[email protected]>
This change allows the proxy to be configured to use SPIRE as its credentials provider. There are three additional ENV vars introduced:

- `LINKERD2_PROXY_IDENTITY_SERVER_ID` - Configures the TLS Id of the proxy inbound server.
- `LINKERD2_PROXY_IDENTITY_SERVER_NAME` - Configures the server name of this proxy.
- `ENV_IDENTITY_SPIRE_SOCKET` - If this config is set, then the proxy will use Spire as the identity provider.

For backward compatibility reasons, if `ENV_IDENTITY_IDENTITY_LOCAL_NAME` is set, both tls id and server_name will be sourced from its value. If however it is not set, both `LINKERD2_PROXY_IDENTITY_SERVER_ID` and `LINKERD2_PROXY_IDENTITY_SERVER_NAME` are required.

Signed-off-by: Zahari Dichev [email protected]
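As an added example (not code from this PR or from the linkerd2-proxy codebase), the two rules discussed on this page written as stand-alone Rust: the precedence the description gives (a configured local name supplies both the TLS id and the server name, otherwise server id and server name are each required) and the rule the reviewer settles on in the thread above (only when SPIRE will provision credentials, require the configured id to be a SPIFFE ID). `is_valid_spiffe_id` goes beyond the scheme-only check the author mentions and applies the trust-domain and path rules of the SPIFFE ID standard. The function names, the `IdentityConfig` and `ConfigError` types, and the sample values in `main` (including the socket path) are assumptions; the proxy itself reads these values from the environment variables named above.

```rust
/// Resolved identity settings, following the precedence in the PR description.
#[derive(Debug, PartialEq)]
pub struct IdentityConfig {
    pub server_id: String,
    pub server_name: String,
    pub spire_socket: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    MissingServerId,
    MissingServerName,
    /// SPIRE was enabled but the configured id is not a SPIFFE ID.
    NotSpiffe(String),
}

/// Returns true when `id` is a well-formed SPIFFE ID, `spiffe://<trust-domain>[/<path>]`,
/// per the SPIFFE ID standard: the trust domain is non-empty, at most 255 bytes and
/// limited to [a-z0-9._-]; every path segment is non-empty, not "." or "..", and
/// limited to [a-zA-Z0-9._-]. Userinfo, ports, query strings, fragments and a
/// trailing slash all fail these checks, so they need no separate handling.
pub fn is_valid_spiffe_id(id: &str) -> bool {
    const MAX_LEN: usize = 2048;
    const MAX_TRUST_DOMAIN_LEN: usize = 255;
    if id.len() > MAX_LEN {
        return false;
    }
    let rest = match id.strip_prefix("spiffe://") {
        Some(r) => r,
        None => return false,
    };
    // Split at the first '/', keeping track of whether a path was present at all:
    // "spiffe://td" is valid, "spiffe://td/" is not.
    let (trust_domain, path) = match rest.find('/') {
        Some(i) => (&rest[..i], Some(&rest[i + 1..])),
        None => (rest, None),
    };
    if trust_domain.is_empty() || trust_domain.len() > MAX_TRUST_DOMAIN_LEN {
        return false;
    }
    let td_ok = trust_domain
        .bytes()
        .all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || matches!(b, b'.' | b'-' | b'_'));
    if !td_ok {
        return false;
    }
    match path {
        None => true,
        Some(p) => p.split('/').all(|seg| {
            !seg.is_empty()
                && seg != "."
                && seg != ".."
                && seg
                    .bytes()
                    .all(|b| b.is_ascii_alphanumeric() || matches!(b, b'.' | b'-' | b'_'))
        }),
    }
}

/// Resolve the identity configuration from the (already read) variable values.
/// `local_name` corresponds to the legacy local-name variable; when set it wins.
pub fn resolve_identity(
    local_name: Option<&str>,
    server_id: Option<&str>,
    server_name: Option<&str>,
    spire_socket: Option<&str>,
) -> Result<IdentityConfig, ConfigError> {
    // Backward compatibility: a configured local name supplies both values.
    let (server_id, server_name) = match local_name {
        Some(name) => (name.to_string(), name.to_string()),
        None => (
            server_id.ok_or(ConfigError::MissingServerId)?.to_string(),
            server_name.ok_or(ConfigError::MissingServerName)?.to_string(),
        ),
    };
    // Only here do we know both the configured id and how credentials will be
    // provisioned, so this is where the SPIFFE check belongs.
    if spire_socket.is_some() && !is_valid_spiffe_id(&server_id) {
        return Err(ConfigError::NotSpiffe(server_id));
    }
    Ok(IdentityConfig {
        server_id,
        server_name,
        spire_socket: spire_socket.map(str::to_string),
    })
}

fn main() {
    // Constructed sample values, not taken from the PR; the socket path is a placeholder.
    let result = resolve_identity(
        None,
        Some("spiffe://example.org/ns/default/sa/web"),
        Some("web.default.serviceaccount.identity.linkerd.cluster.local"),
        Some("/run/spire/sockets/agent.sock"),
    );
    match result {
        Ok(cfg) => println!("identity config: {cfg:?}"),
        Err(e) => eprintln!("invalid identity config: {e:?}"),
    }
}
```

The check is deliberately placed in `resolve_identity` rather than in the id type itself, mirroring the reviewer's reasoning: the same URI-like id type is also used for values read from peers, where nothing in the TLS layer depends on SPIFFE semantics.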