Agentless POC #1
Conversation
MarcosDY
force-pushed
the
agentless_proposal
branch
from
50c3c44 to
9812673
Compare
…that allows agent to Put SVIDs into new platform, Implemented SVID Store - aws_secretsmanager plugin that put any update into an SVID to a Secret in AWS Secrets manager Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
MarcosDY
force-pushed
the
agentless_proposal
branch
from
9812673 to
b6b52bb
Compare
* Some fixes around selectors naming * Support storing in multiple AWS regions Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
… inside gcloud secrets manager Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
|
|
||
| for { | ||
| select { | ||
| case update := <-p.c.PipeOut.GetUpdate(): |
There was a problem hiding this comment.
for the PR we'll want some metrics around this operation
|
|
||
| log = log.WithField("plugin_name", pluginName) | ||
|
|
||
| svidStore, ok := svidStores[pluginName] |
There was a problem hiding this comment.
was it also considered to have each SVID Store plugin have its own distinct Pipe, and giving agent a mapping to push SVIDs to the correct pipe? Then we'd have multiple Store instances running, 1 for each configured Store, and we may not have to pass along the catalog or access it as much.
I'm not sure yet if there are major benefits or cons to either approach, just bringing it up as an option.
There was a problem hiding this comment.
It was something I was thinking on too, but I didnt apply something like that, just because we need things to define, for example,
is it possible to have multiples SVID Stores per agent? I dont know if we may restrict an SVID Store per agent (the same way we restrict attestor).
But I think if that we allow multiple, it is a great idea to have them separated, and we may filter "storable" SVIDs in cache. instead of actual approach of filter them on store service.
|
|
||
| hasStores := len(cat.GetSVIDStores()) > 0 | ||
| if hasStores { | ||
| pipeIn, pipeOut = pipe.BufferedPipe(1000) |
There was a problem hiding this comment.
should buffer size be an agent config? I could see operators having a wide range of typical count of secret store SVIDs they would anticipate handling. Some may be doing SVID Store pushes all day and want channels to be blocked as infrequently as possible, others (as a lesser concern given SVID size) may have very few cases and so not need the additional memory allocation.
Add an agentless POC using SPIRE-agent to push svids