
feat(dp-token): allow validator to define keys not scoped to a mesh #8169

Merged
merged 4 commits into from
Oct 27, 2023

Conversation

nicoche
Contributor

@nicoche nicoche commented Oct 27, 2023

This permits dpServer.authn.dpPRoxy.dpToken.validator.publicKeys to omit the .mesh field. Keys without the .mesh field will be considered to verify the signature of dataplane tokens, no matter the mesh of the dataplane.

Checklist prior to review

  • Link to relevant issue https://kuma-mesh.slack.com/archives/CN2GN4HE1/p1698324155036599
  • This will not break child repos: it doesn't hardcode values (e.g. "kumahq" as an image registry) and it will work on Windows; system-specific functions like syscall.Mkfifo have an equivalent implementation on the other OS
  • Tests (Unit test, E2E tests, manual test on universal and k8s)
  • Do you need to update UPGRADE.md?
  • Does it need to be backported according to the backporting policy? (this GH action will add the "backport" label based on these file globs; if you want to prevent it from adding the "backport" label, use the no-backport-autolabel label)

This permits dpServer.authn.dpPRoxy.dpToken.validator.publicKeys to omit
the .mesh field. Keys without the .mesh field will be considered to
verify the signature of dataplane tokens, no matter the mesh of the
dataplane.

Signed-off-by: nicoche <78445450+nicoche@users.noreply.github.com>
@nicoche nicoche requested a review from a team as a code owner October 27, 2023 11:51
@nicoche nicoche requested review from michaelbeaumont and lukidzi and removed request for a team October 27, 2023 11:51
@nicoche nicoche changed the title feat(dp-token): allow keys not scoped to a mesh feat(dp-token): allow validator to define keys not scoped to a mesh Oct 27, 2023
@jakubdyszkiewicz
Contributor

Nice!

Could you also add E2E test for it?
We could improve test/e2e_env/universal/auth/offline_auth.go:13

  • generate another sample key here test/keys/README.md
  • add a new entry in cpConfig#dpServer.authn.dpProxy.validator.publicKeys in test
  • add another It( (or change to DescribeTable if you want) with the new key

This way we can validate this functionality and also check if we can combine meshed and not meshed keys.

Let me know if you need help
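The mesh-matching rule from the PR description, together with the meshed/not-meshed key combination jakubdyszkiewicz asks the E2E test to cover, as an added example that is not part of this PR or of Kuma's code: a validator accepts a token when any key scoped to the dataplane's mesh, or any key with no mesh scope, verifies its signature. The `ValidatorKey` type, `verify` and `scenario` are hypothetical names, and Ed25519 is used here as a stand-in for the real token signature check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ValidatorKey models one publicKeys entry. Mesh == "" stands for an entry
// that omits the .mesh field, i.e. a key that is not scoped to a mesh.
type ValidatorKey struct {
	Mesh string
	Key  ed25519.PublicKey
}

// verify reports whether a key eligible for the dataplane's mesh validates
// the token signature: keys scoped to that exact mesh, plus every key with
// no mesh scope. Ed25519 stands in for the real JWT signature check.
func verify(keys []ValidatorKey, mesh string, token, sig []byte) bool {
	for _, k := range keys {
		eligible := k.Mesh == "" || k.Mesh == mesh
		if eligible && ed25519.Verify(k.Key, token, sig) {
			return true
		}
	}
	return false
}

// scenario builds one scoped and one unscoped key and reports, in order:
// scoped key accepted for its own mesh, scoped key rejected for another
// mesh, unscoped key accepted for that other mesh.
func scenario() (ownMesh, otherMesh, unscoped bool) {
	scopedPub, scopedPriv, _ := ed25519.GenerateKey(rand.Reader)
	globalPub, globalPriv, _ := ed25519.GenerateKey(rand.Reader)
	keys := []ValidatorKey{
		{Mesh: "default", Key: scopedPub}, // scoped: valid for mesh "default" only
		{Key: globalPub},                  // no .mesh: valid for any mesh
	}
	token := []byte(`{"name":"backend","type":"dataplane"}`) // constructed payload
	return verify(keys, "default", token, ed25519.Sign(scopedPriv, token)),
		verify(keys, "other", token, ed25519.Sign(scopedPriv, token)),
		verify(keys, "other", token, ed25519.Sign(globalPriv, token))
}

func main() { fmt.Println(scenario()) } // prints: true false true
```

A tampered token or a signature from a key that is neither unscoped nor scoped to the dataplane's mesh is rejected, which is the property an E2E case combining meshed and unmeshed keys should assert.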

@nicoche
Contributor Author

nicoche commented Oct 27, 2023

Great! Honestly, I did not know where to look regarding the tests. I'll add that.

@nicoche
Contributor Author

nicoche commented Oct 27, 2023

Should be good now, the e2e tests pass locally 🙂

@jakubdyszkiewicz jakubdyszkiewicz merged commit 3234b91 into kumahq:master Oct 27, 2023
5 checks passed
@nicoche nicoche deleted the multi-mesh-offline-dp-token branch October 27, 2023 15:17
nicoche added a commit to koyeb/kuma that referenced this pull request Oct 28, 2023
…umahq#8169)