Skip to content
This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

Use ServiceIdentity type in catalog APIs instead of service.K8sServiceAccount #2218

Closed
2 tasks
Tracked by #3701
shashankram opened this issue Dec 17, 2020 · 5 comments
Closed
2 tasks
Tracked by #3701
Labels
area/identity size/M 7 days (~1.5 week)
Milestone

Comments

@shashankram
Copy link
Member

shashankram commented Dec 17, 2020

The type identity.ServiceIdentity was introduced to abstract the the identities assigned to services. Use this in catalog APIs instead of k8s.ServiceAccount to not leak Kubernetes primitives and identity abstraction across the MeshCataloger API boundaries.

This is where the current K8sServiceAccount is declared: https://github.com/openservicemesh/osm/blob/v0.8.2/pkg/service/types.go#L21-L25

Here is the definition of the new type we would like to use instead of K8sServiceAccount: https://github.com/openservicemesh/osm/blob/v0.8.2/pkg/identity/types.go#L5

Service identities can be abstracted without leaking kubernetes identity primitives to XDS code.


Related tasks:

@shashankram shashankram changed the title Use ServiceIdentity type catalog APIs instead of ServiceAccount Use ServiceIdentity type in catalog APIs instead of ServiceAccount Dec 17, 2020
@draychev draychev added the size/M 7 days (~1.5 week) label Jan 26, 2021
@draychev draychev added this to the v0.9.0 milestone Mar 5, 2021
@michelleN michelleN added the priority/P2 P2 priority label Mar 9, 2021
@draychev draychev added good first issue Good for newcomers area/osm-onboarding Related to creating a smooth osm install and onboarding experience labels Mar 30, 2021
@draychev draychev changed the title Use ServiceIdentity type in catalog APIs instead of ServiceAccount Use ServiceIdentity type in catalog APIs instead of service.K8sServiceAccount Apr 2, 2021
@draychev draychev assigned shashankram and draychev and unassigned shalier and shashankram Apr 2, 2021
@shashankram
Copy link
Member Author

This issue needs further discussions and review. The motivation to create this issue is summarized below.

  1. To not leak k8s identity primitives such as service accounts into the XDS code, and leverage the identity.ServiceIdentity type instead which also encodes the trust domain (cluster.local) in the identity
  2. SMI's traffic access has a Kind attribute for the source and destination. It seems as though in the future there is room for using a different Kind (maybe ingress?) as a source, which would mean the ServiceAccount primitive might not determine the Kind for a service's identity
  3. Using the fully qualified ServiceIdentity type (..) is cluster aware, where the trust domain is of the form cluster.local or cluster.foo. Since the mesh-catalog is responsible for aggregating information from the runtime platform (k8s), using the fully qualified ServiceIdentity type should be feasible.

This change might look trivial on the eye but isn't. There is a lot of refactoring that needs to be done to complete this task.
/cc @draychev

@draychev
Copy link
Contributor

@shashankram I'd like to resolve this one step at a time. To me this is a baby step forward:

@shashankram
Copy link
Member Author

@draychev thanks for taking this on.

One thing I wanted to clarify in this issue is the distinction between identity.ServiceIdentity and K8sServiceAccount. In the XDS verticals, identity.ServiceIdentity represents the fully qualified service identity including the trust domain, ex. svc-acc.namespace.cluster.local, whereas K8sServiceAccount does not include the trust domain.

So for multicluster environments where the trust domain for a service in another cluster could be of the form svc-acc.namespace.cluster.other, the fully qualified ServiceIdentity could provide additional metadata.

@draychev
Copy link
Contributor

draychev commented Apr 15, 2021

The plan so far:

  1. Rename the pkg/catalog MeshCataloger interface functions: ...ServiceAccount -> ...ServiceIdentity:
  1. Add helpers to be able to switch from K8sServiceAccount to ServiceIdentity and reverse - some of these will be used short term to transition a step at a time. Others - for ServiceAccounts coming from K8s for instance - could stay long term:
  1. Migrate to ServiceIdentity:

@shashankram
Copy link
Member Author

All catalog APIs have been updated to use ServiceIdentity.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
area/identity size/M 7 days (~1.5 week)
Projects
None yet
Development

No branches or pull requests

4 participants