Implement Secret Discovery Service #898
Comments
@vaamarnath we have a requirement to have SDS implementation in contour as well. Do you have a design that you can share with the details?
@khgandhi The current requirement for SDS came in through #862. There is no design available for this issue at this point in time. \cc @davecheney
@davecheney If you are ok, I can pick up this task. I can come up with a rough design doc and a list of possible changes in a couple of days.
@bmadhavan sure, feel free to discuss the design here or in a design document. Please note that I will be travelling until the 1st of April and may not be able to reply during that time.
ok. Sure.
@davecheney I have created an initial design draft for SDS support. Can you please take a look.
Due to the need to ship Contour 0.11 to address a security issue in Envoy 1.9.0 this has been bumped to the 0.12 milestone. |
Updates #898 Remove the parts of the design about integrating SDS into LDS and CDS, we'll do those at a later date. For now, just get this work started. Signed-off-by: Dave Cheney <dave@cheney.net>
With #901 falling off the 0.12 milestone @vaamarnath and I have talked and the plan is to implement the basic SDS plumbing and we'll revisit the integration points with the rest of Contour later. I was going to sit down and write down the steps to add SDS to I'm not going to mark this issue as 0.12 as @vaamarnath nor I can commit to taking this one by the 0.12 deadline, but consider the design for adding SDS up for grabs. Note to implementors: please work incrementally, one PR per high level design point. Please don't send one giant ass PR for the whole thing, that's not cool. You should also add some tests to Thanks Dave
@vaamarnath @davecheney Thanks for the notes. I've been building up the full solution over the last few days, adding tests, and verifying functionality. I'll split up the change set into a few PRs, mirroring the suggestion to provide 1 per major design point.
Addresses the first high-level design bullet point, creating a gRPC server for SDS by adding an SDS cache interface, implementing FetchSecrets and StreamSecrets, and registering the server as an SDS handler. Updates projectcontour#898
Addresses the third high-level design bullet point, support sds in the contour cli for debugging. Updates: projectcontour#898 Signed-off-by: Matt Alberts <malberts@cloudflare.com>
Addresses the non-goals of the high-level design for secret discovery, converting auth.CommonTlsContext from TlsCertificates with inline bytes for secret data to TlsCertificateSdsSecretConfigs for secret references from the xDS gRPC server. Updates: projectcontour#898 Signed-off-by: Matt Alberts <malberts@cloudflare.com>
Addresses the second high-level design bullet point, creating a SecretCache to be used by Contour to internally identify any changes. The cache is also registered as a resource type for the gRPC server, allowing it to respond to requests. Updates: projectcontour#898 Signed-off-by: Matt Alberts <malberts@cloudflare.com>
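For reference, the listener-side change the last commit message describes, shown as an added illustration rather than code from the Contour repository: an Envoy v2 `DownstreamTlsContext` carrying the certificate and key inline, beside the same context rewritten to reference the secret by name through `tls_certificate_sds_secret_configs` and fetch it over gRPC from the xDS server. The cluster name `contour`, the secret name `default/example-tls` and the PEM placeholders are assumptions.

```yaml
# Before: auth.CommonTlsContext holds TlsCertificates with the PEM bytes
# inline, so the private key travels inside every listener (LDS) response
# and a certificate rotation requires a new listener snapshot.
filter_chains:
- tls_context:
    common_tls_context:
      tls_certificates:
      - certificate_chain:
          inline_string: "-----BEGIN CERTIFICATE-----\n<constructed placeholder>\n-----END CERTIFICATE-----"
        private_key:
          inline_string: "-----BEGIN RSA PRIVATE KEY-----\n<constructed placeholder>\n-----END RSA PRIVATE KEY-----"
---
# After: the same context holds only a TlsCertificateSdsSecretConfig.
# Envoy requests the named secret over SDS (FetchSecrets/StreamSecrets)
# from the xDS gRPC server and receives rotations on that stream, so the
# listener definition no longer changes when the certificate does.
filter_chains:
- tls_context:
    common_tls_context:
      tls_certificate_sds_secret_configs:
      - name: default/example-tls        # assumed naming: <namespace>/<secret>
        sds_config:
          api_config_source:
            api_type: GRPC
            grpc_services:
            - envoy_grpc:
                cluster_name: contour    # assumed: bootstrap cluster for Contour's xDS server
```

Envoy keeps the listener warming until the named secret has arrived on the SDS stream, so a missing or misnamed secret shows up as a listener that never becomes active rather than as a listener serving without TLS.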
I think this issue is now complete, at least wrt. the 0.12 milestone. Thank you to @vaamarnath @mattalberts and @stevesloka for pushing this forward.
Implement Secret Discovery Service in Contour.
This enhancement request came out of the discussion on #862 for supporting rotating and invalidating certificates using SDS. More info about SDS is available here: https://www.envoyproxy.io/docs/envoy/latest/configuration/secret.