-
Notifications
You must be signed in to change notification settings - Fork 485
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue #2700: Adds support for X509 and JWT specific SVID TTLs #3445
Conversation
Note: failed compilation should be expected until spiffe/spire-api-sdk#29 is merged and the |
29d3e79
to
0bac974
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this!!! and great work
c075316
to
eff1b4c
Compare
Thank you, @MarcosDY for your feedback. Every comment with a 👍 has been corrected. The only outstanding issue is the upgrade and downgrade question, for which I've posted my thoughts. |
Hey, @dennisgove! We talked about this yesterday in our maintainer sync. We talked about a few things and are letting things marinate a bit before making a decision. We should be able to get back to you with direction early next week. |
Sorry it took so longer to get back here. I think we are good with the proposal you outlined for upgrade downgrade. Additionally, as far as the API layer is concerned, we concluded that we think the compat story is a little easier if, instead of adding two new fields, we rename the existing How does that sound? |
I have two concerns with this approach. Though please let me know if I'm misunderstanding the intent here. First, we've already added two new fields in the database for this feature. #3174 added columns Second, and I think more importantly, is that wouldn't a rename of the API field from That said, I could see value in the following approach, though there are still issues with it.
|
This would only be a breaking change at compile time, and only after the software updates their dependency on the SDK. Already built software would continue to function just fine, since the protobuf field number would remain the same, i.e., wire compatibility would not break. Consider the inverse. If we move forward then with it as-is, then software, at some point, needs to cut over to using the new x509_svid_ttl field. The software would no longer work with old versions of SPIRE. |
That is something I forgot about - thanks for clearing that up. This plan sounds good to me. I'll get started on those changes. For my own planning purposes, when are we intending to cut 1.5, so I can be sure to get these in with plenty of time? |
Yikes! Milestone wasn't updated. I just updated it with our tentative release date of Nov 2nd. We try and release every four weeks. We usually pick our commit about a week before the release, so that would give you until Oct 26th. We rarely have a hard release deadline and therefore try and be flexible, so if things drag out a little longer, that is ok. |
Thanks for picking up this work by the way. Really appreciate the meaty contribution. |
Hey @dennisgove! Just wanted to follow up and see how things were going here. Do you still feel comfortable hitting the commit pick date for the next release? No pressure. Let us know if you need anything. |
Hi @azdagron. I do still feel comfortable hitting the OCtober 26th date. I had a little issue when I swapped my laptop to an M1 but have gotten that resolved. |
Per comment spiffe/spire#3445 (comment) it was decided to 1. Rename the TTL field to X509SvidTtl 2. Add the new JwtSvidTtl field This change augments commit spiffe@3c5e450 Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
Per comment spiffe/spire#3445 (comment) it was decided to 1. Rename the TTL field to X509SvidTtl 2. Add the new JwtSvidTtl field This change augments commit 3c5e450 Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
3cb94dd
to
8afdbfc
Compare
@azdagron I believe I've made all the necessary changes, including in the tests. But I'm not 100% that I haven't missed something. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like we missed updating go.mod with the latest pseudo-version. CI/CD is also not passing.
@azdagron, is this something I should be changing? If so, what should I change? |
cafa109
to
ac3b5ad
Compare
Yeah, you need to update the spire-api-sdk dependency to pick up the rename change you did that was merged onto the next branch.
|
ac3b5ad
to
66b7fe1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the update @dennisgove. Most comments are naming and other minutiae. Also, from the failed CI/CD run, it looks like we missed updating some of the CLI tests that only run for windows.
While that is being fixed, I'll build this and give it a run through to sanity check things.
Thanks @azdagron. I plan to have those items pushed by tonight. |
Fixes spiffe#2700 This change adds support for X509 and JWT specific SVID TTLs in each of the following places * Default values in spire-server configuration. Similar to the existing TTL value, if provided then it must be >= 0. A value of 0 is considered 'unset', meaning there is no default. * Entry records in the database and API During Entry creation and update * If the API call contains a non-zero X509SvidTtl value then that will be stored, else the config default x509SvidTtl value is used * If the API call contains a non-zero JWTSvidTtl value then that will stored, else the config default jwtSvidTtl value is used During X509-SVID creation * If the API call contains a non-zero TTL value then that is used, else * If the stored record contains a non-zero X509SvidTtl value then that will be used, else * If the stored record contains a non-zero TTL value then that will be used, * The hard-coded default X509SvidTTL value will be used During JWT-SVID creation * If the API call contains a non-zero TTL value then that is used, else * If the stored record contains a non-zero JWTSvidTtl value then that will be used, else * If the stored record contains a non-zero TTL value then that will be used, * The hard-coded default JWTSvidTTL value will be used X509SvidTtl and JwtSvidTtl will be considered during the following cases * All must be valid with-respect-to the configured CA TTL - they are all part of the min/max validation checks * Entry sorting now includes each of X509SvidTtl and JwtSvidTtl Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
66b7fe1
to
c4d1eea
Compare
…ng ttl Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
c4d1eea
to
cfda2e7
Compare
Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
3160ba2
to
487974c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Excellent, @dennisgove . I feel much better about this. I've left a nitpicky comment, but will start doing some manual testing on this to build confidence. I think we can likely merge this today. Thank you for the great work and significant contribution!
I did some manual testing and I think we're good here. Once that final nit is fixed, I think we'll be ready to merge. I can push a commit if needed. |
Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
Per comment spiffe/spire#3445 (comment) it was decided to 1. Rename the TTL field to X509SvidTtl 2. Add the new JwtSvidTtl field This change augments commit spiffe@3c5e450 Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
Per comment spiffe/spire#3445 (comment) it was decided to 1. Rename the TTL field to X509SvidTtl 2. Add the new JwtSvidTtl field This change augments commit 3c5e450 Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
…piffe#3445) * Adds support for X509 and JWT specific SVID TTLs Fixes spiffe#2700 This change adds support for X509 and JWT specific SVID TTLs in each of the following places * Default values in spire-server configuration. Similar to the existing TTL value, if provided then it must be >= 0. A value of 0 is considered 'unset', meaning there is no default. * Entry records in the database and API During Entry creation and update * If the API call contains a non-zero X509SvidTtl value then that will be stored, else the config default x509SvidTtl value is used * If the API call contains a non-zero JWTSvidTtl value then that will stored, else the config default jwtSvidTtl value is used During X509-SVID creation * If the API call contains a non-zero TTL value then that is used, else * If the stored record contains a non-zero X509SvidTtl value then that will be used, else * If the stored record contains a non-zero TTL value then that will be used, * The hard-coded default X509SvidTTL value will be used During JWT-SVID creation * If the API call contains a non-zero TTL value then that is used, else * If the stored record contains a non-zero JWTSvidTtl value then that will be used, else * If the stored record contains a non-zero TTL value then that will be used, * The hard-coded default JWTSvidTTL value will be used X509SvidTtl and JwtSvidTtl will be considered during the following cases * All must be valid with-respect-to the configured CA TTL - they are all part of the min/max validation checks * Entry sorting now includes each of X509SvidTtl and JwtSvidTtl Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
Fixes #2700
Depends on spiffe/spire-api-sdk#29
This change adds support for X509 and JWT specific SVID TTLs in each of the following places
During Entry creation and update
During X509-SVID creation
During JWT-SVID creation
All of Ttl, X509SvidTtl, and JwtSvidTtl will be considered during the following cases
Signed-off-by: Dennis Gove dgove1@bloomberg.net
Pull Request check list