deprecate support to Envoy SDS v2 API #4228
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
MarcosDY
requested review from
evan2645,
amartinezfayo,
azdagron and
rturner3
as code owners
rturner3
reviewed
Jun 6, 2023
cmd/spire-agent/cli/run/run.go
Outdated
| @@ -496,6 +497,10 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool) | |||
| ac.JoinToken = c.Agent.JoinToken | |||
| ac.DataDir = c.Agent.DataDir | |||
| ac.DefaultSVIDName = c.Agent.SDS.DefaultSVIDName | |||
| ac.EnableEnvoySDSv2 = c.Agent.SDS.EnableSDSv2 | |||
| if ac.EnableEnvoySDSv2 { | |||
| logger.Warn("The support to Envoy SDS v2 API has been deprecated in SPIRE and is no longer supported by Envoy. Enabling SDS v2 is not recommended and this config setting will be removed in a future version.") | |||
There was a problem hiding this comment.
Suggested change
| logger.Warn("The support to Envoy SDS v2 API has been deprecated in SPIRE and is no longer supported by Envoy. Enabling SDS v2 is not recommended and this config setting will be removed in a future version.") | |
| logger.Warn("The Envoy SDS v2 API is now deprecated in SPIRE and is no longer supported by Envoy. It is recommended that users of the SDS v2 API migrate to the SDS v3 API. The SDS v2 API and this config setting will be removed in a future version.") |
Just a few wording suggestions:
has been->isto make it clear that the current status of the SDS v2 API is that it's deprecated- Rather than saying using the SDS v2 API is not recommended (also implied by saying it's deprecated), point users currently dependent on the SDS v2 API to the supported successor, the SDS v3 API
- Clarify that the SDS v2 API itself will also be removed, not just the config. As written, users might interpret that the API will still be available, but only this config field will be removed.
cmd/spire-agent/cli/run/run.go
Outdated
| @@ -104,6 +104,7 @@ type sdsConfig struct { | |||
| DefaultBundleName string `hcl:"default_bundle_name"` | |||
| DefaultAllBundlesName string `hcl:"default_all_bundles_name"` | |||
| DisableSPIFFECertValidation bool `hcl:"disable_spiffe_cert_validation"` | |||
| EnableSDSv2 bool `hcl:"enable_sds_v2"` | |||
There was a problem hiding this comment.
Suggested change
| EnableSDSv2 bool `hcl:"enable_sds_v2"` | |
| EnableDeprecatedv2API bool `hcl:"enable_deprecated_v2_api"` |
- I think it would be good to include the term
deprecatedinto the configurable name to clarify the intent behind the configurable. - We can probably omit the term
sdsin the name of the configurable since the field is already inside thesdsconfiguration section
pkg/agent/endpoints/sdsv2/handler.go
Outdated
| @@ -26,6 +26,10 @@ import ( | |||
| "google.golang.org/protobuf/types/known/anypb" | |||
| ) | |||
|
|
|||
| const ( | |||
| deprecatedAPIErrorMsg = "support to Envoy SDS v2 API has been deprecated in SPIRE and is no longer supported by Envoy. Please refer to: https://www.envoyproxy.io/docs/envoy/latest/api/api_supported_versions. It can be enabled using the config setting 'enable_sds_v2': https://github.com/spiffe/spire/blob/main/doc/spire_agent.md#sds-configuration. Please note that enabling SDS v2 is not recommended and this config setting will be removed in a future version." | |||
There was a problem hiding this comment.
Suggested change
| deprecatedAPIErrorMsg = "support to Envoy SDS v2 API has been deprecated in SPIRE and is no longer supported by Envoy. Please refer to: https://www.envoyproxy.io/docs/envoy/latest/api/api_supported_versions. It can be enabled using the config setting 'enable_sds_v2': https://github.com/spiffe/spire/blob/main/doc/spire_agent.md#sds-configuration. Please note that enabling SDS v2 is not recommended and this config setting will be removed in a future version." | |
| deprecatedAPIErrorMsg = "The Envoy SDS v2 API is now deprecated in SPIRE and is no longer supported by Envoy. Please refer to: https://www.envoyproxy.io/docs/envoy/latest/api/api_supported_versions. The SDS v2 API can be enabled using the config setting 'enable_deprecated_v2_api': https://github.com/spiffe/spire/blob/main/doc/spire_agent.md#sds-configuration. It is recommended that users of the SDS v2 API migrate to the SDS v3 API. The SDS v2 API and this config setting will be removed in a future version." |
There was a problem hiding this comment.
it is an error, so I'll change the message start from The to the
| @@ -204,6 +213,10 @@ func (h *Handler) DeltaSecrets(discovery_v2.SecretDiscoveryService_DeltaSecretsS | |||
| } | |||
There was a problem hiding this comment.
Shall we also return the same Unavailable code for the DeltaSecrets method when the SDS v2 API is not enabled to be consistent across all the methods in the SDS v2 API?
| @@ -204,6 +206,24 @@ func (s *HandlerSuite) TestStreamSecretsStreamAllSecrets() { | |||
| s.requireSecrets(resp, tdValidationContext, fedValidationContext, workloadTLSCertificate1) | |||
| } | |||
|
|
|||
| func (s *HandlerSuite) TestAPIIsNoEnabled() { | |||
There was a problem hiding this comment.
Suggested change
| func (s *HandlerSuite) TestAPIIsNoEnabled() { | |
| func (s *HandlerSuite) TestAPIIsNotEnabled() { |
| @@ -6,6 +6,9 @@ agent { | |||
| socket_path ="/opt/shared/agent.sock" | |||
| trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt" | |||
| trust_domain = "domain.test" | |||
| sds = { | |||
| enable_sds_v2 = true | |||
There was a problem hiding this comment.
Suggested change
| enable_sds_v2 = true | |
| enable_deprecated_sds_v2_api = true |
doc/spire_agent.md
Outdated
| | `disable_spiffe_cert_validation` | Disable Envoy SDS custom validation | false | | ||
| | Configuration | Description | Default | | ||
| |----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|---------| | ||
| | `enable_sds_v2` | Enable SDS v2 API. Please note that enabling SDS v2 is not recommended and this config setting will be removed in a future version. | false | |
There was a problem hiding this comment.
Suggested change
| | `enable_sds_v2` | Enable SDS v2 API. Please note that enabling SDS v2 is not recommended and this config setting will be removed in a future version. | false | | |
| | `enable_deprecated_v2_api` | Enable deprecated SDS v2 API. It is recommended that users of the SDS v2 API migrate to the SDS v3 API. The SDS v2 API and this config setting will be removed in a future version. | false | |
cmd/spire-agent/cli/run/run_test.go
Outdated
| @@ -244,6 +244,18 @@ func TestMergeInput(t *testing.T) { | |||
| require.Equal(t, "foo", c.Agent.SDS.DefaultAllBundlesName) | |||
| }, | |||
| }, | |||
| { | |||
| msg: "enable_sds_v2 should be configurable by file", | |||
There was a problem hiding this comment.
Suggested change
| msg: "enable_sds_v2 should be configurable by file", | |
| msg: "enable_deprecated_v2_api should be configurable by file", |
conf/agent/agent_full.conf
Outdated
| @@ -72,6 +72,10 @@ agent { | |||
|
|
|||
| # sds: Optional SDS configuration section. | |||
| # sds = { | |||
| # # enable_sds_v2: Enable SDS v2 API. Please note that enabling SDS v2 is not | |||
| # # recommended and this config setting will be removed in a future version. Default: false | |||
| # # enable_sds_v2 = false | |||
There was a problem hiding this comment.
Suggested change
| # # enable_sds_v2 = false | |
| # # enable_deprecated_v2_api = false |
conf/agent/agent_full.conf
Outdated
Comment on lines
75
to
76
| # # enable_sds_v2: Enable SDS v2 API. Please note that enabling SDS v2 is not | ||
| # # recommended and this config setting will be removed in a future version. Default: false |
There was a problem hiding this comment.
Suggested change
| # # enable_sds_v2: Enable SDS v2 API. Please note that enabling SDS v2 is not | |
| # # recommended and this config setting will be removed in a future version. Default: false | |
| # # enable_deprecated_v2_api: Enable deprecated SDS v2 API. It is recommended that | |
| # # users of the SDS v2 API migrate to the SDS v3 API. | |
| # # The SDS v2 API and this config setting will be removed in a future version. | |
| # # Default: false |
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
rturner3
approved these changes
Jun 6, 2023
Neniel
pushed a commit
to Neniel/spire
that referenced
this pull request
Jul 21, 2023
* deprecate support to Envoy SDS v2 API Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com> Signed-off-by: Neniel <11655196+Neniel@users.noreply.github.com>
Neniel
pushed a commit
to Neniel/spire
that referenced
this pull request
Aug 24, 2023
* deprecate support to Envoy SDS v2 API Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com> Signed-off-by: Neniel <11655196+Neniel@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Deprecate SDS v2 API, disabling it as default, but add a configurable to reactivate it.
Which issue this PR fixes
fixes #4204