Add SPIFFEFederation gRPC service and client support #45253

Merged
merged 30 commits into from
Aug 22, 2024

@strideynet strideynet commented Aug 8, 2024

Closes #44861
As per #43348

Introduces the gRPC service for the SPIFFEFederation resource and wires this into tctl as appropriate.

@strideynet strideynet added no-changelog Indicates that a PR does not require a changelog entry backport/branch/v15 backport/branch/v16 labels Aug 8, 2024

strideynet commented Aug 9, 2024

TODO:

  • Add verbs/resources to the default role sets!
  • Wait for depended-upon PR to merge

@@ -76,6 +76,7 @@ var DefaultImplicitRules = []types.Rule{
types.NewRule(types.KindKubernetesCluster, RO()),
types.NewRule(types.KindUsageEvent, []string{types.VerbCreate}),
types.NewRule(types.KindVnetConfig, RO()),
types.NewRule(types.KindSPIFFEFederation, RO()),
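Review bot: the new `types.NewRule(types.KindSPIFFEFederation, RO())` entry in `DefaultImplicitRules` carries no comment explaining why this kind is safe to grant implicitly rather than per role. A one-line comment above it stating the assumption (the resource holds only trust bundle configuration needed to validate SVIDs, and nothing sensitive) would help future reviewers, because any field added to the resource later inherits this default read access. It would also be worth a test asserting that a role with no explicit rules can read and list the kind but cannot create, update or delete it, so the read-only scope of this entry is pinned down.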
Contributor Author
My gut feeling is that these are very similar to the concept of a "Certificate Authority" and thus could belong here in the implicit set. Realistically, if you omit this, then both tbot/tctl will have an incomplete view of what the trust bundle should be, so you'd have to include this on all roles you expect to also generate SVIDs. There's also nothing within these that is considered "sensitive".

I'm curious if anyone has any points in opposition to this and would prefer this to be explicitly assigned to roles.

@strideynet strideynet marked this pull request as ready for review August 14, 2024 13:22
@github-actions github-actions bot added size/lg tctl tctl - Teleport admin tool labels Aug 14, 2024
@strideynet strideynet requested a review from timothyb89 August 14, 2024 13:38
Co-authored-by: rosstimothy <[email protected]>
@strideynet strideynet enabled auto-merge August 22, 2024 08:06
@strideynet strideynet added this pull request to the merge queue Aug 22, 2024
Merged via the queue into master with commit 8495398 Aug 22, 2024
39 checks passed
@strideynet strideynet deleted the strideynet/spiffe-federation-svc branch August 22, 2024 08:46
@public-teleport-github-review-bot

@strideynet See the table below for backport results.

Branch Result
branch/v15 Failed
branch/v16 Failed

strideynet added a commit that referenced this pull request Aug 22, 2024
* Start adding `lib/services` content for SPIFFEFederation type

* Add SPIFFEFederation resource to cache

* Wire SPIFFEFederation into cache

* Fix NewTestAuthServer

* Start writing tests

* Add more test cases to validation

* Add tests to cache for SPIFFEFederation

* More test coverage

* Add test for DeleteSPIFFEFederations

* Finish off tests for SPIFFEFederation resource

* go mod tidy

* Go mod tidy

* Appease linter

* Avoid forcing kind/version in MarshalSPIFFEFederation

* more linter appeasement

* Add basics of SPIFFEFederation gRPC service

* Add support into tctl for create/delete/get/list

* Rely on default page size

* Prevent configuration of status field

* Add test for TestSPIFFEFederationService_CreateSPIFFEFederation

* Add TestSPIFFEFederationService_DeleteSPIFFEFederation

* Add test for TestSPIFFEFederationService_GetSPIFFEFederation

* Add TestSPIFFEFederationService_ListSPIFFEFederations

* Add missing error assertion

* Add Verbs to default roles for SPIFFEFederation

* Remove test cases that are now unneeded due to adding to implicit roleset

* Tidier if statement

Co-authored-by: rosstimothy <[email protected]>

---------

Co-authored-by: rosstimothy <[email protected]>
strideynet added a commit that referenced this pull request Aug 22, 2024
github-merge-queue bot pushed a commit that referenced this pull request Aug 22, 2024
github-merge-queue bot pushed a commit that referenced this pull request Aug 22, 2024
Successfully merging this pull request may close these issues.

SPIFFE Federation: Resource, Audit Events, API
3 participants