Add SPIFFEFederation gRPC service and client support #45253
…end-cache-for-spiffe-federation
TODO:
@@ -76,6 +76,7 @@ var DefaultImplicitRules = []types.Rule{ | |||
types.NewRule(types.KindKubernetesCluster, RO()), | |||
types.NewRule(types.KindUsageEvent, []string{types.VerbCreate}), | |||
types.NewRule(types.KindVnetConfig, RO()), | |||
types.NewRule(types.KindSPIFFEFederation, RO()), |
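Review bot: The `types.NewRule(types.KindSPIFFEFederation, RO())` line added at the end of this hunk goes into `DefaultImplicitRules`, so every role gains read access to this kind without an explicit grant, and nothing next to the rule records why that is acceptable. Please add a short comment above it stating the rationale (for example, that the resource holds only the trust bundle data needed alongside the certificate authorities and nothing sensitive), and keep a test asserting that a role with no explicit rules can read this kind but cannot create, update or delete it, so that a later change to the resource's fields is reviewed before it is exposed to all roles.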
My gut feeling is that these are very similar to the concept of a "Certificate Authority" and thus could belong here in the implicit set. Realistically, if you omit this, then both tbot/tctl will have an incomplete view of what the trust bundle should be, so you'd have to include this on all roles you expect to also generate SVIDs. There's also nothing within these that is considered "sensitive".
I'm curious if anyone has any points in opposition to this and would prefer this to be explicitly assigned to roles.
Co-authored-by: rosstimothy <[email protected]>
@strideynet See the table below for backport results.
* Start adding `lib/services` content for SPIFFEFederation type
* Add SPIFFEFederation resource to cache
* Wire SPIFFEFederation into cache
* Fix NewTestAuthServer
* Start writing tests
* Add more test cases to validation
* Add tests to cache for SPIFFEFederation
* More test coverage
* Add test for DeleteSPIFFEFederations
* Finish off tests for SPIFFEFederation resource
* go mod tidy
* Go mod tidy
* Appease linter
* Avoid forcing kind/version in MarshalSPIFFEFederation
* more linter appeasal
* Add basics of SPIFFEFederation gRPC service
* Add support into tctl for create/delete/get/list
* Rely on default page size
* Prevent configuration of status field
* Add test for TestSPIFFEFederationService_CreateSPIFFEFederation
* Add TestSPIFFEFederationService_DeleteSPIFFEFederation
* Add test for TestSPIFFEFederationService_GetSPIFFEFederation
* Add TestSPIFFEFederationService_ListSPIFFEFederations
* Add missing error assertion
* Add Verbs to default roles for SPIFFEFederation
* Remove test cases that are now unneeded due to adding to implicit roleset
* Tidier if statement

Co-authored-by: rosstimothy <[email protected]>

---------

Co-authored-by: rosstimothy <[email protected]>
Closes #44861
As per #43348
Introduces the gRPC service for the SPIFFEFederation resource and wires this into `tctl` as appropriate.