Support downstream entries/spiffeIds (closes #43) #44
Conversation
This code seems to only support a `parentID, err := spiffeid.FromPathf(trustDomain, "/spire/agent/k8s_psat/%s/%s", clusterName, node.UID)`. I think this would need to be changed in this PR also.
Do we need to bump the version of the CRD for this change?
Were you able to specify the parent with k8s-workload-registrar?
Yes, this is what we're doing today with the Registrar.
Yea, I suppose so. Bumped.
I think I was mistaken, we don't need to bump the version for just adding a new field. https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api_changes.md#adding-a-field
Created #54 for the parentID part.
OK. Dropped that commit.
Thanks @keeganwitt for the updates. Changes look good to me.
Thanks for opening this contribution, @keeganwitt!
Looks like a spot was missed in `api/v1alpha1/clusterspiffeid_webhook.go` where the spec is parsed into the `ParsedClusterSPIFFEID` struct. `Downstream` is not being set on the parsed spec, which ultimately results in the downstream bit not being set on the registration entry.
I'd encourage you to test out your changes before submitting. It would have found the issue.
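The missed spot described in the comment above, as an added example that is not code from this PR or its project: a cut-down Go model of the spec-to-parsed-spec step, with the parser that forgets to copy the flag beside the corrected one, plus a reflection-based round-trip check that would have flagged the dropped field in a unit test. `ParsedClusterSPIFFEID` is the name used on the page; `ClusterSPIFFEIDSpec`, the field set and the function names are hypothetical stand-ins, not the project's real types.

```go
package main

import (
	"fmt"
	"reflect"
)

// Hypothetical, cut-down stand-ins for the CRD spec and the parsed form the
// webhook builds; the real types in api/v1alpha1 carry many more fields.
type ClusterSPIFFEIDSpec struct {
	Admin      bool
	Downstream bool
}
type ParsedClusterSPIFFEID struct {
	Admin      bool
	Downstream bool
}

// parseSpecBuggy reproduces the defect raised in review: Downstream exists on
// both structs but is never copied, so every entry registers as non-downstream.
func parseSpecBuggy(spec ClusterSPIFFEIDSpec) ParsedClusterSPIFFEID {
	return ParsedClusterSPIFFEID{Admin: spec.Admin}
}
// parseSpecFixed carries the flag through to the parsed spec.
func parseSpecFixed(spec ClusterSPIFFEIDSpec) ParsedClusterSPIFFEID {
	return ParsedClusterSPIFFEID{Admin: spec.Admin, Downstream: spec.Downstream}
}

// droppedFields lists spec fields that have a same-named, same-typed field on
// parsed but a different value: a cheap round-trip check that flags a field
// added to the CRD and forgotten in the parser (fields the parser transforms
// on purpose, such as template strings, would need an exclusion list).
func droppedFields(spec ClusterSPIFFEIDSpec, parsed ParsedClusterSPIFFEID) []string {
	sv, pv := reflect.ValueOf(spec), reflect.ValueOf(parsed)
	var dropped []string
	for i := 0; i < sv.NumField(); i++ {
		f := sv.Type().Field(i)
		pf := pv.FieldByName(f.Name)
		if !pf.IsValid() || pf.Type() != f.Type {
			continue // no plain counterpart; not a simple copy
		}
		if !reflect.DeepEqual(sv.Field(i).Interface(), pf.Interface()) {
			dropped = append(dropped, f.Name)
		}
	}
	return dropped
}

func main() {
	spec := ClusterSPIFFEIDSpec{Downstream: true} // constructed sample CR spec
	fmt.Println("buggy parser drops:", droppedFields(spec, parseSpecBuggy(spec))) // [Downstream]
	fmt.Println("fixed parser drops:", droppedFields(spec, parseSpecFixed(spec))) // []
}
```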
@@ -48,6 +48,9 @@ spec: | |||
items: | |||
type: string | |||
type: array | |||
downstream: | |||
description: Downstream indicates that the entry describes a downstream SPIRE server. |
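Review bot: the `downstream` property needs an explicit `type: boolean` next to its description so the API server rejects non-boolean values at admission; the hunk header counts three added lines but only `downstream:` and `description:` are visible here, so confirm the third line is the type. Because this section was written by hand rather than generated with `make manifests`, regenerating the CRD from the Go type will both settle the formatting mismatch raised in review and guarantee the schema matches the struct field.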
Was `make manifests` run after adding the field to the CRD? The formatting seems different here than what was generated for me locally...
No. I didn't know about that script. I did this by hand. We should document this in a `CONTRIBUTING.md`.
@@ -48,6 +48,9 @@ spec: | |||
items: | |||
type: string | |||
type: array | |||
downstream: |
This might need to be updated based on the answer to my question about `make manifests`...
No testing, as noted in the description, this was my best guess what changes were needed. Do you have a recommendation for how to test? I couldn't test with my deployment because we're still using the registrar. Sounds like we could use a `CONTRIBUTING.md`?
We definitely need a `CONTRIBUTING.md` :) To test, I normally run
Signed-off-by: Keegan Witt <[email protected]>
Thanks, @keeganwitt. Looks good.
I looked at all the places using `Admin` and used that to determine what I probably needed for adding `Downstream`. I haven't tested that this actually works though.