Unix socket support for trust bundle URL #5932
Signed-off-by: Kevin Fox <[email protected]>
Short answer, so that the plugin on the other side of the unix socket can use the metadata to make educated choices on what the best process is to attest the server (fetch the trust bundle) for this particular node. Some of that is explained here: But for example, take the spiffe-ha-agent https://github.com/spiffe/spire-ha-agent. I can extend the spire-ha-agent to have such a unix socket. spire-agent@a and spire-agent@b can both be configured to point at the same unix socket. The spire-ha-agent can hand over the correct trust bundle to the right agent based on the server-address information that the agent passes along. There are other algorithms that may prioritize one source or another for fetching updated trust bundles, based on whether the mode is bootstrap vs rebootstrap, the amount of time it's been in the bootstrapping mode, etc.
It isn't. It's switching the URL from HTTP over a TCP socket to HTTP over a unix socket. But it also adds the ability to pass on additional metadata about the current spire-agent's attestation process, so that the plugin on the other side of the socket can make policy decisions based on it. This could be added to the TLS mode URL as well, though it would probably need to be behind a new config option in that case, to prevent breakage.
Signed-off-by: Kevin Fox <[email protected]>
Could you please update agent_full.conf with the new trust_bundle_unix_socket setting?
We also need to update spire_agent.md with this. It would be good to have some explanation about the use cases where the UDS support for the trust bundle URL can be leveraged.
cmd/spire-agent/cli/run/run.go
Outdated
if c.TrustBundleURL != "" { | ||
u, err := url.Parse(c.TrustBundleURL) | ||
if err != nil { | ||
return fmt.Errorf("unable to parse trust bundle URL: %w", err) | ||
} | ||
if u.Scheme != "https" { | ||
if c.TrustBundleUnixSocket != "" { | ||
if u.Scheme != "https" && u.Scheme != "http" { |
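Review bot: the unix-socket branch, `if u.Scheme != "https" && u.Scheme != "http" {`, still admits an https:// trust bundle URL when TrustBundleUnixSocket is set, even though the point of the socket path is plain HTTP without a certificate; serving HTTPS over a Unix socket would need TLS configuration that this hunk does not add. Restrict the unix-socket branch to `u.Scheme != "http"` and leave the existing https-only check for the TCP path, and show the error returned when the check fails so the message a misconfigured agent sees is part of the reviewed change.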
After putting some more thought on this, I think that we would support http only, at least initially. Use cases for https are not very clear for now.
Co-authored-by: Agustín Martínez Fayó <[email protected]> Signed-off-by: kfox1111 <[email protected]>
Signed-off-by: Kevin Fox <[email protected]>
603972a to 801ba51
Thank you @kfox1111!
The trust_bundle_url option can talk to a unix socket in addition to an https server.
This allows code running on the local node to run without needing to race to open a TCP port, increasing security, and it does not require an HTTPS certificate, increasing ease of maintenance while still maintaining security.
It also passes a bit of metadata to the remote so it can make programmatic policy decisions.
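The mechanism described in the PR description and in the earlier comment about the spire-ha-agent (HTTP served over a Unix socket, with the agent's metadata letting the far side pick the right trust bundle) can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from SPIRE or spire-ha-agent. It assumes a hypothetical endpoint path `/trust-bundle` and hypothetical query parameters `server-address` and `mode` for the metadata; the real parameter names, the socket path and the sample bundle bytes are all constructed here for illustration.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
	"time"
)

// ServeBundles is the plugin side (e.g. an HA agent): an HTTP server bound to a
// Unix socket instead of a TCP port. It reads the metadata the agent sends as
// hypothetical query parameters "server-address" and "mode", and returns the
// trust bundle registered for that server address. The returned function
// stops the server and removes the socket file.
func ServeBundles(socketPath string, bundles map[string][]byte) (func(), error) {
	_ = os.Remove(socketPath) // clear a stale socket left by a previous run
	ln, err := net.Listen("unix", socketPath)
	if err != nil {
		return nil, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/trust-bundle", func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		mode := q.Get("mode")
		if mode != "bootstrap" && mode != "rebootstrap" {
			http.Error(w, "unknown attestation mode", http.StatusBadRequest)
			return
		}
		bundle, ok := bundles[q.Get("server-address")]
		if !ok {
			http.Error(w, "no trust bundle for that server", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write(bundle)
	})
	srv := &http.Server{Handler: mux, ReadHeaderTimeout: 5 * time.Second}
	go func() { _ = srv.Serve(ln) }()
	return func() {
		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
		defer cancel()
		_ = srv.Shutdown(ctx)
		_ = os.Remove(socketPath)
	}, nil
}

// FetchTrustBundle is the agent side: the configured http:// URL is used as-is,
// but the connection is dialed over the Unix socket rather than TCP, and the
// agent's metadata is appended as query parameters. Only the http scheme is
// accepted, matching the reviewer's request to support http only on the socket.
func FetchTrustBundle(socketPath, bundleURL, serverAddress, mode string) ([]byte, error) {
	u, err := url.Parse(bundleURL)
	if err != nil {
		return nil, fmt.Errorf("unable to parse trust bundle URL: %w", err)
	}
	if u.Scheme != "http" {
		return nil, fmt.Errorf("scheme %q is not supported over a unix socket", u.Scheme)
	}
	q := u.Query()
	q.Set("server-address", serverAddress)
	q.Set("mode", mode)
	u.RawQuery = q.Encode()

	transport := &http.Transport{
		// Ignore the URL's host:port and always connect to the socket file.
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, "unix", socketPath)
		},
	}
	client := &http.Client{Transport: transport, Timeout: 5 * time.Second}
	resp, err := client.Get(u.String())
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("trust bundle request failed: %s", resp.Status)
	}
	// Cap the body size so a misbehaving peer cannot exhaust agent memory.
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20))
}

func main() {
	sock := filepath.Join(os.TempDir(), "trust-bundle-example.sock")
	// Constructed sample bundles keyed by the server address the agent reports.
	bundles := map[string][]byte{
		"spire-server-a:8081": []byte(`{"keys":[{"kid":"a"}]}`),
		"spire-server-b:8081": []byte(`{"keys":[{"kid":"b"}]}`),
	}
	stop, err := ServeBundles(sock, bundles)
	if err != nil {
		panic(err)
	}
	defer stop()
	b, err := FetchTrustBundle(sock, "http://localhost/trust-bundle", "spire-server-b:8081", "bootstrap")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b))
}
```

Because the listener is a socket file, the only thing an agent needs in order to reach it is filesystem permission on that path, which is what lets the node-local plugin run without a TCP port or an HTTPS certificate; the metadata in the query string is what gives the plugin enough context to choose between bundles for different servers or bootstrap modes.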