Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add profile configuration to bundle endpoint #4476

Merged
merged 7 commits into from
Sep 13, 2023
Merged

Add profile configuration to bundle endpoint #4476

merged 7 commits into from
Sep 13, 2023

Conversation

MarcosDY
Copy link
Collaborator

@MarcosDY MarcosDY commented Sep 4, 2023

Add profile configuration to bundle endpoint

Which issue this PR fixes
fixes #2670

@MarcosDY
Add federation.bundle_endpoint.profile configuration
be4918a 
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
evan2645
evan2645 reviewed Sep 12, 2023
View reviewed changes
Copy link
Member

@evan2645 evan2645 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this PR Marcos 🙌 one less point of confusion 🚤

cmd/spire-server/cli/run/run.go Outdated Show resolved Hide resolved
cmd/spire-server/cli/run/run.go
return nil, errors.New("bundle endpoint 'acme' or 'profile' can be set")

case config.ACME != nil:
return configToACMEConfig(config.ACME, dataDir), nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should log a warning when we do this because config will need to be updated before 1.9, similar to profile nil case. We should probably mention something about ACME configuration without defining it as part of the https_web profile is deprecated

cmd/spire-server/cli/run/run.go Outdated
return configToACMEConfig(config.ACME, dataDir), nil

case config.Profile == nil:
log.Warn("bundle endpoint has no profile set, using https_spiffe as default, please choose a profile.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest sentence case, plus warning that this will be an error condition in the future

Suggested change
log.Warn("bundle endpoint has no profile set, using https_spiffe as default, please choose a profile.")
log.Warn("Bundle endpoint is configured but has no profile set, using https_spiffe as default; please configure a profile explicitly. This will be fatal in a future release.")

cmd/spire-server/cli/run/run.go
if acme != nil {
acmeConfig = configToACMEConfig(acme, dataDir)
}
return acmeConfig, nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will be a nil pointer if https_web is set but acme block isn't declared. I think we need a check that it is set? I think it's mandatory for https_web profile

cmd/spire-server/cli/run/run.go Outdated
return nil, nil

default:
return nil, errors.New(`no bundle endpoint profile defined; current supported profiles are "https_spiffe" and 'https_web"`)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this would be a bit clearer if we talk about configuration explicitly. If we're hitting this, then a profile is set but it's unknown? It would be nice if we could also say what the value of the unknown profile was so the user can more easily find it. I don't think we should block on that though

Suggested change
return nil, errors.New(`no bundle endpoint profile defined; current supported profiles are "https_spiffe" and 'https_web"`)
return nil, errors.New(`unknown bundle endpoint profile configured; current supported profiles are "https_spiffe" and 'https_web"`)

cmd/spire-server/cli/run/run.go Outdated
@@ -695,6 +751,23 @@ func parseBundleEndpointProfile(config federatesWithConfig) (trustDomainConfig *
}, nil
}

func parseSingleAstNode(node ast.Node) (string, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may consider renaming this function since it has logic specifically for bundle endpoint profile handling e.g. parseBundleEndpointProfileASTNode or maybe something shorter 😂

doc/spire_server.md Outdated
|-----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| address | IP address where this server will listen for HTTP requests |
| port | TCP port number where this server will listen for HTTP requests |
| acme | Automated Certificate Management Environment configuration section (see below) |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we remove this from the docs since we're trying to deprecate it?

@MarcosDY
PR changes
450d3d1 
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
@MarcosDY
resolve lint
79d7f0d 
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
evan2645
evan2645 reviewed Sep 12, 2023
View reviewed changes
cmd/spire-server/cli/run/run.go Outdated
if acme != nil {
acmeConfig = configToACMEConfig(acme, dataDir)
if acme == nil {
return nil, fmt.Errorf("falformed https_web: ACME is required")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor typo

Suggested change
return nil, fmt.Errorf("falformed https_web: ACME is required")
return nil, fmt.Errorf("malformed https_web profile configuration: ACME is required")

doc/spire_server.md
refresh_hint = "10m"
profile "https_web" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

non-blocking: Sorry I missed this before, but I think we need to document this in ### Configuration options for federation.bundle_endpoint section?

@MarcosDY
More PR changes
3d85356 
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
@MarcosDY
some rewording
1094417 
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
@MarcosDY
resolve lint issues
b1a3d6f 
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
@rturner3 rturner3 added this to the 1.8.0 milestone Sep 13, 2023
@rturner3 rturner3 merged commit 2b392e8 into spiffe:main Sep 13, 2023
31 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@evan2645 evan2645 evan2645 approved these changes

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo amartinezfayo is a code owner

@azdagron azdagron Awaiting requested review from azdagron azdagron is a code owner

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

Assignees

@evan2645 evan2645

Labels
None yet
Projects
None yet
Milestone
1.8.0
Development

Successfully merging this pull request may close these issues.

SPIRE bundle endpoint server should be configurable in terms of profile
3 participants
@MarcosDY @evan2645 @rturner3