Improve usability of sconecas_sessionmanager svidstore plugin
#1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SilvaMatteus
changed the title
sconecas_sessionmanager svidstore plugin
SilvaMatteus
force-pushed
the
improve-usability
branch
from
3599a7c to
b0afd83
Compare
amand-io
reviewed
Nov 9, 2021
Benardi
reviewed
Nov 11, 2021
Benardi
reviewed
Nov 12, 2021
SilvaMatteus
force-pushed
the
improve-usability
branch
from
3cccddd to
61e2c57
Compare
|
@SilvaMatteus, I've been led to believe we might have an inconsistency in the debugging logging when posting the "svid-session" in my most recent test. Whether the session has been posted or not, there's no debug log stating it has been posted like there is for the spire-ca session: time="2021-11-17T14:31:08Z" level=debug msg="SVID stored successfully" entry=a74c6921-8ec1-44ee-aa5a-55224fa51d5a revision_number=2 spiffe_id="spiffe://example.org/scone-service" subsystem_name=svid_store_service svid_store=sconecas_sessionmanagerOBS: Informing the SVID has been stored successfully should not be an INFO level log? Sounds way too important to be relegated into a DEBUG level log. Server's EntryEntry ID : a74c6921-8ec1-44ee-aa5a-55224fa51d5a
SPIFFE ID : spiffe://example.org/scone-service
Parent ID : spiffe://example.org/spire/agent/k8s_sat/minikube/1cbfcf70-d6f7-4c1c-a531-808f83a79898
Revision : 0
TTL : default
Selector : sconecas_sessionmanager:session_hash:e4ff1d56ecbe4cc8e59dc732fb51de0a48a679ca81cc8236c6aa85f98708360d
Selector : sconecas_sessionmanager:session_name:fMlPiGTFGdupNoZ/svid-session
Selector : sconecas_sessionmanager:trust_bundle_session_name:fMlPiGTFGdupNoZ/bundle-session
StoreSvid : true
Agent's log once entry is created:time="2021-11-17T14:31:06Z" level=debug msg="SVID updated" entry=a74c6921-8ec1-44ee-aa5a-55224fa51d5a spiffe_id="spiffe://example.org/scone-service" subsystem_name=svid_store_cache
time="2021-11-17T14:31:08Z" level=warning msg="cannot read predecessor for session " external=false open /run/spire/data/store-svid-scone/spire-svid-fMlPiGTFGdupNoZ/svid-session: no such file or directory="<unknown>" plugin_name=sconecas_sessionmanager plugin_type=SVIDStore subsystem_name=catalog
time="2021-11-17T14:31:08Z" level=info msg="Posting Session:" external=false name: spire-svid-fMlPiGTFGdupNoZ/svid-session
version: "0.3"
predecessor: ~
secrets:
- name: svid
kind: x509
value: |
-----BEGIN CERTIFICATE-----
MIIB6jCCAY+gAwIBAgIQQFyvzsEGZi3bZXQtux4ZxzAKBggqhkjOPQQDAjAeMQsw
CQYDVQQGEwJVUzEPMA0GA1UEChMGU1BJRkZFMB4XDTIxMTExNzE0MzA1NloXDTIx
MTExODAwMzEwNlowHTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBVNQSVJFMFkwEwYH
KoZIzj0CAQYIKoZIzj0DAQcDQgAEZC+aGIP2XmReoc0oHCOyzHWkW+7JA19vwQOV
eFY4lbnCkAGjpAMQzSysWKm/mbfdJwrAbTe1f45vOPqwgNEHW6OBrzCBrDAOBgNV
HQ8BAf8EBAMCA6gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFBfO4qrG0PPyiS7IakIz4Ctekg+SMB8GA1UdIwQY
MBaAFMkuAGRouHsUDYO5WZAl1TuvEctLMC0GA1UdEQQmMCSGInNwaWZmZTovL2V4
YW1wbGUub3JnL3Njb25lLXNlcnZpY2UwCgYIKoZIzj0EAwIDSQAwRgIhAMQ4Dx/G
qhmI6AmfR8JLiTM4AjLN354zq+4QCmrpOlf1AiEA/A38J5Rn2UnNZA1ioN54e3XY
WK08xj028nBQ/UzOeVk=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB4TCCAWagAwIBAgIQNaMETvG863jgrgXJAsajYDAKBggqhkjOPQQDAzAeMQsw
CQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMB4XDTIxMTExNzEzMTczMFoXDTIx
MTExODEzMTc0MFowHjELMAkGA1UEBhMCVVMxDzANBgNVBAoTBlNQSUZGRTBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABOa0ra94d58HYIzcLSYeDAMewWNlwefkevQ6
fhUOkG6xHpcAH82+amvPs31+Mu9BBDxidIzpQtPtbr1zNc9lrh+jgYUwgYIwDgYD
VR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMkuAGRouHsU
DYO5WZAl1TuvEctLMB8GA1UdIwQYMBaAFIel81ei8DWswPhkxFTnbtO6OcjoMB8G
A1UdEQQYMBaGFHNwaWZmZTovL2V4YW1wbGUub3JnMAoGCCqGSM49BAMDA2kAMGYC
MQD/dlCVHDasdsPBmz0I8E+Z/BtRHcuvw+10hSxxybBmMuHMz2U+0Yi6C4ibkAFs
OfgCMQDj9jXh/DqBYwP9JYC9gH6AwNCHmEsUZzFr+ekaW8j3WBVkoOihex5HpFls
L+56iqY=
-----END CERTIFICATE-----
export:
session: fMlPiGTFGdupNoZ/svid-session
session_hash: e4ff1d56ecbe4cc8e59dc732fb51de0a48a679ca81cc8236c6aa85f98708360d
private_key: svid_key
- name: svid_key
kind: private-key
value: |
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgn8WL2ZJopJf7403H
FFH4FJRoYZUJD8JHG3pRQWIl5tehRANCAARkL5oYg/ZeZF6hzSgcI7LMdaRb7skD
X2/BA5V4VjiVucKQAaOkAxDNLKxYqb+Zt90nCsBtN7V/jm84+rCA0Qdb
-----END PRIVATE KEY-----
export:
session: fMlPiGTFGdupNoZ/svid-session
="<unknown>" plugin_name=sconecas_sessionmanager plugin_type=SVIDStore subsystem_name=catalog
time="2021-11-17T14:31:08Z" level=info msg="Saving predecessor hash=16a9a38ebb38f7235133c5d852b5dcf2b9428ebdc426171d6d76c60ddb989619 session_name=spire-svid-fMlPiGTFGdupNoZ/svid-session dir=/run/spire/data/store-svid-scone" external=false plugin_name=sconecas_sessionmanager plugin_type=SVIDStore subsystem_name=catalog
time="2021-11-17T14:31:08Z" level=warning msg="cannot read predecessor for session " external=false open /run/spire/data/store-svid-scone/spire-ca-fMlPiGTFGdupNoZ/bundle-session: no such file or directory="<unknown>" plugin_name=sconecas_sessionmanager plugin_type=SVIDStore subsystem_name=catalog
time="2021-11-17T14:31:08Z" level=info msg="Posting Session:" external=false name: spire-ca-fMlPiGTFGdupNoZ/bundle-session
version: "0.3"
predecessor: ~
secrets:
- name: spire-ca
kind: x509-ca
export_public: true
value: |
-----BEGIN CERTIFICATE-----
MIIBzDCCAVOgAwIBAgIJAJM4DhRH0vmuMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYT
AlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMTgwNTEzMTkzMzQ3WhcNMjMwNTEyMTkz
MzQ3WjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0C
AQYFK4EEACIDYgAEWjB+nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7m
CBKzfQkrgDguI4j0Z+0/tDH/r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXw
cCvLs/mcmvPqVK9jo10wWzAdBgNVHQ4EFgQUh6XzV6LwNazA+GTEVOdu07o5yOgw
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3Bp
ZmZlOi8vbG9jYWwwCgYIKoZIzj0EAwQDZwAwZAIwE4Me13qMC9i6Fkx0h26y09QZ
IbuRqA9puLg9AeeAAyo5tBzRl1YL0KNEp02VKSYJAjBdeJvqjJ9wW55OGj1JQwDF
D7kWeEB6oMlwPbI/5hEY3azJi16I0uN1JSYTSWGSqWc=
-----END CERTIFICATE-----
="<unknown>" plugin_name=sconecas_sessionmanager plugin_type=SVIDStore subsystem_name=catalog
time="2021-11-17T14:31:08Z" level=info msg="Saving predecessor hash=a7e84069cb234425bef2918ffd8c3367886e3c868f3054be01108065b769605e session_name=spire-ca-fMlPiGTFGdupNoZ/bundle-session dir=/run/spire/data/store-svid-scone" external=false plugin_name=sconecas_sessionmanager plugin_type=SVIDStore subsystem_name=catalog
time="2021-11-17T14:31:08Z" level=debug msg="SVID stored successfully" entry=a74c6921-8ec1-44ee-aa5a-55224fa51d5a revision_number=2 spiffe_id="spiffe://example.org/scone-service" subsystem_name=svid_store_service svid_store=sconecas_sessionmanager |
SilvaMatteus
force-pushed
the
improve-usability
branch
from
8d9174c to
efa9f86
Compare
Benardi
suggested changes
Nov 26, 2021
| | `sconecas_sessionmanager:session_hash` | `sconecas_sessionmanager:session_hash:03aa3f5e2779b625a455651b54866447f995a2970d164581b4073044435359ed` | HASH of the session returned by the SCONE CLI or CAS API | | ||
| | `sconecas_sessionmanager:trust_bundle_session_name` | `sconecas_sessionmanager:trust_bundle_session_name:spire-ca` | Name that replaces the `<\trust-bundle-session-name>` placeholder in the `bundle_session_template_file` | | ||
| | `sconecas_sessionmanager:fed_bundles_session_name` | `sconecas_sessionmanager:trust_bundle_session_name:fed-bundles` | Name that replaces the `<\fed-bundles-session-name>` placeholder in the `federated_bundles_session_template_file` | |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
| predecessorName := strings.ReplaceAll(p.templateInfo.sessionSvidNameTemplate, sessionNameSelectorPlaceholder, workloadInfo.CasSessionName) | ||
| session := strings.ReplaceAll(p.templateInfo.svidSessionTemplate, predecessorPlaceholder, p.readPredecessor(predecessorName)) | ||
| session = strings.ReplaceAll(session, svidPlaceholder, pemToSconeInjectionFile(svidChain)) | ||
| func (p *SessionManagerPlugin) generateSVIDSessionText(svidChain string, privKey string, workloadInfo *sconeWorkloadInfo, sessionName string) string { |
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
There was a problem hiding this comment.
Hi @Benardi, It seems like this has nothing to do with the plugin. You should create the entry with the -dns option to set the common name to secret-service. You can read more about that in the SPIRE Server docs (https://github.com/ufcg-lsd/spire/blob/main/doc/spire_server.md#spire-server-entry-create).
SilvaMatteus
force-pushed
the
improve-usability
branch
from
efa9f86 to
35b1111
Compare
|
@SilvaMatteus I've greenlighted the PR and moved the discussion on the logging to the following issue: spiffe#2641 |
@Benardi I think you moved it to the wrong place. It would be better to move this to an internal tracking system since the main SPIRE repo does not hold any SCONE plugin. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request check list
Description of change
Added a new configurable to skip TLS verify in connections with CASes. Also, changed the
cas_addrconfigurable tocas_connection_string.Now, the names for sessions with the bundle and sessions with federated bundles are configurable via new placeholders and new selectors.