Add bundle endpoint client #2
Conversation
Signed-off-by: Evan Gilman <evan@scytale.io>
main.go
Outdated
peerSpiffeID = flag.String("peerSpiffeID", "spiffe://cluster-2/spire/server", "The SPIFFE ID of the remote trust domain's bundle endpoint") | ||
|
||
namespace = flag.String("namespace", "istio-system", "The namespace of the config map to keep updated with the peer's CA certificates") | ||
configMapName = flag.String("configMapName", "cluster-2-ca-certs", "The name of the config map to keep updated with the peer's CA certificates") |
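Review bot: The peerSpiffeID default of spiffe://cluster-2/spire/server on the first line of this hunk should be dropped in favour of an empty default that is rejected at startup: this value is the identity the client will expect from the remote bundle endpoint, and a hard-coded default that happens to be valid in one test cluster can silently make the client trust the wrong peer anywhere else it is deployed. The namespace and configMapName defaults are likewise cluster-specific values rather than sensible general defaults.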
Please use "spiffe-tb-1" for now.
main.go
Outdated
|
||
namespace = flag.String("namespace", "istio-system", "The namespace of the config map to keep updated with the peer's CA certificates") | ||
configMapName = flag.String("configMapName", "cluster-2-ca-certs", "The name of the config map to keep updated with the peer's CA certificates") | ||
configMapKey = flag.String("configMapKey", "cluster-2-ca-certs", "The key to store the peer's CA certificates under in the configured config map") |
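Review bot: configMapName and configMapKey share the identical default cluster-2-ca-certs, which reads as a copy-and-paste and makes the ConfigMap data self-referential (a map named cluster-2-ca-certs holding a key named cluster-2-ca-certs). Give the key a name that describes its contents, for example trust_bundle alongside a trust_domain key, and state in the flag help which value is the object name and which is the data key.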
What about peerTrustDomain?
I'm using the following structure for the ConfigMap:
{
trust_domain: the trust domain, like "cluster-2"
trust_bundle: the PEM file
}
My thought is for each trust domain, use a separate ConfigMap starting with "spiffe-tb-".
But anyway, I think this is a short term solution. Propagating through an API on the IFS will likely be the ultimate goal :)
} | ||
|
||
func (b *BundleEndpointClient) updateRoots(ctx context.Context, roots, currentRoots []*x509.Certificate) error { | ||
// TODO: Check if we need to actually update anything |
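Review bot: The TODO on the first line of updateRoots should be resolved before this client runs in a loop: compare roots against currentRoots (for example by length and by the Raw bytes of each certificate) and return early when they match, so the ConfigMap is not rewritten on every poll. While there, reject an empty roots slice, since overwriting a working bundle with no certificates would break the federation this client is meant to maintain.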
Yes, that would be better, but we don't need it now :)
main.go
Outdated
@@ -17,6 +17,14 @@ var ( | |||
leafCertPath = flag.String("leafCertPath", "/etc/server/cert-chain.pem", "The leaf certificate to use for serving TLS") | |||
leafKeyPath = flag.String("leafKeyPath", "/etc/server/key.pem", "The private key of the leaf certificate to serve TLS with") | |||
|
|||
peerTrustDomainName = flag.String("peerTrustDomain", "spiffe://cluster-2", "The trust domain name to federate with") | |||
peerEndpointAddress = flag.String("peerEndpointAddress", "35.193.205.112", "The address of the remote trust domain's bundle endpoint") |
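Review bot: The peerTrustDomain default spiffe://cluster-2 contradicts its own help text: a trust domain name is the bare cluster-2, while the spiffe:// form is a SPIFFE ID, and mixing the two will make any comparison against the trust domain of certificates from the bundle fail. The variable is also named peerTrustDomainName while the flag is peerTrustDomain; pick one. Separately, the peerEndpointAddress default 35.193.205.112 is a bare public IP with no port baked into the binary; an empty default that fails validation at startup is safer than shipping an address that is only meaningful in one environment.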
Let's use a dedicated IP "240.0.0.10" for now. In the cluster, we create a service entry with a virtual IP for the external IP. We can use a DNS name, but that requires configuring CoreDNS, and I just don't want to worry about it for now :)
Also set trust domain name in config map
Signed-off-by: Evan Gilman <evan@scytale.io>
This commit adds a bundle endpoint client to IFS.
I have gone as far as ensuring it compiles :). There are almost certainly several bugs lurking, but I also don't have a great way to test it. @myidpt if you could do a CR pass on this for anything obvious, that would be great. We'll merge it in, then test it together after that.
Signed-off-by: Evan Gilman <evan@scytale.io>