
Pull identity initialization out of app building #2866

Closed
wants to merge 1 commit into from

Conversation


@zaharidichev zaharidichev commented Apr 8, 2024

The purpose of this change is to allow a SPIRE identity to be obtained without prior knowledge of the TLS id or the roots. In addition to that, the change enables us to construct and initialize the identity before we construct the proxy App. In order to achieve that:

  • the identity config has been split into Spire and Linkerd structs
  • metrics related components can be passed to the Config::build method
  • the Credentials trait has been modified to accept roots in addition to the rest of the credentials
  • when the app is constructed, it is assumed that identity has already been initialized.

TODO:

  • pull pkix pem parsing crate functionality into our codebase
  • conage/fix proxy initialization tests

@zaharidichev zaharidichev requested a review from a team as a code owner April 8, 2024 08:07
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
@@ -34,3 +34,4 @@ tokio-stream = { version = "0.1", features = ["time", "sync"] }
tonic = { version = "0.10", default-features = false, features = ["prost"] }
tower = "0.4"
tracing = "0.1"
pkix = "0.2.3"
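Review bot: the new `pkix = "0.2.3"` line pins an exact patch release while every neighbouring entry in this hunk (`tower = "0.4"`, `tracing = "0.1"`) uses a minor-level requirement, and the PR description's own TODO says the PEM-parsing functionality is to be pulled into the codebase, so this dependency is expected to be temporary; suggest `pkix = "0.2"` for consistency if it stays, removing the entry once the in-tree parsing lands, and stating in the commit message why a second PEM parser is needed alongside the rustls-pemfile dependency the project already carries.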
@olix0r olix0r Apr 8, 2024


We need to be conservative about pulling in random dependencies of various maintenance statuses... especially for our TLS related dependencies.

Can we use rustls-pemfile, since we already depend on it and have a relationship with the maintainers?

Or is it possible to update the store contract to take roots as EITHER Der or PEM? Can the underlying TLS impls take either?

Comment on lines +343 to +355
[[package]]
name = "chrono"
version = "0.4.37"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a0d04d43504c61aa6c7531f1871dd0d418d91130162063b789da00fd7057a5e"
dependencies = [
"android-tzdata",
"iana-time-zone",
"js-sys",
"num-traits",
"wasm-bindgen",
"windows-targets 0.52.0",
]
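Review bot: this lockfile entry brings in chrono 0.4.37 together with android-tzdata, iana-time-zone, js-sys, wasm-bindgen and windows-targets, yet no Cargo.toml hunk on this page adds chrono directly, so it is arriving transitively; suggest running `cargo tree -i chrono` to identify which crate pulls it in (pkix is the only new direct dependency shown in this PR) and, where that crate's features allow, disabling its default features so the timezone and wasm dependencies drop out of the lock.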
@olix0r olix0r Apr 8, 2024


I would like to avoid a dependency on Chrono, unless we are actually using some advanced timezone-aware time calculation feature. There's history.

@olix0r olix0r marked this pull request as draft April 8, 2024 23:19