[v16] Workload Identity: SPIFFE Federation Syncer (#46060)
* Start hacking on implementation

* Add new proto field

* More resilient change detection

* Calculate next sync time for https-web bundles

* Add validation of spiffesyncer parameters

* Flesh out events watcher mechanism

* Start putting together test for SPIFFEFederationSyncer

* Add UpdateSPIFFEFederation to service

* Flesh out test for UpdateSPIFFEFederation

* Working test "TestSPIFFEFederationSyncer_syncFederation" for basic
functionality

* Add additional validation for SPIFFEFederation

* Add more cases to TestSPIFFEFederationSyncer_syncFederation

* Add retry mechanism to syncer

* Tidy up logging

* Add SPIFFEFederationSyncer to lib/service init

* Use buffered channel for firstrun

* Fix potential deadlock with syncing

* Tidying up logging/naming

* Tidy up retry calculation

* Expand test suite

* Appease linter

* Use `GetStatus` for nil safety

* switch `UpdateResource` -> `ConditionalUpdateResource`

* Fix unprotected map access

* Add select condition for w.Done

* Correct comment

* Fix nil panic

* Fix TestSPIFFEFederationService_UpdateSPIFFEFederation

* Tidy up logging of refresh hint adjustment
strideynet authored Aug 30, 2024
1 parent c804ad5 commit 75e0387
Showing 9 changed files with 1,104 additions and 32 deletions.
76 changes: 48 additions & 28 deletions api/gen/proto/go/teleport/machineid/v1/federation.pb.go


18 changes: 14 additions & 4 deletions api/proto/teleport/machineid/v1/federation.proto
@@ -16,7 +16,6 @@ syntax = "proto3";

package teleport.machineid.v1;

import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";
import "teleport/header/v1/metadata.proto";

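Review bot: removing `import "google/protobuf/duration.proto";` matches the status message below no longer declaring a `google.protobuf.Duration` field, but this hunk shows only the import block; confirm that nothing else in federation.proto (the `SPIFFEFederationSpec` region that the next hunk header skips over, for instance) still references `Duration`, since protoc will reject the file if it does. No change needed if the generated `federation.pb.go` in this commit compiles.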
@@ -72,11 +71,22 @@ message SPIFFEFederationSpec {

// FederationStatus is the status of a trust domain federation.
message SPIFFEFederationStatus {
reserved 3;
reserved "current_bundle_refresh_hint";

// The most recently fetched bundle from the federated trust domain.
string current_bundle = 1;
// The time that the most recently fetched bundle was obtained.
google.protobuf.Timestamp current_bundle_synced_at = 2;
// The duration that the current bundle suggests the next bundle should be
// refresh after.
google.protobuf.Duration current_bundle_refresh_hint = 3;
// The time that this SPIFFE federation should be synced again. This is
// usually determined by the refresh hint provided within the current bundle
// but this can be overridden by the server where the provided refresh hint
// is not appropriate.
//
// A value of zero indicates that an automatic sync is not scheduled (e.g.
// because the bundle source is static).
google.protobuf.Timestamp next_sync_at = 4;
// The SPIFFEFederationBundleSource that was used for the currently synced
// bundle. This allows the bundle to be resynced if the source changes.
SPIFFEFederationBundleSource current_bundle_synced_from = 5;
}
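Review bot: the doc comment still reads `FederationStatus` while the message is `SPIFFEFederationStatus`; that is a context line, so the mismatch predates this change, but it is worth fixing while the comments in this message are being rewritten. On the new `next_sync_at` field, "A value of zero indicates that an automatic sync is not scheduled" is ambiguous for a `google.protobuf.Timestamp` message field, which can be unset or can hold an explicit epoch value; say "unset" (or whichever representation the syncer actually checks) so that the server writing the status and the syncer reading it agree on how "no automatic sync" is encoded. `current_bundle` is documented only as "the most recently fetched bundle"; stating its encoding would help, since anything consuming the status has to parse it. Reserving both the number and the name of the removed `current_bundle_refresh_hint` is the right way to retire field 3 and prevents accidental reuse by a later field.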
