Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prepare for 0.7.2 #685

Merged
merged 27 commits into from
Jan 22, 2019
Merged

Prepare for 0.7.2 #685

merged 27 commits into from
Jan 22, 2019

Conversation

evan2645
Copy link
Member

A golang release is expected to drop tomorrow to address a yet-to-be-announced vulnerability. This PR pulls up the 0.7 branch in anticipation of a SPIRE release with the updated version.

The commits in this PR have been cherry-picked from master and thus have already undergone CR. Please review this PR from an upgrade compatibility standpoint.

The changelog-worthy updates:

evan2645 and others added 26 commits January 22, 2019 13:24
@evan2645
Bump to 0.7.2-dev
d2c77c0 
Signed-off-by: Evan Gilman <[email protected]>
@marcosy @evan2645
Add go-modules to build system
05aa15b 
Signed-off-by: Marcos G. Yedro <[email protected]>
@marcosy @evan2645
Removing dep-related commands and files
77f79a0 
Signed-off-by: Marcos G. Yedro <[email protected]>
@dgervais @evan2645
incorrect syntax for aws_iid resolver example in docs
b408737 
updated example
from: arn:aws:iam::123456789012:instance-profile/Blog
to: iamrole:arn:aws:iam::123456789012:instance-profile/Blog

Signed-off-by: David Gervais <[email protected]>
@dgervais @evan2645
deprecate use of github.com/satori/go.uuid for github.com/gofrs/uuid
bbcd670 
Gopkg.toml version of [email protected] did not include non-random uuid fix:
satori/go.uuid#73

also, deprecation notice for satori/go.uuid posted via issue:
satori/go.uuid#84

community recommended replacement is available at github.com/gofrs/uuid

* updated Gopkg.toml to use github.com/gofrs/uuid @ 3.1.2
* rebuilt Gopkg.lock
* incorporate symmantics of uuid.NewV4() can return error

Signed-off-by: David Gervais <[email protected]>
@marcosy @evan2645
Makefile refactor, adding help target
acf0492 
Signed-off-by: Marcos G. Yedro <[email protected]>
@marcosy @evan2645
Updating documentation
395fe58 
Signed-off-by: Marcos G. Yedro <[email protected]>
@marcosy @evan2645
Updating gofrs to use modules
26702ea 
Signed-off-by: Marcos G. Yedro <[email protected]>
@marcosy @evan2645
Removing missing dep references
afbfea1 
Signed-off-by: Marcos G. Yedro <[email protected]>
@evan2645
Dont allow agents to specify X509-SVID Subject
e6e639b 
Currently, SPIRE server signs certificates using the subject specified
in the CSR. Since SPIRE has no way of actually validating this
information, it should not be included.

The agent generates CSRs with a hardcoded Subject. As a quick fix, this
commit uses the same hardcoded Subject except it is set on the server
side directly.

Signed-off-by: Evan Gilman <[email protected]>
@marcosy @evan2645
Adding new module for tools/utils
955c7d4 
Signed-off-by: Marcos G. Yedro <[email protected]>
@azdagron @evan2645
registration API auth via SPIFFE
cd962b6 
- added "admin" flag to registration entries
- updated CLI to support "admin" flag
- refactored registration handler tests to unify code and remove mocking

Signed-off-by: Andrew Harding <[email protected]>
@marcosy @evan2645
Move utils to tools folder (recommended name)
d01f0fd 
Signed-off-by: Marcos G. Yedro <[email protected]>
@marcosy @evan2645
Run 'go mod tidy' in tools module
8ba3a12 
Signed-off-by: Marcos G. Yedro <[email protected]>
@azdagron @evan2645
refactor to require handler to handle authorization
b69a8c6 
Signed-off-by: Andrew Harding <[email protected]>
@azdagron @evan2645
additional error info when no auth implemented
c496148 
Signed-off-by: Andrew Harding <[email protected]>
@marcosy @evan2645
Selecting node resolver based on attestation type
5f0d8b4 
Signed-off-by: Marcos G. Yedro <[email protected]>
@marcosy @evan2645
Improve test cases based on PR comments
6bf97a9 
Signed-off-by: Marcos G. Yedro <[email protected]>
@evan2645
Fix debug message formatting in node resolver
c84765c 
Signed-off-by: Scott Emmons <[email protected]>
@evan2645
proto/agent/keymanager: Add StorePrivateKey to plugin API
1d8c5b1 
Signed-off-by: R. Tyler Julian <[email protected]>
@evan2645
pkg/agent: Update KeyManager implementations and svid rotator logic
8f0ea4e 
Signed-off-by: R. Tyler Julian <[email protected]>
@evan2645
agent/svid: Refactor key storage, add atomic disk writes
bee8f6f 
Signed-off-by: R. Tyler Julian <[email protected]>
@evan2645
Fixup protobuf docs
ed378c6 
Signed-off-by: R. Tyler Julian <[email protected]>
@evan2645
Fix agent keymanager protobuf generation
9ad67c8 
Signed-off-by: R. Tyler Julian <[email protected]>
@evan2645
agent/nodeattestor/gcp: Use FQDN to find metadata server
c03b9c5 
In GCP node attestation, we request the instance identity token using
the `metadata` DNS record. This uses `/etc/resolv.conf` to expand into
`metadata.google.internal`; however, this means that node attestation
has a dependency on GCP's default resolution, which makes it difficult
for consumers with custom DNS resolvers.

```
$ cat /etc/resolv.conf
domain foo.internal
search foo.internal. google.internal.
nameserver 169.254.169.254
```

This change removes the dependency on `/etc/resolv.conf` by querying the
metadata server using its FQDN `metadata.google.internal`.

Signed-off-by: R. Tyler Julian <[email protected]>
@evan2645
agent/common/cgroups: Move cgroup logic from k8s attestor to common
1adef15 
This change moves cgroup-related logic in the k8s plugin to a shared
agentutil package, since workload attestation using other docker-based
orchestration platforms needs to do similar cgroup lookups.

Signed-off-by: R. Tyler Julian <[email protected]>
azdagron
azdagron previously approved these changes Jan 22, 2019
View reviewed changes
Copy link
Member

@azdagron azdagron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I think we're ok on compatability.

@evan2645
Fix node api handler test following conflict resolution
3be05dc 
Looks like I flubbed some of the conflict resolution when cherry-picking
from master. This small commit corrects the error and pulls the node api
handler tests up to equal the contents in master.

Signed-off-by: Evan Gilman <[email protected]>
@evan2645 evan2645 merged commit d4ef3f8 into spiffe:v0.7 Jan 22, 2019
@evan2645 evan2645 deleted the prepare-for-0.7.2 branch January 22, 2019 22:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@azdagron azdagron azdagron approved these changes

@ajessup ajessup Awaiting requested review from ajessup

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo

@drrt drrt Awaiting requested review from drrt

@MarcosDY MarcosDY Awaiting requested review from MarcosDY

@martincapello martincapello Awaiting requested review from martincapello

@walmav walmav Awaiting requested review from walmav

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@evan2645 @azdagron @marcosy @dgervais