Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Production Identity Day: SPIFFE + SPIRE 2020 / 4 Dec 2020
Cloud Native Computing Foundation / Production Identity Day: SPIFFE + SPIRE 2020 / 4 Dec 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SPIRE Project Updates - Agustín Martínez Fayó

Description

SPIRE Project Updates - Agustín Martínez Fayó

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

A

Well, yes, I am, um I was team, martinez fascio and I am a spire maintainer and I've been lucky to be part of the project since the beginning.

A

So we will share some uh project updates.

A

um So, uh let's, uh let's start by sharing some numbers to have an idea of how the the project has been evolving during the last year. So I will show some some numbers since last kubecon in san diego.

A

So we we had seven releases.

A

That included more than 20 features.

A

And around 40 buck fixes and improvements.

A

That were done in more than uh 230 merchant beers um uh and all that uh was done by um 36 different contributors. um So it's uh it's really nice to see a lot of contributions from the community and see how this is growing and growing over time. This really shows that the project is really healthy.

A

So uh well, let's, let's get right into some of the the recent accomplishment uh done in the project, uh so we will refactor it the aspire server apis in a in a set of more like more resource oriented apis.

A

We we realized that the original apis.

A

That were organized in the in the node and registration apis started to show some structural problems uh in terms of how how the apis were organized.

A

For example, uh when adding some some new functionality, it was uh difficult to find the right place to add it, uh maybe simply because it it didn't actually fit well in the in the node or registration apis.

A

So, after after a lot of design, work and feedback, they they were refactored in different apis, depending on the on the resource like asian bundle, entry uh or resvit, um and we also took the opportunity to improve the the consistency across the apis in terms of uh things like passionation and filtering of fields.

A

So one other thing is that a lot of work has been done uh to update the spire documentation, uh adding examples um and tutorial uh for the most used and critical use cases included well, kubernetes oidc authentication, a lot of different use cases using envoy nested aspire federation, the use of telemetry inspire, so we have now a lot of guides that can help you get started with the with the most user use cases so yeah that that that is good and we just heard from kesley that he enjoyed looking at the documentation um so um well back back in april, we had uh the spire uh 0.10 release where we completed all the work uh needed to have uh support for judd svitz in nested aspire, topologies.

A

And other things important to mention is that over over the past few months, we have been working on.

A

Improving the the client libraries that we have in go and java.

A

So, um uh regarding the the gold spf library, we saw that the ghost p51 uh started to show some signs uh that it it needed an update uh because um it was not as flexible as we wanted.

A

It was missing some key functionality like federation and just as much support.

A

So earlier this year, we we worked on on a refresh of the library, rethinking it from scratch, and we uh we worked on on the v2, which provides uh low, uh both low and high level uh interfaces to handle the common use cases that includes establishing mutually authenticated tls between workflows that are powered by spf.

A

uh It also makes makes it easy to obtain and validate um both x5 online and just beats it well. It also provides all the resources needed to further rate trust between trust domains using spf, bundles and all all the functionality needed to perform things like uh bundle, management, spiffidi handle or sv verification.

A

So you can do that now in with with tiny amount of code. um Also, a lot of work uh has been done in the java spf library to provide again new functionality through new interfaces, and all this has been done in a more modular way.

A

That makes makes it easier to to have a more testable library.

A

So, let's, let's take a look at the the recent releases of the fire, so the most the most recent release is 0 11 1. That will really set. I think, at the end, at the end of september, uh that uh that included um an improvement in the aws pca of upstream authority, plugging and also the option to disable rate limiting of node attestation request among, among other improvements and fixes.

A

In 0 11, we introduced the the refactored server apis that I just talked about.

A

Also an improvement in the unix workload tester and the the kubernetes workload resistor was extended to support the tune modes that are the the crd and the reconcile modes.

A

In 0 10 1, the main the main new feature was the addition to support vault as an uptrend authority.

A

And in 0 10, where we had a bunch of new things and improvements, including the the support for test with in nested spire, um introducing the the upstream authority plug-in. uh There were other uh other improvements like um the reduction of database load in certain configurations and the ability of asians to proactively rotate in the workloads aspects.

A

When, when there are an update in the registration.

A

So.

A

Let's, let's talk a little bit about uh what is keeping us busy now? uh What are the things that uh we're spending time on now so uh well, for for, for many reasons, uh we have been kind of deferring 1.00 for some time.

A

uh There were some uh reasons for that, uh like the the refactor of the server apis, um we thought that uh having a a well established set of server apis in one of those would be a good thing uh rather than releasing one the row and and then do a big refactor right uh so um that that was one thing.

A

uh There were other things that are maybe less technical but still important to decide uh in order to to have a clear path towards wonderou and also after one row like process decisions, including um the release, cadence compatibility and how we will manage versioning going forward.

A

So there have been a lot of things to decide uh and to work on uh to be able to to finally um have 1.0, uh but um at this point we we are getting closer to that and we really think that uh we should be able to have a wonderful reason.

A

So uh there are a lot of proposals being discussed at this moment, which is something great. uh One of of them is a proposal for tpm node at the station. That is based on on an approach following a draft specification from the trusted computing group. That deliberations divide the certificate to authenticate each device.

A

There is also an ongoing effort to add support uh for aws, uh kms and manager signing keys um since, since this this would be the the first uh key management plugin that depends on an external service.

A

So one of the things that are under discussion is the like the exact behavior on failures, including timeouts and retries strategies, so that is also being discussed now um there is a proposal for updating the this fire data store to have a simple plugable solution that would be able to to support both sql and key value stores.

A

So again, a lot of discussion around that, so obviously we're a bit short in time. We have about three minutes left uh three to four okay, yeah so uh well, there are many many different scenarios where installing expiration is not possible and that that obviously is a problem uh inspired where the the workloads running in those environment can't access the workload api.

A

So there is a proposal under discussion to address that problem. um Right now, it's focused on providing support for the for the different serverless compute services provided uh by by the by the measured cloud uh providers um as the like the primary use case. But the idea is to come up with uh with a solution uh or or a set of solutions um for the different scenarios.

A

um The good allow to be able to use um spire in those environments uh where you can't install a nation and then quickly, we we had the forced rotation and revocation, as pending roadmap item for a while, but now there is a a concrete proposal to scope the work needed to provide a quick, reliable and automated mechanism of like recovering from key compromise.

A

So the the proposal defines some some steps to accomplish that and also introduces some new apis in order to achieve that process. So that's under active discussion. Now um uh there is a proposal to add the certificate uh certificate transparency, support inspired through a new plugin type. um This this is being discussed also, so let's try to go quickly through this, so we uh we already talked about the things that are keeping missing us now, but there are some other things that we have in the horizon, like in the implementation of the break class mode.

A

It's it's well known that spire is a since it's it's a critical piece in any production system that relies on aspire uh to provide identities on workloads.

A

So if, if spy is not able to properly provide new speeds or renew existing ones, it that will result in in service interruptions, so a break last mode would be a way to provide a mechanism that allows fire to continue providing identities even in the states where um a failure would prevent the spire from missing aspects.

A

So there is a currently a request for comment issue for that, although we haven't actively discussed that yet so that's something pending, uh so the health check system inspire uh can become improved. We recently added the back end points to get information about the agent and the server, but there is room to improve uh the current uh way to um to check the health of aspire, server and nation to make it more reliable and complete.

A

um We also uh one of the things that we we have in the roma is to to review the there are messages to have um that we have uh to make sure that they are not only descriptive of the error, but also that helps to have a resolution for the condition we have some work to do in order to productionize kubernetes deployments to adhere to security, best practices, and we also plan to look at how does the the correspond exposed service facilities, plugins and plugins exposed services? Spirocore can utilize in exchange.

A

And in terms of secret, less authentication to google compute platform and microsoft azure, we have plans to expand the the ioidc federation integration support to those platforms.

B

Augustine uh amazon.

A

Web services is.

B

Already supported correct, that's the reason why it's not in that list.

A

Yeah correct yes, so this is only for future future work.

B

Great augustine, where a time thanks for the update this this is a lot. There is certainly a lot of momentum going on for the project very excited fired up to see this uh slides will be made available. I know you had a few extra spikes, but we do need to move on to the to the next section. Is there a place? uh You would like to call out folks to come check out, perhaps the spy repo or where can they find this information you've been talking about.

A

Yeah, I guess the spy repo and also looking at the the roadmap that we have in the inspire repo, yeah and obviously through slug. You can contact me.

B

Fantastic. Thank you very much great updates from both the core of spiffy and the core of spire. There's a lot under development, a lot of new directions being contemplated in the future to further enhance the projects.