
Commit 23ccb7a

Allow cluster names in Cofide identities (#97)
chore: Allow cluster names in Cofide identities

Closes #96

Removes the regex validation of the SPIFFE IDs for access to the Connect API. Envoy will still validate the presented cert, but then which identities can do what is handled within Connect application code.

On the xds service the validation remains to only allow the Cofide agent to connect to it, but the regex is updated to allow SPIFFE IDs both with and without cluster names in them. Once Connect is updated to always include the cluster name in this identity the old one can be removed.
1 parent cf1ba8c commit 23ccb7a

File tree

2 files changed

+18
-31
lines changed

charts/cofide-connect/Chart.yaml

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ type: application
1515
# This is the chart version. This version number should be incremented each time you make changes
1616
# to the chart and its templates, including the app version.
1717
# Versions are expected to follow Semantic Versioning (https://semver.org/)
18-
version: 0.11.6
18+
version: 0.11.7
1919

2020
# This is the version number of the application being deployed. This version number should be
2121
# incremented each time you make changes to the application. Versions are not expected to
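Review bot: a patch-level bump (0.11.6 to 0.11.7) understates what this commit changes in the second file, where Envoy stops enforcing a SPIFFE ID allow-list on the Connect API listener and that decision moves into application code. Consider a minor bump, or at least a note in the chart's release notes, so operators upgrading know that peer identity enforcement now depends on the Connect version they are running alongside this chart.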

charts/cofide-connect/templates/configmap-envoy.yaml

Lines changed: 17 additions & 30 deletions
@@ -48,10 +48,16 @@ data:
4848
combined_validation_context:
4949
default_validation_context:
5050
match_typed_subject_alt_names:
51+
# cofide-agent identity without cluster name - legacy, to be removed
5152
- san_type: URI
5253
matcher:
5354
safe_regex:
54-
regex: spiffe://[^/]*/ns/cofide/sa/cofide-agent
55+
regex: spiffe://[^/]+/ns/cofide/sa/cofide-agent
56+
# cofide-agent identity with cluster name
57+
- san_type: URI
58+
matcher:
59+
safe_regex:
60+
regex: spiffe://[^/]+/cluster/[^/]+/ns/cofide/sa/cofide-agent
5561
validation_context_sds_secret_config:
5662
name: ALL
5763
sds_config:
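Review bot: the legacy matcher's regex quietly changes from `spiffe://[^/]*/ns/cofide/sa/cofide-agent` to `spiffe://[^/]+/ns/cofide/sa/cofide-agent`, which now rejects an empty trust domain; that is a reasonable tightening but it is not mentioned in the commit message, so please call it out there. Two further points on the new `spiffe://[^/]+/cluster/[^/]+/ns/cofide/sa/cofide-agent` entry: the `[^/]+` after `/cluster/` accepts any cluster name, so this matcher only pins the service account, not the cluster, which is fine if the xDS service is meant to serve every cluster's agent but worth stating in the comment; and since the "legacy, to be removed" entry has no tracking reference, add the follow-up issue number to that comment so it is not forgotten once Connect always emits the cluster-qualified identity.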
@@ -224,35 +230,16 @@ data:
224230
grpc_services:
225231
- envoy_grpc:
226232
cluster_name: spire_agent
227-
combined_validation_context:
228-
default_validation_context:
229-
match_typed_subject_alt_names:
230-
- san_type: URI
231-
matcher:
232-
safe_regex:
233-
regex: spiffe://[^/]*/ns/cofide/sa/cofide-agent
234-
- san_type: URI
235-
matcher:
236-
safe_regex:
237-
regex: spiffe://[^/]*/spire/server
238-
- san_type: URI
239-
matcher:
240-
safe_regex:
241-
regex: spiffe://[^/]*/ns/cofide/sa/cofide-observer
242-
- san_type: URI
243-
matcher:
244-
safe_regex:
245-
regex: spiffe://[^/]*/ns/cofide/sa/trust-zone-operator
246-
validation_context_sds_secret_config:
247-
name: ALL
248-
sds_config:
249-
resource_api_version: V3
250-
api_config_source:
251-
transport_api_version: V3
252-
api_type: GRPC
253-
grpc_services:
254-
- envoy_grpc:
255-
cluster_name: spire_agent
233+
validation_context_sds_secret_config:
234+
name: ALL
235+
sds_config:
236+
resource_api_version: V3
237+
api_config_source:
238+
transport_api_version: V3
239+
api_type: GRPC
240+
grpc_services:
241+
- envoy_grpc:
242+
cluster_name: spire_agent
256243
filters:
257244
- name: envoy.filters.network.http_connection_manager
258245
typed_config:
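Review bot: removing the whole `combined_validation_context` here means the Connect API listener no longer restricts peers to the four listed identities (`cofide-agent`, `spire/server`, `cofide-observer`, `trust-zone-operator`); any workload holding a SVID issued within the trust bundle served by the retained `validation_context_sds_secret_config` (`name: ALL`, from `spire_agent`) now completes the mTLS handshake. The commit message says per-identity authorization is enforced in Connect application code, but nothing in this hunk or chart references that code or the Connect version that carries it, so please link the corresponding Connect change and document the minimum compatible Connect version; also confirm that the listener still requires a client certificate at all, since that setting is not visible in the retained lines and without it the remaining `validation_context_sds_secret_config` only validates certificates that happen to be presented.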
