cert-manager / csi-driver-spiffe Goto Github PK

A Kubernetes CSI plugin to automatically mount SPIFFE certificates to Pods using ephemeral volumes

Home Page: https://cert-manager.io/docs/usage/csi-driver-spiffe/

License: Apache License 2.0

Makefile 36.90% Go 57.90% Mustache 1.02% Shell 4.18%

csi-driver-spiffe's Introduction

cert-manager

cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.

It supports issuing certificates from a variety of sources, including Let's Encrypt (ACME), HashiCorp Vault, and Venafi TPP / TLS Protect Cloud, as well as local in-cluster issuance.

cert-manager also ensures certificates remain valid and up to date, attempting to renew certificates at an appropriate time before expiry to reduce the risk of outages and remove toil.

Documentation

Documentation for cert-manager can be found at cert-manager.io.

For the common use-case of automatically issuing TLS certificates for Ingress resources, see the cert-manager nginx-ingress quick start guide.

For a more comprehensive guide to issuing your first certificate, see our getting started guide.

Installation

Installation is documented on the website, with a variety of supported methods.

Developing cert-manager

We actively welcome contributions and we support both Linux and macOS environments for development.

Different platforms have different requirements; we document everything on our Building cert-manager website page.

Note in particular that macOS has several extra requirements, to ensure that modern tools are installed and available. Read the page before getting started!

Troubleshooting

If you encounter any issues whilst using cert-manager, we have a number of ways to get help:

A troubleshooting guide on our website.
Our official Kubernetes Slack channel - the quickest way to ask! (#cert-manager and #cert-manager-dev)
Searching for an existing issue.

If you believe you've found a bug and cannot find an existing issue, feel free to open a new issue! Be sure to include as much information as you can about your environment.

Community

The cert-manager-dev Google Group is used for project wide announcements and development coordination. Anybody can join the group by visiting here and clicking "Join Group". A Google account is required to join the group.

Meetings

We have several public meetings which any member of our Google Group is more than welcome to join!

Check out the details on our website. Feel free to drop in and ask questions, chat with us or just to say hi!

Contributing

We welcome pull requests with open arms! There's a lot of work to do here, and we're especially concerned with ensuring the longevity and reliability of the project. The contributing guide will help you get started.

Coding Conventions

Code style guidelines are documented on the coding conventions page of the cert-manager website. Please try to follow those guidelines if you're submitting a pull request for cert-manager.

Importing cert-manager as a Module

⚠️ Please note that cert-manager does not currently provide a Go module compatibility guarantee. That means that most code under pkg/ is subject to change in a breaking way, even between minor or patch releases and even if the code is currently publicly exported.

The lack of a Go module compatibility guarantee does not affect API version guarantees under the Kubernetes Deprecation Policy.

For more details see Importing cert-manager in Go on the cert-manager website.

The import path for cert-manager versions 1.8 and later is github.com/cert-manager/cert-manager.

For all versions of cert-manager before 1.8, including minor and patch releases, the import path is github.com/jetstack/cert-manager.

Security Reporting

Security is the number one priority for cert-manager. If you think you've found a security vulnerability, we'd love to hear from you.

Follow the instructions in SECURITY.md to make a report.

Changelog

Every release on GitHub has a changelog, and we also publish release notes on the website.

History

cert-manager is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects such as kube-cert-manager.

_{^{Logo design by Zoe Paterson}}

csi-driver-spiffe's People

Contributors

Stargazers

Watchers

Forkers

joshvanl irbekrm sgtcodfish isabella232 ktaf sitaramkm rueian jamesglennan kesselborn dherbrich chaosinthecrd saydulaev inteon thatsmrtalbot mattiasgees otterize

csi-driver-spiffe's Issues

Investigate test timeouts

In #126, we bumped test timeouts.
However, it was not clear why the test is taking that long.
This issue aims to track any similar issues that might indicate that there is an underlying issue to these timeouts.

Support imagePullSecrets in Helm for installing csi-driver-spiffe from private repos

Currently there is no Helm chart support to include imagePullSecrets for csi-driver-spiffe

Intermittent csi-driver-spiffe failure: Unable to mount cert

We have encountered intermittent issues where the CSI driver spiffe fails to mount the certificate on a pod.
This problem appears to occur more frequently when the CSI driver spiffe pod restarts.
Upon restarting the CSI driver spiffe pod, it seems to lose track of which pod certificates need to be renewed.
Interestingly, manually restarting the affected pod results in the correct mounting of new certificates.

We observed the following error messages in the csi-driver-spiffe log:

csi/manager "msg"="Failed to issue certificate, retrying after applying exponential backoff" "error"="waiting for request: certificaterequest.cert-manager.io \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\" not found" "volume_id"="csi-xxxxxxxx"
.......
csi/driver "msg"="failed processing request" "error"="timed out waiting for the condition" "request"={}
"rpc_method"="/csi.v1.Node/NodePublishVolume"
.......

We have already reviewed a previously closed issue (cert-manager/csi-driver#78) and updated the CSI data directory, but this did not resolve the problem.
We are actively looking for workarounds to address this behavior. One potential solution we are considering is utilizing a liveness probe.
We are seeking guidance on how to further identify and potentially resolve this issue.
Any suggestions regarding additional information we can provide would be greatly appreciated.

The default `csiDataDir` value might collide with csi-driver

the default csiDataDir value might collide with csi-driver: https://github.com/cert-manager/csi-driver-spiffe/blob/main/deploy/charts/csi-driver-spiffe/values.yaml#L55

Add the ability to add custom annotations to certificate requests

Bit of a niche case but wanting to run the driver using firefly issuer- which when running in controller mode uses the certificate request annotation to determine which policy to apply to issue the certificate.

I have some code to do this globally and apply annotations to all certificate request resources, which seemed like the easiest way to configure it but could also configure it as volume attributes too if preferred

Increase e2e test timeouts

Currently timeouts for checking for success are scattered across tests (e.g. here) and so are hard to change.

They're also quite low and could easily flake in a resource constrained testing environment.

It would be better to have a single const controlling global timeouts to make this easier to change and to make it obvious what's happening.

The above linked code block could be rewritten to:

Eventually(func() bool {
	Expect(f.Client().Get(f.Context(), client.ObjectKeyFromObject(&certificateRequest), &certificateRequest)).NotTo(HaveOccurred())
	return apiutil.CertificateRequestIsApproved(&certificateRequest)
}).WithTimeout(testTimeout).WithInterval(pollInterval).WithContext(ctx).Should(BeTrue(), "expected request to become approved in time")

Note that this also passes the context into the Eventually function which would be useful if we were to enforce a global timeout on all e2e tests in the future

Add support for certificate expiry configuration

Currently the namespace csi.cert-manager.io supports many different volume configuration attributes.
This set of configuration can enable for example certificate renew period using the attributes csi.cert-manager.io/duration and csi.cert-manager.io/renew-before. However I've noted that it is not implemented on spiffe.csi.cert-manager.io namespace. Instead the expiry period seem to be fixed in 1 hour like image below.

What would take to implement at least the spiffe.csi.cert-manager.io/duration and spiffe.csi.cert-manager.io/renew-before attributes to enable certificate renew for csi-spiffe-driver?

Add Envoy Secret discovery service (SDS) support

subj

Incorrect logger initialisation

Loggers for the driver and the approver are currently ultimately created by klog.TODO in this section of code.

The flow control here is confusing and could be improved, and TODO is also documented as a "last resort".

csi-driver-spiffe vs csi-driver

From the documentation of the cert-manager we can see that csi-driver spiffe allows to use SVIDs to enable mTLS between pods within their trust domain (https://cert-manager.io/docs/projects/csi-driver-spiffe/). However, in the csi-driver documentation (https://cert-manager.io/docs/projects/csi-driver/) there is also a way to use SPIFFE IDs and it also adds the right to use dnsNames (csi.cert-manager.io/dns-names). I am wondering, what is the difference between using these two tools, so what is the csi-driver-spiffe providing additionally and why it would be useful. Can the csi-driver-spiffe also be used to validate dns names when it requests the certificate? And is there any relevant documentation for this?