
Consider deprecating the Notifier plugin interface in favor of a BundlePublisher interface #2909

Open
evan2645 opened this issue Mar 31, 2022 · 2 comments
Assignees
Labels
priority/backlog Issue is approved and in the backlog

Comments

@evan2645
Member

When the notifier interface was introduced, the intention was to fill a handful of use cases we had around arbitrary event-driven actions. Updating the bundle in a remote location any time it changed was one use case ... another use case was pushing to a certificate transparency log when we sign or rotate. We suspected that other use cases would arise in due time.

Well, it's been a few years now and those use cases haven't materialized. We have also not picked up the Notifier for use as a certificate transparency plugin, and in previous discussions around this feature preferred a core implementation. The result is that the notifier plugin has only ever been used for pushing bundle updates.

Some time ago, we attempted to create a notifier plugin for AWS S3 (#1512). We never quite got there due to a mismatch in the consistency requirements. S3 is eventually consistent across its API calls, while the notifier expects tight consistency and is built to handle a read-modify-write cycle.

The realization coming from this work is that this tightly consistent model is likely not ideal for bundle management (mostly because it makes it hard to push the bundle to an eventually consistent source). Since authorities are prepared in advance, and pruning happens prior to expiration, it is (generally) ok for the bundle to be eventually consistent ... it is eventually consistent internally to SPIRE already (e.g. between servers and agents or workloads).

I propose that we deprecate the notifier plugin in favor of a new BundlePublisher plugin, which is purpose built for pushing bundles to remote locations. This interface will be very simple, and not generalized in the way that the Notifier interface is. There are some technical challenges to sort out (e.g. @azdagron has pointed out that we need a relatively small eventual consistency window in order to support SPIRE cluster cold start), but I think these are generally solvable.

If folks are amenable, we can start by proposing a proto for this new plugin interface.
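The consistency argument in this proposal, as an added illustration that is not SPIRE or spire-plugin-sdk code: a hypothetical eventually consistent store in which every publish overwrites the whole bundle (no read-modify-write), used to show that a reader holding a stale copy still trusts a newly activated authority as long as the store's visibility lag is no larger than the lead time with which that authority was prepared. All names here (Authority, Bundle, ecStore, SafeRotation) are assumptions for the example.

```go
package main

import "time"

// Authority is one trust-bundle entry: ActiveFrom is when it starts signing,
// and a server "prepares" it by publishing it before that instant.
type Authority struct {
	ID                  string
	ActiveFrom, Expires time.Time
}
// Bundle is the whole authority set; a publisher replaces it as one object.
type Bundle []Authority
type version struct{ at time.Time; b Bundle }
// ecStore is a hypothetical eventually consistent object store: a version
// written at t is visible from t+lag onward; each Publish overwrites the whole bundle.
type ecStore struct {
	lag      time.Duration
	versions []version
}
func (s *ecStore) Publish(at time.Time, b Bundle) {
	s.versions = append(s.versions, version{at, b})
}
// Read returns the newest version visible at time at (possibly stale).
func (s *ecStore) Read(at time.Time) (out Bundle) {
	for _, v := range s.versions {
		if !v.at.Add(s.lag).After(at) {
			out = v.b
		}
	}
	return out
}
// Trusts reports whether a holder of b accepts signer at time at.
func Trusts(b Bundle, signer string, at time.Time) bool {
	for _, a := range b {
		if a.ID == signer && !at.Before(a.ActiveFrom) && at.Before(a.Expires) {
			return true
		}
	}
	return false
}
// SafeRotation publishes ca-2 prep ahead of its activation and reports whether
// a reader lagging by lag trusts it at activation; this holds iff lag <= prep.
func SafeRotation(prep, lag time.Duration) bool {
	t0 := time.Unix(0, 0).UTC()
	store := &ecStore{lag: lag}
	ca1 := Authority{"ca-1", t0, t0.Add(48 * time.Hour)}
	store.Publish(t0, Bundle{ca1})
	t1 := t0.Add(time.Hour) // ca-2 prepared now, starts signing at t1+prep
	store.Publish(t1, Bundle{ca1, {"ca-2", t1.Add(prep), t0.Add(72 * time.Hour)}})
	return Trusts(store.Read(t1.Add(prep)), "ca-2", t1.Add(prep))
}
```

The failing case (lag larger than the preparation lead time) is the cold-start concern raised above: a server that must sign before its published bundle has become visible everywhere.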


github-actions bot commented Feb 3, 2024

This issue is stale because it has been open for 365 days with no activity.

@github-actions github-actions bot added the stale label Feb 3, 2024
@azdagron
Member

azdagron commented Feb 4, 2024

This is the plan of action. Commenting to keep the issue open.

@github-actions github-actions bot removed the stale label Feb 4, 2024
c4rlo added a commit to c4rlo/spire that referenced this issue Mar 6, 2024
Mention the BundlePublisher plugin type, and its built-in aws_s3
implementation, on the SPIRE Server Configuration Reference page.

This plugin type was introduced in spiffe/spire-plugin-sdk#38.
See also spiffe#2909, spiffe#4034.

While I'm touching this, a couple of other tweaks:

- Add CredentialComposer to plugin type list (its uniqueid
  implementation was already mentioned in the built-in plugin table).
- Reorder the tables of plugin types and built-in plugins to hopefully
  make a little more sense, and to be consistent with each other.
- Change a "sql" to a "SQL".
c4rlo added a commit to c4rlo/spire that referenced this issue Mar 6, 2024
c4rlo added a commit to c4rlo/spire that referenced this issue Mar 6, 2024
amartinezfayo pushed a commit that referenced this issue Mar 8, 2024
rushi47 pushed a commit to rushi47/spire that referenced this issue Apr 11, 2024