Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: Allow AWS IAM SigV4 for SDS AuthN #8067

Merged
merged 1 commit into from
Sep 16, 2019
Merged

docs: Allow AWS IAM SigV4 for SDS AuthN #8067

merged 1 commit into from
Sep 16, 2019

Conversation

bcelenza
Copy link
Member

Description: Per #8042, update documentation to clarify authentication required for SDS connections, and add notes about credential types in use today.
Risk Level: Low
Testing: Previewed content layout using RST parser.
Docs Changes: See description.
Release Notes: N/A

htuch
htuch suggested changes Sep 3, 2019
View reviewed changes
Copy link
Member

@htuch htuch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the update, I think we probably should reword a bit.
/wait

docs/root/configuration/security/secret.rst Outdated
@@ -15,7 +15,10 @@ Upstream clusters are handled in a similar way, if a cluster client certificate

If a static cluster is using SDS, and it needs to define a SDS cluster (unless Google gRPC is used which doesn't need a cluster), the SDS cluster has to be defined before the static clusters using it.

The connection between Envoy proxy and SDS server has to be secure. One option is to run the SDS server on the same host and use Unix Domain Socket for the connection. Otherwise it requires mTLS between the proxy and SDS server. In this case, the client certificates for the SDS connection must be statically configured.
The connection between Envoy proxy and SDS server has to be secure. One option is to run the SDS server on the same host and use Unix Domain Socket for the connection. Otherwise it requires valid authentication between the proxy and SDS server using gRPC channel credentials, call credentials, or both. Credential types in use today are:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we confusing authentication and confidentiality here? There's two aspects:

  1. We need to ensure that there is always server TLS configured, i.e. an upstream TLS context for Envoy gRPC/REST, and not using someting like grpc::InsecureChannelCredentials() if it's the Google gRPC client.
  2. We need to authenticate. This should be over a secure channel, see (1), but this is where client certs or SigV4 come into play.
    The docs read as if we can solve (2) with (1) and don't cover Envoy gRPC/REST.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree with both points, and will reword. :)

@htuch htuch self-assigned this Sep 3, 2019
@stale
Copy link

stale bot commented Sep 11, 2019

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@stale stale bot added the stale stalebot believes this issue/PR has not been touched recently label Sep 11, 2019
@bcelenza
Copy link
Member Author

Hey @htuch, want to make sure I've addressed your feedback appropriately. Happy to field suggestions for wording changes if I still haven't quite nailed it.

@stale stale bot removed the stale stalebot believes this issue/PR has not been touched recently label Sep 11, 2019
@bcelenza bcelenza requested a review from htuch September 11, 2019 14:42
htuch
htuch approved these changes Sep 16, 2019
View reviewed changes
Copy link
Member

@htuch htuch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@htuch htuch merged commit 11c5fa0 into envoyproxy:master Sep 16, 2019
@bcelenza bcelenza mentioned this pull request Sep 16, 2019
Closed
danzh2010 pushed a commit to danzh2010/envoy that referenced this pull request Sep 24, 2019
@bcelenza @danzh1989
docs: Allow AWS IAM SigV4 for SDS AuthN (envoyproxy#8067)
84bbdb9 
Per envoyproxy#8042, update documentation to clarify authentication required for SDS connections, and add notes about credential types in use today.

Risk Level: Low
Testing: Previewed content layout using RST parser.
Docs Changes: See description.

Signed-off-by: Brian Celenza <[email protected]>
danzh2010 pushed a commit to danzh2010/envoy that referenced this pull request Oct 4, 2019
@bcelenza
docs: Allow AWS IAM SigV4 for SDS AuthN (envoyproxy#8067)
9ce9bd0 
Per envoyproxy#8042, update documentation to clarify authentication required for SDS connections, and add notes about credential types in use today.

Risk Level: Low
Testing: Previewed content layout using RST parser.
Docs Changes: See description.

Signed-off-by: Brian Celenza <[email protected]>
danzh2010 pushed a commit to danzh2010/envoy that referenced this pull request Oct 4, 2019
@bcelenza
docs: Allow AWS IAM SigV4 for SDS AuthN (envoyproxy#8067)
a4852bc 
Per envoyproxy#8042, update documentation to clarify authentication required for SDS connections, and add notes about credential types in use today.

Risk Level: Low
Testing: Previewed content layout using RST parser.
Docs Changes: See description.

Signed-off-by: Brian Celenza <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@htuch htuch htuch approved these changes

Assignees

@htuch htuch

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bcelenza @htuch