Use UpstreamAuthority.SubscribeToLocalBundle RPC #6090
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sorindumitru
force-pushed
the
nested-restart
branch
5 times, most recently
from
85660f5 to
ad8c3f6
Compare
sorindumitru
changed the title
sorindumitru
force-pushed
the
nested-restart
branch
2 times, most recently
from
89f91df to
1379d0d
Compare
sorindumitru
requested review from
evan2645,
amartinezfayo,
MarcosDY and
rturner3
as code owners
sorindumitru
force-pushed
the
nested-restart
branch
from
1379d0d to
85193c8
Compare
Signed-off-by: Sorin Dumitru <[email protected]>
Signed-off-by: Sorin Dumitru <[email protected]>
Signed-off-by: Sorin Dumitru <[email protected]>
Signed-off-by: Sorin Dumitru <[email protected]>
Signed-off-by: Sorin Dumitru <[email protected]>
Signed-off-by: Sorin Dumitru <[email protected]>
sorindumitru
force-pushed
the
nested-restart
branch
from
85193c8 to
9728575
Compare
MarcosDY
reviewed
Jun 12, 2025
| err := util.RunTasks(ctx, | ||
| func(ctx context.Context) error { | ||
| return r.rotateEvery(ctx, rotateInterval) | ||
| }, | ||
| func(ctx context.Context) error { | ||
| var lastError error |
There was a problem hiding this comment.
may we move this to Subscribe?
and only start when we really need to subscribe
| @@ -151,6 +151,43 @@ func TestUpstreamClientPublishJWTKey_NotImplemented(t *testing.T) { | |||
| require.Nil(t, jwtKeys) | |||
| } | |||
|
|
|||
| func TestUpstreamClientSubscribeToLocalBundle(t *testing.T) { | |||
| client, updater, ua := setUpUpstreamClientTest(t, fakeupstreamauthority.Config{ | |||
There was a problem hiding this comment.
Suggested change
| client, updater, ua := setUpUpstreamClientTest(t, fakeupstreamauthority.Config{ | |
| client, updater, ua := setupUpstreamClientTest(t, fakeupstreamauthority.Config{ |
| // We should get an update with the initial CA and a list of empty JWT keys since | ||
| // the fakeupstreamauthority does not create one by default. | ||
| require.Equal(t, ua.X509Roots(), updater.WaitForAppendedX509Roots(t)) | ||
| spiretest.RequireProtoListEqual(t, []*common.PublicKey{}, updater.WaitForAppendedJWTKeys(t)) |
| @@ -32,6 +32,16 @@ type UpstreamAuthority interface { | |||
| // the upstream authority does not support streaming updates, the stream | |||
| // will return io.EOF when called. | |||
| PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) (jwtAuthorities []*common.PublicKey, stream UpstreamJWTAuthorityStream, err error) | |||
|
|
|||
| // GetUpstreamAuthorities can be used to sync the local trust bundle with | |||
There was a problem hiding this comment.
Suggested change
| // GetUpstreamAuthorities can be used to sync the local trust bundle with | |
| // SubscribeToLocalBundle can be used to sync the local trust bundle with |
| } | ||
|
|
||
| x509Authorities, err := s.v1.parseX509Authorities(resp.UpstreamX509Roots) | ||
| if len(resp.UpstreamX509Roots) != 0 && err != nil { |
There was a problem hiding this comment.
why to verify roots length? parse may return no error only when there was something to parse, right?
| @@ -1,5 +1,7 @@ | |||
| #!/bin/bash | |||
|
|
|||
| pwd | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request check list
Affected functionality
UpstreamAuthority plugins.
Description of change
If the UpstreamAuthority plugin implements the GetTrustBundle RPC use it to keep the trust bundle of the trust domain in sync. This allows us to get bundle updates before we create a new CA or key.
Which issue this PR fixes
fixes #6083