spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

Consider deprecating the Notifier plugin interface in favor of a BundlePublisher interface #2909

Open evan2645 opened 2 years ago

evan2645 commented 2 years ago

When the notifier interface was introduced, the intention was to fill a handful of use cases we had around arbitrary event-driven actions. Updating the bundle in a remote location any time it changed was one use case; another use case was pushing to a certificate transparency log when we sign or rotate. We suspected that other use cases would arise in due time.

Well it's been a few years now and those use cases haven't materialized. We have also not picked up the Notifier for use as a certificate transparency plugin, and in previous discussions around this feature preferred a core implementation. The result is that the notifier plugin has only ever been used for pushing bundle updates.

Some time ago, we attempted to create a notifier plugin for AWS S3 (https://github.com/spiffe/spire/issues/1512). We never quite got there due to a mismatch in the consistency requirements. S3 is eventually consistent across its API calls, while the notifier expects tight consistency and is built to handle a read-modify-write cycle.

The realization coming from this work is that this tightly consistent model is likely not ideal for bundle management (mostly because it makes it hard to push the bundle to an eventually consistent source). Since authorities are prepared in advance, and pruning happens prior to expiration, it is (generally) ok for the bundle to be eventually consistent ... it is eventually consistent internally to SPIRE already (e.g. between servers and agents or workloads).

I propose that we deprecate the notifier plugin in favor of a new BundlePublisher plugin, which is purpose built for pushing bundles to remote locations. This interface will be very simple, and not generalized in the way that the Notifier interface is. There are some technical challenges to sort out (e.g. @azdagron has pointed out that we need a relatively small eventual consistency window in order to support SPIRE cluster cold start), but I think these are generally solvable.

If folks are amenable, we can start by proposing a proto for this new plugin interface.
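The consistency argument in the proposal above, as an added Go example that is not part of the issue or of SPIRE's code base. It models a remote store whose writes are not immediately readable (the S3 case), replays two bundle changes inside one consistency window, and compares a Notifier-style read-modify-write against an idempotent full-bundle publish. The `BundlePublisher` interface, the `PublishBundle` method name, the `EventualStore` model and the `old-ca`/`new-ca` authority names are all assumptions constructed for this example, not SPIRE's proto or identifiers.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Bundle is a simplified trust bundle: the set of CA authority identifiers it
// holds (stand-ins for the X.509/JWT authorities in a SPIRE bundle).
type Bundle map[string]bool

func (b Bundle) clone() Bundle {
	c := make(Bundle, len(b))
	for k := range b {
		c[k] = true
	}
	return c
}

// String renders the authorities sorted so that results compare stably.
func (b Bundle) String() string {
	keys := make([]string, 0, len(b))
	for k := range b {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return strings.Join(keys, ",")
}

// EventualStore models a remote object store like the S3 case in the issue:
// a completed write is not immediately visible to the next read. Writes land
// in latest; reads keep returning visible until Settle() propagates them.
// This is a constructed model, not a real S3 client.
type EventualStore struct {
	latest  Bundle
	visible Bundle
}

func NewEventualStore(initial Bundle) *EventualStore {
	return &EventualStore{latest: initial.clone(), visible: initial.clone()}
}

func (s *EventualStore) Get() Bundle  { return s.visible.clone() }
func (s *EventualStore) Put(b Bundle) { s.latest = b.clone() }

// Settle closes the consistency window: pending writes become readable.
func (s *EventualStore) Settle() { s.visible = s.latest.clone() }

// BundlePublisher is the shape of the single-purpose plugin the issue
// proposes. Method name and signature are assumptions, not SPIRE's proto.
type BundlePublisher interface {
	PublishBundle(local Bundle) error
}

// NotifierStyle pushes each bundle change as a read-modify-write against the
// remote copy, the pattern the issue says the existing Notifier flow relies on.
type NotifierStyle struct{ store *EventualStore }

func (n NotifierStyle) Apply(added, removed []string) {
	remote := n.store.Get() // may be stale inside the consistency window
	for _, a := range added {
		remote[a] = true
	}
	for _, r := range removed {
		delete(remote, r)
	}
	n.store.Put(remote) // writes back a view built on the stale read
}

// FullStatePublisher implements BundlePublisher by overwriting the remote
// object with the complete local bundle: idempotent and read-free, so the
// last write to land is correct regardless of how stale reads are.
type FullStatePublisher struct{ store *EventualStore }

func (p FullStatePublisher) PublishBundle(local Bundle) error {
	p.store.Put(local)
	return nil
}

// RunScenario replays two back-to-back bundle changes inside one consistency
// window (a new authority prepared in advance, then an expired one pruned),
// lets the store settle, and returns what the remote finally holds.
func RunScenario(useFullState bool) string {
	local := Bundle{"old-ca": true} // constructed sample bundle
	store := NewEventualStore(local)
	var publisher BundlePublisher = FullStatePublisher{store: store}
	notifier := NotifierStyle{store: store}

	push := func(added, removed []string) {
		if useFullState {
			_ = publisher.PublishBundle(local)
		} else {
			notifier.Apply(added, removed)
		}
	}

	local["new-ca"] = true // change 1: next authority prepared ahead of rotation
	push([]string{"new-ca"}, nil)

	delete(local, "old-ca") // change 2: old authority pruned while change 1 is still invisible
	push(nil, []string{"old-ca"})

	store.Settle()
	return store.Get().String()
}

func main() {
	fmt.Println("notifier-style read-modify-write converges to:", RunScenario(false)) // "" (new-ca lost)
	fmt.Println("full-state publish converges to:", RunScenario(true))                // "new-ca"
}
```

The read-modify-write path ends with an empty remote bundle: the second read never saw the first write, so pruning `old-ca` also discarded `new-ca`, and any workload validating against that copy would trust nothing. The full-state path converges to the local bundle once the window closes, which is the property the proposal relies on. `Settle()` is the consistency window itself; the cold-start concern raised in the proposal is about how long that window may be before a fresh cluster can read a usable bundle, not about whether the final state is correct.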

github-actions[bot] commented 7 months ago

This issue is stale because it has been open for 365 days with no activity.

azdagron commented 7 months ago

This is the plan of action. Commenting to keep the issue open.