spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0
1.81k stars, 478 forks

Race condition that causes envoy integration to result in an incomplete trust bundle #5638

Open dansimone opened 2 weeks ago

dansimone commented 2 weeks ago

Our setup consists of:

In this setup, we've encountered a race condition that results in the istio-proxy being sent an incomplete trust bundle.

Here's the specific sequence that reproduces the problem (which can be reliably reproduced with some node-level iptables hacks to prevent the spire-agent from talking to port 10250):

dansimone commented 2 weeks ago

In the case of this spot in the code, for example, are there any valid reasons to skip adding the federated trust bundles just because update.HasIdentity() is false? The code in that code block has no dependency on the identity.

Or, could/should this entire composeX509BundlesResponse() function fail out if update.HasIdentity() is false? Either of these behaviors would also have prevented this problem.

amartinezfayo commented 2 weeks ago

Thank you @dansimone for opening this issue. Do you have the allow_unauthenticated_verifiers agent setting set as true?

dansimone commented 2 weeks ago

We have not set this explicitly anywhere, so it looks like that is defaulting to false.

But I do see this, which suggests that allow_unauthenticated_verifiers=false should prevent this situation, at least for that code path.
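To make the two remedies discussed in this thread concrete (always include the federated bundles regardless of identity, or fail the whole response when the update carries no identity and the agent is not configured to serve unauthenticated verifiers), here is an added Go example. It is not SPIRE's code: the `Update`, `Bundle` and `Config` types, the `composeIncomplete`/`composeStrict` functions and the sample trust domains are all assumptions constructed for illustration; `AllowUnauthenticatedVerifiers` stands in for the agent's `allow_unauthenticated_verifiers` setting.

```go
package main

import (
	"errors"
	"fmt"
)

// Bundle is a hypothetical, simplified trust bundle (not SPIRE's own type).
type Bundle struct {
	TrustDomain string
	Roots       []string // constructed placeholder root names; real bundles carry certificates
}

// Update is a hypothetical view of what an agent holds when it answers a
// bundle request. Identity is empty until the agent has received an SVID.
type Update struct {
	Identity         string
	Bundle           *Bundle            // the local trust domain bundle
	FederatedBundles map[string]*Bundle // keyed by federated trust domain
}

func (u *Update) HasIdentity() bool { return u.Identity != "" }

// Config models the single agent setting relevant here (assumption).
type Config struct {
	AllowUnauthenticatedVerifiers bool
}

var ErrNoIdentity = errors.New("no identity yet: refusing to serve a partial trust bundle")

// composeIncomplete reproduces the failure mode the issue describes: federated
// bundles are only added when an identity is present, so an update that has
// not yet received an identity silently yields a response missing them.
func composeIncomplete(u *Update) map[string]*Bundle {
	resp := map[string]*Bundle{}
	if u.Bundle != nil {
		resp[u.Bundle.TrustDomain] = u.Bundle
	}
	if u.HasIdentity() { // federated bundles do not depend on the identity
		for td, b := range u.FederatedBundles {
			resp[td] = b
		}
	}
	return resp
}

// composeStrict fails closed: without an identity, and without the setting that
// explicitly permits unauthenticated verifiers, no response is produced at all.
// When a response is produced, the federated bundles are always included.
func composeStrict(cfg Config, u *Update) (map[string]*Bundle, error) {
	if !u.HasIdentity() && !cfg.AllowUnauthenticatedVerifiers {
		return nil, ErrNoIdentity
	}
	resp := map[string]*Bundle{}
	if u.Bundle != nil {
		resp[u.Bundle.TrustDomain] = u.Bundle
	}
	for td, b := range u.FederatedBundles {
		resp[td] = b
	}
	return resp, nil
}

// sampleUpdateWithoutIdentity builds a constructed update: local bundle and one
// federated bundle present, identity still missing (the racy window).
func sampleUpdateWithoutIdentity() *Update {
	return &Update{
		Bundle: &Bundle{TrustDomain: "example.org", Roots: []string{"root-A"}},
		FederatedBundles: map[string]*Bundle{
			"partner.example": {TrustDomain: "partner.example", Roots: []string{"root-B"}},
		},
	}
}

func main() {
	u := sampleUpdateWithoutIdentity()
	fmt.Printf("incomplete response serves %d bundle(s)\n", len(composeIncomplete(u)))
	if _, err := composeStrict(Config{}, u); err != nil {
		fmt.Println("strict, verifiers must authenticate:", err)
	}
	resp, _ := composeStrict(Config{AllowUnauthenticatedVerifiers: true}, u)
	fmt.Printf("strict, unauthenticated verifiers allowed: %d bundle(s)\n", len(resp))
}
```

A verifier that receives an error can retry, whereas one that receives a bundle set with a trust domain silently missing will reject peers from that domain until the next update arrives, which is the behaviour reported at the top of the thread.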