docs: add tutorial for securing internal traffic with SPIRE (mTLS) #364
mahil-2040 wants to merge 4 commits into
Conversation
Code Review
This pull request adds a new tutorial documentation file explaining how SPIRE is used to secure internal traffic with mTLS in AgentCube. The reviewer pointed out two critical discrepancies between the documentation and the actual codebase: the documentation references a CertWatcher and hot-reloading mechanism that does not exist in the code, and it lists incorrect CLI flags (--mtls-* and --tls-ca) that are not supported by the current implementation.
Codecov Report ✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
##             main     #364      +/-   ##
===========================================
+ Coverage   47.57%   57.90%   +10.33%
===========================================
  Files          30       34        +4
  Lines        2819     3181      +362
===========================================
+ Hits         1341     1842      +501
+ Misses       1338     1154      -184
- Partials      140      185       +45
hzxuzhonghu
left a comment
This is not a good tutorial, think about if you are a new user, can you run it by this guide?
Force-pushed 625d1fd to 8c07a2f
I have completely rewritten the guide with step-by-step instructions, commands and expected outputs of each step, PTAL!
Signed-off-by: Mahil Patel <mahilpatel0808@gmail.com>
Signed-off-by: Mahil Patel <mahilpatel0808@gmail.com>
- Added klog.Infof to wait.go so expected output is consistent with what actually appears in logs, matching the tutorial's expected output
- Helm upgrade removes SPIRE workloads and sidecars, not CRDs (those are removed separately via kubectl)
- added --reuse-values flag to preserve the install-time values
Signed-off-by: Mahil Patel <mahilpatel0808@gmail.com>
- Replaced generalized output placeholders (xxxxx pod hashes, ... UUIDs, and XX-XX timestamps) with actual outputs to prevent ambiguity.
- Updated expected log outputs for Router and WorkloadManager to accurately reflect the format emitted by the codebase.
- Fixed agentcube-system namespace inconsistencies across the documentation to align with the core getting-started guide.
Signed-off-by: Mahil Patel <mahilpatel0808@gmail.com>
Force-pushed a145259 to bd05fe5
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
Needs approval from an approver in each of these files:
| agentcube-router-574d98b76-tr2nr 2/2 Running 5 (2m24s ago) 3m17s | ||
| spire-agent-8r9jx 1/1 Running 3 (2m44s ago) 3m17s |
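Review bot: The pod listing on these two lines is presented as expected output yet records 5 restarts for agentcube-router and 3 for spire-agent within about three minutes, so the tutorial documents a crash loop as the normal result and a reader cannot tell a broken install from a working one. Either state in the text what the restarts are and why they stop, or capture the listing after the pods have settled so RESTARTS reads 0.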
What's the cause of the restart?
| podTemplate: | ||
| spec: | ||
| containers: | ||
| - name: agent |
What type of PR is this?
/kind documentation
What this PR does / why we need it:
Description
This PR adds a comprehensive user guide (docs/tutorials/internal-auth-spire.md) for the newly implemented SPIRE mTLS internal authentication system. The tutorial explains the architecture of our zero-trust control plane and acts as a definitive reference for developers and operators.
Key Additions
- CertWatcher achieves zero-downtime certificate rotation via fsnotify.
- CLI flags (--mtls-* for Router, --tls-* for WorkloadManager).
- A spiffe-helper sidecar is deployed alongside the control plane pods to automatically provision and rotate SVIDs.
- PicoD and AgentRuntime sandboxes continue to use JWT authentication (avoiding TLS handshake overhead to preserve ultra-low cold-start latency, and keeping user-defined runtimes pure).
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
NO
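The rotation mechanism the description claims (a watcher that swaps the certificate pair on a file-change event, which the code review above says the codebase does not actually contain) looks like this in Go, as an added example that is not AgentCube's code. The pluggable Load function, the SVID paths in main and the ServerConfig helper are assumptions, and the fsnotify wiring that would call Reload is left out so the block runs with the standard library only.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"sync/atomic"
)

// CertReloader hands the most recently loaded pair to crypto/tls per handshake,
// so a rotated SVID is served without restarting the listener.
type CertReloader struct {
	Load func() (tls.Certificate, error) // e.g. tls.LoadX509KeyPair on the SVID paths
	cur  atomic.Pointer[tls.Certificate]
}

// Reload is what the file-change handler calls (an fsnotify write or rename).
// If the new files do not parse, e.g. the helper has written the cert but not
// yet the key, the previous pair stays in service and the error is returned.
func (r *CertReloader) Reload() error {
	c, err := r.Load()
	if err != nil {
		return err
	}
	r.cur.Store(&c) // open connections keep their session; new handshakes get c
	return nil
}

// GetCertificate is the tls.Config hook; with no successful load yet it fails
// closed instead of completing a handshake without an identity.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if c := r.cur.Load(); c != nil {
		return c, nil
	}
	return nil, errors.New("no SVID loaded yet")
}

// ServerConfig requires a client SVID chained to the trust bundle (assumed helper).
func (r *CertReloader) ServerConfig(bundle *x509.CertPool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: bundle, GetCertificate: r.GetCertificate}
}

func main() { // assumed SVID paths: in the deployment spiffe-helper writes them
	r := &CertReloader{Load: func() (tls.Certificate, error) {
		return tls.LoadX509KeyPair("/run/spire/svid.pem", "/run/spire/svid_key.pem")
	}}
	if err := r.Reload(); err != nil { // no usable pair at startup is fatal
		panic(err)
	}
}
```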