identity: add spire identity client (#2580)

This PR adds gRPC client that allows us to connect to the SPIRE workload API
and stream new certificates through the `identity::Credentials` API.  The configuration
part of this functionality will come in a later subsequent change.

Signed-off-by: Zahari Dichev <[email protected]

Cargo.lock

@@ -1145,6 +1145,7 @@ dependencies = [
  "linkerd-proxy-identity-client",
  "linkerd-proxy-resolve",
  "linkerd-proxy-server-policy",
+ "linkerd-proxy-spire-client",
  "linkerd-proxy-tap",
  "linkerd-proxy-tcp",
  "linkerd-proxy-transport",
@@ -1583,6 +1584,7 @@ dependencies = [
  "linkerd-tls-test-util",
  "linkerd-tracing",
  "pin-project",
+ "rcgen 0.11.3",
  "tokio",
  "tracing",
 ]
@@ -1636,7 +1638,7 @@ version = "0.1.0"
 dependencies = [
  "linkerd-error",
  "linkerd-identity",
- "rcgen",
+ "rcgen 0.12.0",
  "tracing",
  "x509-parser",
 ]
@@ -1903,6 +1905,29 @@ dependencies = [
  "thiserror",
 ]
 
+[[package]]
+name = "linkerd-proxy-spire-client"
+version = "0.1.0"
+dependencies = [
+ "futures",
+ "linkerd-error",
+ "linkerd-exp-backoff",
+ "linkerd-identity",
+ "linkerd-proxy-http",
+ "linkerd-stack",
+ "linkerd-tonic-watch",
+ "rcgen 0.11.3",
+ "simple_asn1",
+ "spiffe-proto",
+ "thiserror",
+ "tokio",
+ "tokio-test",
+ "tonic",
+ "tower",
+ "tracing",
+ "x509-parser",
+]
+
 [[package]]
 name = "linkerd-proxy-tap"
 version = "0.1.0"
@@ -2766,6 +2791,18 @@ version = "1.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "977b1e897f9d764566891689e642653e5ed90c6895106acd005eb4c1d0203991"
 
+[[package]]
+name = "rcgen"
+version = "0.11.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "52c4f3084aa3bc7dfbba4eff4fab2a54db4324965d8872ab933565e6fbd83bc6"
+dependencies = [
+ "pem",
+ "ring 0.16.20",
+ "time",
+ "yasna",
+]
+
 [[package]]
 name = "rcgen"
 version = "0.12.0"
@@ -3059,6 +3096,18 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "simple_asn1"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "adc4e5204eb1910f40f9cfa375f6f05b68c3abac4b6fd879c8ff5e7ae8a0a085"
+dependencies = [
+ "num-bigint",
+ "num-traits",
+ "thiserror",
+ "time",
+]
+
 [[package]]
 name = "slab"
 version = "0.4.9"
@@ -3094,6 +3143,17 @@ dependencies = [
  "windows-sys 0.48.0",
 ]
 
+[[package]]
+name = "spiffe-proto"
+version = "0.1.0"
+dependencies = [
+ "bytes",
+ "prost",
+ "prost-types",
+ "tonic",
+ "tonic-build",
+]
+
 [[package]]
 name = "spin"
 version = "0.5.2"

Cargo.toml

@@ -50,6 +50,7 @@ members = [
     "linkerd/proxy/dns-resolve",
     "linkerd/proxy/http",
     "linkerd/proxy/identity-client",
+    "linkerd/proxy/spire-client",
     "linkerd/proxy/resolve",
     "linkerd/proxy/server-policy",
     "linkerd/proxy/tap",
@@ -73,6 +74,7 @@ members = [
     "linkerd/transport-metrics",
     "linkerd2-proxy",
     "opencensus-proto",
+    "spiffe-proto",
     "tools",
 ]
 

linkerd/app/core/Cargo.toml

@@ -43,6 +43,7 @@ linkerd-proxy-client-policy = { path = "../../proxy/client-policy" }
 linkerd-proxy-dns-resolve = { path = "../../proxy/dns-resolve" }
 linkerd-proxy-http = { path = "../../proxy/http" }
 linkerd-proxy-identity-client = { path = "../../proxy/identity-client" }
+linkerd-proxy-spire-client = { path = "../../proxy/spire-client" }
 linkerd-proxy-resolve = { path = "../../proxy/resolve" }
 linkerd-proxy-server-policy = { path = "../../proxy/server-policy" }
 linkerd-proxy-tap = { path = "../../proxy/tap" }

linkerd/app/core/src/lib.rs

@@ -50,7 +50,10 @@ pub use linkerd_transport_header as transport_header;
 pub mod identity {
     pub use linkerd_identity::*;
     pub use linkerd_meshtls::*;
-    pub use linkerd_proxy_identity_client as client;
+    pub mod client {
+        pub use linkerd_proxy_identity_client as linkerd;
+        pub use linkerd_proxy_spire_client as spire;
+    }
 }
 
 pub const CANONICAL_DST_HEADER: &str = "l5d-dst-canonical";

linkerd/app/src/env.rs

@@ -793,7 +793,7 @@ pub fn parse_config<S: Strings>(strings: &S) -> Result<super::Config, EnvError>
         .unwrap_or(super::tap::Config::Disabled);
 
     let identity = {
-        let (addr, certify, params) = identity_config?;
+        let (addr, certify, tls) = identity_config?;
         // If the address doesn't have a server identity, then we're on localhost.
         let connect = if addr.addr.is_loopback() {
             inbound.proxy.connect.clone()
@@ -805,17 +805,17 @@ pub fn parse_config<S: Strings>(strings: &S) -> Result<super::Config, EnvError>
         } else {
             outbound.http_request_queue.failfast_timeout
         };
-        identity::Config {
+        identity::Config::Linkerd {
             certify,
-            control: ControlConfig {
+            tls,
+            client: ControlConfig {
                 addr,
                 connect,
                 buffer: QueueConfig {
                     capacity: DEFAULT_CONTROL_QUEUE_CAPACITY,
                     failfast_timeout,
                 },
             },
-            params,
         }
     };
 
@@ -1215,7 +1215,14 @@ pub fn parse_control_addr<S: Strings>(
 
 pub fn parse_identity_config<S: Strings>(
     strings: &S,
-) -> Result<(ControlAddr, identity::certify::Config, identity::TlsParams), EnvError> {
+) -> Result<
+    (
+        ControlAddr,
+        identity::client::linkerd::Config,
+        identity::TlsParams,
+    ),
+    EnvError,
+> {
     let control = parse_control_addr(strings, ENV_IDENTITY_SVC_BASE);
     let ta = parse(strings, ENV_IDENTITY_TRUST_ANCHORS, |s| {
         if s.is_empty() {
@@ -1225,7 +1232,7 @@ pub fn parse_identity_config<S: Strings>(
     });
     let dir = parse(strings, ENV_IDENTITY_DIR, |ref s| Ok(PathBuf::from(s)));
     let tok = parse(strings, ENV_IDENTITY_TOKEN_FILE, |ref s| {
-        identity::TokenSource::if_nonempty_file(s.to_string()).map_err(|e| {
+        identity::client::linkerd::TokenSource::if_nonempty_file(s.to_string()).map_err(|e| {
             error!("Could not read {ENV_IDENTITY_TOKEN_FILE}: {e}");
             ParseError::InvalidTokenSource
         })
@@ -1253,17 +1260,19 @@ pub fn parse_identity_config<S: Strings>(
             min_refresh,
             max_refresh,
         ) => {
-            let certify = identity::certify::Config {
+            let certify = identity::client::linkerd::Config {
                 token,
                 min_refresh: min_refresh.unwrap_or(DEFAULT_IDENTITY_MIN_REFRESH),
                 max_refresh: max_refresh.unwrap_or(DEFAULT_IDENTITY_MAX_REFRESH),
-                documents: identity::certify::Documents::load(dir).map_err(|error| {
-                    error!(%error, "Failed to read identity documents");
-                    EnvError::InvalidEnvVar
-                })?,
+                documents: identity::client::linkerd::certify::Documents::load(dir).map_err(
+                    |error| {
+                        error!(%error, "Failed to read identity documents");
+                        EnvError::InvalidEnvVar
+                    },
+                )?,
             };
             let params = identity::TlsParams {
-                server_id: identity::Id::Dns(local_name.clone()),
+                id: identity::Id::Dns(local_name.clone()),
                 server_name: local_name,
                 trust_anchors_pem,
             };