feat(k8s): register system identities through cli command #2378
Conversation
gsanchezgavier
left a comment
Thanks! I left some doubts.
| })?; | ||
|
|
||
| let private_key = LocalFile | ||
| .read(identity.private_key_path.as_path()) |
Are we storing the pk in the fs and then reading it?
We are! Thanks for pointing that out, I'm looking for alternatives to avoid it.
I finally changed it by using a custom key::Creator for the k8s use-case (it actually doesn't create anything, but it allows us to reference the key pair without external components). LMKWYT.
aa0e099 to 2f6bdf6
2f6bdf6 to 6d98da8
| } | ||
|
|
||
| impl Creator for PublicKeyHolder { | ||
| type Error = Infallible; |
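Review bot: `type Error = Infallible` on the `impl Creator for PublicKeyHolder` removes every error path from this creator, and the thread above says it "doesn't create anything" but only hands back an already-held key pair; add a doc comment on the impl stating exactly that, so future callers do not assume calling it will generate a fresh key or that a missing key pair will surface as an error.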
gsanchezgavier
left a comment
Thanks for addressing the comments!
77a5477 to 0c7d509
| public_key: PublicKeyPem, | ||
| } | ||
|
|
||
| impl Creator for PublicKeyHolder { |
Why can't it generate and return the key without storing it?
Would it make sense to have an inMemoryCreator instead of the hack?
I started with an in-memory creator, but it was adding complexity: the create() method would mutate the internal state, and it would need to provide something to access the private key.
| let KeyPair { | ||
| private_key, | ||
| public_key, | ||
| } = rsa(&KeyType::Rsa4096).map_err(|err| { |
I am not sure this should have been public after all 😅
I think it would have been cleaner to have an inMemory creator.
I agree, but then I'd polish the Creator trait first. I'll leave it as it is for now and reconsider a future refactor for newrelic-auth-rs, if that's OK.
We'll improve this in a PR on top of this after newrelic/newrelic-auth-rs#201 is merged
Addressed here: #2399 (there is no Creator anymore!)
paologallinaharbur
left a comment
I have doubts regarding the keyHolder, but it is something internal; therefore I do not want to block it.
Now that newrelic/newrelic-auth-rs#201 is ready, I'm working on a PR on top of this to simplify things. It should address: #2378 (comment)
c51a3c8 to 8e82dca
Summary
Adds a register-system-identity subcommand to the Kubernetes CLI binary. This command provisions a New Relic system identity (client ID + private key) and stores it as a Kubernetes Secret, making it available for Agent Control to authenticate with Fleet Control. The operation is idempotent — if the secret already exists, it exits early without modifying anything.

This aligns the approach between k8s and on-host for System Identity provisioning, leveraging the CLI to do so in both cases; it also allows simplifying the corresponding job in the helm chart.
Notes for reviewers
- The provide_system_identity_secret function takes the identity provider as a parameter specifically to enable unit testing without hitting real auth endpoints (the k8s client is also taken as a parameter for the same purpose).
- SystemIdentityArgs struct to clarify the broader tradeoff between arguments and sub-commands.

🚧 newrelic-auth-rs update
A newrelic-auth-rs update was needed, check feat: extract rsa key generation into public module newrelic-auth-rs#195. We are currently pointing to main, but this won't be merged until the changes in newrelic-auth-rs are released.
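The provide_system_identity_secret pattern from the notes above, as an added example that is not the PR's own code: the identity provider and the Kubernetes client sit behind hypothetical traits so they can be swapped for in-memory fakes in unit tests, and a second run finds the existing Secret and returns before the provider is ever called. Trait, type and Secret key names and the sample identity values are assumptions.

```rust
// Added example, not code from the PR: idempotent provisioning of the
// system-identity Secret with the provider and Secret store injected as
// traits. All trait, type and key names here are hypothetical.
use std::cell::Cell;
use std::collections::HashMap;
/// Provisioned system identity: client ID plus PEM-encoded private key.
#[derive(Clone, Debug, PartialEq)]
pub struct SystemIdentity { pub client_id: String, pub private_key_pem: String }
/// Hypothetical provider; the real one would call the New Relic auth API.
pub trait IdentityProvider { fn provision(&self) -> Result<SystemIdentity, String>; }
/// Hypothetical view of the Kubernetes client limited to what this step needs.
pub trait SecretStore {
    fn exists(&self, name: &str) -> bool;
    fn create(&mut self, name: &str, data: HashMap<String, String>) -> Result<(), String>;
}
#[derive(Debug, PartialEq)]
pub enum Outcome { AlreadyExists, Created }
/// Return before touching the provider when the Secret exists: a re-run mints no new identity.
pub fn provide_system_identity_secret<P: IdentityProvider, S: SecretStore>(
    provider: &P, store: &mut S, secret_name: &str,
) -> Result<Outcome, String> {
    if store.exists(secret_name) {
        return Ok(Outcome::AlreadyExists);
    }
    let identity = provider.provision()?;
    let data = HashMap::from([
        ("CLIENT_ID".to_string(), identity.client_id),
        ("private_key".to_string(), identity.private_key_pem),
    ]);
    store.create(secret_name, data)?;
    Ok(Outcome::Created)
}
/// In-memory fakes for unit tests (constructed; no cluster or auth endpoint involved).
#[derive(Default)]
pub struct FakeStore(pub HashMap<String, HashMap<String, String>>);
impl SecretStore for FakeStore {
    fn exists(&self, name: &str) -> bool { self.0.contains_key(name) }
    fn create(&mut self, name: &str, data: HashMap<String, String>) -> Result<(), String> {
        self.0.insert(name.to_string(), data); Ok(())
    }
}
/// Counts provision() calls so a test can assert the provider is hit at most once.
#[derive(Default)]
pub struct FakeProvider(pub Cell<u32>);
impl IdentityProvider for FakeProvider {
    fn provision(&self) -> Result<SystemIdentity, String> {
        self.0.set(self.0.get() + 1);
        Ok(SystemIdentity { client_id: "client-123".into(), private_key_pem: "PEM-PLACEHOLDER".into() })
    }
}
```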