Revision 1fae8644a50ce7fbcf603a6d5d82eca56050e906 authored by John Fastabend on 18 January 2019, 18:58:08 UTC, committed by Thomas Graf on 25 January 2019, 20:35:12 UTC
[ upstream commit a7beef597de252fdc008b3e34612410857c9c7dd ]

Initially, we will support a pre-shared key model where all endpoints
have pre-shared keys loaded from a file. The file layout is as
follows with a key per line.

authname authkey encname enckey [scope]

This allows keys to be scoped so that it is possible to have a key
per node if desired. If scope is omitted the key is considered a
default key used if a more specific key is not found. My three node
testing file reads as follows,

hmac(sha256) abcdefghijklmnopqrstuvwzyzABCDEF cbc(aes) abcdefghijklmnopqrstuvwzyzABCDEF ubuntu-kvm1
hmac(sha256) abcdefghijklmnopqrstuvwzyzABCDEF cbc(aes) abcdefghijklmnopqrstuvwzyzABCDEF ubuntu-kvm2
hmac(sha256) abcdefghijklmnopqrstuvwzyzABCDEF cbc(aes) abcdefghijklmnopqrstuvwzyzABCDEF

The file is loaded at init time so any changes will have to be consumed
by a restart. In the future we can add watchers for the file and allow
using etcd secrets (files).

Also note the logic is built so that other methods of key exchanges
can be added later if folks want a different model.

Looking forward we can add more specific scope types to do per identity
keys if needed.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
1 parent 8cafbc6
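
An added Go example, not part of this commit or of Cilium's own code: a parser for the key file layout given in the commit message, with a scoped lookup that falls back to the default key. The type and function names, the placeholder key strings, and the handling of blank lines and repeated scopes are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Key is one line of the file; KeyStore maps scope to Key ("" = default key).
type Key struct{ AuthName, AuthKey, EncName, EncKey string }
type KeyStore map[string]Key

// ParseKeys reads "authname authkey encname enckey [scope]" lines. Assumed, not
// stated on the page: blank lines are skipped, a repeated scope is rejected.
func ParseKeys(data string) (KeyStore, error) {
	ks := KeyStore{}
	for i, line := range strings.Split(data, "\n") {
		f := strings.Fields(line)
		switch len(f) {
		case 0:
			continue
		case 4:
			f = append(f, "") // no scope field: this is the default key
		case 5:
		default: // the error reports position and count, never key material
			return nil, fmt.Errorf("line %d: want 4 or 5 fields, got %d", i+1, len(f))
		}
		if _, dup := ks[f[4]]; dup {
			return nil, fmt.Errorf("line %d: duplicate scope %q", i+1, f[4])
		}
		ks[f[4]] = Key{f[0], f[1], f[2], f[3]}
	}
	return ks, nil
}

// Lookup returns the key scoped to node, else the default key if one exists.
func (ks KeyStore) Lookup(node string) (Key, bool) {
	if k, ok := ks[node]; ok {
		return k, true
	}
	k, ok := ks[""]
	return k, ok
}

func main() {
	// Constructed sample input; the key strings are placeholders.
	ks, err := ParseKeys("hmac(sha256) AUTH-1 cbc(aes) ENC-1 ubuntu-kvm1\nhmac(sha256) AUTH-D cbc(aes) ENC-D\n")
	k, ok := ks.Lookup("ubuntu-kvm3") // no scoped entry, so the default key
	fmt.Println(k.AuthKey, ok, err)
}
```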