Support for named pipes
Falco20019 opened this issue · 17 comments
We need support for named pipes in ghostunnel. Due to the change of the protocol from TCP to Named Pipes in 1.3.0 of the spire-server, we can not use ghostunnel anymore since it relies on workloadapi/addr.go which only supports tcp and unix.
This is related to spiffe/spire#3076.
I will also create a request to update the dependencies to use the v2 API once Named Pipes are included here.
@amartinezfayo This is blocking ghostunnel/ghostunnel#366. Is there a roadmap for when this would be planned? It would really help us since right now, we can't update SPIRE anymore and need to stick with ghostunnel + SPIRE on the TCP supporting version.
@Falco20019 Solving this issue is a priority for us right now. We are actively discussing what's the best solution and we should have an update very soon.
Due to the change of the protocol from TCP to Named Pipes in 1.3.0 of the spire-server, we can not use ghostunnel anymore since it relies on workloadapi/addr.go which only supports tcp and unix.
@Falco20019 I'm confused if you really meant spire-server or wanted to refer to spire-agent?
I meant the spire-agent of course. Sorry for the confusion.
@amartinezfayo Just wanted to ping you if there is a timeline for resolving this. It is still a blocking issue to use other libs like ghostunnel (which just recently updated the libs but since this is not done yet, won't help anyone yet).
@Falco20019 I've been meaning to update this issue, sorry for the silence here.
We have merged #198 that adds support to Named Pipes in gRPC target strings in go-spiffe. The npipe URI scheme is now supported to specify a named pipe target address, through an opaque URI: npipe:<pipeName> where pipeName is the named pipe name in the local host.
I've noticed that ghostunnel was updated to use go-spiffe v2 (2.1.0). What's remaining is to update it to leverage the latest changes introduced in #198. @MarcosDY has been looking at this and he could work on a PR to have ghostunnel updated with that. @MarcosDY would you be able to take that work?
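The opaque npipe:<pipeName> form described in the comment above, as an added example (not part of the thread and not go-spiffe's addr.go). The helper name pipePathFromAddr and the sample addresses are hypothetical, and the mapping to \\.\pipe\<pipeName> is an assumption based on the path shown in the error log further down.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// pipePathFromAddr is a hypothetical helper: it accepts only the opaque
// form npipe:<pipeName> and returns the local Windows pipe path
// \\.\pipe\<pipeName> (assumed mapping), so the endpoint is always local.
func pipePathFromAddr(addr string) (string, error) {
	u, err := url.Parse(addr)
	if err != nil {
		return "", fmt.Errorf("address is not a valid URI: %w", err)
	}
	switch {
	case u.Scheme != "npipe":
		return "", fmt.Errorf("unsupported scheme %q", u.Scheme)
	case u.Opaque == "":
		// Covers npipe://host/name and npipe:/name, which are not opaque,
		// as well as an empty pipe name.
		return "", errors.New("npipe URI must be opaque: npipe:<pipeName>")
	case u.RawQuery != "" || u.ForceQuery:
		return "", errors.New("npipe URI must not include a query")
	case u.Fragment != "":
		return "", errors.New("npipe URI must not include a fragment")
	}
	return `\\.\pipe\` + u.Opaque, nil
}

func main() {
	// Constructed sample addresses; the first yields the path seen in the log.
	for _, a := range []string{
		`npipe:backend-agent\public\api`,
		`npipe://backend-agent/public/api`,
		`unix:///tmp/agent.sock`,
		`npipe:`,
	} {
		p, err := pipePathFromAddr(a)
		fmt.Printf("%-36s -> %q err=%v\n", a, p, err)
	}
}
```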
Looks like they already updated their code to support go-spiffe V2, so we may need to add a new config to provide a named pipe to use, and verify it works on a Windows environment, and maybe add a demo in the doc folder, where you can find one for the Linux version (that demo is not updated and will not work with current spire, I'll try to update it too).
We probably need to do a release of go-spiffe with that change. We haven't done a release since the merge.
Adding a new config should not be necessary, as they are just forwarding the URI to parseTargetFromURLAddr of your addr.go code. But since 2.1.0 did not include it, we still missed it by an inch :)
We released 2.1.1 yesterday, which includes this change.
I verified that ghostunnel is able to work using the latest go-spiffe. I created a PR with that upgrade, and added a copy of the actual demo with spire/ghostunnel integration but using Windows.
Can you share the demo video or complete steps to run a workload on Windows?
An example can be found here: https://github.com/ghostunnel/ghostunnel/tree/master/docs/spiffe-workload-api-demo/windows
I'm just not sure if it's still in experimental or if it was moved into the regular block.
I have followed the steps which are there in the README file, and I do have the prerequisites:
- ghostunnel binary from Ghostunnel
- spire-server and spire-agent binaries from SPIRE
- socat (https://github.com/tech128/socat-1.7.3.0-windows)
After that I started executing the .sh files one by one. From 1 to 4 I just got a popup prompt, and for 5 and 6 I am getting the following error:
[9856] 2023/12/28 05:08:59.917513 starting ghostunnel in server mode
[9856] 2023/12/28 05:08:59.930390 using SPIFFE Workload API as certificate source
[9856] 2023/12/28 05:08:59.968656 using target address localhost:9003
[9856] 2023/12/28 05:08:59.971015 spiffe/debug: Watching X.509 contexts
[9856] 2023/12/28 05:08:59.971153 spiffe/error: Failed to watch the Workload API: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: open \\.\pipe\backend-agent\public\api: The system cannot find the file specified."
[9856] 2023/12/28 05:08:59.971717 spiffe/debug: Retrying watch in 1s
[9856] 2023/12/28 05:09:00.973466 spiffe/debug: Watching X.509 contexts
[9856] 2023/12/28 05:09:00.973466 spiffe/error: Failed to watch the Workload API: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: open \\.\pipe\backend-agent\public\api: The system cannot find the file specified."
[9856] 2023/12/28 05:09:00.973466 spiffe/debug: Retrying watch in 2s
[9856] 2023/12/28 05:09:21.007586 spiffe/error: Failed to watch the Workload API: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: open \\.\pipe\backend-agent\public\api: The system cannot find the file specified."
[9856] 2023/12/28 05:09:21.008159 spiffe/debug: Retrying watch in 7s
[9856] 2023/12/28 05:09:28.011339 spiffe/debug: Watching X.509 contexts
[9856] 2023/12/28 05:09:28.011475 spiffe/error: Failed to watch the Workload API: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: open \\.\pipe\backend-agent\public\api: The system cannot find the file specified."
[9856] 2023/12/28 05:09:28.012035 spiffe/debug: Retrying watch in 8s
[9856] 2023/12/28 05:09:36.022908 spiffe/debug: Watching X.509 contexts
[9856] 2023/12/28 05:09:36.022908 spiffe/error: Failed to watch the Workload API: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: open \\.\pipe\backend-agent\public\api: The system cannot find the file specified."
[9856] 2023/12/28 05:09:36.023453 spiffe/debug: Retrying watch in 9s
[9856] 2023/12/28 05:09:45.036016 spiffe/debug: Watching X.509 contexts
[9856] 2023/12/28 05:09:45.036016 spiffe/error: Failed to watch the Workload API: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: open \\.\pipe\backend-agent\public\api: The system cannot find the file specified."
[9856] 2023/12/28 05:09:45.036576 spiffe/debug: Retrying watch in 10s
[9856] 2023/12/28 05:09:55.050117 spiffe/debug: Watching X.509 contexts
[9856] 2023/12/28 05:09:55.050329 spiffe/error: Failed to watch the Workload API: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: open \\.\pipe\backend-agent\public\api: The system cannot find the file specified."
[9856] 2023/12/28 05:09:55.050329 spiffe/debug: Retrying watch in 11s
[9856] 2023/12/28 05:10:06.052072 spiffe/debug: Watching X.509 contexts
[9856] 2023/12/28 05:10:06.052072 spiffe/error: Failed to watch the Workload API: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: open \\.\pipe\backend-agent\public\api: The system cannot find the file specified."
[9856] 2023/12/28 05:10:06.052072 spiffe/debug: Retrying watch in 12s
Any reason? It is specifically looking for the path (\\.\pipe\backend-agent\public\api). In Windows, where will it be created, or do we have to create it manually?
And the path of the repo is: C:\Users\prasanth_allu\SPIRE\ghostunnel\docs\spiffe-workload-api-demo\windows
Can you show the output of the first 4? Especially 01? Just run them from the command line if it would go away too fast. I assume you have to adjust the configuration since the pipe is not experimental anymore.
It might be better to open an issue over at ghostunnel/ghostunnel so that it gets fixed as well.
From 01 to 04, executed through the command line, it is just a popup window, coming and going very fast; I am not able to see the logs of it.
What are the configuration changes that I have to do?
I will open a new issue on this.
Sadly not sure anymore since it's been some time and I'm not at home, so I can't check. You need to run 'wsl' to see the output. Shell scripts would run in a wsl environment on windows, which is the popups. You can also just switch the scripts to bat files to run natively.