Skip to content

[5/8] coordinator: support insecure manifests behind opt-in#2356

Open
msanft wants to merge 1 commit into
mainfrom
split/pr-2337-coordinator
Open

[5/8] coordinator: support insecure manifests behind opt-in#2356
msanft wants to merge 1 commit into
mainfrom
split/pr-2337-coordinator

Conversation

@msanft

@msanft msanft commented Apr 27, 2026

Copy link
Copy Markdown
Member

Split from #2337 as part of a stacked review series.

Depends on: #2355

This PR wires insecure manifests into the Coordinator behind explicit opt-in:

  • manifest helpers for insecure reference values
  • Coordinator opt-in gate
  • validator registration for insecure manifests
  • user API and tests

Closes CON-212

@msanft msanft added the no changelog PRs not listed in the release notes label Apr 27, 2026
@msanft msanft force-pushed the split/pr-2337-runtime-nodeinstaller branch from 4a00b00 to 657abac Compare April 27, 2026 13:27
@msanft msanft force-pushed the split/pr-2337-coordinator branch from 552c173 to 27802b6 Compare April 27, 2026 13:27
@msanft msanft requested review from burgerdev and charludo April 27, 2026 13:30
@msanft msanft changed the title coordinator: support insecure manifests behind opt-in [5/8] coordinator: support insecure manifests behind opt-in Apr 27, 2026
@msanft msanft force-pushed the split/pr-2337-coordinator branch from 27802b6 to 7073c58 Compare April 27, 2026 16:17
@msanft msanft force-pushed the split/pr-2337-runtime-nodeinstaller branch from 657abac to 41b8d92 Compare April 27, 2026 16:17
@msanft msanft force-pushed the split/pr-2337-coordinator branch from 7073c58 to af50bbe Compare May 5, 2026 12:55
@msanft msanft force-pushed the split/pr-2337-runtime-nodeinstaller branch from 41b8d92 to c596cca Compare May 5, 2026 12:55
Base automatically changed from split/pr-2337-runtime-nodeinstaller to split/pr-2337-initdata May 5, 2026 12:55
@msanft msanft force-pushed the split/pr-2337-initdata branch from 72898ef to f2897e6 Compare May 6, 2026 09:56
@msanft msanft force-pushed the split/pr-2337-coordinator branch from af50bbe to 65b519a Compare May 6, 2026 09:56
@msanft msanft force-pushed the split/pr-2337-initdata branch from f2897e6 to 91b1df7 Compare May 6, 2026 11:55
@msanft msanft force-pushed the split/pr-2337-coordinator branch from 65b519a to 891d7f0 Compare May 6, 2026 11:55
@msanft msanft force-pushed the split/pr-2337-initdata branch from 91b1df7 to db7cd22 Compare May 6, 2026 12:00
@msanft msanft force-pushed the split/pr-2337-coordinator branch 2 times, most recently from 6223484 to acaa9fd Compare May 6, 2026 12:27
@msanft msanft force-pushed the split/pr-2337-initdata branch 2 times, most recently from a8f6eb6 to fd0d094 Compare May 11, 2026 20:39
@msanft msanft force-pushed the split/pr-2337-coordinator branch 2 times, most recently from 9eeeeba to 55e4947 Compare May 11, 2026 20:47
@msanft msanft force-pushed the split/pr-2337-initdata branch 2 times, most recently from bbf67f4 to 9da6471 Compare May 12, 2026 14:04
@msanft msanft force-pushed the split/pr-2337-coordinator branch 2 times, most recently from 21d6bec to 1cd7565 Compare May 12, 2026 14:20
@msanft msanft force-pushed the split/pr-2337-coordinator branch from abb75b8 to 2701421 Compare May 26, 2026 08:48

@charludo charludo left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Sorry review took so long. I have a couple of comments, see below; the one architectural one I want to get your opinion on is if we should allow mixed manifests. Is that something you actually require? Because if not, then I'd strongly urge to allow either all-secure, or all-insecure manifests, no mix.

Comment thread coordinator/internal/stateguard/stateguard.go Outdated
Comment thread coordinator/internal/stateguard/stateguard.go Outdated
Comment thread internal/atls/issuer/issuer_linux.go
Comment thread coordinator/internal/stateguard/credentials.go Outdated
Comment thread coordinator/main.go Outdated
@msanft msanft force-pushed the split/pr-2337-initdata branch 2 times, most recently from 9b08076 to f13a5d2 Compare June 5, 2026 17:47

@sespiros sespiros left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I second Charlotte's comment about needing to decide whether we want to allow mixed manifests. My understanding was that we actually do need to do that for the benchmarking use case that triggered this PR series.

If that's the case we should at least close the impersonation gap by adding a per-policy attestation-type binding (which doesn't exist today). An attacker who controls an insecure node can produce an attestation that authenticates as any CC policy in the manifest, because meshapi.NewMeshCert does Policies[hostData] without checking which validator produced the hostData.

For example like:

type PolicyEntry struct {
    SANs                   []string
    WorkloadSecretID       string
    Role                   Role
    AllowedAttestationOIDs []asn1.ObjectIdentifier `json:",omitempty"`
}

Comment thread coordinator/internal/stateguard/stateguard_test.go Outdated
Comment thread internal/manifest/manifest.go Outdated
Comment thread internal/manifest/manifest.go
@msanft msanft force-pushed the split/pr-2337-initdata branch 2 times, most recently from f7a0675 to c8c1132 Compare July 2, 2026 11:41
@linear-code

linear-code Bot commented Jul 2, 2026

Copy link
Copy Markdown

CON-212

Base automatically changed from split/pr-2337-initdata to main July 2, 2026 12:08
@msanft msanft force-pushed the split/pr-2337-coordinator branch from 2701421 to 6bf854e Compare July 2, 2026 12:18
@msanft

msanft commented Jul 2, 2026

Copy link
Copy Markdown
Member Author

the one architectural one I want to get your opinion on is if we should allow mixed manifests. Is that something you actually require?

I've thought about this for some time now, and couldn't think of a use-case we'd need a mixed manifest for. I second your opinion that it should not be allowed then.

@msanft msanft force-pushed the split/pr-2337-coordinator branch from 66d886c to 003a4ba Compare July 2, 2026 13:54
Comment thread coordinator/internal/stateguard/stateguard.go Outdated
Comment thread coordinator/internal/stateguard/stateguard.go Outdated
@msanft msanft force-pushed the split/pr-2337-coordinator branch 2 times, most recently from 0743b72 to b95c24d Compare July 2, 2026 14:50
@msanft msanft requested a review from sespiros July 2, 2026 15:03
@msanft

msanft commented Jul 2, 2026

Copy link
Copy Markdown
Member Author

ping, this should be ready for another round of review @burgerdev @sespiros @charludo

@sespiros sespiros left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the changes. We recently did a significant refactor on our validation logic so this needs to be rebased for a final clean review.

The rest of the changes lgtm.

@msanft msanft force-pushed the split/pr-2337-coordinator branch from b95c24d to 8b08799 Compare July 10, 2026 08:48
@msanft msanft requested a review from sespiros July 10, 2026 09:22

@sespiros sespiros left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, left a few comments.

I am thinking that recovering an insecure manifest should require CONTRAST_ALLOW_INSECURE. We can check the recovered manifest in ResetState and return ErrInsecureNotAllowed when it is insecure and allowInsecure is false. We can also add a test that simulates a restart: create a Guard, call MakeInsecure, and use UpdateState to set an insecure manifest. Then create a new Guard using the same History, without calling MakeInsecure, and verify that ResetState returns ErrInsecureNotAllowed.

Comment thread coordinator/internal/stateguard/stateguard.go Outdated

@charludo charludo left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! My original concerns are all covered, and their implementation LGTM. From my side, and not including @sespiros comments of course, this is good to go.

@msanft msanft force-pushed the split/pr-2337-coordinator branch from 8b08799 to da2a787 Compare July 13, 2026 14:02
@msanft msanft requested a review from sespiros July 13, 2026 14:03

@burgerdev burgerdev left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall lgtm, thanks!

Comment on lines +80 to +82
// allowInsecure controls whether manifests with insecure platforms are accepted.
// It defaults to false and can be enabled via MakeInsecure.
allowInsecure bool

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The stateguard's purpose is to store, retrieve and update state, and I tried to avoid putting unrelated business logic in here as much as possible. For example, completeness of the manifest, permission to update a manifest and recovery security are checked in userapi (we added a callback to ResetState for that). Arguably that's also not pretty, but I don't have a good alternative idea right now.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe I was not clear enough: let's move this logic out of the stateguard and into the userapi for now. Slicing the userapi into subpackages for request processing, authz and such can then be done later.

Comment thread coordinator/main.go Outdated
@msanft msanft force-pushed the split/pr-2337-coordinator branch from da2a787 to 72191cb Compare July 15, 2026 13:34
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@msanft msanft force-pushed the split/pr-2337-coordinator branch from 72191cb to 794edde Compare July 16, 2026 10:57

@sespiros sespiros left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the changes, nothing more to add.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

no changelog PRs not listed in the release notes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants