From b5a6795ec07601378ee66dd80b5156ccc3e8f83d Mon Sep 17 00:00:00 2001
From: mnm678
Date: Fri, 12 Dec 2025 21:13:07 +0000
Subject: [PATCH 1/6] Add rpc to request a SPIRE identifier for a given zoneid
---
 protect/control/v1/control.proto | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/protect/control/v1/control.proto b/protect/control/v1/control.proto
index b2acfae..d3c7381 100644
--- a/protect/control/v1/control.proto
+++ b/protect/control/v1/control.proto
@@ -61,6 +61,8 @@ service ControlService {
 rpc SetHostPowerManagementPolicy(SetHostPowerManagementPolicyRequest) returns (SetHostPowerManagementPolicyReply);
 rpc DialNetworkSocket(stream DialNetworkSocketRequest) returns (stream DialNetworkSocketReply);
+
+ rpc SpireMetadata(stream SpireMetadataRequest) returns (stream SpireMetadataReply);
 }
 // Requests info about the current Edera daemon/host on this machine.
@@ -213,6 +215,14 @@ message ZoneKernelEventStreamUpdate {
 // Stops the current syscall event stream subscription.
 message ZoneKernelEventStreamStop {}
+message SpireMetadataRequest {
+ string zoneID = 1;
+}
+
+message SpireMetadataReply {
+ string identifier = 1;
+}
+
 // roughly maps to libscap's `scap_threadinfo` type.
 // See https://github.com/falcosecurity/libs/blob/af6e6f276bf3a847159b3cdfdbcc9efda9a620b9/userspace/libscap/scap.h#L244
 message ZoneKernelThreadInfo {
From 36d1fcc970cc4bf77a3a43c043062b526f3af742 Mon Sep 17 00:00:00 2001
From: mnm678
Date: Mon, 15 Dec 2025 15:27:45 +0000
Subject: [PATCH 2/6] Make Spire metadata not steaming
---
 protect/control/v1/control.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/protect/control/v1/control.proto b/protect/control/v1/control.proto
index d3c7381..2b2551d 100644
--- a/protect/control/v1/control.proto
+++ b/protect/control/v1/control.proto
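Review bot: `SpireMetadata` is the only method in ControlService without a verb — every neighbour is `VerbNoun` (`GetZone`, `DialNetworkSocket`, and `GetSpireBundle` added later in this series), so the generated client reads as a noun call. Rename to `rpc GetSpireMetadata(GetSpireMetadataRequest) returns (GetSpireMetadataReply);` and rename the two messages to match; the same applies to the unary form in the [PATCH 2/6] hunk, which is the line that survives. Placing it next to `GetSpireBundle` rather than after `DialNetworkSocket` would also keep the SPIRE methods together. The ControlService body continues outside the hunk.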
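Review bot: `SpireMetadataRequest.zoneID` and `SpireMetadataReply.identifier` carry no comments, so the contract is unstated: what kind of identifier is returned (presumably a SPIFFE ID — confirm), and whether a caller may ask for a zone other than the one its own control channel belongs to. The [PATCH 6/6] hunk later says the daemon derives the zone from the authenticated channel when the field is omitted, which leaves the case where it is present and names a different zone undocumented; the request field should state that rule, e.g. `// Zone to resolve the identity for. Left empty by in-zone callers, in which case the daemon uses the zone of the authenticated control channel; a value naming a zone the caller is not authorized for is expected to be rejected — confirm.` The two messages also sit between the `ZoneKernelEvent*` definitions and `ZoneKernelThreadInfo`, which have nothing to do with SPIRE; grouping them with the host-level request/reply messages would be clearer.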
@@ -62,7 +62,7 @@ service ControlService {
 rpc DialNetworkSocket(stream DialNetworkSocketRequest) returns (stream DialNetworkSocketReply);
- rpc SpireMetadata(stream SpireMetadataRequest) returns (stream SpireMetadataReply);
+ rpc SpireMetadata(SpireMetadataRequest) returns (SpireMetadataReply);
 }
 // Requests info about the current Edera daemon/host on this machine.
From 6c2834e6b984295c3bce5ece62a28d44238e7442 Mon Sep 17 00:00:00 2001
From: mnm678
Date: Mon, 15 Dec 2025 20:33:12 +0000
Subject: [PATCH 3/6] Add proto for zone services and spire
---
 protect/control/v1/common.proto | 10 ++++++++
 protect/control/v1/control.proto | 40 ++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
diff --git a/protect/control/v1/common.proto b/protect/control/v1/common.proto
index cb6111f..93afbe3 100644
--- a/protect/control/v1/common.proto
+++ b/protect/control/v1/common.proto
@@ -290,6 +290,11 @@ message ZoneNetworkNeighborEntry {
 uint32 kind = 6;
 }
+message ZoneServiceConfig {
+ string zone_id = 1;
+ string service = 2;
+}
+
 message ZoneNetworkConfig {
 repeated ZoneNetworkInterfaceConfig interfaces = 1;
 repeated ZoneNetworkRoute routes = 2;
@@ -366,6 +371,11 @@ message NetworkReservation {
 string gateway_mac = 7;
 }
+message ServiceEntry {
+ string zone_id = 1;
+ string service_name = 2;
+}
+
 message WorkloadSpec {
 string name = 1;
 string zone_id = 2;
diff --git a/protect/control/v1/control.proto b/protect/control/v1/control.proto
index 2b2551d..4b5d289 100644
--- a/protect/control/v1/control.proto
+++ b/protect/control/v1/control.proto
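Review bot: `ZoneServiceConfig` and `ServiceEntry` (the `@@ -366` hunk of this patch) describe the same pair of values but name the second field differently — `service` here, `service_name` there — so a caller mapping an advertised config onto a discovered entry has to guess that the two are the same thing. Pick one name, `service_name`, for both, and add a leading comment on each message saying how it is used (config is what a zone advertises, entry is what `DiscoverServices` reports, if that is the intent). Neither message documents the format or uniqueness rules of the service name.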
@@ -33,10 +33,15 @@ service ControlService {
 rpc ResolveZoneIds(ResolveZoneIdsRequest) returns (ResolveZoneIdsReply);
 rpc GetZone(GetZoneRequest) returns (GetZoneReply);
 rpc ListZones(ListZonesRequest) returns (stream ListZonesReply);
+ rpc DiscoverServices(DiscoverServicesRequest) returns (stream DiscoverServicesReply);
+ rpc GetSpireBundle(SpireBundleRequest) returns (SpireBundleReply);
 rpc UpdateZoneResources(UpdateZoneResourcesRequest) returns (UpdateZoneResourcesReply);
 rpc ConfigureZoneNetwork(ConfigureZoneNetworkRequest) returns (ConfigureZoneNetworkReply);
+ rpc AdvertiseZoneService(AdvertiseZoneServiceRequest) returns (AdvertiseZoneServiceReply);
+ rpc UnadvertiseZoneService(UnadvertiseZoneServiceRequest) returns (UnadvertiseZoneServiceReply);
+
 rpc AttachZoneConsole(stream ZoneConsoleRequest) returns (stream ZoneConsoleReply);
 rpc ExecuteZoneCommand(stream ExecuteZoneCommandRequest) returns (stream ExecuteZoneCommandReply);
 rpc ReadZoneMetrics(ReadZoneMetricsRequest) returns (ReadZoneMetricsReply);
@@ -431,6 +436,18 @@ message ZoneKernelEventParam {
 string param_type_pretty = 5;
 }
+message DiscoverServicesRequest {}
+
+message DiscoverServicesReply {
+ repeated protect.common.v1.ServiceEntry service_entry = 1;
+}
+
+message SpireBundleRequest {}
+
+message SpireBundleReply {
+ string bundle = 1;
+}
+
 // Client stream message for `ExecuteZoneCommand`. The first message sent must be an
 // `ExecuteZoneCommandStart`; subsequent messages carry stdin data or terminal resizes.
 message ExecuteZoneCommandRequest {
@@ -518,6 +535,8 @@ message WatchEventsReply {
 oneof event {
 ZoneChangedEvent zone_changed = 1;
 WorkloadChangedEvent workload_changed = 2;
+ AdvertiseServiceEvent advertise_service = 3;
+ UnadvertiseServiceEvent unadvertise_service = 4;
 }
 }
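Review bot: `GetSpireBundle` is declared with `SpireBundleRequest`/`SpireBundleReply` while every other method in this block uses `<Method>Request`/`<Method>Reply` (`DiscoverServicesRequest`, `AdvertiseZoneServiceRequest`, …). Rename to `rpc GetSpireBundle(GetSpireBundleRequest) returns (GetSpireBundleReply);` and rename the two messages in the `@@ -431` hunk accordingly, so each message stays method-specific and can grow fields without being shared. The ControlService body continues outside the hunk.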
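Review bot: `repeated protect.common.v1.ServiceEntry service_entry = 1;` in `DiscoverServicesReply` is a repeated field with a singular name, which yields a misleading list accessor; `repeated protect.common.v1.ServiceEntry service_entries = 1;` matches the plural convention used elsewhere. `SpireBundleReply.bundle` is a bare `string` whose encoding is unstated (PEM, JWKS or a SPIFFE bundle document are all plausible), so add a comment naming the format, and consider `bytes` if it is not guaranteed UTF-8 text, since a consumer validating peer identities against this bundle must parse it exactly. The two empty request messages are fine as placeholders but deserve a one-line comment each stating what the method returns.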
@@ -531,6 +550,14 @@ message WorkloadChangedEvent {
 Workload workload = 1;
 }
+message AdvertiseServiceEvent {
+ protect.common.v1.ServiceEntry service_entry = 1;
+}
+
+message UnadvertiseServiceEvent {
+ string uuid = 1;
+}
+
 // Reads the most recently collected metrics (memory, CPU, etc.) for the given zone.
 // Metrics are served from a daemon-managed cache.
 message ReadZoneMetricsRequest {
@@ -829,6 +856,19 @@ message ConfigureZoneNetworkRequest {
 message ConfigureZoneNetworkReply {}
+message AdvertiseZoneServiceRequest {
+ string uuid = 1;
+ protect.common.v1.ZoneServiceConfig config = 2;
+}
+
+message AdvertiseZoneServiceReply {}
+
+message UnadvertiseZoneServiceRequest {
+ protect.common.v1.ZoneServiceConfig config = 2;
+}
+
+message UnadvertiseZoneServiceReply {}
+
 // Client stream message for `DialNetworkSocket`. The first message must be a
 // `DialNetworkSocketStart`. Subsequent messages carry data to write to the connection.
 message DialNetworkSocketRequest {
From 0887c3513f44d8b67f39ac9e681412a57c2fabf1 Mon Sep 17 00:00:00 2001
From: mnm678
Date: Mon, 15 Dec 2025 21:01:28 +0000
Subject: [PATCH 4/6] fix references
---
 protect/control/v1/control.proto | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/protect/control/v1/control.proto b/protect/control/v1/control.proto
index 4b5d289..5fec6a6 100644
--- a/protect/control/v1/control.proto
+++ b/protect/control/v1/control.proto
@@ -439,7 +439,7 @@ message ZoneKernelEventParam {
 message DiscoverServicesRequest {}
 message DiscoverServicesReply {
- repeated protect.common.v1.ServiceEntry service_entry = 1;
+ repeated ServiceEntry service_entry = 1;
 }
 message SpireBundleRequest {}
@@ -551,7 +551,7 @@ message WorkloadChangedEvent {
 }
 message AdvertiseServiceEvent {
- protect.common.v1.ServiceEntry service_entry = 1;
+ ServiceEntry service_entry = 1;
 }
 message UnadvertiseServiceEvent {
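Review bot: `UnadvertiseServiceEvent` identifies the service by `uuid`, but `AdvertiseServiceEvent` carries only a `ServiceEntry` (`zone_id`, `service_name`) and never exposes that uuid, so as far as the visible definitions show a `WatchEvents` consumer cannot correlate an unadvertise with the entry it previously saw. Either add `string uuid = 2;` to `AdvertiseServiceEvent` (the value already exists on `AdvertiseZoneServiceRequest` in the `@@ -829` hunk) or make `UnadvertiseServiceEvent` carry the `ServiceEntry`. Both events also lack a comment stating when they fire.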
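Review bot: `UnadvertiseZoneServiceRequest` has a single field numbered 2 and no field 1, which looks like the `uuid` line was dropped when the message was copied from `AdvertiseZoneServiceRequest`; since the message is new, either renumber to `config = 1` or, if the gap is deliberate, add `reserved 1;` so the number is not silently reused later. It also keys the removal by `config` while `UnadvertiseServiceEvent` keys it by `uuid`, so the two halves of the flow disagree on what identifies an advertisement. Neither request documents who may advertise on behalf of `config.zone_id`; a leading comment should state that the daemon is expected to verify the caller is authorized for that zone before publishing or removing the entry (presumably by matching the zone of the control channel — confirm).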
@@ -858,13 +858,13 @@ message ConfigureZoneNetworkReply {}
 message AdvertiseZoneServiceRequest {
 string uuid = 1;
- protect.common.v1.ZoneServiceConfig config = 2;
+ ZoneServiceConfig config = 2;
 }
 message AdvertiseZoneServiceReply {}
 message UnadvertiseZoneServiceRequest {
- protect.common.v1.ZoneServiceConfig config = 2;
+ ZoneServiceConfig config = 2;
 }
 message UnadvertiseZoneServiceReply {}
From 3e458d45d327fc489b25db6ee71dafec7a9efde3 Mon Sep 17 00:00:00 2001
From: Benjamin Leggett
Date: Mon, 29 Jun 2026 20:53:01 -0400
Subject: [PATCH 5/6] fixup lint
---
 protect/control/v1/control.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/protect/control/v1/control.proto b/protect/control/v1/control.proto
index 5fec6a6..75052c6 100644
--- a/protect/control/v1/control.proto
+++ b/protect/control/v1/control.proto
@@ -221,7 +221,7 @@ message ZoneKernelEventStreamUpdate {
 message ZoneKernelEventStreamStop {}
 message SpireMetadataRequest {
- string zoneID = 1;
+ string zone_id = 1;
 }
 message SpireMetadataReply {
From bf4b54dbe2986d7c15516ddb147927dfc757f4cc Mon Sep 17 00:00:00 2001
From: Benjamin Leggett
Date: Mon, 29 Jun 2026 23:12:18 -0400
Subject: [PATCH 6/6] fixup
---
 protect/control/v1/control.proto | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/protect/control/v1/control.proto b/protect/control/v1/control.proto
index 75052c6..c4847db 100644
--- a/protect/control/v1/control.proto
+++ b/protect/control/v1/control.proto
@@ -226,6 +226,10 @@ message SpireMetadataRequest {
 message SpireMetadataReply {
 string identifier = 1;
+ // The zone the identifier was resolved for. When the request omits zoneID,
+ // the daemon fills it from the authenticated in-zone control channel and
+ // echoes it here so the caller learns its own zone without a side channel.
+ string zone_id = 2;
 }
 // roughly maps to libscap's `scap_threadinfo` type.
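Review bot: The new comment on `SpireMetadataReply.zone_id` refers to `zoneID`, but the [PATCH 5/6] hunk just renamed the request field to `zone_id`, so the comment is stale on arrival. `SpireMetadataRequest.zone_id` is a proto3 `string` without `optional`, so "omits" on the wire means an empty string — either say so, or declare the request field `optional string zone_id = 1;` so the daemon can tell unset from empty. Suggested wording: `// The zone the identifier was resolved for. When the request leaves zone_id empty, the daemon fills it from the authenticated in-zone control channel and echoes it here so the caller learns its own zone without a side channel.` The rule itself belongs on the request field as well, since that is where a caller decides whether to set it.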