diff --git a/internal/pkg/config/testdata/config/full.yaml b/internal/pkg/config/testdata/config/full.yaml index 8e6626e..d58d97b 100644 --- a/internal/pkg/config/testdata/config/full.yaml +++ b/internal/pkg/config/testdata/config/full.yaml @@ -18,10 +18,12 @@ trust_zones: extra_helm_values: global: spire: - namespaces: - create: true + caSubject: + commonName: cn.example.com + organization: acme-org spire-server: logLevel: INFO + nameOverride: custom-server-name bundle_endpoint_profile: BUNDLE_ENDPOINT_PROFILE_HTTPS_SPIFFE profile: kubernetes external_server: false diff --git a/internal/pkg/test/fixtures/fixtures.go b/internal/pkg/test/fixtures/fixtures.go index a75b6cb..482167e 100644 --- a/internal/pkg/test/fixtures/fixtures.go +++ b/internal/pkg/test/fixtures/fixtures.go @@ -46,13 +46,18 @@ var trustZoneFixtures map[string]*trust_zone_proto.TrustZone = map[string]*trust ev := map[string]any{ "global": map[string]any{ "spire": map[string]any{ - "namespaces": map[string]any{ - "create": true, + // Modify multiple values in the same map. + "caSubject": map[string]any{ + "organization": "acme-org", + "commonName": "cn.example.com", }, }, }, "spire-server": map[string]any{ + // Modify an existing value. "logLevel": "INFO", + // Customise a new value. + "nameOverride": "custom-server-name", }, } value, err := structpb.NewStruct(ev) diff --git a/internal/pkg/trustprovider/trustprovider.go b/internal/pkg/trustprovider/trustprovider.go index 3a460a0..4d56211 100644 --- a/internal/pkg/trustprovider/trustprovider.go +++ b/internal/pkg/trustprovider/trustprovider.go 
@@ -36,27 +36,18 @@ func (tp *TrustProvider) GetValues() error { switch tp.Kind { case "kubernetes": tp.AgentConfig = TrustProviderAgentConfig{ - WorkloadAttestor: KubernetesTrustProvider, - WorkloadAttestorEnabled: true, + WorkloadAttestor: KubernetesTrustProvider, WorkloadAttestorConfig: map[string]any{ - "enabled": true, - "skipKubeletVerification": true, - "disableContainerSelectors": true, - "useNewContainerLocator": false, - "verboseContainerLocatorLogs": false, + "enabled": true, + "disableContainerSelectors": true, }, - NodeAttestor: kubernetesPsat, - NodeAttestorEnabled: true, + NodeAttestor: kubernetesPsat, } tp.ServerConfig = TrustProviderServerConfig{ - NodeAttestor: kubernetesPsat, - NodeAttestorEnabled: true, + NodeAttestor: kubernetesPsat, NodeAttestorConfig: map[string]any{ - "enabled": true, - "serviceAccountAllowList": []string{"spire:spire-agent"}, - "audience": []string{"spire-server"}, - "allowedNodeLabelKeys": []string{}, - "allowedPodLabelKeys": []string{}, + "enabled": true, + "audience": []string{"spire-server"}, }, } default: @@ -66,17 +57,14 @@ func (tp *TrustProvider) GetValues() error { } type TrustProviderAgentConfig struct { - WorkloadAttestor string `yaml:"workloadAttestor"` - WorkloadAttestorEnabled bool `yaml:"workloadAttestorEnabled"` - WorkloadAttestorConfig map[string]any `yaml:"workloadAttestorConfig"` - NodeAttestor string `yaml:"nodeAttestor"` - NodeAttestorEnabled bool `yaml:"nodeAttestorEnabled"` + WorkloadAttestor string + WorkloadAttestorConfig map[string]any + NodeAttestor string } type TrustProviderServerConfig struct { - NodeAttestor string `yaml:"nodeAttestor"` - NodeAttestorEnabled bool `yaml:"nodeAttestorEnabled"` - NodeAttestorConfig map[string]any `yaml:"nodeAttestorConfig"` + NodeAttestor string + NodeAttestorConfig map[string]any } // GetTrustProviderKindFromProfile returns the valid kind of trust provider for the 
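Review bot: Dropping `skipKubeletVerification` and `serviceAccountAllowList` from the kubernetes case of `GetValues` moves two attestation trust decisions out of this code and onto the Helm chart's defaults, and nothing in the hunk records that intent. The old allowlist entry `spire:spire-agent` named the agent's former namespace and would have been wrong once the agent moved to `spire-system`, so deferring to the chart is plausible, but whether kubelet certificate verification ends up enabled now depends entirely on the chart version pinned elsewhere. A comment above the retained `WorkloadAttestorConfig`, such as `// Kubelet TLS verification and the PSAT serviceAccountAllowList are intentionally left to the chart defaults; revisit if the chart version changes.`, would make the trust boundary explicit. `GetValues` begins before this hunk.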
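Review bot: `TrustProviderAgentConfig` and `TrustProviderServerConfig` are exported types with no doc comment; the hunk shows a blank context line directly above each `type` line. Now that the yaml tags are gone, a comment stating how the structs are consumed would help, e.g. `// TrustProviderAgentConfig holds the attestor names and plugin configuration rendered into the spire-agent Helm values.` and the matching sentence for the server type. If any caller still marshals these structs to YAML, removing the tags changes the emitted keys to the exported field names; I cannot see such a caller from here.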
diff --git a/internal/pkg/workload/workload.go b/internal/pkg/workload/workload.go index d008da4..67cacd0 100644 --- a/internal/pkg/workload/workload.go +++ b/internal/pkg/workload/workload.go @@ -77,12 +77,15 @@ func GetRegisteredWorkloads(ctx context.Context, kubeConfig string, kubeContext // GetUnregisteredWorkloads will discover workloads in a Kubernetes cluster that are not (yet) registered func GetUnregisteredWorkloads(ctx context.Context, kubeCfgFile string, kubeContext string, secretDiscovery bool, checkSpire bool) ([]Workload, error) { // Includes the initial Kubernetes namespaces. - ignoredNamespaces := map[string]int{ - "kube-node-lease": 1, - "kube-public": 2, - "kube-system": 3, - "local-path-storage": 4, - "spire": 5, + ignoredNamespaces := map[string]bool{ + "kube-node-lease": true, + "kube-public": true, + "kube-system": true, + "local-path-storage": true, + "spire": true, + "spire-server": true, + "spire-system": true, + "spire-mgmt": true, } client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeCfgFile, kubeContext) diff --git a/pkg/provider/helm/helm.go b/pkg/provider/helm/helm.go index f31b597..28bbf27 100644 --- a/pkg/provider/helm/helm.go +++ b/pkg/provider/helm/helm.go @@ -34,7 +34,8 @@ const ( SPIRECRDsChartName = "spire-crds" SPIRECRDsChartVersion = "0.4.0" - SPIRENamespace = "spire" + // Kubernetes namespace in which Helm charts and CRDs will be installed. + SPIREManagementNamespace = "spire-mgmt" ) // Type assertion that HelmSPIREProvider implements the Provider interface. @@ -261,7 +262,7 @@ func newInstall(cfg *action.Configuration, chart string, version string) *action install := action.NewInstall(cfg) install.Version = version install.ReleaseName = chart - install.Namespace = SPIRENamespace + install.Namespace = SPIREManagementNamespace install.CreateNamespace = true return install } 
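Review bot: The `ignoredNamespaces` literal in `GetUnregisteredWorkloads` now hard-codes `spire-server`, `spire-system` and `spire-mgmt`, the same names that `pkg/provider/helm/helm.go` (`SPIREManagementNamespace`), `pkg/spire/spire.go` (`serverNamespace`, `agentNamespace`), `pkg/spire/spire_test.go` and the scripts under `tests/integration` each spell out independently. A rename in one place would silently leave the others stale; a single exported set of namespace constants the other packages import (import-cycle permitting, which I cannot check from here) would keep them in step. Separately, since the map is only used as a set, `map[string]struct{}` with a `_, ok :=` lookup is the usual Go idiom, although `map[string]bool` is fine if the body reads it as `if ignoredNamespaces[ns]`. The function body that consults the map continues past this hunk.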
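Review bot: The doc comment added above `SPIREManagementNamespace` does not start with the identifier, which is the Go convention that godoc and the usual linters key on: `// SPIREManagementNamespace is the Kubernetes namespace into which the SPIRE Helm charts and CRDs are installed.` Renaming the exported `SPIRENamespace` in a `pkg/` package is also a breaking change for any external importer; a deprecated alias would be misleading here because the value changed meaning, so the rename is best called out in the release notes instead.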
@@ -308,7 +309,7 @@ func installChart(ctx context.Context, cfg *action.Configuration, client *action func newUpgrade(cfg *action.Configuration, version string) *action.Upgrade { upgrade := action.NewUpgrade(cfg) - upgrade.Namespace = SPIRENamespace + upgrade.Namespace = SPIREManagementNamespace upgrade.Version = version upgrade.ReuseValues = true return upgrade diff --git a/pkg/provider/helm/values.go b/pkg/provider/helm/values.go index e7f537c..bf05131 100644 --- a/pkg/provider/helm/values.go +++ b/pkg/provider/helm/values.go @@ -23,18 +23,25 @@ type HelmValuesGenerator struct { type globalValues struct { deleteHooks bool installAndUpgradeHooksEnabled bool + spireCASubject caSubject spireClusterName string - spireCreateRecommendations bool spireJwtIssuer string + spireNamespacesCreate bool + spireRecommendationsEnabled bool spireTrustDomain string } +type caSubject struct { + commonName string + country string + organization string +} + type spireAgentValues struct { - agentConfig trustprovider.TrustProviderAgentConfig - fullnameOverride string - logLevel string - sdsConfig map[string]any - spireServerAddress string + agentConfig trustprovider.TrustProviderAgentConfig + fullnameOverride string + logLevel string + sdsConfig map[string]any } type spireServerValues struct { @@ -72,9 +79,15 @@ func (g *HelmValuesGenerator) GenerateValues() (map[string]any, error) { } gv := globalValues{ + spireCASubject: caSubject{ + commonName: "cofide.io", + country: "UK", + organization: "Cofide", + }, spireClusterName: g.trustZone.GetKubernetesCluster(), - spireCreateRecommendations: true, spireJwtIssuer: g.trustZone.GetJwtIssuer(), + spireNamespacesCreate: true, + spireRecommendationsEnabled: true, spireTrustDomain: g.trustZone.TrustDomain, installAndUpgradeHooksEnabled: false, deleteHooks: false, 
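Review bot: The CA subject in `GenerateValues` is hard-coded to `commonName: "cofide.io"`, `country: "UK"`, `organization: "Cofide"` for every trust zone, so each deployment's SPIRE CA is issued under the vendor's identity unless the operator knows to override `global.spire.caSubject` through extra Helm values. If `country` is meant as an X.509 countryName, the ISO 3166-1 alpha-2 code for the United Kingdom is `GB`; `UK` is only a reserved code and some validators reject it. Consider deriving `commonName` from `g.trustZone.TrustDomain` or exposing the subject in the trust-zone configuration, and at minimum add a comment where `gv` is built stating that these are placeholder defaults meant to be overridden. `GenerateValues` starts and ends outside this hunk.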
@@ -91,11 +104,10 @@ func (g *HelmValuesGenerator) GenerateValues() (map[string]any, error) { } sav := spireAgentValues{ - fullnameOverride: "spire-agent", - logLevel: "DEBUG", - agentConfig: tp.AgentConfig, - sdsConfig: sdsConfig, - spireServerAddress: "spire-server.spire", + fullnameOverride: "spire-agent", + logLevel: "DEBUG", + agentConfig: tp.AgentConfig, + sdsConfig: sdsConfig, } spireAgentValues, err := sav.generateValues() if err != nil { @@ -242,9 +254,13 @@ func (g *globalValues) generateValues() (map[string]any, error) { values := map[string]any{ "global": map[string]any{ "spire": map[string]any{ + "caSubject": g.spireCASubject.generateValues(), "clusterName": g.spireClusterName, + "namespaces": map[string]any{ + "create": g.spireNamespacesCreate, + }, "recommendations": map[string]any{ - "create": g.spireCreateRecommendations, + "enabled": g.spireRecommendationsEnabled, }, "trustDomain": g.spireTrustDomain, }, @@ -274,6 +290,15 @@ func (g *globalValues) generateValues() (map[string]any, error) { return values, nil } +// generateValues generates the global.spire.caSubject Helm values map. +func (c *caSubject) generateValues() map[string]any { + return map[string]any{ + "country": c.country, + "organization": c.organization, + "commonName": c.commonName, + } +} + // generateValues generates the spire-agent Helm values map. func (s *spireAgentValues) generateValues() (map[string]any, error) { if s.fullnameOverride == "" { 
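Review bot: `caSubject.generateValues` emits whatever the struct holds, so a zero-value `caSubject` renders `commonName`, `country` and `organization` as empty strings (the expectations in `TestGlobalValues_GenerateValues` show exactly that), which would plausibly override the chart's own subject defaults with empty fields rather than leaving them unset. The sibling generators in this file return an error for empty required fields (`if s.fullnameOverride == "" { return nil, fmt.Errorf(...) }`), so for consistency either validate here, `if c.commonName == "" { return nil, fmt.Errorf("caSubject.commonName value is empty") }` with a `(map[string]any, error)` signature and a matching error check at the call site in `globalValues.generateValues`, or omit empty keys from the map. The pointer receiver on a three-string value type called through a struct field also reads more naturally as a value receiver.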
@@ -308,23 +333,16 @@ func (s *spireAgentValues) generateValues() (map[string]any, error) { return nil, fmt.Errorf("agentConfig.WorkloadAttestorConfig value is empty") } - if s.spireServerAddress == "" { - return nil, fmt.Errorf("spireServerAddress value is empty") - } - return map[string]any{ "spire-agent": map[string]any{ "fullnameOverride": s.fullnameOverride, "logLevel": s.logLevel, "nodeAttestor": map[string]any{ s.agentConfig.NodeAttestor: map[string]any{ - "enabled": s.agentConfig.NodeAttestorEnabled, + "enabled": true, }, }, "sds": s.sdsConfig, - "server": map[string]any{ - "address": s.spireServerAddress, - }, "workloadAttestors": map[string]any{ s.agentConfig.WorkloadAttestor: s.agentConfig.WorkloadAttestorConfig, }, diff --git a/pkg/provider/helm/values_test.go b/pkg/provider/helm/values_test.go index 58296e4..e2e0133 100644 --- a/pkg/provider/helm/values_test.go +++ b/pkg/provider/helm/values_test.go @@ -46,10 +46,18 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) { "enabled": false, }, "spire": Values{ + "caSubject": Values{ + "commonName": "cofide.io", + "country": "UK", + "organization": "Cofide", + }, "clusterName": "local1", - "recommendations": Values{ + "namespaces": Values{ "create": true, }, + "recommendations": Values{ + "enabled": true, + }, "trustDomain": "td1", }, }, @@ -73,16 +81,10 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) { "defaultBundleName": "ROOTCA", "defaultAllBundlesName": "ALL", }, - "server": Values{ - "address": "spire-server.spire", - }, "workloadAttestors": Values{ "k8s": Values{ - "disableContainerSelectors": true, - "enabled": true, - "skipKubeletVerification": true, - "useNewContainerLocator": false, - "verboseContainerLocatorLogs": false, + "disableContainerSelectors": true, + "enabled": true, }, }, }, 
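Review bot: Removing the `server.address` key from the spire-agent values means the agent now relies on the chart's default server address, and with the server in `spire-server` and the agent in `spire-system` that default has to resolve across namespaces; nothing in the diff asserts that it does, so a comment where the map is built, `// server.address is left to the chart default, which must resolve to the spire-server namespace.`, would record the dependency. The literal `"enabled": true` under `nodeAttestor` replaces the removed `NodeAttestorEnabled` field; a one-line comment that the attestor named by `s.agentConfig.NodeAttestor` is always enabled would save the next reader a trip to the history. `spireAgentValues.generateValues` starts before this hunk and its map literal continues past it.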
@@ -104,15 +106,8 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) { "logLevel": "DEBUG", "nodeAttestor": Values{ "k8sPsat": Values{ - "allowedNodeLabelKeys": []string{}, - "allowedPodLabelKeys": []string{}, - "audience": []string{ - "spire-server", - }, - "enabled": true, - "serviceAccountAllowList": []string{ - "spire:spire-agent", - }, + "audience": []string{"spire-server"}, + "enabled": true, }, }, "service": Values{ @@ -133,13 +128,18 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) { "enabled": false, }, "spire": Values{ + "caSubject": Values{ + "country": "UK", + "organization": "acme-org", + "commonName": "cn.example.com", + }, "clusterName": "local1", "jwtIssuer": "https://tz1.example.com", "namespaces": Values{ "create": true, }, "recommendations": Values{ - "create": true, + "enabled": true, }, "trustDomain": "td1", }, @@ -164,16 +164,10 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) { "defaultBundleName": "ROOTCA", "defaultAllBundlesName": "ALL", }, - "server": Values{ - "address": "spire-server.spire", - }, "workloadAttestors": Values{ "k8s": Values{ - "disableContainerSelectors": true, - "enabled": true, - "skipKubeletVerification": true, - "useNewContainerLocator": false, - "verboseContainerLocatorLogs": false, + "disableContainerSelectors": true, + "enabled": true, }, }, }, @@ -216,17 +210,11 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) { }, "fullnameOverride": "spire-server", "logLevel": "INFO", + "nameOverride": "custom-server-name", "nodeAttestor": Values{ "k8sPsat": Values{ - "allowedNodeLabelKeys": []string{}, - "allowedPodLabelKeys": []string{}, - "audience": []string{ - "spire-server", - }, - "enabled": true, - "serviceAccountAllowList": []string{ - "spire:spire-agent", - }, + "audience": []string{"spire-server"}, + "enabled": true, }, }, "service": Values{ 
@@ -247,10 +235,18 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) { "enabled": false, }, "spire": Values{ + "caSubject": Values{ + "commonName": "cofide.io", + "country": "UK", + "organization": "Cofide", + }, "clusterName": "local4", - "recommendations": Values{ + "namespaces": Values{ "create": true, }, + "recommendations": Values{ + "enabled": true, + }, "trustDomain": "td4", }, }, @@ -274,16 +270,10 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) { "defaultBundleName": "null", "defaultAllBundlesName": "ROOTCA", }, - "server": Values{ - "address": "spire-server.spire", - }, "workloadAttestors": Values{ "k8s": Values{ - "disableContainerSelectors": true, - "enabled": true, - "skipKubeletVerification": true, - "useNewContainerLocator": false, - "verboseContainerLocatorLogs": false, + "disableContainerSelectors": true, + "enabled": true, }, }, }, @@ -305,15 +295,8 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) { "logLevel": "DEBUG", "nodeAttestor": Values{ "k8sPsat": Values{ - "allowedNodeLabelKeys": []string{}, - "allowedPodLabelKeys": []string{}, - "audience": []string{ - "spire-server", - }, - "enabled": true, - "serviceAccountAllowList": []string{ - "spire:spire-agent", - }, + "audience": []string{"spire-server"}, + "enabled": true, }, }, "service": Values{ @@ -385,10 +368,18 @@ func TestHelmValuesGenerator_GenerateValues_AdditionalValues(t *testing.T) { "enabled": false, }, "spire": Values{ + "caSubject": Values{ + "commonName": "cofide.io", + "country": "UK", + "organization": "Cofide", + }, "clusterName": "local1", - "recommendations": Values{ + "namespaces": Values{ "create": true, }, + "recommendations": Values{ + "enabled": true, + }, "trustDomain": "td1", }, }, 
@@ -412,16 +403,10 @@ func TestHelmValuesGenerator_GenerateValues_AdditionalValues(t *testing.T) { "defaultBundleName": "ROOTCA", "defaultAllBundlesName": "ALL", }, - "server": Values{ - "address": "spire-server.spire", - }, "workloadAttestors": Values{ "k8s": Values{ - "disableContainerSelectors": true, - "enabled": true, - "skipKubeletVerification": true, - "useNewContainerLocator": false, - "verboseContainerLocatorLogs": false, + "disableContainerSelectors": true, + "enabled": true, }, }, }, @@ -452,15 +437,8 @@ func TestHelmValuesGenerator_GenerateValues_AdditionalValues(t *testing.T) { "logLevel": "DEBUG", "nodeAttestor": Values{ "k8sPsat": Values{ - "allowedNodeLabelKeys": []string{}, - "allowedPodLabelKeys": []string{}, - "audience": []string{ - "spire-server", - }, - "enabled": true, - "serviceAccountAllowList": []string{ - "spire:spire-agent", - }, + "audience": []string{"spire-server"}, + "enabled": true, }, }, "service": Values{ @@ -972,10 +950,18 @@ func TestGlobalValues_GenerateValues(t *testing.T) { want: map[string]any{ "global": map[string]any{ "spire": map[string]any{ + "caSubject": Values{ + "commonName": "", + "country": "", + "organization": "", + }, "clusterName": "local1", - "recommendations": map[string]any{ + "namespaces": Values{ "create": false, }, + "recommendations": map[string]any{ + "enabled": false, + }, "trustDomain": "td1", }, "installAndUpgradeHooks": map[string]any{ @@ -998,10 +984,18 @@ func TestGlobalValues_GenerateValues(t *testing.T) { want: map[string]any{ "global": map[string]any{ "spire": map[string]any{ + "caSubject": Values{ + "commonName": "", + "country": "", + "organization": "", + }, "clusterName": "local1", - "recommendations": map[string]any{ + "namespaces": Values{ "create": false, }, + "recommendations": map[string]any{ + "enabled": false, + }, "trustDomain": "td1", }, "installAndUpgradeHooks": map[string]any{ 
@@ -1024,11 +1018,19 @@ func TestGlobalValues_GenerateValues(t *testing.T) { want: map[string]any{ "global": map[string]any{ "spire": map[string]any{ + "caSubject": Values{ + "commonName": "", + "country": "", + "organization": "", + }, "clusterName": "local1", "jwtIssuer": "https://tz1.example.com", - "recommendations": map[string]any{ + "namespaces": Values{ "create": false, }, + "recommendations": map[string]any{ + "enabled": false, + }, "trustDomain": "td1", }, "installAndUpgradeHooks": map[string]any{ @@ -1079,17 +1081,12 @@ func TestSpireAgentValues_GenerateValues(t *testing.T) { fullnameOverride: "spire-agent", logLevel: "DEBUG", agentConfig: trustprovider.TrustProviderAgentConfig{ - WorkloadAttestor: "k8s", - WorkloadAttestorEnabled: true, + WorkloadAttestor: "k8s", WorkloadAttestorConfig: map[string]any{ - "enabled": true, - "skipKubeletVerification": true, - "disableContainerSelectors": true, - "useNewContainerLocator": false, - "verboseContainerLocatorLogs": false, - }, - NodeAttestor: "k8sPsat", - NodeAttestorEnabled: true, + "enabled": true, + "disableContainerSelectors": true, + }, + NodeAttestor: "k8sPsat", }, sdsConfig: map[string]any{ "enabled": true, @@ -1097,7 +1094,6 @@ func TestSpireAgentValues_GenerateValues(t *testing.T) { "defaultBundleName": "ROOTCA", "defaultAllBundlesName": "ALL", }, - spireServerAddress: "spire-server.spire", }, want: map[string]any{ "spire-agent": map[string]any{ @@ -1114,16 +1110,10 @@ func TestSpireAgentValues_GenerateValues(t *testing.T) { "defaultBundleName": "ROOTCA", "defaultAllBundlesName": "ALL", }, - "server": map[string]any{ - "address": "spire-server.spire", - }, "workloadAttestors": map[string]any{ "k8s": map[string]any{ - "enabled": true, - "skipKubeletVerification": true, - "disableContainerSelectors": true, - "useNewContainerLocator": false, - "verboseContainerLocatorLogs": false, + "enabled": true, + "disableContainerSelectors": true, }, }, }, 
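Review bot: The `want` literals in `TestGlobalValues_GenerateValues` now mix `Values{...}` for `caSubject` and `namespaces` with `map[string]any{...}` for `recommendations` inside the same parent map, while `globalValues.generateValues` builds plain `map[string]any` values. If `Values` is a defined type rather than a type alias, a `reflect.DeepEqual`-style comparison distinguishes the two and these cases would only pass by virtue of how the assertion is written; I cannot see the definition of `Values` or the comparison helper from here. Using one form consistently, `"caSubject": map[string]any{`, removes the doubt. The same mix appears in the two preceding hunks of this file.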
@@ -1135,17 +1125,12 @@ func TestSpireAgentValues_GenerateValues(t *testing.T) { input: spireAgentValues{ fullnameOverride: "spire-agent", agentConfig: trustprovider.TrustProviderAgentConfig{ - WorkloadAttestor: "k8s", - WorkloadAttestorEnabled: true, + WorkloadAttestor: "k8s", WorkloadAttestorConfig: map[string]any{ - "enabled": true, - "skipKubeletVerification": true, - "disableContainerSelectors": true, - "useNewContainerLocator": false, - "verboseContainerLocatorLogs": false, - }, - NodeAttestor: "k8sPsat", - NodeAttestorEnabled: true, + "enabled": true, + "disableContainerSelectors": true, + }, + NodeAttestor: "k8sPsat", }, sdsConfig: map[string]any{ "enabled": true, @@ -1153,7 +1138,6 @@ func TestSpireAgentValues_GenerateValues(t *testing.T) { "defaultBundleName": "ROOTCA", "defaultAllBundlesName": "ALL", }, - spireServerAddress: "spire-server.spire", }, want: nil, wantErr: true, @@ -1165,11 +1149,9 @@ func TestSpireAgentValues_GenerateValues(t *testing.T) { fullnameOverride: "spire-agent", logLevel: "DEBUG", agentConfig: trustprovider.TrustProviderAgentConfig{ - WorkloadAttestor: "k8s", - WorkloadAttestorEnabled: true, - WorkloadAttestorConfig: map[string]any{}, - NodeAttestor: "k8sPsat", - NodeAttestorEnabled: true, + WorkloadAttestor: "k8s", + WorkloadAttestorConfig: map[string]any{}, + NodeAttestor: "k8sPsat", }, sdsConfig: map[string]any{ "enabled": true, @@ -1177,7 +1159,6 @@ func TestSpireAgentValues_GenerateValues(t *testing.T) { "defaultBundleName": "ROOTCA", "defaultAllBundlesName": "ALL", }, - spireServerAddress: "spire-server.spire", }, want: nil, wantErr: true, 
@@ -1189,17 +1170,12 @@ func TestSpireAgentValues_GenerateValues(t *testing.T) { fullnameOverride: "spire-agent", logLevel: "DEBUG", agentConfig: trustprovider.TrustProviderAgentConfig{ - WorkloadAttestor: "", - WorkloadAttestorEnabled: true, + WorkloadAttestor: "", WorkloadAttestorConfig: map[string]any{ - "enabled": true, - "skipKubeletVerification": true, - "disableContainerSelectors": true, - "useNewContainerLocator": false, - "verboseContainerLocatorLogs": false, - }, - NodeAttestor: "k8sPsat", - NodeAttestorEnabled: true, + "enabled": true, + "disableContainerSelectors": true, + }, + NodeAttestor: "k8sPsat", }, sdsConfig: map[string]any{ "enabled": true, @@ -1207,7 +1183,6 @@ func TestSpireAgentValues_GenerateValues(t *testing.T) { "defaultBundleName": "ROOTCA", "defaultAllBundlesName": "ALL", }, - spireServerAddress: "spire-server.spire", }, want: nil, wantErr: true, @@ -1219,20 +1194,14 @@ func TestSpireAgentValues_GenerateValues(t *testing.T) { fullnameOverride: "spire-agent", logLevel: "DEBUG", agentConfig: trustprovider.TrustProviderAgentConfig{ - WorkloadAttestor: "", - WorkloadAttestorEnabled: true, + WorkloadAttestor: "", WorkloadAttestorConfig: map[string]any{ - "enabled": true, - "skipKubeletVerification": true, - "disableContainerSelectors": true, - "useNewContainerLocator": false, - "verboseContainerLocatorLogs": false, - }, - NodeAttestor: "k8sPsat", - NodeAttestorEnabled: true, + "enabled": true, + "disableContainerSelectors": true, + }, + NodeAttestor: "k8sPsat", }, - sdsConfig: map[string]any{}, - spireServerAddress: "spire-server.spire", + sdsConfig: map[string]any{}, }, want: nil, wantErr: true, 
@@ -1244,20 +1213,14 @@ func TestSpireAgentValues_GenerateValues(t *testing.T) { fullnameOverride: "spire-agent", logLevel: "DEBUG", agentConfig: trustprovider.TrustProviderAgentConfig{ - WorkloadAttestor: "", - WorkloadAttestorEnabled: true, + WorkloadAttestor: "", WorkloadAttestorConfig: map[string]any{ - "enabled": true, - "skipKubeletVerification": true, - "disableContainerSelectors": true, - "useNewContainerLocator": false, - "verboseContainerLocatorLogs": false, - }, - NodeAttestor: "k8sPsat", - NodeAttestorEnabled: true, + "enabled": true, + "disableContainerSelectors": true, + }, + NodeAttestor: "k8sPsat", }, - sdsConfig: nil, - spireServerAddress: "spire-server.spire", + sdsConfig: nil, }, want: nil, wantErr: true, @@ -1296,14 +1259,10 @@ func TestSpireServerValues_GenerateValues(t *testing.T) { fullnameOverride: "spire-server", logLevel: "DEBUG", serverConfig: trustprovider.TrustProviderServerConfig{ - NodeAttestor: "k8sPsat", - NodeAttestorEnabled: true, + NodeAttestor: "k8sPsat", NodeAttestorConfig: map[string]any{ - "enabled": true, - "serviceAccountAllowList": []string{"spire:spire-agent"}, - "audience": []string{"spire-server"}, - "allowedNodeLabelKeys": []string{}, - "allowedPodLabelKeys": []string{}, + "enabled": true, + "audience": []string{"spire-server"}, }, }, serviceType: "LoadBalancer", @@ -1320,15 +1279,8 @@ func TestSpireServerValues_GenerateValues(t *testing.T) { "logLevel": "DEBUG", "nodeAttestor": Values{ "k8sPsat": Values{ - "allowedNodeLabelKeys": []string{}, - "allowedPodLabelKeys": []string{}, - "audience": []string{ - "spire-server", - }, - "enabled": true, - "serviceAccountAllowList": []string{ - "spire:spire-agent", - }, + "audience": []string{"spire-server"}, + "enabled": true, }, }, "service": map[string]any{ 
@@ -1360,14 +1312,11 @@ func TestSpireServerValues_GenerateValues(t *testing.T) { fullnameOverride: "spire-server", logLevel: "DEBUG", serverConfig: trustprovider.TrustProviderServerConfig{ - NodeAttestor: "k8sPsat", - NodeAttestorEnabled: true, + NodeAttestor: "k8sPsat", + //NodeAttestorEnabled: true, NodeAttestorConfig: map[string]any{ - "enabled": true, - "serviceAccountAllowList": []string{"spire:spire-agent"}, - "audience": []string{"spire-server"}, - "allowedNodeLabelKeys": []string{}, - "allowedPodLabelKeys": []string{}, + "enabled": true, + "audience": []string{"spire-server"}, }, }, serviceType: "", @@ -1386,9 +1335,9 @@ func TestSpireServerValues_GenerateValues(t *testing.T) { fullnameOverride: "spire-server", logLevel: "DEBUG", serverConfig: trustprovider.TrustProviderServerConfig{ - NodeAttestor: "k8sPsat", - NodeAttestorEnabled: true, - NodeAttestorConfig: map[string]any{}, + NodeAttestor: "k8sPsat", + //NodeAttestorEnabled: true, + NodeAttestorConfig: map[string]any{}, }, serviceType: "", }, diff --git a/pkg/spire/spire.go b/pkg/spire/spire.go index 52c2848..7e1d011 100644 --- a/pkg/spire/spire.go +++ b/pkg/spire/spire.go @@ -24,14 +24,16 @@ import ( ) const ( - namespace = "spire" + serverNamespace = "spire-server" serverStatefulsetName = "spire-server" serverPodName = "spire-server-0" serverContainerName = "spire-server" serverServiceName = "spire-server" serverExecutable = "/opt/spire/bin/spire-server" scmContainerName = "spire-controller-manager" - agentDaemonSetName = "spire-agent" + + agentNamespace = "spire-system" + agentDaemonSetName = "spire-agent" ) // ServerStatus contains status information about a running SPIRE server cluster. 
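Review bot: The two `//NodeAttestorEnabled: true,` lines left in the `TestSpireServerValues_GenerateValues` inputs are commented-out code for a field this commit removes from `TrustProviderServerConfig`, and they suggest to the next reader that the field still exists somewhere. Delete both lines rather than keeping them; the other test cases in this file were cleaned up without leaving such remnants. Both occurrences are in the last two hunks of this file.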
@@ -80,7 +82,7 @@ func GetServerStatus(ctx context.Context, client *kubeutil.Client) (*ServerStatu func getServerStatefulSet(ctx context.Context, client *kubeutil.Client) (*appsv1.StatefulSet, error) { return client.Clientset.AppsV1(). - StatefulSets(namespace). + StatefulSets(serverNamespace). Get(ctx, serverStatefulsetName, metav1.GetOptions{}) } @@ -88,7 +90,7 @@ func getPodsForStatefulSet(ctx context.Context, client *kubeutil.Client, statefu set := labels.Set(statefulset.Spec.Selector.MatchLabels) listOptions := metav1.ListOptions{LabelSelector: set.AsSelector().String()} return client.Clientset.CoreV1(). - Pods(namespace). + Pods(serverNamespace). List(ctx, listOptions) } @@ -210,7 +212,7 @@ func addAgentK8sStatus(ctx context.Context, client *kubeutil.Client, agents []Ag func getAgentDaemonSet(ctx context.Context, client *kubeutil.Client) (*appsv1.DaemonSet, error) { return client.Clientset.AppsV1(). - DaemonSets(namespace). + DaemonSets(agentNamespace). Get(ctx, agentDaemonSetName, metav1.GetOptions{}) } @@ -218,7 +220,7 @@ func getPodsforDaemonSet(ctx context.Context, client *kubeutil.Client, daemonset set := labels.Set(daemonset.Spec.Selector.MatchLabels) listOptions := metav1.ListOptions{LabelSelector: set.AsSelector().String()} return client.Clientset.CoreV1(). - Pods(namespace). + Pods(agentNamespace). List(ctx, listOptions) } @@ -343,7 +345,7 @@ func GetBundle(ctx context.Context, client *kubeutil.Client) (string, error) { func createPodWatcher(ctx context.Context, client *kubeutil.Client) (watch.Interface, error) { watchFunc := func(opts metav1.ListOptions) (watch.Interface, error) { timeout := int64(120) - return client.Clientset.CoreV1().Pods(namespace).Watch(ctx, metav1.ListOptions{ + return client.Clientset.CoreV1().Pods(serverNamespace).Watch(ctx, metav1.ListOptions{ FieldSelector: fmt.Sprintf("metadata.name=%s", serverPodName), TimeoutSeconds: &timeout, }) 
@@ -360,7 +362,7 @@ func createPodWatcher(ctx context.Context, client *kubeutil.Client) (watch.Inter func createServiceWatcher(ctx context.Context, client *kubeutil.Client) (watch.Interface, error) { watchFunc := func(opts metav1.ListOptions) (watch.Interface, error) { timeout := int64(120) - return client.Clientset.CoreV1().Services(namespace).Watch(ctx, metav1.ListOptions{ + return client.Clientset.CoreV1().Services(serverNamespace).Watch(ctx, metav1.ListOptions{ FieldSelector: fmt.Sprintf("metadata.name=%s", serverServiceName), TimeoutSeconds: &timeout, }) diff --git a/pkg/spire/spire_server_cli.go b/pkg/spire/spire_server_cli.go index eb6293d..1dd9580 100644 --- a/pkg/spire/spire_server_cli.go +++ b/pkg/spire/spire_server_cli.go @@ -35,7 +35,7 @@ func execInServerContainer(ctx context.Context, client *kubeutil.Client, command client.Clientset, client.RestConfig, serverPodName, - namespace, + serverNamespace, serverContainerName, command, stdin, diff --git a/pkg/spire/spire_server_cli_test.go b/pkg/spire/spire_server_cli_test.go index 8074422..074f076 100644 --- a/pkg/spire/spire_server_cli_test.go +++ b/pkg/spire/spire_server_cli_test.go @@ -35,7 +35,7 @@ var oneAgentList = `{ }, { "type": "k8s_psat", - "value": "agent_ns:spire" + "value": "agent_ns:spire-system" }, { "type": "k8s_psat", diff --git a/pkg/spire/spire_test.go b/pkg/spire/spire_test.go index 3f36cc1..1fde911 100644 --- a/pkg/spire/spire_test.go +++ b/pkg/spire/spire_test.go @@ -36,7 +36,7 @@ func TestGetServerStatus(t *testing.T) { ), ) _, err := clientSet.AppsV1(). - StatefulSets("spire"). + StatefulSets("spire-server"). Apply(ctx, ssConfig, metav1.ApplyOptions{}) if err != nil { t.Fatalf("failed to create statefulset: %v", err) @@ -59,7 +59,7 @@ func TestGetServerStatus(t *testing.T) { ), ) _, err = clientSet.CoreV1(). - Pods("spire"). + Pods("spire-server"). Apply(ctx, podConfig, metav1.ApplyOptions{}) if err != nil { t.Fatalf("failed to create pod: %v", err) 
@@ -104,7 +104,7 @@ func Test_addAgentK8sStatus(t *testing.T) { WithNumberReady(1), ) _, err := clientSet.AppsV1(). - DaemonSets("spire"). + DaemonSets("spire-system"). Apply(ctx, dsConfig, metav1.ApplyOptions{}) if err != nil { t.Fatalf("failed to create daemonset: %v", err) @@ -125,7 +125,7 @@ func Test_addAgentK8sStatus(t *testing.T) { ), ) _, err = clientSet.CoreV1(). - Pods("spire"). + Pods("spire-system"). Apply(ctx, podConfig, metav1.ApplyOptions{}) if err != nil { t.Fatalf("failed to create pod: %v", err) @@ -146,7 +146,7 @@ func Test_addAgentK8sStatus(t *testing.T) { ), ) _, err = clientSet.CoreV1(). - Pods("spire"). + Pods("spire-system"). Apply(ctx, podConfig, metav1.ApplyOptions{}) if err != nil { t.Fatalf("failed to create pod: %v", err) diff --git a/tests/integration/federation/test.sh b/tests/integration/federation/test.sh index 0158740..a549f68 100755 --- a/tests/integration/federation/test.sh +++ b/tests/integration/federation/test.sh @@ -5,6 +5,8 @@ set -euxo pipefail +source $(dirname $(dirname $BASH_SOURCE))/lib.sh + DATA_SOURCE_PLUGIN=${DATA_SOURCE_PLUGIN:-} PROVISION_PLUGIN=${PROVISION_PLUGIN:-} @@ -65,6 +67,14 @@ function up() { ./cofidectl up } +function check_spire() { + for context in $K8S_CLUSTER_1_CONTEXT $K8S_CLUSTER_2_CONTEXT; do + check_spire_server $context + check_spire_agents $context + check_spire_csi_driver $context + done +} + function list_resources() { ./cofidectl trust-zone list ./cofidectl attestation-policy list 
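Review bot: The new `source $(dirname $(dirname $BASH_SOURCE))/lib.sh` line and the `for context in $K8S_CLUSTER_1_CONTEXT $K8S_CLUSTER_2_CONTEXT` loop in `check_spire` leave their expansions unquoted, so a script path or context name containing whitespace or glob characters would be split or expanded under `set -euxo pipefail`. `source "$(dirname "$(dirname "${BASH_SOURCE[0]}")")/lib.sh"` and `check_spire_server "$context"` are the robust forms. The same unquoted `source` line and `$K8S_CLUSTER_CONTEXT` arguments are added in `tests/integration/single-trust-zone/test.sh`.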
@@ -130,9 +140,9 @@ function show_workload_status() { } function teardown_federation_and_verify() { - kubectl --context $K8S_CLUSTER_2_CONTEXT delete clusterspiffeids.spire.spiffe.io spire-spire-namespace - kubectl exec --context $K8S_CLUSTER_2_CONTEXT -n spire spire-server-0 -- /opt/spire/bin/spire-server federation delete -id td1 - kubectl exec --context $K8S_CLUSTER_2_CONTEXT -n spire spire-server-0 -- /opt/spire/bin/spire-server bundle delete -id td1 + kubectl --context $K8S_CLUSTER_2_CONTEXT delete clusterspiffeids.spire.spiffe.io spire-mgmt-spire-namespace + kubectl exec --context $K8S_CLUSTER_2_CONTEXT -n spire-server spire-server-0 -- /opt/spire/bin/spire-server federation delete -id td1 + kubectl exec --context $K8S_CLUSTER_2_CONTEXT -n spire-server spire-server-0 -- /opt/spire/bin/spire-server bundle delete -id td1 federations=$(./cofidectl federation list) if ! echo "$federations" | grep "Unhealthy | No bundle found" >/dev/null; then return 1 @@ -148,6 +158,7 @@ function main() { check_init configure up + check_spire list_resources show_config show_status diff --git a/tests/integration/lib.sh b/tests/integration/lib.sh new file mode 100644 index 0000000..6bbe644 --- /dev/null +++ b/tests/integration/lib.sh 
@@ -0,0 +1,25 @@ +# This file provides common library functions for use by integration tests. + +function check_spire_server() { + local context=${1:?Spire server k8s context} + if ! kubectl --context $context -n spire-server get statefulsets spire-server; then + echo "Server statefulset not found" + return 1 + fi +} + +function check_spire_agents() { + local context=${1:?Spire agent k8s context} + if ! kubectl --context $context -n spire-system get daemonsets spire-agent; then + echo "Agent daemonset not found" + return 1 + fi +} + +function check_spire_csi_driver() { + local context=${1:?Spire CSI k8s context} + if ! kubectl --context $context -n spire-system get csidrivers.storage.k8s.io csi.spiffe.io; then + echo "CSI driver not found" + return 1 + fi +} diff --git a/tests/integration/single-trust-zone/test.sh b/tests/integration/single-trust-zone/test.sh index 8de910a..490d5e7 100755 --- a/tests/integration/single-trust-zone/test.sh +++ b/tests/integration/single-trust-zone/test.sh @@ -5,6 +5,8 @@ set -euxo pipefail +source $(dirname $(dirname $BASH_SOURCE))/lib.sh + DATA_SOURCE_PLUGIN=${DATA_SOURCE_PLUGIN:-} PROVISION_PLUGIN=${PROVISION_PLUGIN:-} @@ -41,6 +43,12 @@ function up() { ./cofidectl up --quiet } +function check_spire() { + check_spire_server $K8S_CLUSTER_CONTEXT + check_spire_agents $K8S_CLUSTER_CONTEXT + check_spire_csi_driver $K8S_CLUSTER_CONTEXT +} + function list_resources() { ./cofidectl trust-zone list ./cofidectl attestation-policy list @@ -105,6 +113,7 @@ function main() { init configure up + check_spire list_resources show_config show_status
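Review bot: `check_spire_csi_driver` passes `-n spire-system` to `kubectl get csidrivers.storage.k8s.io csi.spiffe.io`, but CSIDriver is a cluster-scoped resource, so the namespace flag has no effect and misleads the reader into thinking the driver is namespaced; drop `-n spire-system` from that command. The failure messages in all three functions go to stdout via plain `echo`; `echo "CSI driver not found" >&2` keeps them out of any captured output. The `$context` expansions are unquoted in every `kubectl` call, and the `-n spire-server` / `-n spire-system` literals duplicate namespace names that the Go packages define separately.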