Merge pull request #53 from /issues/52
Check if trust zone is deployed in commands that exec into SPIRE server
markgoddard authored Dec 2, 2024
2 parents 109e756 + ae29fcb commit 5de2941
Showing 3 changed files with 46 additions and 6 deletions.
18 changes: 17 additions & 1 deletion cmd/cofidectl/cmd/federation/federation.go
Expand Up @@ -11,8 +11,9 @@ import (
trust_zone_proto "github.com/cofide/cofide-api-sdk/gen/go/proto/trust_zone/v1alpha1"
cmdcontext "github.com/cofide/cofidectl/cmd/cofidectl/cmd/context"

kubeutil "github.com/cofide/cofidectl/pkg/kube"
"github.com/cofide/cofidectl/internal/pkg/provider/helm"
"github.com/cofide/cofidectl/internal/pkg/spire"
kubeutil "github.com/cofide/cofidectl/pkg/kube"
"github.com/olekukonko/tablewriter"
"github.com/spf13/cobra"
)
Expand Down Expand Up @@ -118,6 +119,12 @@ func checkFederationStatus(ctx context.Context, kubeConfig string, from *trust_z
compare := make(map[*trust_zone_proto.TrustZone]bundles)

for _, tz := range []*trust_zone_proto.TrustZone{from, to} {
if deployed, err := isTrustZoneDeployed(ctx, tz); err != nil {
return "", err
} else if !deployed {
return "Inactive", nil
}

client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, tz.GetKubernetesContext())
if err != nil {
return "", err
Expand Down Expand Up @@ -148,6 +155,15 @@ func checkFederationStatus(ctx context.Context, kubeConfig string, from *trust_z
return "Healthy", nil
}

// isTrustZoneDeployed returns whether a trust zone has been deployed, i.e. whether a SPIRE Helm release has been installed.
func isTrustZoneDeployed(ctx context.Context, trustZone *trust_zone_proto.TrustZone) (bool, error) {
prov, err := helm.NewHelmSPIREProvider(ctx, trustZone, nil, nil)
if err != nil {
return false, err
}
return prov.CheckIfAlreadyInstalled()
}

var federationAddCmdDesc = `
This command will add a new federation to the Cofide configuration state.
`
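Review bot: isTrustZoneDeployed is added here with a body identical to the copy added in cmd/cofidectl/cmd/workload/workload.go in the same commit; a single helper in a shared package (the helm provider package or a common cmd helper) would keep the two command paths from drifting, and the same remark applies to the second file. The helper answers only whether the SPIRE Helm release is installed, which is not the same as the server pod being ready to exec into, so a release that is still rolling out would presumably still fail at the exec step; a note on the doc comment such as `// Note: an installed release does not guarantee the SPIRE server pod is ready.` would make that limit visible to callers. The error from helm.NewHelmSPIREProvider is returned bare, so when checkFederationStatus iterates both zones the caller cannot tell which one failed; wrapping it, e.g. `return false, fmt.Errorf("checking trust zone %s: %w", trustZone.GetName(), err)`, would fix that. The two nil arguments to NewHelmSPIREProvider are not explained on the page, so whether they are safe for a read-only status check is something to confirm against the provider.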
23 changes: 22 additions & 1 deletion cmd/cofidectl/cmd/workload/workload.go
Expand Up @@ -10,6 +10,7 @@ import (

trust_zone_proto "github.com/cofide/cofide-api-sdk/gen/go/proto/trust_zone/v1alpha1"
cmdcontext "github.com/cofide/cofidectl/cmd/cofidectl/cmd/context"
"github.com/cofide/cofidectl/internal/pkg/provider/helm"
"github.com/cofide/cofidectl/internal/pkg/workload"
"github.com/olekukonko/tablewriter"
"github.com/spf13/cobra"
Expand Down Expand Up @@ -111,6 +112,12 @@ func renderRegisteredWorkloads(ctx context.Context, kubeConfig string, trustZone
data := make([][]string, 0, len(trustZones))

for _, trustZone := range trustZones {
if deployed, err := isTrustZoneDeployed(ctx, trustZone); err != nil {
return err
} else if !deployed {
return fmt.Errorf("trust zone %s has not been deployed", trustZone.Name)
}

registeredWorkloads, err := workload.GetRegisteredWorkloads(ctx, kubeConfig, trustZone.GetKubernetesContext())
if err != nil {
return err
Expand Down Expand Up @@ -205,7 +212,12 @@ func renderUnregisteredWorkloads(ctx context.Context, kubeConfig string, trustZo
data := make([][]string, 0, len(trustZones))

for _, trustZone := range trustZones {
registeredWorkloads, err := workload.GetUnregisteredWorkloads(ctx, kubeConfig, trustZone.GetKubernetesContext(), includeSecrets)
deployed, err := isTrustZoneDeployed(ctx, trustZone)
if err != nil {
return err
}

registeredWorkloads, err := workload.GetUnregisteredWorkloads(ctx, kubeConfig, trustZone.GetKubernetesContext(), includeSecrets, deployed)
if err != nil {
return err
}
Expand Down Expand Up @@ -237,3 +249,12 @@ func renderUnregisteredWorkloads(ctx context.Context, kubeConfig string, trustZo

return nil
}

// isTrustZoneDeployed returns whether a trust zone has been deployed, i.e. whether a SPIRE Helm release has been installed.
func isTrustZoneDeployed(ctx context.Context, trustZone *trust_zone_proto.TrustZone) (bool, error) {
prov, err := helm.NewHelmSPIREProvider(ctx, trustZone, nil, nil)
if err != nil {
return false, err
}
return prov.CheckIfAlreadyInstalled()
}
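Review bot: The changed line `registeredWorkloads, err := workload.GetUnregisteredWorkloads(ctx, kubeConfig, trustZone.GetKubernetesContext(), includeSecrets, deployed)` keeps a variable name that says the opposite of what the call returns; since the line is being rewritten anyway, `unregisteredWorkloads, err := ...` would remove the contradiction, though its later uses are outside the hunk and would need the same rename. In renderRegisteredWorkloads the new error uses the raw field `trustZone.Name` while the next line uses the generated getter `trustZone.GetKubernetesContext()`; `trustZone.GetName()` is nil-safe and consistent with the surrounding code. The two renderers deliberately differ on an undeployed zone (an error here, a continued listing with deployed=false in renderUnregisteredWorkloads), which is reasonable but worth a one-line comment at the error, e.g. `// Registered workloads can only be listed from a running SPIRE server.`, so the asymmetry is not read as an oversight.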
11 changes: 7 additions & 4 deletions internal/pkg/workload/workload.go
Expand Up @@ -67,7 +67,7 @@ func GetRegisteredWorkloads(ctx context.Context, kubeConfig string, kubeContext
}

// GetUnregisteredWorkloads will discover workloads in a Kubernetes cluster that are not (yet) registered
func GetUnregisteredWorkloads(ctx context.Context, kubeCfgFile string, kubeContext string, secretDiscovery bool) ([]Workload, error) {
func GetUnregisteredWorkloads(ctx context.Context, kubeCfgFile string, kubeContext string, secretDiscovery bool, checkSpire bool) ([]Workload, error) {
// Includes the initial Kubernetes namespaces.
ignoredNamespaces := map[string]int{
"kube-node-lease": 1,
Expand All @@ -82,9 +82,12 @@ func GetUnregisteredWorkloads(ctx context.Context, kubeCfgFile string, kubeConte
return nil, err
}

registeredEntries, err := spire.GetRegistrationEntries(ctx, client)
if err != nil {
return nil, err
var registeredEntries map[string]*spire.RegisteredEntry
if checkSpire {
registeredEntries, err = spire.GetRegistrationEntries(ctx, client)
if err != nil {
return nil, err
}
}

pods, err := client.Clientset.CoreV1().Pods("").List(ctx, metav1.ListOptions{})
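Review bot: The doc comment on GetUnregisteredWorkloads is unchanged although the signature gained checkSpire, and nothing in the hunk states what a false value means for the result; with registeredEntries left as a nil map every lookup in the rest of the function presumably misses, so all discovered pods would be reported as unregistered. I would extend the comment to `// GetUnregisteredWorkloads will discover workloads in a Kubernetes cluster that are not (yet) registered. When checkSpire is false the SPIRE server is not queried and no workload is treated as registered.` Two adjacent bool parameters (`secretDiscovery bool, checkSpire bool`) also make the call site hard to read (`includeSecrets, deployed` in the caller); an options struct would be clearer if the list grows further. The remainder of the function, including where registeredEntries is consumed, is outside the hunk.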
