diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index eb29b438..6db39275 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -6,12 +6,12 @@ on:
 pull_request: {}
 workflow_dispatch: {}
 env:
- GO_VERSION: 1.19.4
+ GO_VERSION: 1.24.0
 CHANGE_MINIKUBE_NONE_USER: true
 TERM: xterm
 jobs:
 test-all:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-24.04
 timeout-minutes: 30
 steps:
 - name: Checkout
diff --git a/docker-compose/federation/README.md b/docker-compose/federation/README.md
index 8ea7b363..a4a69317 100644
--- a/docker-compose/federation/README.md
+++ b/docker-compose/federation/README.md
@@ -16,8 +16,8 @@ In this tutorial you will learn how to:
 The baseline components for SPIFFE federation are:
-* Two SPIRE Server instances running version 1.5.1.
-* Two SPIRE Agents running version 1.5.1. One connected to one SPIRE Server, and the second connected to the other SPIRE Server.
+* Two SPIRE Server instances running version 1.11.2.
+* Two SPIRE Agents running version 1.11.2. One connected to one SPIRE Server, and the second connected to the other SPIRE Server.
 * Two workloads that need to communicate each other via mTLS, and use the Workload API to get SVIDs and trust bundles.
 # Scenario
diff --git a/docker-compose/federation/docker/spire-server-broker.example/Dockerfile b/docker-compose/federation/docker/spire-server-broker.example/Dockerfile
index 05cd74e1..85541398 100644
--- a/docker-compose/federation/docker/spire-server-broker.example/Dockerfile
+++ b/docker-compose/federation/docker/spire-server-broker.example/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/spiffe/spire-server:1.5.1
+FROM ghcr.io/spiffe/spire-server:1.11.2
 # Override spire configurations
 COPY conf/server.conf /opt/spire/conf/server/server.conf
diff --git a/docker-compose/federation/docker/spire-server-stockmarket.example/Dockerfile b/docker-compose/federation/docker/spire-server-stockmarket.example/Dockerfile
index c6c4250e..bbaf606b 100644
--- a/docker-compose/federation/docker/spire-server-stockmarket.example/Dockerfile
+++ b/docker-compose/federation/docker/spire-server-stockmarket.example/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/spiffe/spire-server:1.5.1
+FROM ghcr.io/spiffe/spire-server:1.11.2
 # Override spire configurations
 COPY conf/server.conf /opt/spire/conf/server/server.conf
diff --git a/docker-compose/metrics/docker-compose.yaml b/docker-compose/metrics/docker-compose.yaml
index 785e952b..df6417f2 100644
--- a/docker-compose/metrics/docker-compose.yaml
+++ b/docker-compose/metrics/docker-compose.yaml
@@ -17,13 +17,13 @@ services:
 ports:
 - "9090:9090"
 spire-server:
- image: ghcr.io/spiffe/spire-server:1.5.1
+ image: ghcr.io/spiffe/spire-server:1.11.2
 hostname: spire-server
 volumes:
 - ./spire/server:/opt/spire/conf/server
 command: ["-config", "/opt/spire/conf/server/server.conf"]
 spire-agent:
- image: ghcr.io/spiffe/spire-agent:1.5.1
+ image: ghcr.io/spiffe/spire-agent:1.11.2
 depends_on: ["spire-server"]
 hostname: spire-agent
 volumes:
diff --git a/docker-compose/metrics/spire/agent/bootstrap.crt b/docker-compose/metrics/spire/agent/bootstrap.crt
index c946ddab..7c8af777 100644
--- a/docker-compose/metrics/spire/agent/bootstrap.crt
+++ b/docker-compose/metrics/spire/agent/bootstrap.crt
@@ -1,11 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIBjjCCATSgAwIBAgIBADAKBggqhkjOPQQDAjAeMQswCQYDVQQGEwJVUzEPMA0G
-A1UEChMGU1BJRkZFMB4XDTIwMDkwOTEyMDAzMloXDTIwMDkxMDEyMDA0MlowHjEL
-MAkGA1UEBhMCVVMxDzANBgNVBAoTBlNQSUZGRTBZMBMGByqGSM49AgEGCCqGSM49
-AwEHA0IABHMKPycervFjrBUtnp777XTMEFnrkyNwEPyJeW82ZWGK/a0MkJuXyVjR
-E+1278Uw2+ibEhqu4t01K4H3e3pnHjijYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQl2JvBH6ei193VzV6qx+LE/DCqtDAfBgNV
-HREEGDAWhhRzcGlmZmU6Ly9leGFtcGxlLm9yZzAKBggqhkjOPQQDAgNIADBFAiEA
-nJ3tKeedWyqBBNtzcI/jTFAOsEfNVkLeCcnuDifPzzMCIF6ghe9ToYUA1rXutGjc
-hPo/+b7/LYeSHNcCGA1/VqRD
+MIICADCCAaegAwIBAgIQWb1fwpq1CRgRMWgIPjUkZDAKBggqhkjOPQQDAjBQMQsw
+CQYDVQQGEwJVUzEPMA0GA1UEChMGU1BJRkZFMTAwLgYDVQQFEycxMTkyODQ1Nzc5
+NzgxNzYwMTk4MTcyOTkzMzgxMjQ3NjIzNTg4ODQwHhcNMjUwMjI3MjE0ODUyWhcN
+MjUwMjI4MjE0OTAyWjBQMQswCQYDVQQGEwJVUzEPMA0GA1UEChMGU1BJRkZFMTAw
+LgYDVQQFEycxMTkyODQ1Nzc5NzgxNzYwMTk4MTcyOTkzMzgxMjQ3NjIzNTg4ODQw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/KNCfkxzU3697S+m7zv5KjiD24BXW
+shqDlv/87hPBXg3rcYMI0bKl5JYQEzfG1no9nm+zESsJBRG/G9tOR7rvo2MwYTAO
+BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU6P1ZcANp
+jpC1nQ+73YfelEbZYoEwHwYDVR0RBBgwFoYUc3BpZmZlOi8vZXhhbXBsZS5vcmcw
+CgYIKoZIzj0EAwIDRwAwRAIgcWulpz7Sju1wQ6O821WwXajecMSR0k1Mog8iAyDL
+oZsCIFT7nYK+/F3BBeOndbsrSPGd2jrlDknQrPFHsZB9sJoY
 -----END CERTIFICATE-----
diff --git a/docker-compose/nested-spire/README.md b/docker-compose/nested-spire/README.md
index 270bdbf5..86b67851 100644
--- a/docker-compose/nested-spire/README.md
+++ b/docker-compose/nested-spire/README.md
@@ -48,7 +48,7 @@ We define all the services for the tutorial in the [docker-compose.yaml](docker-
 services:
 # Root
 root-server:
- image: ghcr.io/spiffe/spire-server:1.5.1
+ image: ghcr.io/spiffe/spire-server:1.11.2
 hostname: root-server
 volumes:
 - ./root/server:/opt/spire/conf/server
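Review bot: The replacement bootstrap.crt decodes to a validity window of 2025-02-27T21:48:52Z to 2025-02-28T21:49:02Z, about 24 hours, the same one-day pattern as the 2020-dated certificate it replaces. An agent bootstrapped from the committed file after that window cannot verify the server, so the checked-in copy is only useful if the metrics tutorial regenerates it at run time (the nested-spire set-env.sh in this same diff does so with `spire-server bundle show`), which this diff does not show for the metrics example. If it is regenerated, a README sentence or an ignore rule stating that the committed file is a placeholder would keep readers from trusting the stale copy; if it is not, the tutorial stops working a day after this commit.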
@@ -56,7 +56,7 @@ We define all the services for the tutorial in the [docker-compose.yaml](docker-
 root-agent:
 # Share the host pid namespace so this agent can attest the nested servers
 pid: "host"
- image: ghcr.io/spiffe/spire-agent:1.5.1
+ image: ghcr.io/spiffe/spire-agent:1.11.2
 depends_on: ["root-server"]
 hostname: root-agent
 volumes:
@@ -91,7 +91,7 @@ The Docker Compose definition for the `nestedA-server` service in the [docker-co
 nestedA-server:
 # Share the host pid namespace so this server can be attested by the root agent
 pid: "host"
- image: ghcr.io/spiffe/spire-server:1.5.1
+ image: ghcr.io/spiffe/spire-server:1.11.2
 hostname: nestedA-server
 labels:
 # label to attest nestedA-server against root-agent
diff --git a/docker-compose/nested-spire/docker-compose.yaml b/docker-compose/nested-spire/docker-compose.yaml
index d7e91da4..f8b79581 100644
--- a/docker-compose/nested-spire/docker-compose.yaml
+++ b/docker-compose/nested-spire/docker-compose.yaml
@@ -1,7 +1,7 @@
 services:
 # Root
 root-server:
- image: ghcr.io/spiffe/spire-server:1.5.1
+ image: ghcr.io/spiffe/spire-server:1.11.2
 hostname: root-server
 volumes:
 - ./root/server:/opt/spire/conf/server
@@ -9,7 +9,7 @@ services:
 root-agent:
 # Share the host pid namespace so this agent can attest the nested servers
 pid: "host"
- image: ghcr.io/spiffe/spire-agent:1.5.1
+ image: ghcr.io/spiffe/spire-agent:1.11.2
 depends_on: ["root-server"]
 hostname: root-agent
 volumes:
@@ -22,7 +22,7 @@ services:
 nestedA-server:
 # Share the host pid namespace so this server can be attested by the root agent
 pid: "host"
- image: ghcr.io/spiffe/spire-server:1.5.1
+ image: ghcr.io/spiffe/spire-server:1.11.2
 hostname: nestedA-server
 labels:
 # label to attest server against root-agent
@@ -34,7 +34,7 @@ services:
 - ./nestedA/server:/opt/spire/conf/server
 command: ["-config", "/opt/spire/conf/server/server.conf"]
 nestedA-agent:
- image: ghcr.io/spiffe/spire-agent:1.5.1
+ image: ghcr.io/spiffe/spire-agent:1.11.2
 hostname: nestedA-agent
 depends_on: ["nestedA-server"]
 volumes:
@@ -44,7 +44,7 @@ services:
 nestedB-server:
 # Share the host pid namespace so this server can be attested by the root agent
 pid: "host"
- image: ghcr.io/spiffe/spire-server:1.5.1
+ image: ghcr.io/spiffe/spire-server:1.11.2
 hostname: nestedB-server
 depends_on: ["root-server","root-agent"]
 labels:
@@ -56,7 +56,7 @@ services:
 - ./nestedB/server:/opt/spire/conf/server
 command: ["-config", "/opt/spire/conf/server/server.conf"]
 nestedB-agent:
- image: ghcr.io/spiffe/spire-agent:1.5.1
+ image: ghcr.io/spiffe/spire-agent:1.11.2
 hostname: nestedB-agent
 depends_on: ["nestedB-server"]
 volumes:
diff --git a/docker-compose/nested-spire/root/agent/agent.conf b/docker-compose/nested-spire/root/agent/agent.conf
index 6384eea4..011d9d51 100644
--- a/docker-compose/nested-spire/root/agent/agent.conf
+++ b/docker-compose/nested-spire/root/agent/agent.conf
@@ -22,8 +22,6 @@ plugins {
 }
 WorkloadAttestor "docker" {
 plugin_data {
- # GitHub worklow activate groups for testing
- #container_id_cgroup_matchers = [CGROUP_MATCHERS]
 }
 }
 }
diff --git a/docker-compose/nested-spire/scripts/set-env.sh b/docker-compose/nested-spire/scripts/set-env.sh
index 23f7fbaa..1448a13a 100755
--- a/docker-compose/nested-spire/scripts/set-env.sh
+++ b/docker-compose/nested-spire/scripts/set-env.sh
@@ -47,15 +47,21 @@ check-entry-is-propagated() {
 exit 1
 }
+check-server-is-ready() {
+ # Check at most 30 times that the agent has successfully synced down the workload entry.
+ # Wait one second between checks.
+ log "Checking server is ready..."
+ for ((i=1;i<=30;i++)); do
+ if docker compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "Starting Server APIs"; then
+ log "${green}Server is ready.${nn}"
+ return 0
+ fi
+ sleep 1
+ done
-# Configure the environment-dependent CGROUP matchers for the docker workload
-# attestors.
-CGROUP_MATCHERS=""
-if [ -n "${GITHUB_WORKFLOW}" ]; then
- CGROUP_MATCHERS='"/actions_job/"'
-fi
-sed -i.bak "s#\#container_id_cgroup_matchers#container_id_cgroup_matchers#" "${PARENT_DIR}"/root/agent/agent.conf
-sed -i.bak "s#CGROUP_MATCHERS#$CGROUP_MATCHERS#" "${PARENT_DIR}"/root/agent/agent.conf
+ log "${red}timed out waiting for the entry to be progagated to the agent${norm}"
+ exit 1
+}
 # create a shared folder for root agent socket to be accessed by nestedA and nestedB servers
 mkdir -p "${PARENT_DIR}"/sharedRootSocket
@@ -103,6 +109,8 @@ setup "${PARENT_DIR}"/nestedA/server "${PARENT_DIR}"/nestedA/agent
 log "Starting nestedA-server.."
 docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedA-server
+check-server-is-ready nestedA-server
+
 log "bootstrapping nestedA agent..."
 docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedA-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedA/agent/bootstrap.crt
@@ -117,6 +125,8 @@ setup "${PARENT_DIR}"/nestedB/server "${PARENT_DIR}"/nestedB/agent
 log "Starting nestedB-server.."
 docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedB-server
+check-server-is-ready nestedB-server
+
 log "bootstrapping nestedB agent..."
 docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedB-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedB/agent/bootstrap.crt
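Review bot: The new check-server-is-ready() carries a header comment and a timeout message copied from check-entry-is-propagated() ("synced down the workload entry", "waiting for the entry to be progagated to the agent"), which describe a different check and will mislead whoever debugs a start-up timeout. The success line also resets colour with `${nn}`, a variable not defined anywhere visible here, while every other message on this page resets with `${norm}`; if `nn` is unset the terminal is left green. Suggested lines: `# Poll the server's compose logs up to 30 times, one second apart, for the "Starting Server APIs" line.`, `log "${green}Server is ready.${norm}"`, and `log "${red}timed out waiting for $1 to log \"Starting Server APIs\"${norm}"`, and quote the service name as `"$1"` in the `docker compose ... logs` call so an empty argument fails loudly instead of dumping every service's log.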
diff --git a/docker-compose/nested-spire/test.sh b/docker-compose/nested-spire/test.sh
index e41ae1c9..c713eb2f 100755
--- a/docker-compose/nested-spire/test.sh
+++ b/docker-compose/nested-spire/test.sh
@@ -38,7 +38,7 @@ bash "${DIR}"/scripts/create-workload-registration-entries.sh
 log "checking nested JWT-SVID..."
 # Fetch JWT-SVID and extract token
 token=$(docker compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedA-agent \
- /opt/spire/bin/spire-agent api fetch jwt -audience testIt -socketPath /opt/spire/sockets/workload_api.sock | sed -n '2p') || fail "JWT-SVID check failed"
+ /opt/spire/bin/spire-agent api fetch jwt -audience testIt -socketPath /opt/spire/sockets/workload_api.sock | sed -n '2p' | tr -d '\t') || fail "JWT-SVID check failed"
 # Validate token
 validation_result=$(docker compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedB-agent \
diff --git a/k8s/envoy-jwt-opa/scripts/set-env.sh b/k8s/envoy-jwt-opa/scripts/set-env.sh
index 29d4f7aa..9b4d3281 100755
--- a/k8s/envoy-jwt-opa/scripts/set-env.sh
+++ b/k8s/envoy-jwt-opa/scripts/set-env.sh
@@ -39,7 +39,7 @@ wait_for_envoy() {
 LOGLINE="all dependencies initialized. starting workers"
 LOGLINE2="membership update for TLS cluster backend added 1 removed 1"
 for ((i=0;i<30;i++)); do
- if ! kubectl logs --tail=100 --selector=app=backend -c envoy | grep -qe "${LOGLINE}" ; then
+ if ! kubectl logs --tail=1000 --selector=app=backend -c envoy | grep -qe "${LOGLINE}" ; then
 sleep 5
 echo "Waiting until backend envoy instance is ready..."
 continue
diff --git a/k8s/envoy-jwt/scripts/set-env.sh b/k8s/envoy-jwt/scripts/set-env.sh
index 1aa6e4b6..1187bc33 100755
--- a/k8s/envoy-jwt/scripts/set-env.sh
+++ b/k8s/envoy-jwt/scripts/set-env.sh
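Review bot: The added `| tr -d '\t'` in the token pipeline of the test.sh hunk papers over a layout change in the CLI's text output: the test still takes line 2 of `spire-agent api fetch jwt` with `sed -n '2p'`, so the next cosmetic change to that output will again produce a garbled token and `fail "JWT-SVID check failed"` will point at the wrong cause. If the 1.11 CLI offers a machine-readable output mode, selecting the token from that would remove the dependence on line position and indentation; otherwise a comment such as `# line 2 of the text output is the tab-indented token; tr strips the indent` records the assumption for the next person who hits this. The rest of the test body lies outside the hunk.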
@@ -49,7 +49,7 @@ wait_for_envoy() {
 LOGLINE="all dependencies initialized. starting workers"
 LOGLINE2="DNS hosts have changed for backend-envoy"
 for ((i=0;i<30;i++)); do
- if ! kubectl logs --tail=300 --selector=app=frontend -c envoy | grep -qe "${LOGLINE}" ; then
+ if ! kubectl logs --tail=1000 --selector=app=frontend -c envoy | grep -qe "${LOGLINE}" ; then
 sleep 5
 echo "Waiting until Envoy is ready..."
 continue
diff --git a/k8s/envoy-opa/scripts/set-env.sh b/k8s/envoy-opa/scripts/set-env.sh
index e63d1b21..b4bc61fb 100755
--- a/k8s/envoy-opa/scripts/set-env.sh
+++ b/k8s/envoy-opa/scripts/set-env.sh
@@ -44,7 +44,7 @@ wait_for_envoy() {
 echo "Waiting until backend envoy instance is ready..."
 continue
 fi
- if ! kubectl logs --tail=30 --selector=app=frontend -c envoy | grep -qe "${LOGLINE2}" ; then
+ if ! kubectl logs --tail=1000 --selector=app=frontend -c envoy | grep -qe "${LOGLINE2}" ; then
 sleep 5
 echo "Waiting until frontend envoy instance is in sync with the backend envoy..."
 continue
diff --git a/k8s/quickstart/agent-configmap.yaml b/k8s/quickstart/agent-configmap.yaml
index 78687b25..d619dee1 100644
--- a/k8s/quickstart/agent-configmap.yaml
+++ b/k8s/quickstart/agent-configmap.yaml
@@ -16,7 +16,7 @@ data:
 }
 plugins {
- NodeAttestor "k8s_sat" {
+ NodeAttestor "k8s_psat" {
 plugin_data {
 # NOTE: Change this to your cluster name
 cluster = "demo-cluster"
diff --git a/k8s/quickstart/agent-daemonset.yaml b/k8s/quickstart/agent-daemonset.yaml
index 1a946a23..520fff5a 100644
--- a/k8s/quickstart/agent-daemonset.yaml
+++ b/k8s/quickstart/agent-daemonset.yaml
@@ -28,7 +28,7 @@ spec:
 args: ["-t", "30", "spire-server:8081"]
 containers:
 - name: spire-agent
- image: ghcr.io/spiffe/spire-agent:1.5.1
+ image: ghcr.io/spiffe/spire-agent:1.11.2
 args: ["-config", "/run/spire/config/agent.conf"]
 env:
 - name: MY_NODE_NAME
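Review bot: The agent-configmap.yaml hunk switches the NodeAttestor to "k8s_psat" but sets no `token_path`, so the agent silently relies on the plugin's default location for the projected token, and that location has to agree with the `spire-token` volume that agent-daemonset.yaml mounts at /var/run/secrets/tokens with `path: spire-agent` in the same commit. Nothing in the config records that coupling, and a reader who moves the mount will get an attestation failure with no hint why. A comment inside the plugin_data block would make it explicit: `# token_path is left at the plugin default (/var/run/secrets/tokens/spire-agent); it must match the projected spire-token volume in agent-daemonset.yaml`. The remainder of the plugin_data block is outside the hunk.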
@@ -44,6 +44,8 @@ spec:
 - name: spire-agent-socket
 mountPath: /run/spire/sockets
 readOnly: false
+ - name: spire-token
+ mountPath: /var/run/secrets/tokens
 livenessProbe:
 httpGet:
 path: /live
@@ -69,3 +71,10 @@ spec:
 hostPath:
 path: /run/spire/sockets
 type: DirectoryOrCreate
+ - name: spire-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: spire-agent
+ expirationSeconds: 7200
+ audience: spire-server
diff --git a/k8s/quickstart/create-node-registration-entry.sh b/k8s/quickstart/create-node-registration-entry.sh
index c5da4c6f..736d5ee7 100644
--- a/k8s/quickstart/create-node-registration-entry.sh
+++ b/k8s/quickstart/create-node-registration-entry.sh
@@ -11,6 +11,6 @@ kubectl exec -n spire spire-server-0 -- \
 /opt/spire/bin/spire-server entry create \
 -node \
 -spiffeID spiffe://example.org/ns/spire/sa/spire-agent \
- -selector k8s_sat:cluster:demo-cluster \
- -selector k8s_sat:agent_ns:spire \
- -selector k8s_sat:agent_sa:spire-agent
+ -selector k8s_psat:cluster:demo-cluster \
+ -selector k8s_psat:agent_ns:spire \
+ -selector k8s_psat:agent_sa:spire-agent
diff --git a/k8s/quickstart/server-cluster-role.yaml b/k8s/quickstart/server-cluster-role.yaml
index 00925d1e..e715c429 100644
--- a/k8s/quickstart/server-cluster-role.yaml
+++ b/k8s/quickstart/server-cluster-role.yaml
@@ -24,12 +24,15 @@ roleRef:
 kind: Role
 name: spire-server-configmap-role
 ---
-# ClusterRole to allow spire-server node attestor to query Token Review API
+# ClusterRole to allow spire-server node attestor to read pods and nodes, and query Token Review API
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: spire-server-trust-role
 rules:
+- apiGroups: [""]
+ resources: ["pods", "nodes"]
+ verbs: ["get"]
 - apiGroups: ["authentication.k8s.io"]
 resources: ["tokenreviews"]
 verbs: ["create"]
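Review bot: The new `spire-token` volumeMount in the first agent-daemonset.yaml hunk carries no `readOnly` setting, while the neighbouring socket mount states `readOnly: false` explicitly; the projected service-account token is only ever read by the agent, so the mount should say `readOnly: true`. Current kubelets already mount projected volumes read-only, but stating it in the manifest documents the intent and survives a later change of volume type. The second hunk's `audience: spire-server` is what the server-side k8s_psat plugin validates, and a short comment on that line tying it to server-configmap.yaml (`# must match the k8s_psat audience expected by the server`) would keep the two manifests from drifting apart.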
@@ -46,4 +49,4 @@ subjects:
 roleRef:
 kind: ClusterRole
 name: spire-server-trust-role
- apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
+ apiGroup: rbac.authorization.k8s.io
diff --git a/k8s/quickstart/server-configmap.yaml b/k8s/quickstart/server-configmap.yaml
index 9cdf269d..37029f08 100644
--- a/k8s/quickstart/server-configmap.yaml
+++ b/k8s/quickstart/server-configmap.yaml
@@ -30,12 +30,11 @@ data:
 }
 }
- NodeAttestor "k8s_sat" {
+ NodeAttestor "k8s_psat" {
 plugin_data {
 clusters = {
 # NOTE: Change this to your cluster name
 "demo-cluster" = {
- use_token_review_api_validation = true
 service_account_allow_list = ["spire:spire-agent"]
 }
 }
diff --git a/k8s/quickstart/server-statefulset.yaml b/k8s/quickstart/server-statefulset.yaml
index fd1eedf6..cd558169 100644
--- a/k8s/quickstart/server-statefulset.yaml
+++ b/k8s/quickstart/server-statefulset.yaml
@@ -20,7 +20,7 @@ spec:
 serviceAccountName: spire-server
 containers:
 - name: spire-server
- image: ghcr.io/spiffe/spire-server:1.5.1
+ image: ghcr.io/spiffe/spire-server:1.11.2
 args:
 - -config
 - /run/spire/config/server.conf
diff --git a/k8s/quickstart/test.sh b/k8s/quickstart/test.sh
index ee972f53..a5d237b4 100755
--- a/k8s/quickstart/test.sh
+++ b/k8s/quickstart/test.sh
@@ -24,7 +24,7 @@ start_minikube() {
 if [ -z "${GITHUB_WORKFLOW}" ]; then
 echo "${bold}Starting minikube... ${norm}"
 ${MINIKUBECMD} start
- eval $(${MINIKUBECMD} docker-env)
+ eval $(${MINIKUBECMD} docker-env --shell=bash)
 fi
 }
@@ -115,7 +115,7 @@ check_for_node_attestation() {
 sleep ${CHECKINTERVAL}
 echo -n "${bold}Checking for node attestation... ${norm}"
 kubectl -n spire logs ${SPIRE_SERVER_POD_NAME} > ${SERVERLOGS} || true
- if grep -sxq -e ".*Agent attestation request completed.*k8s_sat.*" ${SERVERLOGS}; then
+ if grep -sxq -e ".*Agent attestation request completed.*k8s_psat.*" ${SERVERLOGS}; then
 echo "${green}ok${norm}."
 return
 fi