From 73d6b733af2ee7434b5483876b50f84eda739435 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Sat, 18 Jan 2025 07:26:34 +0000
Subject: [PATCH 01/13] Specify shell when fetching docker-env
For me this gets the set of commands for my user shell, not the shell running the script. Since we know we run the script as bash, tell that to minikube.
Signed-off-by: Sorin Dumitru
---
k8s/quickstart/test.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/k8s/quickstart/test.sh b/k8s/quickstart/test.sh
index ee972f53..d18ec99a 100755
--- a/k8s/quickstart/test.sh
+++ b/k8s/quickstart/test.sh
@@ -24,7 +24,7 @@ start_minikube() { if [ -z "${GITHUB_WORKFLOW}" ]; then echo "${bold}Starting minikube... ${norm}" ${MINIKUBECMD} start - eval $(${MINIKUBECMD} docker-env) + eval $(${MINIKUBECMD} docker-env --shell=bash) fi }
From a33dd9944279fb3387db4d9b0d5e16ca77437308 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Sat, 18 Jan 2025 07:32:29 +0000
Subject: [PATCH 02/13] Switch from k8s_sat to k8s_psat
Signed-off-by: Sorin Dumitru
---
k8s/quickstart/agent-configmap.yaml | 2 +-
k8s/quickstart/agent-daemonset.yaml | 9 +++++++++
k8s/quickstart/server-cluster-role.yaml | 7 +++++--
k8s/quickstart/server-configmap.yaml | 3 +--
k8s/quickstart/test.sh | 2 +-
5 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/k8s/quickstart/agent-configmap.yaml b/k8s/quickstart/agent-configmap.yaml
index 78687b25..d619dee1 100644
--- a/k8s/quickstart/agent-configmap.yaml
+++ b/k8s/quickstart/agent-configmap.yaml
@@ -16,7 +16,7 @@ data: } plugins { - NodeAttestor "k8s_sat" { + NodeAttestor "k8s_psat" { plugin_data { # NOTE: Change this to your cluster name cluster = "demo-cluster"
diff --git a/k8s/quickstart/agent-daemonset.yaml b/k8s/quickstart/agent-daemonset.yaml
index 1a946a23..e51170c7 100644
--- a/k8s/quickstart/agent-daemonset.yaml
+++ b/k8s/quickstart/agent-daemonset.yaml
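Review bot: The new `eval $(${MINIKUBECMD} docker-env --shell=bash)` still evaluates whatever minikube prints and discards its exit status, so when `docker-env` fails (for example because the VM is not reachable yet) the substitution is empty, `eval` succeeds, and the rest of the script silently builds against the host Docker daemon instead of minikube's. Capture the output first and stop on failure: `env_cmds=$(${MINIKUBECMD} docker-env --shell=bash) || exit 1` followed by `eval "$env_cmds"`. The opening line of start_minikube is outside the hunk (it is only visible as the hunk header's context).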
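Review bot: The agent-side `k8s_psat` block only sets `cluster`, so it relies on the plugin's default `token_path`, and that default has to line up with where the daemonset projects the service account token (`/var/run/secrets/tokens/spire-agent` in this same series); nothing in either file records that coupling, so someone editing one file would not know to check the other. Add a comment in plugin_data such as `# token_path is left at its default; it must match the spire-token volumeMount in agent-daemonset.yaml`. The remainder of the plugin_data block is outside the hunk.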
@@ -44,6 +44,8 @@ spec: - name: spire-agent-socket mountPath: /run/spire/sockets readOnly: false + - name: spire-token + mountPath: /var/run/secrets/tokens livenessProbe: httpGet: path: /live
@@ -69,3 +71,10 @@ spec: hostPath: path: /run/spire/sockets type: DirectoryOrCreate + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server
diff --git a/k8s/quickstart/server-cluster-role.yaml b/k8s/quickstart/server-cluster-role.yaml
index 00925d1e..e715c429 100644
--- a/k8s/quickstart/server-cluster-role.yaml
+++ b/k8s/quickstart/server-cluster-role.yaml
@@ -24,12 +24,15 @@ roleRef: kind: Role name: spire-server-configmap-role --- -# ClusterRole to allow spire-server node attestor to query Token Review API +# ClusterRole to allow spire-server node attestor to read pods and nodes, and query Token Review API kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: spire-server-trust-role rules: +- apiGroups: [""] + resources: ["pods", "nodes"] + verbs: ["get"] - apiGroups: ["authentication.k8s.io"] resources: ["tokenreviews"] verbs: ["create"]
@@ -46,4 +49,4 @@ subjects: roleRef: kind: ClusterRole name: spire-server-trust-role - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + apiGroup: rbac.authorization.k8s.io
diff --git a/k8s/quickstart/server-configmap.yaml b/k8s/quickstart/server-configmap.yaml
index 9cdf269d..37029f08 100644
--- a/k8s/quickstart/server-configmap.yaml
+++ b/k8s/quickstart/server-configmap.yaml
@@ -30,12 +30,11 @@ data: } } - NodeAttestor "k8s_sat" { + NodeAttestor "k8s_psat" { plugin_data { clusters = { # NOTE: Change this to your cluster name "demo-cluster" = { - use_token_review_api_validation = true service_account_allow_list = ["spire:spire-agent"] } }
diff --git a/k8s/quickstart/test.sh b/k8s/quickstart/test.sh
index d18ec99a..a5d237b4 100755
--- a/k8s/quickstart/test.sh
+++ b/k8s/quickstart/test.sh
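Review bot: The projected token's `audience: spire-server` is the value the server-side k8s_psat TokenReview validation depends on, and the hunk does not record that coupling, so a later change to the audience here would make every node attestation fail with no hint in this file why. Add a comment above the `audience` line, e.g. `# must match the audience the spire-server k8s_psat plugin validates (its default is spire-server)`. A sibling comment on `expirationSeconds` noting that the kubelet rotates the projected token before expiry, so the agent always reads a fresh one, would save the next reader a trip to the Kubernetes docs.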
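Review bot: The new rule grants `get` on `pods` cluster-wide, although every agent pod the server must look up lives in the `spire` namespace (the server-configmap hunk allow-lists only `spire:spire-agent`); only `nodes` is cluster-scoped. If all agents stay in that namespace, keeping `nodes` in this ClusterRole and moving the `pods` `get` into a namespaced Role bound in `spire` stops the server from reading pod specs in other namespaces. If a single ClusterRole is kept deliberately for tutorial simplicity, say so in the comment above it so readers do not copy it as-is into production.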
@@ -115,7 +115,7 @@ check_for_node_attestation() { sleep ${CHECKINTERVAL} echo -n "${bold}Checking for node attestation... ${norm}" kubectl -n spire logs ${SPIRE_SERVER_POD_NAME} > ${SERVERLOGS} || true - if grep -sxq -e ".*Agent attestation request completed.*k8s_sat.*" ${SERVERLOGS}; then + if grep -sxq -e ".*Agent attestation request completed.*k8s_psat.*" ${SERVERLOGS}; then echo "${green}ok${norm}." return fi
From 3e04cbc78b1d7a1ebb519d6426583ab06b9827d1 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Sat, 18 Jan 2025 07:46:34 +0000
Subject: [PATCH 03/13] Upgrade to SPIRE 1.11.1
Signed-off-by: Sorin Dumitru
---
k8s/quickstart/agent-daemonset.yaml | 2 +-
k8s/quickstart/server-statefulset.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/k8s/quickstart/agent-daemonset.yaml b/k8s/quickstart/agent-daemonset.yaml
index e51170c7..47d6fe75 100644
--- a/k8s/quickstart/agent-daemonset.yaml
+++ b/k8s/quickstart/agent-daemonset.yaml
@@ -28,7 +28,7 @@ spec: args: ["-t", "30", "spire-server:8081"] containers: - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.5.1 + image: ghcr.io/spiffe/spire-agent:1.11.1 args: ["-config", "/run/spire/config/agent.conf"] env: - name: MY_NODE_NAME
diff --git a/k8s/quickstart/server-statefulset.yaml b/k8s/quickstart/server-statefulset.yaml
index fd1eedf6..60f2490b 100644
--- a/k8s/quickstart/server-statefulset.yaml
+++ b/k8s/quickstart/server-statefulset.yaml
@@ -20,7 +20,7 @@ spec: serviceAccountName: spire-server containers: - name: spire-server - image: ghcr.io/spiffe/spire-server:1.5.1 + image: ghcr.io/spiffe/spire-server:1.11.1 args: - -config - /run/spire/config/server.conf
From feb5160a9f62c689a1edb9915c978fe9990f16bb Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Sat, 18 Jan 2025 11:42:58 +0000
Subject: [PATCH 04/13] Also fix the node alias entry
Signed-off-by: Sorin Dumitru
---
k8s/quickstart/create-node-registration-entry.sh | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
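Review bot: The changed line `grep -sxq -e ".*Agent attestation request completed.*k8s_psat.*" ${SERVERLOGS}` asks for whole-line matching with `-x` and then neutralises it with `.*` at both ends, and it leaves `${SERVERLOGS}` (and `${SPIRE_SERVER_POD_NAME}` on the kubectl line) unquoted; `grep -sq -e 'Agent attestation request completed.*k8s_psat' "${SERVERLOGS}"` expresses the same check. The `-s` flag together with the `|| true` on the kubectl line means a failed log fetch is silently retried on the next iteration, which is presumably intended, but a one-line comment on the kubectl line (`# log fetch may fail while the pod is still starting; retry on the next pass`) would make that explicit. The surrounding loop of check_for_node_attestation starts and ends outside the hunk.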
diff --git a/k8s/quickstart/create-node-registration-entry.sh b/k8s/quickstart/create-node-registration-entry.sh
index c5da4c6f..736d5ee7 100644
--- a/k8s/quickstart/create-node-registration-entry.sh
+++ b/k8s/quickstart/create-node-registration-entry.sh
@@ -11,6 +11,6 @@ kubectl exec -n spire spire-server-0 -- \ /opt/spire/bin/spire-server entry create \ -node \ -spiffeID spiffe://example.org/ns/spire/sa/spire-agent \ - -selector k8s_sat:cluster:demo-cluster \ - -selector k8s_sat:agent_ns:spire \ - -selector k8s_sat:agent_sa:spire-agent + -selector k8s_psat:cluster:demo-cluster \ + -selector k8s_psat:agent_ns:spire \ + -selector k8s_psat:agent_sa:spire-agent
From 437ccf05ab35d372a42038fc7440f99a66a05c44 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Fri, 24 Jan 2025 06:49:09 +0000
Subject: [PATCH 05/13] Increase log lookback window size
Signed-off-by: Sorin Dumitru
---
k8s/envoy-jwt-opa/scripts/set-env.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/k8s/envoy-jwt-opa/scripts/set-env.sh b/k8s/envoy-jwt-opa/scripts/set-env.sh
index 29d4f7aa..9b4d3281 100755
--- a/k8s/envoy-jwt-opa/scripts/set-env.sh
+++ b/k8s/envoy-jwt-opa/scripts/set-env.sh
@@ -39,7 +39,7 @@ wait_for_envoy() { LOGLINE="all dependencies initialized. starting workers" LOGLINE2="membership update for TLS cluster backend added 1 removed 1" for ((i=0;i<30;i++)); do - if ! kubectl logs --tail=100 --selector=app=backend -c envoy | grep -qe "${LOGLINE}" ; then + if ! kubectl logs --tail=1000 --selector=app=backend -c envoy | grep -qe "${LOGLINE}" ; then sleep 5 echo "Waiting until backend envoy instance is ready..." continue
From c0073fab0e1d6b73d880c41251ef4e3b8563b8be Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Thu, 27 Feb 2025 21:30:23 +0000
Subject: [PATCH 06/13] Update more lookback windows
Signed-off-by: Sorin Dumitru
---
k8s/envoy-jwt/scripts/set-env.sh | 2 +-
k8s/envoy-opa/scripts/set-env.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/k8s/envoy-jwt/scripts/set-env.sh b/k8s/envoy-jwt/scripts/set-env.sh
index 1aa6e4b6..1187bc33 100755
--- a/k8s/envoy-jwt/scripts/set-env.sh
+++ b/k8s/envoy-jwt/scripts/set-env.sh
@@ -49,7 +49,7 @@ wait_for_envoy() { LOGLINE="all dependencies initialized. starting workers" LOGLINE2="DNS hosts have changed for backend-envoy" for ((i=0;i<30;i++)); do - if ! kubectl logs --tail=300 --selector=app=frontend -c envoy | grep -qe "${LOGLINE}" ; then + if ! kubectl logs --tail=1000 --selector=app=frontend -c envoy | grep -qe "${LOGLINE}" ; then sleep 5 echo "Waiting until Envoy is ready..." continue
diff --git a/k8s/envoy-opa/scripts/set-env.sh b/k8s/envoy-opa/scripts/set-env.sh
index e63d1b21..b4bc61fb 100755
--- a/k8s/envoy-opa/scripts/set-env.sh
+++ b/k8s/envoy-opa/scripts/set-env.sh
@@ -44,7 +44,7 @@ wait_for_envoy() { echo "Waiting until backend envoy instance is ready..." continue fi - if ! kubectl logs --tail=30 --selector=app=frontend -c envoy | grep -qe "${LOGLINE2}" ; then + if ! kubectl logs --tail=1000 --selector=app=frontend -c envoy | grep -qe "${LOGLINE2}" ; then sleep 5 echo "Waiting until frontend envoy instance is in sync with the backend envoy..." continue
From 3022f4ac65c6bee16e4595ae1dafc7b3df612c0d Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Thu, 27 Feb 2025 21:46:58 +0000
Subject: [PATCH 07/13] Update to 1.11.2 now that it's available
Signed-off-by: Sorin Dumitru
---
k8s/quickstart/agent-daemonset.yaml | 2 +-
k8s/quickstart/server-statefulset.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/k8s/quickstart/agent-daemonset.yaml b/k8s/quickstart/agent-daemonset.yaml
index 47d6fe75..520fff5a 100644
--- a/k8s/quickstart/agent-daemonset.yaml
+++ b/k8s/quickstart/agent-daemonset.yaml
@@ -28,7 +28,7 @@ spec: args: ["-t", "30", "spire-server:8081"] containers: - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.11.1 + image: ghcr.io/spiffe/spire-agent:1.11.2 args: ["-config", "/run/spire/config/agent.conf"] env: - name: MY_NODE_NAME
diff --git a/k8s/quickstart/server-statefulset.yaml b/k8s/quickstart/server-statefulset.yaml
index 60f2490b..cd558169 100644
--- a/k8s/quickstart/server-statefulset.yaml
+++ b/k8s/quickstart/server-statefulset.yaml
@@ -20,7 +20,7 @@ spec: serviceAccountName: spire-server containers: - name: spire-server - image: ghcr.io/spiffe/spire-server:1.11.1 + image: ghcr.io/spiffe/spire-server:1.11.2 args: - -config - /run/spire/config/server.conf
From 192cddcbfe6e18ef2ed534ec36fa27621f3813d5 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Thu, 27 Feb 2025 21:55:30 +0000
Subject: [PATCH 08/13] Also update version in docker-compose
Signed-off-by: Sorin Dumitru
---
docker-compose/federation/README.md | 4 ++--
.../spire-server-broker.example/Dockerfile | 2 +-
.../Dockerfile | 2 +-
docker-compose/metrics/docker-compose.yaml | 4 ++--
.../metrics/spire/agent/bootstrap.crt | 20 ++++++++++---------
docker-compose/nested-spire/README.md | 6 +++---
.../nested-spire/docker-compose.yaml | 12 +++++------
7 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/docker-compose/federation/README.md b/docker-compose/federation/README.md
index 8ea7b363..a4a69317 100644
--- a/docker-compose/federation/README.md
+++ b/docker-compose/federation/README.md
@@ -16,8 +16,8 @@ In this tutorial you will learn how to: The baseline components for SPIFFE federation are: -* Two SPIRE Server instances running version 1.5.1. -* Two SPIRE Agents running version 1.5.1. One connected to one SPIRE Server, and the second connected to the other SPIRE Server. +* Two SPIRE Server instances running version 1.11.2. +* Two SPIRE Agents running version 1.11.2. One connected to one SPIRE Server, and the second connected to the other SPIRE Server. * Two workloads that need to communicate each other via mTLS, and use the Workload API to get SVIDs and trust bundles. # Scenario
diff --git a/docker-compose/federation/docker/spire-server-broker.example/Dockerfile b/docker-compose/federation/docker/spire-server-broker.example/Dockerfile
index 05cd74e1..85541398 100644
--- a/docker-compose/federation/docker/spire-server-broker.example/Dockerfile
+++ b/docker-compose/federation/docker/spire-server-broker.example/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/spiffe/spire-server:1.5.1
+FROM ghcr.io/spiffe/spire-server:1.11.2
 # Override spire configurations
 COPY conf/server.conf /opt/spire/conf/server/server.conf
diff --git a/docker-compose/federation/docker/spire-server-stockmarket.example/Dockerfile b/docker-compose/federation/docker/spire-server-stockmarket.example/Dockerfile
index c6c4250e..bbaf606b 100644
--- a/docker-compose/federation/docker/spire-server-stockmarket.example/Dockerfile
+++ b/docker-compose/federation/docker/spire-server-stockmarket.example/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/spiffe/spire-server:1.5.1
+FROM ghcr.io/spiffe/spire-server:1.11.2
 # Override spire configurations
 COPY conf/server.conf /opt/spire/conf/server/server.conf
diff --git a/docker-compose/metrics/docker-compose.yaml b/docker-compose/metrics/docker-compose.yaml
index 785e952b..df6417f2 100644
--- a/docker-compose/metrics/docker-compose.yaml
+++ b/docker-compose/metrics/docker-compose.yaml
@@ -17,13 +17,13 @@ services: ports: - "9090:9090" spire-server: - image: ghcr.io/spiffe/spire-server:1.5.1 + image: ghcr.io/spiffe/spire-server:1.11.2 hostname: spire-server volumes: - ./spire/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] spire-agent: - image: ghcr.io/spiffe/spire-agent:1.5.1 + image: ghcr.io/spiffe/spire-agent:1.11.2 depends_on: ["spire-server"] hostname: spire-agent volumes:
diff --git a/docker-compose/metrics/spire/agent/bootstrap.crt b/docker-compose/metrics/spire/agent/bootstrap.crt
index c946ddab..7c8af777 100644
--- a/docker-compose/metrics/spire/agent/bootstrap.crt
+++ b/docker-compose/metrics/spire/agent/bootstrap.crt
@@ -1,11 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIBjjCCATSgAwIBAgIBADAKBggqhkjOPQQDAjAeMQswCQYDVQQGEwJVUzEPMA0G -A1UEChMGU1BJRkZFMB4XDTIwMDkwOTEyMDAzMloXDTIwMDkxMDEyMDA0MlowHjEL -MAkGA1UEBhMCVVMxDzANBgNVBAoTBlNQSUZGRTBZMBMGByqGSM49AgEGCCqGSM49 -AwEHA0IABHMKPycervFjrBUtnp777XTMEFnrkyNwEPyJeW82ZWGK/a0MkJuXyVjR -E+1278Uw2+ibEhqu4t01K4H3e3pnHjijYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNV -HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQl2JvBH6ei193VzV6qx+LE/DCqtDAfBgNV -HREEGDAWhhRzcGlmZmU6Ly9leGFtcGxlLm9yZzAKBggqhkjOPQQDAgNIADBFAiEA -nJ3tKeedWyqBBNtzcI/jTFAOsEfNVkLeCcnuDifPzzMCIF6ghe9ToYUA1rXutGjc -hPo/+b7/LYeSHNcCGA1/VqRD +MIICADCCAaegAwIBAgIQWb1fwpq1CRgRMWgIPjUkZDAKBggqhkjOPQQDAjBQMQsw +CQYDVQQGEwJVUzEPMA0GA1UEChMGU1BJRkZFMTAwLgYDVQQFEycxMTkyODQ1Nzc5 +NzgxNzYwMTk4MTcyOTkzMzgxMjQ3NjIzNTg4ODQwHhcNMjUwMjI3MjE0ODUyWhcN +MjUwMjI4MjE0OTAyWjBQMQswCQYDVQQGEwJVUzEPMA0GA1UEChMGU1BJRkZFMTAw +LgYDVQQFEycxMTkyODQ1Nzc5NzgxNzYwMTk4MTcyOTkzMzgxMjQ3NjIzNTg4ODQw +WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/KNCfkxzU3697S+m7zv5KjiD24BXW +shqDlv/87hPBXg3rcYMI0bKl5JYQEzfG1no9nm+zESsJBRG/G9tOR7rvo2MwYTAO +BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU6P1ZcANp +jpC1nQ+73YfelEbZYoEwHwYDVR0RBBgwFoYUc3BpZmZlOi8vZXhhbXBsZS5vcmcw +CgYIKoZIzj0EAwIDRwAwRAIgcWulpz7Sju1wQ6O821WwXajecMSR0k1Mog8iAyDL +oZsCIFT7nYK+/F3BBeOndbsrSPGd2jrlDknQrPFHsZB9sJoY -----END CERTIFICATE----- diff --git a/docker-compose/nested-spire/README.md b/docker-compose/nested-spire/README.md index 270bdbf5..86b67851 100644 --- a/docker-compose/nested-spire/README.md +++ b/docker-compose/nested-spire/README.md @@ -48,7 +48,7 @@ We define all the services for the tutorial in the [docker-compose.yaml](docker- services: # Root root-server: - image: ghcr.io/spiffe/spire-server:1.5.1 + image: ghcr.io/spiffe/spire-server:1.11.2 hostname: root-server volumes: - ./root/server:/opt/spire/conf/server 
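Review bot: The replacement bootstrap.crt decodes to a CA certificate whose validity runs from 2025-02-27T21:48:52Z to 2025-02-28T21:49:02Z, a one-day window, so as a committed trust bundle it was already expired the day after this commit; the certificate it replaces had the same one-day shape. That looks like a file the tutorial scripts regenerate at runtime that was swept into a version-bump commit by accident — if so, leave it out of the commit or list it in .gitignore, and if it is meant to be checked in, the metrics README should say how it is produced and that it must be refreshed after each server start. Whether the metrics scripts actually regenerate it cannot be confirmed from this series.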
@@ -56,7 +56,7 @@ We define all the services for the tutorial in the [docker-compose.yaml](docker- root-agent: # Share the host pid namespace so this agent can attest the nested servers pid: "host" - image: ghcr.io/spiffe/spire-agent:1.5.1 + image: ghcr.io/spiffe/spire-agent:1.11.2 depends_on: ["root-server"] hostname: root-agent volumes:
@@ -91,7 +91,7 @@ The Docker Compose definition for the `nestedA-server` service in the [docker-co nestedA-server: # Share the host pid namespace so this server can be attested by the root agent pid: "host" - image: ghcr.io/spiffe/spire-server:1.5.1 + image: ghcr.io/spiffe/spire-server:1.11.2 hostname: nestedA-server labels: # label to attest nestedA-server against root-agent
diff --git a/docker-compose/nested-spire/docker-compose.yaml b/docker-compose/nested-spire/docker-compose.yaml
index d7e91da4..f8b79581 100644
--- a/docker-compose/nested-spire/docker-compose.yaml
+++ b/docker-compose/nested-spire/docker-compose.yaml
@@ -1,7 +1,7 @@ services: # Root root-server: - image: ghcr.io/spiffe/spire-server:1.5.1 + image: ghcr.io/spiffe/spire-server:1.11.2 hostname: root-server volumes: - ./root/server:/opt/spire/conf/server
@@ -9,7 +9,7 @@ services: root-agent: # Share the host pid namespace so this agent can attest the nested servers pid: "host" - image: ghcr.io/spiffe/spire-agent:1.5.1 + image: ghcr.io/spiffe/spire-agent:1.11.2 depends_on: ["root-server"] hostname: root-agent volumes:
@@ -22,7 +22,7 @@ services: nestedA-server: # Share the host pid namespace so this server can be attested by the root agent pid: "host" - image: ghcr.io/spiffe/spire-server:1.5.1 + image: ghcr.io/spiffe/spire-server:1.11.2 hostname: nestedA-server labels: # label to attest server against root-agent
@@ -34,7 +34,7 @@ services: - ./nestedA/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] nestedA-agent: - image: ghcr.io/spiffe/spire-agent:1.5.1 + image: ghcr.io/spiffe/spire-agent:1.11.2 hostname: nestedA-agent depends_on: ["nestedA-server"] volumes:
@@ -44,7 +44,7 @@ services: nestedB-server: # Share the host pid namespace so this server can be attested by the root agent pid: "host" - image: ghcr.io/spiffe/spire-server:1.5.1 + image: ghcr.io/spiffe/spire-server:1.11.2 hostname: nestedB-server depends_on: ["root-server","root-agent"] labels:
@@ -56,7 +56,7 @@ services: - ./nestedB/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] nestedB-agent: - image: ghcr.io/spiffe/spire-agent:1.5.1 + image: ghcr.io/spiffe/spire-agent:1.11.2 hostname: nestedB-agent depends_on: ["nestedB-server"] volumes:
From d7c173101a615f4ae99477c2f3287aa00fa2447d Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Thu, 27 Feb 2025 22:10:11 +0000
Subject: [PATCH 09/13] trim whitespace from jwt-svid
Signed-off-by: Sorin Dumitru
---
docker-compose/nested-spire/test.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose/nested-spire/test.sh b/docker-compose/nested-spire/test.sh
index e41ae1c9..c713eb2f 100755
--- a/docker-compose/nested-spire/test.sh
+++ b/docker-compose/nested-spire/test.sh
@@ -38,7 +38,7 @@ bash "${DIR}"/scripts/create-workload-registration-entries.sh log "checking nested JWT-SVID..." # Fetch JWT-SVID and extract token token=$(docker compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedA-agent \ - /opt/spire/bin/spire-agent api fetch jwt -audience testIt -socketPath /opt/spire/sockets/workload_api.sock | sed -n '2p') || fail "JWT-SVID check failed" + /opt/spire/bin/spire-agent api fetch jwt -audience testIt -socketPath /opt/spire/sockets/workload_api.sock | sed -n '2p' | tr -d '\t') || fail "JWT-SVID check failed" # Validate token validation_result=$(docker compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedB-agent \
From 5e9fd095f9e95e0f57221b1da3917335311a7ed5 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Fri, 28 Feb 2025 06:16:18 +0000
Subject: [PATCH 10/13] Update workflow base image and go version
Signed-off-by: Sorin Dumitru
---
.github/workflows/pr_build.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index eb29b438..6db39275 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -6,12 +6,12 @@ on: pull_request: {} workflow_dispatch: {} env: - GO_VERSION: 1.19.4 + GO_VERSION: 1.24.0 CHANGE_MINIKUBE_NONE_USER: true TERM: xterm jobs: test-all: - runs-on: ubuntu-20.04 + runs-on: ubuntu-24.04 timeout-minutes: 30 steps: - name: Checkout
From 56a8f0c71ce2f3678a83c53342a3e492d39a0665 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Fri, 28 Feb 2025 06:34:08 +0000
Subject: [PATCH 11/13] Remove cgroup matching, it's no longer needed
Signed-off-by: Sorin Dumitru
---
docker-compose/nested-spire/root/agent/agent.conf | 2 --
docker-compose/nested-spire/scripts/set-env.sh | 10 ----------
2 files changed, 12 deletions(-)
diff --git a/docker-compose/nested-spire/root/agent/agent.conf b/docker-compose/nested-spire/root/agent/agent.conf
index 6384eea4..011d9d51 100644
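Review bot: `tr -d '\t'` only strips tabs, so the fix hangs on the exact indentation `spire-agent api fetch jwt` uses on its second output line; a JWT never contains whitespace, so `| sed -n '2p' | tr -d '[:space:]'` removes that dependency without changing anything else. Separately, the `|| fail "JWT-SVID check failed"` only sees the status of the last command in the pipeline, so a failing `docker compose exec` is masked and `token` is silently empty unless the script sets `set -o pipefail`, which is not visible from this hunk. The `validation_result=$(...)` assignment at the bottom continues outside the hunk.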
--- a/docker-compose/nested-spire/root/agent/agent.conf
+++ b/docker-compose/nested-spire/root/agent/agent.conf
@@ -22,8 +22,6 @@ plugins { } WorkloadAttestor "docker" { plugin_data { - # GitHub worklow activate groups for testing - #container_id_cgroup_matchers = [CGROUP_MATCHERS] } } }
diff --git a/docker-compose/nested-spire/scripts/set-env.sh b/docker-compose/nested-spire/scripts/set-env.sh
index 23f7fbaa..54bd5304 100755
--- a/docker-compose/nested-spire/scripts/set-env.sh
+++ b/docker-compose/nested-spire/scripts/set-env.sh
@@ -47,16 +47,6 @@ check-entry-is-propagated() { exit 1 } - -# Configure the environment-dependent CGROUP matchers for the docker workload -# attestors. -CGROUP_MATCHERS="" -if [ -n "${GITHUB_WORKFLOW}" ]; then - CGROUP_MATCHERS='"/actions_job/"' -fi -sed -i.bak "s#\#container_id_cgroup_matchers#container_id_cgroup_matchers#" "${PARENT_DIR}"/root/agent/agent.conf -sed -i.bak "s#CGROUP_MATCHERS#$CGROUP_MATCHERS#" "${PARENT_DIR}"/root/agent/agent.conf - # create a shared folder for root agent socket to be accessed by nestedA and nestedB servers mkdir -p "${PARENT_DIR}"/sharedRootSocket
From f91e881312670ca7ff7ec4a2ddd6b0336ba62d6b Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Fri, 28 Feb 2025 07:45:32 +0000
Subject: [PATCH 12/13] Wait for the servers to be ready
Signed-off-by: Sorin Dumitru
---
.../nested-spire/scripts/set-env.sh | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/docker-compose/nested-spire/scripts/set-env.sh b/docker-compose/nested-spire/scripts/set-env.sh
index 54bd5304..22409ff0 100755
--- a/docker-compose/nested-spire/scripts/set-env.sh
+++ b/docker-compose/nested-spire/scripts/set-env.sh
@@ -47,6 +47,22 @@ check-entry-is-propagated() {
 exit 1
 }
+check-server-is-ready() {
+ # Check at most 30 times that the agent has successfully synced down the workload entry.
+ # Wait one second between checks.
+ log "Checking server is ready..."
+ for ((i=1;i<=30;i++)); do
+ if docker compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "Starting Server APIs"; then
+ log "${green}Server is ready.${nn}"
+ return 0
+ fi
+ sleep 1
+ done
+
+ log "${red}timed out waiting for the entry to be progagated to the agent${norm}"
+ exit 1
+}
+
 # create a shared folder for root agent socket to be accessed by nestedA and nestedB servers
 mkdir -p "${PARENT_DIR}"/sharedRootSocket
@@ -93,6 +109,8 @@ setup "${PARENT_DIR}"/nestedA/server "${PARENT_DIR}"/nestedA/agent
 log "Starting nestedA-server.."
 docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedA-server
+check-server-is-ready nestedA-server
+
 log "bootstrapping nestedA agent..."
 docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedA-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedA/agent/bootstrap.crt
@@ -107,6 +125,8 @@ setup "${PARENT_DIR}"/nestedB/server "${PARENT_DIR}"/nestedB/agent
 log "Starting nestedB-server.."
 docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedB-server
+check-server-is-ready nestedA-server
+
 log "bootstrapping nestedB agent..."
 docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedB-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedB/agent/bootstrap.crt
From 0cac69a218e29f15fdade67981a526d92524f4d3 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Sun, 9 Mar 2025 10:12:17 +0000
Subject: [PATCH 13/13] Wait for the right server
Signed-off-by: Sorin Dumitru
---
docker-compose/nested-spire/scripts/set-env.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
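Review bot: Both comment lines and the timeout message in the new `check-server-is-ready` are copied from `check-entry-is-propagated` and describe the wrong condition ("the agent has successfully synced down the workload entry", "timed out waiting for the entry to be progagated to the agent"), while the function actually polls a server's compose logs for `Starting Server APIs`; the success line also ends in `${nn}`, which looks like a typo for the `${norm}` reset used on the timeout line, so if `nn` is unset the green colour is never reset. The service name `$1` is unquoted on the `docker compose ... logs $1` line, and binding it to a `local` first lets the log lines name which server was waited for, which matters since the function is called twice in a row. The mismatched `nestedA-server` argument at the second call site is corrected by the next patch in this series, so it is not re-raised here. Keeping `exit 1` inside the helper mirrors `check-entry-is-propagated`, so that is consistent with the file.
```shell
check-server-is-ready() {
  # Poll the logs of the given compose service at most 30 times, one second
  # apart, until spire-server reports that its APIs are up.
  local service=$1
  log "Checking ${service} is ready..."
  for ((i=1;i<=30;i++)); do
    if docker compose -f "${PARENT_DIR}"/docker-compose.yaml logs "${service}" | grep -qe "Starting Server APIs"; then
      log "${green}${service} is ready.${norm}"
      # … unchanged: return 0; fi; sleep 1; done …
  log "${red}timed out waiting for ${service} to start its APIs${norm}"
  exit 1
}
```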
diff --git a/docker-compose/nested-spire/scripts/set-env.sh b/docker-compose/nested-spire/scripts/set-env.sh
index 22409ff0..1448a13a 100755
--- a/docker-compose/nested-spire/scripts/set-env.sh
+++ b/docker-compose/nested-spire/scripts/set-env.sh
@@ -125,7 +125,7 @@ setup "${PARENT_DIR}"/nestedB/server "${PARENT_DIR}"/nestedB/agent log "Starting nestedB-server.." docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedB-server -check-server-is-ready nestedA-server +check-server-is-ready nestedB-server log "bootstrapping nestedB agent..." docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedB-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedB/agent/bootstrap.crt