Switch the quickstart tutorial to use k8s_psat

.github/workflows/pr_build.yml

@@ -6,12 +6,12 @@ on:
   pull_request: {}
   workflow_dispatch: {}
 env:
-  GO_VERSION: 1.19.4
+  GO_VERSION: 1.24.0
   CHANGE_MINIKUBE_NONE_USER: true
   TERM: xterm
 jobs:
   test-all:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     steps: 
       - name: Checkout

docker-compose/federation/README.md

@@ -16,8 +16,8 @@ In this tutorial you will learn how to:
 
 The baseline components for SPIFFE federation are:
 
-* Two SPIRE Server instances running version 1.5.1.
-* Two SPIRE Agents running version 1.5.1. One connected to one SPIRE Server, and the second connected to the other SPIRE Server.
+* Two SPIRE Server instances running version 1.11.2.
+* Two SPIRE Agents running version 1.11.2. One connected to one SPIRE Server, and the second connected to the other SPIRE Server.
 * Two workloads that need to communicate each other via mTLS, and use the Workload API to get SVIDs and trust bundles.
 
 # Scenario

docker-compose/federation/docker/spire-server-broker.example/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/spiffe/spire-server:1.5.1
+FROM ghcr.io/spiffe/spire-server:1.11.2
 
 # Override spire configurations
 COPY conf/server.conf /opt/spire/conf/server/server.conf

docker-compose/federation/docker/spire-server-stockmarket.example/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/spiffe/spire-server:1.5.1
+FROM ghcr.io/spiffe/spire-server:1.11.2
 
 # Override spire configurations
 COPY conf/server.conf /opt/spire/conf/server/server.conf

docker-compose/metrics/docker-compose.yaml

@@ -17,13 +17,13 @@ services:
     ports:
       - "9090:9090"
   spire-server:
-    image: ghcr.io/spiffe/spire-server:1.5.1
+    image: ghcr.io/spiffe/spire-server:1.11.2
     hostname: spire-server
     volumes:
         - ./spire/server:/opt/spire/conf/server
     command: ["-config", "/opt/spire/conf/server/server.conf"]
   spire-agent:
-    image: ghcr.io/spiffe/spire-agent:1.5.1
+    image: ghcr.io/spiffe/spire-agent:1.11.2
     depends_on: ["spire-server"]
     hostname: spire-agent
     volumes:

docker-compose/metrics/spire/agent/bootstrap.crt

@@ -1,11 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIBjjCCATSgAwIBAgIBADAKBggqhkjOPQQDAjAeMQswCQYDVQQGEwJVUzEPMA0G
-A1UEChMGU1BJRkZFMB4XDTIwMDkwOTEyMDAzMloXDTIwMDkxMDEyMDA0MlowHjEL
-MAkGA1UEBhMCVVMxDzANBgNVBAoTBlNQSUZGRTBZMBMGByqGSM49AgEGCCqGSM49
-AwEHA0IABHMKPycervFjrBUtnp777XTMEFnrkyNwEPyJeW82ZWGK/a0MkJuXyVjR
-E+1278Uw2+ibEhqu4t01K4H3e3pnHjijYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQl2JvBH6ei193VzV6qx+LE/DCqtDAfBgNV
-HREEGDAWhhRzcGlmZmU6Ly9leGFtcGxlLm9yZzAKBggqhkjOPQQDAgNIADBFAiEA
-nJ3tKeedWyqBBNtzcI/jTFAOsEfNVkLeCcnuDifPzzMCIF6ghe9ToYUA1rXutGjc
-hPo/+b7/LYeSHNcCGA1/VqRD
+MIICADCCAaegAwIBAgIQWb1fwpq1CRgRMWgIPjUkZDAKBggqhkjOPQQDAjBQMQsw
+CQYDVQQGEwJVUzEPMA0GA1UEChMGU1BJRkZFMTAwLgYDVQQFEycxMTkyODQ1Nzc5
+NzgxNzYwMTk4MTcyOTkzMzgxMjQ3NjIzNTg4ODQwHhcNMjUwMjI3MjE0ODUyWhcN
+MjUwMjI4MjE0OTAyWjBQMQswCQYDVQQGEwJVUzEPMA0GA1UEChMGU1BJRkZFMTAw
+LgYDVQQFEycxMTkyODQ1Nzc5NzgxNzYwMTk4MTcyOTkzMzgxMjQ3NjIzNTg4ODQw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/KNCfkxzU3697S+m7zv5KjiD24BXW
+shqDlv/87hPBXg3rcYMI0bKl5JYQEzfG1no9nm+zESsJBRG/G9tOR7rvo2MwYTAO
+BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU6P1ZcANp
+jpC1nQ+73YfelEbZYoEwHwYDVR0RBBgwFoYUc3BpZmZlOi8vZXhhbXBsZS5vcmcw
+CgYIKoZIzj0EAwIDRwAwRAIgcWulpz7Sju1wQ6O821WwXajecMSR0k1Mog8iAyDL
+oZsCIFT7nYK+/F3BBeOndbsrSPGd2jrlDknQrPFHsZB9sJoY
 -----END CERTIFICATE-----

docker-compose/nested-spire/README.md

@@ -48,15 +48,15 @@ We define all the services for the tutorial in the [docker-compose.yaml](docker-
    services:
      # Root
      root-server:
-       image: ghcr.io/spiffe/spire-server:1.5.1
+       image: ghcr.io/spiffe/spire-server:1.11.2
        hostname: root-server
        volumes:
          - ./root/server:/opt/spire/conf/server
        command: ["-config", "/opt/spire/conf/server/server.conf"]
      root-agent:
        # Share the host pid namespace so this agent can attest the nested servers
        pid: "host"
-       image: ghcr.io/spiffe/spire-agent:1.5.1
+       image: ghcr.io/spiffe/spire-agent:1.11.2
        depends_on: ["root-server"]
        hostname: root-agent
        volumes:
@@ -91,7 +91,7 @@ The Docker Compose definition for the `nestedA-server` service in the [docker-co
    nestedA-server:
      # Share the host pid namespace so this server can be attested by the root agent
      pid: "host"
-     image: ghcr.io/spiffe/spire-server:1.5.1
+     image: ghcr.io/spiffe/spire-server:1.11.2
      hostname: nestedA-server
      labels:
        # label to attest nestedA-server against root-agent

docker-compose/nested-spire/docker-compose.yaml

@@ -1,15 +1,15 @@
 services:
   # Root
   root-server:
-    image: ghcr.io/spiffe/spire-server:1.5.1
+    image: ghcr.io/spiffe/spire-server:1.11.2
     hostname: root-server
     volumes:
       - ./root/server:/opt/spire/conf/server
     command: ["-config", "/opt/spire/conf/server/server.conf"]
   root-agent:
     # Share the host pid namespace so this agent can attest the nested servers
     pid: "host"
-    image: ghcr.io/spiffe/spire-agent:1.5.1
+    image: ghcr.io/spiffe/spire-agent:1.11.2
     depends_on: ["root-server"]
     hostname: root-agent
     volumes:
@@ -22,7 +22,7 @@ services:
   nestedA-server:
     # Share the host pid namespace so this server can be attested by the root agent
     pid: "host"
-    image: ghcr.io/spiffe/spire-server:1.5.1
+    image: ghcr.io/spiffe/spire-server:1.11.2
     hostname: nestedA-server
     labels:
       # label to attest server against root-agent
@@ -34,7 +34,7 @@ services:
       - ./nestedA/server:/opt/spire/conf/server
     command: ["-config", "/opt/spire/conf/server/server.conf"]
   nestedA-agent:
-    image: ghcr.io/spiffe/spire-agent:1.5.1
+    image: ghcr.io/spiffe/spire-agent:1.11.2
     hostname: nestedA-agent
     depends_on: ["nestedA-server"]
     volumes:
@@ -44,7 +44,7 @@ services:
   nestedB-server:
     # Share the host pid namespace so this server can be attested by the root agent
     pid: "host"
-    image: ghcr.io/spiffe/spire-server:1.5.1
+    image: ghcr.io/spiffe/spire-server:1.11.2
     hostname: nestedB-server
     depends_on: ["root-server","root-agent"]
     labels:
@@ -56,7 +56,7 @@ services:
       - ./nestedB/server:/opt/spire/conf/server
     command: ["-config", "/opt/spire/conf/server/server.conf"]
   nestedB-agent:
-    image: ghcr.io/spiffe/spire-agent:1.5.1
+    image: ghcr.io/spiffe/spire-agent:1.11.2
     hostname: nestedB-agent
     depends_on: ["nestedB-server"]
     volumes:

docker-compose/nested-spire/root/agent/agent.conf

@@ -22,8 +22,6 @@ plugins {
     }
     WorkloadAttestor "docker" {
         plugin_data {
-	    # GitHub worklow activate groups for testing
-	    #container_id_cgroup_matchers = [CGROUP_MATCHERS]
         }
     }
 }

docker-compose/nested-spire/scripts/set-env.sh

@@ -47,15 +47,21 @@ check-entry-is-propagated() {
   exit 1
 }
 
+check-server-is-ready() {
+  # Check at most 30 times that the agent has successfully synced down the workload entry.
+  # Wait one second between checks.
+  log "Checking server is ready..."
+  for ((i=1;i<=30;i++)); do
+      if docker compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "Starting Server APIs"; then
+          log "${green}Server is ready.${nn}"
+          return 0
+      fi
+      sleep 1
+  done
 
-# Configure the environment-dependent CGROUP matchers for the docker workload
-# attestors.
-CGROUP_MATCHERS=""
-if [ -n "${GITHUB_WORKFLOW}" ]; then
-    CGROUP_MATCHERS='"/actions_job/<id>"'
-fi
-sed -i.bak "s#\#container_id_cgroup_matchers#container_id_cgroup_matchers#" "${PARENT_DIR}"/root/agent/agent.conf
-sed -i.bak "s#CGROUP_MATCHERS#$CGROUP_MATCHERS#" "${PARENT_DIR}"/root/agent/agent.conf
+  log "${red}timed out waiting for the entry to be progagated to the agent${norm}"
+  exit 1
+}
 
 # create a shared folder for root agent socket to be accessed by nestedA and nestedB servers
 mkdir -p "${PARENT_DIR}"/sharedRootSocket
@@ -103,6 +109,8 @@ setup "${PARENT_DIR}"/nestedA/server "${PARENT_DIR}"/nestedA/agent
 log "Starting nestedA-server.."
 docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedA-server
 
+check-server-is-ready nestedA-server
+
 log "bootstrapping nestedA agent..."
 docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedA-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedA/agent/bootstrap.crt
 
@@ -117,6 +125,8 @@ setup "${PARENT_DIR}"/nestedB/server "${PARENT_DIR}"/nestedB/agent
 log "Starting nestedB-server.."
 docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedB-server
 
+check-server-is-ready nestedB-server
+
 log "bootstrapping nestedB agent..."
 docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedB-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedB/agent/bootstrap.crt
 

docker-compose/nested-spire/test.sh

@@ -38,7 +38,7 @@ bash "${DIR}"/scripts/create-workload-registration-entries.sh
 log "checking nested JWT-SVID..."
 # Fetch JWT-SVID and extract token
 token=$(docker compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedA-agent \
-    /opt/spire/bin/spire-agent api fetch jwt -audience testIt -socketPath /opt/spire/sockets/workload_api.sock | sed -n '2p') || fail "JWT-SVID check failed"
+    /opt/spire/bin/spire-agent api fetch jwt -audience testIt -socketPath /opt/spire/sockets/workload_api.sock | sed -n '2p' | tr -d '\t') || fail "JWT-SVID check failed"
 
 # Validate token
 validation_result=$(docker compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedB-agent \

k8s/envoy-jwt-opa/scripts/set-env.sh

@@ -39,7 +39,7 @@ wait_for_envoy() {
     LOGLINE="all dependencies initialized. starting workers"
     LOGLINE2="membership update for TLS cluster backend added 1 removed 1"
     for ((i=0;i<30;i++)); do
-        if ! kubectl logs --tail=100 --selector=app=backend -c envoy | grep -qe "${LOGLINE}" ; then
+        if ! kubectl logs --tail=1000 --selector=app=backend -c envoy | grep -qe "${LOGLINE}" ; then
             sleep 5
             echo "Waiting until backend envoy instance is ready..."
             continue

k8s/envoy-jwt/scripts/set-env.sh

@@ -49,7 +49,7 @@ wait_for_envoy() {
     LOGLINE="all dependencies initialized. starting workers"
     LOGLINE2="DNS hosts have changed for backend-envoy"
     for ((i=0;i<30;i++)); do
-        if ! kubectl logs --tail=300 --selector=app=frontend -c envoy | grep -qe "${LOGLINE}" ; then
+        if ! kubectl logs --tail=1000 --selector=app=frontend -c envoy | grep -qe "${LOGLINE}" ; then
             sleep 5
             echo "Waiting until Envoy is ready..."
             continue

k8s/envoy-opa/scripts/set-env.sh

@@ -44,7 +44,7 @@ wait_for_envoy() {
             echo "Waiting until backend envoy instance is ready..."
             continue
         fi
-        if ! kubectl logs --tail=30 --selector=app=frontend -c envoy | grep -qe "${LOGLINE2}" ; then
+        if ! kubectl logs --tail=1000 --selector=app=frontend -c envoy | grep -qe "${LOGLINE2}" ; then
             sleep 5
             echo "Waiting until frontend envoy instance is in sync with the backend envoy..."
             continue

k8s/quickstart/agent-configmap.yaml

@@ -16,7 +16,7 @@ data:
     }
 
     plugins {
-      NodeAttestor "k8s_sat" {
+      NodeAttestor "k8s_psat" {
         plugin_data {
           # NOTE: Change this to your cluster name
           cluster = "demo-cluster"

k8s/quickstart/agent-daemonset.yaml

@@ -28,7 +28,7 @@ spec:
           args: ["-t", "30", "spire-server:8081"]
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.5.1
+          image: ghcr.io/spiffe/spire-agent:1.11.2
           args: ["-config", "/run/spire/config/agent.conf"]
           env:
           - name: MY_NODE_NAME
@@ -44,6 +44,8 @@ spec:
             - name: spire-agent-socket
               mountPath: /run/spire/sockets
               readOnly: false
+            - name: spire-token
+              mountPath: /var/run/secrets/tokens
           livenessProbe:
             httpGet:
               path: /live
@@ -69,3 +71,10 @@ spec:
           hostPath:
             path: /run/spire/sockets
             type: DirectoryOrCreate
+        - name: spire-token
+          projected:
+            sources:
+            - serviceAccountToken:
+                path: spire-agent
+                expirationSeconds: 7200
+                audience: spire-server

k8s/quickstart/create-node-registration-entry.sh

@@ -11,6 +11,6 @@ kubectl exec -n spire spire-server-0 -- \
     /opt/spire/bin/spire-server entry create \
     -node  \
     -spiffeID spiffe://example.org/ns/spire/sa/spire-agent \
-    -selector k8s_sat:cluster:demo-cluster \
-    -selector k8s_sat:agent_ns:spire \
-    -selector k8s_sat:agent_sa:spire-agent
+    -selector k8s_psat:cluster:demo-cluster \
+    -selector k8s_psat:agent_ns:spire \
+    -selector k8s_psat:agent_sa:spire-agent

k8s/quickstart/server-cluster-role.yaml

@@ -24,12 +24,15 @@ roleRef:
   kind: Role
   name: spire-server-configmap-role
 ---
-# ClusterRole to allow spire-server node attestor to query Token Review API
+# ClusterRole to allow spire-server node attestor to read pods and nodes, and query Token Review API
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: spire-server-trust-role
 rules:
+- apiGroups: [""]
+  resources: ["pods", "nodes"]
+  verbs: ["get"]
 - apiGroups: ["authentication.k8s.io"]
   resources: ["tokenreviews"]
   verbs: ["create"]
@@ -46,4 +49,4 @@ subjects:
 roleRef:
   kind: ClusterRole
   name: spire-server-trust-role
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

k8s/quickstart/server-configmap.yaml

@@ -30,12 +30,11 @@ data:
         }
       }
 
-      NodeAttestor "k8s_sat" {
+      NodeAttestor "k8s_psat" {
         plugin_data {
           clusters = {
             # NOTE: Change this to your cluster name
             "demo-cluster" = {
-              use_token_review_api_validation = true
               service_account_allow_list = ["spire:spire-agent"]
             }
           }

k8s/quickstart/server-statefulset.yaml

@@ -20,7 +20,7 @@ spec:
       serviceAccountName: spire-server
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.5.1
+          image: ghcr.io/spiffe/spire-server:1.11.2
           args:
             - -config
             - /run/spire/config/server.conf

k8s/quickstart/test.sh

@@ -24,7 +24,7 @@ start_minikube() {
 	if [ -z "${GITHUB_WORKFLOW}" ]; then
 		echo "${bold}Starting minikube... ${norm}"
 		${MINIKUBECMD} start
-		eval $(${MINIKUBECMD} docker-env)
+		eval $(${MINIKUBECMD} docker-env --shell=bash)
 	fi
 }
 
@@ -115,7 +115,7 @@ check_for_node_attestation() {
 		sleep ${CHECKINTERVAL}
 		echo -n "${bold}Checking for node attestation... ${norm}"
 		kubectl -n spire logs ${SPIRE_SERVER_POD_NAME} > ${SERVERLOGS} || true
-		if  grep -sxq -e ".*Agent attestation request completed.*k8s_sat.*" ${SERVERLOGS}; then
+		if  grep -sxq -e ".*Agent attestation request completed.*k8s_psat.*" ${SERVERLOGS}; then
 			echo "${green}ok${norm}."
 			return
 		fi