Support federation bundle endpoint profile http_web certificates (#469)
* Support federation bundle endpoint profile http_web certificates

Signed-off-by: Kevin Fox <[email protected]>

* Fix var

Signed-off-by: Kevin Fox <[email protected]>

* Fix key

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

---------

Signed-off-by: Kevin Fox <[email protected]>
kfox1111 authored Oct 10, 2024
1 parent cecf51c commit fcbd64e
Showing 8 changed files with 49 additions and 37 deletions.
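--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -163,7 +163,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `federation.enabled` | Flag to enable federation | `false` |
 | `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` |
 | `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` |
-| `federation.bundleEndpoint.refresh_hint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` |
+| `federation.bundleEndpoint.refreshHint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` |
+| `federation.bundleEndpoint.profile.httpWeb.fileSyncInterval` | Interval on which to reload the certificate/key from disk | `1h` |
 | `federation.tls.spire.enabled` | Use spire to secure the federation bundle endpoint | `true` |
 | `federation.tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` |
 | `federation.tls.externalSecret.secretName` | Specify which Secret to use | `""` |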
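--- a/charts/spire/charts/spire-server/templates/_helpers.tpl
+++ b/charts/spire/charts/spire-server/templates/_helpers.tpl
@@ -298,7 +298,7 @@ The code below determines what connection type should be used.
 {{- end }}
 {{- $args = append $args (printf "https://%s/" $host) }}
 {{- else }}
-{{- $args = append $args (printf "http://%s/" $host) }}
+{{- $args = append $args (printf "-k -L http://%s/" $host) }}
 {{- end }}
 {{ $args | toYaml }}
 {{- end -}}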
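Review bot: The `-k` added to the plain-http branch disables certificate verification for whatever `-L` redirects to, so once the ingress forces an https redirect this check accepts any certificate, including a mis-issued one, while the https branch a few lines up presumably still verifies. If the redirect lands on the chart's own test certificate, point at the test CA rather than turning verification off, e.g. `printf "-L --cacert <path-to-test-ca> http://%s/" $host`, and keep `-k` only as an explicit opt-in when no custom CA is configured. I am inferring the consumer is curl from the flags; the enclosing define starts outside the hunk.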
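--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -38,9 +38,6 @@
 {{- if and (eq (.Values.keyManager.awsKMS.keyIdentifierFile.enabled | toString) "true") (eq (.Values.keyManager.awsKMS.keyIdentifierValue.enabled | toString ) "true") }}
 {{- fail "You can only enable one of keyIdentifierFile or keyIdentifierValue at a time" }}
 {{- end }}
-{{- if hasKey .Values.federation.bundleEndpoint "profile" }}
-{{- fail "Configuring the federation bundle endpoint profile directly isn't supported. You can specify the settings via federation.tls" }}
-{{- end }}
 {{- define "spire-server.yaml-config" -}}
 {{- $upstreamAuthorityUsed := 0 }}
 {{- $keyManagerUsed := 0 }}
@@ -69,12 +66,24 @@ server:
 organization: [{{ include "spire-server.ca-subject-organization" . | quote }}]
 common_name: {{ include "spire-server.ca-subject-common-name" . | quote }}
 
-{{- with .Values.federation }}
-{{- if eq (.enabled | toString) "true" }}
+{{- if eq (.Values.federation.enabled | toString) "true" }}
 federation:
 bundle_endpoint:
-- {{ .bundleEndpoint | toYaml | nindent 8 }}
-{{- end }}
+address: {{ .Values.federation.bundleEndpoint.address | quote }}
+port: {{ .Values.federation.bundleEndpoint.port }}
+refresh_hint: {{ .Values.federation.bundleEndpoint.refreshHint | quote }}
+profile:
+{{- if .Values.federation.tls.spire.enabled }}
+- https_spiffe: {}
+{{ else }}
+- https_web:
+serving_cert_file:
+file_sync_interval: {{ .Values.federation.bundleEndpoint.profile.httpWeb.fileSyncInterval }}
+{{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}
+cert_file_path: /bundle-endpoint-tls/tls.crt
+key_file_path: /bundle-endpoint-tls/tls.key
+{{- end }}
+{{- end }}
 {{- end }}
 
 {{- with .Values.experimental }}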
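Review bot: When `federation.tls.spire.enabled` is false and neither `certManager` nor `externalSecret` is enabled, the `https_web` branch renders a `serving_cert_file` block with only `file_sync_interval` and no `cert_file_path`/`key_file_path`, and the `fail` guard that previously rejected unsupported profile configuration is removed in the first hunk, so the misconfiguration now surfaces only when SPIRE starts rather than at `helm template`. Add a guard beside the remaining ones: `{{- if and (not .Values.federation.tls.spire.enabled) (not (or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled)) }}` / `{{- fail "federation.tls.spire.enabled=false requires federation.tls.certManager or federation.tls.externalSecret to be enabled" }}` / `{{- end }}`. As a style point, `{{- if .Values.federation.tls.spire.enabled }}` and the untrimmed `{{ else }}` depart from the `eq (... | toString) "true"` and `{{- ` conventions on the surrounding lines, and the untrimmed `{{ else }}` leaves a blank line in the rendered config.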
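--- a/charts/spire/charts/spire-server/templates/federation-ingress.yaml
+++ b/charts/spire/charts/spire-server/templates/federation-ingress.yaml
@@ -4,33 +4,18 @@
 {{- $path := "/"}}
 {{- $pathType := "Prefix" }}
 {{- $tlsSection := true }}
-{{/* Until https://github.com/spiffe/spire/issues/2202 is resolved, use ingress to implement cert-manager and externalSecret support. */}}
-{{- $federationIngress := deepCopy .Values.federation.ingress }}
-{{- if .Values.federation.tls.certManager.enabled }}
-{{- $secret := printf "%s-federation-cert" $svcName }}
-{{- $_ := set $federationIngress "tlsSecret" $secret }}
-{{- end }}
-{{- if .Values.federation.tls.externalSecret.enabled }}
-{{- $_ := set $federationIngress "tlsSecret" .Values.federation.tls.externalSecret.secretName }}
-{{- end }}
 {{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.federation.ingress) }}
 {{- $annotations := deepCopy .Values.federation.ingress.annotations }}
 {{- if eq $ingressControllerType "ingress-nginx" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
-{{- if not .Values.federation.ingress.tlsSecret }}
-{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
-{{- end }}
+{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
 {{- else if eq $ingressControllerType "openshift" }}
-{{- if $federationIngress.tlsSecret }}
-{{- $_ := set $annotations "route.openshift.io/termination" "reencrypt" }}
-{{- else }}
-{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
 {{- $path = "" }}
 {{- $pathType = "ImplementationSpecific" }}
 {{- $tlsSection = false }}
-{{- end }}
 {{- end }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -44,6 +29,6 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
-{{ include "spire-lib.ingress-spec" (dict "ingress" $federationIngress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
+{{ include "spire-lib.ingress-spec" (dict "ingress" .Values.federation.ingress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
 {{- end }}
 {{- end }}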
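Review bot: `federation.ingress.tlsSecret` is still handed to `spire-lib.ingress-spec` on the last changed line, but ssl-passthrough and `termination: passthrough` are now set unconditionally, so a user who still sets that value (the pre-change way to supply a certificate, as the integration-test rename in this commit shows) gets an ingress TLS section naming a secret that no longer terminates the connection, with no error. Reject the stale key explicitly: `{{- if .Values.federation.ingress.tlsSecret }}` / `{{- fail "federation.ingress.tlsSecret is no longer used for the bundle endpoint; set federation.tls.externalSecret instead" }}` / `{{- end }}`. Whether the nginx controller ignores the `tls:` block entirely under passthrough is controller behavior not visible here, but the secret certainly no longer protects the endpoint.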
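--- a/charts/spire/charts/spire-server/templates/server-resource.yaml
+++ b/charts/spire/charts/spire-server/templates/server-resource.yaml
@@ -315,6 +315,10 @@ spec:
 mountPath: /tmp-direct-hashes
 {{- end }}
 {{- end }}
+{{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}
+- name: bundle-endpoint-tls
+mountPath: /bundle-endpoint-tls
+{{- end }}
 {{- if eq (.Values.upstreamAuthority.disk.enabled | toString) "true" }}
 - name: upstream-ca
 mountPath: /run/spire/upstream_ca
@@ -450,6 +454,16 @@ spec:
 name: {{ include "spire-server.fullname" . }}-tpm-direct-hash
 {{- end }}
 {{- end }}
+{{- if .Values.federation.tls.certManager.enabled }}
+- name: bundle-endpoint-tls
+secret:
+secretName: {{ printf "%s-federation-cert" (include "spire-server.fullname" .) }}
+{{- end }}
+{{- if .Values.federation.tls.externalSecret.enabled }}
+- name: bundle-endpoint-tls
+secret:
+secretName: {{ .Values.federation.tls.externalSecret.secretName }}
+{{- end }}
 {{- if or (eq (include "spire-tornjak.connectionType" .) "tls") (eq (include "spire-tornjak.connectionType" .) "mtls") }}
 - name: server-cert
 secret: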
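Review bot: Both new volume stanzas in the second hunk use the name `bundle-endpoint-tls`, so enabling `federation.tls.certManager` and `federation.tls.externalSecret` together renders two volumes with the same name, which the API server rejects as a duplicate, and the single mount path silently assumes one source. Guard it where the chart already rejects mutually exclusive options (the keyIdentifierFile/keyIdentifierValue check in configmap.yaml): `{{- if and .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}` / `{{- fail "You can only enable one of federation.tls.certManager or federation.tls.externalSecret at a time" }}` / `{{- end }}`. The mount added in the first hunk carries no `readOnly: true`; the neighbouring mounts are not visible here, but a key-material mount is the natural place for it.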
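--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -248,8 +248,12 @@ federation:
 port: 8443
 ## @param federation.bundleEndpoint.address Address for trust bundle federation
 address: "0.0.0.0"
-## @param federation.bundleEndpoint.refresh_hint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server.
-refresh_hint: "5m"
+## @param federation.bundleEndpoint.refreshHint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server.
+refreshHint: "5m"
+profile:
+httpWeb:
+## @param federation.bundleEndpoint.profile.httpWeb.fileSyncInterval Interval on which to reload the certificate/key from disk
+fileSyncInterval: 1h
 
 tls:
 spire: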
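Review bot: Renaming `refresh_hint` to `refreshHint` silently drops existing user overrides: a values file still setting `federation.bundleEndpoint.refresh_hint` no longer matches anything and the template renders the `5m` default without complaint, which matters because the README ties this value to CA TTL for key-rotation safety. The `hasKey` guard this commit removes from configmap.yaml is the right pattern for the old key: `{{- if hasKey .Values.federation.bundleEndpoint "refresh_hint" }}` / `{{- fail "federation.bundleEndpoint.refresh_hint was renamed to federation.bundleEndpoint.refreshHint" }}` / `{{- end }}`. A `## @param` line for `federation.bundleEndpoint.profile` itself would also help readers of the generated README.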
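--- a/tests/integration/production/run-tests.sh
+++ b/tests/integration/production/run-tests.sh
@@ -129,7 +129,7 @@ install_and_test() {
 --values /tmp/dummydns \
 --set spiffe-oidc-discovery-provider.tests.tls.customCA=tls-cert,spire-server.tests.tls.customCA=tls-cert \
 --set spire-agent.server.address=spire-server.production.other,spire-agent.server.port=443 \
---set spire-server.federation.ingress.tlsSecret=tls-cert,spiffe-oidc-discovery-provider.ingress.tlsSecret=tls-cert \
+--set spire-server.federation.tls.externalSecret.secretName=tls-cert,spiffe-oidc-discovery-provider.ingress.tlsSecret=tls-cert \
 --wait
 
 helm test --namespace "${ns}" spire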
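Review bot: The replacement `--set` supplies `federation.tls.externalSecret.secretName` but neither `federation.tls.externalSecret.enabled=true` nor `federation.tls.spire.enabled=false`; with the chart defaults (`spire.enabled: true`, `externalSecret.enabled: false`) the secret name is never read, the volume is not mounted and the bundle endpoint keeps the https_spiffe profile, so the test no longer exercises the `tls-cert` path it exercised before. Unless one of the `--values` files passed earlier in this function enables it, use `--set spire-server.federation.tls.spire.enabled=false,spire-server.federation.tls.externalSecret.enabled=true,spire-server.federation.tls.externalSecret.secretName=tls-cert,spiffe-oidc-discovery-provider.ingress.tlsSecret=tls-cert \`. The `install_and_test` function starts and ends outside the hunk.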
Expand Up @@ -4,10 +4,9 @@ spire-server:
enabled: true
federation:
enabled: true
ingress:
enabled: true
controllerType: ingress-nginx

# className: nginx

tlsSecret: spire-server-federation-tls
tls:
spire:
enabled: false
externalSecret:
enabled: true
secretName: spire-server-federation-tls
