From fcbd64e011d50d9dcf03c3524ef5344d3ecc4304 Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Thu, 10 Oct 2024 12:03:54 -0700
Subject: [PATCH] Support federation bundle endpoint profile http_web certificates (#469)
* Support federation bundle endpoint profile http_web certificates
Signed-off-by: Kevin Fox
* Fix var
Signed-off-by: Kevin Fox
* Fix key
Signed-off-by: Kevin Fox
* Fix test
Signed-off-by: Kevin Fox
* Fix test
Signed-off-by: Kevin Fox
* Fix test
Signed-off-by: Kevin Fox
* Fix test
Signed-off-by: Kevin Fox
---------
Signed-off-by: Kevin Fox
---
 charts/spire/charts/spire-server/README.md | 3 ++-
 .../spire-server/templates/_helpers.tpl | 2 +-
 .../spire-server/templates/configmap.yaml | 23 +++++++++++++------
 .../templates/federation-ingress.yaml | 21 +++--------------
 .../templates/server-resource.yaml | 14 +++++++++++
 charts/spire/charts/spire-server/values.yaml | 8 +++++--
 tests/integration/production/run-tests.sh | 2 +-
 ...se-federation-https-web-ingress-nginx.yaml | 13 +++++------
 8 files changed, 49 insertions(+), 37 deletions(-)
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index 8c6806076..61c2931f9 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -163,7 +163,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `federation.enabled` | Flag to enable federation | `false` |
 | `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` |
 | `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` |
-| `federation.bundleEndpoint.refresh_hint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` |
+| `federation.bundleEndpoint.refreshHint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` |
+| `federation.bundleEndpoint.profile.httpWeb.fileSyncInterval` | Interval on which to reload the certificate/key from disk | `1h` |
 | `federation.tls.spire.enabled` | Use spire to secure the federation bundle endpoint | `true` |
 | `federation.tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` |
 | `federation.tls.externalSecret.secretName` | Specify which Secret to use | `""` |
diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl
index 7fb09cda4..388289079 100644
--- a/charts/spire/charts/spire-server/templates/_helpers.tpl
+++ b/charts/spire/charts/spire-server/templates/_helpers.tpl
@@ -298,7 +298,7 @@ The code below determines what connection type should be used.
 {{- end }}
 {{- $args = append $args (printf "https://%s/" $host) }}
 {{- else }}
-{{- $args = append $args (printf "http://%s/" $host) }}
+{{- $args = append $args (printf "-k -L http://%s/" $host) }}
 {{- end }}
 {{ $args | toYaml }}
 {{- end -}}
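Review bot: The new http branch appends `-k`, so the helm test now accepts any certificate on the HTTPS endpoint the redirect lands on; that means the test can no longer tell whether the ingress is presenting the externalSecret/cert-manager certificate configured through `federation.tls` or the controller's default one, which is exactly the property this change introduces. run-tests.sh already passes `spire-server.tests.tls.customCA=tls-cert`, so if that CA is wired into the test pod the redirect target can be verified with `--cacert` instead of `-k`; failing that, at least add `--proto-redir =https` so `-L` cannot follow a redirect back to plaintext. Separately, `"-k -L http://%s/"` is appended as a single list element; if `$args` is rendered straight into container `args:` rather than through a shell, curl receives the two flags and the URL as one argv entry, so they should be separate elements, e.g. `{{- $args = concat $args (list "-k" "-L" (printf "http://%s/" $host)) }}`. The named template this hunk belongs to begins above the hunk.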
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
index 5f2ed55fd..05eb8e30e 100644
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -38,9 +38,6 @@
 {{- if and (eq (.Values.keyManager.awsKMS.keyIdentifierFile.enabled | toString) "true") (eq (.Values.keyManager.awsKMS.keyIdentifierValue.enabled | toString ) "true") }}
 {{- fail "You can only enable one of keyIdentifierFile or keyIdentifierValue at a time" }}
 {{- end }}
-{{- if hasKey .Values.federation.bundleEndpoint "profile" }}
-{{- fail "Configuring the federation bundle endpoint profile directly isn't supported. You can specify the settings via federation.tls" }}
-{{- end }}
 {{- define "spire-server.yaml-config" -}}
 {{- $upstreamAuthorityUsed := 0 }}
 {{- $keyManagerUsed := 0 }}
@@ -69,12 +66,24 @@ server:
 organization: [{{ include "spire-server.ca-subject-organization" . | quote }}]
 common_name: {{ include "spire-server.ca-subject-common-name" . | quote }}
- {{- with .Values.federation }}
- {{- if eq (.enabled | toString) "true" }}
+ {{- if eq (.Values.federation.enabled | toString) "true" }}
 federation:
 bundle_endpoint:
- {{ .bundleEndpoint | toYaml | nindent 8 }}
- {{- end }}
+ address: {{ .Values.federation.bundleEndpoint.address | quote }}
+ port: {{ .Values.federation.bundleEndpoint.port }}
+ refresh_hint: {{ .Values.federation.bundleEndpoint.refreshHint | quote }}
+ profile:
+ {{- if .Values.federation.tls.spire.enabled }}
+ - https_spiffe: {}
+ {{ else }}
+ - https_web:
+ serving_cert_file:
+ file_sync_interval: {{ .Values.federation.bundleEndpoint.profile.httpWeb.fileSyncInterval }}
+ {{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}
+ cert_file_path: /bundle-endpoint-tls/tls.crt
+ key_file_path: /bundle-endpoint-tls/tls.key
+ {{- end }}
+ {{- end }}
 {{- end }}
 {{- with .Values.experimental }}
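Review bot: When `federation.tls.spire.enabled` is false and neither `certManager` nor `externalSecret` is enabled, the `else` branch in the second hunk emits an `https_web` profile whose `serving_cert_file` carries only `file_sync_interval`, so the server is handed a web profile with no certificate or key and the misconfiguration surfaces at runtime rather than at `helm template`. A guard next to the existing `fail` checks at the top of this file would catch it: `{{- if and (not .Values.federation.tls.spire.enabled) (not (or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled)) }}` / `{{- fail "federation.tls: enable one of spire, certManager or externalSecret" }}` / `{{- end }}`. Replacing the `toYaml` passthrough with explicit keys also means any other key a user had under `federation.bundleEndpoint` is now dropped silently, which the first hunk's removed `fail` used to at least partly guard against for `profile`; a `hasKey` check or a README sentence would make that visible. Minor: `{{ else }}` is the only directive in the block without the `{{-` trim its siblings use; `{{- else }}` keeps the rendered whitespace predictable.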
diff --git a/charts/spire/charts/spire-server/templates/federation-ingress.yaml b/charts/spire/charts/spire-server/templates/federation-ingress.yaml
index 2eb89794d..d3c497590 100644
--- a/charts/spire/charts/spire-server/templates/federation-ingress.yaml
+++ b/charts/spire/charts/spire-server/templates/federation-ingress.yaml
@@ -4,33 +4,18 @@
 {{- $path := "/"}}
 {{- $pathType := "Prefix" }}
 {{- $tlsSection := true }}
-{{/* Until https://github.com/spiffe/spire/issues/2202 is resolved, use ingress to implement cert-manager and externalSecret support. */}}
-{{- $federationIngress := deepCopy .Values.federation.ingress }}
-{{- if .Values.federation.tls.certManager.enabled }}
-{{- $secret := printf "%s-federation-cert" $svcName }}
-{{- $_ := set $federationIngress "tlsSecret" $secret }}
-{{- end }}
-{{- if .Values.federation.tls.externalSecret.enabled }}
-{{- $_ := set $federationIngress "tlsSecret" .Values.federation.tls.externalSecret.secretName }}
-{{- end }}
 {{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.federation.ingress) }}
 {{- $annotations := deepCopy .Values.federation.ingress.annotations }}
 {{- if eq $ingressControllerType "ingress-nginx" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
-{{- if not .Values.federation.ingress.tlsSecret }}
-{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
-{{- end }}
+{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
 {{- else if eq $ingressControllerType "openshift" }}
-{{- if $federationIngress.tlsSecret }}
-{{- $_ := set $annotations "route.openshift.io/termination" "reencrypt" }}
-{{- else }}
-{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
 {{- $path = "" }}
 {{- $pathType = "ImplementationSpecific" }}
 {{- $tlsSection = false }}
-{{- end }}
 {{- end }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
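Review bot: Setting `nginx.ingress.kubernetes.io/ssl-passthrough` unconditionally assumes the ingress-nginx controller runs with `--enable-ssl-passthrough`; without that flag the annotation is ignored, the controller terminates TLS with its own default certificate and re-encrypts to the backend, so the https_web certificate configured through `federation.tls` is never what federated peers see, and nothing in the chart flags it. That prerequisite belongs in the values.yaml comment for `federation.ingress` or the README, e.g. `## NOTE: end-to-end TLS to the bundle endpoint requires ingress-nginx to run with --enable-ssl-passthrough`. The hunk also removes the last consumer of `federation.ingress.tlsSecret` (`{{- if not .Values.federation.ingress.tlsSecret }}`); if that key is still declared in values.yaml (not shown in this diff), a user setting it now gets a silently inert value, so either drop it or `fail` when it is set and point at `federation.tls.externalSecret`. The `$svcName` this template uses is assigned above the hunk.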
@@ -44,6 +29,6 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
- {{ include "spire-lib.ingress-spec" (dict "ingress" $federationIngress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
+ {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.federation.ingress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/server-resource.yaml b/charts/spire/charts/spire-server/templates/server-resource.yaml
index 97a589474..2a16a5c49 100644
--- a/charts/spire/charts/spire-server/templates/server-resource.yaml
+++ b/charts/spire/charts/spire-server/templates/server-resource.yaml
@@ -315,6 +315,10 @@ spec:
 mountPath: /tmp-direct-hashes
 {{- end }}
 {{- end }}
+ {{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}
+ - name: bundle-endpoint-tls
+ mountPath: /bundle-endpoint-tls
+ {{- end }}
 {{- if eq (.Values.upstreamAuthority.disk.enabled | toString) "true" }}
 - name: upstream-ca
 mountPath: /run/spire/upstream_ca
@@ -450,6 +454,16 @@ spec:
 name: {{ include "spire-server.fullname" . }}-tpm-direct-hash
 {{- end }}
 {{- end }}
+ {{- if .Values.federation.tls.certManager.enabled }}
+ - name: bundle-endpoint-tls
+ secret:
+ secretName: {{ printf "%s-federation-cert" (include "spire-server.fullname" .) }}
+ {{- end }}
+ {{- if .Values.federation.tls.externalSecret.enabled }}
+ - name: bundle-endpoint-tls
+ secret:
+ secretName: {{ .Values.federation.tls.externalSecret.secretName }}
+ {{- end }}
 {{- if or (eq (include "spire-tornjak.connectionType" .) "tls") (eq (include "spire-tornjak.connectionType" .) "mtls") }}
 - name: server-cert
 secret:
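Review bot: In the volumes hunk of server-resource.yaml the `certManager` and `externalSecret` blocks are independent `if`s that each emit a volume named `bundle-endpoint-tls`, so enabling both renders a pod spec with a duplicate volume name that the API server rejects, and nothing else in this change makes the two mutually exclusive. Turning the second block into `{{- else if .Values.federation.tls.externalSecret.enabled }}` in place of the `{{- end }}`/`{{- if ... }}` pair gives certManager a defined precedence, or a `fail` next to the keyIdentifierFile/keyIdentifierValue check in configmap.yaml can reject the combination outright. The mount and volume are also emitted whenever either source is enabled even when `federation.tls.spire.enabled` is true, in which case the configmap selects `https_spiffe` and the mounted private key is never read; gating both blocks on `not .Values.federation.tls.spire.enabled` keeps an unused key out of the container. The enclosing `volumeMounts` and `volumes` lists begin above these hunks.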
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 7fe6bd8ad..fbaebfdea 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -248,8 +248,12 @@ federation:
 port: 8443
 ## @param federation.bundleEndpoint.address Address for trust bundle federation
 address: "0.0.0.0"
- ## @param federation.bundleEndpoint.refresh_hint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server.
- refresh_hint: "5m"
+ ## @param federation.bundleEndpoint.refreshHint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server.
+ refreshHint: "5m"
+ profile:
+ httpWeb:
+ ## @param federation.bundleEndpoint.profile.httpWeb.fileSyncInterval Interval on which to reload the certificate/key from disk
+ fileSyncInterval: 1h
 tls:
 spire:
diff --git a/tests/integration/production/run-tests.sh b/tests/integration/production/run-tests.sh
index c5cd8bbe4..a61cbacb5 100755
--- a/tests/integration/production/run-tests.sh
+++ b/tests/integration/production/run-tests.sh
@@ -129,7 +129,7 @@ install_and_test() {
 --values /tmp/dummydns \
 --set spiffe-oidc-discovery-provider.tests.tls.customCA=tls-cert,spire-server.tests.tls.customCA=tls-cert \
 --set spire-agent.server.address=spire-server.production.other,spire-agent.server.port=443 \
- --set spire-server.federation.ingress.tlsSecret=tls-cert,spiffe-oidc-discovery-provider.ingress.tlsSecret=tls-cert \
+ --set spire-server.federation.tls.externalSecret.secretName=tls-cert,spiffe-oidc-discovery-provider.ingress.tlsSecret=tls-cert \
 --wait
 helm test --namespace "${ns}" spire
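Review bot: Renaming `refresh_hint` to `refreshHint` in values.yaml is a silent breaking change: because configmap.yaml now renders explicit keys instead of passing `bundleEndpoint` through `toYaml`, an existing `federation.bundleEndpoint.refresh_hint` in user values is ignored and the 5m default takes effect, which also changes the CA-TTL ratio this very comment says must be maintained. Since `refreshHint` always has a default, a `default` fallback cannot detect the old key; add `{{- if hasKey .Values.federation.bundleEndpoint "refresh_hint" }}{{- fail "federation.bundleEndpoint.refresh_hint was renamed to refreshHint" }}{{- end }}` beside the other `fail` checks in configmap.yaml and call out the rename in the chart's upgrade notes. The new `fileSyncInterval` comment could also say what it feeds and the expected format, e.g. `## ... Maps to the https_web profile's serving_cert_file.file_sync_interval; a duration string such as 1h`.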
diff --git a/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml b/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml
index c2c3879fa..4d30a3af2 100644
--- a/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml
+++ b/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml
@@ -4,10 +4,9 @@ spire-server:
 enabled: true
 federation:
 enabled: true
- ingress:
- enabled: true
- controllerType: ingress-nginx
-
- # className: nginx
-
- tlsSecret: spire-server-federation-tls
+ tls:
+ spire:
+ enabled: false
+ externalSecret:
+ enabled: true
+ secretName: spire-server-federation-tls
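Review bot: The `ingress:` block (`enabled: true`, `controllerType: ingress-nginx`) is removed from this values file together with `tlsSecret`, but nothing added here re-enables `federation.ingress`; unless another values file or a `--set` in run-tests.sh not visible in this diff turns it on, this test no longer creates the nginx Ingress its filename describes and only exercises the externalSecret mount and the https_web profile. If the ingress path is meant to stay covered, keep `ingress:` / `enabled: true` / `controllerType: ingress-nginx` alongside the new `tls:` block; if it is intentionally dropped, renaming the file would keep the coverage gap visible.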