From 5775d0dafbc14ae4d0803874ea399d332ef4a9eb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 11 Aug 2023 10:58:55 -0700 Subject: [PATCH 01/17] Bump github.com/aws/aws-sdk-go-v2/service/secretsmanager (#4428) Bumps [github.com/aws/aws-sdk-go-v2/service/secretsmanager](https://github.com/aws/aws-sdk-go-v2) from 1.20.1 to 1.21.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/service/s3/v1.21.0/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.20.1...service/s3/v1.21.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/secretsmanager dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 8d60c09c329..6ae74912cde 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/iam v1.22.0 github.com/aws/aws-sdk-go-v2/service/kms v1.24.1 github.com/aws/aws-sdk-go-v2/service/s3 v1.38.1 - github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.20.1 + github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.21.0 github.com/aws/aws-sdk-go-v2/service/sts v1.21.0 github.com/blang/semver/v4 v4.0.0 github.com/cenkalti/backoff/v4 v4.2.1 diff --git a/go.sum b/go.sum index 7c6feeb4416..f8bd7aa93cc 100644 --- a/go.sum +++ b/go.sum 
@@ -949,8 +949,8 @@ github.com/aws/aws-sdk-go-v2/service/kms v1.24.1 h1:zDmx9yZjSYDaeakQVN16qfsLxhBe github.com/aws/aws-sdk-go-v2/service/kms v1.24.1/go.mod h1:yrlimpsAJc9fXj3jHC7Ig2Zb4iMAoSJ/VVzChf22dZk= github.com/aws/aws-sdk-go-v2/service/s3 v1.38.1 h1:mTgFVlfQT8gikc5+/HwD8UL9jnUro5MGv8n/VEYF12I= github.com/aws/aws-sdk-go-v2/service/s3 v1.38.1/go.mod h1:6SOWLiobcZZshbmECRTADIRYliPL0etqFSigauQEeT0= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.20.1 h1:AD8gRAXAXDU9+XTm0Q3D+NBsMCX4TlpN/qnNYbbQLO4= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.20.1/go.mod h1:aFRHxQ3V4bs/uVQYpg8Wm6szKWuB2KnraKcIGp5JS/I= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.21.0 h1:z9faFYBvadv9HdY+oFBgxqCnew9TK+jp9ccxktB5fl4= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.21.0/go.mod h1:Z6Oq1mXqvgwmUxvMrV/jMkQhwm06A9XO015dzGnS8TM= github.com/aws/aws-sdk-go-v2/service/sso v1.3.1/go.mod h1:J3A3RGUvuCZjvSuZEcOpHDnzZP/sKbhDWV2T1EOzFIM= github.com/aws/aws-sdk-go-v2/service/sso v1.12.12 h1:nneMBM2p79PGWBQovYO/6Xnc2ryRMw3InnDJq1FHkSY= github.com/aws/aws-sdk-go-v2/service/sso v1.12.12/go.mod h1:HuCOxYsF21eKrerARYO6HapNeh9GBNq7fius2AcwodY= From b340c2059654f455f57b471f63488b28bc89d58c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 17:30:37 -0300 Subject: [PATCH 02/17] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.110.1 to 1.111.0 (#4431) Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.110.1 to 1.111.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.110.1...service/ec2/v1.111.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 6ae74912cde..8991e0006b8 100644 --- a/go.mod +++ b/go.mod @@ -22,7 +22,7 @@ require ( github.com/aws/aws-sdk-go-v2/credentials v1.13.26 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4 github.com/aws/aws-sdk-go-v2/service/acmpca v1.22.1 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.110.1 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.111.0 github.com/aws/aws-sdk-go-v2/service/iam v1.22.0 github.com/aws/aws-sdk-go-v2/service/kms v1.24.1 github.com/aws/aws-sdk-go-v2/service/s3 v1.38.1 diff --git a/go.sum b/go.sum index f8bd7aa93cc..a842dc09429 100644 --- a/go.sum +++ b/go.sum @@ -924,8 +924,8 @@ github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.0 h1:U5yySdwt2HPo/pnQec04DImLzWOR github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.0/go.mod h1:EhC/83j8/hL/UB1WmExo3gkElaja/KlmZM/gl1rTfjM= github.com/aws/aws-sdk-go-v2/service/acmpca v1.22.1 h1:JcTxq2boeyMlFtBIaX4QrVDyzzsAzDnzvZw7b02Rq20= github.com/aws/aws-sdk-go-v2/service/acmpca v1.22.1/go.mod h1:1AG8XoWz0RmFuivaAKeW5aCdClw71mRme9DxHJiIPLk= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.110.1 h1:OaDeV+sdve2NV+kUheZX5bToHFmfIkflgOlZTKij0Bo= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.110.1/go.mod h1:Ie0Kp61cLk223argiS+t8vO29SpbFIphzlPflIvYcv0= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.111.0 h1:zWbe9PwEF8R4F8NixpDt4uIGDKnRdvUQmjMYmef/SRw= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.111.0/go.mod h1:Ie0Kp61cLk223argiS+t8vO29SpbFIphzlPflIvYcv0= github.com/aws/aws-sdk-go-v2/service/ecr v1.4.1/go.mod h1:FglZcyeiBqcbvyinl+n14aT/EWC7S1MIH+Gan2iizt0= github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 h1:lY2Z2sBP+zSbJ6CvvmnFgPcgknoQ0OJV88AwVetRRFk= github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0/go.mod h1:4zYI85WiYDhFaU1jPFVfkD7HlBcdnITDE3QxDwy4Kus= 
From 1aeb3097cb7c64d65353037af82d2b560f43a7db Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Aug 2023 10:52:34 -0300 Subject: [PATCH 03/17] Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.7.0 to 1.7.1 (#4432) Bumps [github.com/Azure/azure-sdk-for-go/sdk/azcore](https://github.com/Azure/azure-sdk-for-go) from 1.7.0 to 1.7.1. - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.7.0...sdk/azcore/v1.7.1) --- updated-dependencies: - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azcore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 8991e0006b8..1187f56fddd 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( cloud.google.com/go/secretmanager v1.11.1 cloud.google.com/go/security v1.15.1 cloud.google.com/go/storage v1.31.0 - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 diff --git a/go.sum b/go.sum index a842dc09429..a4fde5c3849 100644 --- a/go.sum +++ b/go.sum 
@@ -740,8 +740,8 @@ github.com/Azure/azure-sdk-for-go v46.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9mo github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0 h1:8q4SaHjFsClSvuVne0ID/5Ka8u3fcIHyqkLjcFpNRHQ= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 h1:/iHxaJhsFr0+xVFfbMr5vxz848jyiWuIEDhYq3y5odY= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= From 5aa2122fbcc892979b15be93a20ebbb6f2c41438 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Aug 2023 17:04:00 -0300 Subject: [PATCH 04/17] Bump google.golang.org/api from 0.136.0 to 0.137.0 (#4433) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.136.0 to 0.137.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.136.0...v0.137.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 1187f56fddd..849b08a8ced 100644 --- a/go.mod +++ b/go.mod @@ -73,7 +73,7 @@ require ( golang.org/x/sync v0.3.0 golang.org/x/sys v0.11.0 golang.org/x/time v0.3.0 - google.golang.org/api v0.136.0 + google.golang.org/api v0.137.0 google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 google.golang.org/grpc v1.57.0 google.golang.org/protobuf v1.31.0 @@ -204,7 +204,7 @@ require ( github.com/google/gofuzz v1.2.0 // indirect github.com/google/logger v1.1.1 // indirect github.com/google/pprof v0.0.0-20221103000818-d260c55eee4c // indirect - github.com/google/s2a-go v0.1.4 // indirect + github.com/google/s2a-go v0.1.5 // indirect github.com/google/uuid v1.3.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect github.com/gorilla/mux v1.8.0 // indirect diff --git a/go.sum b/go.sum index a4fde5c3849..549e57eb635 100644 --- a/go.sum +++ b/go.sum 
@@ -1395,8 +1395,9 @@ github.com/google/pprof v0.0.0-20221103000818-d260c55eee4c/go.mod h1:dDKJzRmX4S3 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/s2a-go v0.1.0/go.mod h1:OJpEgntRZo8ugHpF9hkoLJbS5dSI20XZeXJ9JVywLlM= github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= -github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/s2a-go v0.1.5 h1:8IYp3w9nysqv3JH+NJgXJzGbDHzLOTj43BmSkp+O7qg= +github.com/google/s2a-go v0.1.5/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -2658,8 +2659,8 @@ google.golang.org/api v0.125.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvy google.golang.org/api v0.126.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw= google.golang.org/api v0.128.0/go.mod h1:Y611qgqaE92On/7g65MQgxYul3c0rEB894kniWLY750= google.golang.org/api v0.132.0/go.mod h1:AeTBC6GpJnJSRJjktDcPX0QwtS8pGYZOV6MSuSCusw0= -google.golang.org/api v0.136.0 h1:e/6enzUE1s4tGPa6Q3ZYShKTtvRc+1Jq0rrafhppmOs= -google.golang.org/api v0.136.0/go.mod h1:XtJfF+V2zgUxelOn5Zs3kECtluMxneJG8ZxUTlLNTPA= +google.golang.org/api v0.137.0 h1:QrKX6uNvzJLr0Fd3vWVqcyrcmFoYi036VUAsZbiF4+s= +google.golang.org/api v0.137.0/go.mod h1:4xyob8CxC+0GChNBvEUAk8VBKNvYOTWM9T3v3UfRxuY= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= From ae75a2d9548fe2e0e43d75c37ba354c799658a33 Mon Sep 17 00:00:00 2001 
From: Marcos Yacob Date: Thu, 17 Aug 2023 10:49:28 -0300 Subject: [PATCH 05/17] Bump version and CHANGELOG after v1.7.2 release (#4441) Signed-off-by: Marcos Yacob --- CHANGELOG.md | 14 ++++++++++++++ pkg/common/version/version.go | 2 +- test/integration/suites/upgrade/versions.txt | 7 +------ 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e2cc31379a3..fc57591e310 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,19 @@ # Changelog +## [1.7.2] - 2023-08-16 + +### Added + +- `aws_s3` BundlePublisher plugin (#4355) +- SPIRE Server bundle endpoint now includes bundle sequence number (#4389) +- Telemetry in experimental Agent LRU cache (#4335) +- Telemetry in Agent Delegated Identity API (#4399) +- Documentation improvements (#4336, #4407) + +### Fixed + +- Server no longer unnecessarily activates its CA a second time on startup (#4368) + ## [1.7.1] - 2023-07-27 ### Added diff --git a/pkg/common/version/version.go b/pkg/common/version/version.go index 2a22f6f8659..71bc5086553 100644 --- a/pkg/common/version/version.go +++ b/pkg/common/version/version.go @@ -8,7 +8,7 @@ const ( // IMPORTANT: When updating, make sure to reconcile the versions list that // is part of the upgrade integration test. See // test/integration/suites/upgrade/README.md for details. - Base = "1.7.2" + Base = "1.8.0" ) var ( diff --git a/test/integration/suites/upgrade/versions.txt b/test/integration/suites/upgrade/versions.txt index 4a03a2b234d..1beb788ea01 100644 --- a/test/integration/suites/upgrade/versions.txt +++ b/test/integration/suites/upgrade/versions.txt @@ -1,8 +1,3 @@ -1.6.0 -1.6.1 -1.6.2 -1.6.3 -1.6.4 -1.6.5 1.7.0 1.7.1 +1.7.2 From c9693346d54b0862f734c12e67df38ef5287a73d Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Thu, 17 Aug 2023 07:53:17 -0700 Subject: [PATCH 06/17] Update golangci-lint and Markdown linter (#4440) Also fix new Markdown linter errors 
Signed-off-by: Ryan Turner Co-authored-by: Marcos Yacob --- CONTRIBUTING.md | 2 +- Makefile | 4 +-- README.md | 2 +- SECURITY.md | 2 +- doc/plugin_agent_workloadattestor_k8s.md | 10 +++--- support/oidc-discovery-provider/README.md | 42 +++++++++++------------ 6 files changed, 31 insertions(+), 31 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index dfdee4be60b..ba1ff91280a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -244,4 +244,4 @@ $ ln -s .githooks/pre-commit .git/hooks/pre-commit ## Reporting security vulnerabilities -If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. +If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at . We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. diff --git a/Makefile b/Makefile index 262253cbac0..46a074c06fe 100644 --- a/Makefile +++ b/Makefile @@ -138,12 +138,12 @@ endif go_path := PATH="$(go_bin_dir):$(PATH)" -golangci_lint_version = v1.53.3 +golangci_lint_version = v1.54.1 golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version) golangci_lint_bin = $(golangci_lint_dir)/golangci-lint golangci_lint_cache = $(golangci_lint_dir)/cache -markdown_lint_version = v0.33.0 +markdown_lint_version = v0.35.0 markdown_lint_image = ghcr.io/igorshubovych/markdownlint-cli:$(markdown_lint_version) protoc_version = 3.20.1 diff --git a/README.md b/README.md index 9ed39a2731c..c7022cb79be 100644 --- a/README.md +++ b/README.md 
@@ -68,6 +68,6 @@ A third party security firm ([Cure53](https://cure53.de/)) completed a security ### Reporting Security Vulnerabilities -If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. +If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at . We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. diff --git a/SECURITY.md b/SECURITY.md index 77fd1c8b059..cf6de358de2 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,4 +6,4 @@ The project supports security releases for the current minor release series and ## Reporting a Vulnerability -If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. +If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at . We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index eb6f27a5cec..b0421d5a821 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -118,11 +118,11 @@ Sigstore enabled selectors (available when configured to use sigstore) | Selector | Value | |----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| k8s:${containerID}:image-signature-content | A containerID is an unique alphanumeric number for each container. The value of the signature itself in a hash (eg. "k8s:000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=") | -| k8s:${containerID}:image-signature-subject | OIDC principal that signed it​ (eg. "k8s:000000:image-signature-subject:spirex@example.com") | -| k8s:${containerID}:image-signature-logid | A unique LogID for the Rekor transparency log​ (eg. "k8s:000000:image-signature-logid:samplelogID") | -| k8s:${containerID}:image-signature-integrated-time | The time (in Unix timestamp format) when the image signature was integrated into the signature transparency log​ (eg. "k8s:000000:image-signature-integrated-time:12345") | -| k8s:sigstore-validation | The confirmation if the signature is valid, has value of "passed" (eg. "k8s:sigstore-validation:passed") | +| k8s:${containerID}:image-signature-content | A containerID is an unique alphanumeric number for each container. The value of the signature itself in a hash (eg. `k8s:000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=`) | +| k8s:${containerID}:image-signature-subject | OIDC principal that signed it​ (eg. `k8s:000000:image-signature-subject:spirex@example.com`) | +| k8s:${containerID}:image-signature-logid | A unique LogID for the Rekor transparency log​ (eg. 
`k8s:000000:image-signature-logid:samplelogID`) | +| k8s:${containerID}:image-signature-integrated-time | The time (in Unix timestamp format) when the image signature was integrated into the signature transparency log​ (eg. `k8s:000000:image-signature-integrated-time:12345`) | +| k8s:sigstore-validation | The confirmation if the signature is valid, has value of "passed" (eg. `k8s:sigstore-validation:passed`) | > **Note** `container-image` will ONLY match against the specific container in the pod that is contacting SPIRE on behalf of > the pod, whereas `pod-image` and `pod-init-image` will match against ANY container or init container in the Pod, > respectively. diff --git a/support/oidc-discovery-provider/README.md b/support/oidc-discovery-provider/README.md index 55a4dce47d5..f89ec8a3bf2 100644 --- a/support/oidc-discovery-provider/README.md +++ b/support/oidc-discovery-provider/README.md 
@@ -31,27 +31,27 @@ The provider has the following command line flags: The configuration file is **required** by the provider. It contains [HCL](https://github.com/hashicorp/hcl) encoded configurables. -| Key | Type | Required? | Description | Default | -|-------------------------|---------|----------------|------------------------------------------------------------------------|----------| -| `acme` | section | required[1] | Provides the ACME configuration. | | -| `serving_cert_file` | section | required[1][4] | Provides the serving certificate configuration. | | -| `allow_insecure_scheme` | string | optional[3] | Serves OIDC configuration response with HTTP url. | `false` | -| `domains` | strings | required | One or more domains the provider is being served from. | | -| `experimental` | section | optional | The experimental options that are subject to change or removal. | | -| `insecure_addr` | string | optional[3] | Exposes the service on http. | | -| `set_key_use` | bool | optional | If true, the `use` parameter on JWKs will be set to `sig`. | `false` | -| `listen_socket_path` | string | required[1][3] | Path on disk to listen with a Unix Domain Socket. Unix platforms only. | | -| `log_format` | string | optional | Format of the logs (either `"TEXT"` or `"JSON"`) | `""` | -| `log_level` | string | required | Log level (one of `"error"`,`"warn"`,`"info"`,`"debug"`) | `"info"` | -| `log_path` | string | optional | Path on disk to write the log. | | -| `log_requests` | bool | optional | If true, all HTTP requests are logged at the debug level | `false` | -| `server_api` | section | required[2] | Provides SPIRE Server API details. | | -| `workload_api` | section | required[2] | Provides Workload API details. | | -| `health_checks` | section | optional | Enable and configure health check endpoints | | - -| experimental | Type | Required? 
| Description | Default | -|--------------------------|--------|----------------|------------------------------------------------------|---------| -| `listen_named_pipe_name` | string | required[1][3] | Pipe name to listen with a named pipe. Windows only. | | +| Key | Type | Required? | Description | Default | +|-------------------------|---------|--------------------|------------------------------------------------------------------------|----------| +| `acme` | section | required[1] | Provides the ACME configuration. | | +| `serving_cert_file` | section | required\[1\]\[4\] | Provides the serving certificate configuration. | | +| `allow_insecure_scheme` | string | optional\[3\] | Serves OIDC configuration response with HTTP url. | `false` | +| `domains` | strings | required | One or more domains the provider is being served from. | | +| `experimental` | section | optional | The experimental options that are subject to change or removal. | | +| `insecure_addr` | string | optional\[3\] | Exposes the service on http. | | +| `set_key_use` | bool | optional | If true, the `use` parameter on JWKs will be set to `sig`. | `false` | +| `listen_socket_path` | string | required\[1\]\[3\] | Path on disk to listen with a Unix Domain Socket. Unix platforms only. | | +| `log_format` | string | optional | Format of the logs (either `"TEXT"` or `"JSON"`) | `""` | +| `log_level` | string | required | Log level (one of `"error"`,`"warn"`,`"info"`,`"debug"`) | `"info"` | +| `log_path` | string | optional | Path on disk to write the log. | | +| `log_requests` | bool | optional | If true, all HTTP requests are logged at the debug level | `false` | +| `server_api` | section | required\[2\] | Provides SPIRE Server API details. | | +| `workload_api` | section | required\[2\] | Provides Workload API details. | | +| `health_checks` | section | optional | Enable and configure health check endpoints | | + +| experimental | Type | Required? 
| Description | Default | +|--------------------------|--------|--------------------|------------------------------------------------------|---------| +| `listen_named_pipe_name` | string | required\[1\]\[3\] | Pipe name to listen with a named pipe. Windows only. | | From ee31d34285b140bbc061083af213a0b902df97b4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Aug 2023 12:45:16 -0300 Subject: [PATCH 07/17] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.111.0 to 1.112.0 (#4434) Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.111.0 to 1.112.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.111.0...service/ec2/v1.112.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 849b08a8ced..c9282f9374e 100644 --- a/go.mod +++ b/go.mod @@ -22,7 +22,7 @@ require ( github.com/aws/aws-sdk-go-v2/credentials v1.13.26 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4 github.com/aws/aws-sdk-go-v2/service/acmpca v1.22.1 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.111.0 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.112.0 github.com/aws/aws-sdk-go-v2/service/iam v1.22.0 github.com/aws/aws-sdk-go-v2/service/kms v1.24.1 github.com/aws/aws-sdk-go-v2/service/s3 v1.38.1 diff --git a/go.sum b/go.sum index 549e57eb635..6dcc1e26e98 100644 --- a/go.sum +++ b/go.sum 
@@ -924,8 +924,8 @@ github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.0 h1:U5yySdwt2HPo/pnQec04DImLzWOR github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.0/go.mod h1:EhC/83j8/hL/UB1WmExo3gkElaja/KlmZM/gl1rTfjM= github.com/aws/aws-sdk-go-v2/service/acmpca v1.22.1 h1:JcTxq2boeyMlFtBIaX4QrVDyzzsAzDnzvZw7b02Rq20= github.com/aws/aws-sdk-go-v2/service/acmpca v1.22.1/go.mod h1:1AG8XoWz0RmFuivaAKeW5aCdClw71mRme9DxHJiIPLk= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.111.0 h1:zWbe9PwEF8R4F8NixpDt4uIGDKnRdvUQmjMYmef/SRw= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.111.0/go.mod h1:Ie0Kp61cLk223argiS+t8vO29SpbFIphzlPflIvYcv0= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.112.0 h1:8I4NQ9BfrQATHzXKtBuu+jBdOVd2mBANqhbMOXfSIdA= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.112.0/go.mod h1:Ie0Kp61cLk223argiS+t8vO29SpbFIphzlPflIvYcv0= github.com/aws/aws-sdk-go-v2/service/ecr v1.4.1/go.mod h1:FglZcyeiBqcbvyinl+n14aT/EWC7S1MIH+Gan2iizt0= github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 h1:lY2Z2sBP+zSbJ6CvvmnFgPcgknoQ0OJV88AwVetRRFk= github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0/go.mod h1:4zYI85WiYDhFaU1jPFVfkD7HlBcdnITDE3QxDwy4Kus= From becabc3656cc5f0c2eaf105e0a842c41618fd72d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Aug 2023 16:31:30 -0300 Subject: [PATCH 08/17] Bump actions/dependency-review-action from 3.0.7 to 3.0.8 (#4435) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.7 to 3.0.8. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/7d90b4f05fea31dde1c4a1fb3fa787e197ea93ab...f6fff72a3217f580d5afd49a46826795305b63c7) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/depsreview.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/depsreview.yaml b/.github/workflows/depsreview.yaml index 8afb526daad..ee983918d5b 100644 --- a/.github/workflows/depsreview.yaml +++ b/.github/workflows/depsreview.yaml @@ -12,4 +12,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: 'Dependency Review' - uses: actions/dependency-review-action@7d90b4f05fea31dde1c4a1fb3fa787e197ea93ab # v3.0.7 + uses: actions/dependency-review-action@f6fff72a3217f580d5afd49a46826795305b63c7 # v3.0.8 From a25fcc6ff146a5812514441a52c0f985b55d8079 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Aug 2023 17:21:27 -0300 Subject: [PATCH 09/17] Bump cloud.google.com/go/storage from 1.31.0 to 1.32.0 (#4436) Bumps [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) from 1.31.0 to 1.32.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.31.0...pubsub/v1.32.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/storage dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index c9282f9374e..3cef21c2eb6 100644 --- a/go.mod +++ b/go.mod 
@@ -7,7 +7,7 @@ require (
 cloud.google.com/go/kms v1.15.0
 cloud.google.com/go/secretmanager v1.11.1
 cloud.google.com/go/security v1.15.1
- cloud.google.com/go/storage v1.31.0
+ cloud.google.com/go/storage v1.32.0
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
diff --git a/go.sum b/go.sum
index 6dcc1e26e98..a9a99161923 100644
--- a/go.sum
+++ b/go.sum
@@ -646,8 +646,8 @@ cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi
 cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y=
 cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4=
 cloud.google.com/go/storage v1.30.1/go.mod h1:NfxhC0UJE1aXSx7CIIbCf7y9HKT7BiccwkR7+P7gN8E=
-cloud.google.com/go/storage v1.31.0 h1:+S3LjjEN2zZ+L5hOwj4+1OkGCsLVe0NzpXKQ1pSdTCI=
-cloud.google.com/go/storage v1.31.0/go.mod h1:81ams1PrhW16L4kF7qg+4mTq7SRs5HsbDTM0bWvrwJ0=
+cloud.google.com/go/storage v1.32.0 h1:5w6DxEGOnktmJHarxAOUywxVW9lbNWIzlzzUltG/3+o=
+cloud.google.com/go/storage v1.32.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/OxflYkiD8=
 cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w=
 cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I=
 cloud.google.com/go/storagetransfer v1.7.0/go.mod h1:8Giuj1QNb1kfLAiWM1bN6dHzfdlDAVC9rv9abHot2W4=
From fbc674e588807efeb905443cde6eaf6da885123a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Aug 2023 18:08:46 -0300 Subject: [PATCH 10/17] Bump github.com/GoogleCloudPlatform/cloudsql-proxy (#4437) Bumps [github.com/GoogleCloudPlatform/cloudsql-proxy](https://github.com/GoogleCloudPlatform/cloudsql-proxy) from 1.33.9 to 1.33.10. - [Release notes](https://github.com/GoogleCloudPlatform/cloudsql-proxy/releases) - [Changelog](https://github.com/GoogleCloudPlatform/cloud-sql-proxy/blob/v1.33.10/CHANGELOG.md) - [Commits](https://github.com/GoogleCloudPlatform/cloudsql-proxy/compare/v1.33.9...v1.33.10) --- updated-dependencies: - dependency-name: github.com/GoogleCloudPlatform/cloudsql-proxy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 3cef21c2eb6..59b726a1948 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1 - github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.9 + github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.10 github.com/Microsoft/go-winio v0.6.1 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 github.com/armon/go-metrics v0.4.1 diff --git a/go.sum b/go.sum index a9a99161923..b1162523ab0 100644 --- a/go.sum +++ b/go.sum 
@@ -792,8 +792,8 @@ github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= -github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.9 h1:YjE60yhoMx231GwDrJgeBWSTbTbazZAuK89H0iuXJlM= -github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.9/go.mod h1:+FaFzlKsx+X/2dR5Rjr6EN9ZzuYDW950s4MmFILchJM= +github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.10 h1:h2qYaJSDGyVzjGVj3HansB3mJUnyU9wBc/8/nm/kSLs= +github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.10/go.mod h1:+FaFzlKsx+X/2dR5Rjr6EN9ZzuYDW950s4MmFILchJM= github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= From 97c0fc1918d1b26e4d7be0d0ed6de730db204647 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 18 Aug 2023 09:49:57 -0300 Subject: [PATCH 11/17] Bump k8s.io/client-go from 0.27.4 to 0.28.0 (#4439) Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.27.4 to 0.28.0. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.27.4...v0.28.0) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 12 ++++++------ go.sum | 29 +++++++++++++---------------- 2 files changed, 19 insertions(+), 22 deletions(-) diff --git a/go.mod b/go.mod index 59b726a1948..fcfc2b50e92 100644 --- a/go.mod +++ b/go.mod @@ -78,9 +78,9 @@ require ( google.golang.org/grpc v1.57.0 google.golang.org/protobuf v1.31.0 gopkg.in/square/go-jose.v2 v2.6.0 - k8s.io/api v0.27.4 - k8s.io/apimachinery v0.27.4 - k8s.io/client-go v0.27.4 + k8s.io/api v0.28.0 + k8s.io/apimachinery v0.28.0 + k8s.io/client-go v0.28.0 k8s.io/kube-aggregator v0.27.4 sigs.k8s.io/controller-runtime v0.15.1 ) @@ -163,7 +163,7 @@ require ( github.com/docker/go-units v0.5.0 // indirect github.com/emicklei/go-restful/v3 v3.10.1 // indirect github.com/envoyproxy/protoc-gen-validate v1.0.1 // indirect - github.com/evanphx/json-patch v4.12.0+incompatible // indirect + github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/fatih/color v1.15.0 // indirect github.com/felixge/httpsnoop v1.0.3 // indirect @@ -197,7 +197,7 @@ require ( github.com/golang/snappy v0.0.4 // indirect github.com/google/certificate-transparency-go v1.1.6 // indirect github.com/google/flatbuffers v23.5.26+incompatible // indirect - github.com/google/gnostic v0.5.7-v3refs // indirect + github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-github/v50 v50.2.0 // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/google/go-sev-guest v0.6.1 // indirect 
@@ -324,7 +324,7 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/klog/v2 v2.100.1 // indirect - k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect + k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/release-utils v0.7.4 // indirect diff --git a/go.sum b/go.sum index b1162523ab0..100cfc917a9 100644 --- a/go.sum +++ b/go.sum @@ -1116,8 +1116,8 @@ github.com/envoyproxy/protoc-gen-validate v1.0.1 h1:kt9FtLiooDc0vbwTLhdg3dyNX1K9 github.com/envoyproxy/protoc-gen-validate v1.0.1/go.mod h1:0vj8bNkYbSTNS2PIyH87KZaeN4x9zpL9Qt8fQC7d+vs= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0= -github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= -github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= +github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a h1:yDWHCSQ40h88yih2JAcL6Ls/kVkSE8GFACTGVnMPruw= 
@@ -1329,8 +1329,8 @@ github.com/google/certificate-transparency-go v1.1.6/go.mod h1:0OJjOsOk+wj6aYQgP github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/flatbuffers v23.5.26+incompatible h1:M9dgRyhJemaM4Sw8+66GHBu8ioaQmyPLg1b8VwK5WJg= github.com/google/flatbuffers v23.5.26+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= -github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= -github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-attestation v0.4.4-0.20230613144338-a9b6eb1eb888 h1:HURgKPRPJSozDuMHpjdV+iyFVLhB6bi1JanhGgSzI1k= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= @@ -1636,7 +1636,6 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxv github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 
@@ -1860,7 +1859,7 @@ github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ= github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU= github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc= @@ -1955,7 +1954,6 @@ github.com/spiffe/spire-api-sdk v1.2.5-0.20230629125323-08049dbe95e6 h1:viHj64Ur github.com/spiffe/spire-api-sdk v1.2.5-0.20230629125323-08049dbe95e6/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI= github.com/spiffe/spire-plugin-sdk v1.4.4-0.20230721151831-bf67dde4721d h1:LCRQGU6vOqKLfRrG+GJQrwMwDILcAddAEIf4/1PaSVc= github.com/spiffe/spire-plugin-sdk v1.4.4-0.20230721151831-bf67dde4721d/go.mod h1:GA6o2PVLwyJdevT6KKt5ZXCY/ziAPna13y/seGk49Ik= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= 
@@ -2701,7 +2699,6 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
@@ -2947,19 +2944,19 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= -k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs= -k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y= +k8s.io/api v0.28.0 h1:3j3VPWmN9tTDI68NETBWlDiA9qOiGJ7sdKeufehBYsM= +k8s.io/api v0.28.0/go.mod h1:0l8NZJzB0i/etuWnIXcwfIv+xnDOhL3lLW919AWYDuY= k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo= -k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs= -k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= -k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk= -k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc= +k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA= +k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw= +k8s.io/client-go v0.28.0 h1:ebcPRDZsCjpj62+cMk1eGNX1QkMdRmQ6lmz5BLoFWeM= +k8s.io/client-go v0.28.0/go.mod h1:0Asy9Xt3U98RypWJmU1ZrRAGKhP6NqDPmptlAzK2kMc= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-aggregator v0.27.4 h1:WdK9iiBr32G8bWfpUEFVQl70RZO2dU19ZAktUXL5JFc= k8s.io/kube-aggregator v0.27.4/go.mod h1:+eG83gkAyh0uilQEAOgheeQW4hr+PkyV+5O1nLGsjlM= -k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= -k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 
h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk= From 53e0abb92ff901c4941e17d6714ea1f1284cf261 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 18 Aug 2023 11:03:10 -0300 Subject: [PATCH 12/17] Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#4442) Bumps [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) from 1.3.0 to 1.3.1. - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.3.0...sdk/azcore/v1.3.1) --- updated-dependencies: - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 5 +++-- go.sum | 8 ++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index fcfc2b50e92..8b34fd62c84 100644 --- a/go.mod +++ b/go.mod 
@@ -9,7 +9,7 @@ require ( cloud.google.com/go/security v1.15.1 cloud.google.com/go/storage v1.32.0 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1 @@ -102,7 +102,7 @@ require ( github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect github.com/DataDog/datadog-go v3.2.0+incompatible // indirect github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.2.1 // indirect @@ -192,6 +192,7 @@ require ( github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/golang-jwt/jwt/v5 v5.0.0 // indirect github.com/golang/glog v1.1.1 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/snappy v0.0.4 // indirect diff --git a/go.sum b/go.sum index 100cfc917a9..868696ba5ba 100644 --- a/go.sum +++ b/go.sum 
@@ -742,8 +742,9 @@ github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9mo github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 h1:/iHxaJhsFr0+xVFfbMr5vxz848jyiWuIEDhYq3y5odY= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 h1:/Di3vB4sNeQ+7A8efjUVENvyB945Wruvstucqp7ZArg= 
@@ -785,8 +786,9 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= -github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY= github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o= +github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 h1:WpB/QDNLpMw72xHJc34BNNykqSOeEJDAWkhf0u12/Jk= +github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= 
@@ -1274,6 +1276,8 @@ github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= +github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA= github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= From e29ddf6ffec29055f2aefad136caf9e2e50fb4fb Mon Sep 17 00:00:00 2001 From: Andrew Harding Date: Fri, 18 Aug 2023 09:17:36 -0600 Subject: [PATCH 13/17] Remove node selector cruft cleanup code (#4443) SPIRE v1.6.3 introduced code to clean up node selector cruft in the database. This code can be removed in v1.8.0. Fixes: #3945 Signed-off-by: Andrew Harding --- pkg/server/datastore/sqlstore/sqlstore.go | 19 ------ .../datastore/sqlstore/sqlstore_test.go | 61 ------------------- 2 files changed, 80 deletions(-) diff --git a/pkg/server/datastore/sqlstore/sqlstore.go b/pkg/server/datastore/sqlstore/sqlstore.go index ff083774a63..f4032ddd3e1 100644 --- a/pkg/server/datastore/sqlstore/sqlstore.go +++ b/pkg/server/datastore/sqlstore/sqlstore.go 
@@ -797,30 +797,11 @@ func (ds *Plugin) openDB(cfg *configuration, isReadOnly bool) (*gorm.DB, string, db.Close() return nil, "", false, nil, err } - // TODO: we should keep this logic for a minor release cycle to make sure stale entries are removed eventually. - // Remove in SPIRE 1.8.0 - if err := cleanStaleNodeResolverEntries(db, ds.log); err != nil { - ds.log.WithError(err).Error("Failed to clean stale node resolver entries") - } } return db, version, supportsCTE, dialect, nil } -func cleanStaleNodeResolverEntries(tx *gorm.DB, log logrus.FieldLogger) error { - result := tx.Delete(&NodeSelector{}, fmt.Sprintf("spiffe_id NOT IN (SELECT spiffe_id FROM %s)", AttestedNode{}.TableName())) - - if result.Error != nil { - return sqlError.Wrap(result.Error) - } - - if result.RowsAffected > 0 { - log.Infof("Deleted %d stale node resolver entries", result.RowsAffected) - } - - return nil -} - type gormLogger struct { log logrus.FieldLogger } diff --git a/pkg/server/datastore/sqlstore/sqlstore_test.go b/pkg/server/datastore/sqlstore/sqlstore_test.go index 1ffb72a7b4f..4938dc1acfc 100644 --- a/pkg/server/datastore/sqlstore/sqlstore_test.go +++ b/pkg/server/datastore/sqlstore/sqlstore_test.go 
@@ -4432,67 +4432,6 @@ func (s *PluginSuite) TestUpdateFederationRelationship() { } } -func (s *PluginSuite) TestCleanStaleNodeResolverEntries() { - deletedNodeSPIFFEID := "thisNodeDoesNotExist" - existentNode := &common.AttestedNode{ - SpiffeId: "foo", - AttestationDataType: "aws-tag", - CertSerialNumber: "badcafe", - CertNotAfter: time.Now().Add(time.Hour).Unix(), - } - - selectors := []*common.Selector{ - {Type: "TYPE1", Value: "VALUE1"}, - {Type: "TYPE2", Value: "VALUE2"}, - {Type: "TYPE3", Value: "VALUE3"}, - {Type: "TYPE4", Value: "VALUE4"}, - } - _, err := s.ds.CreateAttestedNode(ctx, existentNode) - require.NoError(s.T(), err) - err = s.ds.SetNodeSelectors(ctx, existentNode.SpiffeId, selectors) - require.NoError(s.T(), err) - nodeSelectors, err := s.ds.GetNodeSelectors(ctx, existentNode.SpiffeId, datastore.RequireCurrent) - s.Require().NoError(err) - s.Equal(selectors, nodeSelectors) - - err = s.ds.SetNodeSelectors(ctx, deletedNodeSPIFFEID, selectors) - require.NoError(s.T(), err) - staleNodeSelectors, err := s.ds.GetNodeSelectors(ctx, deletedNodeSPIFFEID, datastore.RequireCurrent) - s.Require().NoError(err) - s.Equal(selectors, staleNodeSelectors) - - // Initialize a new datastore to force a cleanup of stale node resolver entries - dbPath := s.ds.db.connectionString - databaseType := s.ds.db.databaseType - err = s.ds.Close() - s.Require().NoError(err) - s.ds.db = nil - err = s.ds.Configure(ctx, fmt.Sprintf(` - database_type = "%s" - log_sql = true - connection_string = "%s" - ro_connection_string = "%s" - `, databaseType, dbPath, TestROConnString)) - s.Require().NoError(err) - - spiretest.AssertLogsContainEntries(s.T(), s.hook.AllEntries(), []spiretest.LogEntry{ - { - Level: logrus.InfoLevel, - Message: "Deleted 4 stale node resolver entries", - }, - }) - - // Check that stale node selectors were deleted since the underlying attested node entry does not exist - staleNodeSelectors, err = s.ds.GetNodeSelectors(ctx, deletedNodeSPIFFEID, 
datastore.RequireCurrent) - s.Require().NoError(err) - s.Empty(staleNodeSelectors) - - // Check that foo node selectors were not deleted because the attested node entry still exists - nodeSelectors, err = s.ds.GetNodeSelectors(ctx, existentNode.SpiffeId, datastore.RequireCurrent) - s.Require().NoError(err) - s.Equal(selectors, nodeSelectors) -} - func (s *PluginSuite) TestMigration() { for schemaVersion := 0; schemaVersion < latestSchemaVersion; schemaVersion++ { s.T().Run(fmt.Sprintf("migration_from_schema_version_%d", schemaVersion), func(t *testing.T) { From 260465236ff8c933849d4e73daa10aca53faf763 Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Fri, 18 Aug 2023 09:36:07 -0700 Subject: [PATCH 14/17] Remove SDS v2 API (#4444) The SDS v2 API has been removed from Envoy for several years. We cannot reasonably support it any longer, and we expect that most users are no longer using it. 
Signed-off-by: Ryan Turner --- cmd/spire-agent/cli/run/run.go | 5 - cmd/spire-agent/cli/run/run_test.go | 14 - conf/agent/agent_full.conf | 6 - doc/spire_agent.md | 1 - pkg/agent/agent.go | 1 - pkg/agent/config.go | 3 - pkg/agent/endpoints/config.go | 6 - pkg/agent/endpoints/endpoints.go | 18 - pkg/agent/endpoints/endpoints_test.go | 54 -- pkg/agent/endpoints/metrics.go | 4 +- pkg/agent/endpoints/sdsv2/handler.go | 401 ----------- pkg/agent/endpoints/sdsv2/handler_test.go | 670 ------------------ pkg/common/api/middleware/names.go | 3 - test/integration/README.md | 1 - test/integration/suites/envoy-sds-v2/00-setup | 20 - .../suites/envoy-sds-v2/01-start-server | 3 - .../suites/envoy-sds-v2/02-bootstrap-agents | 9 - .../03-start-remaining-containers | 4 - .../envoy-sds-v2/04-create-workload-entries | 17 - .../05-check-workload-connectivity | 38 - .../integration/suites/envoy-sds-v2/README.md | 13 - .../conf/downstream-agent/agent.conf | 30 - .../conf/downstream-envoy/envoy.yaml | 92 --- .../envoy-sds-v2/conf/server/server.conf | 26 - .../suites/envoy-sds-v2/conf/supervisord.conf | 9 - .../conf/upstream-agent/agent.conf | 30 - .../conf/upstream-envoy/envoy.yaml | 81 --- .../suites/envoy-sds-v2/docker-compose.yaml | 40 -- test/integration/suites/envoy-sds-v2/teardown | 6 - 29 files changed, 2 insertions(+), 1603 deletions(-) delete mode 100644 pkg/agent/endpoints/sdsv2/handler.go delete mode 100644 pkg/agent/endpoints/sdsv2/handler_test.go delete mode 100755 test/integration/suites/envoy-sds-v2/00-setup delete mode 100755 test/integration/suites/envoy-sds-v2/01-start-server delete mode 100755 test/integration/suites/envoy-sds-v2/02-bootstrap-agents delete mode 100755 test/integration/suites/envoy-sds-v2/03-start-remaining-containers delete mode 100755 test/integration/suites/envoy-sds-v2/04-create-workload-entries delete mode 100755 test/integration/suites/envoy-sds-v2/05-check-workload-connectivity delete mode 100644 test/integration/suites/envoy-sds-v2/README.md 
delete mode 100644 test/integration/suites/envoy-sds-v2/conf/downstream-agent/agent.conf delete mode 100644 test/integration/suites/envoy-sds-v2/conf/downstream-envoy/envoy.yaml delete mode 100644 test/integration/suites/envoy-sds-v2/conf/server/server.conf delete mode 100644 test/integration/suites/envoy-sds-v2/conf/supervisord.conf delete mode 100644 test/integration/suites/envoy-sds-v2/conf/upstream-agent/agent.conf delete mode 100644 test/integration/suites/envoy-sds-v2/conf/upstream-envoy/envoy.yaml delete mode 100644 test/integration/suites/envoy-sds-v2/docker-compose.yaml delete mode 100755 test/integration/suites/envoy-sds-v2/teardown diff --git a/cmd/spire-agent/cli/run/run.go b/cmd/spire-agent/cli/run/run.go index f019e567c87..aaf684184a3 100644 --- a/cmd/spire-agent/cli/run/run.go +++ b/cmd/spire-agent/cli/run/run.go @@ -107,7 +107,6 @@ type sdsConfig struct { DefaultBundleName string `hcl:"default_bundle_name"` DefaultAllBundlesName string `hcl:"default_all_bundles_name"` DisableSPIFFECertValidation bool `hcl:"disable_spiffe_cert_validation"` - EnableDeprecatedv2API bool `hcl:"enable_deprecated_v2_api"` } type experimentalConfig struct { @@ -504,10 +503,6 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool) ac.JoinToken = c.Agent.JoinToken ac.DataDir = c.Agent.DataDir ac.DefaultSVIDName = c.Agent.SDS.DefaultSVIDName - ac.EnableDeprecatedSDSv2API = c.Agent.SDS.EnableDeprecatedv2API - if ac.EnableDeprecatedSDSv2API { - logger.Warn("The Envoy SDS v2 API is now deprecated in SPIRE and is no longer supported by Envoy. It is recommended that users of the SDS v2 API migrate to the SDS v3 API. The SDS v2 API and this config setting will be removed in a future version.") - } ac.DefaultBundleName = c.Agent.SDS.DefaultBundleName ac.DefaultAllBundlesName = c.Agent.SDS.DefaultAllBundlesName if ac.DefaultAllBundlesName == ac.DefaultBundleName { 
diff --git a/cmd/spire-agent/cli/run/run_test.go b/cmd/spire-agent/cli/run/run_test.go index 0b00b7f5d27..d5c913cfcb1 100644 --- a/cmd/spire-agent/cli/run/run_test.go +++ b/cmd/spire-agent/cli/run/run_test.go @@ -244,18 +244,6 @@ func TestMergeInput(t *testing.T) { require.Equal(t, "foo", c.Agent.SDS.DefaultAllBundlesName) }, }, - { - msg: "enable_deprecated_v2_api should be configurable by file", - fileInput: func(c *Config) { - c.Agent.SDS = sdsConfig{ - EnableDeprecatedv2API: true, - } - }, - cliInput: func(ac *agentConfig) {}, - test: func(t *testing.T, c *Config) { - require.True(t, c.Agent.SDS.EnableDeprecatedv2API) - }, - }, { msg: "disable_spiffe_cert_validation should default value of false", fileInput: func(c *Config) {}, @@ -881,14 +869,12 @@ func TestNewAgentConfig(t *testing.T) { c.Agent.SDS.DefaultBundleName = "DefaultBundleName" c.Agent.SDS.DefaultAllBundlesName = "DefaultAllBundlesName" c.Agent.SDS.DisableSPIFFECertValidation = true - c.Agent.SDS.EnableDeprecatedv2API = true }, test: func(t *testing.T, c *agent.Config) { assert.Equal(t, c.DefaultSVIDName, "DefaultSVIDName") assert.Equal(t, c.DefaultBundleName, "DefaultBundleName") assert.Equal(t, c.DefaultAllBundlesName, "DefaultAllBundlesName") assert.True(t, c.DisableSPIFFECertValidation) - assert.True(t, c.EnableDeprecatedSDSv2API) }, }, { diff --git a/conf/agent/agent_full.conf b/conf/agent/agent_full.conf index 5b130398df0..c1cfe066358 100644 --- a/conf/agent/agent_full.conf +++ b/conf/agent/agent_full.conf 
@@ -76,12 +76,6 @@ agent { # sds: Optional SDS configuration section. # sds = { - # # enable_deprecated_v2_api: Enable deprecated SDS v2 API. It is recommended that - # # users of the SDS v2 API migrate to the SDS v3 API. - # # The SDS v2 API and this config setting will be removed in a future version. - # # Default: false - # # enable_deprecated_v2_api = false - # # # default_svid_name: The TLS Certificate resource name to use for the default # # X509-SVID with Envoy SDS. Default: default. # # default_svid_name = "default" diff --git a/doc/spire_agent.md b/doc/spire_agent.md index b625e621c15..f5758bf0bdd 100644 --- a/doc/spire_agent.md +++ b/doc/spire_agent.md @@ -88,7 +88,6 @@ Only one of these three options may be set at a time. | Configuration | Description | Default | |----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| -| `enable_deprecated_v2_api` | Enable deprecated SDS v2 API. It is recommended that users of the SDS v2 API migrate to the SDS v3 API. The SDS v2 API and this config setting will be removed in a future version. | false | | `default_svid_name` | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS | default | | `default_bundle_name` | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS | ROOTCA | | `default_all_bundles_name` | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS | ALL | diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go index 46199b87acb..553ff481af1 100644 --- a/pkg/agent/agent.go +++ b/pkg/agent/agent.go 
@@ -269,7 +269,6 @@ func (a *Agent) newEndpoints(metrics telemetry.Metrics, mgr manager.Manager, att DefaultBundleName: a.c.DefaultBundleName, DefaultAllBundlesName: a.c.DefaultAllBundlesName, DisableSPIFFECertValidation: a.c.DisableSPIFFECertValidation, - EnableDeprecatedSDSv2API: a.c.EnableDeprecatedSDSv2API, AllowUnauthenticatedVerifiers: a.c.AllowUnauthenticatedVerifiers, AllowedForeignJWTClaims: a.c.AllowedForeignJWTClaims, TrustDomain: a.c.TrustDomain, diff --git a/pkg/agent/config.go b/pkg/agent/config.go index 2e8a21fd296..491a61981c5 100644 --- a/pkg/agent/config.go +++ b/pkg/agent/config.go @@ -36,9 +36,6 @@ type Config struct { // The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS DefaultSVIDName string - // Enable deprecated Envoy SDS v2 API - EnableDeprecatedSDSv2API bool - // If true, the agent will bootstrap insecurely with the server InsecureBootstrap bool diff --git a/pkg/agent/endpoints/config.go b/pkg/agent/endpoints/config.go index 09a49ec9b02..2bbd30ac253 100644 --- a/pkg/agent/endpoints/config.go +++ b/pkg/agent/endpoints/config.go @@ -3,14 +3,12 @@ package endpoints import ( "net" - discovery_v2 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2" secret_v3 "github.com/envoyproxy/go-control-plane/envoy/service/secret/v3" "github.com/sirupsen/logrus" workload_pb "github.com/spiffe/go-spiffe/v2/proto/spiffe/workload" "github.com/spiffe/go-spiffe/v2/spiffeid" healthv1 "github.com/spiffe/spire/pkg/agent/api/health/v1" attestor "github.com/spiffe/spire/pkg/agent/attestor/workload" - "github.com/spiffe/spire/pkg/agent/endpoints/sdsv2" "github.com/spiffe/spire/pkg/agent/endpoints/sdsv3" "github.com/spiffe/spire/pkg/agent/endpoints/workload" "github.com/spiffe/spire/pkg/agent/manager" 
@@ -41,9 +39,6 @@ type Config struct { // Disable custom Envoy SDS validator DisableSPIFFECertValidation bool - // Enable deprecated envoy SDS v2 API - EnableDeprecatedSDSv2API bool - AllowUnauthenticatedVerifiers bool AllowedForeignJWTClaims []string @@ -53,7 +48,6 @@ type Config struct { // Hooks used by the unit tests to assert that the configuration provided // to each handler is correct and return fake handlers. newWorkloadAPIServer func(workload.Config) workload_pb.SpiffeWorkloadAPIServer - newSDSv2Server func(sdsv2.Config) discovery_v2.SecretDiscoveryServiceServer newSDSv3Server func(sdsv3.Config) secret_v3.SecretDiscoveryServiceServer newHealthServer func(healthv1.Config) grpc_health_v1.HealthServer } diff --git a/pkg/agent/endpoints/endpoints.go b/pkg/agent/endpoints/endpoints.go index ae61f5e04de..b55ccb9d5e5 100644 --- a/pkg/agent/endpoints/endpoints.go +++ b/pkg/agent/endpoints/endpoints.go @@ -5,12 +5,10 @@ import ( "errors" "net" - discovery_v2 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2" secret_v3 "github.com/envoyproxy/go-control-plane/envoy/service/secret/v3" "github.com/sirupsen/logrus" workload_pb "github.com/spiffe/go-spiffe/v2/proto/spiffe/workload" healthv1 "github.com/spiffe/spire/pkg/agent/api/health/v1" - "github.com/spiffe/spire/pkg/agent/endpoints/sdsv2" "github.com/spiffe/spire/pkg/agent/endpoints/sdsv3" "github.com/spiffe/spire/pkg/agent/endpoints/workload" "github.com/spiffe/spire/pkg/common/api/middleware" @@ -29,7 +27,6 @@ type Endpoints struct { log logrus.FieldLogger metrics telemetry.Metrics workloadAPIServer workload_pb.SpiffeWorkloadAPIServer - sdsv2Server discovery_v2.SecretDiscoveryServiceServer sdsv3Server secret_v3.SecretDiscoveryServiceServer healthServer grpc_health_v1.HealthServer 
@@ -47,11 +44,6 @@ func New(c Config) *Endpoints { return workload.New(c) } } - if c.newSDSv2Server == nil { - c.newSDSv2Server = func(c sdsv2.Config) discovery_v2.SecretDiscoveryServiceServer { - return sdsv2.New(c) - } - } if c.newSDSv3Server == nil { c.newSDSv3Server = func(c sdsv3.Config) secret_v3.SecretDiscoveryServiceServer { return sdsv3.New(c) @@ -76,14 +68,6 @@ func New(c Config) *Endpoints { TrustDomain: c.TrustDomain, }) - sdsv2Server := c.newSDSv2Server(sdsv2.Config{ - Attestor: attestor, - Manager: c.Manager, - DefaultSVIDName: c.DefaultSVIDName, - DefaultBundleName: c.DefaultBundleName, - Enabled: c.EnableDeprecatedSDSv2API, - }) - sdsv3Server := c.newSDSv3Server(sdsv3.Config{ Attestor: attestor, Manager: c.Manager, @@ -102,7 +86,6 @@ func New(c Config) *Endpoints { log: c.Log, metrics: c.Metrics, workloadAPIServer: workloadAPIServer, - sdsv2Server: sdsv2Server, sdsv3Server: sdsv3Server, healthServer: healthServer, } @@ -120,7 +103,6 @@ func (e *Endpoints) ListenAndServe(ctx context.Context) error { ) workload_pb.RegisterSpiffeWorkloadAPIServer(server, e.workloadAPIServer) - discovery_v2.RegisterSecretDiscoveryServiceServer(server, e.sdsv2Server) secret_v3.RegisterSecretDiscoveryServiceServer(server, e.sdsv3Server) grpc_health_v1.RegisterHealthServer(server, e.healthServer) diff --git a/pkg/agent/endpoints/endpoints_test.go b/pkg/agent/endpoints/endpoints_test.go index aa4e4b139cb..cf7b7c45c8f 100644 --- a/pkg/agent/endpoints/endpoints_test.go +++ b/pkg/agent/endpoints/endpoints_test.go @@ -8,8 +8,6 @@ import ( "time" "github.com/armon/go-metrics" - api_v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2" - discovery_v2 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2" discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3" secret_v3 "github.com/envoyproxy/go-control-plane/envoy/service/secret/v3" "github.com/sirupsen/logrus" 
@@ -17,7 +15,6 @@ import (
 workload_pb "github.com/spiffe/go-spiffe/v2/proto/spiffe/workload"
 healthv1 "github.com/spiffe/spire/pkg/agent/api/health/v1"
 "github.com/spiffe/spire/pkg/agent/api/rpccontext"
- "github.com/spiffe/spire/pkg/agent/endpoints/sdsv2"
 "github.com/spiffe/spire/pkg/agent/endpoints/sdsv3"
 "github.com/spiffe/spire/pkg/agent/endpoints/workload"
 "github.com/spiffe/spire/pkg/agent/manager"
@@ -98,33 +95,6 @@ func TestEndpoints(t *testing.T) {
 }},
 },
 },
- {
- name: "sds v2 api has peertracker attestor plumbed",
- do: func(t *testing.T, conn *grpc.ClientConn) {
- sdsClient := discovery_v2.NewSecretDiscoveryServiceClient(conn)
- _, err := sdsClient.FetchSecrets(ctx, &api_v2.DiscoveryRequest{})
- require.NoError(t, err)
- },
- expectedLogs: []spiretest.LogEntry{
- logEntryWithPID(logrus.InfoLevel, "Success",
- "method", "FetchSecrets",
- "service", "SDS.v2",
- ),
- },
- expectedMetrics: []fakemetrics.MetricItem{
- // Global connection counter and then the increment/decrement of the connection gauge
- {Type: fakemetrics.IncrCounterType, Key: []string{"sds_api", "connection"}, Val: 1},
- {Type: fakemetrics.SetGaugeType, Key: []string{"sds_api", "connections"}, Val: 1},
- {Type: fakemetrics.SetGaugeType, Key: []string{"sds_api", "connections"}, Val: 0},
- // Call counter
- {Type: fakemetrics.IncrCounterWithLabelsType, Key: []string{"rpc", "sds", "v2", "fetch_secrets"}, Val: 1, Labels: []metrics.Label{
- {Name: "status", Value: "OK"},
- }},
- {Type: fakemetrics.MeasureSinceWithLabelsType, Key: []string{"rpc", "sds", "v2", "fetch_secrets", "elapsed_time"}, Val: 0, Labels: []metrics.Label{
- {Name: "status", Value: "OK"},
- }},
- },
- },
 {
 name: "sds v3 api has peertracker attestor plumbed",
 do: func(t *testing.T, conn *grpc.ClientConn) {
@@ -173,7 +143,6 @@ func TestEndpoints(t *testing.T) {
 DefaultAllBundlesName: "DefaultAllBundlesName",
 DisableSPIFFECertValidation: true,
 AllowedForeignJWTClaims: tt.allowedClaims,
- EnableDeprecatedSDSv2API: true,
 
 // Assert the provided config and return a fake Workload API server
 newWorkloadAPIServer: func(c workload.Config) workload_pb.SpiffeWorkloadAPIServer {
@@ -188,17 +157,6 @@ func TestEndpoints(t *testing.T) {
 return FakeWorkloadAPIServer{Attestor: attestor}
 },
 
- // Assert the provided config and return a fake SDS server
- newSDSv2Server: func(c sdsv2.Config) discovery_v2.SecretDiscoveryServiceServer {
- attestor, ok := c.Attestor.(PeerTrackerAttestor)
- require.True(t, ok, "attestor was not a PeerTrackerAttestor wrapper")
- assert.Equal(t, FakeManager{}, c.Manager)
- assert.Equal(t, "DefaultSVIDName", c.DefaultSVIDName)
- assert.Equal(t, "DefaultBundleName", c.DefaultBundleName)
- assert.True(t, c.Enabled)
- return FakeSDSv2Server{Attestor: attestor}
- },
-
 // Assert the provided config and return a fake SDS server
 newSDSv3Server: func(c sdsv3.Config) secret_v3.SecretDiscoveryServiceServer {
 attestor, ok := c.Attestor.(PeerTrackerAttestor)
@@ -276,18 +234,6 @@ func (s FakeWorkloadAPIServer) FetchJWTSVID(ctx context.Context, _ *workload_pb.
 return &workload_pb.JWTSVIDResponse{}, nil
 }
 
-type FakeSDSv2Server struct {
- Attestor PeerTrackerAttestor
- *discovery_v2.UnimplementedSecretDiscoveryServiceServer
-}
-
-func (s FakeSDSv2Server) FetchSecrets(ctx context.Context, _ *api_v2.DiscoveryRequest) (*api_v2.DiscoveryResponse, error) {
- if err := attest(ctx, s.Attestor); err != nil {
- return nil, err
- }
- return &api_v2.DiscoveryResponse{}, nil
-}
-
 type FakeSDSv3Server struct {
 Attestor PeerTrackerAttestor
 *secret_v3.UnimplementedSecretDiscoveryServiceServer
diff --git a/pkg/agent/endpoints/metrics.go b/pkg/agent/endpoints/metrics.go
index 812fe2c6494..5c7d75ea101 100644
--- a/pkg/agent/endpoints/metrics.go
+++ b/pkg/agent/endpoints/metrics.go
@@ -31,7 +31,7 @@ func (m *connectionMetrics) Preprocess(ctx context.Context, _ string, _ interfac
 case middleware.WorkloadAPIServiceName:
 workloadAPITelemetry.IncrConnectionCounter(m.metrics)
 workloadAPITelemetry.SetConnectionTotalGauge(m.metrics, atomic.AddInt32(&m.workloadAPIConns, 1))
- case middleware.EnvoySDSv2ServiceName, middleware.EnvoySDSv3ServiceName:
+ case middleware.EnvoySDSv3ServiceName:
 sdsAPITelemetry.IncrSDSAPIConnectionCounter(m.metrics)
 sdsAPITelemetry.SetSDSAPIConnectionTotalGauge(m.metrics, atomic.AddInt32(&m.sdsAPIConns, 1))
 case middleware.DelegatedIdentityServiceName:
@@ -51,7 +51,7 @@ func (m *connectionMetrics) Postprocess(ctx context.Context, _ string, _ bool, _
 switch names.RawService {
 case middleware.WorkloadAPIServiceName:
 workloadAPITelemetry.SetConnectionTotalGauge(m.metrics, atomic.AddInt32(&m.workloadAPIConns, -1))
- case middleware.EnvoySDSv2ServiceName, middleware.EnvoySDSv3ServiceName:
+ case middleware.EnvoySDSv3ServiceName:
 sdsAPITelemetry.SetSDSAPIConnectionTotalGauge(m.metrics, atomic.AddInt32(&m.sdsAPIConns, -1))
 case middleware.DelegatedIdentityServiceName:
 adminapi.SetDelegatedIdentityAPIConnectionGauge(m.metrics, atomic.AddInt32(&m.delegatedIdentityAPIConns, -1))
diff --git a/pkg/agent/endpoints/sdsv2/handler.go b/pkg/agent/endpoints/sdsv2/handler.go
deleted file mode 100644
index 969c46a9e10..00000000000
--- a/pkg/agent/endpoints/sdsv2/handler.go
+++ /dev/null
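Review bot: An Envoy still configured for SDS v2 now matches neither `case` arm in Preprocess or Postprocess, so its connection attempts stop being counted under the `sds_api` metrics at the same moment the v2 service is deregistered in endpoints.go and those calls start failing with a generic gRPC Unimplemented "unknown service" instead of the `codes.Unavailable` message with a migration pointer that the deleted handler returned; both functions extend beyond this hunk. A fleet mid-migration therefore loses the explicit error and the telemetry signal together, so I would state in the agent docs/changelog that v2 clients now get Unimplemented, and consider a one-time warning log for unrecognised `names.RawService` values in the middleware so the condition stays diagnosable. If `middleware.EnvoySDSv2ServiceName` and the `SDS.v2` service-name mapping (visible in the removed endpoints_test expectations) still exist in pkg/common/api/middleware they are dead after this commit and belong in the same change; that package is not in this diff, so please confirm. Likewise, the `enable_deprecated_v2_api` config key only disappears from the `Config` structs here, so whether an agent config that still sets it is rejected or silently ignored depends on the config decoder not shown in this patch and should be called out in the release notes.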
@@ -1,401 +0,0 @@ -package sdsv2 - -import ( - "context" - "crypto/rand" - "encoding/hex" - "errors" - "io" - "sort" - "strconv" - - api_v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2" - auth_v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" - core_v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" - discovery_v2 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2" - "github.com/sirupsen/logrus" - "github.com/spiffe/go-spiffe/v2/bundle/spiffebundle" - "github.com/spiffe/spire/pkg/agent/api/rpccontext" - "github.com/spiffe/spire/pkg/agent/manager/cache" - "github.com/spiffe/spire/pkg/common/pemutil" - "github.com/spiffe/spire/pkg/common/telemetry" - "github.com/spiffe/spire/proto/spire/common" - "github.com/zeebo/errs" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" - "google.golang.org/protobuf/types/known/anypb" -) - -const ( - deprecatedAPIErrorMsg = "the Envoy SDS v2 API is now deprecated in SPIRE and is no longer supported by Envoy. Please refer to: https://www.envoyproxy.io/docs/envoy/latest/api/api_supported_versions. The SDS v2 API can be enabled using the config setting 'enable_deprecated_v2_api': https://github.com/spiffe/spire/blob/main/doc/spire_agent.md#sds-configuration. It is recommended that users of the SDS v2 API migrate to the SDS v3 API. The SDS v2 API and this config setting will be removed in a future version." 
-) - -type Attestor interface { - Attest(ctx context.Context) ([]*common.Selector, error) -} - -type Manager interface { - SubscribeToCacheChanges(ctx context.Context, key cache.Selectors) (cache.Subscriber, error) - FetchWorkloadUpdate(selectors []*common.Selector) *cache.WorkloadUpdate -} - -type Config struct { - Attestor Attestor - Manager Manager - DefaultBundleName string - DefaultSVIDName string - Enabled bool -} - -type Handler struct { - c Config - - hooks struct { - // test hook used to synchronize receipt of a stream request - received chan struct{} - } -} - -func New(config Config) *Handler { - return &Handler{c: config} -} - -func (h *Handler) StreamSecrets(stream discovery_v2.SecretDiscoveryService_StreamSecretsServer) error { - if !h.c.Enabled { - return status.Error(codes.Unavailable, deprecatedAPIErrorMsg) - } - - log := rpccontext.Logger(stream.Context()) - - selectors, err := h.c.Attestor.Attest(stream.Context()) - if err != nil { - log.WithError(err).Error("Failed to attest the workload") - return err - } - - sub, err := h.c.Manager.SubscribeToCacheChanges(stream.Context(), selectors) - if err != nil { - log.WithError(err).Error("Subscribe to cache changes failed") - return err - } - defer sub.Finish() - - updch := sub.Updates() - reqch := make(chan *api_v2.DiscoveryRequest, 1) - errch := make(chan error, 1) - - go func() { - for { - req, err := stream.Recv() - if err != nil { - if status.Code(err) == codes.Canceled || errors.Is(err, io.EOF) { - err = nil - } - errch <- err - return - } - reqch <- req - } - }() - - var versionCounter int64 - var versionInfo = strconv.FormatInt(versionCounter, 10) - var lastNonce string - var upd *cache.WorkloadUpdate - var lastReq *api_v2.DiscoveryRequest - for { - select { - case newReq := <-reqch: - log.WithFields(logrus.Fields{ - telemetry.ResourceNames: newReq.ResourceNames, - telemetry.VersionInfo: newReq.VersionInfo, - telemetry.Nonce: newReq.ResponseNonce, - }).Debug("Received StreamSecrets request") - 
h.triggerReceivedHook() - - // If there's error detail, always log it - if newReq.ErrorDetail != nil { - log.WithFields(logrus.Fields{ - telemetry.ResourceNames: newReq.ResourceNames, - telemetry.Error: newReq.ErrorDetail.Message, - }).Error("Envoy reported errors applying secrets") - } - - // If we've previously sent a nonce, this must be a reply - if lastNonce != "" { - // The nonce should match the last sent nonce, otherwise - // it's stale and the request should be ignored. - if lastNonce != newReq.ResponseNonce { - log.WithFields(logrus.Fields{ - telemetry.Nonce: newReq.ResponseNonce, - telemetry.Expect: lastNonce, - }).Warn("Received unexpected nonce; ignoring request") - continue - } - - if newReq.VersionInfo == "" || newReq.VersionInfo != versionInfo { - // The caller has failed to apply the last update. - // A NACK might also contain an update to the resource hint, so we need to continue processing. - log.WithFields(logrus.Fields{ - telemetry.VersionInfo: newReq.VersionInfo, - telemetry.Expect: versionInfo, - }).Error("Client rejected expected version and rolled back") - } - } - - // We need to send updates if the requested resource list has changed - // either explicitly, or implicitly because this is the first request. - var sendUpdates = lastReq == nil || subListChanged(lastReq.ResourceNames, newReq.ResourceNames) - - // save request so that all future workload updates lead to SDS updates for the last request - lastReq = newReq - - if !sendUpdates { - continue - } - - if upd == nil { - // Workload update has not been received yet, defer sending updates until then - continue - } - - case upd = <-updch: - versionCounter++ - versionInfo = strconv.FormatInt(versionCounter, 10) - if lastReq == nil { - // Nothing has been requested yet. 
- continue - } - case err := <-errch: - log.WithError(err).Error("Received error from stream secrets server") - return err - } - - resp, err := h.buildResponse(versionInfo, lastReq, upd) - if err != nil { - log.WithError(err).Error("Error building stream secrets response") - return err - } - - log.WithFields(logrus.Fields{ - telemetry.VersionInfo: resp.VersionInfo, - telemetry.Nonce: resp.Nonce, - telemetry.Count: len(resp.Resources), - }).Debug("Sending StreamSecrets response") - if err := stream.Send(resp); err != nil { - log.WithError(err).Error("Error sending secrets over stream") - return err - } - - // remember the last nonce - lastNonce = resp.Nonce - } -} - -func subListChanged(oldSubs []string, newSubs []string) (b bool) { - if len(oldSubs) != len(newSubs) { - return true - } - var subMap = make(map[string]bool) - for _, sub := range oldSubs { - subMap[sub] = true - } - for _, sub := range newSubs { - if !subMap[sub] { - return true - } - } - return false -} - -func (h *Handler) DeltaSecrets(discovery_v2.SecretDiscoveryService_DeltaSecretsServer) error { - if !h.c.Enabled { - return status.Error(codes.Unavailable, deprecatedAPIErrorMsg) - } - return status.Error(codes.Unimplemented, "Method is not implemented") -} - -func (h *Handler) FetchSecrets(ctx context.Context, req *api_v2.DiscoveryRequest) (*api_v2.DiscoveryResponse, error) { - if !h.c.Enabled { - return nil, status.Error(codes.Unavailable, deprecatedAPIErrorMsg) - } - - log := rpccontext.Logger(ctx).WithFields(logrus.Fields{ - telemetry.ResourceNames: req.ResourceNames, - }) - - selectors, err := h.c.Attestor.Attest(ctx) - if err != nil { - log.WithError(err).Error("Failed to attest the workload") - return nil, err - } - - upd := h.c.Manager.FetchWorkloadUpdate(selectors) - - resp, err := h.buildResponse("", req, upd) - if err != nil { - log.WithError(err).Error("Error building fetch secrets response") - return nil, err - } - - log.WithFields(logrus.Fields{ - telemetry.Count: len(resp.Resources), 
- }).Debug("Sending FetchSecrets response") - - return resp, nil -} - -func (h *Handler) buildResponse(versionInfo string, req *api_v2.DiscoveryRequest, upd *cache.WorkloadUpdate) (resp *api_v2.DiscoveryResponse, err error) { - resp = &api_v2.DiscoveryResponse{ - TypeUrl: req.TypeUrl, - VersionInfo: versionInfo, - } - - // provide a nonce for streaming requests - if versionInfo != "" { - if resp.Nonce, err = nextNonce(); err != nil { - return nil, err - } - } - - // build a convenient set of names for lookups - names := make(map[string]bool) - for _, name := range req.ResourceNames { - if name != "" { - names[name] = true - } - } - returnAllEntries := len(names) == 0 - - // TODO: verify the type url - if upd.Bundle != nil { - switch { - case returnAllEntries || names[upd.Bundle.TrustDomain().IDString()]: - validationContext, err := buildValidationContext(upd.Bundle, "") - if err != nil { - return nil, err - } - delete(names, upd.Bundle.TrustDomain().IDString()) - resp.Resources = append(resp.Resources, validationContext) - case names[h.c.DefaultBundleName]: - validationContext, err := buildValidationContext(upd.Bundle, h.c.DefaultBundleName) - if err != nil { - return nil, err - } - delete(names, h.c.DefaultBundleName) - resp.Resources = append(resp.Resources, validationContext) - } - } - - for _, federatedBundle := range upd.FederatedBundles { - if returnAllEntries || names[federatedBundle.TrustDomain().IDString()] { - validationContext, err := buildValidationContext(federatedBundle, "") - if err != nil { - return nil, err - } - delete(names, federatedBundle.TrustDomain().IDString()) - resp.Resources = append(resp.Resources, validationContext) - } - } - - for i, identity := range upd.Identities { - switch { - case returnAllEntries || names[identity.Entry.SpiffeId]: - tlsCertificate, err := buildTLSCertificate(identity, "") - if err != nil { - return nil, err - } - delete(names, identity.Entry.SpiffeId) - resp.Resources = append(resp.Resources, tlsCertificate) - 
case i == 0 && names[h.c.DefaultSVIDName]: - tlsCertificate, err := buildTLSCertificate(identity, h.c.DefaultSVIDName) - if err != nil { - return nil, err - } - delete(names, h.c.DefaultSVIDName) - resp.Resources = append(resp.Resources, tlsCertificate) - } - } - - if len(names) > 0 { - return nil, errs.New("workload is not authorized for the requested identities %q", sortedNames(names)) - } - - return resp, nil -} - -func (h *Handler) triggerReceivedHook() { - if h.hooks.received != nil { - h.hooks.received <- struct{}{} - } -} - -func buildTLSCertificate(identity cache.Identity, defaultSVIDName string) (*anypb.Any, error) { - name := identity.Entry.SpiffeId - if defaultSVIDName != "" { - name = defaultSVIDName - } - - keyPEM, err := pemutil.EncodePKCS8PrivateKey(identity.PrivateKey) - if err != nil { - return nil, err - } - - certsPEM := pemutil.EncodeCertificates(identity.SVID) - - return anypb.New(&auth_v2.Secret{ - Name: name, - Type: &auth_v2.Secret_TlsCertificate{ - TlsCertificate: &auth_v2.TlsCertificate{ - CertificateChain: &core_v2.DataSource{ - Specifier: &core_v2.DataSource_InlineBytes{ - InlineBytes: certsPEM, - }, - }, - PrivateKey: &core_v2.DataSource{ - Specifier: &core_v2.DataSource_InlineBytes{ - InlineBytes: keyPEM, - }, - }, - }, - }, - }) -} - -func buildValidationContext(bundle *spiffebundle.Bundle, defaultBundleName string) (*anypb.Any, error) { - name := bundle.TrustDomain().IDString() - if defaultBundleName != "" { - name = defaultBundleName - } - caBytes := pemutil.EncodeCertificates(bundle.X509Authorities()) - return anypb.New(&auth_v2.Secret{ - Name: name, - Type: &auth_v2.Secret_ValidationContext{ - ValidationContext: &auth_v2.CertificateValidationContext{ - TrustedCa: &core_v2.DataSource{ - Specifier: &core_v2.DataSource_InlineBytes{ - InlineBytes: caBytes, - }, - }, - }, - }, - }) -} - -func nextNonce() (string, error) { - b := make([]byte, 4) - _, err := rand.Read(b) - if err != nil { - return "", errs.Wrap(err) - } - return 
hex.EncodeToString(b), nil -} - -func sortedNames(names map[string]bool) []string { - out := make([]string, 0, len(names)) - for name := range names { - out = append(out, name) - } - sort.Strings(out) - return out -} diff --git a/pkg/agent/endpoints/sdsv2/handler_test.go b/pkg/agent/endpoints/sdsv2/handler_test.go deleted file mode 100644 index 5774ee435b6..00000000000 --- a/pkg/agent/endpoints/sdsv2/handler_test.go +++ /dev/null 
@@ -1,670 +0,0 @@ -package sdsv2 - -import ( - "context" - "crypto/x509" - "errors" - "net" - "sync" - "testing" - "time" - - api_v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2" - auth_v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" - core_v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" - sds_v2 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2" - "github.com/sirupsen/logrus/hooks/test" - "github.com/spiffe/go-spiffe/v2/bundle/spiffebundle" - "github.com/spiffe/go-spiffe/v2/spiffeid" - "github.com/spiffe/spire/pkg/agent/manager/cache" - "github.com/spiffe/spire/pkg/common/api/middleware" - "github.com/spiffe/spire/pkg/common/peertracker" - "github.com/spiffe/spire/pkg/common/pemutil" - "github.com/spiffe/spire/proto/spire/common" - "github.com/spiffe/spire/test/spiretest" - "github.com/stretchr/testify/require" - "google.golang.org/genproto/googleapis/rpc/status" - "google.golang.org/grpc" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/credentials" - "google.golang.org/grpc/credentials/insecure" -) - -var ( - tdBundle = spiffebundle.FromX509Authorities(spiffeid.RequireTrustDomainFromString("domain.test"), []*x509.Certificate{{ - Raw: []byte("BUNDLE"), - }}) - tdValidationContext = &auth_v2.Secret{ - Name: "spiffe://domain.test", - Type: &auth_v2.Secret_ValidationContext{ - ValidationContext: &auth_v2.CertificateValidationContext{ - TrustedCa: &core_v2.DataSource{ - Specifier: &core_v2.DataSource_InlineBytes{ - InlineBytes: []byte("-----BEGIN CERTIFICATE-----\nQlVORExF\n-----END CERTIFICATE-----\n"), - }, - }, - }, - }, - } - - tdValidationContext2 = &auth_v2.Secret{ - Name: "ROOTCA", - Type: &auth_v2.Secret_ValidationContext{ - ValidationContext: &auth_v2.CertificateValidationContext{ - TrustedCa: &core_v2.DataSource{ - Specifier: &core_v2.DataSource_InlineBytes{ - InlineBytes: []byte("-----BEGIN CERTIFICATE-----\nQlVORExF\n-----END CERTIFICATE-----\n"), - }, - }, - }, - }, - } - - fedBundle = 
spiffebundle.FromX509Authorities(spiffeid.RequireTrustDomainFromString("otherdomain.test"), []*x509.Certificate{{ - Raw: []byte("FEDBUNDLE"), - }}) - fedValidationContext = &auth_v2.Secret{ - Name: "spiffe://otherdomain.test", - Type: &auth_v2.Secret_ValidationContext{ - ValidationContext: &auth_v2.CertificateValidationContext{ - TrustedCa: &core_v2.DataSource{ - Specifier: &core_v2.DataSource_InlineBytes{ - InlineBytes: []byte("-----BEGIN CERTIFICATE-----\nRkVEQlVORExF\n-----END CERTIFICATE-----\n"), - }, - }, - }, - }, - } - - workloadKeyPEM = []byte(`-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgN2PdPEglb3JjF1Fg -cqyEiRJHqtqzSUBnIeWCixn4hH2hRANCAARW+TsDRr0b0wJqg2kY5JvjX7UfAV3m -MC2hK9d8Z5ENZc9lFW48vObdcHcHdHvAaA8z2GM02pDkTt5pgUvRHlsf ------END PRIVATE KEY----- -`) - workloadKey, _ = pemutil.ParseECPrivateKey(workloadKeyPEM) - - workloadCert1 = &x509.Certificate{Raw: []byte("WORKLOAD1")} - workloadTLSCertificate1 = &auth_v2.Secret{ - Name: "spiffe://domain.test/workload", - Type: &auth_v2.Secret_TlsCertificate{ - TlsCertificate: &auth_v2.TlsCertificate{ - CertificateChain: &core_v2.DataSource{ - Specifier: &core_v2.DataSource_InlineBytes{ - InlineBytes: []byte("-----BEGIN CERTIFICATE-----\nV09SS0xPQUQx\n-----END CERTIFICATE-----\n"), - }, - }, - PrivateKey: &core_v2.DataSource{ - Specifier: &core_v2.DataSource_InlineBytes{ - InlineBytes: workloadKeyPEM, - }, - }, - }, - }, - } - - workloadCert2 = &x509.Certificate{Raw: []byte("WORKLOAD2")} - workloadTLSCertificate2 = &auth_v2.Secret{ - Name: "spiffe://domain.test/workload", - Type: &auth_v2.Secret_TlsCertificate{ - TlsCertificate: &auth_v2.TlsCertificate{ - CertificateChain: &core_v2.DataSource{ - Specifier: &core_v2.DataSource_InlineBytes{ - InlineBytes: []byte("-----BEGIN CERTIFICATE-----\nV09SS0xPQUQy\n-----END CERTIFICATE-----\n"), - }, - }, - PrivateKey: &core_v2.DataSource{ - Specifier: &core_v2.DataSource_InlineBytes{ - InlineBytes: workloadKeyPEM, - }, - }, - }, - }, - } - - 
workloadTLSCertificate3 = &auth_v2.Secret{ - Name: "default", - Type: &auth_v2.Secret_TlsCertificate{ - TlsCertificate: &auth_v2.TlsCertificate{ - CertificateChain: &core_v2.DataSource{ - Specifier: &core_v2.DataSource_InlineBytes{ - InlineBytes: []byte("-----BEGIN CERTIFICATE-----\nV09SS0xPQUQx\n-----END CERTIFICATE-----\n"), - }, - }, - PrivateKey: &core_v2.DataSource{ - Specifier: &core_v2.DataSource_InlineBytes{ - InlineBytes: workloadKeyPEM, - }, - }, - }, - }, - } - - workloadSelectors = cache.Selectors{{Type: "TYPE", Value: "VALUE"}} -) - -func TestHandler(t *testing.T) { - spiretest.Run(t, new(HandlerSuite)) -} - -type HandlerSuite struct { - spiretest.Suite - manager *FakeManager - server *grpc.Server - handler sds_v2.SecretDiscoveryServiceClient - received chan struct{} -} - -func (s *HandlerSuite) SetupTest() { - s.manager = NewFakeManager(s.T()) - handler := New(Config{ - Attestor: FakeAttestor(workloadSelectors), - Manager: s.manager, - DefaultSVIDName: "default", - DefaultBundleName: "ROOTCA", - Enabled: true, - }) - - s.received = make(chan struct{}) - handler.hooks.received = s.received - - listener, err := net.Listen("tcp", "localhost:0") - s.Require().NoError(err) - - conn, err := grpc.Dial(listener.Addr().String(), grpc.WithTransportCredentials(insecure.NewCredentials())) - s.Require().NoError(err) - s.handler = sds_v2.NewSecretDiscoveryServiceClient(conn) - - log, _ := test.NewNullLogger() - unaryInterceptor, streamInterceptor := middleware.Interceptors(middleware.WithLogger(log)) - server := grpc.NewServer(grpc.Creds(FakeCreds{}), - grpc.UnaryInterceptor(unaryInterceptor), - grpc.StreamInterceptor(streamInterceptor), - ) - sds_v2.RegisterSecretDiscoveryServiceServer(server, handler) - go func() { _ = server.Serve(listener) }() - s.server = server - - s.setWorkloadUpdate(workloadCert1) -} - -func (s *HandlerSuite) TearDownTest() { - s.server.Stop() -} - -func (s *HandlerSuite) TestStreamSecretsStreamAllSecrets() { - stream, err := 
s.handler.StreamSecrets(context.Background()) - s.Require().NoError(err) - defer func() { - s.Require().NoError(stream.CloseSend()) - }() - - s.sendAndWait(stream, &api_v2.DiscoveryRequest{}) - - resp, err := stream.Recv() - s.Require().NoError(err) - s.requireSecrets(resp, tdValidationContext, fedValidationContext, workloadTLSCertificate1) -} - -func (s *HandlerSuite) TestAPIIsNotEnabled() { - ctx := context.Background() - handler := New(Config{ - Attestor: FakeAttestor(workloadSelectors), - Manager: s.manager, - DefaultSVIDName: "default", - DefaultBundleName: "ROOTCA", - // API is not enabled - Enabled: false, - }) - resp, err := handler.FetchSecrets(ctx, &api_v2.DiscoveryRequest{}) - s.Require().Nil(resp) - s.RequireGRPCStatus(err, codes.Unavailable, deprecatedAPIErrorMsg) - - err = handler.StreamSecrets(nil) - s.RequireGRPCStatus(err, codes.Unavailable, deprecatedAPIErrorMsg) - - err = handler.DeltaSecrets(nil) - s.RequireGRPCStatus(err, codes.Unavailable, deprecatedAPIErrorMsg) -} - -func (s *HandlerSuite) TestStreamSecretsStreamTrustDomainBundleOnly() { - stream, err := s.handler.StreamSecrets(context.Background()) - s.Require().NoError(err) - defer func() { - s.Require().NoError(stream.CloseSend()) - }() - - s.sendAndWait(stream, &api_v2.DiscoveryRequest{ - ResourceNames: []string{"spiffe://domain.test"}, - }) - resp, err := stream.Recv() - s.Require().NoError(err) - s.requireSecrets(resp, tdValidationContext) -} - -func (s *HandlerSuite) TestStreamSecretsStreamDefaultTrustDomainBundleOnly() { - stream, err := s.handler.StreamSecrets(context.Background()) - s.Require().NoError(err) - defer func() { - s.Require().NoError(stream.CloseSend()) - }() - - s.sendAndWait(stream, &api_v2.DiscoveryRequest{ - ResourceNames: []string{"ROOTCA"}, - }) - resp, err := stream.Recv() - s.Require().NoError(err) - s.requireSecrets(resp, tdValidationContext2) -} - -func (s *HandlerSuite) TestStreamSecretsStreamFederatedTrustDomainBundleOnly() { - stream, err := 
s.handler.StreamSecrets(context.Background()) - s.Require().NoError(err) - defer func() { - s.Require().NoError(stream.CloseSend()) - }() - - s.sendAndWait(stream, &api_v2.DiscoveryRequest{ - ResourceNames: []string{"spiffe://otherdomain.test"}, - }) - resp, err := stream.Recv() - s.Require().NoError(err) - s.requireSecrets(resp, fedValidationContext) -} - -func (s *HandlerSuite) TestStreamSecretsStreamTLSCertificateOnly() { - stream, err := s.handler.StreamSecrets(context.Background()) - s.Require().NoError(err) - defer func() { - s.Require().NoError(stream.CloseSend()) - }() - - s.sendAndWait(stream, &api_v2.DiscoveryRequest{ - ResourceNames: []string{"spiffe://domain.test/workload"}, - }) - resp, err := stream.Recv() - s.Require().NoError(err) - s.requireSecrets(resp, workloadTLSCertificate1) -} - -func (s *HandlerSuite) TestStreamSecretsStreamDefaultTLSCertificateOnly() { - stream, err := s.handler.StreamSecrets(context.Background()) - s.Require().NoError(err) - defer func() { - s.Require().NoError(stream.CloseSend()) - }() - - s.sendAndWait(stream, &api_v2.DiscoveryRequest{ - ResourceNames: []string{"default"}, - }) - resp, err := stream.Recv() - s.Require().NoError(err) - s.requireSecrets(resp, workloadTLSCertificate3) -} - -func (s *HandlerSuite) TestStreamSecretsUnknownResource() { - stream, err := s.handler.StreamSecrets(context.Background()) - s.Require().NoError(err) - defer func() { - s.Require().NoError(stream.CloseSend()) - }() - - s.sendAndWait(stream, &api_v2.DiscoveryRequest{ - ResourceNames: []string{"spiffe://domain.test/WHATEVER"}, - }) - _, err = stream.Recv() - s.Require().Error(err) -} - -func (s *HandlerSuite) TestStreamSecretsStreaming() { - stream, err := s.handler.StreamSecrets(context.Background()) - s.Require().NoError(err) - defer func() { - s.Require().NoError(stream.CloseSend()) - }() - - s.sendAndWait(stream, &api_v2.DiscoveryRequest{ - ResourceNames: []string{"spiffe://domain.test/workload"}, - }) - resp, err := stream.Recv() - 
s.Require().NoError(err)
- s.Require().NotEmpty(resp.VersionInfo)
- s.Require().NotEmpty(resp.Nonce)
- s.requireSecrets(resp, workloadTLSCertificate1)
-
- s.setWorkloadUpdate(workloadCert2)
-
- resp, err = stream.Recv()
- s.Require().NoError(err)
- s.requireSecrets(resp, workloadTLSCertificate2)
-}
-
-func (s *HandlerSuite) TestStreamSecretsApplicationDoesNotSpin() {
- stream, err := s.handler.StreamSecrets(context.Background())
- s.Require().NoError(err)
- defer func() {
- s.Require().NoError(stream.CloseSend())
- }()
-
- // Subscribe to some updates
- s.sendAndWait(stream, &api_v2.DiscoveryRequest{
- ResourceNames: []string{"spiffe://domain.test/workload"},
- })
-
- resp, err := stream.Recv()
- s.Require().NoError(err)
- s.requireSecrets(resp, workloadTLSCertificate1)
-
- // Reject the update
- s.sendAndWait(stream, &api_v2.DiscoveryRequest{
- ResponseNonce: resp.Nonce,
- VersionInfo: "OHNO",
- ErrorDetail: &status.Status{Message: "OHNO!"},
- ResourceNames: []string{"spiffe://domain.test/workload"},
- })
-
- s.setWorkloadUpdate(workloadCert2)
-
- resp, err = stream.Recv()
- s.Require().NoError(err)
- s.requireSecrets(resp, workloadTLSCertificate2)
-}
-
-func (s *HandlerSuite) TestStreamSecretsRequestReceivedBeforeWorkloadUpdate() {
- s.setWorkloadUpdate(nil)
-
- stream, err := s.handler.StreamSecrets(context.Background())
- s.Require().NoError(err)
- defer func() {
- s.Require().NoError(stream.CloseSend())
- }()
-
- s.sendAndWait(stream, &api_v2.DiscoveryRequest{
- ResourceNames: []string{"spiffe://domain.test/workload"},
- })
-
- s.setWorkloadUpdate(workloadCert2)
-
- resp, err := stream.Recv()
- s.Require().NoError(err)
- s.requireSecrets(resp, workloadTLSCertificate2)
-}
-
-func (s *HandlerSuite) TestStreamSecretsSubChanged() {
- stream, err := s.handler.StreamSecrets(context.Background())
- s.Require().NoError(err)
- defer func() {
- s.Require().NoError(stream.CloseSend())
- }()
-
- s.sendAndWait(stream, &api_v2.DiscoveryRequest{
- ResourceNames: []string{"spiffe://domain.test/workload"},
- })
-
- resp, err := stream.Recv()
- s.Require().NoError(err)
- s.requireSecrets(resp, workloadTLSCertificate1)
-
- // Ack the response
- s.sendAndWait(stream, &api_v2.DiscoveryRequest{
- ResponseNonce: resp.Nonce,
- VersionInfo: resp.VersionInfo,
- ResourceNames: []string{"spiffe://domain.test/workload"},
- })
-
- // Send another request for different resources.
- s.sendAndWait(stream, &api_v2.DiscoveryRequest{
- ResponseNonce: resp.Nonce,
- VersionInfo: resp.VersionInfo,
- ResourceNames: []string{"spiffe://domain.test"},
- })
-
- resp, err = stream.Recv()
- s.Require().NoError(err)
- s.requireSecrets(resp, tdValidationContext)
-}
-
-func (s *HandlerSuite) TestStreamSecretsBadNonce() {
- stream, err := s.handler.StreamSecrets(context.Background())
- s.Require().NoError(err)
- defer func() {
- s.Require().NoError(stream.CloseSend())
- }()
-
- // The first request should be good
- s.sendAndWait(stream, &api_v2.DiscoveryRequest{
- ResourceNames: []string{"spiffe://domain.test/workload"},
- })
- resp, err := stream.Recv()
- s.Require().NoError(err)
- s.requireSecrets(resp, workloadTLSCertificate1)
-
- // Now update the workload SVID
- s.setWorkloadUpdate(workloadCert2)
-
- // The third request should be ignored because the nonce isn't set to
- // the value returned in the response.
- s.sendAndWait(stream, &api_v2.DiscoveryRequest{
- ResponseNonce: "FOO",
- VersionInfo: resp.VersionInfo,
- ResourceNames: []string{"spiffe://domain.test"},
- })
-
- // The fourth request should be good since the nonce matches that sent with
- // the last response.
- s.sendAndWait(stream, &api_v2.DiscoveryRequest{
- ResponseNonce: resp.Nonce,
- VersionInfo: resp.VersionInfo,
- ResourceNames: []string{"spiffe://domain.test/workload"},
- })
- resp, err = stream.Recv()
- s.Require().NoError(err)
- s.requireSecrets(resp, workloadTLSCertificate2)
-}
-
-func (s *HandlerSuite) TestFetchSecrets() {
- // Fetch all secrets
- resp, err := s.handler.FetchSecrets(context.Background(), &api_v2.DiscoveryRequest{TypeUrl: "TYPEURL"})
- s.Require().NoError(err)
- s.Require().NotNil(resp)
- s.Require().Empty(resp.VersionInfo)
- s.Require().Empty(resp.Nonce)
- s.Require().Equal("TYPEURL", resp.TypeUrl)
- s.requireSecrets(resp, tdValidationContext, fedValidationContext, workloadTLSCertificate1)
-
- // Fetch trust domain validation context only
- resp, err = s.handler.FetchSecrets(context.Background(), &api_v2.DiscoveryRequest{
- ResourceNames: []string{"spiffe://domain.test"},
- })
- s.Require().NoError(err)
- s.Require().NotNil(resp)
- s.Require().Empty(resp.VersionInfo)
- s.Require().Empty(resp.Nonce)
- s.requireSecrets(resp, tdValidationContext)
-
- // Fetch federated validation context only
- resp, err = s.handler.FetchSecrets(context.Background(), &api_v2.DiscoveryRequest{
- ResourceNames: []string{"spiffe://otherdomain.test"},
- })
- s.Require().NoError(err)
- s.Require().NotNil(resp)
- s.Require().Empty(resp.VersionInfo)
- s.Require().Empty(resp.Nonce)
- s.requireSecrets(resp, fedValidationContext)
-
- // Fetch tls certificate only
- resp, err = s.handler.FetchSecrets(context.Background(), &api_v2.DiscoveryRequest{
- ResourceNames: []string{"spiffe://domain.test/workload"},
- })
- s.Require().NoError(err)
- s.Require().NotNil(resp)
- s.Require().Empty(resp.VersionInfo)
- s.Require().Empty(resp.Nonce)
- s.requireSecrets(resp, workloadTLSCertificate1)
-
- // Fetch non-existent resource
- _, err = s.handler.FetchSecrets(context.Background(), &api_v2.DiscoveryRequest{
- ResourceNames: []string{"spiffe://domain.test/other"},
- })
- s.Require().Error(err)
-}
-
-func (s *HandlerSuite) setWorkloadUpdate(workloadCert *x509.Certificate) {
- var workloadUpdate *cache.WorkloadUpdate
- if workloadCert != nil {
- workloadUpdate = &cache.WorkloadUpdate{
- Identities: []cache.Identity{
- {
- Entry: &common.RegistrationEntry{
- SpiffeId: "spiffe://domain.test/workload",
- },
- SVID: []*x509.Certificate{workloadCert},
- PrivateKey: workloadKey,
- },
- },
- Bundle: tdBundle,
- FederatedBundles: map[spiffeid.TrustDomain]*spiffebundle.Bundle{
- spiffeid.RequireTrustDomainFromString("otherdomain.test"): fedBundle,
- },
- }
- }
- s.manager.SetWorkloadUpdate(workloadUpdate)
-}
-
-func (s *HandlerSuite) sendAndWait(stream sds_v2.SecretDiscoveryService_StreamSecretsClient, req *api_v2.DiscoveryRequest) {
- s.Require().NoError(stream.Send(req))
- timer := time.NewTimer(time.Second)
- defer timer.Stop()
- select {
- case <-s.received:
- case <-timer.C:
- s.Fail("timed out waiting for request to be received")
- }
-}
-
-func (s *HandlerSuite) requireSecrets(resp *api_v2.DiscoveryResponse, expectedSecrets ...*auth_v2.Secret) {
- var actualSecrets []*auth_v2.Secret
- for _, resource := range resp.Resources {
- secret := new(auth_v2.Secret)
- s.Require().NoError(resource.UnmarshalTo(secret)) //nolint: scopelint // pointer to resource isn't held
- actualSecrets = append(actualSecrets, secret)
- }
-
- s.RequireProtoListEqual(expectedSecrets, actualSecrets)
-}
-
-type FakeAttestor []*common.Selector
-
-func (a FakeAttestor) Attest(context.Context) ([]*common.Selector, error) {
- return ([]*common.Selector)(a), nil
-}
-
-type FakeManager struct {
- t *testing.T
-
- mu sync.Mutex
- upd *cache.WorkloadUpdate
- next int
- subs map[int]chan *cache.WorkloadUpdate
-}
-
-func NewFakeManager(t *testing.T) *FakeManager {
- return &FakeManager{
- t: t,
- subs: make(map[int]chan *cache.WorkloadUpdate),
- }
-}
-
-func (m *FakeManager) SubscribeToCacheChanges(_ context.Context, selectors cache.Selectors) (cache.Subscriber, error) {
- require.Equal(m.t, workloadSelectors, selectors)
-
- updch := make(chan *cache.WorkloadUpdate, 1)
- if m.upd != nil {
- updch <- m.upd
- }
-
- m.mu.Lock()
- defer m.mu.Unlock()
- key := m.next
- m.next++
- m.subs[key] = updch
- return NewFakeSubscriber(updch, func() {
- delete(m.subs, key)
- close(updch)
- }), nil
-}
-
-func (m *FakeManager) FetchWorkloadUpdate(_ []*common.Selector) *cache.WorkloadUpdate {
- m.mu.Lock()
- defer m.mu.Unlock()
- return m.upd
-}
-
-func (m *FakeManager) SetWorkloadUpdate(upd *cache.WorkloadUpdate) {
- m.mu.Lock()
- defer m.mu.Unlock()
-
- m.upd = upd
- for _, sub := range m.subs {
- select {
- case sub <- upd:
- default:
- <-sub
- sub <- upd
- }
- }
-}
-
-type FakeSubscriber struct {
- updch <-chan *cache.WorkloadUpdate
- done func()
-}
-
-func NewFakeSubscriber(updch <-chan *cache.WorkloadUpdate, done func()) *FakeSubscriber {
- return &FakeSubscriber{
- updch: updch,
- done: done,
- }
-}
-
-func (s *FakeSubscriber) Updates() <-chan *cache.WorkloadUpdate {
- return s.updch
-}
-
-func (s *FakeSubscriber) Finish() {
- s.done()
-}
-
-type FakeCreds struct{}
-
-func (c FakeCreds) ClientHandshake(context.Context, string, net.Conn) (net.Conn, credentials.AuthInfo, error) {
- return nil, nil, errors.New("unexpected")
-}
-
-func (c FakeCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
- return conn, peertracker.AuthInfo{Watcher: FakeWatcher{}}, nil
-}
-
-func (c FakeCreds) Info() credentials.ProtocolInfo {
- return credentials.ProtocolInfo{
- SecurityProtocol: "fixed",
- SecurityVersion: "0.1",
- ServerName: "sds-handler-test",
- }
-}
-
-func (c FakeCreds) Clone() credentials.TransportCredentials {
- return &c
-}
-
-func (c FakeCreds) OverrideServerName(_ string) error {
- return nil
-}
-
-type FakeWatcher struct{}
-
-func (w FakeWatcher) Close() {}
-
-func (w FakeWatcher) IsAlive() error { return nil }
-
-func (w FakeWatcher) PID() int32 { return 123 }
diff --git a/pkg/common/api/middleware/names.go b/pkg/common/api/middleware/names.go
index 7cc50b75e82..4975dcca11b 100644
--- a/pkg/common/api/middleware/names.go
+++ b/pkg/common/api/middleware/names.go
@@ -15,8 +15,6 @@ const (
WorkloadAPIServiceName = "SpiffeWorkloadAPI"
WorkloadAPIServiceShortName = "WorkloadAPI"
- EnvoySDSv2ServiceName = "envoy.service.discovery.v2.SecretDiscoveryService"
- EnvoySDSv2ServiceShortName = "SDS.v2"
EnvoySDSv3ServiceName = "envoy.service.secret.v3.SecretDiscoveryService"
EnvoySDSv3ServiceShortName = "SDS.v3"
HealthServiceName = "grpc.health.v1.Health"
@@ -31,7 +29,6 @@ var (
serviceReplacer = strings.NewReplacer(
serverAPIPrefix, "",
WorkloadAPIServiceName, WorkloadAPIServiceShortName,
- EnvoySDSv2ServiceName, EnvoySDSv2ServiceShortName,
EnvoySDSv3ServiceName, EnvoySDSv3ServiceShortName,
HealthServiceName, HealthServiceShortName,
DelegatedIdentityServiceName, DelegatedIdentityServiceShortName,
diff --git a/test/integration/README.md b/test/integration/README.md
index ece37be57d7..1d15dbc46be 100644
--- a/test/integration/README.md
+++ b/test/integration/README.md
@@ -78,7 +78,6 @@ The following environment variables are available to the teardown script:
* [Datastore (Postgres)](suites/datastore-postgres/README.md)
* [Debug Endpoints](suites/debug-endpoints/README.md)
* [Downstream Endpoint](suites/downstream-endpoints/README.md)
-* [Envoy SDS (v2)](suites/envoy-sds-v2/README.md)
* [Envoy SDS (v3)](suites/envoy-sds-v3/README.md)
* [Ghostunnel + Federation](suites/ghostunnel-federation/README.md)
* [Join Token](suites/join-token/README.md)
diff --git a/test/integration/suites/envoy-sds-v2/00-setup b/test/integration/suites/envoy-sds-v2/00-setup
deleted file mode 100755
index 39a809ec133..00000000000
--- a/test/integration/suites/envoy-sds-v2/00-setup
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-"${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/upstream-agent conf/downstream-agent
-
-LAST_ENVOY_RELEASE_WITH_V2=v1.16.0
-
-cat > Dockerfile < conf/downstream-agent/bootstrap.crt
-
-log-debug "bootstrapping upstream agent..."
-docker-compose exec -T spire-server \
- /opt/spire/bin/spire-server bundle show > conf/upstream-agent/bootstrap.crt
diff --git a/test/integration/suites/envoy-sds-v2/03-start-remaining-containers b/test/integration/suites/envoy-sds-v2/03-start-remaining-containers
deleted file mode 100755
index 4ddcd16ac54..00000000000
--- a/test/integration/suites/envoy-sds-v2/03-start-remaining-containers
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-
-# bring up the rest
-docker-up
diff --git a/test/integration/suites/envoy-sds-v2/04-create-workload-entries b/test/integration/suites/envoy-sds-v2/04-create-workload-entries
deleted file mode 100755
index 9320baaa239..00000000000
--- a/test/integration/suites/envoy-sds-v2/04-create-workload-entries
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-log-debug "creating registration entry for upstream workload..."
-docker-compose exec -T spire-server \
- /opt/spire/bin/spire-server entry create \
- -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/upstream-agent/agent.crt.pem)" \
- -spiffeID "spiffe://domain.test/upstream-workload" \
- -selector "unix:uid:0" \
- -ttl 0
-
-log-debug "creating registration entry for downstream workload..."
-docker-compose exec -T spire-server \
- /opt/spire/bin/spire-server entry create \
- -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/downstream-agent/agent.crt.pem)" \
- -spiffeID "spiffe://domain.test/downstream-workload" \
- -selector "unix:uid:0" \
- -ttl 0
diff --git a/test/integration/suites/envoy-sds-v2/05-check-workload-connectivity b/test/integration/suites/envoy-sds-v2/05-check-workload-connectivity
deleted file mode 100755
index b41dd8a6463..00000000000
--- a/test/integration/suites/envoy-sds-v2/05-check-workload-connectivity
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-
-MAXCHECKSPERPORT=15
-CHECKINTERVAL=1
-
-TRY() { docker-compose exec -T downstream-socat-mtls /bin/sh -c 'echo HELLO_MTLS | socat -u STDIN TCP:localhost:8001'; }
-VERIFY() { docker-compose exec -T upstream-socat cat /tmp/howdy | grep -q HELLO_MTLS; }
-
-for ((i=1;i<=MAXCHECKSPERPORT;i++)); do
- log-debug "Checking MTLS proxy ($i of $MAXCHECKSPERPORT max)..."
- if TRY && VERIFY ; then
- MTLS_OK=1
- log-info "MTLS proxy OK"
- break
- fi
- sleep "${CHECKINTERVAL}"
-done
-
-TRY() { docker-compose exec -T downstream-socat-tls /bin/sh -c 'echo HELLO_TLS | socat -u STDIN TCP:localhost:8002'; }
-VERIFY() { docker-compose exec -T upstream-socat cat /tmp/howdy | grep -q HELLO_TLS; }
-
-for ((i=1;i<=MAXCHECKSPERPORT;i++)); do
- log-debug "Checking TLS proxy ($i of $MAXCHECKSPERPORT max)..."
- if TRY && VERIFY ; then
- TLS_OK=1
- log-info "TLS proxy OK"
- break
- fi
- sleep "${CHECKINTERVAL}"
-done
-
-if [ -z "${MTLS_OK}" ]; then
- fail-now "MTLS Proxying failed"
-fi
-
-if [ -z "${TLS_OK}" ]; then
- fail-now "TLS Proxying failed"
-fi
diff --git a/test/integration/suites/envoy-sds-v2/README.md b/test/integration/suites/envoy-sds-v2/README.md
deleted file mode 100644
index 5218bc6ed23..00000000000
--- a/test/integration/suites/envoy-sds-v2/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Envoy SDS v2 Suite
-
-## Description
-
-Exercises [Envoy](https://www.envoyproxy.io/)
-[SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret)
-compatibility within SPIRE by wiring up two workloads that achieve connectivity
-using Envoy backed with identities and trust information retrieved from the
-SPIRE agent SDS implementation.
-
-A customer container image is used that runs both Envoy and the SPIRE agent. Socat containers are used as the workload.
-
-The test ensures both TLS and mTLS connectivity between the workload.
diff --git a/test/integration/suites/envoy-sds-v2/conf/downstream-agent/agent.conf b/test/integration/suites/envoy-sds-v2/conf/downstream-agent/agent.conf
deleted file mode 100644
index 319e1761046..00000000000
--- a/test/integration/suites/envoy-sds-v2/conf/downstream-agent/agent.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-agent {
- data_dir = "/opt/spire/data/agent"
- log_level = "DEBUG"
- server_address = "spire-server"
- server_port = "8081"
- socket_path ="/opt/shared/agent.sock"
- trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
- trust_domain = "domain.test"
- sds = {
- enable_deprecated_v2_api = true
- }
-}
-
-plugins {
- NodeAttestor "x509pop" {
- plugin_data {
- private_key_path = "/opt/spire/conf/agent/agent.key.pem"
- certificate_path = "/opt/spire/conf/agent/agent.crt.pem"
- }
- }
- KeyManager "disk" {
- plugin_data {
- directory = "/opt/spire/data/agent"
- }
- }
- WorkloadAttestor "unix" {
- plugin_data {
- }
- }
-}
diff --git a/test/integration/suites/envoy-sds-v2/conf/downstream-envoy/envoy.yaml b/test/integration/suites/envoy-sds-v2/conf/downstream-envoy/envoy.yaml
deleted file mode 100644
index 0eb51ef656c..00000000000
--- a/test/integration/suites/envoy-sds-v2/conf/downstream-envoy/envoy.yaml
+++ /dev/null
@@ -1,92 +0,0 @@
-node:
- id: "downstream-envoy"
- cluster: "test"
-static_resources:
- listeners:
- - name: downstream_to_upstream_mtls_listener
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 8001
- filter_chains:
- - filters:
- - name: envoy.tcp_proxy
- config:
- cluster: downstream_to_upstream_mtls
- stat_prefix: downstream_to_upstream_mtls
- - name: downstream_to_upstream_tls_listener
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 8002
- filter_chains:
- - filters:
- - name: envoy.tcp_proxy
- config:
- cluster: downstream_to_upstream_tls
- stat_prefix: downstream_to_upstream_tls
- clusters:
- - name: spire_agent
- connect_timeout: 0.25s
- http2_protocol_options: {}
- hosts:
- - pipe:
- path: /opt/shared/agent.sock
- - name: downstream_to_upstream_mtls
- connect_timeout: 0.25s
- type: strict_dns
- lb_policy: ROUND_ROBIN
- hosts:
- - socket_address:
- address: upstream-proxy
- port_value: 8001
- tls_context:
- common_tls_context:
- tls_certificate_sds_secret_configs:
- - name: "spiffe://domain.test/downstream-workload"
- sds_config:
- api_config_source:
- api_type: GRPC
- grpc_services:
- envoy_grpc:
- cluster_name: spire_agent
- combined_validation_context:
- default_validation_context:
- verify_subject_alt_name:
- - "spiffe://domain.test/upstream-workload"
- validation_context_sds_secret_config:
- name: "spiffe://domain.test"
- sds_config:
- api_config_source:
- api_type: GRPC
- grpc_services:
- envoy_grpc:
- cluster_name: spire_agent
- tls_params:
- ecdh_curves:
- - X25519:P-256:P-521:P-384
- - name: downstream_to_upstream_tls
- connect_timeout: 0.25s
- type: strict_dns
- lb_policy: ROUND_ROBIN
- hosts:
- - socket_address:
- address: upstream-proxy
- port_value: 8002
- tls_context:
- common_tls_context:
- combined_validation_context:
- default_validation_context:
- verify_subject_alt_name:
- - "spiffe://domain.test/upstream-workload"
- validation_context_sds_secret_config:
- name: "spiffe://domain.test"
- sds_config:
- api_config_source:
- api_type: GRPC
- grpc_services:
- envoy_grpc:
- cluster_name: spire_agent
- tls_params:
- ecdh_curves:
- - X25519:P-256:P-521:P-384
diff --git a/test/integration/suites/envoy-sds-v2/conf/server/server.conf b/test/integration/suites/envoy-sds-v2/conf/server/server.conf
deleted file mode 100644
index 071642c35bf..00000000000
--- a/test/integration/suites/envoy-sds-v2/conf/server/server.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-server {
- bind_address = "0.0.0.0"
- bind_port = "8081"
- trust_domain = "domain.test"
- data_dir = "/opt/spire/data/server"
- log_level = "DEBUG"
- ca_ttl = "1h"
- default_x509_svid_ttl = "1m"
-}
-
-plugins {
- DataStore "sql" {
- plugin_data {
- database_type = "sqlite3"
- connection_string = "/opt/spire/data/server/datastore.sqlite3"
- }
- }
- NodeAttestor "x509pop" {
- plugin_data {
- ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem"
- }
- }
- KeyManager "memory" {
- plugin_data = {}
- }
-}
diff --git a/test/integration/suites/envoy-sds-v2/conf/supervisord.conf b/test/integration/suites/envoy-sds-v2/conf/supervisord.conf
deleted file mode 100644
index 516b0536860..00000000000
--- a/test/integration/suites/envoy-sds-v2/conf/supervisord.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-[supervisord]
-nodaemon=true
-loglevel=debug
-
-[program:spire-agent]
-command = /opt/spire/bin/spire-agent run -config /opt/spire/conf/agent/agent.conf
-
-[program:envoy]
-command = /usr/local/bin/envoy -l debug -c /opt/envoy/conf/envoy.yaml
diff --git a/test/integration/suites/envoy-sds-v2/conf/upstream-agent/agent.conf b/test/integration/suites/envoy-sds-v2/conf/upstream-agent/agent.conf
deleted file mode 100644
index 319e1761046..00000000000
--- a/test/integration/suites/envoy-sds-v2/conf/upstream-agent/agent.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-agent {
- data_dir = "/opt/spire/data/agent"
- log_level = "DEBUG"
- server_address = "spire-server"
- server_port = "8081"
- socket_path ="/opt/shared/agent.sock"
- trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
- trust_domain = "domain.test"
- sds = {
- enable_deprecated_v2_api = true
- }
-}
-
-plugins {
- NodeAttestor "x509pop" {
- plugin_data {
- private_key_path = "/opt/spire/conf/agent/agent.key.pem"
- certificate_path = "/opt/spire/conf/agent/agent.crt.pem"
- }
- }
- KeyManager "disk" {
- plugin_data {
- directory = "/opt/spire/data/agent"
- }
- }
- WorkloadAttestor "unix" {
- plugin_data {
- }
- }
-}
diff --git a/test/integration/suites/envoy-sds-v2/conf/upstream-envoy/envoy.yaml b/test/integration/suites/envoy-sds-v2/conf/upstream-envoy/envoy.yaml
deleted file mode 100644
index d3d2a73f2ca..00000000000
--- a/test/integration/suites/envoy-sds-v2/conf/upstream-envoy/envoy.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-node:
- id: "upstream-envoy"
- cluster: "test"
-static_resources:
- listeners:
- - name: listener-sds-mtls
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 8001
- filter_chains:
- - filters:
- - name: envoy.tcp_proxy
- config:
- cluster: upstream_socat
- stat_prefix: upstream_socat_mtls
- tls_context:
- common_tls_context:
- tls_certificate_sds_secret_configs:
- - name: "spiffe://domain.test/upstream-workload"
- sds_config:
- api_config_source:
- api_type: GRPC
- grpc_services:
- envoy_grpc:
- cluster_name: spire_agent
- combined_validation_context:
- default_validation_context:
- verify_subject_alt_name:
- - "spiffe://domain.test/downstream-workload"
- validation_context_sds_secret_config:
- name: "spiffe://domain.test"
- sds_config:
- api_config_source:
- api_type: GRPC
- grpc_services:
- envoy_grpc:
- cluster_name: spire_agent
- tls_params:
- ecdh_curves:
- - X25519:P-256:P-521:P-384
- - name: listener-sds-tls
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 8002
- filter_chains:
- - filters:
- - name: envoy.tcp_proxy
- config:
- cluster: upstream_socat
- stat_prefix: upstream_socat_tls
- tls_context:
- common_tls_context:
- tls_certificate_sds_secret_configs:
- - name: "spiffe://domain.test/upstream-workload"
- sds_config:
- api_config_source:
- api_type: GRPC
- grpc_services:
- envoy_grpc:
- cluster_name: spire_agent
- tls_params:
- ecdh_curves:
- - X25519:P-256:P-521:P-384
-
- clusters:
- - name: spire_agent
- connect_timeout: 0.25s
- http2_protocol_options: {}
- hosts:
- - pipe:
- path: /opt/shared/agent.sock
- - name: upstream_socat
- connect_timeout: 0.25s
- type: strict_dns
- lb_policy: ROUND_ROBIN
- hosts:
- - socket_address:
- address: upstream-socat
- port_value: 8000
diff --git a/test/integration/suites/envoy-sds-v2/docker-compose.yaml b/test/integration/suites/envoy-sds-v2/docker-compose.yaml
deleted file mode 100644
index 3adb5163b8f..00000000000
--- a/test/integration/suites/envoy-sds-v2/docker-compose.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-version: '3'
-services:
- spire-server:
- image: spire-server:latest-local
- hostname: spire-server
- volumes:
- - ./conf/server:/opt/spire/conf/server
- command: ["-config", "/opt/spire/conf/server/server.conf"]
- upstream-proxy:
- image: envoy-agent-mashup
- hostname: upstream-proxy
- depends_on: ["spire-server", "upstream-socat"]
- volumes:
- - ./conf/upstream-envoy:/opt/envoy/conf
- - ./conf/upstream-agent:/opt/spire/conf/agent
- downstream-proxy:
- image: envoy-agent-mashup
- hostname: downstream-proxy
- depends_on: ["spire-server", "upstream-proxy"]
- volumes:
- - ./conf/downstream-agent:/opt/spire/conf/agent
- - ./conf/downstream-envoy:/opt/envoy/conf
- upstream-socat:
- image: alpine/socat:latest
- hostname: upstream-socat
- command: ["-d", "-d", "TCP-LISTEN:8000,fork", "OPEN:\"/tmp/howdy\",creat,append"]
- downstream-socat-mtls:
- image: alpine/socat:latest
- hostname: downstream-socat-mtls
- restart: on-failure
- depends_on: ["downstream-proxy"]
- tty: true
- command: ["-d", "-d", "TCP-LISTEN:8001,fork", "TCP:downstream-proxy:8001"]
- downstream-socat-tls:
- image: alpine/socat:latest
- hostname: downstream-socat-tls
- restart: on-failure
- depends_on: ["downstream-proxy"]
- tty: true
- command: ["-d", "-d", "TCP-LISTEN:8002,fork", "TCP:downstream-proxy:8002"]
diff --git a/test/integration/suites/envoy-sds-v2/teardown b/test/integration/suites/envoy-sds-v2/teardown
deleted file mode 100755
index 9953dcd3f97..00000000000
--- a/test/integration/suites/envoy-sds-v2/teardown
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-if [ -z "$SUCCESS" ]; then
- docker-compose logs
-fi
-docker-down
From 5289f90e0858c82bcb5b6f9f5f44bcab84181649 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 18 Aug 2023 15:06:27 -0300
Subject: [PATCH 15/17] Bump google.golang.org/api from 0.137.0 to 0.138.0 (#4446)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.137.0 to 0.138.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.137.0...v0.138.0)
---
updated-dependencies:
- dependency-name: google.golang.org/api
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
go.mod | 2 +-
go.sum | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 8b34fd62c84..5a0e2b08cae 100644
--- a/go.mod
+++ b/go.mod
@@ -73,7 +73,7 @@ require (
golang.org/x/sync v0.3.0
golang.org/x/sys v0.11.0
golang.org/x/time v0.3.0
- google.golang.org/api v0.137.0
+ google.golang.org/api v0.138.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577
google.golang.org/grpc v1.57.0
google.golang.org/protobuf v1.31.0
diff --git a/go.sum b/go.sum
index 868696ba5ba..2fff0eea9ba 100644
--- a/go.sum
+++ b/go.sum
@@ -2661,8 +2661,8 @@ google.golang.org/api v0.125.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvy
google.golang.org/api v0.126.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw=
google.golang.org/api v0.128.0/go.mod h1:Y611qgqaE92On/7g65MQgxYul3c0rEB894kniWLY750=
google.golang.org/api v0.132.0/go.mod h1:AeTBC6GpJnJSRJjktDcPX0QwtS8pGYZOV6MSuSCusw0=
-google.golang.org/api v0.137.0 h1:QrKX6uNvzJLr0Fd3vWVqcyrcmFoYi036VUAsZbiF4+s=
-google.golang.org/api v0.137.0/go.mod h1:4xyob8CxC+0GChNBvEUAk8VBKNvYOTWM9T3v3UfRxuY=
+google.golang.org/api v0.138.0 h1:K/tVp05MxNVbHShRw9m7e9VJGdagNeTdMzqPH7AUqr0=
+google.golang.org/api v0.138.0/go.mod h1:4xyob8CxC+0GChNBvEUAk8VBKNvYOTWM9T3v3UfRxuY=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
From 42dbc1d52f8fb1c4f966526152f93aadbcb94dd5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 18 Aug 2023 19:11:07 -0300
Subject: [PATCH 16/17] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.112.0 to 1.113.0 (#4448)
Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.112.0 to 1.113.0.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.112.0...service/ec2/v1.113.0)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
go.mod | 10 +++++-----
go.sum | 17 ++++++++++-------
2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/go.mod b/go.mod
index 5a0e2b08cae..ffad1441022 100644
--- a/go.mod
+++ b/go.mod
@@ -17,12 +17,12 @@ require (
github.com/Microsoft/go-winio v0.6.1
github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129
github.com/armon/go-metrics v0.4.1
- github.com/aws/aws-sdk-go-v2 v1.20.1
+ github.com/aws/aws-sdk-go-v2 v1.20.2
github.com/aws/aws-sdk-go-v2/config v1.18.27
github.com/aws/aws-sdk-go-v2/credentials v1.13.26
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4
github.com/aws/aws-sdk-go-v2/service/acmpca v1.22.1
- github.com/aws/aws-sdk-go-v2/service/ec2 v1.112.0
+ github.com/aws/aws-sdk-go-v2/service/ec2 v1.113.0
github.com/aws/aws-sdk-go-v2/service/iam v1.22.0
github.com/aws/aws-sdk-go-v2/service/kms v1.24.1
github.com/aws/aws-sdk-go-v2/service/s3 v1.38.1
@@ -125,15 +125,15 @@ require (
github.com/armon/go-radix v1.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.11 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.38 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.32 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.39 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.33 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.0 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 // indirect
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.12 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.32 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.32 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.33 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.0 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.12.12 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.12 // indirect
diff --git a/go.sum b/go.sum
index 2fff0eea9ba..eb6e9edca0f 100644
--- a/go.sum
+++ b/go.sum
@@ -896,8 +896,9 @@ github.com/aws/aws-sdk-go-v2 v1.7.1/go.mod h1:L5LuPC1ZgDr2xQS7AmIec/Jlc7O/Y1u2Kx
github.com/aws/aws-sdk-go-v2 v1.14.0/go.mod h1:ZA3Y8V0LrlWj63MQAnRHgKf/5QB//LSZCPNWlWrNGLU=
github.com/aws/aws-sdk-go-v2 v1.18.1/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
github.com/aws/aws-sdk-go-v2 v1.20.0/go.mod h1:uWOr0m0jDsiWw8nnXiqZ+YG6LdvAlGYDLLf2NmHZoy4=
-github.com/aws/aws-sdk-go-v2 v1.20.1 h1:rZBf5DWr7YGrnlTK4kgDQGn1ltqOg5orCYb/UhOFZkg=
github.com/aws/aws-sdk-go-v2 v1.20.1/go.mod h1:NU06lETsFm8fUC6ZjhgDpVBcGZTFQ6XM+LZWZxMI4ac=
+github.com/aws/aws-sdk-go-v2 v1.20.2 h1:0Aok9u/HVTk7RtY6M1KDcthbaMKGhhS0eLPxIdSIzRI=
+github.com/aws/aws-sdk-go-v2 v1.20.2/go.mod h1:NU06lETsFm8fUC6ZjhgDpVBcGZTFQ6XM+LZWZxMI4ac=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.11 h1:/MS8AzqYNAhhRNalOmxUvYs8VEbNGifTnzhPFdcRQkQ=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.11/go.mod h1:va22++AdXht4ccO3kH2SHkHHYvZ2G9Utz+CXKmm2CaU=
github.com/aws/aws-sdk-go-v2/config v1.5.0/go.mod h1:RWlPOAW3E3tbtNAqTwvSW54Of/yP3oiZXMI0xfUdjyA=
@@ -912,13 +913,15 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4/go.mod h1:E1hLXN/BL2e6YizK
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.5/go.mod h1:2hXc8ooJqF2nAznsbJQIn+7h851/bu8GVC80OVTTqf8=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34/go.mod h1:wZpTEecJe0Btj3IYnDx/VlUzor9wm3fJHyvLpQF0VwY=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.37/go.mod h1:Pdn4j43v49Kk6+82spO3Tu5gSeQXRsxo56ePPQAvFiA=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.38 h1:c8ed/T9T2K5I+h/JzmF5tpI46+OODQ74dzmdo+QnaMg=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.38/go.mod h1:qggunOChCMu9ZF/UkAfhTz25+U2rLVb3ya0Ua6TTfCA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.39 h1:OBokd2jreL7ItwqRRcN5QiSt24/i2r742aRsd2qMyeg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.39/go.mod h1:OLmjwglQh90dCcFJDGD+T44G0ToLH+696kRwRhS1KOU=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.3.0/go.mod h1:miRSv9l093jX/t/j+mBCaLqFHo9xKYzJ7DGm1BsGoJM=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28/go.mod h1:7VRpKQQedkfIEXb4k52I7swUnZP0wohVajJMRn3vsUw=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.31/go.mod h1:fTJDMe8LOFYtqiFFFeHA+SVMAwqLhoq0kcInYoLa9Js=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.32 h1:hNeAAymUY5gu11WrrmFb3CVIp9Dar9hbo44yzzcQpzA=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.32/go.mod h1:0ZXSqrty4FtQ7p8TEuRde/SZm9X05KT18LAUlR40Ln0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.33 h1:gcRN6PXAo8w3HYFp2wFyr+WYEP4n/a25/IOhzJl36Yw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.33/go.mod h1:S/zgOphghZAIvrbtvsVycoOncfqh1Hc4uGDIHqDLwTU=
github.com/aws/aws-sdk-go-v2/internal/ini v1.1.1/go.mod h1:Zy8smImhTdOETZqfyn01iNOe0CNggVbPjCajyaz6Gvg=
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35 h1:LWA+3kDM8ly001vJ1X1waCuLJdtTl48gwkPKWy9sosI=
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35/go.mod h1:0Eg1YjxE0Bhn56lx+SHJwCzhW+2JGtizsrx+lCqrfm0=
@@ -926,8 +929,8 @@ github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.0 h1:U5yySdwt2HPo/pnQec04DImLzWOR
github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.0/go.mod h1:EhC/83j8/hL/UB1WmExo3gkElaja/KlmZM/gl1rTfjM=
github.com/aws/aws-sdk-go-v2/service/acmpca v1.22.1 h1:JcTxq2boeyMlFtBIaX4QrVDyzzsAzDnzvZw7b02Rq20=
github.com/aws/aws-sdk-go-v2/service/acmpca v1.22.1/go.mod h1:1AG8XoWz0RmFuivaAKeW5aCdClw71mRme9DxHJiIPLk=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.112.0 h1:8I4NQ9BfrQATHzXKtBuu+jBdOVd2mBANqhbMOXfSIdA=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.112.0/go.mod h1:Ie0Kp61cLk223argiS+t8vO29SpbFIphzlPflIvYcv0=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.113.0 h1:r6pW/VOm8ea4GDEmwDwN2IkgYmu8JjcYzYvHJRs5sEw=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.113.0/go.mod h1:UAWT8Tspir6mGp9WKvKWALaMkPgX1gnkSYZb5oo18XI=
github.com/aws/aws-sdk-go-v2/service/ecr v1.4.1/go.mod h1:FglZcyeiBqcbvyinl+n14aT/EWC7S1MIH+Gan2iizt0=
github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 h1:lY2Z2sBP+zSbJ6CvvmnFgPcgknoQ0OJV88AwVetRRFk=
github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0/go.mod h1:4zYI85WiYDhFaU1jPFVfkD7HlBcdnITDE3QxDwy4Kus=
@@ -943,8 +946,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.32/go.mod h1:QmMEM7e
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.2.1/go.mod h1:zceowr5Z1Nh2WVP8bf/3ikB41IZW59E4yIYbg+pC6mw=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.28/go.mod h1:jj7znCIg05jXlaGBlFMGP8+7UN3VtCkRBG2spnmRQkU=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.31/go.mod h1:3+lloe3sZuBQw1aBc5MyndvodzQlyqCZ7x1QPDHaWP4=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.32 h1:dGAseBFEYxth10V23b5e2mAS+tX7oVbfYHD6dnDdAsg=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.32/go.mod h1:4jwAWKEkCR0anWk5+1RbfSg1R5Gzld7NLiuaq5bTR/Y=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.33 h1:cr70Hw6Lq9cqRst1y4YOHLiaVWaWtBPiqdloinNkfis=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.33/go.mod h1:kcNtzCcEoflp+6e2CDTmm2h3xQGZOBZqYA/8DhYx/S8=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.0 h1:Wgjft9X4W5pMeuqgPCHIQtbZ87wsgom7S5F8obreg+c=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.0/go.mod h1:FWNzS4+zcWAP05IF7TDYTY1ysZAzIvogxWaDT9p8fsA=
 github.com/aws/aws-sdk-go-v2/service/kms v1.24.1 h1:zDmx9yZjSYDaeakQVN16qfsLxhBeAxgclioB0+rOCDM=
From 940c1ea717b93aa73dfdcf55908a817f3faeb29d Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Sat, 19 Aug 2023 14:59:20 +0100
Subject: [PATCH 17/17] Add the ability to configure the refresh hint of the local bundle (#4400)
* spire-server: add support for configuring a static bundle refresh_hint This allows us to move to a place where we are closer to the recommendation of the SPIFFE spec which says that client of the trust bundle endpoint should default to a low refresh interval to be able to retrieve updated trust bundles in a timely manner.
Signed-off-by: Sorin Dumitru
---
cmd/spire-server/cli/run/run.go | 26 ++++++++++
cmd/spire-server/cli/run/run_test.go | 19 +++++++
conf/server/server_full.conf | 4 ++
doc/spire_server.md | 12 +++-
pkg/server/bundle/client/manager.go | 8 +++
pkg/server/bundle/client/manager_test.go | 7 +++
pkg/server/endpoints/bundle/config.go | 7 ++-
pkg/server/endpoints/bundle/server.go | 16 ++++-
pkg/server/endpoints/bundle/server_test.go | 58 ++++++++++++++++------
pkg/server/endpoints/config.go | 3 +-
pkg/server/server.go | 1 +
11 files changed, 135 insertions(+), 26 deletions(-)
diff --git a/cmd/spire-server/cli/run/run.go b/cmd/spire-server/cli/run/run.go
index 0b3544d2452..8aba1a537c3 100644
--- a/cmd/spire-server/cli/run/run.go
+++ b/cmd/spire-server/cli/run/run.go
@@ -27,6 +27,7 @@ import (
 "github.com/mitchellh/cli"
 "github.com/sirupsen/logrus"
 "github.com/spiffe/go-spiffe/v2/spiffeid"
+"github.com/spiffe/spire/pkg/common/bundleutil"
 "github.com/spiffe/spire/pkg/common/catalog"
 common_cli "github.com/spiffe/spire/pkg/common/cli"
 "github.com/spiffe/spire/pkg/common/fflag"
@@ -124,6 +125,7 @@ type bundleEndpointConfig struct {
 Address string `hcl:"address"`
 Port int `hcl:"port"`
 ACME *bundleEndpointACMEConfig `hcl:"acme"`
+RefreshHint string `hcl:"refresh_hint"`
 UnusedKeyPositions map[string][]token.Pos `hcl:",unusedKeyPositions"`
 }
 
@@ -414,6 +416,30 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 },
 }
 
+if c.Server.Federation.BundleEndpoint.RefreshHint != "" {
+refreshHint, err := time.ParseDuration(c.Server.Federation.BundleEndpoint.RefreshHint)
+if err != nil {
+return nil, fmt.Errorf("could not parse refresh_hint %q: %w", c.Server.Federation.BundleEndpoint.RefreshHint, err)
+}
+
+if refreshHint >= 24*time.Hour {
+sc.Log.Warn("Bundle endpoint refresh hint set to a high value. To cover " +
+"the case of unscheduled trust bundle updates, it's recommended to " +
+"have a smaller value, e.g. 5m")
+}
+
+if refreshHint < bundleutil.MinimumRefreshHint {
+sc.Log.Warn("Bundle endpoint refresh hint set too low. SPIRE will not " +
+"refresh more often than 1 minute")
+}
+
+sc.Federation.BundleEndpoint.RefreshHint = &refreshHint
+} else {
+sc.Log.Warn("Bundle endpoint refresh_hint is not set. This configuration " +
+"will default to 5 minutes in a future release; please check if you " +
+"need to specify it")
+}
+
 if acme := c.Server.Federation.BundleEndpoint.ACME; acme != nil {
 sc.Federation.BundleEndpoint.ACME = &bundle.ACMEConfig{
 DirectoryURL: acme.DirectoryURL,
diff --git a/cmd/spire-server/cli/run/run_test.go b/cmd/spire-server/cli/run/run_test.go
index 054e3fd99ad..515860107a9 100644
--- a/cmd/spire-server/cli/run/run_test.go
+++ b/cmd/spire-server/cli/run/run_test.go
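Review bot: The parsed `refresh_hint` is never checked for being positive: `time.ParseDuration` accepts `"0"` and negative values such as `"-5m"`, and both new branches only log a warning, so a non-positive or sub-`MinimumRefreshHint` duration is stored in `sc.Federation.BundleEndpoint.RefreshHint` and later advertised verbatim by `serveHTTP` in `pkg/server/endpoints/bundle/server.go` (same patch), where a zero or negative hint could be read by every federated client as "refresh immediately". A configuration error is the right response, placed before the two warnings: `if refreshHint <= 0 { return nil, fmt.Errorf("refresh_hint must be a positive duration, got %q", c.Server.Federation.BundleEndpoint.RefreshHint) }`. The "too low" warning also hard-codes "1 minute" next to a check against `bundleutil.MinimumRefreshHint`; if that constant is indeed one minute, formatting it into the message (`fmt.Sprintf("... will not refresh more often than %s", bundleutil.MinimumRefreshHint)`) keeps the two from drifting. NewServerConfig continues outside the hunk on both sides.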
@@ -621,6 +621,24 @@ func TestNewServerConfig(t *testing.T) {
 },
 {
 msg: "bundle endpoint is parsed and configured correctly",
+input: func(c *Config) {
+c.Server.Federation = &federationConfig{
+BundleEndpoint: &bundleEndpointConfig{
+Address: "192.168.1.1",
+Port: 1337,
+RefreshHint: "10m",
+},
+}
+},
+test: func(t *testing.T, c *server.Config) {
+require.Equal(t, "192.168.1.1", c.Federation.BundleEndpoint.Address.IP.String())
+require.Equal(t, 1337, c.Federation.BundleEndpoint.Address.Port)
+require.NotNil(t, c.Federation.BundleEndpoint.RefreshHint)
+require.Equal(t, 10*time.Minute, *c.Federation.BundleEndpoint.RefreshHint)
+},
+},
+{
+msg: "bundle endpoint does not have a default refresh hint",
 input: func(c *Config) {
 c.Server.Federation = &federationConfig{
 BundleEndpoint: &bundleEndpointConfig{
@@ -632,6 +650,7 @@ func TestNewServerConfig(t *testing.T) {
 test: func(t *testing.T, c *server.Config) {
 require.Equal(t, "192.168.1.1", c.Federation.BundleEndpoint.Address.IP.String())
 require.Equal(t, 1337, c.Federation.BundleEndpoint.Address.Port)
+require.Nil(t, c.Federation.BundleEndpoint.RefreshHint)
 },
 },
 {
diff --git a/conf/server/server_full.conf b/conf/server/server_full.conf
index 9b1a287957b..19842a880c8 100644
--- a/conf/server/server_full.conf
+++ b/conf/server/server_full.conf
@@ -68,6 +68,10 @@ server {
 # Default: false.
 # tos_accepted = false
 }
+
+# refresh_hint: The refresh hint advertised in the bundles fetched from this endpoint
+# In a future release this will default to 5 minutes.
+refresh_hint = "5m"
 }
 
 # federates_with "": configures the address of a bundle endpoint used to
diff --git a/doc/spire_server.md b/doc/spire_server.md
index ce02ee51da4..4c10394cd10 100644
--- a/doc/spire_server.md
+++ b/doc/spire_server.md
@@ -163,6 +163,7 @@ server {
 domain_name = "example.org"
 email = "mail@example.org"
 }
+refresh_hint = "10m"
 }
 federates_with "domain1.test" {
 bundle_endpoint_url = "https://1.2.3.4:8443"
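Review bot: Neither new case covers the error path that NewServerConfig now has for an unparsable `refresh_hint`, so a regression that silently accepts malformed input, or one that starts rejecting valid values such as `"10m"`, would pass this table unnoticed. A third case with `RefreshHint: "ten minutes"` asserting that NewServerConfig returns an error is cheap to add if the table supports an expected-error field; if it does not, a small standalone test around the same input would do. The test table continues outside the hunk on both sides.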
@@ -185,11 +186,12 @@ The `federation.federates_with` section is also optional and is used to configur This optional section contains the configurables used by SPIRE Server to expose a bundle endpoint. -| Configuration | Description | -|---------------|--------------------------------------------------------------------------------| -| address | IP address where this server will listen for HTTP requests | -| port | TCP port number where this server will listen for HTTP requests | -| acme | Automated Certificate Management Environment configuration section (see below) | +| Configuration | Description | +|---------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| address | IP address where this server will listen for HTTP requests | +| port | TCP port number where this server will listen for HTTP requests | +| acme | Automated Certificate Management Environment configuration section (see below) | +| refresh_hint | Allow manually specifying a [refresh hint](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#412-refresh-hint). When not set, it is determined based on the lifetime of the keys in the bundle. Small values allow to retrieve trust bundle updates in a timely manner | ### Configuration options for `federation.bundle_endpoint.acme` diff --git a/pkg/server/bundle/client/manager.go b/pkg/server/bundle/client/manager.go index 9fda8dda322..c530aa88745 100644 --- a/pkg/server/bundle/client/manager.go +++ b/pkg/server/bundle/client/manager.go 
@@ -26,6 +26,11 @@ const (
 // configs from the source and reconciles it against the current bundle
 // updaters.
 configRefreshInterval = time.Second * 10
+
+// defaultRefreshInterval is how often the manager reloads the trust bundle
+// for a trust domain if that trust domain does not specify a refresh hint in
+// its current trust bundle.
+defaultRefreshInterval = time.Minute * 5
 )
 
 type TrustDomainConfig struct {
@@ -337,6 +342,9 @@ func (m *Manager) notifyBundleRefreshed(ctx context.Context, nextRefresh time.Du
 }
 
 func calculateNextUpdate(b *spiffebundle.Bundle) time.Duration {
+if _, ok := b.RefreshHint(); !ok {
+return defaultRefreshInterval
+}
 return bundleutil.CalculateRefreshHint(b) / attemptsPerRefreshHint
 }
 
diff --git a/pkg/server/bundle/client/manager_test.go b/pkg/server/bundle/client/manager_test.go
index 092f7a21851..b2a4855bfcf 100644
--- a/pkg/server/bundle/client/manager_test.go
+++ b/pkg/server/bundle/client/manager_test.go
@@ -27,6 +27,7 @@ func TestManagerPeriodicBundleRefresh(t *testing.T) {
 localBundle.SetRefreshHint(time.Hour)
 endpointBundle := spiffebundle.FromX509Authorities(trustDomain, []*x509.Certificate{createCACertificate(t, "endpoint")})
 endpointBundle.SetRefreshHint(time.Hour * 2)
+noRefreshBundle := spiffebundle.FromX509Authorities(trustDomain, []*x509.Certificate{createCACertificate(t, "endpoint")})
 
 source := NewTrustDomainConfigSet(TrustDomainConfigMap{
 trustDomain: TrustDomainConfig{
@@ -56,6 +57,12 @@ func TestManagerPeriodicBundleRefresh(t *testing.T) {
 endpointBundle: endpointBundle,
 nextRefresh: calculateNextUpdate(endpointBundle),
 },
+{
+name: "endpoint bundle does not specify refresh_hint",
+localBundle: localBundle,
+endpointBundle: noRefreshBundle,
+nextRefresh: time.Minute * 5,
+},
 }
 
 for _, testCase := range testCases {
diff --git a/pkg/server/endpoints/bundle/config.go b/pkg/server/endpoints/bundle/config.go
index cc38a667fb1..54f7e95a63f 100644
--- a/pkg/server/endpoints/bundle/config.go
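Review bot: `calculateNextUpdate` now returns values on two different scales: when the bundle carries a hint the result is `bundleutil.CalculateRefreshHint(b) / attemptsPerRefreshHint` (several poll attempts per hint period), but when it carries none the bare `defaultRefreshInterval` is returned without that division, so a bundle that explicitly advertises a 5m hint is polled more often than one with no hint at all. If that asymmetry is intended — the constant's comment reads as an absolute poll period — state it at the early return: `// No hint advertised: poll at defaultRefreshInterval as-is; the attemptsPerRefreshHint division below applies only to advertised hints.` If it is not, divide the default the same way so both paths share the same retry budget. The function is fully visible in the hunk.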
+++ b/pkg/server/endpoints/bundle/config.go
@@ -1,6 +1,9 @@
 package bundle
 
-import "net"
+import (
+"net"
+"time"
+)
 
 type EndpointConfig struct {
 // Address is the address on which to serve the federation bundle endpoint.
@@ -9,4 +12,6 @@ type EndpointConfig struct {
 // ACME is the ACME configuration for the bundle endpoint.
 // If unset, the bundle endpoint will use SPIFFE auth.
 ACME *ACMEConfig
+
+RefreshHint *time.Duration
 }
diff --git a/pkg/server/endpoints/bundle/server.go b/pkg/server/endpoints/bundle/server.go
index a8f8768a835..17779d40488 100644
--- a/pkg/server/endpoints/bundle/server.go
+++ b/pkg/server/endpoints/bundle/server.go
@@ -29,10 +29,11 @@ type ServerAuth interface {
 }
 
 type ServerConfig struct {
-Log logrus.FieldLogger
-Address string
-Getter Getter
-ServerAuth ServerAuth
+Log logrus.FieldLogger
+Address string
+Getter Getter
+ServerAuth ServerAuth
+RefreshHint *time.Duration
 
 // test hooks
 listen func(network, address string) (net.Listener, error)
@@ -100,7 +101,12 @@ func (s *Server) serveHTTP(w http.ResponseWriter, req *http.Request) {
 return
 }
 
-refreshHint := bundleutil.CalculateRefreshHint(b)
+var refreshHint time.Duration
+if s.c.RefreshHint != nil {
+refreshHint = *s.c.RefreshHint
+} else {
+refreshHint = bundleutil.CalculateRefreshHint(b)
+}
 
 // TODO: bundle sequence number?
 opts := []bundleutil.MarshalOption{
diff --git a/pkg/server/endpoints/bundle/server_test.go b/pkg/server/endpoints/bundle/server_test.go
index b9b37f52d77..69b49e7cd18 100644
--- a/pkg/server/endpoints/bundle/server_test.go
+++ b/pkg/server/endpoints/bundle/server_test.go
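Review bot: The new `RefreshHint` field in `EndpointConfig` is the only field in the struct without a doc comment, while `Address` and `ACME` beside it document both their meaning and what happens when they are unset. Since `nil` here is what switches the bundle endpoint between the key-lifetime-derived hint and a fixed value, that contract belongs on the field: `// RefreshHint, when non-nil, is advertised in served bundles in place of the refresh hint derived from the bundle's key lifetimes.` A second line noting that the value is emitted in whole seconds (the server_test.go case in this patch shows 5m serialized as `"spiffe_refresh_hint": 300`) would spare the next reader a trip through the marshaller.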
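Review bot: In `serveHTTP` the configured hint takes precedence unconditionally: once `s.c.RefreshHint` is set, `bundleutil.CalculateRefreshHint(b)` is not consulted at all, so an operator who configures a long hint (the run.go path in this patch only warns at 24h and above) can advertise a refresh interval longer than the remaining lifetime of the keys in the bundle, and clients honouring it would learn of a rotation late. Consider capping the configured value by the computed one — `refreshHint = min(*s.c.RefreshHint, bundleutil.CalculateRefreshHint(b))` if the module is on Go 1.21 or later, otherwise an explicit comparison — or, if the override is meant to be absolute, say so at the `if`: `// A configured hint is advertised as-is, even when the bundle's keys expire sooner.` serveHTTP begins outside the hunk.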
@@ -56,15 +56,18 @@ func TestServer(t *testing.T) {
 },
 }
 
+fiveMinutes := time.Minute * 5
+
 testCases := []struct {
-name string
-method string
-path string
-status int
-body string
-bundle *spiffebundle.Bundle
-serverCert *x509.Certificate
-reqErr string
+name string
+method string
+path string
+status int
+body string
+bundle *spiffebundle.Bundle
+serverCert *x509.Certificate
+reqErr string
+refreshHint *time.Duration
 }{
 {
 name: "success",
@@ -87,6 +90,28 @@ func TestServer(t *testing.T) {
 bundle: bundle,
 serverCert: serverCert,
 },
+{
+name: "manually configured refresh hint",
+method: "GET",
+path: "/",
+status: http.StatusOK,
+body: fmt.Sprintf(`{
+"keys": [
+{
+"crv":"P-256",
+"kty":"EC",
+"use":"x509-svid",
+"x":"kkEn5E2Hd_rvCRDCVMNj3deN0ADij9uJVmN-El0CJz0",
+"y":"qNrnjhtzrtTR0bRgI2jPIC1nEgcWNX63YcZOEzyo1iA",
+"x5c": [%q]
+}
+],
+"spiffe_refresh_hint": 300
+}`, base64.StdEncoding.EncodeToString(serverCert.Raw)),
+bundle: bundle,
+serverCert: serverCert,
+refreshHint: &fiveMinutes,
+},
 {
 name: "invalid method",
 method: "POST",
@@ -123,6 +148,7 @@ func TestServer(t *testing.T) {
 addr, done := newTestServer(t,
 testGetter(testCase.bundle),
 testSPIFFEAuth(testCase.serverCert, serverKey),
+testCase.refreshHint,
 )
 defer done()
 
@@ -184,6 +210,7 @@ func TestACMEAuth(t *testing.T) {
 Email: "admin@domain.test",
 ToSAccepted: false,
 }),
+nil,
 )
 defer done()
 
@@ -216,6 +243,7 @@ func TestACMEAuth(t *testing.T) {
 Email: "admin@domain.test",
 ToSAccepted: true,
 }),
+nil,
 )
 defer done()
 
@@ -264,6 +292,7 @@ func TestACMEAuth(t *testing.T) {
 Email: "admin@domain.test",
 ToSAccepted: true,
 }),
+nil,
 )
 defer done()
 
@@ -275,7 +304,7 @@ func TestACMEAuth(t *testing.T) {
 })
 }
 
-func newTestServer(t *testing.T, getter Getter, serverAuth ServerAuth) (net.Addr, func()) {
+func newTestServer(t *testing.T, getter Getter, serverAuth ServerAuth, refreshHint *time.Duration) (net.Addr, func()) {
 ctx, cancel := context.WithCancel(context.Background())
 
 addrCh := make(chan net.Addr, 1)
@@ -290,11 +319,12 @@ func newTestServer(t *testing.T, getter Getter, serverAuth ServerAuth) (net.Addr
 
 log, _ := test.NewNullLogger()
 server := NewServer(ServerConfig{
-Log: log,
-Address: "localhost:0",
-Getter: getter,
-ServerAuth: serverAuth,
-listen: listen,
+Log: log,
+Address: "localhost:0",
+Getter: getter,
+ServerAuth: serverAuth,
+listen: listen,
+RefreshHint: refreshHint,
 })
 
 errCh := make(chan error, 1)
diff --git a/pkg/server/endpoints/config.go b/pkg/server/endpoints/config.go
index d96449ee486..07c2786c257 100644
--- a/pkg/server/endpoints/config.go
+++ b/pkg/server/endpoints/config.go
@@ -113,7 +113,8 @@ func (c *Config) maybeMakeBundleEndpointServer() Server {
 }
 return bundleutil.SPIFFEBundleFromProto(commonBundle)
 }),
-ServerAuth: serverAuth,
+RefreshHint: c.BundleEndpoint.RefreshHint,
+ServerAuth: serverAuth,
 })
 }
 
diff --git a/pkg/server/server.go b/pkg/server/server.go
index 3e489d41762..7dbf4e622e8 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -399,6 +399,7 @@ func (s *Server) newEndpointsServer(ctx context.Context, catalog catalog.Catalog
 }
 if s.config.Federation.BundleEndpoint != nil {
 config.BundleEndpoint.Address = s.config.Federation.BundleEndpoint.Address
+config.BundleEndpoint.RefreshHint = s.config.Federation.BundleEndpoint.RefreshHint
 config.BundleEndpoint.ACME = s.config.Federation.BundleEndpoint.ACME
 }
 return endpoints.New(ctx, config)