Update plugin_agent_workloadattestor_docker.md

[raissonsouto]

Affected functionality
None.

Description of change
Improving documentation of the Docker workload attestor.

[amartinezfayo]

Thank you @raissonsouto for this.
There may be a confusion here. The docker:image_id selector should generate a selector that is a digest. It's a computed (truncated) SHA256 hash of the image configuration object. It shouldn't be the REPOSITORY:TAG.
Have you seen this selector to be something different than a digest?

[raissonsouto]

This documentation is based in my experience with SPIRE.

I was using a Envoy proxy within docker and using a SPIRE agent in the host machine with the docker workload attestator and when I tried to use the selector docker:image_id using the hash of the Envoy image, it fails to get the SVID. However, I discover that using the image_name:version worked.

If you want to try yourself, these are the files used:

server.conf

server {
    bind_address = "127.0.0.1"
    bind_port = "8081"
    trust_domain = "example.org"
    data_dir = "./data/server"
    log_level = "DEBUG"
    ca_ttl = "240h"
    default_x509_svid_ttl = "120h"
    ca_key_type = "rsa-4096"

    ca_subject {
        country = ["BR"]
        organization = ["SmartCampus"]
    }
}

plugins {
    DataStore "sql" {
        plugin_data {
            database_type = "sqlite3"
            connection_string = "./data/server/datastore.sqlite3"
        }
    }

    NodeAttestor "join_token" {
        plugin_data {
        }
    }

    KeyManager "memory" {
        plugin_data = {}
    }
}

agent.conf

agent {
    data_dir = "./data/agent"
    log_level = "DEBUG"
    server_address = "127.0.0.1"
    server_port = "8081"
    trust_domain = "example.org"
    insecure_bootstrap = true
    workload_x509_svid_key_type = "rsa-2048"
}

plugins {
    NodeAttestor "join_token" {
        plugin_data {}
    }
    
    KeyManager "disk" {
        plugin_data {
            directory = "./data/agent"
        }
    }
    
    WorkloadAttestor "docker" {
        plugin_data {}
    }
}

compose.yaml:

version: '3'

services:

  envoy:
    container_name: envoy
    image: envoyproxy/envoy:contrib-v1.29.1
    volumes:
      - ./envoy.yaml:/etc/envoy/envoy.yaml
      - /tmp/spire-agent/public:/tmp/spire-agent/public
    ports:
      - "10000:10000"
    command: ["envoy", "-c", "/etc/envoy/envoy.yaml", "-l", "debug"]

  nginx:
    container_name: nginx
    image: nginx:latest
    ports:
      - "8080:80"

envoy.yaml

node:
  id: default
  cluster: server
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: AUTO
          stat_prefix: ingress_http
          common_http_protocol_options:
            idle_timeout: 1s
          access_log:
          - name: envoy.access_loggers.file
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
              path: "/dev/stdout"
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: service
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          require_client_certificate: true
          common_tls_context:
            tls_certificate_sds_secret_configs:
            - name: spiffe://example.org/envoy
              sds_config:
                resource_api_version: V3
                api_config_source:
                  api_type: GRPC
                  transport_api_version: V3 
                  grpc_services:
                    envoy_grpc:
                      cluster_name: spire_agent
            validation_context_sds_secret_config: 
              name: "spiffe://example.org"
              sds_config:
                resource_api_version: V3
                api_config_source:
                  api_type: GRPC
                  transport_api_version: V3
                  grpc_services:
                    envoy_grpc:
                      cluster_name: spire_agent

  clusters:
  - name: service
    connect_timeout: 0.25s
    type: LOGICAL_DNS
    load_assignment:
      cluster_name: service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 8080
  - name: spire_agent
    connect_timeout: 0.25s
    http2_protocol_options: {}
    load_assignment:
      cluster_name: spire_agent
      endpoints:
        - lb_endpoints:
          - endpoint:
              address:
                pipe:
                  path: /tmp/spire-agent/public/api.sock

Steps

1. Deploy SPIRE server in the host machine
2. Generate the join token for spiffe://example.org/agent
3. Deploy SPIRE agent in the host machine
4. Create a entry for Envoy:

sipre-server entry create -parentID spiffe://example.org/agent -spiffeID spiffe://example.org/envoy -selector docker:image_id:644f45f6626c

5. See SPIRE agent logs failing to send the SVID

DEBU[0114] Received StreamSecrets request                method=StreamSecrets nonce= pid=14066 resource_names="[spiffe://example.org/envoy]" service=S
DS.v3 subsystem_name=endpoints version_info=                                                                                                          
ERRO[0114] Error building stream secrets response        error="rpc error: code = InvalidArgument desc = workload is not authorized for the requested 
identities [\"spiffe://example.org/envoy\"]" method=StreamSecrets pid=14066 service=SDS.v3 subsystem_name=endpoints 

6. Now, make the new entry:

spire-sserver entry create -parentID spiffe://example.org/agent -spiffeID spiffe://example.org/envoy -selector docker:image_id:envoyproxy/envoy:contrib-v1.29.1

7. Finally, check the SPIRE agent logs:

DEBU[0185] Received StreamSecrets request                method=StreamSecrets nonce=31ec6044 pid=14066 resource_names="[spiffe://example.org]" service
=SDS.v3 subsystem_name=endpoints version_info=14                                                                                                      
DEBU[0185] SVID updated                                  entry=02654974-eca8-4223-baef-cdee7eb49d85 spiffe_id="spiffe://example.org/envoy" subsystem_n
ame=cache_manager                                                                                                                                     
DEBU[0185] Sending StreamSecrets response                count=1 method=StreamSecrets nonce=584cfac6 pid=14066 service=SDS.v3 subsystem_name=endpoints
 version_info=15      

[amartinezfayo]

Thank you @raissonsouto. Could you share SPIRE Agent logs when the attestation happens? Particularly, the DEBUG log message PID attested to have selectors, that should expose the discovered selectors.

[raissonsouto]

raisson@laptop:~/code/envoy-mtls$ spire-server token generate -spiffeID spiffe://example.org/agent                                                    Token: 029b45c5-1f0a-4321-91b5-8023330a0cd4                                                                                                           
raisson@laptop:~/code/envoy-mtls$ spire-agent run -config spire-agent.conf -joinToken 029b45c5-1f0a-4321-91b5-8023330a0cd4                            WARN[0000] Current umask 0002 is too permissive; setting umask 0027                                                                                   
INFO[0000] Starting agent with data directory: "./data/agent
INFO[0000] Plugin loaded                                 external=false plugin_name=join_token plugin_type=NodeAttestor subsystem_name=catalog        INFO[0000] Plugin loaded                                 external=false plugin_name=disk plugin_type=KeyManager subsystem_name=catalog                INFO[0000] Plugin loaded                                 external=false plugin_name=docker plugin_type=WorkloadAttestor subsystem_name=catalog        INFO[0000] Bundle is not found                           subsystem_name=attestor                                                                      DEBU[0000] No pre-existing agent SVID found. Will perform node attestation  subsystem_name=attestor                                                   WARN[0000] Keys recovered, but no SVID found. Generating new keypair  subsystem_name=attestor                                                         INFO[0000] SVID is not found. Starting node attestation  subsystem_name=attestor                                                                      WARN[0000] Insecure bootstrap enabled; skipping server certificate verification  subsystem_name=attestor                                              
INFO[0000] Node attestation was successful               rettestable=false spiffe_id="spiffe://example.org/spire/agent/join_token/029b45c5-1f0a-4321-91b5-8023330a0cd4" subsystem_name=attestor                                                                                                             
DEBU[0000] Entry created                                 entry=7c118d57-1d65-4abf-beee-f0321985a3e8 selectors_added=1 spiffe_id="spiffe://example.org/agent" subsystem_name=cache_manager                                                                                                                   
DEBU[0000] Renewing stale entries                        cache_type=workload count=1 limit=500 subsystem_name=manager                                 INFO[0000] Creating X509-SVID                            entry_id=7c118d57-1d65-4abf-beee-f0321985a3e8 spiffe_id="spiffe://example.org/agent" subsyste
m_name=manager                                                                                                                                        DEBU[0000] SVID updated                                  entry=7c118d57-1d65-4abf-beee-f0321985a3e8 spiffe_id="spiffe://example.org/agent" subsystem_n
ame=cache_manager                                                                                                                                     DEBU[0000] Bundle added                                  subsystem_name=svid_store_cache trust_domain_id=example.org                                  INFO[0000] Starting Workload and SDS APIs                address=/tmp/spire-agent/public/api.sock network=unix subsystem_name=endpoints               DEBU[0000] Initializing health checkers                  subsystem_name=health                                                                        DEBU[0001] PID attested to have selectors                pid=168583 selectors="[type:\"docker\" value:\"label:com.docker.compose.container-number:1\" type:\"docker\" value:\"label:com.docker.compose.oneoff:False\" type:\"docker\" value:\"label:com.docker.compose.project:envoy-mtls\" type:\"docker\" value:\"label:com.docker.compose.project.working_dir:/home/raisson/code/envoy-mtls\" type:\"docker\" value:\"label:org.opencontainers.image.version:22.04\" type:\"docker\" value:\"label:com.docker.compose.config-hash:519b4dc15b2660de8949fa04003cae2c81f0582c5edd19b082c25e46051c9b1a\" type:\"docker\" value:\"label:com.docker.compose.project.config_files:/home/raisson/code/envoy-mtls/compose.yaml\" type:\"docker\" value:\"label:com.docker.compose.service:envoy\" type:\"docker\" value:\"label:com.docker.compose.version:2.24.2\" type:\"docker\" value:\"label:org.opencontainers.image.ref.name:ubuntu
\" type:\"docker\" value:\"label:com.docker.compose.depends_on:\" type:\"docker\" value:\"label:com.docker.compose.replace:f6965c56a81816b8c4461b37f39c560b0af7d24c281852920c99dcc95db4d3da\" type:\"docker\" value:\"label:com.docker.compose.image:sha256:644f45f6626c1b946b7ae8d51f94a7bc5178d3131483b004
5854a548bb8512b8\" type:\"docker\" value:\"env:PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\" type:\"docker\" value:\"env:DEBIAN_FRONTEND=noninteractive\" type:\"docker\" value:\"image_id:envoyproxy/envoy:contrib-v1.29.1\"]" subsystem_name=workload_attestor                      
DEBU[0001] Received StreamSecrets request                method=StreamSecrets nonce= pid=168583 resource_names="[spiffe://example.org/envoy]" service=SDS.v3 subsystem_name=endpoints version_info=   

[raissonsouto]

Another useful information, I'm using SPIRE 1.9.1

[amartinezfayo]

Thank you @raissonsouto for bringing this up. I was able to reproduce the same kind of output for the image_id selector, indicating the image name. I filed #5114 to address having a selector name that is misleading.

I think that we should probably update the "Workload Selectors" table as well, with a value for image_id more like an image name instead of a digest, and also the description.
There are a couple of changes that we should also make to make the linter happy.
Thank you very much for this contribution!

[amartinezfayo]

This line should be removed.

[amartinezfayo]

There should be a new line before this text starts.

[raissonsouto]

Hello @amartinezfayo,

I apologize for the delay in implementing the required fixes, I've been immersed in my bachelor's thesis (which is about access control of Kafka using SPIRE!!).

[amartinezfayo]

@raissonsouto No worries!
DCO is missing, could you please fix that so we can merge this?

[amartinezfayo]

Hey @raissonsouto, we still need to have DCO fixed in order to be able to merge this. Could you address that?
Thank you!

[amartinezfayo]

Hi @raissonsouto, quick reminder that we need to have DCO fixed to be able to merge this contribution.

[amartinezfayo]

@raissonsouto Since we still have the DCO missing in this PR, I've opened #5220 taking this contribution so we can get it merged. I'm closing this PR in favor of #5220. Thanks again!