From f038ee5bbe9824dcb3d50e859c7a331c5974647c Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Wed, 25 Sep 2024 06:31:56 -0700
Subject: [PATCH 1/7] Support federation bundle endpoint profile http_web certificates

Signed-off-by: Kevin Fox
---
 charts/spire/charts/spire-server/README.md | 3 ++-
 .../spire-server/templates/configmap.yaml | 23 +++++++++++++------
 .../templates/federation-ingress.yaml | 21 +++-------------
 .../templates/server-resource.yaml | 14 +++++++++++
 charts/spire/charts/spire-server/values.yaml | 8 +++++--
 5 files changed, 41 insertions(+), 28 deletions(-)

diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index ac029b56b..2a45d374f 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -147,7 +147,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `federation.enabled` | Flag to enable federation | `false` |
 | `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` |
 | `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` |
-| `federation.bundleEndpoint.refresh_hint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` |
+| `federation.bundleEndpoint.refreshHint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` |
+| `federation.bundleEndpoint.profile.httpWeb.fileSyncInterval` | Interval on which to reload the certificate/key from disk | `1h` |
 | `federation.tls.spire.enabled` | Use spire to secure the federation bundle endpoint | `true` |
 | `federation.tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` |
 | `federation.tls.externalSecret.secretName` | Specify which Secret to use | `""` |
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
index c43f35867..d71b7b40a 100644
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -38,9 +38,6 @@
 {{- if and (eq (.Values.keyManager.awsKMS.keyIdentifierFile.enabled | toString) "true") (eq (.Values.keyManager.awsKMS.keyIdentifierValue.enabled | toString ) "true") }}
 {{- fail "You can only enable one of keyIdentifierFile or keyIdentifierValue at a time" }}
 {{- end }}
-{{- if hasKey .Values.federation.bundleEndpoint "profile" }}
-{{- fail "Configuring the federation bundle endpoint profile directly isn't supported. You can specify the settings via federation.tls" }}
-{{- end }}
 {{- define "spire-server.yaml-config" -}}
 {{- $upstreamAuthorityUsed := 0 }}
 {{- $keyManagerUsed := 0 }}
@@ -69,12 +66,24 @@ server:
       organization: [{{ include "spire-server.ca-subject-organization" . | quote }}]
       common_name: {{ include "spire-server.ca-subject-common-name" . | quote }}
-  {{- with .Values.federation }}
-  {{- if eq (.enabled | toString) "true" }}
+  {{- if eq (.Values.federation.enabled | toString) "true" }}
   federation:
     bundle_endpoint:
-      {{ .bundleEndpoint | toYaml | nindent 8 }}
-  {{- end }}
+      address: {{ .Values.federation.bundleEndpoint.address | quote }}
+      port: {{ .Values.federation.bundleEndpoint.port }}
+      refreshHint: {{ .Values.federation.bundleEndpoint.refreshHint | quote }}
+      profile:
+      {{- if .Values.federation.tls.spire.enabled }}
+        - https_spiffe:
+          - {}
+      {{ else }}
+        - https_web:
+          - file_sync_interval: {{ .Values.federation.bundleEndpoint.profile.httpWeb.fileSyncInterval }}
+          {{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}
+            cert_file_path: /bundle-endpoint-tls/tls.crt
+            key_file_path: /bundle-endpoint-tls/tls.key
+          {{- end }}
   {{- end }}
   {{- with .Values.experimental }}
diff --git a/charts/spire/charts/spire-server/templates/federation-ingress.yaml b/charts/spire/charts/spire-server/templates/federation-ingress.yaml
index 2eb89794d..e4317c9a9 100644
--- a/charts/spire/charts/spire-server/templates/federation-ingress.yaml
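Review bot: The new `profile` branch tests `.Values.federation.tls.spire.enabled` (and the `or` over the certManager/externalSecret flags) as bare values, while the rest of this file coerces booleans with `eq (... | toString) "true"` — the awsKMS guard in the first hunk is the visible example; a quoted `"false"` from a values file or `--set-string` is a non-empty string and silently takes the opposite branch, here the https_spiffe one. Use the same form, `{{- if eq (.Values.federation.tls.spire.enabled | toString) "true" }}`, and trim `{{ else }}` to `{{- else }}` like its siblings. The hard-coded `/bundle-endpoint-tls/tls.crt` and `tls.key` paths must agree with the volumeMount added in server-resource.yaml; a comment such as `{{/* paths must match the bundle-endpoint-tls volumeMount in server-resource.yaml */}}` would make that coupling visible to the next editor. The enclosing `spire-server.yaml-config` define continues beyond this hunk.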
+++ b/charts/spire/charts/spire-server/templates/federation-ingress.yaml
@@ -4,33 +4,18 @@
 {{- $path := "/"}}
 {{- $pathType := "Prefix" }}
 {{- $tlsSection := true }}
-{{/* Until https://github.com/spiffe/spire/issues/2202 is resolved, use ingress to implement cert-manager and externalSecret support. */}}
-{{- $federationIngress := deepCopy .Values.federation.ingress }}
-{{- if .Values.federation.tls.certManager.enabled }}
-{{- $secret := printf "%s-federation-cert" $svcName }}
-{{- $_ := set $federationIngress "tlsSecret" $secret }}
-{{- end }}
-{{- if .Values.federation.tls.externalSecret.enabled }}
-{{- $_ := set $federationIngress "tlsSecret" .Values.federation.tls.externalSecret.secretName }}
-{{- end }}
 {{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.federation.ingress) }}
 {{- $annotations := deepCopy .Values.federation.ingress.annotations }}
 {{- if eq $ingressControllerType "ingress-nginx" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
-{{- if not .Values.federation.ingress.tlsSecret }}
-{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
-{{- end }}
+{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
 {{- else if eq $ingressControllerType "openshift" }}
-{{- if $federationIngress.tlsSecret }}
-{{- $_ := set $annotations "route.openshift.io/termination" "reencrypt" }}
-{{- else }}
-{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
 {{- $path = "" }}
 {{- $pathType = "ImplementationSpecific" }}
 {{- $tlsSection = false }}
-{{- end }}
 {{- end }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
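Review bot: `federation.ingress.tlsSecret` is no longer read anywhere in this template, but nothing rejects it, so a values file still carrying the old key (run-tests.sh set it until patch 7) gets TLS passthrough regardless and the operator's certificate is silently unused; the commit removes the `profile` guard from configmap.yaml, and an equivalent guard belongs here: `{{- if .Values.federation.ingress.tlsSecret }}{{- fail "federation.ingress.tlsSecret is no longer supported; use federation.tls.certManager or federation.tls.externalSecret" }}{{- end }}`. Unconditional `ssl-passthrough` also only takes effect when ingress-nginx runs with `--enable-ssl-passthrough`; without it the annotation is ignored and nginx terminates TLS with its own default certificate in front of the bundle endpoint, which https_spiffe peers reject and https_web peers see as the wrong chain, so the README row for the federation ingress should state that requirement. `spire-lib.ingress-spec` is not visible, so whether `$tlsSection` still emits a `tls:` block for nginx now that no secret is set is worth checking.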
@@ -44,6 +29,6 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  {{ include "spire-lib.ingress-spec" (dict "ingress" $federationIngress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
+  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.federation.bundleEndpoint.ingress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/server-resource.yaml b/charts/spire/charts/spire-server/templates/server-resource.yaml
index 1a52494ac..51e52f337 100644
--- a/charts/spire/charts/spire-server/templates/server-resource.yaml
+++ b/charts/spire/charts/spire-server/templates/server-resource.yaml
@@ -262,6 +262,10 @@ spec:
           mountPath: /tmp-direct-hashes
         {{- end }}
         {{- end }}
+        {{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}
+        - name: bundle-endpoint-tls
+          mountPath: /bundle-endpoint-tls
+        {{- end }}
         {{- if eq (.Values.upstreamAuthority.disk.enabled | toString) "true" }}
         - name: upstream-ca
           mountPath: /run/spire/upstream_ca
@@ -397,6 +401,16 @@ spec:
           name: {{ include "spire-server.fullname" . }}-tpm-direct-hash
       {{- end }}
       {{- end }}
+      {{- if .Values.federation.tls.certManager.enabled }}
+      - name: bundle-endpoint-tls
+        secret:
+          secretName: {{ printf "%s-federation-cert" (include "spire-server.fullname" .) }}
+      {{- end }}
+      {{- if .Values.federation.tls.externalSecret.enabled }}
+      - name: bundle-endpoint-tls
+        secret:
+          secretName: {{ .Values.federation.tls.externalSecret.secretName }}
+      {{- end }}
       {{- if or (eq (include "spire-tornjak.connectionType" .) "tls") (eq (include "spire-tornjak.connectionType" .) "mtls") }}
       - name: server-cert
         secret:
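Review bot: The `bundle-endpoint-tls` volumeMount added in the `@@ -262` hunk is writable, yet the secret behind it holds the bundle endpoint's private key and the server only ever reads it (SPIRE re-reads it on `file_sync_interval`); add `readOnly: true` under `mountPath: /bundle-endpoint-tls` so a compromised process cannot tamper with the mounted copy. Whether the neighbouring `upstream-ca` and `server-cert` mounts set it is outside the hunk; if they do not, the same fix applies there. The container spec this mount belongs to starts before the hunk.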
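Review bot: In the `@@ -397` hunk the two `if` blocks are independent, so enabling both `federation.tls.certManager` and `federation.tls.externalSecret` renders two volumes named `bundle-endpoint-tls`, which the API server rejects at install time rather than Helm at template time; chain them with `{{- else if .Values.federation.tls.externalSecret.enabled }}` or add a `fail` when both are set, mirroring the awsKMS guard in configmap.yaml. `externalSecret.secretName` defaults to `""` in values.yaml, so an enabled externalSecret with no name renders an empty `secretName:`; `secretName: {{ required "federation.tls.externalSecret.secretName must be set" .Values.federation.tls.externalSecret.secretName }}` turns that into a template error instead of a pod stuck in ContainerCreating.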
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 889ac5863..53b4f36c1 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -210,8 +210,12 @@ federation:
     port: 8443
     ## @param federation.bundleEndpoint.address Address for trust bundle federation
     address: "0.0.0.0"
-    ## @param federation.bundleEndpoint.refresh_hint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server.
-    refresh_hint: "5m"
+    ## @param federation.bundleEndpoint.refreshHint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server.
+    refreshHint: "5m"
+    profile:
+      httpWeb:
+        ## @param federation.bundleEndpoint.profile.httpWeb.fileSyncInterval Interval on which to reload the certificate/key from disk
+        fileSyncInterval: 1h
 
   tls:
     spire:

From 00412c40b765743acc9e192d3b12bdfdd7121b16 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Wed, 25 Sep 2024 06:43:30 -0700
Subject: [PATCH 2/7] Fix var

Signed-off-by: Kevin Fox
---
 .../spire/charts/spire-server/templates/federation-ingress.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/spire/charts/spire-server/templates/federation-ingress.yaml b/charts/spire/charts/spire-server/templates/federation-ingress.yaml
index e4317c9a9..d3c497590 100644
--- a/charts/spire/charts/spire-server/templates/federation-ingress.yaml
+++ b/charts/spire/charts/spire-server/templates/federation-ingress.yaml
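Review bot: Renaming `refresh_hint` to `refreshHint` silently drops the setting for every existing values file: the old configmap template passed `bundleEndpoint` through `toYaml`, so a user's `refresh_hint` reached SPIRE, while the new template only reads `refreshHint` and falls back to the 5m default. The parameter's own description says the CA TTL must be sized 3-5x against this value, so a silent reset can put federated peers' bundle refresh out of step with key rotation. Add a guard in configmap.yaml next to the other `fail` checks, `{{- if hasKey .Values.federation.bundleEndpoint "refresh_hint" }}{{- fail "federation.bundleEndpoint.refresh_hint was renamed to federation.bundleEndpoint.refreshHint" }}{{- end }}`, and call the rename out in the chart's upgrade notes.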
@@ -29,6 +29,6 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.federation.bundleEndpoint.ingress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
+  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.federation.ingress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
 {{- end }}
 {{- end }}

From 09ff994d5bbb82996dce3307f0b8336e908f43d6 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Wed, 25 Sep 2024 07:03:01 -0700
Subject: [PATCH 3/7] Fix key

Signed-off-by: Kevin Fox
---
 charts/spire/charts/spire-server/templates/configmap.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
index d71b7b40a..a021011fd 100644
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -71,7 +71,7 @@ server:
     bundle_endpoint:
       address: {{ .Values.federation.bundleEndpoint.address | quote }}
       port: {{ .Values.federation.bundleEndpoint.port }}
-      refreshHint: {{ .Values.federation.bundleEndpoint.refreshHint | quote }}
+      refresh_hint: {{ .Values.federation.bundleEndpoint.refreshHint | quote }}
       profile:
       {{- if .Values.federation.tls.spire.enabled }}
         - https_spiffe:

From b549ad5750cd3844aee0da14fa9bd50f4358c1fc Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Wed, 25 Sep 2024 08:21:58 -0700
Subject: [PATCH 4/7] Fix test

Signed-off-by: Kevin Fox
---
 charts/spire/charts/spire-server/templates/_helpers.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl
index 5674c5c29..ac532c683 100644
--- a/charts/spire/charts/spire-server/templates/_helpers.tpl
+++ b/charts/spire/charts/spire-server/templates/_helpers.tpl
@@ -274,7 +274,7 @@ The code below determines what connection type should be used.
 {{- end }}
 {{- $args = append $args (printf "https://%s/" $host) }}
 {{- else }}
-{{- $args = append $args (printf "http://%s/" $host) }}
+{{- $args = append $args (printf "-k -L http://%s/" $host) }}
 {{- end }}
 {{ $args | toYaml }}
 {{- end -}}

From 2e479a04d1cb50c3b2cb5454ef5344270ece3500 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Wed, 25 Sep 2024 09:20:54 -0700
Subject: [PATCH 5/7] Fix test

Signed-off-by: Kevin Fox
---
 ...ues-expose-federation-https-web-ingress-nginx.yaml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml b/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml
index c2c3879fa..801a0c6bd 100644
--- a/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml
+++ b/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml
@@ -4,10 +4,9 @@ spire-server:
     enabled: true
   federation:
     enabled: true
-    ingress:
+    tls:
+      spire:
+        enabled: false
+      externalSecret:
       enabled: true
-      controllerType: ingress-nginx
-
-      # className: nginx
-
-      tlsSecret: spire-server-federation-tls
+      secretName: spire-server-federation-tls

From 7edaf913df1265bebf2978b83e4c6c964dc79227 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Wed, 25 Sep 2024 09:37:57 -0700
Subject: [PATCH 6/7] Fix test

Signed-off-by: Kevin Fox
---
 .../values-expose-federation-https-web-ingress-nginx.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
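Review bot: `-k` makes the test's curl accept any certificate, so for the https_web profile — whose whole point is a serving certificate a peer can verify — the test now passes even when the endpoint serves an expired or unrelated certificate, or ingress-nginx's default one because passthrough is not enabled. `-L` is the part that is actually needed to follow the http→https redirect; run-tests.sh already provisions `tests.tls.customCA=tls-cert` for this suite, so the redirected request should be verified against that CA with `--cacert` instead of `-k`, and if the plain-http branch genuinely has no CA path available, a comment on the line should say why verification is skipped. The define this line belongs to starts before the hunk, so how `$host` and any CA path are derived is not visible here.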
diff --git a/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml b/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml
index 801a0c6bd..4d30a3af2 100644
--- a/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml
+++ b/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml
@@ -7,6 +7,6 @@ spire-server:
     tls:
       spire:
         enabled: false
-      externalSecret:
-      enabled: true
-      secretName: spire-server-federation-tls
+      externalSecret:
+        enabled: true
+        secretName: spire-server-federation-tls

From eb2b08f4e36d98f9a2994db5b7abc04cb7651b43 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Wed, 25 Sep 2024 10:26:32 -0700
Subject: [PATCH 7/7] Fix test

Signed-off-by: Kevin Fox
---
 .../charts/spire-server/templates/configmap.yaml | 14 +++++++------
 tests/integration/production/run-tests.sh | 2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
index a021011fd..4c7a622f9 100644
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -74,15 +74,15 @@ server:
       refresh_hint: {{ .Values.federation.bundleEndpoint.refreshHint | quote }}
       profile:
       {{- if .Values.federation.tls.spire.enabled }}
-        - https_spiffe:
-          - {}
+        - https_spiffe: {}
       {{ else }}
         - https_web:
-          - file_sync_interval: {{ .Values.federation.bundleEndpoint.profile.httpWeb.fileSyncInterval }}
-          {{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}
-            cert_file_path: /bundle-endpoint-tls/tls.crt
-            key_file_path: /bundle-endpoint-tls/tls.key
-          {{- end }}
+            serving_cert_file:
+              file_sync_interval: {{ .Values.federation.bundleEndpoint.profile.httpWeb.fileSyncInterval }}
+              {{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}
+                cert_file_path: /bundle-endpoint-tls/tls.crt
+                key_file_path: /bundle-endpoint-tls/tls.key
+              {{- end }}
       {{- end }}
       {{- end }}
 
diff --git a/tests/integration/production/run-tests.sh b/tests/integration/production/run-tests.sh
index c5cd8bbe4..a61cbacb5 100755
--- a/tests/integration/production/run-tests.sh
+++ b/tests/integration/production/run-tests.sh
@@ -129,7 +129,7 @@ install_and_test() {
     --values /tmp/dummydns \
     --set spiffe-oidc-discovery-provider.tests.tls.customCA=tls-cert,spire-server.tests.tls.customCA=tls-cert \
     --set spire-agent.server.address=spire-server.production.other,spire-agent.server.port=443 \
-    --set spire-server.federation.ingress.tlsSecret=tls-cert,spiffe-oidc-discovery-provider.ingress.tlsSecret=tls-cert \
+    --set spire-server.federation.tls.externalSecret.secretName=tls-cert,spiffe-oidc-discovery-provider.ingress.tlsSecret=tls-cert \
     --wait
 
 helm test --namespace "${ns}" spire
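Review bot: With `federation.tls.spire.enabled=false` and neither `certManager` nor `externalSecret` enabled, this renders `serving_cert_file` with only `file_sync_interval` and no `cert_file_path`/`key_file_path`, which SPIRE cannot serve from; the failure surfaces at server start-up, after `helm install` has already reported success. Reject it at template time instead, at the top of the `https_web` branch: `{{- if not (or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled) }}{{- fail "federation.tls.spire.enabled=false requires federation.tls.certManager.enabled or federation.tls.externalSecret.enabled" }}{{- end }}`; the inner `{{- if or ... }}` around the two paths then becomes unconditional and can go. The enclosing `spire-server.yaml-config` define starts before this hunk.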
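Review bot: The replacement `--set` only supplies `federation.tls.externalSecret.secretName`, which the chart ignores unless the values file being installed also sets `federation.tls.spire.enabled=false` and `federation.tls.externalSecret.enabled=true`; patches 5 and 6 do that for one values file, so for every other file this argument is a silent no-op, whereas the old `federation.ingress.tlsSecret` applied to all of them. If that is intended, a comment on the line would save the next reader the investigation, e.g. `# only takes effect for values files that enable federation.tls.externalSecret`. `install_and_test` starts before the hunk, so which values files it layers is not visible here.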