CASMPET-6798: Update Spire OPA Policy for SBPS Marshal Agent (#105)
- enable/update OPA policy for SBPS Marshal Agent
  - update unit test in OPA for SBPS Marshal Agent
ravikanth-nalla-hpe authored Mar 21, 2024
1 parent 99e098f commit a67e980
Showing 4 changed files with 23 additions and 2 deletions.
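--- a/kubernetes/cray-opa/Chart.yaml
+++ b/kubernetes/cray-opa/Chart.yaml
@@ -1,7 +1,7 @@
 #
 # MIT License
 #
-# (C) Copyright 2022-2023 Hewlett Packard Enterprise Development LP
+# (C) Copyright 2022-2024 Hewlett Packard Enterprise Development LP
 #
 # Permission is hereby granted, free of charge, to any person obtaining a
 # copy of this software and associated documentation files (the "Software"),
@@ -23,7 +23,7 @@
 #
 apiVersion: v2
 name: cray-opa
-version: 1.33.3
+version: 1.33.4
 description: Cray Open Policy Agent
 keywords:
 - opa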
5 changes: 5 additions & 0 deletions kubernetes/cray-opa/templates/policies/spire.yaml
Expand Up @@ -135,6 +135,9 @@ data:
{"method": "POST", "path": `^/apis/hbtd/hmi/v1/heartbeat/.*$`},
{{- end }}
{"method": "GET", "path": `^/apis/hbtd/hmi/v1/params$`},
],
"sbps-marshal": [
{"method": "GET", "path": `^/apis/ims/v3/images$`},
]
}

Expand Down Expand Up @@ -203,6 +206,7 @@ data:
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/XNAME/workload/heartbeat": spire_methods["heartbeat"],
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/XNAME/workload/orca": spire_methods["dvs"],
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/XNAME/workload/tpm-provisioner": spire_methods["tpm-provisioner"],
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/XNAME/workload/sbps-marshal": spire_methods["sbps-marshal"],
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/XNAME/workload/cfs-state-reporter": spire_methods["cfs"],
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/XNAME/workload/heartbeat": spire_methods["heartbeat"],
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/XNAME/workload/tpm-provisioner": spire_methods["tpm-provisioner"],
Expand Down Expand Up @@ -272,6 +276,7 @@ data:
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/workload/heartbeat": spire_methods["heartbeat"],
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/workload/orca": spire_methods["dvs"],
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/workload/tpm-provisioner": spire_methods["tpm-provisioner"],
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/workload/sbps-marshal": spire_methods["sbps-marshal"],
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/workload/cfs-state-reporter": spire_methods["cfs"],
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/workload/heartbeat": spire_methods["heartbeat"],
"spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/workload/tpm-provisioner": spire_methods["tpm-provisioner"],
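Review bot: The new `"sbps-marshal": [ {"method": "GET", "path": `^/apis/ims/v3/images$`} ]` entry in the first hunk is the only place that states what the marshal agent may do, and nothing records why the agent needs IMS image listing; a one-line comment such as `# sbps-marshal: read-only listing of IMS images (GET /apis/ims/v3/images only)` next to it would make the least-privilege intent reviewable later. The `$` anchor means a request carrying a query string (pagination, filters) would not match if the path the policy compares against still includes the query; I cannot tell from this hunk whether the query is stripped earlier in the template, so it is worth confirming against how the agent actually calls IMS. The two SPIFFE ID bindings added in the later hunks (`/ncn/XNAME/workload/sbps-marshal` and `/ncn/workload/sbps-marshal`) scope the grant to NCN workloads only, which looks intentional and should stay that way.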
11 changes: 11 additions & 0 deletions kubernetes/cray-opa/tests/opa/run_tests/run_tests.go
Expand Up @@ -351,6 +351,16 @@ func main() {
}
fmt.Println(spireSub, ":", spireNcnTPMProvisioner)

spireSub = spireSubNCNPrefix + "sbps-marshal"
args = createTokenArgs{
issuer: spireIssuer, aud: systemComputeAud, sub: spireSub,
}
spireNcnSBPSMarshal, err := tc.create(args)
if err != nil {
log.Fatal(err)
}
fmt.Println(spireSub, ":", spireNcnSBPSMarshal)

spireSub = spireSubComputePrefix + "cfs-state-reporter"
args = createTokenArgs{
issuer: spireIssuer, aud: systemComputeAud, sub: spireSub,
Expand Down Expand Up @@ -625,6 +635,7 @@ func main() {
"heartbeat": spireNcnHeartbeat,
"orca": spireNcnOrca,
"tpm_provisioner": spireNcnTPMProvisioner,
"sbps_marshal": spireNcnSBPSMarshal,
},
"compute": map[string]interface{}{
"cfs_state_reporter": spireComputeCfsStateReporter,
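Review bot: The new stanza starting at `spireSub = spireSubNCNPrefix + "sbps-marshal"` mints the NCN token with `aud: systemComputeAud`; the sibling NCN stanzas (tpm-provisioner just above) lie outside the hunk, so I cannot confirm from here that NCN subjects are normally issued with that audience — worth checking, since a token carrying the wrong aud would make the generated Rego test exercise a claim combination the policy never sees in production. This is the same nine-line issuer/aud/sub, `tc.create`, `log.Fatal`, `fmt.Println` sequence repeated for every workload in `main`; a small helper taking `(tc, issuer, aud, sub)` and returning the token would shrink `main` and leave one place to change when the audience rules change. The second hunk's `"sbps_marshal": spireNcnSBPSMarshal` key matches the `.spire.ncn.sbps_marshal` reference in the Rego template, so the wiring is consistent. `main` starts and ends outside the hunk.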
5 changes: 5 additions & 0 deletions kubernetes/cray-opa/tests/opa/spire_test.rego.tpl
Expand Up @@ -21,6 +21,7 @@ sls_networks_path = "/apis/sls/v1/networks"
hmnfd_subscribe_path = "/apis/hmnfd/hmi/v1/subscribe"
hmnfd_subscriptions_path = "/apis/hmnfd/hmi/v1/subscriptions"
pals_mock_path = "/apis/pals/v1/mock"
sbps_marshal_ims_path = "/apis/ims/v3/images"

# Tests for denying access to pals mock path for ckdump sub

Expand Down Expand Up @@ -347,3 +348,7 @@ test_tpm_provisioner_cray_spire {

allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "POST", "path": "/apis/tpm-provisioner/whitelist/remove", "headers": {"authorization": "Bearer {{ .spire.compute.cray_tpm_provisioner }}" }}}}}
}

test_spire_sbps_marshal {
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": sbps_marshal_ims_path, "headers": {"authorization": "Bearer {{ .spire.ncn.sbps_marshal }}"}}}}}
}
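Review bot: `test_spire_sbps_marshal` only checks the positive case (GET on `sbps_marshal_ims_path` is allowed); unlike `test_tpm_provisioner_cray_spire` directly above it there is no deny assertion, so a later over-broad edit to the `sbps-marshal` method list would go unnoticed by this test. Add a deny check in the same test, e.g. `allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "POST", "path": sbps_marshal_ims_path, "headers": {"authorization": "Bearer {{ .spire.ncn.sbps_marshal }}"}}}}}`, and ideally a second one for a GET on a path outside IMS such as `pals_mock_path`. The test name also departs from the `test_<workload>_cray_spire` pattern of its neighbour; `test_sbps_marshal_cray_spire` would keep the file greppable.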

0 comments on commit a67e980

Please sign in to comment.