WIP spire.

Signed-off-by: Dan Lorenc <dlorenc@google.com> changed to use spiffe-csi Add pod SPIFFE id annotation for workload registrar Signed-off-by: Brandon Lum <lumjjb@gmail.com> removed spire jwt updated obtaining trust bundle Added SPIFFE entry registration and SVID entrypointer backoff (tektoncd#2) * Added SPIFFE entry registration and SVID entrypointer backoff Signed-off-by: Brandon Lum <lumjjb@gmail.com> * Allow SPIRE configuration through opts Signed-off-by: Brandon Lum <lumjjb@gmail.com> * Add validation of SpireConfig Signed-off-by: Brandon Lum <lumjjb@gmail.com>
lumjjb · Feb 10, 2022 · c3b11fa · c3b11fa
1 parent 5d3f23e
commit c3b11fa
Show file tree

Hide file tree

Showing 251 changed files with 71,814 additions and 11 deletions.
diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -60,12 +60,20 @@ func main() {
 	flag.StringVar(&opts.Images.ImageDigestExporterImage, "imagedigest-exporter-image", "", "The container image containing our image digest exporter binary.")
 	flag.StringVar(&opts.Images.WorkingDirInitImage, "workingdirinit-image", "", "The container image containing our working dir init binary.")
 
+	flag.StringVar(&opts.SpireConfig.TrustDomain, "spire-trust-domain", "example.org", "Experimental: The SPIRE Trust domain to use.")
+	flag.StringVar(&opts.SpireConfig.SocketPath, "spire-socket-path", "/spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
+	flag.StringVar(&opts.SpireConfig.ServerAddr, "spire-server-addr", "spire-server.spire.svc.cluster.local:8081", "Experimental: The SPIRE server address for workload/node registration.")
+	flag.StringVar(&opts.SpireConfig.NodeAliasPrefix, "spire-node-alias-prefix", "/tekton-node/", "Experimental: The SPIRE node alias prefix to use.")
+
 	// This parses flags.
 	cfg := injection.ParseAndGetRESTConfigOrDie()
 
 	if err := opts.Images.Validate(); err != nil {
 		log.Fatal(err)
 	}
+	if err := opts.SpireConfig.Validate(); err != nil {
+		log.Fatal(err)
+	}
 	if cfg.QPS == 0 {
 		cfg.QPS = 2 * rest.DefaultQPS
 	}

diff --git a/cmd/imagedigestexporter/main.go b/cmd/imagedigestexporter/main.go
@@ -17,9 +17,12 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"flag"
 
+	"github.com/spiffe/go-spiffe/v2/workloadapi"
+	"github.com/tektoncd/pipeline/pkg/entrypoint"
 	"github.com/tektoncd/pipeline/pkg/termination"
 	"knative.dev/pkg/logging"
 
@@ -81,6 +84,19 @@ func main() {
 		})
 
 	}
+	ctx := context.Background()
+
+	client, err := workloadapi.New(ctx, workloadapi.WithAddr("unix:///spiffe-workload-api/spire-agent.sock"))
+	if err == nil {
+		signed, err := entrypoint.Sign(output, client)
+		if err != nil {
+			logger.Fatal(err)
+		}
+
+		output = append(output, signed...)
+	} else {
+		logger.Infof("Spire workload API not initalized due to error: %s", err.Error())
+	}
 
 	if err := termination.WriteMessage(*terminationMessagePath, output); err != nil {
 		logger.Fatalf("Unexpected error writing message %s to %s", *terminationMessagePath, err)

diff --git a/config/controller.yaml b/config/controller.yaml
@@ -88,6 +88,9 @@ spec:
           mountPath: /etc/config-logging
         - name: config-registry-cert
           mountPath: /etc/config-registry-cert
+        - name: spiffe-workload-api
+          mountPath: /spiffe-workload-api
+          readOnly: true
         env:
         - name: SYSTEM_NAMESPACE
           valueFrom:
@@ -154,6 +157,9 @@ spec:
         - name: config-registry-cert
           configMap:
             name: config-registry-cert
+        - name: spiffe-workload-api
+          csi:
+            driver: "csi.spiffe.io"
 ---
 apiVersion: v1
 kind: Service

diff --git a/go.mod b/go.mod
@@ -16,15 +16,42 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/opencontainers/image-spec v1.0.3-0.20211202222133-eacdcc10569b
 	github.com/pkg/errors v0.9.1
+	github.com/sirupsen/logrus v1.7.0 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.0.0-beta.5
+<<<<<<< HEAD
+	github.com/spiffe/spire v0.12.2 // indirect
+	github.com/spiffe/spire/proto/spire v0.10.1
+	github.com/tektoncd/plumbing v0.0.0-20210420200944-17170d5e7bc9
+	go.opencensus.io v0.23.0
+	go.uber.org/zap v1.16.0
+	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad // indirect
+	golang.org/x/mod v0.4.1 // indirect
+	golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84
+	golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf // indirect
+	golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 // indirect
+	golang.org/x/tools v0.1.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.1.0
+	google.golang.org/grpc v1.36.0
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	k8s.io/api v0.19.7
+	k8s.io/apimachinery v0.19.7
+	k8s.io/client-go v0.19.7
+	k8s.io/code-generator v0.19.7
+	k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 // indirect
+=======
 	github.com/tektoncd/plumbing v0.0.0-20211012143332-c7cc43d9bc0c
 	go.opencensus.io v0.23.0
 	go.uber.org/zap v1.19.1
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
+	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0
+	google.golang.org/grpc v1.43.0
 	k8s.io/api v0.22.5
 	k8s.io/apimachinery v0.22.5
 	k8s.io/client-go v0.22.5
 	k8s.io/code-generator v0.22.5
+>>>>>>> 3970560e5 (Added SPIFFE entry registration and SVID entrypointer backoff (#2))
 	k8s.io/klog v1.0.0
 	k8s.io/kube-openapi v0.0.0-20220114203427-a0453230fd26
 	knative.dev/pkg v0.0.0-20220131144930-f4b57aef0006
@@ -38,6 +65,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.11.0 // indirect
 	github.com/emicklei/go-restful v2.15.0+incompatible // indirect
 	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20220120123041-d22850aca581 // indirect
+	github.com/spiffe/spire-api-sdk v1.2.0
 	go.uber.org/multierr v1.7.0 // indirect
 	golang.org/x/net v0.0.0-20220114011407-0dd24b26b47d // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect