This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

Deny production runs of example.org trust domains #229

Merged
merged 22 commits into from
Sep 25, 2023
Changes from 15 commits
4 changes: 2 additions & 2 deletions .github/tests/dependencies/testcert.yaml
Expand Up @@ -43,8 +43,8 @@ metadata:
name: oidc
spec:
dnsNames:
- oidc-discovery.example.org
- spire-server-federation.example.org
- oidc-discovery.production.other
- spire-server-federation.production.other
secretName: tls-cert
issuerRef:
name: demo-ca
23 changes: 12 additions & 11 deletions charts/spire/README.md
Expand Up @@ -89,17 +89,18 @@ Now you can interact with the Spire agent socket from your own application. The

### Global parameters

| Name | Description | Value |
| --------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------------------- |
| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` |
| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` |
| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` |
| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens | `oidc-discovery.example.org` |
| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` |
| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` |
| `global.spire.image.registry` | Override all Spire image registries at once | `""` |
| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |
| Name | Description | Value |
| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` |
| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` |
| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` |
| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens | `oidc-discovery.example.org` |
| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` |
| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` |
| `global.spire.image.registry` | Override all Spire image registries at once | `""` |
| `global.spire.productionChecks` | Set to false to disable production requirements to enable you to kick the tires with spire without needing a lot of configuration. | `false` |
| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |

### Spire server parameters
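Review bot: the description of `global.spire.productionChecks` ("Set to false to disable production requirements...") describes the default state, since the listed default is already `false`, so a reader cannot tell what enabling it does. The same sentence is the `@param` comment in charts/spire/values.yaml that this table mirrors, so reword it there, for example "Set to true to fail rendering while example defaults (trust domain example.org, cluster example-cluster, issuer oidc-discovery.example.org, example CA subject) are still in use; leave false to kick the tires", and it is worth saying explicitly in the table that the checks are opt-in.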

@@ -1,3 +1,5 @@
{{- include "spire-lib.production-check" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
{{- include "spire-lib.production-check" (list . "jwtIssuer must be set" (eq (include "spire-lib.jwt-issuer" .) "https://oidc-discovery.example.org"))}}
{{- $oidcSocket := "/run/spire/oidc-sockets/spire-oidc-server.sock" }}
{{- define "spiffe-oidc-discovery-provider.yaml-config" -}}
{{- $oidcSocket := .oidcSocket }}
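Review bot: the jwtIssuer check compares the output of `spire-lib.jwt-issuer` with `https://oidc-discovery.example.org`, while the documented default for `global.spire.jwtIssuer` is `oidc-discovery.example.org` without a scheme; the check only fires if that helper always prepends `https://` and never appends a trailing slash, so please confirm that, otherwise it silently passes on the default. Also, "trustDomain must be set" is misleading for a value that is set but still at the example default; a message such as "global.spire.trustDomain is still example.org; set a real trust domain or disable global.spire.productionChecks" tells the user what to change.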
2 changes: 2 additions & 0 deletions charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -1,3 +1,5 @@
{{- include "spire-lib.production-check" (list . "clusterName must be set" (eq (include "spire-lib.cluster-name" .) "example-cluster"))}}
{{- include "spire-lib.production-check" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
{{- define "spire-agent.yaml-config" -}}
agent:
data_dir: "/run/spire"
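Review bot: these two includes duplicate the clusterName and trustDomain checks in the spire-server configmap template, with the same literal sentinels (`example-cluster`, `example.org`) repeated in each file, so the copies will drift the first time one is edited. Consider one `spire-lib.production-checks` helper in _spire-lib.tpl that runs the shared global checks, included once per subchart, and keep only subchart-specific checks (jwtIssuer, ca_subject) local.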
2 changes: 1 addition & 1 deletion charts/spire/charts/spire-server/README.md
Expand Up @@ -153,7 +153,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `federation.ingress.annotations` | Annotations for the ingress object | `{}` |
| `federation.ingress.hosts` | Host paths for ingress object | `[]` |
| `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress | `[]` |
| `ca_subject.country` | Country for Spire server CA | `NL` |
| `ca_subject.country` | Country for Spire server CA | `ARPA` |
| `ca_subject.organization` | Organization for Spire server CA | `Example` |
| `ca_subject.common_name` | Common Name for Spire server CA | `example.org` |
| `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` |
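Review bot: `ARPA` is not a two-letter ISO 3166 code, and X.520 defines countryName as a PrintableString of exactly two characters, so a CA certificate carrying `C=ARPA` will be flagged by strict X.509 linters and may be rejected by some consumers. If the intent is an obviously-placeholder value that the production check can recognise, say so in the description ("placeholder; must be overridden in production"), because anyone who leaves `global.spire.productionChecks` at `false` will mint a CA with this subject.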
6 changes: 6 additions & 0 deletions charts/spire/charts/spire-server/templates/configmap.yaml
@@ -1,3 +1,9 @@
{{- include "spire-lib.production-check" (list . "clusterName must be set" (eq (include "spire-lib.cluster-name" .) "example-cluster"))}}
{{- include "spire-lib.production-check" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
{{- include "spire-lib.production-check" (list . "jwtIssuer must be set" (eq (include "spire-lib.jwt-issuer" .) "https://oidc-discovery.example.org"))}}
{{- include "spire-lib.production-check" (list . "ca_subject.county must be set" (eq .Values.ca_subject.country "ARPA"))}}
{{- include "spire-lib.production-check" (list . "ca_subject.organization must be set" (eq .Values.ca_subject.organization "Example"))}}
{{- include "spire-lib.production-check" (list . "ca_subject.common_name must be set" (eq .Values.ca_subject.common_name "example.org"))}}
{{- range $type, $tvals := .Values.customPlugins }}
{{- if not (has $type (list "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }}
{{- fail (printf "Unknown plugin type specified: %s" $type) }}
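Review bot: typo in the failure message of the fourth include: "ca_subject.county must be set" should read "ca_subject.country must be set". Beyond that, all six messages say "must be set" for values that are set but still at their example defaults; naming the offending default and the override path from the parent chart (for example `spire-server.ca_subject.country`) would save the user a round trip through the chart.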
2 changes: 1 addition & 1 deletion charts/spire/charts/spire-server/values.yaml
Expand Up @@ -225,7 +225,7 @@ federation:

ca_subject:
## @param ca_subject.country Country for Spire server CA
country: NL
country: ARPA
## @param ca_subject.organization Organization for Spire server CA
organization: Example
## @param ca_subject.common_name Common Name for Spire server CA
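Review bot: the `@param` comment above `country: ARPA` still reads "Country for Spire server CA" and gives no hint that the value is a deliberate placeholder that `global.spire.productionChecks` rejects; add that to the comment, since it also feeds the README table, and consider the same note for `Example` and `example.org`, which the same checks reject.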
15 changes: 15 additions & 0 deletions charts/spire/templates/_spire-lib.tpl
Expand Up @@ -107,3 +107,18 @@ rules:
{{- end }}
{{- include "spire-lib.image" $root }}
{{- end }}

{{/*
Take in an array of, '.', a failure string to display, and boolean to to display it,
if production checking is enabled and the boolean is true
*/}}
{{- define "spire-lib.production-check" }}
{{ $root := index . 0 }}
{{ $message := index . 1 }}
{{ $condition := index . 2 }}
{{- if (dig "spire" "productionChecks" false $root.Values.global) }}
{{- if $condition }}
{{- fail $message }}
{{- end }}
{{- end }}
{{- end }}
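Review bot: the `define` line and the three `index` assignments use `{{ }}` without whitespace trimming, so every include emits blank lines at the top of each rendered ConfigMap; use `{{- define "spire-lib.production-check" -}}` and `{{- $root := index . 0 -}}` so the helper renders to nothing when the check passes. Two smaller points: the comment has "to to", and the third argument, `$condition`, is true when the check should fail, which reads backwards; rename it `$failed` or state in the comment that the boolean means "value is still at its example default".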
3 changes: 3 additions & 0 deletions charts/spire/values.yaml
Expand Up @@ -24,6 +24,9 @@ global:
## @param global.spire.image.registry Override all Spire image registries at once
registry: ""

## @param global.spire.productionChecks Set to false to disable production requirements to enable you to kick the tires with spire without needing a lot of configuration.
productionChecks: false
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

strict mode works for me.


installAndUpgradeHooks:
## @param global.installAndUpgradeHooks.enabled Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`)
enabled: true
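Review bot: with `productionChecks: false` here and again in examples/production/values.yaml, nothing in the repository renders with the checks enabled, so CI cannot tell whether they fire at all. Add a negative test that runs `helm template` with `--set global.spire.productionChecks=true` against the chart defaults and expects a failure, and a positive run with examples/production/example-your-values.yaml that expects success.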
2 changes: 1 addition & 1 deletion examples/external-mysql/run-tests.sh
Expand Up @@ -32,7 +32,7 @@ helm upgrade --install mysql mysql --version "$VERSION_MYSQL" --repo "$HELM_REPO
--wait

helm upgrade --install --namespace "spire-server" \
--values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml" \
--values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \
--set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire
helm test --namespace "spire-server" spire
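Review bot: the comma-separated `--values` string is now identical in examples/external-mysql/run-tests.sh and examples/external-postgresql/run-tests.sh and reaches into ../production for three files; a shared variable or a small sourced helper would keep the two in step the next time a file is added. Note also that examples/production/values.yaml sets `global.spire.productionChecks: false`, so this run still does not exercise the new checks even though it now carries production-like values.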

2 changes: 1 addition & 1 deletion examples/external-postgresql/run-tests.sh
Expand Up @@ -32,7 +32,7 @@ helm upgrade --install postgresql postgresql --version "$VERSION_POSTGRESQL" --r
--wait

helm upgrade --install --namespace "spire-server" \
--values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml" \
--values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \
--set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire
helm test --namespace "spire-server" spire

45 changes: 45 additions & 0 deletions examples/production/example-your-values.yaml
@@ -0,0 +1,45 @@
global:
spire:
clusterName: production
trustDomain: production.other
jwtIssuer: oidc-discovery.production.other

spire-server:
ca_subject:
country: US
organization: Production
common_name: production.other

ingress:
hosts:
- host: spire-server.production.other
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- spire-server.production.other
federation:
ingress:
hosts:
- host: spire-server-federation.production.other
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- spire-server-federation.production.other
secretName: tls-cert

spiffe-oidc-discovery-provider:
ingress:
hosts:
- host: oidc-discovery.production.other
paths:
- path: /
pathType: Prefix
tls:
- secretName: tls-cert
hosts:
- oidc-discovery.production.other
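Review bot: the `spire-server.ingress.tls` entry lists the host but no `secretName`, unlike the federation and oidc-discovery entries, which both reference `tls-cert`; with ingress-nginx that means the endpoint the agent is pointed at (`spire-server.production.other:443` in examples/production/run-tests.sh) is served with the controller's default certificate unless another values file supplies one, so either add the secret or comment why it is omitted. Since this file is meant to be copied and edited, a header comment listing the fields that must change (clusterName, trustDomain, jwtIssuer, the three ca_subject values, the three hosts) and noting that `jwtIssuer` is given without a scheme would also help.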

22 changes: 11 additions & 11 deletions examples/production/run-tests.sh
Expand Up @@ -48,32 +48,26 @@ kubectl apply -f "${DEPS}/testcert.yaml" -n spire-server
--wait

ip=$(kubectl get svc -n ingress-nginx ingress-nginx-controller -o go-template='{{ .spec.clusterIP }}')
echo "$ip" oidc-discovery.example.org
echo "$ip" oidc-discovery.production.other

cat > /tmp/dummydns <<EOF
spiffe-oidc-discovery-provider:
tests:
hostAliases:
- ip: "$ip"
hostnames:
- "oidc-discovery.example.org"
- "oidc-discovery.production.other"
spire-agent:
hostAliases:
- ip: "$ip"
hostnames:
- "spire-server.example.org"
- "spire-server.production.other"
spire-server:
tests:
hostAliases:
- ip: "$ip"
hostnames:
- "spire-server-federation.example.org"
federation:
ingress:
tls:
- hosts:
- spire-server-federation.example.org
secretName: tls-cert
- "spire-server-federation.production.other"
EOF

"${helm_install[@]}" spire charts/spire \
Expand All @@ -84,11 +78,17 @@ EOF
--values "${SCRIPTPATH}/values-export-federation-https-web-ingress-nginx.yaml" \
--values /tmp/dummydns \
--set spiffe-oidc-discovery-provider.tests.tls.customCA=tls-cert,spire-server.tests.tls.customCA=tls-cert \
--set spire-agent.server.address=spire-server.example.org,spire-agent.server.port=443 \
--set spire-agent.server.address=spire-server.production.other,spire-agent.server.port=443 \
--values "${SCRIPTPATH}/example-your-values.yaml" \
--wait

helm test --namespace "${ns}" spire

if helm get manifest -n spire-server spire | grep -i example; then
echo Global settings did not work. Please fix.
exit 1
fi

print_helm_releases
print_spire_workload_status "${ns}"
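Review bot: `helm get manifest -n spire-server spire | grep -i example` is a case-insensitive substring match over the whole rendered manifest, so any unrelated "example" (a comment, a label, an image or path name) fails the test, and it hard-codes the `spire-server` namespace while the surrounding commands use `"${ns}"`. Suggest `helm get manifest -n "${ns}" spire | grep -E 'example\.org|example-cluster'`, anchored on the actual defaults, and print the matching lines before `exit 1` so a failure is diagnosable. With `global.spire.productionChecks` left at false in examples/production/values.yaml this grep is currently the only guard in CI, so it is worth making precise.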

2 changes: 2 additions & 0 deletions examples/production/values.yaml
Expand Up @@ -2,6 +2,8 @@ global:
telemetry:
prometheus:
enabled: true
spire:
productionChecks: false

spire-server:
nodeAttestor:
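Review bot: `productionChecks: false` in a file named examples/production/values.yaml is the opposite of what the name suggests, and since examples/production/run-tests.sh now also passes example-your-values.yaml, which overrides every checked default, the production run should pass with `true`. If it has to stay false for the external-mysql and external-postgresql runs that reuse this file, say so in a comment; otherwise flip it to true here so the checks run at least once in CI.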