From a9fe0a6526c238a58e60dc5fc39dd84e88caddf6 Mon Sep 17 00:00:00 2001
From: Evan Gilman
Date: Sun, 17 Nov 2019 12:58:42 -0800
Subject: [PATCH 1/2] Add bundle endpoint client
Signed-off-by: Evan Gilman
---
 bundle_client.go | 165 +++++++++++++++++++++++++++++++++++++++++++++++
 go.mod | 3 +
 go.sum | 25 +++++++
 main.go | 25 +++++++
 4 files changed, 218 insertions(+)
 create mode 100644 bundle_client.go
diff --git a/bundle_client.go b/bundle_client.go
new file mode 100644
index 0000000..46cc001
--- /dev/null
+++ b/bundle_client.go
@@ -0,0 +1,165 @@
+package main
+
+import (
+ "context"
+ "crypto/x509"
+ "fmt"
+ "time"
+
+ "github.com/sirupsen/logrus"
+ "github.com/spiffe/spire/pkg/common/pemutil"
+ "github.com/spiffe/spire/pkg/server/bundle/client"
+
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/kubernetes"
+ "k8s.io/client-go/rest"
+)
+
+type BundleEndpointClientConfig struct {
+ TrustDomain string
+ EndpointAddress string
+ EndpointSpiffeID string
+
+ Namespace string
+ ConfigMapName string
+ ConfigMapKey string
+
+ Log logrus.FieldLogger
+}
+
+type BundleEndpointClient struct {
+ cfg *BundleEndpointClientConfig
+ kubeClient *kubernetes.Clientset
+}
+
+func StartBundleEndpointClient(ctx context.Context, cfg *BundleEndpointClientConfig) error {
+ kubeClient, err := newKubeClient()
+ if err != nil {
+ return err
+ }
+
+ b := &BundleEndpointClient{
+ cfg: cfg,
+ kubeClient: kubeClient,
+ }
+
+ go b.start(ctx)
+
+ return nil
+}
+
+func (b *BundleEndpointClient) start(ctx context.Context) {
+ pollInterval := 5 * time.Minute
+ retryInterval := 5 * time.Second
+
+ var failing bool
+ ticker := time.NewTicker(pollInterval)
+ for {
+ select {
+ case <-ticker.C:
+ ok := b.trySync(ctx)
+
+ // Manipulate ticker frequency based on state changes
+ // between success and failure
+ if !ok && !failing {
+ failing = true
+ ticker = time.NewTicker(retryInterval)
+ } else if ok && failing {
+ failing = false
+ ticker = time.NewTicker(pollInterval)
+ }
+ case <-ctx.Done():
+ return
+ }
+ }
+}
+
+func (b *BundleEndpointClient) trySync(ctx context.Context) bool {
+ roots, err := b.getEndpointRoots(ctx)
+ if err != nil {
+ b.cfg.Log.Errorf("Could not retrieve root CAs to validate bundle endpoint for %v: %v", b.cfg.TrustDomain, err)
+ return false
+ }
+
+ currentRoots, err := b.callBundleEndpoint(ctx, roots)
+ if err != nil {
+ b.cfg.Log.Errorf("Could not retrieve current root CAs from bundle endpoint for %v: %v", b.cfg.TrustDomain, err)
+ return false
+ }
+
+ err = b.updateRoots(ctx, roots, currentRoots)
+ if err != nil {
+ b.cfg.Log.Errorf("Could not persist root CA update for %v: %v", b.cfg.TrustDomain, err)
+ return false
+ }
+
+ return true
+}
+
+func (b *BundleEndpointClient) getEndpointRoots(ctx context.Context) ([]*x509.Certificate, error) {
+ configMap, err := b.getConfigMap(ctx, b.cfg.Namespace, b.cfg.ConfigMapName)
+ if err != nil {
+ return nil, err
+ }
+
+ roots, err := pemutil.ParseCertificates([]byte(configMap.Data[b.cfg.ConfigMapKey]))
+ if err != nil {
+ return nil, err
+ }
+
+ if len(roots) == 0 {
+ return nil, fmt.Errorf("no certs found")
+ }
+
+ return roots, nil
+}
+
+func (b *BundleEndpointClient) callBundleEndpoint(ctx context.Context, roots []*x509.Certificate) ([]*x509.Certificate, error) {
+ clientConfig := client.ClientConfig{
+ TrustDomain: b.cfg.TrustDomain,
+ EndpointAddress: b.cfg.EndpointAddress,
+ EndpointSpiffeID: b.cfg.EndpointSpiffeID,
+ RootCAs: roots,
+ }
+ client := client.NewClient(clientConfig)
+
+ bundle, err := client.FetchBundle(ctx)
+ if err != nil {
+ return nil, err
+ }
+
+ return bundle.RootCAs(), nil
+}
+
+func (b *BundleEndpointClient) updateRoots(ctx context.Context, roots, currentRoots []*x509.Certificate) error {
+ // TODO: Check if we need to actually update anything
+
+ configMap, err := b.getConfigMap(ctx, b.cfg.Namespace, b.cfg.ConfigMapName)
+ if err != nil {
+ return err
+ }
+
+ pemBytes := pemutil.EncodeCertificates(currentRoots)
+ configMap.Data[b.cfg.ConfigMapKey] = string(pemBytes)
+
+ return b.updateConfigMap(ctx, b.cfg.Namespace, configMap)
+}
+
+func (b *BundleEndpointClient) getConfigMap(ctx context.Context, ns, name string) (*corev1.ConfigMap, error) {
+ return b.kubeClient.CoreV1().ConfigMaps(ns).Get(name, metav1.GetOptions{})
+}
+
+func (b *BundleEndpointClient) updateConfigMap(ctx context.Context, ns string, configMap *corev1.ConfigMap) error {
+ _, err := b.kubeClient.CoreV1().ConfigMaps(ns).Update(configMap)
+ return err
+}
+
+func newKubeClient() (*kubernetes.Clientset, error) {
+ c, err := rest.InClusterConfig()
+ if err != nil {
+ return nil, err
+ }
+
+ return kubernetes.NewForConfig(c)
+}
diff --git a/go.mod b/go.mod
index 78ef74a..15c289a 100644
--- a/go.mod
+++ b/go.mod
@@ -8,4 +8,7 @@ require (
 github.com/spiffe/spire v0.0.0-20191112225448-d341e7fdf021
 github.com/zeebo/errs v1.2.2
 golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708
+ k8s.io/api v0.0.0-20190222213804-5cb15d344471
+ k8s.io/apimachinery v0.0.0-20190221213512-86fb29eff628
+ k8s.io/client-go v10.0.0+incompatible
 )
diff --git a/go.sum b/go.sum
index 6905010..bcff933 100644
--- a/go.sum
+++ b/go.sum
@@ -31,6 +31,7 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alicebob/gopher-json v0.0.0-20180125190556-5a6b3ba71ee6/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
 github.com/alicebob/miniredis v2.5.0+incompatible/go.mod h1:8HZjEj4yU0dwhYHky+DxYx+6BMjkBbe5ONFIF1MXffk=
+github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 h1:MzBOUgng9orim59UnfUTLRjMpd09C5uEVQ6RPGeCaVI=
 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129/go.mod h1:rFgpPQZYZ8vdbc+48xibu8ALc3yeyd64IhHS+PU6Yyg=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878 h1:EFSB7Zo9Eg91v7MJPVsifUysc/wPdN+NOnVe6bWbdBM=
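Review bot: In `start`, every state change assigns a new `time.NewTicker` without stopping the previous one, so each replaced ticker keeps running until the goroutine exits, and the first `trySync` does not happen until a full `pollInterval` (5 minutes) after startup, which leaves the ConfigMap stale across every restart; a single timer reset after each attempt, with one immediate sync, avoids both, as rewritten below. In `updateRoots` the assignment into `configMap.Data` (and the two assignments in patch 2/2's version of the same function) runs on a freshly fetched object whose `Data` map can be nil when the ConfigMap carries no data entries, and a write to a nil map panics, which takes the whole process down from the polling goroutine, so guard it with `if configMap.Data == nil { configMap.Data = map[string]string{} }`. In `callBundleEndpoint`, `client := client.NewClient(clientConfig)` shadows the imported `client` package for the rest of the function; naming the local `c` reads better.
```go
func (b *BundleEndpointClient) start(ctx context.Context) {
	pollInterval := 5 * time.Minute
	retryInterval := 5 * time.Second

	// next runs one sync attempt and returns how long to wait before
	// the following one: back off to the short retry interval while
	// syncing keeps failing, return to the poll interval once it works.
	next := func() time.Duration {
		if b.trySync(ctx) {
			return pollInterval
		}
		return retryInterval
	}

	// Sync once right away so a restart does not leave the ConfigMap
	// stale for a whole poll interval.
	timer := time.NewTimer(next())
	defer timer.Stop()
	for {
		select {
		case <-timer.C:
			timer.Reset(next())
		case <-ctx.Done():
			return
		}
	}
}
```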
@@ -83,6 +84,7 @@ github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFG github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 
@@ -94,17 +96,22 @@ github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/gomodule/redigo v2.0.0+incompatible/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c h1:964Od4U6p2jUkFxvCydnIczKteheJEzHRToSGK3Bnlw= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk= github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 h1:Iju5GlWwrvL6UBg4zJJt3btmonfrMlCDdsejg4CZE7c= 
github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -115,6 +122,7 @@ github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrj github.com/hashicorp/go-immutable-radix v1.0.0 h1:AKDB1HM5PWEA7i4nhcpwOrO2byshxBjXVn/J/3+z5/0= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-plugin v1.0.1 h1:4OtAfUGbnKC6yS48p0CtMX2oFYtzFZVv6rok3cRWgnE= github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= @@ -123,6 +131,7 @@ github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= 
@@ -131,6 +140,7 @@ github.com/jinzhu/gorm v1.9.9/go.mod h1:Kh6hTsSGffh4ui079FHrR5Gg+5D0hgihqDcsDN2B github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc= github.com/jinzhu/now v1.0.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/json-iterator/go v1.1.6 h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= 
@@ -149,10 +159,14 @@ github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0j github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77 h1:7GoSOOW2jpsfkntVKaS2rAr1TJqfcxotyaUcuxoZSzg= github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 
@@ -162,6 +176,7 @@ github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -193,6 +208,7 @@ github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPx github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spiffe/go-spiffe v0.0.0-20190717182101-d8657cb50cae h1:GB1bW3Tds3dAewsZpQFaTg93KFkaIc4bbVFjQpYf4fQ= github.com/spiffe/go-spiffe v0.0.0-20190717182101-d8657cb50cae/go.mod h1:HyNeJnVYkDyQgB2qcSPxVYkAA2F3lQu51bDxNpFcKxY= github.com/spiffe/spire v0.0.0-20191112225448-d341e7fdf021 h1:/4SrEhvE1IdZQD+pprwwfRNyV9bqb0CQnNaJ9QgEZ0A= github.com/spiffe/spire v0.0.0-20191112225448-d341e7fdf021/go.mod h1:X7eSeH1NwhQwTLvmQKduRw0TNeHpJMykwSu2gLV+Pyo= 
@@ -246,6 +262,7 @@ golang.org/x/net v0.0.0-20190613194153-d28f0bde5980 h1:dfGZHvZk057jK2MCeWus/TowK golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -274,6 +291,7 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -310,6 +328,7 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4= @@ -318,6 +337,7 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWD gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637/go.mod h1:BHsqpu/nsuzkT5BpiH1EMZPLyqSMM8JbIavyFACoFNk= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -326,8 +346,13 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= istio.io/gogo-genproto v0.0.0-20190124151557-6d926a6e6feb/go.mod h1:eIDJ6jNk/IeJz6ODSksHl5Aiczy5JUq6vFhJWI5OtiI= +k8s.io/api v0.0.0-20190222213804-5cb15d344471 h1:MzQGt8qWQCR+39kbYRd0uQqsvSidpYqJLFeWiJ9l4OE= k8s.io/api v0.0.0-20190222213804-5cb15d344471/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA= +k8s.io/apimachinery v0.0.0-20190221213512-86fb29eff628 h1:UYfHH+KEF88OTg+GojQUwFTNxbxwmoktLwutUzR0GPg= k8s.io/apimachinery v0.0.0-20190221213512-86fb29eff628/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0= +k8s.io/client-go v10.0.0+incompatible h1:F1IqCqw7oMBzDkqlcBymRq1450wD0eNqLE9jzUrIi34= k8s.io/client-go v10.0.0+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s= +k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= diff --git a/main.go b/main.go index 11849b6..3a848be 100644 --- a/main.go +++ b/main.go 
@@ -17,6 +17,14 @@ var ( leafCertPath = flag.String("leafCertPath", "/etc/server/cert-chain.pem", "The leaf certificate to use for serving TLS") leafKeyPath = flag.String("leafKeyPath", "/etc/server/key.pem", "The private key of the leaf certificate to serve TLS with") + peerTrustDomainName = flag.String("peerTrustDomain", "spiffe://cluster-2", "The trust domain name to federate with") + peerEndpointAddress = flag.String("peerEndpointAddress", "35.193.205.112", "The address of the remote trust domain's bundle endpoint") + peerSpiffeID = flag.String("peerSpiffeID", "spiffe://cluster-2/spire/server", "The SPIFFE ID of the remote trust domain's bundle endpoint") + + namespace = flag.String("namespace", "istio-system", "The namespace of the config map to keep updated with the peer's CA certificates") + configMapName = flag.String("configMapName", "cluster-2-ca-certs", "The name of the config map to keep updated with the peer's CA certificates") + configMapKey = flag.String("configMapKey", "cluster-2-ca-certs", "The key to store the peer's CA certificates under in the configured config map") + logLevel = flag.String("logLevel", "DEBUG", "The level to log at") ) @@ -38,6 +46,23 @@ func run(ctx context.Context) error { var handler http.Handler = NewHandler(*rootCAPath, log) handler = logHandler(log, handler) + clientConfig := &BundleEndpointClientConfig{ + TrustDomain: *peerTrustDomainName, + EndpointAddress: *peerEndpointAddress, + EndpointSpiffeID: *peerSpiffeID, + + Namespace: *namespace, + ConfigMapName: *configMapName, + ConfigMapKey: *configMapKey, + + Log: log, + } + log.Info("Starting SPIFFE bundle endpoint client") + err = StartBundleEndpointClient(ctx, clientConfig) + if err != nil { + return err + } + log.Info("Starting SPIFFE bundle endpoint server") return http.ListenAndServeTLS("0.0.0.0:443", *leafCertPath, *leafKeyPath, handler) } From d2982f866deb79d3536ac77ca2997a606f95703a Mon Sep 17 00:00:00 2001 
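Review bot: The new startup line in `run`, `log.Info("Starting SPIFFE bundle endpoint client")`, does not say which peer the process will federate with, and since `StartBundleEndpointClient` only returns the kube-client construction error and every later sync failure is logged from the goroutine, this line is the one place an operator can confirm the configured trust domain, endpoint and SPIFFE ID actually reached the process; `log.Infof("Starting SPIFFE bundle endpoint client for %s at %s (%s)", *peerTrustDomainName, *peerEndpointAddress, *peerSpiffeID)` would give that. The help text for `peerEndpointAddress` does not say whether a port is expected and the default carries none; if the bundle client does not supply one, the help string should say so. `run` starts outside the hunk.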
From: Evan Gilman
Date: Mon, 18 Nov 2019 12:24:10 -0800
Subject: [PATCH 2/2] Update default flag values and hardcode configmap keys Also set trust domain name in config map
Signed-off-by: Evan Gilman
---
 bundle_client.go | 6 +++---
 main.go | 8 +++-----
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/bundle_client.go b/bundle_client.go
index 46cc001..164a65c 100644
--- a/bundle_client.go
+++ b/bundle_client.go
@@ -23,7 +23,6 @@ type BundleEndpointClientConfig struct {
 Namespace string
 ConfigMapName string
- ConfigMapKey string
 Log logrus.FieldLogger
 }
@@ -103,7 +102,7 @@ func (b *BundleEndpointClient) getEndpointRoots(ctx context.Context) ([]*x509.Ce
 return nil, err
 }
- roots, err := pemutil.ParseCertificates([]byte(configMap.Data[b.cfg.ConfigMapKey]))
+ roots, err := pemutil.ParseCertificates([]byte(configMap.Data["trust_bundle"]))
 if err != nil {
 return nil, err
 }
@@ -141,7 +140,8 @@ func (b *BundleEndpointClient) updateRoots(ctx context.Context, roots, currentRo
 }
 pemBytes := pemutil.EncodeCertificates(currentRoots)
- configMap.Data[b.cfg.ConfigMapKey] = string(pemBytes)
+ configMap.Data["trust_domain"] = b.cfg.TrustDomain
+ configMap.Data["trust_bundle"] = string(pemBytes)
 return b.updateConfigMap(ctx, b.cfg.Namespace, configMap)
 }
diff --git a/main.go b/main.go
index 3a848be..6173aba 100644
--- a/main.go
+++ b/main.go
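Review bot: `"trust_bundle"` is now a bare literal in both `getEndpointRoots` and `updateRoots`, with `"trust_domain"` a third one; the read and the write have to agree or the next poll validates the endpoint against an empty bundle and fails with "no certs found", so hoist them to package constants, `const trustDomainKey = "trust_domain"` and `const trustBundleKey = "trust_bundle"`, and use those in all three places. The write still replaces the pinned roots wholesale while the `roots` argument of `updateRoots` stays unused (the existing TODO); comparing it with `currentRoots` before writing would avoid a no-op `Update` on every poll and give a log line whenever the peer's trust anchors actually change, which is what an operator needs to audit federation. The bodies of both functions extend outside these hunks.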
@@ -13,17 +13,16 @@ import (
 )
 var (
- rootCAPath = flag.String("rootCAPath", "/etc/client/roots.pem", "File containing trust domain root certificates")
+ rootCAPath = flag.String("rootCAPath", "/etc/client/roots.pem", "File containing this trust domain's root certificates")
 leafCertPath = flag.String("leafCertPath", "/etc/server/cert-chain.pem", "The leaf certificate to use for serving TLS")
 leafKeyPath = flag.String("leafKeyPath", "/etc/server/key.pem", "The private key of the leaf certificate to serve TLS with")
 peerTrustDomainName = flag.String("peerTrustDomain", "spiffe://cluster-2", "The trust domain name to federate with")
- peerEndpointAddress = flag.String("peerEndpointAddress", "35.193.205.112", "The address of the remote trust domain's bundle endpoint")
+ peerEndpointAddress = flag.String("peerEndpointAddress", "240.0.0.10", "The address of the remote trust domain's bundle endpoint")
 peerSpiffeID = flag.String("peerSpiffeID", "spiffe://cluster-2/spire/server", "The SPIFFE ID of the remote trust domain's bundle endpoint")
 namespace = flag.String("namespace", "istio-system", "The namespace of the config map to keep updated with the peer's CA certificates")
- configMapName = flag.String("configMapName", "cluster-2-ca-certs", "The name of the config map to keep updated with the peer's CA certificates")
- configMapKey = flag.String("configMapKey", "cluster-2-ca-certs", "The key to store the peer's CA certificates under in the configured config map")
+ configMapName = flag.String("configMapName", "spiffe-tb-1", "The name of the config map to keep updated with the peer's CA certificates")
 logLevel = flag.String("logLevel", "DEBUG", "The level to log at")
 )
@@ -53,7 +52,6 @@ func run(ctx context.Context) error {
 Namespace: *namespace,
 ConfigMapName: *configMapName,
- ConfigMapKey: *configMapKey,
 Log: log,
 }
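Review bot: The new default `240.0.0.10` for `peerEndpointAddress` is a reserved address, so a deployment that forgets the flag will not fail but retry an unreachable endpoint every five seconds and log the same error forever; an empty default, `peerEndpointAddress = flag.String("peerEndpointAddress", "", "The address of the remote trust domain's bundle endpoint")`, plus a check in `run` that returns an error when it is empty, surfaces the misconfiguration at startup instead. The same applies to `peerTrustDomain` and `peerSpiffeID`, whose `cluster-2` defaults are example values rather than anything a real deployment should inherit. The second hunk sits inside a struct literal whose start is outside the hunk.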