From 735276b3d5daf155c7674080956b51a296c03a37 Mon Sep 17 00:00:00 2001 From: kchiranjewee63 Date: Tue, 9 Jul 2024 16:44:04 -0400 Subject: [PATCH 1/2] Implement mtls for config plane communications --- build/build.sh | 1 + installation/config.yaml | 5 +- installation/resources/deployment.yaml | 2 +- installation/resources/service.yaml | 6 +-- service/api/handler/handler.go | 54 ++++++++++++++++---- service/api/pkg/service/service.go | 47 ++++++++++++++--- service/api/setup.go | 19 +++++-- service/cmd/main.go | 46 ++++++++++++----- service/common/common.go | 2 +- service/config/config.go | 11 ++-- service/configdispatcher/configdispatcher.go | 24 +++++++-- service/spiffe/spiffe.go | 17 ++++++ service/webhook/handler/handler.go | 17 ++++-- service/webhook/pkg/util/util.go | 37 ++++++++++---- service/webhook/setup.go | 9 ++-- 15 files changed, 226 insertions(+), 71 deletions(-) create mode 100755 build/build.sh create mode 100644 service/spiffe/spiffe.go diff --git a/build/build.sh b/build/build.sh new file mode 100755 index 0000000..c2b7df0 --- /dev/null +++ b/build/build.sh @@ -0,0 +1 @@ +docker build -t tconfigd:latest -f ../service/Dockerfile ../service/ \ No newline at end of file diff --git a/installation/config.yaml b/installation/config.yaml index 7517050..cfdf16d 100644 --- a/installation/config.yaml +++ b/installation/config.yaml @@ -1,5 +1,6 @@ enableTratInterception: "true" # Enable or disable incoming requests interception for TraT verification -agentApiPort: "9040" # Port number for the tratteria agent API +agentHttpsApiPort: "9040" # Port number for the tratteria agent HTTPS APIs +agentHttpApiPort: "9030" # Port number for the tratteria agent HTTP APIs agentInterceptorPort: "9050" # Port number for the tratteria agent incoming requests interceptor spiffeEndpointSocket: "unix:///run/spire/sockets/agent.sock" # Don't change this if you are using tconfigd SPIRE installation -tconfigdSpiffeId: "spiffe://tratteria.io/tconfigd" # Don't change this if you are using tconfigd SPIRE installation +tratteriaSpiffeId: "spiffe:///tratteria" # Replace "" with your trust domain diff --git a/installation/resources/deployment.yaml b/installation/resources/deployment.yaml index c18c7c3..3d90ee0 100644 --- a/installation/resources/deployment.yaml +++ b/installation/resources/deployment.yaml @@ -22,7 +22,7 @@ spec: args: ["/etc/tconfigd/config/config.yaml"] imagePullPolicy: Never ports: - - containerPort: 9060 + - containerPort: 8443 protocol: TCP - containerPort: 443 protocol: TCP diff --git a/installation/resources/service.yaml b/installation/resources/service.yaml index 34b64f9..4355968 100644 --- a/installation/resources/service.yaml +++ b/installation/resources/service.yaml @@ -6,9 +6,9 @@ metadata: spec: type: ClusterIP ports: - - name: rules - port: 9060 - targetPort: 9060 + - name: api + port: 8443 + targetPort: 8443 protocol: TCP - name: webhook port: 443 diff --git a/service/api/handler/handler.go b/service/api/handler/handler.go index fca170f..3935700 100644 --- a/service/api/handler/handler.go +++ b/service/api/handler/handler.go @@ -3,7 +3,9 @@ package handler import ( "encoding/json" "net/http" + "strings" + "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/tratteria/tconfigd/api/pkg/service" "go.uber.org/zap" @@ -22,24 +24,38 @@ func NewHandlers(service *service.Service, logger *zap.Logger) *Handlers { } type registrationRequest struct { - IpAddress string `json:"ipAddress"` - Port int `json:"port"` - ServiceName string `json:"serviceName"` - NameSpace string `json:"namespace"` + IpAddress string `json:"ipAddress"` + Port int `json:"port"` + NameSpace string `json:"namespace"` } type heartBeatRequest struct { IpAddress string `json:"ipAddress"` Port int `json:"port"` - ServiceName string `json:"serviceName"` NameSpace string `json:"namespace"` RulesVersionID string `json:"rulesVersionId"` } func (h *Handlers) RegistrationHandler(w http.ResponseWriter, r *http.Request) { + if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 { + http.Error(w, "No client certificate provided", http.StatusUnauthorized) + + return + } + + spiffeID, err := spiffeid.FromURI(r.TLS.PeerCertificates[0].URIs[0]) + if err != nil { + h.Logger.Error("Failed to parse SPIFFE ID", zap.Error(err)) + http.Error(w, "Invalid SPIFFE ID", http.StatusBadRequest) + + return + } + + serviceName := strings.TrimPrefix(spiffeID.Path(), "/") + var registrationRequest registrationRequest - err := json.NewDecoder(r.Body).Decode(®istrationRequest) + err = json.NewDecoder(r.Body).Decode(®istrationRequest) if err != nil { h.Logger.Error("Invalid registration request.", zap.Error(err)) http.Error(w, "Invalid request", http.StatusBadRequest) @@ -47,9 +63,9 @@ func (h *Handlers) RegistrationHandler(w http.ResponseWriter, r *http.Request) { return } - h.Logger.Info("Received a registration request.", zap.String("service", registrationRequest.ServiceName)) + h.Logger.Info("Received a registration request.", zap.String("service", serviceName)) - registrationResponse := h.Service.RegisterAgent(registrationRequest.IpAddress, registrationRequest.Port, registrationRequest.ServiceName, registrationRequest.NameSpace) + registrationResponse := h.Service.RegisterAgent(registrationRequest.IpAddress, registrationRequest.Port, serviceName, registrationRequest.NameSpace) // TODO: return rules belonging to this service @@ -65,9 +81,25 @@ func (h *Handlers) RegistrationHandler(w http.ResponseWriter, r *http.Request) { } func (h *Handlers) HeartBeatHandler(w http.ResponseWriter, r *http.Request) { + if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 { + http.Error(w, "No client certificate provided", http.StatusUnauthorized) + + return + } + + spiffeID, err := spiffeid.FromURI(r.TLS.PeerCertificates[0].URIs[0]) + if err != nil { + h.Logger.Error("Failed to parse SPIFFE ID", zap.Error(err)) + http.Error(w, "Invalid SPIFFE ID", http.StatusBadRequest) + + return + } + + serviceName := strings.TrimPrefix(spiffeID.Path(), "/") + var heartBeatRequest heartBeatRequest - err := json.NewDecoder(r.Body).Decode(&heartBeatRequest) + err = json.NewDecoder(r.Body).Decode(&heartBeatRequest) if err != nil { h.Logger.Error("Invalid heartbeat request.", zap.Error(err)) http.Error(w, "Invalid request", http.StatusBadRequest) @@ -75,9 +107,9 @@ func (h *Handlers) HeartBeatHandler(w http.ResponseWriter, r *http.Request) { return } - h.Logger.Info("Received a heartbeat.", zap.String("service", heartBeatRequest.ServiceName)) + h.Logger.Info("Received a heartbeat request.", zap.String("service", serviceName)) - h.Service.RegisterHeartBeat(heartBeatRequest.IpAddress, heartBeatRequest.Port, heartBeatRequest.ServiceName, heartBeatRequest.NameSpace) + h.Service.RegisterHeartBeat(heartBeatRequest.IpAddress, heartBeatRequest.Port, serviceName, heartBeatRequest.NameSpace) // TODO: if an agent is heartbeating with an old rule version id, notify it to fetch the latest rules diff --git a/service/api/pkg/service/service.go b/service/api/pkg/service/service.go index a417b91..7480b3d 100644 --- a/service/api/pkg/service/service.go +++ b/service/api/pkg/service/service.go @@ -3,28 +3,34 @@ package service import ( "context" "fmt" + "io" "net/http" "github.com/lestrrat-go/jwx/jwk" + "github.com/spiffe/go-spiffe/v2/spiffeid" + "github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig" + "github.com/spiffe/go-spiffe/v2/workloadapi" "github.com/tratteria/tconfigd/common" "github.com/tratteria/tconfigd/dataplaneregistry" "go.uber.org/zap" ) const ( - TRATTERIA_JWKS_ENDPOINT = "/.well-known/jwks.json" + TRATTERIA_JWKS_ENDPOINT = ".well-known/jwks.json" ) type Service struct { dataPlaneRegistryManager dataplaneregistry.Manager - httpClient *http.Client + x509Source *workloadapi.X509Source + tratteriaSpiffeId spiffeid.ID logger *zap.Logger } -func NewService(dataPlaneRegistryManager dataplaneregistry.Manager, httpClient *http.Client, logger *zap.Logger) *Service { +func NewService(dataPlaneRegistryManager dataplaneregistry.Manager, x509Source *workloadapi.X509Source, tratteriaSpiffeId spiffeid.ID, logger *zap.Logger) *Service { return &Service{ dataPlaneRegistryManager: dataPlaneRegistryManager, - httpClient: httpClient, + x509Source: x509Source, + tratteriaSpiffeId: tratteriaSpiffeId, logger: logger, } } @@ -57,14 +63,43 @@ func (s *Service) CollectJwks(ctx context.Context, namespace string) (jwk.Set, e allKeys := jwk.NewSet() + tlsConfig := tlsconfig.MTLSClientConfig(s.x509Source, s.x509Source, tlsconfig.AuthorizeID(s.tratteriaSpiffeId)) + + client := http.Client{ + Transport: &http.Transport{ + TLSClientConfig: tlsConfig, + }, + } + for _, instance := range tratteriaInstances { - url := fmt.Sprintf("http://%s:%d/%s", instance.IpAddress, instance.Port, TRATTERIA_JWKS_ENDPOINT) + url := fmt.Sprintf("https://%s/%s", instance.IpAddress, TRATTERIA_JWKS_ENDPOINT) + + req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + if err != nil { + return nil, fmt.Errorf("error creating request for URL %s: %w", url, err) + } - set, err := jwk.Fetch(ctx, url) + resp, err := client.Do(req) if err != nil { return nil, fmt.Errorf("failed to fetch JWKS from URL %s: %w", url, err) } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("received non-ok status code %d from URL %s", resp.StatusCode, url) + } + + body, err := io.ReadAll(resp.Body) + if err != nil { + return nil, fmt.Errorf("error reading response body from URL %s: %w", url, err) + } + + set, err := jwk.Parse(body) + if err != nil { + return nil, fmt.Errorf("failed to parse JWKS from URL %s: %w", url, err) + } + for iter := set.Iterate(ctx); iter.Next(ctx); { pair := iter.Pair() if key, ok := pair.Value.(jwk.Key); ok { diff --git a/service/api/setup.go b/service/api/setup.go index 7c4c143..13f839e 100644 --- a/service/api/setup.go +++ b/service/api/setup.go @@ -6,6 +6,9 @@ import ( "time" "github.com/gorilla/mux" + "github.com/spiffe/go-spiffe/v2/spiffeid" + "github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig" + "github.com/spiffe/go-spiffe/v2/workloadapi" "go.uber.org/zap" "github.com/tratteria/tconfigd/api/handler" @@ -13,29 +16,35 @@ import ( "github.com/tratteria/tconfigd/dataplaneregistry" ) +const API_PORT = 8443 + type API struct { DataPlaneRegistryManager dataplaneregistry.Manager - HttpClient *http.Client + X509Source *workloadapi.X509Source + TratteriaSpiffeId spiffeid.ID Logger *zap.Logger } func (api *API) Run() error { - service := service.NewService(api.DataPlaneRegistryManager, api.HttpClient, api.Logger) + service := service.NewService(api.DataPlaneRegistryManager, api.X509Source, api.TratteriaSpiffeId, api.Logger) handler := handler.NewHandlers(service, api.Logger) router := mux.NewRouter() initializeRulesRoutes(router, handler) + serverTLSConfig := tlsconfig.MTLSServerConfig(api.X509Source, api.X509Source, tlsconfig.AuthorizeAny()) + srv := &http.Server{ Handler: router, - Addr: "0.0.0.0:9060", + Addr: fmt.Sprintf("0.0.0.0:%d", API_PORT), + TLSConfig: serverTLSConfig, WriteTimeout: 15 * time.Second, ReadTimeout: 15 * time.Second, } - api.Logger.Info("Starting api server on port 9060.") + api.Logger.Info("Starting api server...", zap.Int("port", API_PORT)) - if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed { + if err := srv.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed { api.Logger.Error("Failed to start the api server", zap.Error(err)) return fmt.Errorf("failed to start the api server :%w", err) diff --git a/service/cmd/main.go b/service/cmd/main.go index 344f9d8..40b0d09 100644 --- a/service/cmd/main.go +++ b/service/cmd/main.go @@ -4,12 +4,15 @@ import ( "context" "fmt" "log" - "net/http" "os" "os/signal" "syscall" + "time" + "github.com/spiffe/go-spiffe/v2/spiffeid" + "github.com/spiffe/go-spiffe/v2/workloadapi" "github.com/tratteria/tconfigd/api" + "github.com/tratteria/tconfigd/spiffe" "github.com/tratteria/tconfigd/config" "github.com/tratteria/tconfigd/configdispatcher" "github.com/tratteria/tconfigd/dataplaneregistry" @@ -18,6 +21,8 @@ import ( "go.uber.org/zap" ) +const X509_SOURCE_TIMEOUT = 15 * time.Second + func main() { ctx, cancel := context.WithCancel(context.Background()) defer cancel() @@ -41,21 +46,34 @@ func main() { configPath := os.Args[1] - appConfig, err := config.GetAppConfig(configPath) + config, err := config.GetConfig(configPath) if err != nil { logger.Fatal("Error reading configuration.", zap.Error(err)) } - httpClient := &http.Client{} + x509SrcCtx, cancel := context.WithTimeout(context.Background(), X509_SOURCE_TIMEOUT) + defer cancel() + + x509Source, err := workloadapi.NewX509Source(x509SrcCtx, workloadapi.WithClientOptions(workloadapi.WithAddr(config.SpiffeEndpointSocket))) + if err != nil { + logger.Fatal("Failed to create X.509 source", zap.Error(err)) + } + + defer x509Source.Close() + + tconfigdSpiffeId, err := spiffe.FetchSpiffeIdFromX509(x509Source) + if err != nil { + logger.Fatal("Error getting tconfigd spiffe id.", zap.Error(err)) + } + agentsManager := dataplaneregistry.NewRegistry() - configdispatcher := configdispatcher.NewConfigDispatcher(agentsManager, httpClient) + configdispatcher := configdispatcher.NewConfigDispatcher(agentsManager, x509Source) go func() { - logger.Info("Starting API server...") - apiServer := &api.API{ DataPlaneRegistryManager: agentsManager, - HttpClient: httpClient, + X509Source: x509Source, + TratteriaSpiffeId: spiffeid.ID(config.TratteriaSpiffeId), Logger: logger, } @@ -65,13 +83,13 @@ func main() { }() go func() { - logger.Info("Starting Webhook server...") - webhook := &webhook.Webhook{ - EnableTratInterception: bool(appConfig.EnableTratInterception), - AgentApiPort: int(appConfig.AgentApiPort), - AgentInterceptorPort: int(appConfig.AgentInterceptorPort), - SpiffeEndpointSocket: appConfig.SpiffeEndpointSocket, + EnableTratInterception: bool(config.EnableTratInterception), + AgentHttpsApiPort: int(config.AgentHttpsApiPort), + AgentHttpApiPort: int(config.AgentHttpApiPort), + AgentInterceptorPort: int(config.AgentInterceptorPort), + SpiffeEndpointSocket: config.SpiffeEndpointSocket, + TconfigdSpiffeId: tconfigdSpiffeId, Logger: logger, } @@ -94,7 +112,7 @@ func main() { <-ctx.Done() - logger.Info("Shutting down servers and controllers...") + logger.Info("Shutting down tconfigd...") } func setupSignalHandler(cancel context.CancelFunc) { diff --git a/service/common/common.go b/service/common/common.go index 24bfe51..75f113d 100644 --- a/service/common/common.go +++ b/service/common/common.go @@ -2,5 +2,5 @@ package common const ( DATA_PLANE_HEARTBEAT_INTERVAL_MINUTES = 5 - TRATTERIA_SERVICE_NAME = "TRATTERIA" + TRATTERIA_SERVICE_NAME = "tratteria" ) diff --git a/service/config/config.go b/service/config/config.go index d61c034..ac8f5e5 100644 --- a/service/config/config.go +++ b/service/config/config.go @@ -71,21 +71,22 @@ func (s *SPIFFEIDFromString) UnmarshalYAML(unmarshal func(interface{}) error) er return nil } -type AppConfig struct { +type Config struct { EnableTratInterception BoolFromString `yaml:"enableTratInterception"` - AgentApiPort IntFromString `yaml:"agentApiPort"` + AgentHttpsApiPort IntFromString `yaml:"agentHttpsApiPort"` + AgentHttpApiPort IntFromString `yaml:"agentHttpApiPort"` AgentInterceptorPort IntFromString `yaml:"agentInterceptorPort"` SpiffeEndpointSocket string `yaml:"spiffeEndpointSocket"` - TconfigdSpiffeId SPIFFEIDFromString `yaml:"tconfigdSpiffeId"` + TratteriaSpiffeId SPIFFEIDFromString `yaml:"tratteriaSpiffeId"` } -func GetAppConfig(configPath string) (*AppConfig, error) { +func GetConfig(configPath string) (*Config, error) { data, err := os.ReadFile(configPath) if err != nil { return nil, fmt.Errorf("failed to read config file: %w", err) } - var cfg AppConfig + var cfg Config if err := yaml.Unmarshal(data, &cfg); err != nil { return nil, fmt.Errorf("failed to unmarshal YAML configuration: %w", err) } diff --git a/service/configdispatcher/configdispatcher.go b/service/configdispatcher/configdispatcher.go index 8b4778e..1792713 100644 --- a/service/configdispatcher/configdispatcher.go +++ b/service/configdispatcher/configdispatcher.go @@ -5,12 +5,16 @@ import ( "context" "encoding/json" "fmt" + "io" "net/http" "strings" "github.com/tratteria/tconfigd/common" "github.com/tratteria/tconfigd/dataplaneregistry" "github.com/tratteria/tconfigd/tratcontroller/pkg/apis/tratteria/v1alpha1" + + "github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig" + "github.com/spiffe/go-spiffe/v2/workloadapi" ) const ( @@ -25,10 +29,18 @@ type ConfigDispatcher struct { httpClient *http.Client } -func NewConfigDispatcher(dataplaneRegistryRetriever dataplaneregistry.Retriever, httpClient *http.Client) *ConfigDispatcher { +func NewConfigDispatcher(dataplaneRegistryRetriever dataplaneregistry.Retriever, x509Source *workloadapi.X509Source) *ConfigDispatcher { + tlsConfig := tlsconfig.MTLSClientConfig(x509Source, x509Source, tlsconfig.AuthorizeAny()) + + client := http.Client{ + Transport: &http.Transport{ + TLSClientConfig: tlsConfig, + }, + } + return &ConfigDispatcher{ dataplaneRegistryRetriever: dataplaneRegistryRetriever, - httpClient: httpClient, + httpClient: &client, } } @@ -48,7 +60,11 @@ func (cd *ConfigDispatcher) dispatchConfigUtil(ctx context.Context, url string, defer resp.Body.Close() if resp.StatusCode != http.StatusOK { - return fmt.Errorf("received non-ok status: %d", resp.StatusCode) + bodyBytes, err := io.ReadAll(resp.Body) + if err != nil { + return fmt.Errorf("error reading response body: %w", err) + } + return fmt.Errorf("received non-ok status: %d, response: %s", resp.StatusCode, string(bodyBytes)) } return nil @@ -61,7 +77,7 @@ func (cd *ConfigDispatcher) dispatchConfig(ctx context.Context, serviceName stri var dispatchErrors []string for _, entry := range entries { - url := fmt.Sprintf("http://%s:%d%s", entry.IpAddress, entry.Port, endpoint) + url := fmt.Sprintf("https://%s:%d%s", entry.IpAddress, entry.Port, endpoint) err := cd.dispatchConfigUtil(ctx, url, config) if err != nil { diff --git a/service/spiffe/spiffe.go b/service/spiffe/spiffe.go new file mode 100644 index 0000000..9939949 --- /dev/null +++ b/service/spiffe/spiffe.go @@ -0,0 +1,17 @@ +package spiffe + +import ( + "fmt" + + "github.com/spiffe/go-spiffe/v2/spiffeid" + "github.com/spiffe/go-spiffe/v2/workloadapi" +) + +func FetchSpiffeIdFromX509(x509Source *workloadapi.X509Source) (spiffeid.ID, error) { + svid, err := x509Source.GetX509SVID() + if err != nil { + return spiffeid.ID{}, fmt.Errorf("failed to get X.509 SVID: %w", err) + } + + return svid.ID, nil +} diff --git a/service/webhook/handler/handler.go b/service/webhook/handler/handler.go index 422aafc..06fe2d2 100644 --- a/service/webhook/handler/handler.go +++ b/service/webhook/handler/handler.go @@ -4,6 +4,7 @@ import ( "encoding/json" "net/http" + "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/tratteria/tconfigd/webhook/pkg/util" "go.uber.org/zap" @@ -15,16 +16,22 @@ import ( type Handlers struct { enableTratInterception bool - agentApiPort int + agentHttpsApiPort int + agentHttpApiPort int agentInterceptorPort int + spiffeEndpointSocket string + tconfigdSpiffeId spiffeid.ID logger *zap.Logger } -func NewHandlers(enableTratInterception bool, agentApiPort int, agentInterceptorPort int, logger *zap.Logger) *Handlers { +func NewHandlers(enableTratInterception bool, agentHttpsApiPort int, agentHttpApiPort int, agentInterceptorPort int, spiffeEndpointSocket string, tconfigdSpiffeId spiffeid.ID, logger *zap.Logger) *Handlers { return &Handlers{ enableTratInterception: enableTratInterception, - agentApiPort: agentApiPort, + agentHttpsApiPort: agentHttpsApiPort, + agentHttpApiPort: agentHttpApiPort, agentInterceptorPort: agentInterceptorPort, + spiffeEndpointSocket: spiffeEndpointSocket, + tconfigdSpiffeId: tconfigdSpiffeId, logger: logger, } } @@ -60,7 +67,7 @@ func (h *Handlers) InjectTratteriaAgent(w http.ResponseWriter, r *http.Request) Message: err.Error(), } } else { - patchOps, err := util.CreatePodPatch(&pod, h.enableTratInterception, h.agentApiPort, h.agentInterceptorPort) + patchOps, err := util.CreatePodPatch(&pod, h.enableTratInterception, h.agentHttpsApiPort, h.agentHttpApiPort, h.agentInterceptorPort, h.spiffeEndpointSocket, h.tconfigdSpiffeId) if err != nil { h.logger.Error("Could not create patch for pod", zap.Error(err)) @@ -99,5 +106,5 @@ func (h *Handlers) InjectTratteriaAgent(w http.ResponseWriter, r *http.Request) http.Error(w, "failed to write response", http.StatusInternalServerError) } - h.logger.Info("Agent Injection Request Processed Successfully", zap.Any("patched-pod", responseAdmissionReview)) + h.logger.Info("Agent Injection Request Processed Successfully") } diff --git a/service/webhook/pkg/util/util.go b/service/webhook/pkg/util/util.go index 0aa59bf..9635b96 100644 --- a/service/webhook/pkg/util/util.go +++ b/service/webhook/pkg/util/util.go @@ -6,11 +6,12 @@ import ( "strconv" "github.com/mattbaird/jsonpatch" + "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/tratteria/tconfigd/common" corev1 "k8s.io/api/core/v1" ) -func CreatePodPatch(pod *corev1.Pod, injectInitContainer bool, agentApiPort int, agentInterceptorPort int) ([]jsonpatch.JsonPatchOperation, error) { +func CreatePodPatch(pod *corev1.Pod, injectInitContainer bool, agentHttpsApiPort int, agentHttpApiPort int, agentInterceptorPort int, spiffeEndpointSocket string, tconfigdSpiffeId spiffeid.ID) ([]jsonpatch.JsonPatchOperation, error) { var patch []jsonpatch.JsonPatchOperation shouldInject, ok := pod.Annotations["tratteria/inject-sidecar"] @@ -18,11 +19,10 @@ func CreatePodPatch(pod *corev1.Pod, injectInitContainer bool, agentApiPort int, return patch, nil } - serviceName, nameOk := pod.Annotations["tratteria/service-name"] servicePort, portOk := pod.Annotations["tratteria/service-port"] - if !nameOk || !portOk { - return nil, fmt.Errorf("service-name and service-port must be specified when inject-sidecar is 'true'") + if !portOk { + return nil, fmt.Errorf("service-port must be specified when inject-sidecar is 'true'") } if _, err := strconv.Atoi(servicePort); err != nil { @@ -66,21 +66,29 @@ func CreatePodPatch(pod *corev1.Pod, injectInitContainer bool, agentApiPort int, Name: "tratteria-agent", Image: "tratteria-agent:latest", Env: []corev1.EnvVar{ - { - Name: "SERVICE_NAME", - Value: serviceName, - }, { Name: "SERVICE_PORT", Value: servicePort, }, { Name: "TCONFIGD_URL", - Value: "http://tconfigd.tratteria-system.svc.cluster.local:9060", + Value: "https://tconfigd.tratteria-system.svc.cluster.local:8443", + }, + { + Name: "TCONFIGD_SPIFFE_ID", + Value: tconfigdSpiffeId.String(), + }, + { + Name: "SPIFFE_ENDPOINT_SOCKET", + Value: spiffeEndpointSocket, }, { - Name: "AGENT_API_PORT", - Value: strconv.Itoa(agentApiPort), + Name: "AGENT_HTTPS_API_PORT", + Value: strconv.Itoa(agentHttpsApiPort), + }, + { + Name: "AGENT_HTTP_API_PORT", + Value: strconv.Itoa(agentHttpApiPort), }, { Name: "AGENT_INTERCEPTOR_PORT", @@ -101,6 +109,13 @@ func CreatePodPatch(pod *corev1.Pod, injectInitContainer bool, agentApiPort int, }, Ports: []corev1.ContainerPort{{ContainerPort: 9070}}, ImagePullPolicy: corev1.PullNever, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "spire-agent-socket", + MountPath: "/run/spire/sockets", + ReadOnly: true, + }, + }, } sidecarJson, err := json.Marshal(sidecar) diff --git a/service/webhook/setup.go b/service/webhook/setup.go index b86314d..c8c1c77 100644 --- a/service/webhook/setup.go +++ b/service/webhook/setup.go @@ -6,6 +6,7 @@ import ( "time" "github.com/gorilla/mux" + "github.com/spiffe/go-spiffe/v2/spiffeid" "go.uber.org/zap" "github.com/tratteria/tconfigd/webhook/handler" @@ -14,14 +15,16 @@ import ( type Webhook struct { EnableTratInterception bool - AgentApiPort int + AgentHttpsApiPort int + AgentHttpApiPort int AgentInterceptorPort int SpiffeEndpointSocket string + TconfigdSpiffeId spiffeid.ID Logger *zap.Logger } func (wh *Webhook) Run() error { - handler := handler.NewHandlers(wh.EnableTratInterception, wh.AgentApiPort, wh.AgentInterceptorPort, wh.Logger) + handler := handler.NewHandlers(wh.EnableTratInterception, wh.AgentHttpsApiPort, wh.AgentHttpApiPort, wh.AgentInterceptorPort, wh.SpiffeEndpointSocket, wh.TconfigdSpiffeId, wh.Logger) router := mux.NewRouter() initializeRoutes(router, handler) @@ -39,7 +42,7 @@ func (wh *Webhook) Run() error { return fmt.Errorf("error setting up TLS creds: %w", err) } - wh.Logger.Info("Starting webhook server with TLS on port 443") + wh.Logger.Info("Starting webhook server...", zap.Int("port", 443)) if err := srv.ListenAndServeTLS(tlscreds.CertPath, tlscreds.KeyPath); err != nil && err != http.ErrServerClosed { wh.Logger.Error("Failed to start the webhook server", zap.Error(err)) From a98790a95a1424d767dd89bf22738da2ec167af0 Mon Sep 17 00:00:00 2001 From: kchiranjewee63 Date: Tue, 9 Jul 2024 16:46:50 -0400 Subject: [PATCH 2/2] Fix linting --- service/cmd/main.go | 2 +- service/configdispatcher/configdispatcher.go | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/service/cmd/main.go b/service/cmd/main.go index 40b0d09..4bb3cd8 100644 --- a/service/cmd/main.go +++ b/service/cmd/main.go @@ -12,10 +12,10 @@ import ( "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/go-spiffe/v2/workloadapi" "github.com/tratteria/tconfigd/api" - "github.com/tratteria/tconfigd/spiffe" "github.com/tratteria/tconfigd/config" "github.com/tratteria/tconfigd/configdispatcher" "github.com/tratteria/tconfigd/dataplaneregistry" + "github.com/tratteria/tconfigd/spiffe" "github.com/tratteria/tconfigd/tratcontroller" "github.com/tratteria/tconfigd/webhook" "go.uber.org/zap" diff --git a/service/configdispatcher/configdispatcher.go b/service/configdispatcher/configdispatcher.go index 1792713..e50f39b 100644 --- a/service/configdispatcher/configdispatcher.go +++ b/service/configdispatcher/configdispatcher.go @@ -64,6 +64,7 @@ func (cd *ConfigDispatcher) dispatchConfigUtil(ctx context.Context, url string, if err != nil { return fmt.Errorf("error reading response body: %w", err) } + return fmt.Errorf("received non-ok status: %d, response: %s", resp.StatusCode, string(bodyBytes)) }