diff --git a/Justfile b/Justfile
new file mode 100644
index 0000000..9a8de25
--- /dev/null
+++ b/Justfile
@@ -0,0 +1,23 @@
+
+set export
+set shell := ["bash", "-euo", "pipefail", "-c"]
+
+export KO_DOCKER_REPO := env_var_or_default("KO_DOCKER_REPO", "kind.local")
+export KIND_CLUSTER_NAME := env_var_or_default("KIND_CLUSTER_NAME", "kind")
+
+lint *args:
+ golangci-lint run --show-stats {{args}}
+
+check-deps:
+ # Check for demo script dependencies
+ for cmd in ko kubectl; do \
+ if ! command -v $cmd &> /dev/null; then \
+ echo "Error: $cmd is not installed" >&2; \
+ exit 1; \
+ fi \
+ done
+ echo "All dependencies installed"
+
+# Build application
+build: check-deps
+ ko build github.com/cofide/cofidectl-debug-container/cmd
diff --git a/README.md b/README.md
index ec604a1..f895fa3 100644
--- a/README.md
+++ b/README.md
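Review bot: `build` depends only on `check-deps` and runs `ko build`, whereas the README added in this commit says `just build` runs the unit tests; either add a `test` recipe (`test:` / `go test ./...`) and list it as a prerequisite, `build: check-deps test`, or drop the unit-test claim from the README. `check-deps` also refuses to build when `kubectl` is missing although nothing in this file invokes it — the recipe's own comment calls these demo-script dependencies, so checking `kubectl` only where it is used would let a build-only host proceed. `KIND_CLUSTER_NAME` is exported but not referenced by any recipe here; a short comment on why it is set, or removing it until a recipe needs it, would help.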
@@ -1 +1,49 @@
-# cofidectl-debug-container
\ No newline at end of file
+# cofidectl debug container
+
+This is a debug container that is used by [`cofidectl`](https://www.github.com/cofide/cofidectl) to discover the SPIFFE SVID and trust bundle issued to a workload, as part of the `cofidectl workload status` command. It helps to debug a running workload in a cluster and ensure it's identity is as intended.
+
+Cofide provide a ready-made container image used by `cofidectl` but you may wish to [build](#build) your own.
+
+## Prerequisites
+
+Building a `cofidectl-debug-container` binary requires:
+
+* [Go 1.22 toolchain](https://golang.org/doc/install)
+* [`just`](https://github.com/casey/just) as a command runner
+
+## Build
+
+To run the unit tests and build the `cofidectl-debug-container` binary:
+
+```sh
+just build
+```
+
+## How it works
+
+With `cofidectl`, this container is executed in-cluster as a Kubernetes [ephemeral container](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/). The Go application interfaces with the [SPIFFE Workload API](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_API.md) to obtain the SPIFFE SVID and trust bundle issued to a workload. `cofidectl` prints this to the console - for example:
+
+```
+./cofidectl workload status foo --namespace demo --pod-name ping-pong-client-f6f6495b5-zb9bd --trust-zone cofide-a
+✅ Complete: Successfully executed emphemeral container in ping-pong-client-f6f6495b5-zb9bd
+
+Trust bundles received
+* spiffe://cofide-a.test
+ Certificate "22:FA:3D:F3:D5:B7:FC:47:5E:AA:A1:7A:66:A6:03:2D:B0:90:E3:30:A7:7C:9F:3C:F0:33:18:78:3A:41:62:EB"
+ is a CA certificate
+ valid from "2024-11-22T04:15:53Z" to "2024-11-22T16:16:03Z"
+ Subject: SERIALNUMBER=134874419949172333976462662483560844916,CN=example.org,O=Example,C=ARPA
+ DNS names: spiffe://cofide-a.test
+ Signature algorithm: SHA256-RSA
+ Issuer: SERIALNUMBER=134874419949172333976462662483560844916,CN=example.org,O=Example,C=ARPA
+
+SVIDs received
+* spiffe://cofide-a.test/ns/demo/sa/ping-pong-client
+ Certificate "4D:FA:5B:56:EC:B4:73:FF:24:9C:2D:E6:DE:AC:41:3B:0B:BE:42:B8:2F:E9:2C:71:87:FF:BD:E0:C3:C8:9D:E4"
+ valid from "2024-11-22T09:10:10Z" to "2024-11-22T13:10:20Z"
+ Subject: O=SPIRE,C=US
+ DNS names: spiffe://cofide-a.test/ns/demo/sa/ping-pong-client
+ Signature algorithm: SHA256-RSA
+ Issuer: SERIALNUMBER=134874419949172333976462662483560844916,CN=example.org,O=Example,C=ARPA
+ SVID verified against trust bundle
+```
\ No newline at end of file
diff --git a/cmd/main.go b/cmd/main.go
index 10c99c8..1e8c8f2 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -15,7 +15,7 @@ import (
 "github.com/spiffe/go-spiffe/v2/workloadapi"
 )
-const spiffeSocket = "unix:///tmp/spire.sock"
+const spiffeSocket = "unix:///spiffe-workload-api/spire-agent.sock"
 func main() {
 ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
diff --git a/go.mod b/go.mod
index 9a8ca53..824cdb0 100644
--- a/go.mod
+++ b/go.mod
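Review bot: `spiffeSocket` still hard-codes the Workload API endpoint path, so a cluster whose agent socket is mounted elsewhere cannot be inspected without rebuilding the image. The SPIFFE Workload API defines `SPIFFE_ENDPOINT_SOCKET` for exactly this purpose; reading it with a fallback to the constant, `socket := os.Getenv("SPIFFE_ENDPOINT_SOCKET")` then `if socket == "" { socket = spiffeSocket }`, would keep the current default while letting the caller pass the path in at runtime. Where the constant is consumed is outside this hunk, as is the rest of `main`, so the lookup belongs wherever the Workload API client is configured. A comment on the constant stating where the path is expected to come from (presumably the volume mount `cofidectl` configures for the ephemeral container) would also help the next reader.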
@@ -6,13 +6,15 @@ require github.com/spiffe/go-spiffe/v2 v2.4.0
 require (
 github.com/Microsoft/go-winio v0.6.2 // indirect
+ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/zeebo/errs v1.3.0 // indirect
- golang.org/x/crypto v0.26.0 // indirect
- golang.org/x/net v0.28.0 // indirect
- golang.org/x/sys v0.24.0 // indirect
- golang.org/x/text v0.17.0 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
+ golang.org/x/crypto v0.28.0 // indirect
+ golang.org/x/net v0.30.0 // indirect
+ golang.org/x/sys v0.26.0 // indirect
+ golang.org/x/text v0.19.0 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f // indirect
 google.golang.org/grpc v1.67.1 // indirect
- google.golang.org/protobuf v1.34.2 // indirect
+ google.golang.org/protobuf v1.35.1 // indirect
 )
diff --git a/go.sum b/go.sum
index 04a3ee4..1e83733 100644
--- a/go.sum
+++ b/go.sum
@@ -1,32 +1,32 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E= github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/spiffe/go-spiffe/v2 v2.4.0 h1:j/FynG7hi2azrBG5cvjRcnQ4sux/VNj8FAVc99Fl66c= github.com/spiffe/go-spiffe/v2 v2.4.0/go.mod h1:m5qJ1hGzjxjtrkGHZupoXHo/FDWwCB1MdSyBzfHugx0= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= -golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= -golang.org/x/crypto v0.26.0/go.mod 
h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= -golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= -golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= -golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= -golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= -golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= +golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f h1:cUMEy+8oS78BWIH9OWazBkzbr090Od9tWBNtZHkOhf0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= -google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= -google.golang.org/protobuf v1.34.2/go.mod 
h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=