Support setting JWT issuer on trust zones

For some use cases it would be helpful to be able to customise the JWT issuer (globals.jwtIssuer) in Helm values. This is implemented as an optional argument to the trust-zone add command: cofidectl trust-zone add foo --trust-domain bar.baz --jwt-issuer example-issuer ... Depends-On: cofide/cofide-api-sdk#3 Fixes: #25
cofide · Nov 15, 2024 · f6f1b94 · f6f1b94
1 parent 536cd1c
commit f6f1b94
Show file tree

Hide file tree

Showing 9 changed files with 32 additions and 18 deletions.
diff --git a/cmd/cofidectl/cmd/trustzone/trustzone.go b/cmd/cofidectl/cmd/trustzone/trustzone.go
@@ -102,16 +102,17 @@ var trustZoneAddCmdDesc = `
 This command will add a new trust zone to the Cofide configuration state.
 `
 
-type Opts struct {
-	name               string
-	trust_domain       string
-	kubernetes_cluster string
-	context            string
-	profile            string
+type addOpts struct {
+	name              string
+	trustDomain       string
+	kubernetesCluster string
+	context           string
+	profile           string
+	jwtIssuer         string
 }
 
 func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
-	opts := Opts{}
+	opts := addOpts{}
 	cmd := &cobra.Command{
 		Use:   "add [NAME]",
 		Short: "Add a new trust zone",
@@ -137,10 +138,11 @@ func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
 
 			newTrustZone := &trust_zone_proto.TrustZone{
 				Name:              opts.name,
-				TrustDomain:       opts.trust_domain,
-				KubernetesCluster: &opts.kubernetes_cluster,
+				TrustDomain:       opts.trustDomain,
+				KubernetesCluster: &opts.kubernetesCluster,
 				KubernetesContext: &opts.context,
 				TrustProvider:     &trust_provider_proto.TrustProvider{Kind: &opts.profile},
+				JwtIssuer:         &opts.jwtIssuer,
 			}
 
 			_, err = ds.AddTrustZone(newTrustZone)
@@ -153,10 +155,11 @@ func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
 	}
 
 	f := cmd.Flags()
-	f.StringVar(&opts.trust_domain, "trust-domain", "", "Trust domain to use for this trust zone")
-	f.StringVar(&opts.kubernetes_cluster, "kubernetes-cluster", "", "Kubernetes cluster associated with this trust zone")
+	f.StringVar(&opts.trustDomain, "trust-domain", "", "Trust domain to use for this trust zone")
+	f.StringVar(&opts.kubernetesCluster, "kubernetes-cluster", "", "Kubernetes cluster associated with this trust zone")
 	f.StringVar(&opts.context, "kubernetes-context", "", "Kubernetes context to use for this trust zone")
 	f.StringVar(&opts.profile, "profile", "kubernetes", "Cofide profile used in the installation (e.g. kubernetes, istio)")
+	f.StringVar(&opts.jwtIssuer, "jwt-issuer", "", "JWT issuer to use for this trust zone")
 
 	cobra.CheckErr(cmd.MarkFlagRequired("trust-domain"))
 	cobra.CheckErr(cmd.MarkFlagRequired("kubernetes-cluster"))
@@ -320,7 +323,7 @@ func renderStatus(trustZone *trust_zone_proto.TrustZone, server *spire.ServerSta
 	return nil
 }
 
-func (c *TrustZoneCommand) getKubernetesContext(cmd *cobra.Command, opts *Opts) error {
+func (c *TrustZoneCommand) getKubernetesContext(cmd *cobra.Command, opts *addOpts) error {
 	kubeConfig, err := cmd.Flags().GetString("kube-config")
 	if err != nil {
 		return err
@@ -371,7 +374,7 @@ func checkContext(contexts []string, context string) bool {
 	return slices.Contains(contexts, context)
 }
 
-func validateOpts(opts Opts) error {
-	_, err := spiffeid.TrustDomainFromString(opts.trust_domain)
+func validateOpts(opts addOpts) error {
+	_, err := spiffeid.TrustDomainFromString(opts.trustDomain)
 	return err
 }
diff --git a/cmd/cofidectl/cmd/trustzone/trustzone_test.go b/cmd/cofidectl/cmd/trustzone/trustzone_test.go
@@ -29,7 +29,7 @@ func TestValidateOpts(t *testing.T) {
 
 	for _, tc := range tt {
 		t.Run(tc.domain, func(t *testing.T) {
-			err := validateOpts(Opts{trust_domain: tc.domain})
+			err := validateOpts(addOpts{trustDomain: tc.domain})
 			assert.Equal(t, tc.errExpected, err != nil)
 		})
 	}

diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.22.7
 require (
 	buf.build/go/protoyaml v0.2.0
 	cuelang.org/go v0.10.0
-	github.com/cofide/cofide-api-sdk v0.2.0
+	github.com/cofide/cofide-api-sdk v0.2.1-0.20241115095234-9cbc477358a3
 	github.com/fatih/color v1.13.0
 	github.com/gofrs/flock v0.12.1
 	github.com/google/go-cmp v0.6.0

diff --git a/go.sum b/go.sum
@@ -84,8 +84,8 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
 github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc=
-github.com/cofide/cofide-api-sdk v0.2.0 h1:O9Uad8q0QPS6athR31DDrY09K7g/Vnl/1U+ess5IKNQ=
-github.com/cofide/cofide-api-sdk v0.2.0/go.mod h1:tgwoy3fctWC/+9OwwBrDRQKcal37ETEfpNBp15zQGGQ=
+github.com/cofide/cofide-api-sdk v0.2.1-0.20241115095234-9cbc477358a3 h1:czwH71MW2gt8bhMjMkeaiQ5M5vrvNDJixoY2t+rlhJI=
+github.com/cofide/cofide-api-sdk v0.2.1-0.20241115095234-9cbc477358a3/go.mod h1:tgwoy3fctWC/+9OwwBrDRQKcal37ETEfpNBp15zQGGQ=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
 github.com/containerd/containerd v1.7.20 h1:Sl6jQYk3TRavaU83h66QMbI2Nqg9Jm6qzwX57Vsn1SQ=

diff --git a/internal/pkg/config/schema.cue b/internal/pkg/config/schema.cue
@@ -10,6 +10,7 @@
 	bundle?: string
 	federations: [...#Federation]
 	attestation_policies: [...#APBinding]
+	jwt_issuer?: string
 }
 
 #TrustProvider: {

diff --git a/internal/pkg/config/testdata/config/full.yaml b/internal/pkg/config/testdata/config/full.yaml
@@ -15,6 +15,7 @@ trust_zones:
           policy: ap1
           federates_with:
             - tz2
+      jwt_issuer: https://tz1.example.com
     - name: tz2
       trust_domain: td2
       kubernetes_cluster: local2
@@ -30,6 +31,7 @@ trust_zones:
           policy: ap2
           federates_with:
             - tz1
+      jwt_issuer: https://tz2.example.com
 attestation_policies:
     - name: ap1
       kubernetes:

diff --git a/internal/pkg/provider/helm/values.go b/internal/pkg/provider/helm/values.go
@@ -45,6 +45,10 @@ func (g *HelmValuesGenerator) GenerateValues() (map[string]interface{}, error) {
 		"global.deleteHooks.enabled":            false,
 	}
 
+	if issuer := g.trustZone.GetJwtIssuer(); issuer != "" {
+		globalValues["global.spire.jwtIssuer"] = issuer
+	}
+
 	spireAgentValues := map[string]interface{}{
 		`"spire-agent"."fullnameOverride"`: "spire-agent", // NOTE: https://github.com/cue-lang/cue/issues/358
 		`"spire-agent"."logLevel"`:         "DEBUG",

diff --git a/internal/pkg/provider/helm/values_test.go b/internal/pkg/provider/helm/values_test.go
@@ -33,6 +33,7 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) {
 				tz.Bundle = nil
 				tz.BundleEndpointUrl = nil
 				tz.Federations = nil
+				tz.JwtIssuer = nil
 				return tz
 			}(),
 			want: Values{
@@ -128,6 +129,7 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) {
 					},
 					"spire": Values{
 						"clusterName": "local1",
+						"jwtIssuer":   "https://tz1.example.com",
 						"recommendations": Values{
 							"create": true,
 						},

diff --git a/internal/pkg/test/fixtures/fixtures.go b/internal/pkg/test/fixtures/fixtures.go
@@ -38,6 +38,7 @@ var trustZoneFixtures map[string]*trust_zone_proto.TrustZone = map[string]*trust
 				FederatesWith: []string{"tz2"},
 			},
 		},
+		JwtIssuer: StringPtr("https://tz1.example.com"),
 	},
 	"tz2": {
 		Name:              "tz2",
@@ -61,6 +62,7 @@ var trustZoneFixtures map[string]*trust_zone_proto.TrustZone = map[string]*trust
 				FederatesWith: []string{"tz1"},
 			},
 		},
+		JwtIssuer: StringPtr("https://tz2.example.com"),
 	},
 }