diff --git a/cmd/cofidectl/cmd/trustzone/trustzone.go b/cmd/cofidectl/cmd/trustzone/trustzone.go
index a0ec4fb..01bf724 100644
--- a/cmd/cofidectl/cmd/trustzone/trustzone.go
+++ b/cmd/cofidectl/cmd/trustzone/trustzone.go
@@ -106,16 +106,17 @@ var trustZoneAddCmdDesc = `
 This command will add a new trust zone to the Cofide configuration state.
 `
 
-type Opts struct {
-	name               string
-	trust_domain       string
-	kubernetes_cluster string
-	context            string
-	profile            string
+type addOpts struct {
+	name              string
+	trustDomain       string
+	kubernetesCluster string
+	context           string
+	profile           string
+	jwtIssuer         string
 }
 
 func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
-	opts := Opts{}
+	opts := addOpts{}
 	cmd := &cobra.Command{
 		Use:   "add [NAME]",
 		Short: "Add a new trust zone",
@@ -141,10 +142,11 @@ func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
 
 			newTrustZone := &trust_zone_proto.TrustZone{
 				Name:              opts.name,
-				TrustDomain:       opts.trust_domain,
-				KubernetesCluster: &opts.kubernetes_cluster,
+				TrustDomain:       opts.trustDomain,
+				KubernetesCluster: &opts.kubernetesCluster,
 				KubernetesContext: &opts.context,
 				TrustProvider:     &trust_provider_proto.TrustProvider{Kind: &opts.profile},
+				JwtIssuer:         &opts.jwtIssuer,
 			}
 
 			_, err = ds.AddTrustZone(newTrustZone)
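Review bot: The renamed `addOpts` struct and its new `jwtIssuer` field carry no doc comment, so a reader has to find the StringVar bindings in GetAddCommand to learn that these are the add command's flag values. Suggest `// addOpts holds the values bound to the flags of the trust-zone add command.` above the type and `// Issuer recorded on the trust zone; bound to --jwt-issuer, may be empty.` on the field. Nothing in this diff shows how the issuer is consumed downstream, so keep the field comment to what the flag binding establishes.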
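Review bot: `JwtIssuer: &opts.jwtIssuer` stores a non-nil pointer even when --jwt-issuer was not given, so a trust zone added without the flag carries an explicitly present empty issuer rather than an unset one, while the test in values_test.go models "no issuer" as `tz.JwtIssuer = nil` and the schema marks the field optional. The Helm values path guards on `!= ""`, but any layer that serialises field presence (the config store writing `jwt_issuer: ""`) or compares against nil-valued fixtures could observe the difference; whether the config layer emits empty optional strings is not visible here. Consider dropping the field from the literal and setting it only when given: `if opts.jwtIssuer != "" { newTrustZone.JwtIssuer = &opts.jwtIssuer }`. GetAddCommand's body continues outside the hunk.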
@@ -157,10 +159,11 @@ func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
 	}
 
 	f := cmd.Flags()
-	f.StringVar(&opts.trust_domain, "trust-domain", "", "Trust domain to use for this trust zone")
-	f.StringVar(&opts.kubernetes_cluster, "kubernetes-cluster", "", "Kubernetes cluster associated with this trust zone")
+	f.StringVar(&opts.trustDomain, "trust-domain", "", "Trust domain to use for this trust zone")
+	f.StringVar(&opts.kubernetesCluster, "kubernetes-cluster", "", "Kubernetes cluster associated with this trust zone")
 	f.StringVar(&opts.context, "kubernetes-context", "", "Kubernetes context to use for this trust zone")
 	f.StringVar(&opts.profile, "profile", "kubernetes", "Cofide profile used in the installation (e.g. kubernetes, istio)")
+	f.StringVar(&opts.jwtIssuer, "jwt-issuer", "", "JWT issuer to use for this trust zone")
 
 	cobra.CheckErr(cmd.MarkFlagRequired("trust-domain"))
 	cobra.CheckErr(cmd.MarkFlagRequired("kubernetes-cluster"))
@@ -324,7 +327,7 @@ func renderStatus(trustZone *trust_zone_proto.TrustZone, server *spire.ServerSta
 	return nil
 }
 
-func (c *TrustZoneCommand) getKubernetesContext(cmd *cobra.Command, opts *Opts) error {
+func (c *TrustZoneCommand) getKubernetesContext(cmd *cobra.Command, opts *addOpts) error {
 	kubeConfig, err := cmd.Flags().GetString("kube-config")
 	if err != nil {
 		return err
@@ -375,7 +378,7 @@ func checkContext(contexts []string, context string) bool {
 	return slices.Contains(contexts, context)
 }
 
-func validateOpts(opts Opts) error {
-	_, err := spiffeid.TrustDomainFromString(opts.trust_domain)
+func validateOpts(opts addOpts) error {
+	_, err := spiffeid.TrustDomainFromString(opts.trustDomain)
 	return err
 }
diff --git a/cmd/cofidectl/cmd/trustzone/trustzone_test.go b/cmd/cofidectl/cmd/trustzone/trustzone_test.go
index 3ec65ab..ceff524 100644
--- a/cmd/cofidectl/cmd/trustzone/trustzone_test.go
+++ b/cmd/cofidectl/cmd/trustzone/trustzone_test.go
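Review bot: The help text for the new flag, "JWT issuer to use for this trust zone", says nothing about the expected form of the value, although every issuer in this commit's fixtures and test data is an https URL. Suggest `"Issuer (iss claim) for JWT-SVIDs minted in this trust zone, as an https URL, e.g. https://tz1.example.com"`. The iss-claim wording assumes that the Helm key global.spire.jwtIssuer set in values.go feeds SPIRE server's issuer setting, which this diff does not show, so confirm against the chart before adopting it. GetAddCommand starts before this hunk.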
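Review bot: `validateOpts` still checks only the trust domain, so the new `--jwt-issuer` value reaches the config store and the Helm values unvalidated; a typo, a stray path or a non-URL string would only surface later when workloads verify JWT-SVIDs against an issuer that nothing trusts. The fixtures and testdata on this commit all use https URLs, so parsing the value when non-empty and rejecting anything that is not an absolute https URL without query or fragment matches the project's own usage (that form is also what OIDC discovery requires of an issuer, if that is a target here — not shown). The rewrite below needs `fmt` and `net/url` in the file's imports, and a table case for the new field in TestValidateOpts would pin the behaviour.

```go
func validateOpts(opts addOpts) error {
	if _, err := spiffeid.TrustDomainFromString(opts.trustDomain); err != nil {
		return err
	}
	// --jwt-issuer is optional; only validate it when given.
	if opts.jwtIssuer == "" {
		return nil
	}
	u, err := url.Parse(opts.jwtIssuer)
	if err != nil {
		return fmt.Errorf("parsing jwt-issuer %q: %w", opts.jwtIssuer, err)
	}
	if u.Scheme != "https" || u.Host == "" || u.RawQuery != "" || u.Fragment != "" {
		return fmt.Errorf("jwt-issuer %q must be an absolute https URL without query or fragment", opts.jwtIssuer)
	}
	return nil
}
```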
@@ -29,7 +29,7 @@ func TestValidateOpts(t *testing.T) {
 	for _, tc := range tt {
 		t.Run(tc.domain, func(t *testing.T) {
-			err := validateOpts(Opts{trust_domain: tc.domain})
+			err := validateOpts(addOpts{trustDomain: tc.domain})
 			assert.Equal(t, tc.errExpected, err != nil)
 		})
 	}
diff --git a/go.mod b/go.mod
index 5c16075..f520aa6 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.22.7
 require (
 	buf.build/go/protoyaml v0.2.0
 	cuelang.org/go v0.10.1
-	github.com/cofide/cofide-api-sdk v0.2.0
+	github.com/cofide/cofide-api-sdk v0.2.1-0.20241115095234-9cbc477358a3
 	github.com/fatih/color v1.18.0
 	github.com/gofrs/flock v0.12.1
 	github.com/google/go-cmp v0.6.0
diff --git a/go.sum b/go.sum
index e2a706e..d1114dc 100644
--- a/go.sum
+++ b/go.sum
@@ -84,8 +84,8 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
 github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc=
-github.com/cofide/cofide-api-sdk v0.2.0 h1:O9Uad8q0QPS6athR31DDrY09K7g/Vnl/1U+ess5IKNQ=
-github.com/cofide/cofide-api-sdk v0.2.0/go.mod h1:tgwoy3fctWC/+9OwwBrDRQKcal37ETEfpNBp15zQGGQ=
+github.com/cofide/cofide-api-sdk v0.2.1-0.20241115095234-9cbc477358a3 h1:czwH71MW2gt8bhMjMkeaiQ5M5vrvNDJixoY2t+rlhJI=
+github.com/cofide/cofide-api-sdk v0.2.1-0.20241115095234-9cbc477358a3/go.mod h1:tgwoy3fctWC/+9OwwBrDRQKcal37ETEfpNBp15zQGGQ=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
 github.com/containerd/containerd v1.7.20 h1:Sl6jQYk3TRavaU83h66QMbI2Nqg9Jm6qzwX57Vsn1SQ=
diff --git a/internal/pkg/config/schema.cue b/internal/pkg/config/schema.cue
index 18d67d0..1b18ac1 100644
--- a/internal/pkg/config/schema.cue
+++ b/internal/pkg/config/schema.cue
@@ -10,6 +10,7 @@
 	bundle?:              string
 	federations:          [...#Federation]
 	attestation_policies: [...#APBinding]
+	jwt_issuer?:          string
 }
 
 #TrustProvider: {
diff --git a/internal/pkg/config/testdata/config/full.yaml b/internal/pkg/config/testdata/config/full.yaml
index 4bbbca5..8f7d3d7 100644
--- a/internal/pkg/config/testdata/config/full.yaml
+++ b/internal/pkg/config/testdata/config/full.yaml
@@ -15,6 +15,7 @@ trust_zones:
     policy: ap1
     federates_with:
     - tz2
+  jwt_issuer: https://tz1.example.com
 - name: tz2
   trust_domain: td2
   kubernetes_cluster: local2
@@ -30,6 +31,7 @@ trust_zones:
     policy: ap2
     federates_with:
     - tz1
+  jwt_issuer: https://tz2.example.com
 attestation_policies:
 - name: ap1
   kubernetes:
diff --git a/internal/pkg/provider/helm/values.go b/internal/pkg/provider/helm/values.go
index 88fa871..62bd1e5 100644
--- a/internal/pkg/provider/helm/values.go
+++ b/internal/pkg/provider/helm/values.go
@@ -45,6 +45,10 @@ func (g *HelmValuesGenerator) GenerateValues() (map[string]interface{}, error) {
 		"global.deleteHooks.enabled": false,
 	}
 
+	if issuer := g.trustZone.GetJwtIssuer(); issuer != "" {
+		globalValues["global.spire.jwtIssuer"] = issuer
+	}
 	spireAgentValues := map[string]interface{}{
 		`"spire-agent"."fullnameOverride"`: "spire-agent", // NOTE: https://github.com/cue-lang/cue/issues/358
 		`"spire-agent"."logLevel"`:         "DEBUG",
diff --git a/internal/pkg/provider/helm/values_test.go b/internal/pkg/provider/helm/values_test.go
index 99dd085..cff3326 100644
--- a/internal/pkg/provider/helm/values_test.go
+++ b/internal/pkg/provider/helm/values_test.go
@@ -33,6 +33,7 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) {
 				tz.Bundle = nil
 				tz.BundleEndpointUrl = nil
 				tz.Federations = nil
+				tz.JwtIssuer = nil
 				return tz
 			}(),
 			want: Values{
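Review bot: `jwt_issuer?: string` accepts any string, while every value elsewhere in this commit is an https URL and the CLI side adds no check of its own, so a malformed issuer in a config file is only discovered once SPIRE starts issuing tokens with it. CUE can carry the constraint so that config loading rejects it up front: `jwt_issuer?: =~"^https://"`. Confirm that an https-only issuer is a requirement for this project's deployments before tightening the schema; the SPIRE setting itself is, as far as I know, a free-form string, and nothing on this page settles it.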
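Review bot: The guard `if issuer := g.trustZone.GetJwtIssuer(); issuer != ""` in GenerateValues has no comment saying why an empty issuer is skipped rather than written through, and that is the one non-obvious decision in the hunk: writing `global.spire.jwtIssuer` as an empty string would presumably replace whatever the chart ships by default, whereas omitting the key leaves the default alone. Suggest `// Only override the chart's issuer when the trust zone sets one; an empty value would clobber the default.` above the if. What the chart does with an empty key is inferred from the shape of the guard, not shown here; GenerateValues continues outside the hunk.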
@@ -125,6 +126,7 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) {
 				},
 				"spire": Values{
 					"clusterName": "local1",
+					"jwtIssuer":   "https://tz1.example.com",
 					"recommendations": Values{
 						"create": true,
 					},
diff --git a/internal/pkg/test/fixtures/fixtures.go b/internal/pkg/test/fixtures/fixtures.go
index af42598..acb8c5d 100644
--- a/internal/pkg/test/fixtures/fixtures.go
+++ b/internal/pkg/test/fixtures/fixtures.go
@@ -38,6 +38,7 @@ var trustZoneFixtures map[string]*trust_zone_proto.TrustZone = map[string]*trust
 				FederatesWith: []string{"tz2"},
 			},
 		},
+		JwtIssuer: StringPtr("https://tz1.example.com"),
 	},
 	"tz2": {
 		Name: "tz2",
@@ -61,6 +62,7 @@ var trustZoneFixtures map[string]*trust_zone_proto.TrustZone = map[string]*trust
 				FederatesWith: []string{"tz1"},
 			},
 		},
+		JwtIssuer: StringPtr("https://tz2.example.com"),
 	},
 }