From f6f1b94cc228aea45d37459dac17cf3bb8a8aefb Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Fri, 15 Nov 2024 10:54:50 +0000
Subject: [PATCH] Support setting JWT issuer on trust zones

For some use cases it would be helpful to be able to customise the JWT issuer (globals.jwtIssuer) in Helm values.

This is implemented as an optional argument to the trust-zone add command:

cofidectl trust-zone add foo --trust-domain bar.baz --jwt-issuer example-issuer ...

Depends-On: https://github.com/cofide/cofide-api-sdk/pull/3
Fixes: #25
---
 cmd/cofidectl/cmd/trustzone/trustzone.go | 31 ++++++++++---------
 cmd/cofidectl/cmd/trustzone/trustzone_test.go | 2 +-
 go.mod | 2 +-
 go.sum | 4 +--
 internal/pkg/config/schema.cue | 1 +
 internal/pkg/config/testdata/config/full.yaml | 2 ++
 internal/pkg/provider/helm/values.go | 4 +++
 internal/pkg/provider/helm/values_test.go | 2 ++
 internal/pkg/test/fixtures/fixtures.go | 2 ++
 9 files changed, 32 insertions(+), 18 deletions(-)

diff --git a/cmd/cofidectl/cmd/trustzone/trustzone.go b/cmd/cofidectl/cmd/trustzone/trustzone.go
index 9043d0f..108b667 100644
--- a/cmd/cofidectl/cmd/trustzone/trustzone.go
+++ b/cmd/cofidectl/cmd/trustzone/trustzone.go
@@ -102,16 +102,17 @@ var trustZoneAddCmdDesc = `
 This command will add a new trust zone to the Cofide configuration state.
 `
 
-type Opts struct {
- name string
- trust_domain string
- kubernetes_cluster string
- context string
- profile string
+type addOpts struct {
+ name string
+ trustDomain string
+ kubernetesCluster string
+ context string
+ profile string
+ jwtIssuer string
 }
 
 func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
- opts := Opts{}
+ opts := addOpts{}
 cmd := &cobra.Command{
 Use: "add [NAME]",
 Short: "Add a new trust zone",
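Review bot: The new `addOpts` type and its `jwtIssuer` field carry no comment, so a reader of the struct cannot tell that the issuer is optional or what an empty value means. A type comment such as `// addOpts holds the flag values for the trust-zone add command.` with `// jwtIssuer is optional; when empty the chart's own issuer setting is left untouched.` on the field would state that, and the second sentence matches the non-empty check the values.go hunk applies before writing the Helm value. The lowerCamelCase renames make the remaining fields consistent with Go naming. GetAddCommand's body continues outside the hunk.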
@@ -137,10 +138,11 @@ func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
 
 newTrustZone := &trust_zone_proto.TrustZone{
 Name: opts.name,
- TrustDomain: opts.trust_domain,
- KubernetesCluster: &opts.kubernetes_cluster,
+ TrustDomain: opts.trustDomain,
+ KubernetesCluster: &opts.kubernetesCluster,
 KubernetesContext: &opts.context,
 TrustProvider: &trust_provider_proto.TrustProvider{Kind: &opts.profile},
+ JwtIssuer: &opts.jwtIssuer,
 }
 
 _, err = ds.AddTrustZone(newTrustZone)
@@ -153,10 +155,11 @@ func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
 }
 
 f := cmd.Flags()
- f.StringVar(&opts.trust_domain, "trust-domain", "", "Trust domain to use for this trust zone")
- f.StringVar(&opts.kubernetes_cluster, "kubernetes-cluster", "", "Kubernetes cluster associated with this trust zone")
+ f.StringVar(&opts.trustDomain, "trust-domain", "", "Trust domain to use for this trust zone")
+ f.StringVar(&opts.kubernetesCluster, "kubernetes-cluster", "", "Kubernetes cluster associated with this trust zone")
 f.StringVar(&opts.context, "kubernetes-context", "", "Kubernetes context to use for this trust zone")
 f.StringVar(&opts.profile, "profile", "kubernetes", "Cofide profile used in the installation (e.g. kubernetes, istio)")
+ f.StringVar(&opts.jwtIssuer, "jwt-issuer", "", "JWT issuer to use for this trust zone")
 
 cobra.CheckErr(cmd.MarkFlagRequired("trust-domain"))
 cobra.CheckErr(cmd.MarkFlagRequired("kubernetes-cluster"))
@@ -320,7 +323,7 @@ func renderStatus(trustZone *trust_zone_proto.TrustZone, server *spire.ServerSta
 return nil
 }
 
-func (c *TrustZoneCommand) getKubernetesContext(cmd *cobra.Command, opts *Opts) error {
+func (c *TrustZoneCommand) getKubernetesContext(cmd *cobra.Command, opts *addOpts) error {
 kubeConfig, err := cmd.Flags().GetString("kube-config")
 if err != nil {
 return err
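Review bot: `JwtIssuer: &opts.jwtIssuer` always stores a non-nil pointer, so a trust zone added without `--jwt-issuer` carries an empty-string issuer rather than an absent one, and the optional `jwt_issuer?: string` field added in the schema.cue hunk presumably ends up persisted as `""` whenever the proto's field presence is honoured on write. Setting the field only when the flag was given keeps "unset" and "empty" distinguishable and mirrors the `issuer != ""` check in the values.go hunk: `if opts.jwtIssuer != "" { newTrustZone.JwtIssuer = &opts.jwtIssuer }` after the literal, with the `JwtIssuer:` line dropped. The `--jwt-issuer` flag registered in the @@ -153 hunk could also say in its help text that the value is optional and, when given, overrides the chart's issuer setting. GetAddCommand starts and ends outside the hunk.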
@@ -371,7 +374,7 @@ func checkContext(contexts []string, context string) bool {
 return slices.Contains(contexts, context)
 }
 
-func validateOpts(opts Opts) error {
- _, err := spiffeid.TrustDomainFromString(opts.trust_domain)
+func validateOpts(opts addOpts) error {
+ _, err := spiffeid.TrustDomainFromString(opts.trustDomain)
 return err
 }
diff --git a/cmd/cofidectl/cmd/trustzone/trustzone_test.go b/cmd/cofidectl/cmd/trustzone/trustzone_test.go
index 3ec65ab..ceff524 100644
--- a/cmd/cofidectl/cmd/trustzone/trustzone_test.go
+++ b/cmd/cofidectl/cmd/trustzone/trustzone_test.go
@@ -29,7 +29,7 @@ func TestValidateOpts(t *testing.T) {
 
 for _, tc := range tt {
 t.Run(tc.domain, func(t *testing.T) {
- err := validateOpts(Opts{trust_domain: tc.domain})
+ err := validateOpts(addOpts{trustDomain: tc.domain})
 assert.Equal(t, tc.errExpected, err != nil)
 })
 }
diff --git a/go.mod b/go.mod
index 6f4cb1b..657e44e 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.22.7
 require (
 buf.build/go/protoyaml v0.2.0
 cuelang.org/go v0.10.0
- github.com/cofide/cofide-api-sdk v0.2.0
+ github.com/cofide/cofide-api-sdk v0.2.1-0.20241115095234-9cbc477358a3
 github.com/fatih/color v1.13.0
 github.com/gofrs/flock v0.12.1
 github.com/google/go-cmp v0.6.0
diff --git a/go.sum b/go.sum
index 86b3638..59b3b67 100644
--- a/go.sum
+++ b/go.sum
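Review bot: `validateOpts` still checks only the trust domain, so whatever is passed to `--jwt-issuer` is accepted verbatim and forwarded into the Helm values by the values.go hunk, presumably ending up as the issuer of the zone's JWT-SVIDs; a typo or a value with embedded whitespace is only noticed once the chart has been rendered and relying parties reject the tokens. The description's own example `--jwt-issuer example-issuer` is not a URL, so a `url.ParseRequestURI` check would be too strict unless the project requires OIDC-discoverable issuers, but rejecting whitespace is safe and keeps the error at the CLI where `TestValidateOpts` in the next file section can cover it with a second table. The rewrite below needs `fmt`, `strings` and `unicode` in the import block, which the hunk does not show; `validateOpts` is complete within the hunk.

```go
func validateOpts(opts addOpts) error {
	if _, err := spiffeid.TrustDomainFromString(opts.trustDomain); err != nil {
		return err
	}
	// The issuer is optional; when given it is passed to the chart verbatim,
	// so it must at least be a single token.
	if strings.ContainsFunc(opts.jwtIssuer, unicode.IsSpace) {
		return fmt.Errorf("jwt issuer %q must not contain whitespace", opts.jwtIssuer)
	}
	return nil
}
```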
@@ -84,8 +84,8 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
 github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc=
-github.com/cofide/cofide-api-sdk v0.2.0 h1:O9Uad8q0QPS6athR31DDrY09K7g/Vnl/1U+ess5IKNQ=
-github.com/cofide/cofide-api-sdk v0.2.0/go.mod h1:tgwoy3fctWC/+9OwwBrDRQKcal37ETEfpNBp15zQGGQ=
+github.com/cofide/cofide-api-sdk v0.2.1-0.20241115095234-9cbc477358a3 h1:czwH71MW2gt8bhMjMkeaiQ5M5vrvNDJixoY2t+rlhJI=
+github.com/cofide/cofide-api-sdk v0.2.1-0.20241115095234-9cbc477358a3/go.mod h1:tgwoy3fctWC/+9OwwBrDRQKcal37ETEfpNBp15zQGGQ=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
 github.com/containerd/containerd v1.7.20 h1:Sl6jQYk3TRavaU83h66QMbI2Nqg9Jm6qzwX57Vsn1SQ=
diff --git a/internal/pkg/config/schema.cue b/internal/pkg/config/schema.cue
index 18d67d0..1b18ac1 100644
--- a/internal/pkg/config/schema.cue
+++ b/internal/pkg/config/schema.cue
@@ -10,6 +10,7 @@
 bundle?: string
 federations: [...#Federation]
 attestation_policies: [...#APBinding]
+ jwt_issuer?: string
 }
 
 #TrustProvider: {
diff --git a/internal/pkg/config/testdata/config/full.yaml b/internal/pkg/config/testdata/config/full.yaml
index 4bbbca5..8f7d3d7 100644
--- a/internal/pkg/config/testdata/config/full.yaml
+++ b/internal/pkg/config/testdata/config/full.yaml
@@ -15,6 +15,7 @@ trust_zones:
 policy: ap1
 federates_with:
 - tz2
+ jwt_issuer: https://tz1.example.com
 - name: tz2
 trust_domain: td2
 kubernetes_cluster: local2
@@ -30,6 +31,7 @@ trust_zones:
 policy: ap2
 federates_with:
 - tz1
+ jwt_issuer: https://tz2.example.com
 attestation_policies:
 - name: ap1
 kubernetes:
diff --git a/internal/pkg/provider/helm/values.go b/internal/pkg/provider/helm/values.go
index 7a4d5d1..6d625b3 100644
--- a/internal/pkg/provider/helm/values.go
+++ b/internal/pkg/provider/helm/values.go
@@ -45,6 +45,10 @@ func (g *HelmValuesGenerator) GenerateValues() (map[string]interface{}, error) {
 "global.deleteHooks.enabled": false,
 }
 
+ if issuer := g.trustZone.GetJwtIssuer(); issuer != "" {
+ globalValues["global.spire.jwtIssuer"] = issuer
+ }
+
 spireAgentValues := map[string]interface{}{
 `"spire-agent"."fullnameOverride"`: "spire-agent", // NOTE: https://github.com/cue-lang/cue/issues/358
 `"spire-agent"."logLevel"`: "DEBUG",
diff --git a/internal/pkg/provider/helm/values_test.go b/internal/pkg/provider/helm/values_test.go
index 4e172cb..7f7208c 100644
--- a/internal/pkg/provider/helm/values_test.go
+++ b/internal/pkg/provider/helm/values_test.go
@@ -33,6 +33,7 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) {
 tz.Bundle = nil
 tz.BundleEndpointUrl = nil
 tz.Federations = nil
+ tz.JwtIssuer = nil
 return tz
 }(),
 want: Values{
@@ -128,6 +129,7 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) {
 },
 "spire": Values{
 "clusterName": "local1",
+ "jwtIssuer": "https://tz1.example.com",
 "recommendations": Values{
 "create": true,
 },
diff --git a/internal/pkg/test/fixtures/fixtures.go b/internal/pkg/test/fixtures/fixtures.go
index af42598..acb8c5d 100644
--- a/internal/pkg/test/fixtures/fixtures.go
+++ b/internal/pkg/test/fixtures/fixtures.go
@@ -38,6 +38,7 @@ var trustZoneFixtures map[string]*trust_zone_proto.TrustZone = map[string]*trust
 FederatesWith: []string{"tz2"},
 },
 },
+ JwtIssuer: StringPtr("https://tz1.example.com"),
 },
 "tz2": {
 Name: "tz2",
@@ -61,6 +62,7 @@ var trustZoneFixtures map[string]*trust_zone_proto.TrustZone = map[string]*trust
 FederatesWith: []string{"tz1"},
 },
 },
+ JwtIssuer: StringPtr("https://tz2.example.com"),
 },
 }
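Review bot: The new `if issuer := g.trustZone.GetJwtIssuer(); issuer != ""` block in values.go sets the key only when an issuer is configured but says nothing about why, and the key it writes, `global.spire.jwtIssuer`, is not the `globals.jwtIssuer` named in the commit description. A short comment such as `// Only set the issuer when the trust zone configures one, so the chart's own default applies otherwise.` would record the intent, and the description should name the key the code actually writes. Whether an empty value would really displace the chart default depends on the chart, which is not visible here, so trim the comment if that is not the case. GenerateValues starts and ends outside the hunk.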