cofide · markgoddard · Nov 18, 2024 · Nov 15, 2024 · Nov 18, 2024
diff --git a/cmd/cofidectl/cmd/trustzone/trustzone.go b/cmd/cofidectl/cmd/trustzone/trustzone.go
@@ -102,16 +102,17 @@ var trustZoneAddCmdDesc = `
 This command will add a new trust zone to the Cofide configuration state.
 `
 
-type Opts struct {
-	name               string
-	trust_domain       string
-	kubernetes_cluster string
-	context            string
-	profile            string
+type addOpts struct {
+	name              string
+	trustDomain       string
+	kubernetesCluster string
+	context           string
+	profile           string
+	jwtIssuer         string
 }
 
 func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
-	opts := Opts{}
+	opts := addOpts{}
 	cmd := &cobra.Command{
 		Use:   "add [NAME]",
 		Short: "Add a new trust zone",
@@ -137,10 +138,11 @@ func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
 
 			newTrustZone := &trust_zone_proto.TrustZone{
 				Name:              opts.name,
-				TrustDomain:       opts.trust_domain,
-				KubernetesCluster: &opts.kubernetes_cluster,
+				TrustDomain:       opts.trustDomain,
+				KubernetesCluster: &opts.kubernetesCluster,
 				KubernetesContext: &opts.context,
 				TrustProvider:     &trust_provider_proto.TrustProvider{Kind: &opts.profile},
+				JwtIssuer:         &opts.jwtIssuer,
 			}
 
 			_, err = ds.AddTrustZone(newTrustZone)
@@ -153,10 +155,11 @@ func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
 	}
 
 	f := cmd.Flags()
-	f.StringVar(&opts.trust_domain, "trust-domain", "", "Trust domain to use for this trust zone")
-	f.StringVar(&opts.kubernetes_cluster, "kubernetes-cluster", "", "Kubernetes cluster associated with this trust zone")
+	f.StringVar(&opts.trustDomain, "trust-domain", "", "Trust domain to use for this trust zone")
+	f.StringVar(&opts.kubernetesCluster, "kubernetes-cluster", "", "Kubernetes cluster associated with this trust zone")
 	f.StringVar(&opts.context, "kubernetes-context", "", "Kubernetes context to use for this trust zone")
 	f.StringVar(&opts.profile, "profile", "kubernetes", "Cofide profile used in the installation (e.g. kubernetes, istio)")
+	f.StringVar(&opts.jwtIssuer, "jwt-issuer", "", "JWT issuer to use for this trust zone")
 
 	cobra.CheckErr(cmd.MarkFlagRequired("trust-domain"))
 	cobra.CheckErr(cmd.MarkFlagRequired("kubernetes-cluster"))
@@ -320,7 +323,7 @@ func renderStatus(trustZone *trust_zone_proto.TrustZone, server *spire.ServerSta
 	return nil
 }
 
-func (c *TrustZoneCommand) getKubernetesContext(cmd *cobra.Command, opts *Opts) error {
+func (c *TrustZoneCommand) getKubernetesContext(cmd *cobra.Command, opts *addOpts) error {
 	kubeConfig, err := cmd.Flags().GetString("kube-config")
 	if err != nil {
 		return err
@@ -371,7 +374,7 @@ func checkContext(contexts []string, context string) bool {
 	return slices.Contains(contexts, context)
 }
 
-func validateOpts(opts Opts) error {
-	_, err := spiffeid.TrustDomainFromString(opts.trust_domain)
+func validateOpts(opts addOpts) error {
+	_, err := spiffeid.TrustDomainFromString(opts.trustDomain)
 	return err
 }
diff --git a/cmd/cofidectl/cmd/trustzone/trustzone_test.go b/cmd/cofidectl/cmd/trustzone/trustzone_test.go
@@ -29,7 +29,7 @@ func TestValidateOpts(t *testing.T) {
 
 	for _, tc := range tt {
 		t.Run(tc.domain, func(t *testing.T) {
-			err := validateOpts(Opts{trust_domain: tc.domain})
+			err := validateOpts(addOpts{trustDomain: tc.domain})
 			assert.Equal(t, tc.errExpected, err != nil)
 		})
 	}

diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.22.7
 require (
 	buf.build/go/protoyaml v0.2.0
 	cuelang.org/go v0.10.0
-	github.com/cofide/cofide-api-sdk v0.2.0
+	github.com/cofide/cofide-api-sdk v0.2.1-0.20241115095234-9cbc477358a3
 	github.com/fatih/color v1.13.0
 	github.com/gofrs/flock v0.12.1
 	github.com/google/go-cmp v0.6.0

diff --git a/go.sum b/go.sum
@@ -84,8 +84,8 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
 github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc=
-github.com/cofide/cofide-api-sdk v0.2.0 h1:O9Uad8q0QPS6athR31DDrY09K7g/Vnl/1U+ess5IKNQ=
-github.com/cofide/cofide-api-sdk v0.2.0/go.mod h1:tgwoy3fctWC/+9OwwBrDRQKcal37ETEfpNBp15zQGGQ=
+github.com/cofide/cofide-api-sdk v0.2.1-0.20241115095234-9cbc477358a3 h1:czwH71MW2gt8bhMjMkeaiQ5M5vrvNDJixoY2t+rlhJI=
+github.com/cofide/cofide-api-sdk v0.2.1-0.20241115095234-9cbc477358a3/go.mod h1:tgwoy3fctWC/+9OwwBrDRQKcal37ETEfpNBp15zQGGQ=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
 github.com/containerd/containerd v1.7.20 h1:Sl6jQYk3TRavaU83h66QMbI2Nqg9Jm6qzwX57Vsn1SQ=

diff --git a/internal/pkg/config/schema.cue b/internal/pkg/config/schema.cue
@@ -10,6 +10,7 @@
 	bundle?: string
 	federations: [...#Federation]
 	attestation_policies: [...#APBinding]
+	jwt_issuer?: string
 }
 
 #TrustProvider: {

diff --git a/internal/pkg/config/testdata/config/full.yaml b/internal/pkg/config/testdata/config/full.yaml
@@ -15,6 +15,7 @@ trust_zones:
           policy: ap1
           federates_with:
             - tz2
+      jwt_issuer: https://tz1.example.com
     - name: tz2
       trust_domain: td2
       kubernetes_cluster: local2
@@ -30,6 +31,7 @@ trust_zones:
           policy: ap2
           federates_with:
             - tz1
+      jwt_issuer: https://tz2.example.com
 attestation_policies:
     - name: ap1
       kubernetes:

diff --git a/internal/pkg/provider/helm/values.go b/internal/pkg/provider/helm/values.go
@@ -45,6 +45,10 @@ func (g *HelmValuesGenerator) GenerateValues() (map[string]interface{}, error) {
 		"global.deleteHooks.enabled":            false,
 	}
 
+	if issuer := g.trustZone.GetJwtIssuer(); issuer != "" {
+		globalValues["global.spire.jwtIssuer"] = issuer
+	}
+
 	spireAgentValues := map[string]interface{}{
 		`"spire-agent"."fullnameOverride"`: "spire-agent", // NOTE: https://github.com/cue-lang/cue/issues/358
 		`"spire-agent"."logLevel"`:         "DEBUG",

diff --git a/internal/pkg/provider/helm/values_test.go b/internal/pkg/provider/helm/values_test.go
@@ -33,6 +33,7 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) {
 				tz.Bundle = nil
 				tz.BundleEndpointUrl = nil
 				tz.Federations = nil
+				tz.JwtIssuer = nil
 				return tz
 			}(),
 			want: Values{
@@ -128,6 +129,7 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) {
 					},
 					"spire": Values{
 						"clusterName": "local1",
+						"jwtIssuer":   "https://tz1.example.com",
 						"recommendations": Values{
 							"create": true,
 						},

diff --git a/internal/pkg/test/fixtures/fixtures.go b/internal/pkg/test/fixtures/fixtures.go
@@ -38,6 +38,7 @@ var trustZoneFixtures map[string]*trust_zone_proto.TrustZone = map[string]*trust
 				FederatesWith: []string{"tz2"},
 			},
 		},
+		JwtIssuer: StringPtr("https://tz1.example.com"),
 	},
 	"tz2": {
 		Name:              "tz2",
@@ -61,6 +62,7 @@ var trustZoneFixtures map[string]*trust_zone_proto.TrustZone = map[string]*trust
 				FederatesWith: []string{"tz1"},
 			},
 		},
+		JwtIssuer: StringPtr("https://tz2.example.com"),
 	},
 }