Add GET ClusterFederatedTrustDomain API (#542)
* removed handlers

Signed-off-by: Maia Iyer <[email protected]>

* nit spacing fixes

Signed-off-by: Maia Iyer <[email protected]>

* Nits

Signed-off-by: Maia Iyer <[email protected]>

* added plugin config parsing

Signed-off-by: Maia Iyer <[email protected]>

* Nits

Signed-off-by: Maia Iyer <[email protected]>

* Initialize Package

Signed-off-by: Maia Iyer <[email protected]>

* added documentation

Signed-off-by: Maia Iyer <[email protected]>

* nit lint

Signed-off-by: Maia Iyer <[email protected]>

* nit

Signed-off-by: Maia Iyer <[email protected]>

* nit lints

Signed-off-by: Maia Iyer <[email protected]>

* fix key length check

Signed-off-by: Maia Iyer <[email protected]>

* add list federation function to crd pkg

Signed-off-by: Maia Iyer <[email protected]>

* initial function handlers added

Signed-off-by: Maia Iyer <[email protected]>

* nit

Signed-off-by: Maia Iyer <[email protected]>

* move types to pkg

Signed-off-by: Maia Iyer <[email protected]>

* initial crd list attempt

Signed-off-by: Maia Iyer <[email protected]>

* nit case

Signed-off-by: Maia Iyer <[email protected]>

* try printing individual crds

Signed-off-by: Maia Iyer <[email protected]>

* Indexing into spec

Signed-off-by: Maia Iyer <[email protected]>

* Added parsing code and refactored

Signed-off-by: Maia Iyer <[email protected]>

* return result value

Signed-off-by: Maia Iyer <[email protected]>

* Adding API documentation

Signed-off-by: Maia Iyer <[email protected]>

* Removing print statements

Signed-off-by: Maia Iyer <[email protected]>

* Added Documentation

Signed-off-by: Maia Iyer <[email protected]>

* Linted Markdown

Signed-off-by: Maia Iyer <[email protected]>

* nits

Signed-off-by: Maia Iyer <[email protected]>

---------

Signed-off-by: Maia Iyer <[email protected]>
maia-iyer authored Oct 28, 2024
1 parent 5de7444 commit a9b1767
Showing 12 changed files with 575 additions and 102 deletions.
6 changes: 3 additions & 3 deletions api/agent/config.go
Expand Up @@ -100,15 +100,15 @@ func NewCRDManager(crdPlugin *ast.ObjectItem) (spirecrd.CRDManager, error) {

// check if data is defined
if data == nil {
return "", errors.New("SPIRECRDManager plugin ('config > plugins > SPIRECRDManager > plugin_data') not populated")
return nil, errors.New("SPIRECRDManager plugin ('config > plugins > SPIRECRDManager > plugin_data') not populated")
}
// decode config to struct
var config pluginControllerManager
if err := hcl.DecodeObject(&config, data); err != nil {
return "", errors.Errorf("Couldn't parse SPIREControllerManager config: %v", err)
return nil, errors.Errorf("Couldn't parse SPIREControllerManager config: %v", err)
}

fmt.Println("CRD Controller configured. WARNING: This is currently a no-op")
fmt.Println("CRD Controller configured. spire-controller-manager APIs enabled")

crdManager, err := spirecrd.NewSPIRECRDManager(config.Classname)
if err != nil {
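Review bot: The new "CRD Controller configured. spire-controller-manager APIs enabled" message is printed before spirecrd.NewSPIRECRDManager is called and its error is checked, so a run in which construction fails still logs that the APIs are enabled. Move the print below the `if err != nil` block that follows the NewSPIRECRDManager call, e.g. `fmt.Println("CRD Controller configured. spire-controller-manager APIs enabled")` as the last statement before the success return, so the operator-facing log reflects the actual outcome. The rest of the commit's change here (returning nil instead of "" for the interface result) is correct. NewCRDManager begins and ends outside the hunk.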
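--- /dev/null
+++ b/api/agent/crd_handlers.go
@@ -0,0 +1,59 @@
+package api
+
+import (
+"encoding/json"
+"fmt"
+"io"
+"net/http"
+"strings"
+
+crdmanager "github.com/spiffe/tornjak/pkg/agent/spirecrd"
+)
+
+func (s *Server) CRDFederationList(w http.ResponseWriter, r *http.Request) {
+// if CRD management not configured
+if s.CRDManager == nil {
+emsg := "Error: CRD Manager not configured on Tornjak."
+retError(w, emsg, http.StatusBadRequest)
+return
+}
+// if CRD management is configured
+var input crdmanager.ListFederationRelationshipsRequest
+buf := new(strings.Builder)
+
+n, err := io.Copy(buf, r.Body)
+if err != nil {
+emsg := fmt.Sprintf("Error parsing data: %v", err.Error())
+retError(w, emsg, http.StatusBadRequest)
+return
+}
+data := buf.String()
+
+if n == 0 {
+input = crdmanager.ListFederationRelationshipsRequest{}
+} else {
+err := json.Unmarshal([]byte(data), &input)
+if err != nil {
+emsg := fmt.Sprintf("Error parsing data: %v", err.Error())
+retError(w, emsg, http.StatusBadRequest)
+return
+}
+}
+
+ret, err := s.CRDManager.ListClusterFederatedTrustDomains(input) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
+if err != nil {
+emsg := fmt.Sprintf("Error: %v", err.Error())
+retError(w, emsg, http.StatusInternalServerError)
+return
+}
+
+cors(w, r)
+je := json.NewEncoder(w)
+err = je.Encode(ret) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
+if err != nil {
+emsg := fmt.Sprintf("Error: %v", err.Error())
+retError(w, emsg, http.StatusBadRequest)
+return
+}
+
+}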
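Review bot: CRDFederationList copies the whole request body into a strings.Builder with io.Copy and no size limit before checking whether it was empty, on a route that server.go registers for GET and OPTIONS, so a client can make the handler buffer an arbitrarily large payload in memory. Wrap r.Body in http.MaxBytesReader and decode it directly with json.NewDecoder, treating io.EOF as the empty-body case; that removes the n == 0 branch, the data string copy and the strings import. If the other handlers in this package already bound their bodies, reuse that limit instead of introducing a new constant. An OPTIONS preflight also reaches ListClusterFederatedTrustDomains before cors(w, r) runs; if the sibling handlers short-circuit OPTIONS, this one should do the same.
```go
	var input crdmanager.ListFederationRelationshipsRequest
	// Bound the body so a client cannot force the handler to buffer an unbounded payload.
	body := http.MaxBytesReader(w, r.Body, maxBodyBytes) // maxBodyBytes: placeholder limit, to be chosen
	if err := json.NewDecoder(body).Decode(&input); err != nil && err != io.EOF {
		emsg := fmt.Sprintf("Error parsing data: %v", err)
		retError(w, emsg, http.StatusBadRequest)
		return
	}
	// … unchanged: ListClusterFederatedTrustDomains call, cors and JSON encoding …
```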
3 changes: 3 additions & 0 deletions api/agent/server.go
Expand Up @@ -212,6 +212,9 @@ func (s *Server) GetRouter() http.Handler {
apiRtr.HandleFunc("/api/v1/spire/federations", s.federationUpdate).Methods(http.MethodPatch)
apiRtr.HandleFunc("/api/v1/spire/federations", s.federationDelete).Methods(http.MethodDelete)

// SPIRE CRD Federations
apiRtr.HandleFunc("/api/v1/spire-controller-manager/clusterfederatedtrustdomains", s.CRDFederationList).Methods(http.MethodGet, http.MethodOptions)

// Tornjak specific
apiRtr.HandleFunc("/api/v1/tornjak/serverinfo", s.tornjakGetServerInfo).Methods(http.MethodGet, http.MethodOptions)
// Agents Selectors
36 changes: 18 additions & 18 deletions api/agent/spire_apis.go
Expand Up @@ -22,7 +22,7 @@ type HealthcheckResponse grpc_health_v1.HealthCheckResponse
func (s *Server) SPIREHealthcheck(inp HealthcheckRequest) (*HealthcheckResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := grpc_health_v1.HealthCheckRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -43,7 +43,7 @@ type DebugServerResponse debugServer.GetInfoResponse
func (s *Server) DebugServer(inp DebugServerRequest) (*DebugServerResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := debugServer.GetInfoRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -64,7 +64,7 @@ type ListAgentsResponse agent.ListAgentsResponse
func (s *Server) ListAgents(inp ListAgentsRequest) (*ListAgentsResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := agent.ListAgentsRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -84,7 +84,7 @@ type BanAgentRequest agent.BanAgentRequest
func (s *Server) BanAgent(inp BanAgentRequest) error { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := agent.BanAgentRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return err
}
Expand All @@ -104,7 +104,7 @@ type DeleteAgentRequest agent.DeleteAgentRequest
func (s *Server) DeleteAgent(inp DeleteAgentRequest) error { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := agent.DeleteAgentRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return err
}
Expand All @@ -125,7 +125,7 @@ type CreateJoinTokenResponse types.JoinToken
func (s *Server) CreateJoinToken(inp CreateJoinTokenRequest) (*CreateJoinTokenResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := agent.CreateJoinTokenRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -148,7 +148,7 @@ type ListEntriesResponse entry.ListEntriesResponse
func (s *Server) ListEntries(inp ListEntriesRequest) (*ListEntriesResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := entry.ListEntriesRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -169,7 +169,7 @@ type BatchCreateEntryResponse entry.BatchCreateEntryResponse
func (s *Server) BatchCreateEntry(inp BatchCreateEntryRequest) (*BatchCreateEntryResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := entry.BatchCreateEntryRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -190,7 +190,7 @@ type BatchDeleteEntryResponse entry.BatchDeleteEntryResponse
func (s *Server) BatchDeleteEntry(inp BatchDeleteEntryRequest) (*BatchDeleteEntryResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := entry.BatchDeleteEntryRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -222,7 +222,7 @@ type GetBundleResponse types.Bundle
func (s *Server) GetBundle(inp GetBundleRequest) (*GetBundleResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := bundle.GetBundleRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -243,7 +243,7 @@ type ListFederatedBundlesResponse bundle.ListFederatedBundlesResponse
func (s *Server) ListFederatedBundles(inp ListFederatedBundlesRequest) (*ListFederatedBundlesResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := bundle.ListFederatedBundlesRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -264,7 +264,7 @@ type CreateFederatedBundleResponse bundle.BatchCreateFederatedBundleResponse
func (s *Server) CreateFederatedBundle(inp CreateFederatedBundleRequest) (*CreateFederatedBundleResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := bundle.BatchCreateFederatedBundleRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -285,7 +285,7 @@ type UpdateFederatedBundleResponse bundle.BatchUpdateFederatedBundleResponse
func (s *Server) UpdateFederatedBundle(inp UpdateFederatedBundleRequest) (*UpdateFederatedBundleResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := bundle.BatchUpdateFederatedBundleRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -306,7 +306,7 @@ type DeleteFederatedBundleResponse bundle.BatchDeleteFederatedBundleResponse
func (s *Server) DeleteFederatedBundle(inp DeleteFederatedBundleRequest) (*DeleteFederatedBundleResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := bundle.BatchDeleteFederatedBundleRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -328,7 +328,7 @@ type ListFederationRelationshipsResponse trustdomain.ListFederationRelationships
func (s *Server) ListFederationRelationships(inp ListFederationRelationshipsRequest) (*ListFederationRelationshipsResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := trustdomain.ListFederationRelationshipsRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -349,7 +349,7 @@ type CreateFederationRelationshipResponse trustdomain.BatchCreateFederationRelat
func (s *Server) CreateFederationRelationship(inp CreateFederationRelationshipRequest) (*CreateFederationRelationshipResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := trustdomain.BatchCreateFederationRelationshipRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -370,7 +370,7 @@ type UpdateFederationRelationshipResponse trustdomain.BatchUpdateFederationRelat
func (s *Server) UpdateFederationRelationship(inp UpdateFederationRelationshipRequest) (*UpdateFederationRelationshipResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := trustdomain.BatchUpdateFederationRelationshipRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
Expand All @@ -391,7 +391,7 @@ type DeleteFederationRelationshipResponse trustdomain.BatchDeleteFederationRelat
func (s *Server) DeleteFederationRelationship(inp DeleteFederationRelationshipRequest) (*DeleteFederationRelationshipResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
inpReq := trustdomain.BatchDeleteFederationRelationshipRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
var conn *grpc.ClientConn
conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
return nil, err
}
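Review bot: grpc.NewClient is not a drop-in for grpc.Dial: it does not connect eagerly and it defaults to the "dns" resolver where Dial defaulted to "passthrough", so a SpireServerAddr value that Dial passed through verbatim may now be resolved differently; this applies to the first hunk in SPIREHealthcheck and equally to the other seventeen hunks in this file. Worth confirming against the address formats the project's configuration documents, in particular anything that is not a plain host:port. Because connection establishment is deferred, the `if err != nil` immediately after NewClient now mostly reports bad arguments, and an unreachable server surfaces on the first RPC in each function instead; callers that relied on an early failure here should be checked. Adjacent but pre-existing: each function still opens a fresh connection with insecure transport credentials per call, and the `var conn *grpc.ClientConn` line is redundant with the `conn, err :=` that follows. Every function body in these hunks continues outside the hunk.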
7 changes: 6 additions & 1 deletion docs/plugin_server_spirecrd.md
@@ -1,6 +1,11 @@
# Server plugin: SPIRECRDManager

Note the SPIRECRDManager is an optional plugin. This plugin enables the creation of SPIRE CRDs on the cluster Tornjak is deployed on.
Note the SPIRECRDManager is an optional plugin. This plugin enables the creation of SPIRE CRDs on the cluster Tornjak is deployed on. It enables the following API calls:

- `GET /api/v1/spire-controller-manager/clusterfederatedtrustdomains`

> [!IMPORTANT]
> This plugin requires two things: (a) That Tornjak is deployed in the same cluster as the relevant CRDs as it uses its own service account token to talk to the kube API server. (b) That the proper permissions are given to the Service Account token that Tornjak will use. Current Helm charts deploy SPIRE Controller manager and Tornjak in the same pod as the SPIRE server, so no extra configuration is necessary if deployed this way.
The configuration has the following key-value pairs:
