
Commit a9b1767

Add GET ClusterFederatedTrustDomain API (#542)
* removed handlers Signed-off-by: Maia Iyer <[email protected]> * nit spacing fixes Signed-off-by: Maia Iyer <[email protected]> * Nits Signed-off-by: Maia Iyer <[email protected]> * added plugin config parsing Signed-off-by: Maia Iyer <[email protected]> * Nits Signed-off-by: Maia Iyer <[email protected]> * Initialize Package Signed-off-by: Maia Iyer <[email protected]> * added documentation Signed-off-by: Maia Iyer <[email protected]> * nit lint Signed-off-by: Maia Iyer <[email protected]> * nit Signed-off-by: Maia Iyer <[email protected]> * nit lints Signed-off-by: Maia Iyer <[email protected]> * fix key length check Signed-off-by: Maia Iyer <[email protected]> * add list federation function to crd pkg Signed-off-by: Maia Iyer <[email protected]> * initial function handlers added Signed-off-by: Maia Iyer <[email protected]> * nit Signed-off-by: Maia Iyer <[email protected]> * move types to pkg Signed-off-by: Maia Iyer <[email protected]> * initial crd list attempt Signed-off-by: Maia Iyer <[email protected]> * nit case Signed-off-by: Maia Iyer <[email protected]> * try printing individual crds Signed-off-by: Maia Iyer <[email protected]> * Indexing into spec Signed-off-by: Maia Iyer <[email protected]> * Added parsing code and refactored Signed-off-by: Maia Iyer <[email protected]> * return result value Signed-off-by: Maia Iyer <[email protected]> * Adding API documentation Signed-off-by: Maia Iyer <[email protected]> * Removing print statements Signed-off-by: Maia Iyer <[email protected]> * Added Documentation Signed-off-by: Maia Iyer <[email protected]> * Linted Markdown Signed-off-by: Maia Iyer <[email protected]> * nits Signed-off-by: Maia Iyer <[email protected]> --------- Signed-off-by: Maia Iyer <[email protected]>
1 parent 5de7444 commit a9b1767

12 files changed

+575
-102
lines changed

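--- a/api/agent/config.go
+++ b/api/agent/config.go
@@ -100,15 +100,15 @@ func NewCRDManager(crdPlugin *ast.ObjectItem) (spirecrd.CRDManager, error) {
 
 // check if data is defined
 if data == nil {
-return "", errors.New("SPIRECRDManager plugin ('config > plugins > SPIRECRDManager > plugin_data') not populated")
+return nil, errors.New("SPIRECRDManager plugin ('config > plugins > SPIRECRDManager > plugin_data') not populated")
 }
 // decode config to struct
 var config pluginControllerManager
 if err := hcl.DecodeObject(&config, data); err != nil {
-return "", errors.Errorf("Couldn't parse SPIREControllerManager config: %v", err)
+return nil, errors.Errorf("Couldn't parse SPIREControllerManager config: %v", err)
 }
 
-fmt.Println("CRD Controller configured. WARNING: This is currently a no-op")
+fmt.Println("CRD Controller configured. spire-controller-manager APIs enabled")
 
 crdManager, err := spirecrd.NewSPIRECRDManager(config.Classname)
 if err != nil {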
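Review bot: The message on the `hcl.DecodeObject` failure branch names `SPIREControllerManager config` while the plugin block and the nil-data message two lines above call the plugin `SPIRECRDManager`, so an operator searching logs for the configured plugin name will miss this failure. Suggest `return nil, errors.Errorf("Couldn't parse SPIRECRDManager config: %v", err)` so both failure paths of this function name the same plugin. `NewCRDManager` begins before the hunk (where `data` is obtained) and its tail, including what happens with `crdManager`, lies after it.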

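--- a/api/agent/crd_handlers.go
+++ b/api/agent/crd_handlers.go
@@ -0,0 +1,59 @@
+package api
+
+import (
+"encoding/json"
+"fmt"
+"io"
+"net/http"
+"strings"
+
+crdmanager "github.com/spiffe/tornjak/pkg/agent/spirecrd"
+)
+
+func (s *Server) CRDFederationList(w http.ResponseWriter, r *http.Request) {
+// if CRD management not configured
+if s.CRDManager == nil {
+emsg := "Error: CRD Manager not configured on Tornjak."
+retError(w, emsg, http.StatusBadRequest)
+return
+}
+// if CRD management is configured
+var input crdmanager.ListFederationRelationshipsRequest
+buf := new(strings.Builder)
+
+n, err := io.Copy(buf, r.Body)
+if err != nil {
+emsg := fmt.Sprintf("Error parsing data: %v", err.Error())
+retError(w, emsg, http.StatusBadRequest)
+return
+}
+data := buf.String()
+
+if n == 0 {
+input = crdmanager.ListFederationRelationshipsRequest{}
+} else {
+err := json.Unmarshal([]byte(data), &input)
+if err != nil {
+emsg := fmt.Sprintf("Error parsing data: %v", err.Error())
+retError(w, emsg, http.StatusBadRequest)
+return
+}
+}
+
+ret, err := s.CRDManager.ListClusterFederatedTrustDomains(input) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
+if err != nil {
+emsg := fmt.Sprintf("Error: %v", err.Error())
+retError(w, emsg, http.StatusInternalServerError)
+return
+}
+
+cors(w, r)
+je := json.NewEncoder(w)
+err = je.Encode(ret) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
+if err != nil {
+emsg := fmt.Sprintf("Error: %v", err.Error())
+retError(w, emsg, http.StatusBadRequest)
+return
+}
+
+}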
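Review bot: `io.Copy(buf, r.Body)` reads the whole request body into memory with no size bound before anything is validated, so the memory this handler allocates is chosen by the caller; wrap the body first, `n, err := io.Copy(buf, http.MaxBytesReader(w, r.Body, maxCRDRequestBytes))`, with a constant sized for the small `ListFederationRelationshipsRequest` payload (the constant name here is a placeholder to be declared alongside the handler). A failure from `je.Encode(ret)` after `cors(w, r)` is a server-side problem, but it is reported as `http.StatusBadRequest`; `http.StatusInternalServerError` matches the preceding error branch and does not blame the client for a serialization fault. The route in `api/agent/server.go` also admits `OPTIONS`, yet `cors(w, r)` only runs after the manager call succeeds; whether the early `retError` returns need CORS headers too depends on `cors` and `retError`, which are outside this file. The exported method carries no doc comment; `// CRDFederationList serves GET /api/v1/spire-controller-manager/clusterfederatedtrustdomains by listing ClusterFederatedTrustDomain CRDs through the configured CRD manager; an empty body means no filter.` would cover it.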

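--- a/api/agent/server.go
+++ b/api/agent/server.go
@@ -212,6 +212,9 @@ func (s *Server) GetRouter() http.Handler {
 apiRtr.HandleFunc("/api/v1/spire/federations", s.federationUpdate).Methods(http.MethodPatch)
 apiRtr.HandleFunc("/api/v1/spire/federations", s.federationDelete).Methods(http.MethodDelete)
 
+// SPIRE CRD Federations
+apiRtr.HandleFunc("/api/v1/spire-controller-manager/clusterfederatedtrustdomains", s.CRDFederationList).Methods(http.MethodGet, http.MethodOptions)
+
 // Tornjak specific
 apiRtr.HandleFunc("/api/v1/tornjak/serverinfo", s.tornjakGetServerInfo).Methods(http.MethodGet, http.MethodOptions)
 // Agents Selectors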
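Review bot: The new route is registered for `GET` (plus `OPTIONS`), but the handler it points at, `CRDFederationList` in `api/agent/crd_handlers.go`, reads a JSON body into `ListFederationRelationshipsRequest`; many HTTP clients and intermediaries drop or reject bodies on GET, so any filter fields sent that way will often arrive empty and the handler will silently take its `n == 0` default. Either state in the route comment that the body is optional and the unfiltered listing is the intended GET behaviour, e.g. `// SPIRE CRD Federations (GET lists all; request body is optional)`, or expose filtering through query parameters instead. `GetRouter` continues outside the hunk.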

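--- a/api/agent/spire_apis.go
+++ b/api/agent/spire_apis.go
@@ -22,7 +22,7 @@ type HealthcheckResponse grpc_health_v1.HealthCheckResponse
 func (s *Server) SPIREHealthcheck(inp HealthcheckRequest) (*HealthcheckResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := grpc_health_v1.HealthCheckRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -43,7 +43,7 @@ type DebugServerResponse debugServer.GetInfoResponse
 func (s *Server) DebugServer(inp DebugServerRequest) (*DebugServerResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := debugServer.GetInfoRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -64,7 +64,7 @@ type ListAgentsResponse agent.ListAgentsResponse
 func (s *Server) ListAgents(inp ListAgentsRequest) (*ListAgentsResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := agent.ListAgentsRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -84,7 +84,7 @@ type BanAgentRequest agent.BanAgentRequest
 func (s *Server) BanAgent(inp BanAgentRequest) error { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := agent.BanAgentRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return err
 }
@@ -104,7 +104,7 @@ type DeleteAgentRequest agent.DeleteAgentRequest
 func (s *Server) DeleteAgent(inp DeleteAgentRequest) error { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := agent.DeleteAgentRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return err
 }
@@ -125,7 +125,7 @@ type CreateJoinTokenResponse types.JoinToken
 func (s *Server) CreateJoinToken(inp CreateJoinTokenRequest) (*CreateJoinTokenResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := agent.CreateJoinTokenRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -148,7 +148,7 @@ type ListEntriesResponse entry.ListEntriesResponse
 func (s *Server) ListEntries(inp ListEntriesRequest) (*ListEntriesResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := entry.ListEntriesRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -169,7 +169,7 @@ type BatchCreateEntryResponse entry.BatchCreateEntryResponse
 func (s *Server) BatchCreateEntry(inp BatchCreateEntryRequest) (*BatchCreateEntryResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := entry.BatchCreateEntryRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -190,7 +190,7 @@ type BatchDeleteEntryResponse entry.BatchDeleteEntryResponse
 func (s *Server) BatchDeleteEntry(inp BatchDeleteEntryRequest) (*BatchDeleteEntryResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := entry.BatchDeleteEntryRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -222,7 +222,7 @@ type GetBundleResponse types.Bundle
 func (s *Server) GetBundle(inp GetBundleRequest) (*GetBundleResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := bundle.GetBundleRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -243,7 +243,7 @@ type ListFederatedBundlesResponse bundle.ListFederatedBundlesResponse
 func (s *Server) ListFederatedBundles(inp ListFederatedBundlesRequest) (*ListFederatedBundlesResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := bundle.ListFederatedBundlesRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -264,7 +264,7 @@ type CreateFederatedBundleResponse bundle.BatchCreateFederatedBundleResponse
 func (s *Server) CreateFederatedBundle(inp CreateFederatedBundleRequest) (*CreateFederatedBundleResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := bundle.BatchCreateFederatedBundleRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -285,7 +285,7 @@ type UpdateFederatedBundleResponse bundle.BatchUpdateFederatedBundleResponse
 func (s *Server) UpdateFederatedBundle(inp UpdateFederatedBundleRequest) (*UpdateFederatedBundleResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := bundle.BatchUpdateFederatedBundleRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -306,7 +306,7 @@ type DeleteFederatedBundleResponse bundle.BatchDeleteFederatedBundleResponse
 func (s *Server) DeleteFederatedBundle(inp DeleteFederatedBundleRequest) (*DeleteFederatedBundleResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := bundle.BatchDeleteFederatedBundleRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -328,7 +328,7 @@ type ListFederationRelationshipsResponse trustdomain.ListFederationRelationships
 func (s *Server) ListFederationRelationships(inp ListFederationRelationshipsRequest) (*ListFederationRelationshipsResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := trustdomain.ListFederationRelationshipsRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -349,7 +349,7 @@ type CreateFederationRelationshipResponse trustdomain.BatchCreateFederationRelat
 func (s *Server) CreateFederationRelationship(inp CreateFederationRelationshipRequest) (*CreateFederationRelationshipResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := trustdomain.BatchCreateFederationRelationshipRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -370,7 +370,7 @@ type UpdateFederationRelationshipResponse trustdomain.BatchUpdateFederationRelat
 func (s *Server) UpdateFederationRelationship(inp UpdateFederationRelationshipRequest) (*UpdateFederationRelationshipResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := trustdomain.BatchUpdateFederationRelationshipRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }
@@ -391,7 +391,7 @@ type DeleteFederationRelationshipResponse trustdomain.BatchDeleteFederationRelat
 func (s *Server) DeleteFederationRelationship(inp DeleteFederationRelationshipRequest) (*DeleteFederationRelationshipResponse, error) { //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 inpReq := trustdomain.BatchDeleteFederationRelationshipRequest(inp) //nolint:govet //Ignoring mutex (not being used) - sync.Mutex by value is unused for linter govet
 var conn *grpc.ClientConn
-conn, err := grpc.Dial(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+conn, err := grpc.NewClient(s.SpireServerAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
 if err != nil {
 return nil, err
 }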
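Review bot: `grpc.NewClient` resolves `s.SpireServerAddr` with the `dns` resolver by default, whereas the replaced `grpc.Dial` defaulted to `passthrough`, so an address that previously reached the SPIRE server verbatim may now be interpreted differently; the accepted forms of `SpireServerAddr` should be re-checked against the deployed configs, and if the old behaviour is wanted the documented way is to prefix the target with `passthrough:///` or pass an explicit resolver option. `NewClient` also does not connect eagerly, so an unreachable server now surfaces as an error on the first RPC rather than at this line, and the `if err != nil` branch only catches malformed targets or invalid options; callers relying on connection failures appearing here should be reviewed. This applies identically to all eighteen hunks in this file, from `SPIREHealthcheck` through `DeleteFederationRelationship`; each function body continues outside its hunk, where the returned `conn` is presumably closed.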

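--- a/docs/plugin_server_spirecrd.md
+++ b/docs/plugin_server_spirecrd.md
@@ -1,6 +1,11 @@
 # Server plugin: SPIRECRDManager
 
-Note the SPIRECRDManager is an optional plugin. This plugin enables the creation of SPIRE CRDs on the cluster Tornjak is deployed on.
+Note the SPIRECRDManager is an optional plugin. This plugin enables the creation of SPIRE CRDs on the cluster Tornjak is deployed on. It enables the following API calls:
+
+- `GET /api/v1/spire-controller-manager/clusterfederatedtrustdomains`
+
+> [!IMPORTANT]
+> This plugin requires two things: (a) That Tornjak is deployed in the same cluster as the relevant CRDs as it uses its own service account token to talk to the kube API server. (b) That the proper permissions are given to the Service Account token that Tornjak will use. Current Helm charts deploy SPIRE Controller manager and Tornjak in the same pod as the SPIRE server, so no extra configuration is necessary if deployed this way.
 
 The configuration has the following key-value pairs:
 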
