Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable agent path template customization for azure_msi node attestor plugin #3488

Merged
merged 15 commits into from
Oct 19, 2022
Merged

Enable agent path template customization for azure_msi node attestor plugin #3488

merged 15 commits into from
Oct 19, 2022

Conversation

guilhermocc
Copy link
Contributor

@guilhermocc guilhermocc commented Oct 6, 2022
edited
Loading

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality

  • Added the ability to use a custom agent path template for azure_msi server node attestor plugin.

Description of change

  • Keep the actual azure_msi agent SPIFFE ID form as the default to maintain compatibility
  • azure_msi plugin now accepts a new optional configuration agent_path_template that is used for building the agent's SPIFFE ID.
  • Added missing documentation for gcp_iit plugin

Which issue this PR fixes
fixes #3420

@guilhermocc
Enable the usage of agent path template for building agent id in azur…
d47c456 
…e_msi plugin spiffe#3420

Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
@guilhermocc
Update azure_msi server node attestor documentation spiffe#3420
c799d2c 
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
@guilhermocc
Update gcp_iit server node attestor documentation
feb7c06 
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
@guilhermocc
Reformat node attestor plugins documentation tables
b2288d1 
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
@azdagron azdagron added this to the 1.5.0 milestone Oct 7, 2022
@azdagron
Copy link
Member

Thanks for opening this, @guilhermocc ! I'll see if I can get it reviewed here shortly. Just for information, you don't need to bother keeping the branch up to date. Once it has been approved, we (the maintainers) will update it as needed.

azdagron
azdagron reviewed Oct 12, 2022
View reviewed changes
Copy link
Member

@azdagron azdagron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @guilhermocc! Just a few comments.

pkg/common/plugin/azure/msi.go Outdated Show resolved Hide resolved
pkg/common/plugin/azure/msi.go
}
return u.String()
TenantID string `json:"tid,omitempty"`
PrincipalID string `json:"sub,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did a double take and had to remind myself what happens with the JSON decoder when there are two fields with the same tag. Fortunately the top level field takes precedence over the embedded struct but this is going to be a little subtle if there is any code that tries to use the .Subject field (since it will be unset). Should be easy enough to catch in testing though. I think we're ok here.

Copy link
Contributor Author

@guilhermocc guilhermocc Oct 13, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about creating a new struct for only storing claims/fields that we want to expose and use. But we would still have another struct being composed by jwt.Claims only, since we use the ValidateWithLeeway method for validation, but I'm not sure if that would make the code clearer since we will be going to deserialize the token two times for two different structs, what do you think?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we're ok with it as-is. If the Subject field is used at all the unit-tests should catch that it is empty.

@guilhermocc @azdagron
Update pkg/common/plugin/azure/msi.go
d9c540f 
Co-authored-by: Andrew Harding <azdagron@gmail.com>
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
@guilhermocc guilhermocc force-pushed the enable-agent-path-template-azuremsi-nattestor branch from fa1ff86 to d9c540f Compare October 13, 2022 13:01
@guilhermocc
Fix lint issues
430a6c6 
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
@guilhermocc guilhermocc force-pushed the enable-agent-path-template-azuremsi-nattestor branch from b038635 to 430a6c6 Compare October 13, 2022 13:20
azdagron
azdagron previously approved these changes Oct 13, 2022
View reviewed changes
MarcosDY
MarcosDY reviewed Oct 13, 2022
View reviewed changes
pkg/common/plugin/azure/msi_test.go Outdated

for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
td, _ := spiffeid.TrustDomainFromString(test.args.td)
Copy link
Collaborator

@MarcosDY MarcosDY Oct 13, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
td, _ := spiffeid.TrustDomainFromString(test.args.td)
td := spiffeid.RequireTrustDomainFromString(test.args.td)

pkg/common/plugin/azure/msi_test.go Outdated
{
name: "successfully applies template",
args: args{
"example.org",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you set far names in all cases you create a new struct? it can resutl in unexpected errors if we choose to add more fields

pkg/common/plugin/azure/msi_test.go Outdated
name string
args args
want string
wantErr bool
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of want error, can you instead validate the error you are getting? it is possible to get into situations where you get another error and not the expected one

pkg/server/plugin/nodeattestor/azuremsi/msi_test.go Outdated
Comment on lines 245 to 246
var selectorValues []string
selectorValues = append(selectorValues, vmSelectors...)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
var selectorValues []string
selectorValues = append(selectorValues, vmSelectors...)
selectorValues := append([]string(nil), vmSelectors...)

MarcosDY
MarcosDY reviewed Oct 13, 2022
View reviewed changes
doc/plugin_server_nodeattestor_azure_msi.md
| Configuration | Required | Description | Default |
|-----------------------|----------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|
| `tenants` | Required | A map of tenants, keyed by tenant ID, that are authorized for attestation. Tokens for unspecified tenants are rejected. | |
| `agent_path_template` | Optional | A URL path portion format of Agent's SPIFFE ID. Describe in text/template format. | `"/{{ .PluginName }}/{{ .TenantID }}/{{ .PrincipalID }}"` |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you update server_full.conf, with this new configuration?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure!

@guilhermocc
Improve MakeAgentID test assertion
5cef0ef 
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
@guilhermocc
Add new azure plugin option in server_full.conf
7575ad5 
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
@guilhermocc
Remove white lines from imports
ab6f893 
Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
@guilhermocc guilhermocc requested a review from MarcosDY October 13, 2022 19:45
MarcosDY
MarcosDY approved these changes Oct 14, 2022
View reviewed changes
Copy link
Collaborator

@MarcosDY MarcosDY left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!!!

@guilhermocc guilhermocc requested a review from azdagron October 17, 2022 16:11
@azdagron azdagron merged commit 50d677f into spiffe:main Oct 19, 2022
stevend-uber pushed a commit to stevend-uber/spire that referenced this pull request Oct 16, 2023
@guilhermocc @stevend-uber
Enable agent path template customization for azure_msi node attestor …
6890072 
…plugin (spiffe#3488)

Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MarcosDY MarcosDY MarcosDY approved these changes

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo amartinezfayo is a code owner

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

@azdagron azdagron Awaiting requested review from azdagron azdagron is a code owner

Assignees

@azdagron azdagron

Labels
None yet
Projects
None yet
Milestone
1.5.0
Development

Successfully merging this pull request may close these issues.

Allow setting Agent Path Template for Azure MSI Node Attestation
3 participants
@guilhermocc @azdagron @MarcosDY