SecretDiscoveryService server implementation

cmd/spire-agent/cli/run/run.go

@@ -41,6 +41,7 @@ type runConfig struct {
 
 type agentConfig struct {
 	DataDir         string `hcl:"data_dir"`
+	EnableSDS       bool   `hcl:"enable_sds"`
 	LogFile         string `hcl:"log_file"`
 	LogLevel        string `hcl:"log_level"`
 	ServerAddress   string `hcl:"server_address"`
@@ -220,6 +221,10 @@ func mergeConfig(orig *agent.Config, cmd *runConfig) error {
 		orig.DataDir = cmd.AgentConfig.DataDir
 	}
 
+	if cmd.AgentConfig.EnableSDS {
+		orig.EnableSDS = cmd.AgentConfig.EnableSDS
+	}
+
 	// Handle log file and level
 	if cmd.AgentConfig.LogFile != "" || cmd.AgentConfig.LogLevel != "" {
 		logLevel := defaultLogLevel

go.mod

@@ -11,11 +11,14 @@ require (
 	github.com/denisenkom/go-mssqldb v0.0.0-20181014144952-4e0d7dc8888f // indirect
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/dimchansky/utfbom v1.0.0 // indirect
+	github.com/envoyproxy/go-control-plane v0.6.6
 	github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 // indirect
 	github.com/go-ini/ini v1.38.2 // indirect
 	github.com/go-ole/go-ole v1.2.1 // indirect
 	github.com/go-sql-driver/mysql v1.4.1 // indirect
 	github.com/gofrs/uuid/v3 v3.1.2
+	github.com/gogo/googleapis v1.1.0
+	github.com/gogo/protobuf v1.2.0
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b // indirect
 	github.com/golang/mock v1.1.1
 	github.com/golang/protobuf v1.2.0
@@ -33,6 +36,7 @@ require (
 	github.com/jinzhu/now v0.0.0-20181116074157-8ec929ed50c3 // indirect
 	github.com/jtolds/gls v4.2.1+incompatible // indirect
 	github.com/lib/pq v1.0.0 // indirect
+	github.com/lyft/protoc-gen-validate v0.0.12 // indirect
 	github.com/mattn/go-sqlite3 v1.9.0 // indirect
 	github.com/mitchellh/cli v1.0.0
 	github.com/mitchellh/go-testing-interface v1.0.0 // indirect

go.sum

@@ -23,6 +23,8 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumC
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dimchansky/utfbom v1.0.0 h1:fGC2kkf4qOoKqZ4q7iIh+Vef4ubC1c38UDsEyZynZPc=
 github.com/dimchansky/utfbom v1.0.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
+github.com/envoyproxy/go-control-plane v0.6.6 h1:vIu840n6c17xjQK9NDM3pfU5u1xiAzdbdwTog9V/MlU=
+github.com/envoyproxy/go-control-plane v0.6.6/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
@@ -38,6 +40,10 @@ github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZp
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/gofrs/uuid/v3 v3.1.2 h1:V3IBv1oU82x6YIr5txe3azVHgmOKYdyKQTowm9moBlY=
 github.com/gofrs/uuid/v3 v3.1.2/go.mod h1:xPwMqoocQ1L5G6pXX5BcE7N5jlzn2o19oqAKxwZW/kI=
+github.com/gogo/googleapis v1.1.0 h1:kFkMAZBNAn4j7K0GiZr8cRYzejq68VbheufiV3YuyFI=
+github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s=
+github.com/gogo/protobuf v1.2.0 h1:xU6/SpYbvkNYiptHJYEDRseDLvYE7wSqhYYNy0QSUzI=
+github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1 h1:G5FRp8JnTd7RQH5kemVNlMeyXQAztQ3mOWV95KxsXH8=
@@ -84,6 +90,8 @@ github.com/jtolds/gls v4.2.1+incompatible h1:fSuqC+Gmlu6l/ZYAoZzx2pyucC8Xza35fpR
 github.com/jtolds/gls v4.2.1+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/lib/pq v1.0.0 h1:X5PMW56eZitiTeO7tKzZxFCSpbFZJtkMMooicw2us9A=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/lyft/protoc-gen-validate v0.0.12 h1:4yfI8PSMdUqdTrQqjNIgjTJ7Vl3zFNqtgBGXsB7QJiw=
+github.com/lyft/protoc-gen-validate v0.0.12/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ=
 github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-isatty v0.0.3 h1:ns/ykhmWi7G9O+8a448SecJU3nSMBXJfqQkl0upE1jI=

pkg/agent/agent.go

@@ -10,7 +10,7 @@ import (
 	"sync"
 	"syscall"
 
-	"github.com/spiffe/spire/pkg/agent/attestor/node"
+	attestor "github.com/spiffe/spire/pkg/agent/attestor/node"
 	"github.com/spiffe/spire/pkg/agent/catalog"
 	"github.com/spiffe/spire/pkg/agent/endpoints"
 	"github.com/spiffe/spire/pkg/agent/manager"
@@ -175,11 +175,12 @@ func (a *Agent) newManager(ctx context.Context, cat catalog.Catalog, metrics tel
 
 func (a *Agent) newEndpoints(ctx context.Context, cat catalog.Catalog, metrics telemetry.Metrics, mgr manager.Manager) endpoints.Server {
 	config := &endpoints.Config{
-		BindAddr: a.c.BindAddress,
-		Catalog:  cat,
-		Manager:  mgr,
-		Log:      a.c.Log.WithField("subsystem_name", "endpoints"),
-		Metrics:  metrics,
+		BindAddr:  a.c.BindAddress,
+		Catalog:   cat,
+		Manager:   mgr,
+		Log:       a.c.Log.WithField("subsystem_name", "endpoints"),
+		Metrics:   metrics,
+		EnableSDS: a.c.EnableSDS,
 	}
 
 	return endpoints.New(config)

pkg/agent/config.go

@@ -16,6 +16,9 @@ type Config struct {
 	// Directory to store runtime data
 	DataDir string
 
+	// If true, enables an Envoy SecretDiscoveryService server
+	EnableSDS bool
+
 	// Configurations for agent plugins
 	PluginConfigs catalog.PluginConfigMap
 

pkg/agent/endpoints/config.go

@@ -21,6 +21,9 @@ type Config struct {
 
 	Log     logrus.FieldLogger
 	Metrics telemetry.Metrics
+
+	// If true, an SDS server will be served over the UDS socket
+	EnableSDS bool
 }
 
 func New(c *Config) *endpoints {

pkg/agent/endpoints/endpoints.go

@@ -6,6 +6,9 @@ import (
 	"net"
 	"os"
 
+	sds_v2 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2"
+	attestor "github.com/spiffe/spire/pkg/agent/attestor/workload"
+	"github.com/spiffe/spire/pkg/agent/endpoints/sds"
 	"github.com/spiffe/spire/pkg/agent/endpoints/workload"
 	"github.com/spiffe/spire/pkg/common/auth"
 
@@ -26,6 +29,9 @@ func (e *endpoints) ListenAndServe(ctx context.Context) error {
 	server := grpc.NewServer(grpc.Creds(auth.NewCredentials()))
 
 	e.registerWorkloadAPI(server)
+	if e.c.EnableSDS {
+		e.registerSecretDiscoveryService(server)
+	}
 
 	l, err := e.createUDSListener()
 	if err != nil {
@@ -67,6 +73,22 @@ func (e *endpoints) registerWorkloadAPI(server *grpc.Server) {
 	workload_pb.RegisterSpiffeWorkloadAPIServer(server, w)
 }
 
+func (e *endpoints) registerSecretDiscoveryService(server *grpc.Server) {
+	attestor := attestor.New(&attestor.Config{
+		Catalog: e.c.Catalog,
+		L:       e.c.Log,
+		M:       e.c.Metrics,
+	})
+
+	h := sds.NewHandler(sds.HandlerConfig{
+		Attestor: attestor,
+		Manager:  e.c.Manager,
+		Log:      e.c.Log.WithField("subsystem_name", "sds_api"),
+		Metrics:  e.c.Metrics,
+	})
+	sds_v2.RegisterSecretDiscoveryServiceServer(server, h)
+}
+
 func (e *endpoints) createUDSListener() (net.Listener, error) {
 	os.Remove(e.c.BindAddr.String())