Support downstream entries/spiffeIds (closes #43)

keeganwitt · keeganwitt · commit fe2e29d6709c · 2023-01-09T13:43:43.000-05:00
Signed-off-by: Keegan Witt &lt;keeganwitt@gmail.com&gt;
diff --git a/api/v1alpha1/clusterspiffeid_types.go b/api/v1alpha1/clusterspiffeid_types.go
@@ -67,6 +67,9 @@ type ClusterSPIFFEIDSpec struct {
 	// administrative APIs. Extra care should be taken to only apply this
 	// SPIFFE ID to admin workloads.
 	Admin bool `json:"admin,omitempty"`
+
+	// Downstream indicates that the entry describes a downstream SPIRE server.
+	Downstream bool `json:"downstream,omitempty"`
 }
 
 // ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID
diff --git a/api/v1alpha1/clusterspiffeid_webhook.go b/api/v1alpha1/clusterspiffeid_webhook.go
@@ -89,6 +89,7 @@ type ParsedClusterSPIFFEIDSpec struct {
 	DNSNameTemplates          []*template.Template
 	WorkloadSelectorTemplates []*template.Template
 	Admin                     bool
+	Downstream                bool
 }
 
 // ParseClusterSPIFFEIDSpec parses and validates the fields in the ClusterSPIFFEIDSpec
diff --git a/config/crd/bases/spire.spiffe.io_clusterspiffeids.yaml b/config/crd/bases/spire.spiffe.io_clusterspiffeids.yaml
@@ -48,6 +48,9 @@ spec:
                 items:
                   type: string
                 type: array
+              downstream:
+                description: Downstream indicates that the entry describes a downstream SPIRE server.
+                type: boolean
               federatesWith:
                 description: FederatesWith is a list of trust domain names that workloads
                   that obtain this SPIFFE ID will federate with.
diff --git a/demo/config/cluster1/crd/spire.spiffe.io_clusterspiffeids.yaml b/demo/config/cluster1/crd/spire.spiffe.io_clusterspiffeids.yaml
@@ -48,6 +48,9 @@ spec:
                 items:
                   type: string
                 type: array
+              downstream:
+                description: Downstream indicates that the entry describes a downstream SPIRE server.
+                type: boolean
               federatesWith:
                 description: FederatesWith is a list of trust domain names that workloads
                   that obtain this SPIFFE ID will federate with.
diff --git a/demo/config/cluster2/crd/spire.spiffe.io_clusterspiffeids.yaml b/demo/config/cluster2/crd/spire.spiffe.io_clusterspiffeids.yaml
@@ -48,6 +48,9 @@ spec:
                 items:
                   type: string
                 type: array
+              downstream:
+                description: Downstream indicates that the entry describes a downstream SPIRE server.
+                type: boolean
               federatesWith:
                 description: FederatesWith is a list of trust domain names that workloads
                   that obtain this SPIFFE ID will federate with.
diff --git a/docs/clusterspiffeid-crd.md b/docs/clusterspiffeid-crd.md
@@ -24,6 +24,7 @@ The definition can be found [here](../api/v1alpha1/clusterspiffeid_types.go).
 | `ttl`                       | OPTIONAL | Duration value indicating an upper bound on the time-to-live for SVIDs issued to target workload |
 | `federatesWith`             | OPTIONAL | One or more trust domain names that target workloads federate with |
 | `admin`                     | OPTIONAL | Indicates whether the target workload is an admin workload (i.e. can access SPIRE administrative APIs) |
+| `downstream`                | OPTIONAL | Indicates that the entry describes a downstream SPIRE server. |
 
 ## ClusterSPIFFEIDStatus
 
diff --git a/pkg/spireapi/types.go b/pkg/spireapi/types.go
@@ -40,6 +40,7 @@ type Entry struct {
 	TTL           time.Duration
 	FederatesWith []spiffeid.TrustDomain
 	Admin         bool
+	Downstream    bool
 	DnsNames      []string
 }
 
diff --git a/pkg/spireapi/types_test.go b/pkg/spireapi/types_test.go
@@ -30,6 +30,7 @@ var (
 		TTL:           time.Minute,
 		FederatesWith: []spiffeid.TrustDomain{spiffeid.RequireTrustDomainFromString("domain2.test")},
 		Admin:         true,
+		Downstream:    true,
 		DnsNames:      []string{"dnsname"},
 	}
 
@@ -47,6 +48,7 @@ var (
 		Ttl:           60,
 		FederatesWith: []string{"domain2.test"},
 		Admin:         true,
+		Downstream:    true,
 		DnsNames:      []string{"dnsname"},
 	}
 )
diff --git a/pkg/spireentry/entries.go b/pkg/spireentry/entries.go
@@ -80,6 +80,7 @@ func renderPodEntry(spec *spirev1alpha1.ParsedClusterSPIFFEIDSpec, node *corev1.
 		FederatesWith: spec.FederatesWith,
 		DnsNames:      dnsNames,
 		Admin:         spec.Admin,
+		Downstream:    spec.Downstream,
 	}, nil
 }
 
diff --git a/pkg/spireentry/logging.go b/pkg/spireentry/logging.go
@@ -37,6 +37,7 @@ const (
 	federatesWithKey      = "federatesWith"
 	dnsNamesKey           = "dnsNames"
 	adminKey              = "admin"
+	downstreamKey         = "downstream"
 )
 
 func objectName(o metav1.Object) string {
@@ -55,6 +56,7 @@ func entryLogFields(entry spireapi.Entry) []interface{} {
 		federatesWithKey, stringFromTrustDomains(entry.FederatesWith),
 		dnsNamesKey, stringList(entry.DnsNames),
 		adminKey, entry.Admin,
+		downstreamKey, entry.Downstream,
 	}
 }
 
diff --git a/pkg/spireentry/reconciler.go b/pkg/spireentry/reconciler.go
@@ -426,6 +426,9 @@ func getOutdatedEntryFields(newEntry, oldEntry spireapi.Entry) []string {
 	if oldEntry.Admin != newEntry.Admin {
 		outdated = append(outdated, "admin")
 	}
+	if oldEntry.Downstream != newEntry.Downstream {
+		outdated = append(outdated, "downstream")
+	}
 	if !stringsMatch(oldEntry.DnsNames, newEntry.DnsNames) {
 		outdated = append(outdated, "dnsNames")
 	}
diff --git a/pkg/spireentry/reconciler_test.go b/pkg/spireentry/reconciler_test.go
@@ -63,6 +63,12 @@ func TestMakeEntryKey(t *testing.T) {
 		require.Equal(t, makeEntryKey(a), makeEntryKey(b))
 	})
 
+	t.Run("Downstream has no impact", func(t *testing.T) {
+		a := spireapi.Entry{ID: "A", ParentID: id1, SPIFFEID: id2, Selectors: sAABB, Downstream: false}
+		b := spireapi.Entry{ID: "B", ParentID: id1, SPIFFEID: id2, Selectors: sAABB, Downstream: true}
+		require.Equal(t, makeEntryKey(a), makeEntryKey(b))
+	})
+
 	t.Run("DNSNames have no impact", func(t *testing.T) {
 		a := spireapi.Entry{ID: "A", ParentID: id1, SPIFFEID: id2, Selectors: sAABB, DnsNames: []string{"A"}}
 		b := spireapi.Entry{ID: "B", ParentID: id1, SPIFFEID: id2, Selectors: sAABB, DnsNames: []string{"B"}}

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,9 @@ type ClusterSPIFFEIDSpec struct {`
`67`	`67`	`// administrative APIs. Extra care should be taken to only apply this`
`68`	`68`	`// SPIFFE ID to admin workloads.`
`69`	`69`	Admin bool `json:"admin,omitempty"`
	`70`	`+`
	`71`	`+ // Downstream indicates that the entry describes a downstream SPIRE server.`
	`72`	+ Downstream bool `json:"downstream,omitempty"`
`70`	`73`	`}`
`71`	`74`
`72`	`75`	`// ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID`
Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,7 @@ type ParsedClusterSPIFFEIDSpec struct {`
`89`	`89`	`DNSNameTemplates []*template.Template`
`90`	`90`	`WorkloadSelectorTemplates []*template.Template`
`91`	`91`	`Admin bool`
	`92`	`+ Downstream bool`
`92`	`93`	`}`
`93`	`94`
`94`	`95`	`// ParseClusterSPIFFEIDSpec parses and validates the fields in the ClusterSPIFFEIDSpec`
Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,7 @@ type Entry struct {`
`40`	`40`	`TTL time.Duration`
`41`	`41`	`FederatesWith []spiffeid.TrustDomain`
`42`	`42`	`Admin bool`
	`43`	`+ Downstream bool`
`43`	`44`	`DnsNames []string`
`44`	`45`	`}`
`45`	`46`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ var (`
`30`	`30`	`TTL: time.Minute,`
`31`	`31`	`FederatesWith: []spiffeid.TrustDomain{spiffeid.RequireTrustDomainFromString("domain2.test")},`
`32`	`32`	`Admin: true,`
	`33`	`+ Downstream: true,`
`33`	`34`	`DnsNames: []string{"dnsname"},`
`34`	`35`	`}`
`35`	`36`
`@@ -47,6 +48,7 @@ var (`
`47`	`48`	`Ttl: 60,`
`48`	`49`	`FederatesWith: []string{"domain2.test"},`
`49`	`50`	`Admin: true,`
	`51`	`+ Downstream: true,`
`50`	`52`	`DnsNames: []string{"dnsname"},`
`51`	`53`	`}`
`52`	`54`	`)`
Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,7 @@ func renderPodEntry(spec spirev1alpha1.ParsedClusterSPIFFEIDSpec, node corev1.`
`80`	`80`	`FederatesWith: spec.FederatesWith,`
`81`	`81`	`DnsNames: dnsNames,`
`82`	`82`	`Admin: spec.Admin,`
	`83`	`+ Downstream: spec.Downstream,`
`83`	`84`	`}, nil`
`84`	`85`	`}`
`85`	`86`
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ const (`
`37`	`37`	`federatesWithKey = "federatesWith"`
`38`	`38`	`dnsNamesKey = "dnsNames"`
`39`	`39`	`adminKey = "admin"`
	`40`	`+ downstreamKey = "downstream"`
`40`	`41`	`)`
`41`	`42`
`42`	`43`	`func objectName(o metav1.Object) string {`
`@@ -55,6 +56,7 @@ func entryLogFields(entry spireapi.Entry) []interface{} {`
`55`	`56`	`federatesWithKey, stringFromTrustDomains(entry.FederatesWith),`
`56`	`57`	`dnsNamesKey, stringList(entry.DnsNames),`
`57`	`58`	`adminKey, entry.Admin,`
	`59`	`+ downstreamKey, entry.Downstream,`
`58`	`60`	`}`
`59`	`61`	`}`
`60`	`62`