Creates separates files for JWT SVID and Bundles, updates README.
Signed-off-by: JU4N98 <juanpablocabana2@gmail.com>
JU4N98 committed Oct 25, 2023
1 parent fa6a696 commit e53e6fd
Showing 5 changed files with 37 additions and 27 deletions.
29 changes: 19 additions & 10 deletions README.md
Expand Up @@ -16,17 +16,20 @@ If `-config` is not specified, the default value `helper.conf` is assumed.
## Configuration
The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted file that defines the following configurations:

|Configuration | Description | Example Value |
|Configuration | Description | Example Value |
|--------------------------|------------------------------------------------------------------------------------------------| ------------- |
|`agent_address` | Socket address of SPIRE Agent. | `"/tmp/agent.sock"` |
|`cmd` | The path to the process to launch. | `"ghostunnel"` |
|`cmd_args` | The arguments of the process to launch. | `"server --listen localhost:8002 --target localhost:8001--keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"` |
|`cert_dir` | Directory name to store the fetched certificates. This directory must be created previously. | `"certs"` |
|`add_intermediates_to_bundle`| Add intermediate certificates into Bundle file instead of SVID file. | `true` |
|`renew_signal` | The signal that the process to be launched expects to reload the certificates. It is not supported on Windows. | `"SIGUSR1"` |
|`svid_file_name` | File name to be used to store the X.509 SVID public certificate in PEM format. | `"svid.pem"` |
|`svid_key_file_name` | File name to be used to store the X.509 SVID private key and public certificate in PEM format. | `"svid_key.pem"` |
|`svid_bundle_file_name` | File name to be used to store the X.509 SVID Bundle in PEM format. | `"svid_bundle.pem"` |
|`agent_address` | Socket address of SPIRE Agent. | `"/tmp/agent.sock"` |
|`cmd` | The path to the process to launch. | `"ghostunnel"` |
|`cmd_args` | The arguments of the process to launch. | `"server --listen localhost:8002 --target localhost:8001--keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"` |
|`cert_dir` | Directory name to store the fetched certificates. This directory must be created previously. | `"certs"` |
|`add_intermediates_to_bundle`| Add intermediate certificates into Bundle file instead of SVID file. | `true` |
|`renew_signal` | The signal that the process to be launched expects to reload the certificates. It is not supported on Windows. | `"SIGUSR1"` |
|`svid_file_name` | File name to be used to store the X.509 SVID public certificate in PEM format. | `"svid.pem"` |
|`svid_key_file_name` | File name to be used to store the X.509 SVID private key and public certificate in PEM format. | `"svid_key.pem"` |
|`svid_bundle_file_name` | File name to be used to store the X.509 SVID Bundle in PEM format. | `"svid_bundle.pem"` |
|`audience` | JWT SVID audience. | `"example.org"`|
|`jwt_file_name` | File name to be used to store JWT SVID certificate in JSON format. | `"jwt.json"` |
|`jwk_file_name` | File name to be used to store JWT SVID Bundle in JSON format. | `"jwk.json"` |

### Configuration example
```
Expand All @@ -38,6 +41,9 @@ renew_signal = "SIGUSR1"
svid_file_name = "svid.pem"
svid_key_file_name = "svid_key.pem"
svid_bundle_file_name = "svid_bundle.pem"
audience = "example.org"
jwt_file_name = "jwt.json"
jwk_file_name = "jwk.json"
```

### Windows example
Expand All @@ -47,4 +53,7 @@ cert_dir = "certs"
svid_file_name = "svid.pem"
svid_key_file_name = "svid_key.pem"
svid_bundle_file_name = "svid_bundle.pem"
audience = "example.org"
jwt_file_name = "jwt.json"
jwk_file_name = "jwk.json"
```
5 changes: 3 additions & 2 deletions pkg/sidecar/config.go
Expand Up @@ -32,8 +32,9 @@ type Config struct {
RenewSignalDeprecated string `hcl:"renewSignal"`

// JWT configuration
JwtAudience string `hcl:"audience"`
JSONFilename string `hcl:"json_filename"`
JWTAudience string `hcl:"audience"`
JWTFilename string `hcl:"jwt_file_name"`
JWKFilename string `hcl:"jwk_file_name"`

// TODO: is there a reason for this to be exposed? and inside of config?
ReloadExternalProcess func() error
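Review bot: The `json_filename` key is dropped from Config without a deprecated alias, so an existing helper.conf that still sets it leaves `JWKFilename` empty and the JWT bundle goroutine (guarded by `if s.config.JWKFilename != ""` in util_posix.go) is never started, with no warning. The struct already keeps `RenewSignalDeprecated string \`hcl:"renewSignal"\`` for exactly this situation; a `JSONFilenameDeprecated string \`hcl:"json_filename"\`` that is copied into `JWKFilename` (with a deprecation warning) wherever the deprecated renew signal is handled would keep old configurations working. Whether the HCL decoder rejects unknown keys is not visible here; if it does, old configs fail at startup instead, which is at least not silent. The Config struct continues outside the hunk.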
22 changes: 11 additions & 11 deletions pkg/sidecar/sidecar.go
Expand Up @@ -189,8 +189,8 @@ func (s *Sidecar) dumpBundles(svidResponse *workloadapi.X509Context) error {
return nil
}

func (s *Sidecar) readJSON() map[string]interface{} {
jsonPath := path.Join(s.config.CertDir, s.config.JSONFilename)
func (s *Sidecar) readJSON(file_name string) map[string]interface{} {

Check failure on line 192 in pkg/sidecar/sidecar.go


GitHub Actions / lint (linux)

var-naming: don't use underscores in Go names; method parameter file_name should be fileName (revive)
jsonPath := path.Join(s.config.CertDir, file_name)
file, err := os.ReadFile(jsonPath)
if err != nil {
s.config.Log.Warnf("Unable to read json file: %v", err)
Expand All @@ -205,13 +205,13 @@ func (s *Sidecar) readJSON() map[string]interface{} {
return certs
}

func (s *Sidecar) writeJSON(certs map[string]interface{}) {
func (s *Sidecar) writeJSON(file_name string, certs map[string]interface{}) {

Check failure on line 208 in pkg/sidecar/sidecar.go


GitHub Actions / lint (linux)

var-naming: don't use underscores in Go names; method parameter file_name should be fileName (revive)
file, err := json.Marshal(certs)
if err != nil {
s.config.Log.Warnf("Unable to parse certs: %v", err)
}

jsonPath := path.Join(s.config.CertDir, s.config.JSONFilename)
jsonPath := path.Join(s.config.CertDir, file_name)
err = os.WriteFile(jsonPath, file, os.ModePerm)
if err != nil {
s.config.Log.Warnf("Unable to write JSON file: %v", err)
Expand All @@ -225,15 +225,15 @@ func (s *Sidecar) updateJWTBundle(jwkSet *jwtbundle.Set) {
for _, bundle := range jwkSet.Bundles() {
bytes, err := bundle.Marshal()
if err != nil {
s.config.Log.Warnf("Unable to marshal JWT bundle: %v", err)
s.config.Log.Warnf("Unable to marshal JWK bundle: %v", err)
continue
}
bundles[bundle.TrustDomain().Name()] = base64.StdEncoding.EncodeToString(bytes)
}

certs := s.readJSON()
certs := s.readJSON(s.config.JWKFilename)
certs["bundles"] = bundles
s.writeJSON(certs)
s.writeJSON(s.config.JWKFilename, certs)
}

func (s *Sidecar) fetchJWTSVID(options ...workloadapi.ClientOption) (*jwtsvid.SVID, error) {
Expand All @@ -246,13 +246,13 @@ func (s *Sidecar) fetchJWTSVID(options ...workloadapi.ClientOption) (*jwtsvid.SV
}
defer jwtSource.Close()

jwtSVID, err := jwtSource.FetchJWTSVID(context.Background(), jwtsvid.Params{Audience: s.config.JwtAudience})
jwtSVID, err := jwtSource.FetchJWTSVID(context.Background(), jwtsvid.Params{Audience: s.config.JWTAudience})
if err != nil {
s.config.Log.Warnf("Unable to fetch JWT SVID: %v", err)
return nil, err
}

_, err = jwtsvid.ParseAndValidate(jwtSVID.Marshal(), jwtSource, []string{s.config.JwtAudience})
_, err = jwtsvid.ParseAndValidate(jwtSVID.Marshal(), jwtSource, []string{s.config.JWTAudience})
if err != nil {
s.config.Log.Warnf("Unable to parse or validate token: %v", err)
return nil, err
Expand All @@ -274,9 +274,9 @@ func (s *Sidecar) updateJWTSVID(ctx context.Context, options ...workloadapi.Clie
continue
}

certs := s.readJSON()
certs := s.readJSON(s.config.JWTFilename)
certs["svid"] = jwtSVID.Marshal()
s.writeJSON(certs)
s.writeJSON(s.config.JWTFilename, certs)

s.config.Log.Infof("JWT SVID updated")
time.Sleep(time.Until(jwtSVID.Expiry)/2 + 1*time.Second)
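Review bot: In writeJSON a `json.Marshal` failure is only logged and the function falls through to `os.WriteFile(jsonPath, file, ...)` with a nil `file`, truncating the JWT SVID or bundle file to zero bytes; the error branch needs `return` after `s.config.Log.Warnf("Unable to parse certs: %v", err)`. The same write uses `os.ModePerm` for a file that, after this split, holds only a bearer token (`certs["svid"]` in updateJWTSVID); now that the SVID has its own file this is the natural point to write it with `0600`, matching whatever mode the X.509 key file uses (not visible in these hunks). Since each file now carries a single key, the read-modify-write through `readJSON` before every write is no longer needed as far as the hunks show; marshalling a fresh one-entry map would also avoid reading a file while the other goroutine may be writing it. writeJSON's body continues outside the hunk.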
4 changes: 2 additions & 2 deletions pkg/sidecar/util_posix.go
Expand Up @@ -32,7 +32,7 @@ func (s *Sidecar) RunDaemon(ctx context.Context) error {
}()
}

if s.config.JSONFilename != "" {
if s.config.JWKFilename != "" {
wg.Add(1)
go func() {
defer wg.Done()
Expand All @@ -43,7 +43,7 @@ func (s *Sidecar) RunDaemon(ctx context.Context) error {
}()
}

if s.config.JSONFilename != "" && s.config.JwtAudience != "" {
if s.config.JWTFilename != "" && s.config.JWTAudience != "" {
wg.Add(1)
go func() {
defer wg.Done()
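Review bot: With the two goroutines started here now keyed on separate names, nothing visible prevents `jwt_file_name` and `jwk_file_name` from being configured to the same value (or to one of the X.509 file names), in which case updateJWTSVID and updateJWTBundle read-modify-write the same path concurrently and the last writer drops the other's key. A check at config load time such as `if c.JWTFilename == c.JWKFilename { return errors.New("jwt_file_name and jwk_file_name must differ") }` would reject that; config validation is outside these hunks, so it may already exist. The same pair of guards is duplicated in util_windows.go. RunDaemon's body continues outside the hunk.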
4 changes: 2 additions & 2 deletions pkg/sidecar/util_windows.go
Expand Up @@ -31,7 +31,7 @@ func (s *Sidecar) RunDaemon(ctx context.Context) error {
}()
}

if s.config.JSONFilename != "" {
if s.config.JWKFilename != "" {
wg.Add(1)
go func() {
defer wg.Done()
Expand All @@ -42,7 +42,7 @@ func (s *Sidecar) RunDaemon(ctx context.Context) error {
}()
}

if s.config.JSONFilename != "" && s.config.JwtAudience != "" {
if s.config.JWTFilename != "" && s.config.JwtAudience != "" {
wg.Add(1)
go func() {
defer wg.Done()
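Review bot: The new line `if s.config.JWTFilename != "" && s.config.JwtAudience != "" {` still references `JwtAudience`, which config.go renames to `JWTAudience` in this same commit, so the windows build of this package will not compile; it should read `if s.config.JWTFilename != "" && s.config.JWTAudience != "" {` as util_posix.go does. The only CI annotations visible on this page come from the linux lint job, so this would presumably surface only on a windows build or with a windows GOOS cross-compile in CI. RunDaemon's body continues outside the hunk.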