Separate Cluster message from TrustZone

This change modifies cofidectl to adapt to the changes in cofide/cofide-api-sdk#25, in which the TrustZone message has been refactored to extract per-Kubernetes cluster details into a Cluster message. For now we restrict the number of clusters per trust zone to one. Clusters are not yet exposed by the CLI as separate from trust zones. They are currently embedded into trust zones in the data model but will be referenced by name or ID in future. Fixes: #126
cofide · Jan 17, 2025 · b3c47f2 · b3c47f2
1 parent 6b51407
commit b3c47f2
Show file tree

Hide file tree

Showing 23 changed files with 423 additions and 198 deletions.
diff --git a/cmd/cofidectl/cmd/federation/federation.go b/cmd/cofidectl/cmd/federation/federation.go
@@ -7,8 +7,10 @@ import (
 	"context"
 	"os"
 
+	clusterpb "github.com/cofide/cofide-api-sdk/gen/go/proto/cluster/v1alpha1"
 	federation_proto "github.com/cofide/cofide-api-sdk/gen/go/proto/federation/v1alpha1"
 	trust_zone_proto "github.com/cofide/cofide-api-sdk/gen/go/proto/trust_zone/v1alpha1"
+	"github.com/cofide/cofidectl/internal/pkg/trustzone"
 	cmdcontext "github.com/cofide/cofidectl/pkg/cmd/context"
 
 	kubeutil "github.com/cofide/cofidectl/pkg/kube"
@@ -128,13 +130,18 @@ func checkFederationStatus(ctx context.Context, kubeConfig string, from *trust_z
 	compare := make(map[*trust_zone_proto.TrustZone]bundles)
 
 	for _, tz := range []*trust_zone_proto.TrustZone{from, to} {
-		if deployed, err := isTrustZoneDeployed(ctx, tz); err != nil {
+		cluster, err := trustzone.GetClusterFromTrustZone(tz)
+		if err != nil {
+			return "", "", err
+		}
+
+		if deployed, err := isClusterDeployed(ctx, cluster); err != nil {
 			return "", "", err
 		} else if !deployed {
 			return "Inactive", "", nil
 		}
 
-		client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, tz.GetKubernetesContext())
+		client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, cluster.GetKubernetesContext())
 		if err != nil {
 			return "", "", err
 		}
@@ -164,9 +171,9 @@ func checkFederationStatus(ctx context.Context, kubeConfig string, from *trust_z
 	return FederationStatusHealthy, "", nil
 }
 
-// isTrustZoneDeployed returns whether a trust zone has been deployed, i.e. whether a SPIRE Helm release has been installed.
-func isTrustZoneDeployed(ctx context.Context, trustZone *trust_zone_proto.TrustZone) (bool, error) {
-	prov, err := helm.NewHelmSPIREProvider(ctx, trustZone, nil, nil)
+// isClusterDeployed returns whether a cluster has been deployed, i.e. whether a SPIRE Helm release has been installed.
+func isClusterDeployed(ctx context.Context, cluster *clusterpb.Cluster) (bool, error) {
+	prov, err := helm.NewHelmSPIREProvider(ctx, cluster, nil, nil)
 	if err != nil {
 		return false, err
 	}

diff --git a/cmd/cofidectl/cmd/trustzone/helm/helm.go b/cmd/cofidectl/cmd/trustzone/helm/helm.go
@@ -12,6 +12,7 @@ import (
 	"google.golang.org/protobuf/types/known/structpb"
 	"gopkg.in/yaml.v3"
 
+	"github.com/cofide/cofidectl/internal/pkg/trustzone"
 	cmdcontext "github.com/cofide/cofidectl/pkg/cmd/context"
 	"github.com/cofide/cofidectl/pkg/plugin/datasource"
 	"github.com/cofide/cofidectl/pkg/provider/helm"
@@ -101,13 +102,18 @@ func (c *HelmCommand) overrideValues(ds datasource.DataSource, tzName string, va
 		return err
 	}
 
-	trustZone.ExtraHelmValues, err = structpb.NewStruct(values)
+	cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
+	if err != nil {
+		return err
+	}
+
+	cluster.ExtraHelmValues, err = structpb.NewStruct(values)
 	if err != nil {
 		return err
 	}
 
 	// Check that the values are acceptable.
-	generator := helm.NewHelmValuesGenerator(trustZone, ds, nil)
+	generator := helm.NewHelmValuesGenerator(trustZone, cluster, ds, nil)
 	if _, err = generator.GenerateValues(); err != nil {
 		return err
 	}
@@ -183,7 +189,12 @@ func (c *HelmCommand) getValues(ds datasource.DataSource, tzName string) (map[st
 		return nil, err
 	}
 
-	generator := helm.NewHelmValuesGenerator(trustZone, ds, nil)
+	cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
+	if err != nil {
+		return nil, err
+	}
+
+	generator := helm.NewHelmValuesGenerator(trustZone, cluster, ds, nil)
 	values, err := generator.GenerateValues()
 	if err != nil {
 		return nil, err

diff --git a/cmd/cofidectl/cmd/trustzone/trustzone.go b/cmd/cofidectl/cmd/trustzone/trustzone.go
@@ -11,8 +11,10 @@ import (
 	"slices"
 	"strconv"
 
+	clusterpb "github.com/cofide/cofide-api-sdk/gen/go/proto/cluster/v1alpha1"
 	"github.com/cofide/cofidectl/cmd/cofidectl/cmd/trustzone/helm"
 	trustprovider "github.com/cofide/cofidectl/internal/pkg/trustprovider"
+	"github.com/cofide/cofidectl/internal/pkg/trustzone"
 	cmdcontext "github.com/cofide/cofidectl/pkg/cmd/context"
 	"github.com/manifoldco/promptui"
 
@@ -84,10 +86,15 @@ func (c *TrustZoneCommand) GetListCommand() *cobra.Command {
 
 			data := make([][]string, len(trustZones))
 			for i, trustZone := range trustZones {
+				cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
+				if err != nil {
+					return err
+				}
+
 				data[i] = []string{
 					trustZone.Name,
 					trustZone.TrustDomain,
-					trustZone.GetKubernetesCluster(),
+					cluster.GetName(),
 				}
 			}
 
@@ -148,16 +155,21 @@ func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
 			}
 
 			bundleEndpointProfile := trust_zone_proto.BundleEndpointProfile_BUNDLE_ENDPOINT_PROFILE_HTTPS_SPIFFE
+
+			newCluster := &clusterpb.Cluster{
+				Name:              &opts.kubernetesCluster,
+				TrustZone:         &opts.name,
+				KubernetesContext: &opts.context,
+				TrustProvider:     &trust_provider_proto.TrustProvider{Kind: &trustProviderKind},
+				Profile:           &opts.profile,
+				ExternalServer:    &opts.externalServer,
+			}
 			newTrustZone := &trust_zone_proto.TrustZone{
 				Name:                  opts.name,
 				TrustDomain:           opts.trustDomain,
-				KubernetesCluster:     &opts.kubernetesCluster,
-				KubernetesContext:     &opts.context,
-				TrustProvider:         &trust_provider_proto.TrustProvider{Kind: &trustProviderKind},
-				Profile:               &opts.profile,
 				JwtIssuer:             &opts.jwtIssuer,
 				BundleEndpointProfile: &bundleEndpointProfile,
-				ExternalServer:        &opts.externalServer,
+				Clusters:              []*clusterpb.Cluster{newCluster},
 			}
 
 			_, err = ds.AddTrustZone(newTrustZone)
@@ -218,15 +230,21 @@ func (c *TrustZoneCommand) status(ctx context.Context, source datasource.DataSou
 		return err
 	}
 
-	client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, trustZone.GetKubernetesContext())
+	cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
 	if err != nil {
 		return err
 	}
 
-	prov, err := helmprovider.NewHelmSPIREProvider(ctx, trustZone, nil, nil)
+	client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, cluster.GetKubernetesContext())
 	if err != nil {
 		return err
 	}
+
+	prov, err := helmprovider.NewHelmSPIREProvider(ctx, cluster, nil, nil)
+	if err != nil {
+		return err
+	}
+
 	if installed, err := prov.CheckIfAlreadyInstalled(); err != nil {
 		return err
 	} else if !installed {

diff --git a/cmd/cofidectl/cmd/workload/workload.go b/cmd/cofidectl/cmd/workload/workload.go
@@ -8,9 +8,11 @@ import (
 	"fmt"
 	"os"
 
+	clusterpb "github.com/cofide/cofide-api-sdk/gen/go/proto/cluster/v1alpha1"
 	provisionpb "github.com/cofide/cofide-api-sdk/gen/go/proto/provision_plugin/v1alpha1"
 	trust_zone_proto "github.com/cofide/cofide-api-sdk/gen/go/proto/trust_zone/v1alpha1"
 	"github.com/cofide/cofidectl/cmd/cofidectl/cmd/statusspinner"
+	"github.com/cofide/cofidectl/internal/pkg/trustzone"
 	"github.com/cofide/cofidectl/internal/pkg/workload"
 	cmdcontext "github.com/cofide/cofidectl/pkg/cmd/context"
 	kubeutil "github.com/cofide/cofidectl/pkg/kube"
@@ -162,7 +164,12 @@ func (w *WorkloadCommand) status(ctx context.Context, kubeConfig string, opts St
 		return err
 	}
 
-	client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, *trustZone.KubernetesContext)
+	cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
+	if err != nil {
+		return err
+	}
+
+	client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, cluster.GetKubernetesContext())
 	if err != nil {
 		return err
 	}
@@ -187,13 +194,18 @@ func renderRegisteredWorkloads(ctx context.Context, kubeConfig string, trustZone
 	data := make([][]string, 0, len(trustZones))
 
 	for _, trustZone := range trustZones {
-		if deployed, err := isTrustZoneDeployed(ctx, trustZone); err != nil {
+		cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
+		if err != nil {
+			return err
+		}
+
+		if deployed, err := isClusterDeployed(ctx, cluster); err != nil {
 			return err
 		} else if !deployed {
 			return fmt.Errorf("trust zone %s has not been deployed", trustZone.Name)
 		}
 
-		registeredWorkloads, err := workload.GetRegisteredWorkloads(ctx, kubeConfig, trustZone.GetKubernetesContext())
+		registeredWorkloads, err := workload.GetRegisteredWorkloads(ctx, kubeConfig, cluster.GetKubernetesContext())
 		if err != nil {
 			return err
 		}
@@ -300,12 +312,17 @@ func renderUnregisteredWorkloads(ctx context.Context, kubeConfig string, trustZo
 	data := make([][]string, 0, len(trustZones))
 
 	for _, trustZone := range trustZones {
-		deployed, err := isTrustZoneDeployed(ctx, trustZone)
+		cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
+		if err != nil {
+			return err
+		}
+
+		deployed, err := isClusterDeployed(ctx, cluster)
 		if err != nil {
 			return err
 		}
 
-		registeredWorkloads, err := workload.GetUnregisteredWorkloads(ctx, kubeConfig, trustZone.GetKubernetesContext(), includeSecrets, deployed)
+		registeredWorkloads, err := workload.GetUnregisteredWorkloads(ctx, kubeConfig, cluster.GetKubernetesContext(), includeSecrets, deployed)
 		if err != nil {
 			return err
 		}
@@ -338,9 +355,9 @@ func renderUnregisteredWorkloads(ctx context.Context, kubeConfig string, trustZo
 	return nil
 }
 
-// isTrustZoneDeployed returns whether a trust zone has been deployed, i.e. whether a SPIRE Helm release has been installed.
-func isTrustZoneDeployed(ctx context.Context, trustZone *trust_zone_proto.TrustZone) (bool, error) {
-	prov, err := helm.NewHelmSPIREProvider(ctx, trustZone, nil, nil)
+// isClusterDeployed returns whether a cluster has been deployed, i.e. whether a SPIRE Helm release has been installed.
+func isClusterDeployed(ctx context.Context, cluster *clusterpb.Cluster) (bool, error) {
+	prov, err := helm.NewHelmSPIREProvider(ctx, cluster, nil, nil)
 	if err != nil {
 		return false, err
 	}

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ toolchain go1.23.4
 require (
 	buf.build/go/protoyaml v0.3.1
 	cuelang.org/go v0.10.1
-	github.com/cofide/cofide-api-sdk v0.5.1
+	github.com/cofide/cofide-api-sdk v0.5.2-0.20250117165051-3f40e0c57dc0
 	github.com/fatih/color v1.18.0
 	github.com/gofrs/flock v0.12.1
 	github.com/google/go-cmp v0.6.0

diff --git a/go.sum b/go.sum
@@ -86,8 +86,8 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
 github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc=
-github.com/cofide/cofide-api-sdk v0.5.1 h1:rIiqhz/+7G5jrpRMt418VQ59OUM8d0cQ2YuuXtziZuY=
-github.com/cofide/cofide-api-sdk v0.5.1/go.mod h1:cU46gp7I0XxyqSiPzS17P9zWwU1agzxbexfZjRG5l94=
+github.com/cofide/cofide-api-sdk v0.5.2-0.20250117165051-3f40e0c57dc0 h1:UBmQrMgsH5C2AUpzJKDAd/izBM/N7FFPfM/I6rpo3AY=
+github.com/cofide/cofide-api-sdk v0.5.2-0.20250117165051-3f40e0c57dc0/go.mod h1:cU46gp7I0XxyqSiPzS17P9zWwU1agzxbexfZjRG5l94=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
 github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ=

diff --git a/internal/pkg/config/schema.cue b/internal/pkg/config/schema.cue
@@ -3,17 +3,22 @@
 #TrustZone: {
 	name!: string
 	trust_domain!: string
-	kubernetes_cluster!: string
-	kubernetes_context!: string
-	trust_provider!: #TrustProvider
-	profile!: string
 	bundle_endpoint_url?: string
 	bundle?: string
 	federations: [...#Federation]
 	attestation_policies: [...#APBinding]
 	jwt_issuer?: string
-	extra_helm_values?: #HelmValues
 	bundle_endpoint_profile?: #BundleEndpointProfile
+	clusters: [#Cluster]
+}
+
+#Cluster: {
+	name!: string
+	trust_zone!: string
+	kubernetes_context!: string
+	trust_provider!: #TrustProvider
+	profile!: string
+	extra_helm_values?: #HelmValues
 	external_server?: bool
 }
 

diff --git a/internal/pkg/config/testdata/config/empty_trust_zone_clusters.yaml b/internal/pkg/config/testdata/config/empty_trust_zone_clusters.yaml
@@ -0,0 +1,10 @@
+trust_zones:
+    - name: tz1
+      trust_domain: td1
+      bundle_endpoint_url: 127.0.0.1
+      bundle: ""
+      federations:
+        - from: tz1
+          to: tz2
+      attestation_policies: []
+      clusters: []
diff --git a/internal/pkg/config/testdata/config/full.yaml b/internal/pkg/config/testdata/config/full.yaml
@@ -1,10 +1,6 @@
 trust_zones:
     - name: tz1
       trust_domain: td1
-      kubernetes_cluster: local1
-      kubernetes_context: kind-local1
-      trust_provider:
-        kind: kubernetes
       bundle_endpoint_url: 127.0.0.1
       federations:
         - from: tz1
@@ -15,24 +11,26 @@ trust_zones:
           federates_with:
             - tz2
       jwt_issuer: https://tz1.example.com
-      extra_helm_values:
-        global:
-            spire:
-                caSubject:
-                    commonName: cn.example.com
-                    organization: acme-org
-        spire-server:
-            logLevel: INFO
-            nameOverride: custom-server-name
       bundle_endpoint_profile: BUNDLE_ENDPOINT_PROFILE_HTTPS_SPIFFE
-      profile: kubernetes
-      external_server: false
+      clusters:
+        - name: local1
+          trust_zone: tz1
+          kubernetes_context: kind-local1
+          trust_provider:
+            kind: kubernetes
+          extra_helm_values:
+            global:
+                spire:
+                    caSubject:
+                        commonName: cn.example.com
+                        organization: acme-org
+            spire-server:
+                logLevel: INFO
+                nameOverride: custom-server-name
+          profile: kubernetes
+          external_server: false
     - name: tz2
       trust_domain: td2
-      kubernetes_cluster: local2
-      kubernetes_context: kind-local2
-      trust_provider:
-        kind: kubernetes
       bundle_endpoint_url: 127.0.0.2
       federations:
         - from: tz2
@@ -44,8 +42,14 @@ trust_zones:
             - tz1
       jwt_issuer: https://tz2.example.com
       bundle_endpoint_profile: BUNDLE_ENDPOINT_PROFILE_HTTPS_WEB
-      profile: kubernetes
-      external_server: false
+      clusters:
+        - name: local2
+          trust_zone: tz2
+          kubernetes_context: kind-local2
+          trust_provider:
+            kind: kubernetes
+          profile: kubernetes
+          external_server: false
 attestation_policies:
     - name: ap1
       kubernetes:

diff --git a/internal/pkg/config/testdata/config/missing_trust_zone_field.yaml b/internal/pkg/config/testdata/config/missing_trust_zone_field.yaml
@@ -1,13 +1,16 @@
 trust_zones:
     - trust_domain: td1
-      kubernetes_cluster: local1
-      kubernetes_context: kind-local1
-      trust_provider:
-        name: ""
-        kind: kubernetes
       bundle_endpoint_url: 127.0.0.1
       bundle: ""
       federations:
         - from: tz1
           to: tz2
       attestation_policies: []
+      clusters:
+      - name: local1
+        trust_zone: tz1
+        kubernetes_context: kind-local1
+        trust_provider:
+          name: ""
+          kind: kubernetes
+        profile: kubernetes