Separate Cluster message from TrustZone

cmd/cofidectl/cmd/federation/federation.go

@@ -7,8 +7,10 @@ import (
 	"context"
 	"os"
 
+	clusterpb "github.com/cofide/cofide-api-sdk/gen/go/proto/cluster/v1alpha1"
 	federation_proto "github.com/cofide/cofide-api-sdk/gen/go/proto/federation/v1alpha1"
 	trust_zone_proto "github.com/cofide/cofide-api-sdk/gen/go/proto/trust_zone/v1alpha1"
+	"github.com/cofide/cofidectl/internal/pkg/trustzone"
 	cmdcontext "github.com/cofide/cofidectl/pkg/cmd/context"
 
 	kubeutil "github.com/cofide/cofidectl/pkg/kube"
@@ -128,13 +130,18 @@ func checkFederationStatus(ctx context.Context, kubeConfig string, from *trust_z
 	compare := make(map[*trust_zone_proto.TrustZone]bundles)
 
 	for _, tz := range []*trust_zone_proto.TrustZone{from, to} {
-		if deployed, err := isTrustZoneDeployed(ctx, tz); err != nil {
+		cluster, err := trustzone.GetClusterFromTrustZone(tz)
+		if err != nil {
+			return "", "", err
+		}
+
+		if deployed, err := isClusterDeployed(ctx, cluster); err != nil {
 			return "", "", err
 		} else if !deployed {
 			return "Inactive", "", nil
 		}
 
-		client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, tz.GetKubernetesContext())
+		client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, cluster.GetKubernetesContext())
 		if err != nil {
 			return "", "", err
 		}
@@ -164,9 +171,9 @@ func checkFederationStatus(ctx context.Context, kubeConfig string, from *trust_z
 	return FederationStatusHealthy, "", nil
 }
 
-// isTrustZoneDeployed returns whether a trust zone has been deployed, i.e. whether a SPIRE Helm release has been installed.
-func isTrustZoneDeployed(ctx context.Context, trustZone *trust_zone_proto.TrustZone) (bool, error) {
-	prov, err := helm.NewHelmSPIREProvider(ctx, trustZone, nil, nil)
+// isClusterDeployed returns whether a cluster has been deployed, i.e. whether a SPIRE Helm release has been installed.
+func isClusterDeployed(ctx context.Context, cluster *clusterpb.Cluster) (bool, error) {
+	prov, err := helm.NewHelmSPIREProvider(ctx, cluster, nil, nil)
 	if err != nil {
 		return false, err
 	}

cmd/cofidectl/cmd/trustzone/helm/helm.go

@@ -12,6 +12,7 @@ import (
 	"google.golang.org/protobuf/types/known/structpb"
 	"gopkg.in/yaml.v3"
 
+	"github.com/cofide/cofidectl/internal/pkg/trustzone"
 	cmdcontext "github.com/cofide/cofidectl/pkg/cmd/context"
 	"github.com/cofide/cofidectl/pkg/plugin/datasource"
 	"github.com/cofide/cofidectl/pkg/provider/helm"
@@ -101,13 +102,18 @@ func (c *HelmCommand) overrideValues(ds datasource.DataSource, tzName string, va
 		return err
 	}
 
-	trustZone.ExtraHelmValues, err = structpb.NewStruct(values)
+	cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
+	if err != nil {
+		return err
+	}
+
+	cluster.ExtraHelmValues, err = structpb.NewStruct(values)
 	if err != nil {
 		return err
 	}
 
 	// Check that the values are acceptable.
-	generator := helm.NewHelmValuesGenerator(trustZone, ds, nil)
+	generator := helm.NewHelmValuesGenerator(trustZone, cluster, ds, nil)
 	if _, err = generator.GenerateValues(); err != nil {
 		return err
 	}
@@ -183,7 +189,12 @@ func (c *HelmCommand) getValues(ds datasource.DataSource, tzName string) (map[st
 		return nil, err
 	}
 
-	generator := helm.NewHelmValuesGenerator(trustZone, ds, nil)
+	cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
+	if err != nil {
+		return nil, err
+	}
+
+	generator := helm.NewHelmValuesGenerator(trustZone, cluster, ds, nil)
 	values, err := generator.GenerateValues()
 	if err != nil {
 		return nil, err

cmd/cofidectl/cmd/trustzone/trustzone.go

@@ -11,8 +11,10 @@ import (
 	"slices"
 	"strconv"
 
+	clusterpb "github.com/cofide/cofide-api-sdk/gen/go/proto/cluster/v1alpha1"
 	"github.com/cofide/cofidectl/cmd/cofidectl/cmd/trustzone/helm"
 	trustprovider "github.com/cofide/cofidectl/internal/pkg/trustprovider"
+	"github.com/cofide/cofidectl/internal/pkg/trustzone"
 	cmdcontext "github.com/cofide/cofidectl/pkg/cmd/context"
 	"github.com/manifoldco/promptui"
 
@@ -84,10 +86,15 @@ func (c *TrustZoneCommand) GetListCommand() *cobra.Command {
 
 			data := make([][]string, len(trustZones))
 			for i, trustZone := range trustZones {
+				cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
+				if err != nil {
+					return err
+				}
+
 				data[i] = []string{
 					trustZone.Name,
 					trustZone.TrustDomain,
-					trustZone.GetKubernetesCluster(),
+					cluster.GetName(),
 				}
 			}
 
@@ -148,16 +155,21 @@ func (c *TrustZoneCommand) GetAddCommand() *cobra.Command {
 			}
 
 			bundleEndpointProfile := trust_zone_proto.BundleEndpointProfile_BUNDLE_ENDPOINT_PROFILE_HTTPS_SPIFFE
+
+			newCluster := &clusterpb.Cluster{
+				Name:              &opts.kubernetesCluster,
+				TrustZone:         &opts.name,
+				KubernetesContext: &opts.context,
+				TrustProvider:     &trust_provider_proto.TrustProvider{Kind: &trustProviderKind},
+				Profile:           &opts.profile,
+				ExternalServer:    &opts.externalServer,
+			}
 			newTrustZone := &trust_zone_proto.TrustZone{
 				Name:                  opts.name,
 				TrustDomain:           opts.trustDomain,
-				KubernetesCluster:     &opts.kubernetesCluster,
-				KubernetesContext:     &opts.context,
-				TrustProvider:         &trust_provider_proto.TrustProvider{Kind: &trustProviderKind},
-				Profile:               &opts.profile,
 				JwtIssuer:             &opts.jwtIssuer,
 				BundleEndpointProfile: &bundleEndpointProfile,
-				ExternalServer:        &opts.externalServer,
+				Clusters:              []*clusterpb.Cluster{newCluster},
 			}
 
 			_, err = ds.AddTrustZone(newTrustZone)
@@ -218,15 +230,21 @@ func (c *TrustZoneCommand) status(ctx context.Context, source datasource.DataSou
 		return err
 	}
 
-	client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, trustZone.GetKubernetesContext())
+	cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
 	if err != nil {
 		return err
 	}
 
-	prov, err := helmprovider.NewHelmSPIREProvider(ctx, trustZone, nil, nil)
+	client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, cluster.GetKubernetesContext())
 	if err != nil {
 		return err
 	}
+
+	prov, err := helmprovider.NewHelmSPIREProvider(ctx, cluster, nil, nil)
+	if err != nil {
+		return err
+	}
+
 	if installed, err := prov.CheckIfAlreadyInstalled(); err != nil {
 		return err
 	} else if !installed {

cmd/cofidectl/cmd/workload/workload.go

@@ -8,9 +8,11 @@ import (
 	"fmt"
 	"os"
 
+	clusterpb "github.com/cofide/cofide-api-sdk/gen/go/proto/cluster/v1alpha1"
 	provisionpb "github.com/cofide/cofide-api-sdk/gen/go/proto/provision_plugin/v1alpha1"
 	trust_zone_proto "github.com/cofide/cofide-api-sdk/gen/go/proto/trust_zone/v1alpha1"
 	"github.com/cofide/cofidectl/cmd/cofidectl/cmd/statusspinner"
+	"github.com/cofide/cofidectl/internal/pkg/trustzone"
 	"github.com/cofide/cofidectl/internal/pkg/workload"
 	cmdcontext "github.com/cofide/cofidectl/pkg/cmd/context"
 	kubeutil "github.com/cofide/cofidectl/pkg/kube"
@@ -162,7 +164,12 @@ func (w *WorkloadCommand) status(ctx context.Context, kubeConfig string, opts St
 		return err
 	}
 
-	client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, *trustZone.KubernetesContext)
+	cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
+	if err != nil {
+		return err
+	}
+
+	client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeConfig, cluster.GetKubernetesContext())
 	if err != nil {
 		return err
 	}
@@ -187,13 +194,18 @@ func renderRegisteredWorkloads(ctx context.Context, kubeConfig string, trustZone
 	data := make([][]string, 0, len(trustZones))
 
 	for _, trustZone := range trustZones {
-		if deployed, err := isTrustZoneDeployed(ctx, trustZone); err != nil {
+		cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
+		if err != nil {
+			return err
+		}
+
+		if deployed, err := isClusterDeployed(ctx, cluster); err != nil {
 			return err
 		} else if !deployed {
 			return fmt.Errorf("trust zone %s has not been deployed", trustZone.Name)
 		}
 
-		registeredWorkloads, err := workload.GetRegisteredWorkloads(ctx, kubeConfig, trustZone.GetKubernetesContext())
+		registeredWorkloads, err := workload.GetRegisteredWorkloads(ctx, kubeConfig, cluster.GetKubernetesContext())
 		if err != nil {
 			return err
 		}
@@ -300,12 +312,17 @@ func renderUnregisteredWorkloads(ctx context.Context, kubeConfig string, trustZo
 	data := make([][]string, 0, len(trustZones))
 
 	for _, trustZone := range trustZones {
-		deployed, err := isTrustZoneDeployed(ctx, trustZone)
+		cluster, err := trustzone.GetClusterFromTrustZone(trustZone)
+		if err != nil {
+			return err
+		}
+
+		deployed, err := isClusterDeployed(ctx, cluster)
 		if err != nil {
 			return err
 		}
 
-		registeredWorkloads, err := workload.GetUnregisteredWorkloads(ctx, kubeConfig, trustZone.GetKubernetesContext(), includeSecrets, deployed)
+		registeredWorkloads, err := workload.GetUnregisteredWorkloads(ctx, kubeConfig, cluster.GetKubernetesContext(), includeSecrets, deployed)
 		if err != nil {
 			return err
 		}
@@ -338,9 +355,9 @@ func renderUnregisteredWorkloads(ctx context.Context, kubeConfig string, trustZo
 	return nil
 }
 
-// isTrustZoneDeployed returns whether a trust zone has been deployed, i.e. whether a SPIRE Helm release has been installed.
-func isTrustZoneDeployed(ctx context.Context, trustZone *trust_zone_proto.TrustZone) (bool, error) {
-	prov, err := helm.NewHelmSPIREProvider(ctx, trustZone, nil, nil)
+// isClusterDeployed returns whether a cluster has been deployed, i.e. whether a SPIRE Helm release has been installed.
+func isClusterDeployed(ctx context.Context, cluster *clusterpb.Cluster) (bool, error) {
+	prov, err := helm.NewHelmSPIREProvider(ctx, cluster, nil, nil)
 	if err != nil {
 		return false, err
 	}

go.mod

@@ -7,7 +7,7 @@ toolchain go1.23.4
 require (
 	buf.build/go/protoyaml v0.3.1
 	cuelang.org/go v0.10.1
-	github.com/cofide/cofide-api-sdk v0.5.1
+	github.com/cofide/cofide-api-sdk v0.5.2-0.20250117165051-3f40e0c57dc0
 	github.com/fatih/color v1.18.0
 	github.com/gofrs/flock v0.12.1
 	github.com/google/go-cmp v0.6.0

go.sum

@@ -86,8 +86,8 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
 github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc=
-github.com/cofide/cofide-api-sdk v0.5.1 h1:rIiqhz/+7G5jrpRMt418VQ59OUM8d0cQ2YuuXtziZuY=
-github.com/cofide/cofide-api-sdk v0.5.1/go.mod h1:cU46gp7I0XxyqSiPzS17P9zWwU1agzxbexfZjRG5l94=
+github.com/cofide/cofide-api-sdk v0.5.2-0.20250117165051-3f40e0c57dc0 h1:UBmQrMgsH5C2AUpzJKDAd/izBM/N7FFPfM/I6rpo3AY=
+github.com/cofide/cofide-api-sdk v0.5.2-0.20250117165051-3f40e0c57dc0/go.mod h1:cU46gp7I0XxyqSiPzS17P9zWwU1agzxbexfZjRG5l94=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
 github.com/containerd/containerd v1.7.24 h1:zxszGrGjrra1yYJW/6rhm9cJ1ZQ8rkKBR48brqsa7nA=

internal/pkg/config/schema.cue

@@ -3,17 +3,22 @@
 #TrustZone: {
 	name!: string
 	trust_domain!: string
-	kubernetes_cluster!: string
-	kubernetes_context!: string
-	trust_provider!: #TrustProvider
-	profile!: string
 	bundle_endpoint_url?: string
 	bundle?: string
 	federations: [...#Federation]
 	attestation_policies: [...#APBinding]
 	jwt_issuer?: string
-	extra_helm_values?: #HelmValues
 	bundle_endpoint_profile?: #BundleEndpointProfile
+	clusters: [#Cluster]
+}
+
+#Cluster: {
+	name!: string
+	trust_zone!: string
+	kubernetes_context!: string
+	trust_provider!: #TrustProvider
+	profile!: string
+	extra_helm_values?: #HelmValues
 	external_server?: bool
 }
 

internal/pkg/config/testdata/config/empty_trust_zone_clusters.yaml

@@ -0,0 +1,10 @@
+trust_zones:
+    - name: tz1
+      trust_domain: td1
+      bundle_endpoint_url: 127.0.0.1
+      bundle: ""
+      federations:
+        - from: tz1
+          to: tz2
+      attestation_policies: []
+      clusters: []

internal/pkg/config/testdata/config/full.yaml

@@ -1,10 +1,6 @@
 trust_zones:
     - name: tz1
       trust_domain: td1
-      kubernetes_cluster: local1
-      kubernetes_context: kind-local1
-      trust_provider:
-        kind: kubernetes
       bundle_endpoint_url: 127.0.0.1
       federations:
         - from: tz1
@@ -15,24 +11,26 @@ trust_zones:
           federates_with:
             - tz2
       jwt_issuer: https://tz1.example.com
-      extra_helm_values:
-        global:
-            spire:
-                caSubject:
-                    commonName: cn.example.com
-                    organization: acme-org
-        spire-server:
-            logLevel: INFO
-            nameOverride: custom-server-name
       bundle_endpoint_profile: BUNDLE_ENDPOINT_PROFILE_HTTPS_SPIFFE
-      profile: kubernetes
-      external_server: false
+      clusters:
+        - name: local1
+          trust_zone: tz1
+          kubernetes_context: kind-local1
+          trust_provider:
+            kind: kubernetes
+          extra_helm_values:
+            global:
+                spire:
+                    caSubject:
+                        commonName: cn.example.com
+                        organization: acme-org
+            spire-server:
+                logLevel: INFO
+                nameOverride: custom-server-name
+          profile: kubernetes
+          external_server: false
     - name: tz2
       trust_domain: td2
-      kubernetes_cluster: local2
-      kubernetes_context: kind-local2
-      trust_provider:
-        kind: kubernetes
       bundle_endpoint_url: 127.0.0.2
       federations:
         - from: tz2
@@ -44,8 +42,14 @@ trust_zones:
             - tz1
       jwt_issuer: https://tz2.example.com
       bundle_endpoint_profile: BUNDLE_ENDPOINT_PROFILE_HTTPS_WEB
-      profile: kubernetes
-      external_server: false
+      clusters:
+        - name: local2
+          trust_zone: tz2
+          kubernetes_context: kind-local2
+          trust_provider:
+            kind: kubernetes
+          profile: kubernetes
+          external_server: false
 attestation_policies:
     - name: ap1
       kubernetes:

internal/pkg/config/testdata/config/missing_trust_zone_field.yaml

@@ -1,13 +1,16 @@
 trust_zones:
     - trust_domain: td1
-      kubernetes_cluster: local1
-      kubernetes_context: kind-local1
-      trust_provider:
-        name: ""
-        kind: kubernetes
       bundle_endpoint_url: 127.0.0.1
       bundle: ""
       federations:
         - from: tz1
           to: tz2
       attestation_policies: []
+      clusters:
+      - name: local1
+        trust_zone: tz1
+        kubernetes_context: kind-local1
+        trust_provider:
+          name: ""
+          kind: kubernetes
+        profile: kubernetes