Deny production runs of example.org trust domains (#229)

spiffe · Sep 25, 2023 · 50825d9 · 50825d9
1 parent 712a0f6
commit 50825d9
Show file tree

Hide file tree

Showing 16 changed files with 101 additions and 19 deletions.
diff --git a/.github/tests/dependencies/spire-root-server-values.yaml b/.github/tests/dependencies/spire-root-server-values.yaml
@@ -1,3 +1,9 @@
+global:
+  spire:
+    clusterName: production
+    trustDomain: production.other
+    jwtIssuer: oidc-discovery.production.other
+
 spire-server:
   controllerManager:
     enabled: false

diff --git a/.github/tests/dependencies/testcert.yaml b/.github/tests/dependencies/testcert.yaml
@@ -43,8 +43,8 @@ metadata:
   name: oidc
 spec:
   dnsNames:
-    - oidc-discovery.example.org
-    - spire-server-federation.example.org
+    - oidc-discovery.production.other
+    - spire-server-federation.production.other
   secretName: tls-cert
   issuerRef:
     name: demo-ca

diff --git a/charts/spire/README.md b/charts/spire/README.md
@@ -98,6 +98,7 @@ Now you can interact with the Spire agent socket from your own application. The
 | `global.spire.trustDomain`              | The trust domain for Spire install                                                                         | `example.org`                |
 | `global.spire.upstreamServerAddress`    | Set what address to use for the upstream server when using nested spire                                    | `""`                         |
 | `global.spire.image.registry`           | Override all Spire image registries at once                                                                | `""`                         |
+| `global.spire.strictMode`               | Check values, such as trustDomain, are overridden with a suitable value for production.                    | `false`                      |
 | `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true`                       |
 | `global.deleteHooks.enabled`            | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)          | `true`                       |
 

diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
@@ -1,3 +1,5 @@
+{{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
+{{- include "spire-lib.check-strict-mode" (list . "jwtIssuer must be set" (eq (include "spire-lib.jwt-issuer" .) "https://oidc-discovery.example.org"))}}
 {{- $oidcSocket := "/run/spire/oidc-sockets/spire-oidc-server.sock" }}
 {{- define "spiffe-oidc-discovery-provider.yaml-config" -}}
 {{- $oidcSocket := .oidcSocket }}

diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -1,3 +1,5 @@
+{{- include "spire-lib.check-strict-mode" (list . "clusterName must be set" (eq (include "spire-lib.cluster-name" .) "example-cluster"))}}
+{{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
 {{- define "spire-agent.yaml-config" -}}
 agent:
   data_dir: "/run/spire"

diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
@@ -153,7 +153,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `federation.ingress.annotations`                                 | Annotations for the ingress object                                                                                                                                                                                                                                                                                                                                   | `{}`                                                                                           |
 | `federation.ingress.hosts`                                       | Host paths for ingress object                                                                                                                                                                                                                                                                                                                                        | `[]`                                                                                           |
 | `federation.ingress.tls`                                         | Secrets containining TLS certs to enable https on ingress                                                                                                                                                                                                                                                                                                            | `[]`                                                                                           |
-| `ca_subject.country`                                             | Country for Spire server CA                                                                                                                                                                                                                                                                                                                                          | `NL`                                                                                           |
+| `ca_subject.country`                                             | Country for Spire server CA                                                                                                                                                                                                                                                                                                                                          | `ARPA`                                                                                         |
 | `ca_subject.organization`                                        | Organization for Spire server CA                                                                                                                                                                                                                                                                                                                                     | `Example`                                                                                      |
 | `ca_subject.common_name`                                         | Common Name for Spire server CA                                                                                                                                                                                                                                                                                                                                      | `example.org`                                                                                  |
 | `keyManager.disk.enabled`                                        | Flag to enable keyManager on disk                                                                                                                                                                                                                                                                                                                                    | `true`                                                                                         |

diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -1,3 +1,9 @@
+{{- include "spire-lib.check-strict-mode" (list . "clusterName must be set" (eq (include "spire-lib.cluster-name" .) "example-cluster"))}}
+{{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
+{{- include "spire-lib.check-strict-mode" (list . "jwtIssuer must be set" (eq (include "spire-lib.jwt-issuer" .) "https://oidc-discovery.example.org"))}}
+{{- include "spire-lib.check-strict-mode" (list . "ca_subject.county must be set" (eq .Values.ca_subject.country "ARPA"))}}
+{{- include "spire-lib.check-strict-mode" (list . "ca_subject.organization must be set" (eq .Values.ca_subject.organization "Example"))}}
+{{- include "spire-lib.check-strict-mode" (list . "ca_subject.common_name must be set" (eq .Values.ca_subject.common_name "example.org"))}}
 {{- range $type, $tvals := .Values.customPlugins }}
 {{-   if not (has $type (list "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }}
 {{-     fail (printf "Unknown plugin type specified: %s" $type) }}

diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
@@ -225,7 +225,7 @@ federation:
 
 ca_subject:
   ## @param ca_subject.country Country for Spire server CA
-  country: NL
+  country: ARPA
   ## @param ca_subject.organization Organization for Spire server CA
   organization: Example
   ## @param ca_subject.common_name Common Name for Spire server CA

diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl
@@ -107,3 +107,18 @@ rules:
 {{- end }}
 {{- include "spire-lib.image" $root }}
 {{- end }}
+
+{{/*
+Take in an array of, '.', a failure string to display, and boolean to to display it,
+if strictMode is enabled and the boolean is true
+*/}}
+{{- define "spire-lib.check-strict-mode" }}
+{{ $root := index . 0 }}
+{{ $message := index . 1 }}
+{{ $condition := index . 2 }}
+{{- if (dig "spire" "strictMode" false $root.Values.global) }}
+{{- if $condition }}
+{{- fail $message }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml
@@ -24,6 +24,9 @@ global:
       ## @param global.spire.image.registry Override all Spire image registries at once
       registry: ""
 
+    ## @param global.spire.strictMode Check values, such as trustDomain, are overridden with a suitable value for production.
+    strictMode: false
+
   installAndUpgradeHooks:
     ## @param global.installAndUpgradeHooks.enabled Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`)
     enabled: true

diff --git a/examples/external-mysql/run-tests.sh b/examples/external-mysql/run-tests.sh
@@ -32,7 +32,7 @@ helm upgrade --install mysql mysql --version "$VERSION_MYSQL" --repo "$HELM_REPO
   --wait
 
 helm upgrade --install --namespace "spire-server" \
-  --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml" \
+  --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \
   --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire
 helm test --namespace "spire-server" spire
 

diff --git a/examples/external-postgresql/run-tests.sh b/examples/external-postgresql/run-tests.sh
@@ -32,7 +32,7 @@ helm upgrade --install postgresql postgresql --version "$VERSION_POSTGRESQL" --r
   --wait
 
 helm upgrade --install --namespace "spire-server" \
-  --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml" \
+  --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \
   --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire
 helm test --namespace "spire-server" spire
 

diff --git a/examples/nested/run-tests.sh b/examples/nested/run-tests.sh
@@ -34,10 +34,10 @@ helm upgrade --install --create-namespace spire charts/spire \
   --wait
 
 kubectl get nodes -o go-template='{{range .items}}{{printf "%s\n" .metadata.uid}}{{end}}' | while read -r line; do
-  kubectl exec -t spire-server-0 -n "spire-root-server" -- spire-server entry create -spiffeID spiffe://example.org/example-cluster/nested-spire -parentID "spiffe://example.org/spire/agent/k8s_psat/example-cluster/$line" -selector k8s:pod-label:app.kubernetes.io/name:server -downstream
+  kubectl exec -t spire-server-0 -n "spire-root-server" -- spire-server entry create -spiffeID spiffe://production.other/production/nested-spire -parentID "spiffe://production.other/spire/agent/k8s_psat/production/$line" -selector k8s:pod-label:app.kubernetes.io/name:server -downstream
 done
 
-helm upgrade --install --create-namespace --namespace spire-server --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml" \
+helm upgrade --install --create-namespace --namespace spire-server --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \
   --wait spire charts/spire
 helm test --namespace spire-server spire
 

diff --git a/examples/production/example-your-values.yaml b/examples/production/example-your-values.yaml
@@ -0,0 +1,45 @@
+global:
+  spire:
+    clusterName: production
+    trustDomain: production.other
+    jwtIssuer: oidc-discovery.production.other
+
+spire-server:
+  ca_subject:
+    country: US
+    organization: Production
+    common_name: production.other
+
+  ingress:
+    hosts:
+      - host: spire-server.production.other
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - hosts:
+          - spire-server.production.other
+  federation:
+    ingress:
+      hosts:
+        - host: spire-server-federation.production.other
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - spire-server-federation.production.other
+          secretName: tls-cert
+
+spiffe-oidc-discovery-provider:
+  ingress:
+    hosts:
+      - host: oidc-discovery.production.other
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - secretName: tls-cert
+        hosts:
+          - oidc-discovery.production.other
+
diff --git a/examples/production/run-tests.sh b/examples/production/run-tests.sh
@@ -48,32 +48,26 @@ kubectl apply -f "${DEPS}/testcert.yaml" -n spire-server
  --wait
 
 ip=$(kubectl get svc -n ingress-nginx ingress-nginx-controller -o go-template='{{ .spec.clusterIP }}')
-echo "$ip" oidc-discovery.example.org
+echo "$ip" oidc-discovery.production.other
 
 cat > /tmp/dummydns <<EOF
 spiffe-oidc-discovery-provider:
   tests:
     hostAliases:
       - ip: "$ip"
         hostnames:
-          - "oidc-discovery.example.org"
+          - "oidc-discovery.production.other"
 spire-agent:
   hostAliases:
     - ip: "$ip"
       hostnames:
-        - "spire-server.example.org"
+        - "spire-server.production.other"
 spire-server:
   tests:
     hostAliases:
       - ip: "$ip"
         hostnames:
-          - "spire-server-federation.example.org"
-  federation:
-    ingress:
-      tls:
-        - hosts:
-            - spire-server-federation.example.org
-          secretName: tls-cert
+          - "spire-server-federation.production.other"
 EOF
 
 "${helm_install[@]}" spire charts/spire \
@@ -84,11 +78,17 @@ EOF
   --values "${SCRIPTPATH}/values-export-federation-https-web-ingress-nginx.yaml" \
   --values /tmp/dummydns \
   --set spiffe-oidc-discovery-provider.tests.tls.customCA=tls-cert,spire-server.tests.tls.customCA=tls-cert \
-  --set spire-agent.server.address=spire-server.example.org,spire-agent.server.port=443 \
+  --set spire-agent.server.address=spire-server.production.other,spire-agent.server.port=443 \
+  --values "${SCRIPTPATH}/example-your-values.yaml" \
   --wait
 
 helm test --namespace "${ns}" spire
 
+if helm get manifest -n spire-server spire | grep -i example; then
+  echo Global settings did not work. Please fix.
+  exit 1
+fi
+
 print_helm_releases
 print_spire_workload_status "${ns}"
 

diff --git a/examples/production/values.yaml b/examples/production/values.yaml
@@ -2,6 +2,8 @@ global:
   telemetry:
     prometheus:
       enabled: true
+  spire:
+    strictMode: true
 
 spire-server:
   nodeAttestor: