Prepare the v0.12 release branch for v0.12.2

cmd/spire-server/cli/agent/agent_test.go

@@ -20,7 +20,17 @@ import (
 )
 
 var (
-	testAgents = []*types.Agent{{Id: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/agent1"}}}
+	testAgents              = []*types.Agent{{Id: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/agent1"}}}
+	testAgentsWithSelectors = []*types.Agent{
+		{
+			Id: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/agent2"},
+			Selectors: []*types.Selector{
+				{Type: "k8s_psat", Value: "agent_ns:spire"},
+				{Type: "k8s_psat", Value: "agent_sa:spire-agent"},
+				{Type: "k8s_psat", Value: "cluster:demo-cluster"},
+			},
+		},
+	}
 )
 
 type agentTest struct {
@@ -205,6 +215,13 @@ func TestShow(t *testing.T) {
 			expectedReturnCode: 1,
 			expectedStderr:     "Error: connection error: desc = \"transport: error while dialing: dial unix does-not-exist.sock: connect: no such file or directory\"\n",
 		},
+		{
+			name:               "show selectors",
+			args:               []string{"-spiffeID", "spiffe://example.org/spire/agent/agent2"},
+			existentAgents:     testAgentsWithSelectors,
+			expectedReturnCode: 0,
+			expectedStdout:     "Selectors         : k8s_psat:agent_ns:spire\nSelectors         : k8s_psat:agent_sa:spire-agent\nSelectors         : k8s_psat:cluster:demo-cluster",
+		},
 	} {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {

cmd/spire-server/cli/agent/show.go

@@ -62,6 +62,9 @@ func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient
 		return err
 	}
 
+	for _, s := range agent.Selectors {
+		env.Printf("Selectors         : %s:%s\n", s.Type, s.Value)
+	}
 	return nil
 }
 

cmd/spire-server/cli/healthcheck/healthcheck.go

@@ -83,6 +83,8 @@ func (c *healthCheckCommand) run() error {
 		}
 		return errors.New("cannot create registration client")
 	}
+	defer client.Release()
+
 	bundleClient := client.NewBundleClient()
 
 	// Currently using the ability to fetch a bundle as the health check. This

cmd/spire-server/cli/run/run.go

@@ -48,7 +48,7 @@ var (
 		Organization: []string{"SPIFFE"},
 	}
 
-	defaultRateLimitAttestation = true
+	defaultRateLimit = true
 )
 
 // Config contains all available configurables, arranged by section
@@ -155,6 +155,7 @@ type federatesWithBundleEndpointConfig struct {
 
 type rateLimitConfig struct {
 	Attestation *bool    `hcl:"attestation"`
+	Signing     *bool    `hcl:"signing"`
 	UnusedKeys  []string `hcl:",unusedKeys"`
 }
 
@@ -368,11 +369,17 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 	sc.Log = logger
 
 	if c.Server.RateLimit.Attestation == nil {
-		c.Server.RateLimit.Attestation = &defaultRateLimitAttestation
+		c.Server.RateLimit.Attestation = &defaultRateLimit
 	}
 	sc.RateLimit.Attestation = *c.Server.RateLimit.Attestation
 
+	if c.Server.RateLimit.Signing == nil {
+		c.Server.RateLimit.Signing = &defaultRateLimit
+	}
+	sc.RateLimit.Signing = *c.Server.RateLimit.Signing
+
 	sc.Experimental.AllowAgentlessNodeAttestors = c.Server.Experimental.AllowAgentlessNodeAttestors
+
 	if c.Server.Federation != nil {
 		if c.Server.Federation.BundleEndpoint != nil {
 			sc.Federation.BundleEndpoint = &bundle.EndpointConfig{

cmd/spire-server/cli/run/run_test.go

@@ -835,6 +835,34 @@ func TestNewServerConfig(t *testing.T) {
 				require.True(t, c.RateLimit.Attestation)
 			},
 		},
+		{
+			msg: "signing rate limit is on by default",
+			input: func(c *Config) {
+			},
+			test: func(t *testing.T, c *server.Config) {
+				require.True(t, c.RateLimit.Signing)
+			},
+		},
+		{
+			msg: "signing rate limit can be explicitly disabled",
+			input: func(c *Config) {
+				value := false
+				c.Server.RateLimit.Signing = &value
+			},
+			test: func(t *testing.T, c *server.Config) {
+				require.False(t, c.RateLimit.Signing)
+			},
+		},
+		{
+			msg: "signing rate limit can be explicitly enabled",
+			input: func(c *Config) {
+				value := true
+				c.Server.RateLimit.Signing = &value
+			},
+			test: func(t *testing.T, c *server.Config) {
+				require.True(t, c.RateLimit.Signing)
+			},
+		},
 	}
 
 	for _, testCase := range cases {

conf/agent/agent_full.conf

@@ -1,5 +1,5 @@
 # This is the SPIRE Agent configuration file including all possible configuration
-# options. 
+# options.
 
 # agent: Contains core configuration parameters.
 agent {
@@ -24,16 +24,16 @@ agent {
 
     # server_address: DNS name or IP address of the SPIRE server.
     server_address = "127.0.0.1"
-    
+
     # server_port: Port number of the SPIRE server.
     server_port = "8081"
-    
+
     # socket_path: Location to bind the workload API socket. Default: /tmp/agent.sock.
     socket_path = "/tmp/agent.sock"
-    
+
     # trust_bundle_path: Path to the SPIRE server CA bundle.
     trust_bundle_path = "./conf/agent/dummy_root_ca.crt"
-    
+
     # trust_bundle_url: URL to download the initial SPIRE server trust bundle.
     # trust_bundle_url = ""
 
@@ -56,9 +56,9 @@ agent {
 # Each nested object has the following format:
 #
 #     PluginType "plugin_name" {
-#    
+#
 #         # plugin_cmd: Path to the plugin implementation binary (optional, not
-#         # needed for built-ins)    
+#         # needed for built-ins)
 #         plugin_cmd = <string>
 #
 #         # plugin_checksum: An optional sha256 of the plugin binary (optional,
@@ -149,7 +149,7 @@ plugins {
             # cluster: Name of the cluster. It must correspond to a cluster
             # configured in the server plugin.
             # cluster = ""
-            
+
             # token_path: Path to the service account token on disk.
             # Default: /run/secrets/kubernetes.io/serviceaccount/token.
             # token_path = "/run/secrets/kubernetes.io/serviceaccount/token"
@@ -180,7 +180,7 @@ plugins {
             # certificate_path: The path to the certificate bundle on disk. The
             # file must contain one or more PEM blocks, starting with the identity
             # certificate followed by any intermediate certificates necessary for
-            # chain-of-trust validation.	
+            # chain-of-trust validation.
             # certificate_path = ""
 
             # intermediates_path: Optional. The path to a chain of intermediate
@@ -204,7 +204,7 @@ plugins {
             # docker_version = ""
         }
     }
-    
+
     # WorkloadAttestor "k8s": A workload attestor which allows selectors based
     # on Kubernetes constructs such ns (namespace) and sa (service account).
     WorkloadAttestor "k8s" {
@@ -244,7 +244,7 @@ plugins {
             # node_name_env = "MY_NODE_NAME"
 
             # node_name: The name of the node. Overrides the value obtained by
-            # the environment variable specified by node_name_env.            
+            # the environment variable specified by node_name_env.
             # node_name = ""
         }
     }
@@ -276,7 +276,7 @@ plugins {
 #         port = 9988
 #     }
 
-#     DogStatsd = [ 
+#     DogStatsd = [
 #         # List of DogStatsd addresses.
 #         { address = "localhost:8125" },
 #         { address = "collector.example.org:1337" },
@@ -301,7 +301,7 @@ plugins {
 # }
 
 # health_checks: If health checking is desired use this section to configure
-# and expose an additional server endpoint for such purpose.
+# and expose an additional agent endpoint for such purpose.
 # health_checks {
 #     # listener_enabled: Enables health checks endpoint.
 #     listener_enabled = true
@@ -312,9 +312,9 @@ plugins {
 #     # bind_port: HTTP Port number of the health checks endpoint. Default: 80.
 #     # bind_port = "80"
 
-#     # live_path: HTTP resource path for checking server liveness. Default: /live.
+#     # live_path: HTTP resource path for checking agent liveness. Default: /live.
 #     # live_path = "/live"
 
-#     # ready_path: HTTP resource path for checking server readiness. Default: /ready.
+#     # ready_path: HTTP resource path for checking agent readiness. Default: /ready.
 #     # ready_path = "/ready"
 # }

conf/server/server_full.conf

@@ -105,6 +105,10 @@ server {
     #     # Controls whether or not node attestation is rate limited to one
     #     # attempt per-second per-IP. Default: true.
     #     attestation = true
+
+    #     # Controls whether or not X509 and JWT signing are rate limited to 500
+    #     # requests per-second per-IP (separately). Default: true.
+    #     signing = true
     # }
 
     # registration_uds_path: Location to bind the registration API socket.

doc/plugin_agent_workloadattestor_k8s.md

@@ -1,6 +1,6 @@
 # Agent plugin: WorkloadAttestor "k8s"
 
-The `k8s` plugin generates kubernetes-based selectors for workloads calling the agent.
+The `k8s` plugin generates Kubernetes-based selectors for workloads calling the agent.
 It does so by retrieving the workload's pod ID from its cgroup membership, then querying
 the kubelet for information about the pod.
 
@@ -19,16 +19,17 @@ the kubelet is contacted over 127.0.0.1 (requires host networking to be
 enabled). In the latter case, the hostname is used to perform certificate
 server name validation against the kubelet certificate.
 
-**Note** kubelet authentication via bearer token requires that the kubelet be
-started with the `--authentication-token-webhook` flag. See [Kubelet authentication/authorization](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)
-for details.
+> **Note** kubelet authentication via bearer token requires that the kubelet be
+> started with the `--authentication-token-webhook` flag. 
+> See [Kubelet authentication/authorization](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)
+> for details.
 
-**Note** The kubelet uses the TokenReview API to validate bearer tokens. This
-requires reachability to the Kubernetes API server. Therefore API server downtime can
-interrupt workload attestation. The `--authentication-token-webhook-cache-ttl` kubelet flag
-controls how long the kubelet caches TokenReview responses and may help to
-mitigate this issue. A large cache ttl value is not recommended however, as
-that can impact permission revocation.
+> **Note** The kubelet uses the TokenReview API to validate bearer tokens. 
+> This requires reachability to the Kubernetes API server. Therefore API server downtime can
+> interrupt workload attestation. The `--authentication-token-webhook-cache-ttl` kubelet flag
+> controls how long the kubelet caches TokenReview responses and may help to
+> mitigate this issue. A large cache ttl value is not recommended however, as
+> that can impact permission revocation.
 
 | Configuration | Description |
 | ------------- | ----------- |
@@ -46,19 +47,23 @@ that can impact permission revocation.
 | -------- | ----- |
 | k8s:ns                   | The workload's namespace |
 | k8s:sa                   | The workload's service account |
-| k8s:container-image      | The image of the workload's container |
+| k8s:container-image      | The Image OR ImageID of the container in the workload's pod which is requesting an SVID, [as reported by K8S](https://pkg.go.dev/k8s.io/api/core/v1#ContainerStatus). Selector value may be an image tag, such as: `docker.io/envoyproxy/envoy-alpine:v1.16.0`, or a resolved SHA256 image digest, such as `docker.io/envoyproxy/envoy-alpine@sha256:bf862e5f5eca0a73e7e538224578c5cf867ce2be91b5eaed22afc153c00363eb` |
 | k8s:container-name       | The name of the workload's container |
 | k8s:node-name            | The name of the workload's node |
-| k8s:pod-label            | A label given to the the workload's pod |
+| k8s:pod-label            | A label given to the workload's pod |
 | k8s:pod-owner            | The name of the workload's pod owner |
 | k8s:pod-owner-uid        | The UID of the workload's pod owner |
 | k8s:pod-uid              | The UID of the workload's pod |
 | k8s:pod-name             | The name of the workload's pod |
-| k8s:pod-image            | An image of a container in workload's pod |
+| k8s:pod-image            | An Image OR ImageID of any container in the workload's pod, [as reported by K8S](https://pkg.go.dev/k8s.io/api/core/v1#ContainerStatus). Selector value may be an image tag, such as: `docker.io/envoyproxy/envoy-alpine:v1.16.0`, or a resolved SHA256 image digest, such as `docker.io/envoyproxy/envoy-alpine@sha256:bf862e5f5eca0a73e7e538224578c5cf867ce2be91b5eaed22afc153c00363eb`|
 | k8s:pod-image-count      | The number of container images in workload's pod |
-| k8s:pod-init-image       | An image of an init container in workload's pod |
+| k8s:pod-init-image       | An Image OR ImageID of any init container in the workload's pod, [as reported by K8S](https://pkg.go.dev/k8s.io/api/core/v1#ContainerStatus). Selector value may be an image tag, such as: `docker.io/envoyproxy/envoy-alpine:v1.16.0`, or a resolved SHA256 image digest, such as `docker.io/envoyproxy/envoy-alpine@sha256:bf862e5f5eca0a73e7e538224578c5cf867ce2be91b5eaed22afc153c00363eb`|
 | k8s:pod-init-image-count | The number of init container images in workload's pod |
 
+> **Note** `container-image` will ONLY match against the specific container in the pod that is contacting SPIRE on behalf of 
+> the pod, whereas `pod-image` and `pod-init-image` will match against ANY container or init container in the Pod, 
+> respectively.
+
 ## Examples
 
 To use the kubelet read-only port:

doc/plugin_server_nodeattestor_aws_iid.md

@@ -14,6 +14,7 @@ this plugin resolves the agent's AWS IID-based SPIFFE ID into a set of selectors
 | `access_key_id`     | AWS access key id     | Value of `AWS_ACCESS_KEY_ID` environment variable |
 | `secret_access_key` | AWS secret access key | Value of `AWS_SECRET_ACCESS_KEY` environment variable |
 | `skip_block_device` | Skip anti-tampering mechanism which checks to make sure that the underlying root volume has not been detached prior to attestation. | false |
+| `disable_instance_profile_selectors` | Disables retrieving the attesting instance profile information that is used in the selectors. Useful in cases where the server cannot reach iam.amazonaws.com | false |
 
 A sample configuration:
 
@@ -25,6 +26,12 @@ A sample configuration:
         }
     }
 ```
+
+## Disabling Instance Profile Selectors
+In cases where spire-server is running in a location with no public internet access available, setting `disable_instance_profile_selectors = true` will prevent the server from making requests to `iam.amazonaws.com`. This is needed as spire-server will fail to attest nodes as it cannot retrieve the metadata information.
+
+When this is enabled, `IAM Role` selector information will no longer be available for use.
+
 ## AWS IAM Permissions
 The user or role identified by the configured credentials must have permissions for `ec2:DescribeInstances`.
 
@@ -58,7 +65,7 @@ This plugin generates the following selectors related to the instance where the
 
 All of the selectors have the type `aws_iid`.
 
-The `IAM role` selector is included in the generated set of selectors only if the instance has an IAM Instance Profile associated.
+The `IAM role` selector is included in the generated set of selectors only if the instance has an IAM Instance Profile associated and `disable_instance_profile_selectors = false`
 
 ## Security Considerations
 The AWS Instance Identity Document, which this attestor leverages to prove node identity, is available to any process running on the node by default. As a result, it is possible for non-agent code running on a node to attest to the SPIRE Server, allowing it to obtain any workload identity that the node is authorized to run.

doc/plugin_server_notifier_k8sbundle.md

@@ -14,6 +14,7 @@ The plugin accepts the following configuration options:
 | config_map            | The name of the ConfigMap                   | `spire-bundle`  |
 | config_map_key        | The key within the ConfigMap for the bundle | `bundle.crt`    |
 | kube_config_file_path | The path on disk to the kubeconfig containing configuration to enable interaction with the Kubernetes API server. If unset, it is assumed the notifier is in-cluster and in-cluster credentials will be used. | |
+| webhook_label         | If set, rotate the CA Bundle in validating and mutating webhooks with this label set to `true`. | |
 
 ## Configuring Kubernetes
 
@@ -22,6 +23,7 @@ The following actions are required to set up the plugin.
 - Bind ClusterRole or Role that can `get` and `patch` the ConfigMap to Service Account
     - In the case of in-cluster SPIRE server, it is Service Account that runs the SPIRE server
     - In the case of out-of-cluster SPIRE server, it is Service Account that interacts with the Kubernetes API server
+    - In the case of setting `webhook_label`, the ClusterRole additionally needs permissions to `get`, `list`, `patch`, and `watch` `mutatingwebhookconfigurations` and `validatingwebhookconfigurations`.
 - Create the ConfigMap that the plugin pushes
 
 For example:
@@ -62,6 +64,23 @@ metadata:
   namespace: spire
 ```
 
+### Configuration when Rotating Webhook CA Bundles
+When rotating webhook CA bundles, use the below ClusterRole:
+
+```yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-cluster-role
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "patch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["get", "list", "patch", "watch"]
+```
+
 ## Sample configurations
 
 ### Default In-Cluster
@@ -92,3 +111,17 @@ the credentials found in the `/path/to/kubeconfig` file.
         }
     }
 ```
+
+### Default In-Cluster with Webhook Rotation
+The following configuration pushes bundle contents from an in-cluster SPIRE
+server to
+- The `bundle.crt` key in the `spire:spire-bundle` ConfigMap
+- Validating and mutating webhooks with a label of `spiffe.io/webhook: true`
+
+```
+    Notifier "k8sbundle" {
+        plugin_data {
+            webhook_label = "spiffe.io/webhook"
+        }
+    }
+```

doc/spire_agent.md

@@ -109,7 +109,7 @@ The agent can expose additional endpoint that can be used for health checking. I
 health_checks {
         listener_enabled = true
         bind_address = "localhost"
-        bind_port = "80"
+        bind_port = "8080"
         live_path = "/live"
         ready_path = "/ready"
 }