Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce EJBCA UpstreamAuthority plugin for SPIRE Server #5201

Closed
wants to merge 8 commits into from
Closed

Introduce EJBCA UpstreamAuthority plugin for SPIRE Server #5201

wants to merge 8 commits into from

Conversation

m8rmclaren
Copy link
Contributor

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality

This PR introduces EJBCA as a Server UpstreamAuthority plugin. This plugin uses a connected EJBCA to issue intermediate certificates for the SPIRE server.

Per #4163, the EJBCA UpstreamAuthority plugin is compatible with EJBCA Community.

Description of change

  • Adds EJBCA as a built-in UpstreamAuthority plugin.
  • Adds the EJBCA Go Client SDK as a required dependency for communicating with the EJBCA REST API.
  • Updates the golang.org/x/oauth2 to v0.21.0 required when importing the EJBCA Go Client SDK.

Which issue this PR fixes

@amartinezfayo amartinezfayo self-assigned this Jun 13, 2024
amartinezfayo
amartinezfayo reviewed Jun 27, 2024
View reviewed changes
Copy link
Member

@amartinezfayo amartinezfayo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @m8rmclaren for this contribution!
While we are waiting for the integration tests to complete the review, I just wanted to provide a couple of comments.

pkg/server/plugin/upstreamauthority/ejbca/ejbca.go Outdated Show resolved Hide resolved
pkg/server/plugin/upstreamauthority/ejbca/ejbca.go Outdated Show resolved Hide resolved
@m8rmclaren
Copy link
Contributor Author

Hey everyone, here's the result of the EJBCA UpstreamAuthority integration test running on my Mac:
image

@m8rmclaren
chore(test): Create EJBCA UpstreamAuthority integraiton test and
a742aa2 
refactor EJBCA config to only support certs from file

Signed-off-by: Hayden Roszell <[email protected]>
@m8rmclaren
Copy link
Contributor Author

Hi @amartinezfayo -

I made the recommended changes to ejbca.Config and resolved what seemed like the issue in the EJBCA integration test. Same as before, the test succeeds on my Mac.

@amartinezfayo
Copy link
Member

Hi @m8rmclaren, just checking in here. Do you need any help or have questions about the latests comments?

@m8rmclaren
Copy link
Contributor Author

Hi @amartinezfayo!

I believe I've resolved the suggestions from your review, with the most important change being the removal of OAuth as an auth method. I also resolved the issue in the EJBCA integration test, and verified that the GitHub Actions run in my fork.

@m8rmclaren m8rmclaren deleted the branch spiffe:main August 13, 2024 15:20
@m8rmclaren m8rmclaren closed this Aug 13, 2024
@m8rmclaren m8rmclaren deleted the main branch August 13, 2024 15:20
@m8rmclaren m8rmclaren mentioned this pull request Aug 13, 2024
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@amartinezfayo amartinezfayo amartinezfayo left review comments

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@azdagron azdagron Awaiting requested review from azdagron azdagron is a code owner

@MarcosDY MarcosDY Awaiting requested review from MarcosDY MarcosDY is a code owner

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

Assignees

@amartinezfayo amartinezfayo

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@m8rmclaren @amartinezfayo