Update jwt test to work with newer slim images (#139)

* install newer version of slim debug - switch to step tool for jwt verification against jwk public keys Signed-off-by: Drew Wells <[email protected]> * use step-cli image Signed-off-by: Drew Wells <[email protected]> * Fix image tag and add upgrade logic Signed-off-by: Kevin Fox <[email protected]> * use registry for consistency Signed-off-by: Kevin Fox <[email protected]> * Fix merge conflicts Signed-off-by: Kevin Fox <[email protected]> --------- Signed-off-by: Drew Wells <[email protected]> Signed-off-by: kfox1111 <[email protected]> Signed-off-by: Kevin Fox <[email protected]> Co-authored-by: kfox1111 <[email protected]>
spiffe · Dec 21, 2023 · e630008 · e630008
1 parent c39dd44
commit e630008
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 9 deletions.
diff --git a/.github/tests/images.json b/.github/tests/images.json
@@ -34,6 +34,10 @@
       "query": "telemetry.prometheus.nginxExporter.image",
       "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
       "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
+    }, {
+      "query": "tests.step.image",
+      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
+      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
     },
     {
       "query": "tests.bash.image",

diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
@@ -110,7 +110,12 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | `tests.toolkit.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `chainguard/slim-toolkit-debug`                                                  |
 | `tests.toolkit.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
 | `tests.toolkit.image.version`                         | This value is deprecated in favor of tag. (Will be removed in a future release)                                                                                                                                                        | `""`                                                                             |
-| `tests.toolkit.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79` |
+| `tests.toolkit.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:b7b4cb6a241990f1caba892e061b6b4fa014d778e9608a94b97580a40ab361bb` |
+| `tests.step.image.registry`                           | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                      |
+| `tests.step.image.repository`                         | The repository within the registry                                                                                                                                                                                                     | `smallstep/step-cli`                                                             |
+| `tests.step.image.pullPolicy`                         | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tests.step.image.version`                            | This value is deprecated in favor of tag. (Will be removed in a future release)                                                                                                                                                        | `""`                                                                             |
+| `tests.step.image.tag`                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `0.25.1`                                                                         |
 | `tests.busybox.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `""`                                                                             |
 | `tests.busybox.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `busybox`                                                                        |
 | `tests.busybox.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |

diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml
@@ -25,6 +25,19 @@ spec:
       volumeMounts:
         - name: data-volume
           mountPath: /data
+    - name: install-step
+      image: {{ template "spire-lib.image" (dict "image" .Values.tests.step.image "global" .Values.global) }}
+      workingDir: /data
+      command:
+        - sh
+        - -c
+        - |
+          cp /usr/local/bin/step /data/step
+      securityContext:
+        {{- include "spire-lib.securitycontext" . | nindent 8 }}
+      volumeMounts:
+        - name: data-volume
+          mountPath: /data
     - name: gettoken
       image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version "image" .Values.tests.agent.image) }}
       command:
@@ -50,19 +63,22 @@ spec:
       image: {{ template "spire-lib.image" (dict "image" .Values.tests.toolkit.image "global" .Values.global) }}
       command:
         - bash
+      workingDir: /data
       env:
       - name: TMPDIR
         value: /data
       args:
-        - -c
+        - -cx
         - |
           URL=http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}
-          curl -k -s -f "${URL}"/keys
-          JWT=$(cat /data/token.svid | jq -r '.[].svids[0].svid' | xargs)
-          cat <<'EOF' >> /data/jwt-decode.sh
-          {{- (.Files.Get "files/test/jwt-decode.sh") | nindent 10 }}
-          EOF
-          bash /data/jwt-decode.sh "${URL}"/keys "${JWT}"
+
+          cat /data/token.svid
+          JWT=$(cat /data/token.svid | jq -r '.[] | select(.svids) | .svids[0].svid' | xargs)
+          KID=$(echo $JWT | base64 -d 2>/dev/null | jq -r '.kid')
+          # Retrieve public key from JWK set, match kid from JWT to locate the correct one
+          curl -k -s --fail-with-body "${URL}"/keys | jq '.keys[] | select(.kid == "'${KID}'")' > public.pem
+          # Verify JWT with public pem
+          echo $JWT | /data/step crypto jwt verify --key=public.pem --alg=RS256 --subtle
       securityContext:
         {{- include "spire-lib.securitycontext" . | nindent 8 }}
       volumeMounts:

diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
@@ -303,7 +303,21 @@ tests:
       repository: chainguard/slim-toolkit-debug
       pullPolicy: IfNotPresent
       version: ""
-      tag: latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79
+      tag: latest@sha256:b7b4cb6a241990f1caba892e061b6b4fa014d778e9608a94b97580a40ab361bb
+
+  step:
+    ## @param tests.step.image.registry The OCI registry to pull the image from
+    ## @param tests.step.image.repository The repository within the registry
+    ## @param tests.step.image.pullPolicy The image pull policy
+    ## @param tests.step.image.version This value is deprecated in favor of tag. (Will be removed in a future release)
+    ## @param tests.step.image.tag Overrides the image tag whose default is the chart appVersion
+    ##
+    image:
+      registry: "docker.io"
+      repository: smallstep/step-cli
+      pullPolicy: IfNotPresent
+      version: ""
+      tag: 0.25.1
 
   busybox:
     ## @param tests.busybox.image.registry The OCI registry to pull the image from