include federation bundles in the SVID CA bundle

Signed-off-by: Eduardo <[email protected]>
spiffe · Jan 16, 2024 · 46602d6 · 46602d6
1 parent 7cc2b6d
commit 46602d6
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 31 deletions.
diff --git a/README.md b/README.md
@@ -31,8 +31,7 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
  | `jwt_audience`                | JWT SVID audience.                                                                                             | `"your-audience"`                                                                                                                                                    |
  | `jwt_svid_file_name`          | File name to be used to store JWT SVID in Base64-encoded string.                                               | `"jwt_svid.token"`                                                                                                                                                   |
  | `jwt_bundle_file_name`        | File name to be used to store JWT Bundle in JSON format.                                                       | `"jwt_bundle.json"`                                                                                                                                                  |
- | `federated_trust_domain`        | In federation scenarios, trust domain managed by the federated server.                                                       | `"example.org"`                                                                                                                                                  |
- | `federation_bundle_file`        | File name to be used to store the federated domain bundle.                                                       | `"federated_bundle.pem"`                                                                                                                                                  |
+ | `federated_trust_domains`        | In federation scenarios, trust domains managed by the federated server. These trust domains must be specified in the workload registration entry by using the `federatesWith` parameter.                                                      | `["example.org", "example2.org2"]`                                                                                                                                                  |
 
 
 ### Configuration example

diff --git a/pkg/sidecar/config.go b/pkg/sidecar/config.go
@@ -31,8 +31,7 @@ type Config struct {
 	SvidBundleFileNameDeprecated       string `hcl:"svidBundleFileName"`
 	RenewSignal                        string `hcl:"renew_signal"`
 	RenewSignalDeprecated              string `hcl:"renewSignal"`
-	FederatedTrustDomain               string `hcl:"federated_trust_domain"`
-	FederationBundleFile               string `hcl:"federation_bundle_file"`
+	FederatedTrustDomains              []string `hcl:"federated_trust_domains"`
 
 	// JWT configuration
 	JWTAudience       string `hcl:"jwt_audience"`
@@ -123,11 +122,6 @@ func ValidateConfig(c *Config) error {
 		c.RenewSignal = c.RenewSignalDeprecated
 	}
 
-	if c.FederatedTrustDomain != "" {
-		if c.FederationBundleFile == "" {
-			return errors.New("federation_bundle_file must be used when using federated_trust_domain")
-		}
-	}
 
 	x509EmptyCount := countEmpty(c.SvidFileName, c.SvidBundleFileName, c.SvidKeyFileName)
 	jwtSVIDEmptyCount := countEmpty(c.JWTSvidFilename, c.JWTAudience)

diff --git a/pkg/sidecar/sidecar.go b/pkg/sidecar/sidecar.go
@@ -230,6 +230,26 @@ func (s *Sidecar) dumpBundles(svidResponse *workloadapi.X509Context) error {
 		certs = []*x509.Certificate{certs[0]}
 	}
 
+	// If using federated domains, add them to the CA bundle
+	if len(s.config.FederatedTrustDomains) > 0 {
+		for _,trustDomain := range s.config.FederatedTrustDomains {
+			federatedTrustDomain, err := spiffeid.TrustDomainFromString(trustDomain)
+			if err == nil {
+				federationBundleSet, foundFederatedBundle := svidResponse.Bundles.Get(federatedTrustDomain)
+
+				if !foundFederatedBundle {
+					return fmt.Errorf("no bundles found for %s trust domain", federatedTrustDomain.String())
+				}
+
+				federationBundles := federationBundleSet.X509Authorities()
+				bundles = append(bundles, federationBundles[0:]...)
+
+			} else {
+				return err
+			}
+		}
+	}
+
 	if err := writeCerts(svidFile, certs); err != nil {
 		return err
 	}
@@ -242,27 +262,6 @@ func (s *Sidecar) dumpBundles(svidResponse *workloadapi.X509Context) error {
 		return err
 	}
 
-	if s.config.FederatedTrustDomain != "" {
-		federatedTrustDomain, err := spiffeid.TrustDomainFromString(s.config.FederatedTrustDomain)
-		if err == nil {
-			federationBundleSet, foundFederatedBundle := svidResponse.Bundles.Get(federatedTrustDomain)
-
-			if !foundFederatedBundle {
-				return fmt.Errorf("no bundles found for %s trust domain", federatedTrustDomain.String())
-			}
-
-			federationBundles := federationBundleSet.X509Authorities()
-
-			federationBundleFile := path.Join(s.config.CertDir, s.config.FederationBundleFile)
-			if err := writeCerts(federationBundleFile, federationBundles); err != nil {
-				return err
-			}
-
-		} else {
-			return err
-		}
-	}
-
 	return nil
 }
 
@@ -466,4 +465,4 @@ func (w JWTBundlesWatcher) OnJWTBundlesWatchError(err error) {
 	if status.Code(err) != codes.Canceled {
 		w.sidecar.config.Log.Errorf("Error while watching JWT bundles: %v", err)
 	}
-}
+}