Skip to content

Commit

Permalink
federated_trust_domains as a boolean, including all certs
Browse files Browse the repository at this point in the history
Signed-off-by: Eduardo <[email protected]>
  • Loading branch information
edurra committed Jan 16, 2024
1 parent 46602d6 commit 6dd0de4
Show file tree
Hide file tree
Showing 3 changed files with 12 additions and 18 deletions.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
| `jwt_audience` | JWT SVID audience. | `"your-audience"` |
| `jwt_svid_file_name` | File name to be used to store JWT SVID in Base64-encoded string. | `"jwt_svid.token"` |
| `jwt_bundle_file_name` | File name to be used to store JWT Bundle in JSON format. | `"jwt_bundle.json"` |
| `federated_trust_domains` | In federation scenarios, trust domains managed by the federated server. These trust domains must be specified in the workload registration entry by using the `federatesWith` parameter. | `["example.org", "example2.org2"]` |
| `federated_trust_domains` | Include trust domains from federated servers in the CA bundle. | `true` |


### Configuration example
Expand Down
2 changes: 1 addition & 1 deletion pkg/sidecar/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ type Config struct {
SvidBundleFileNameDeprecated string `hcl:"svidBundleFileName"`
RenewSignal string `hcl:"renew_signal"`
RenewSignalDeprecated string `hcl:"renewSignal"`
FederatedTrustDomains []string `hcl:"federated_trust_domains"`
FederatedTrustDomains bool `hcl:"federated_trust_domains"`

// JWT configuration
JWTAudience string `hcl:"jwt_audience"`
Expand Down
26 changes: 10 additions & 16 deletions pkg/sidecar/sidecar.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@ import (
"github.com/spiffe/go-spiffe/v2/bundle/jwtbundle"
"github.com/spiffe/go-spiffe/v2/svid/jwtsvid"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
Expand Down Expand Up @@ -214,10 +213,12 @@ func (s *Sidecar) dumpBundles(svidResponse *workloadapi.X509Context) error {
svidBundleFile := path.Join(s.config.CertDir, s.config.SvidBundleFileName)

certs := svid.Certificates

bundleSet, found := svidResponse.Bundles.Get(svid.ID.TrustDomain())
if !found {
return fmt.Errorf("no bundles found for %s trust domain", svid.ID.TrustDomain().String())
}

bundles := bundleSet.X509Authorities()
privateKey, err := x509.MarshalPKCS8PrivateKey(svid.PrivateKey)
if err != nil {
Expand All @@ -231,25 +232,18 @@ func (s *Sidecar) dumpBundles(svidResponse *workloadapi.X509Context) error {
}

// If using federated domains, add them to the CA bundle
if len(s.config.FederatedTrustDomains) > 0 {
for _,trustDomain := range s.config.FederatedTrustDomains {
federatedTrustDomain, err := spiffeid.TrustDomainFromString(trustDomain)
if err == nil {
federationBundleSet, foundFederatedBundle := svidResponse.Bundles.Get(federatedTrustDomain)

if !foundFederatedBundle {
return fmt.Errorf("no bundles found for %s trust domain", federatedTrustDomain.String())
}

federationBundles := federationBundleSet.X509Authorities()
bundles = append(bundles, federationBundles[0:]...)

} else {
return err
if s.config.FederatedTrustDomains {
bundleSets := svidResponse.Bundles.Bundles()
for _,bundle := range bundleSets {
//The bundle corresponding to svid.ID.TrustDomain is already stored
if bundle.TrustDomain().String() != svid.ID.TrustDomain().String() {
bundles = append(bundles, bundle.X509Authorities()...)
}
}
}



if err := writeCerts(svidFile, certs); err != nil {
return err
}
Expand Down

0 comments on commit 6dd0de4

Please sign in to comment.