diff --git a/README.md b/README.md
index 965cc2c9..cf2f5edc 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
 | `jwt_audience` | JWT SVID audience. | `"your-audience"` |
 | `jwt_svid_file_name` | File name to be used to store JWT SVID in Base64-encoded string. | `"jwt_svid.token"` |
 | `jwt_bundle_file_name` | File name to be used to store JWT Bundle in JSON format. | `"jwt_bundle.json"` |
- | `federated_trust_domains` | In federation scenarios, trust domains managed by the federated server. These trust domains must be specified in the workload registration entry by using the `federatesWith` parameter. | `["example.org", "example2.org2"]` |
+ | `federated_trust_domains` | Include trust domains from federated servers in the CA bundle. | `true` |
 ### Configuration example
diff --git a/pkg/sidecar/config.go b/pkg/sidecar/config.go
index d702975b..d6bab28d 100644
--- a/pkg/sidecar/config.go
+++ b/pkg/sidecar/config.go
@@ -31,7 +31,7 @@ type Config struct {
 SvidBundleFileNameDeprecated string `hcl:"svidBundleFileName"`
 RenewSignal string `hcl:"renew_signal"`
 RenewSignalDeprecated string `hcl:"renewSignal"`
- FederatedTrustDomains []string `hcl:"federated_trust_domains"`
+ FederatedTrustDomains bool `hcl:"federated_trust_domains"`
 // JWT configuration
 JWTAudience string `hcl:"jwt_audience"`
diff --git a/pkg/sidecar/sidecar.go b/pkg/sidecar/sidecar.go
index b9105827..0ff96f71 100644
--- a/pkg/sidecar/sidecar.go
+++ b/pkg/sidecar/sidecar.go
@@ -20,7 +20,6 @@ import (
 "github.com/spiffe/go-spiffe/v2/bundle/jwtbundle"
 "github.com/spiffe/go-spiffe/v2/svid/jwtsvid"
 "github.com/spiffe/go-spiffe/v2/workloadapi"
- "github.com/spiffe/go-spiffe/v2/spiffeid"
 "google.golang.org/grpc/codes"
 "google.golang.org/grpc/status"
 )
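Review bot: In the pkg/sidecar/config.go hunk, `FederatedTrustDomains` changes from `[]string` to `bool` while keeping the same HCL key `federated_trust_domains`, so any existing configuration that still supplies a list for that key will stop decoding instead of being migrated. The surrounding struct already carries a deprecation pattern (`RenewSignal` / `RenewSignalDeprecated`), so the safer route is a new key for the boolean — for example `include_federated_domains` — with the old list-typed key kept as a deprecated field that is rejected or warned about explicitly rather than failing inside the HCL decoder. A plural noun for a boolean is also misleading; a name such as `IncludeFederatedDomains` reads as the switch it is. Either way the field deserves a one-line comment stating that, when set, every federated bundle returned by the Workload API is written to the CA bundle file.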
@@ -214,10 +213,12 @@ func (s *Sidecar) dumpBundles(svidResponse *workloadapi.X509Context) error {
 svidBundleFile := path.Join(s.config.CertDir, s.config.SvidBundleFileName)
 certs := svid.Certificates
+
 bundleSet, found := svidResponse.Bundles.Get(svid.ID.TrustDomain())
 if !found {
 return fmt.Errorf("no bundles found for %s trust domain", svid.ID.TrustDomain().String())
 }
+
 bundles := bundleSet.X509Authorities()
 privateKey, err := x509.MarshalPKCS8PrivateKey(svid.PrivateKey)
 if err != nil {
@@ -231,25 +232,18 @@ func (s *Sidecar) dumpBundles(svidResponse *workloadapi.X509Context) error {
 }
 // If using federated domains, add them to the CA bundle
- if len(s.config.FederatedTrustDomains) > 0 {
- for _,trustDomain := range s.config.FederatedTrustDomains {
- federatedTrustDomain, err := spiffeid.TrustDomainFromString(trustDomain)
- if err == nil {
- federationBundleSet, foundFederatedBundle := svidResponse.Bundles.Get(federatedTrustDomain)
-
- if !foundFederatedBundle {
- return fmt.Errorf("no bundles found for %s trust domain", federatedTrustDomain.String())
- }
-
- federationBundles := federationBundleSet.X509Authorities()
- bundles = append(bundles, federationBundles[0:]...)
-
- } else {
- return err
+ if s.config.FederatedTrustDomains {
+ bundleSets := svidResponse.Bundles.Bundles()
+ for _,bundle := range bundleSets {
+ //The bundle corresponding to svid.ID.TrustDomain is already stored
+ if bundle.TrustDomain().String() != svid.ID.TrustDomain().String() {
+ bundles = append(bundles, bundle.X509Authorities()...)
 }
 }
 }
+
+
 if err := writeCerts(svidFile, certs); err != nil {
 return err
 }
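Review bot: The new loop in the second sidecar.go hunk is not gofmt-clean — `for _,bundle := range bundleSets {` needs a space after the comma and `//The bundle ...` a space after the slashes — and it re-evaluates `svid.ID.TrustDomain()` on every iteration; hoisting `localTD := svid.ID.TrustDomain()` above the loop and comparing with `bundle.TrustDomain().String() != localTD.String()` fixes both. The comment should also make the trust decision explicit: with the allow-list removed, which federated authorities land in the CA bundle file is now decided entirely by what the Workload API returns for this workload (its registration entry's `federatesWith`), not by anything in the sidecar config, so a note such as `// Every federated bundle the Workload API returned is trusted; the set is governed by the entry's federatesWith, not by config` belongs here. If `Bundles()` does not return bundles in a stable order, the written bundle file will differ between refreshes even when nothing changed — worth confirming against go-spiffe or sorting by trust domain before appending. dumpBundles starts before the first hunk and ends after this one.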