diff --git a/k8s/deploy-all.yaml b/k8s/deploy-all.yaml
new file mode 100644
index 0000000..1011dd0
--- /dev/null
+++ b/k8s/deploy-all.yaml
@@ -0,0 +1,246 @@
+- hosts: localhost
+ vars:
+ hpcs_server_policy: |
+ path "auth/jwt/role/*" {
+ capabilities = ["sudo","read","create","delete","update"]
+ }
+ path "sys/policies/acl/*" {
+ capabilities = ["sudo","read","create","delete","update"]
+ }
+
+ tasks:
+ - name: create hpcs namespace
+ k8s:
+ state: present
+ src: hpcs-namespace.yaml
+
+ - name: create spire-server account
+ k8s:
+ state: present
+ src: spire-server-account.yaml
+
+ - name: create spire-server clusterrole
+ k8s:
+ state: present
+ src: spire-server-cluster-role.yaml
+
+ - name: create spire-server configmap
+ k8s:
+ state: present
+ src: spire-server-configmap.yaml
+
+ - name: create spire-oidc configmap
+ k8s:
+ state: present
+ src: spire-oidc-configmap.yaml
+
+ - name: create spire nginx proxy configmap
+ k8s:
+ state: present
+ src: spire-server-nginx-configmap.yaml
+
+ - name: Create spire-oidc private key
+ openssl_privatekey:
+ path: /etc/certs/hpcs-spire-oidc/selfsigned.key
+ size: 4096
+
+ - name: Create spire-oidc csr
+ openssl_csr:
+ path: /etc/certs/hpcs-spire-oidc/selfsigned.csr
+ privatekey_path: /etc/certs/hpcs-spire-oidc/selfsigned.key
+
+ - name: Create spire-oidc certificate
+ openssl_certificate:
+ provider: selfsigned
+ path: /etc/certs/hpcs-spire-oidc/selfsigned.crt
+ privatekey_path: /etc/certs/hpcs-spire-oidc/selfsigned.key
+ csr_path: /etc/certs/hpcs-spire-oidc/selfsigned.csr
+
+ - name: create spire-server pod (spire-server, spire-oidc, hpcs-nginx)
+ k8s:
+ state: present
+ src: spire-server-statefulset.yaml
+
+ - name: create spire-server service (expose spire server port)
+ k8s:
+ state: present
+ src: spire-server-service.yaml
+
+ - name: create spire-server service (expose spire oidc port)
+ k8s:
+ state: present
+ src: spire-oidc-service.yaml
+
+ - name: Add hashicorp to helm repositories
+ kubernetes.core.helm_repository:
+ name: stable
+ repo_url: "https://helm.releases.hashicorp.com"
+
+ - name: Deploy hashicorp vault
+ kubernetes.core.helm:
+ release_name: vault
+ chart_ref: hashicorp/vault
+ release_namespace: hpcs
+ chart_version: 0.27.0
+
+ - name: Wait for vault to be created
+ shell: "kubectl get po -n hpcs vault-0 --output=jsonpath='{.status}'"
+ register: pod_ready_for_init
+ until: (pod_ready_for_init.stdout | from_json)['containerStatuses'] is defined
+ retries: 10
+ delay: 2
+
+ - name: Initialize vault
+ kubernetes.core.k8s_exec:
+ namespace: hpcs
+ pod: vault-0
+ command: vault operator init -n 1 -t 1 -format json
+ register: vault_init
+ ignore_errors: True
+
+ - name: Showing tokens
+ ansible.builtin.debug:
+ msg:
+ - "Please note the unseal token : {{ (vault_init.stdout | from_json)['unseal_keys_b64'][0] }}"
+ - "Please note the root-token : '{{ (vault_init.stdout | from_json)['root_token' ] }}'"
+ when: vault_init.rc == 0
+
+ - name: Unseal vault
+ kubernetes.core.k8s_exec:
+ namespace: hpcs
+ pod: vault-0
+ command: vault operator unseal {{ (vault_init.stdout | from_json)['unseal_keys_b64'][0] }}
+ when: vault_init.rc == 0
+ ignore_errors: True
+
+ - name: Enable jwt authentication in vault
+ kubernetes.core.k8s_exec:
+ namespace: hpcs
+ pod: vault-0
+ command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token' ] }} ; vault auth enable jwt"
+ when: vault_init.rc == 0
+
+ - name: Enable kv secrets in vault
+ kubernetes.core.k8s_exec:
+ namespace: hpcs
+ pod: vault-0
+ command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token' ] }} ; vault secrets enable -version=2 kv"
+ when: vault_init.rc == 0
+
+ - name: Create hpcs-server vault policy file
+ copy:
+ content: "{{ hpcs_server_policy }}"
+ dest: /tmp/policy
+ when: vault_init.rc == 0
+
+ - name: Copy oidc cert to vault's pod
+ kubernetes.core.k8s_cp:
+ namespace: hpcs
+ pod: vault-0
+ remote_path: /tmp/cert
+ local_path: /etc/certs/hpcs-spire-oidc/selfsigned.crt
+ when: vault_init.rc == 0
+
+ - name: Write oidc config to vault
+ kubernetes.core.k8s_exec:
+ namespace: hpcs
+ pod: vault-0
+ command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token'] }} ; vault write auth/jwt/config oidc_discovery_url=https://spire-oidc oidc_discovery_ca_pem=\"$(cat /tmp/cert)\""
+ when: vault_init.rc == 0
+
+ - name: Copy policy file to vault's pod
+ kubernetes.core.k8s_cp:
+ namespace: hpcs
+ pod: vault-0
+ remote_path: /tmp/policy
+ local_path: /tmp/policy
+ when: vault_init.rc == 0
+
+ - name: Write hpcs-server vault policy
+ kubernetes.core.k8s_exec:
+ namespace: hpcs
+ pod: vault-0
+ command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token'] }} ; vault policy write hpcs-server /tmp/policy"
+ when: vault_init.rc == 0
+
+ - name: Write hpcs-server vault role
+ kubernetes.core.k8s_exec:
+ namespace: hpcs
+ pod: vault-0
+ command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token'] }} ; vault write auth/jwt/role/hpcs-server role_type=jwt user_claim=sub bound_audiences=TESTING bound_subject=spiffe://hpcs/hpcs-server/workload token_ttl=24h token_policies=hpcs-server"
+ when: vault_init.rc == 0
+
+ - name: Check cgroups version
+ kubernetes.core.k8s_exec:
+ namespace: hpcs
+ pod: vault-0
+ command: sh -c "cat /proc/filesystems | grep cgroup2"
+ register: cgroups_check
+
+ - name: Register node uid and nodename
+ shell: "kubectl get nodes -o json"
+ register: kubectl_node_info
+
+ - name: Register hpcs-server identity
+ kubernetes.core.k8s_exec:
+ namespace: hpcs
+ pod: spire-server-0
+ container: spire-server
+ command: ./bin/spire-server entry create -parentID spiffe://hpcs/spire/agent/k8s_psat/{{ (kubectl_node_info.stdout | from_json)['items'][0]['metadata']['name'] }}/{{ (kubectl_node_info.stdout | from_json)['items'][0]['metadata']['uid'] }} -spiffeID spiffe://hpcs/hpcs-server/workload -selector unix:uid:0
+ register: cgroups_check
+ when: cgroups_check.rc == 0
+ ignore_errors: True
+
+ - name: Register hpcs-server identity
+ kubernetes.core.k8s_exec:
+ namespace: hpcs
+ pod: spire-server-0
+ container: spire-server
+ command: ./bin/spire-server entry create -parentID spiffe://hpcs/spire/agent/k8s_psat/{{ (kubectl_node_info.stdout | from_json)['items'][0]['metadata']['name'] }}/{{ (kubectl_node_info.stdout | from_json)['items'][0]['metadata']['uid'] }} -spiffeID spiffe://hpcs/hpcs-server/workload -selector k8s:pod-name:hpcs-server
+ register: cgroups_check
+ when: cgroups_check.rc == 1
+ ignore_errors: True
+
+ - name: Expose vault's web port
+ kubernetes.core.k8s_service:
+ state: present
+ name: vault-external
+ type: NodePort
+ namespace: hpcs
+ ports:
+ - port: 8200
+ protocol: TCP
+ selector:
+ service: vault
+
+ - name: Create hpcs-server account
+ k8s:
+ state: present
+ src: hpcs-server-account.yaml
+
+ - name: Create hpcs-spire account
+ k8s:
+ state: present
+ src: hpcs-spire-account.yaml
+
+ - name: Create hpcs-server configmap
+ k8s:
+ state: present
+ src: hpcs-server-configmap.yaml
+
+ - name: Create hpcs-server statefulset and pod
+ k8s:
+ state: present
+ src: hpcs-server-statefulset.yaml
+
+ - name: Expose hpcs-server's web port
+ kubernetes.core.k8s_service:
+ state: present
+ name: hpcs-external
+ type: NodePort
+ namespace: hpcs
+ ports:
+ - port: 10080
+ protocol: TCP
+ selector:
+ service: hpcs-server
diff --git a/k8s/hpcs-namespace.yaml b/k8s/hpcs-namespace.yaml
new file mode 100644
index 0000000..8280228
--- /dev/null
+++ b/k8s/hpcs-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: hpcs
diff --git a/k8s/hpcs-server-account.yaml b/k8s/hpcs-server-account.yaml
new file mode 100644
index 0000000..e51e313
--- /dev/null
+++ b/k8s/hpcs-server-account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: hpcs-server
+ namespace: hpcs
diff --git a/k8s/hpcs-server-configmap.yaml b/k8s/hpcs-server-configmap.yaml
new file mode 100644
index 0000000..f58e239
--- /dev/null
+++ b/k8s/hpcs-server-configmap.yaml
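Review bot: The fallback `Register hpcs-server identity` task uses `-selector k8s:pod-name:hpcs-server`, but the pod produced by the `hpcs-server` StatefulSet is named `hpcs-server-0`, so that entry can never be attested; `k8s:sa:hpcs-server` (or `k8s:pod-name:hpcs-server-0`) would match. Both registration tasks also `register: cgroups_check`, clobbering the result the `when: cgroups_check.rc == 1` guard reads — when the first task is skipped the registered value has no `rc` and the second task fails on an undefined attribute; register them under their own names, e.g. `register: entry_uid` / `register: entry_podname`. Separately, the Vault root token is echoed by `Showing tokens` and passed inline in every `sh -c "export VAULT_TOKEN=..."` command, so it ends up in Ansible output and in exec audit logs; at minimum put `no_log: true` on those tasks, and better mint a short-lived scoped token right after init and revoke it at the end of the play. `-n 1 -t 1` with `ignore_errors: True` on init and unseal is an evaluation-only shape and deserves a comment saying so.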
@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: hpcs-server
+ namespace: hpcs
+data:
+ hpcs-server.conf: |
+ [spire-server]
+ address = localhost
+ port = 8081
+ trust-domain = hpcs
+ pre-command = ""
+ spire-server-bin = spire-server
+ socket-path = /var/run/sockets/server/api.sock
+
+ [spire-agent]
+ spire-agent-socket = /run/sockets/agent/agent.sock
+
+ [vault]
+ url = http://vault:8200
+ server-role = hpcs-server
+
+ agent.conf: |
+ agent {
+ data_dir = "./data/agent"
+ log_level = "DEBUG"
+ trust_domain = "hpcs"
+ server_address = "spire-server"
+ server_port = 8081
+ socket_path = "/var/run/sockets/agent/agent.sock"
+ admin_socket_path = "/var/run/sockets/admin/admin.sock"
+
+ # Insecure bootstrap is NOT appropriate for production use but is ok for
+ # simple testing/evaluation purposes.
+ insecure_bootstrap = true
+ }
+
+ plugins {
+ KeyManager "disk" {
+ plugin_data {
+ directory = "./data/agent"
+ }
+ }
+
+ NodeAttestor "k8s_psat" {
+ plugin_data {
+ cluster = "docker-desktop"
+ }
+ }
+
+ WorkloadAttestor "k8s" {
+ plugin_data {
+ }
+ }
+
+ WorkloadAttestor "unix" {
+ plugin_data {
+ discover_workload_path = true
+ }
+ }
+ }
diff --git a/k8s/hpcs-server-service.yaml b/k8s/hpcs-server-service.yaml
new file mode 100644
index 0000000..59d45fc
--- /dev/null
+++ b/k8s/hpcs-server-service.yaml
@@ -0,0 +1,14 @@
+# Service definition for spire-oidc (expose the OIDC socket)
+apiVersion: v1
+kind: Service
+metadata:
+ name: hpcs-server
+ namespace: hpcs
+spec:
+ clusterIP: None
+ selector:
+ app: hpcs-server
+ ports:
+ - name: https
+ port: 10080
+ targetPort: hpcs-server
diff --git a/k8s/hpcs-server-statefulset.yaml b/k8s/hpcs-server-statefulset.yaml
new file mode 100644
index 0000000..276f876
--- /dev/null
+++ b/k8s/hpcs-server-statefulset.yaml
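Review bot: `url = http://vault:8200` under `[vault]` means hpcs-server presents its JWT-SVID and receives Vault tokens in cleartext over the cluster network; once the chart is configured with TLS the URL should become `https://vault:8200` with the CA made available to hpcs-server. `insecure_bootstrap = true` in `agent.conf` skips verification of the server on first contact, as its own comment says; outside docker-desktop the agent should instead set `trust_bundle_path` to the bundle the `k8sbundle` notifier publishes into the `spire-bundle` ConfigMap. `spire-agent-socket = /run/sockets/agent/agent.sock` and the agent's `socket_path = "/var/run/sockets/agent/agent.sock"` only coincide where `/var/run` is a symlink to `/run`, which holds on most images but is worth a one-line comment so the two are not changed independently.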
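Review bot: The header comment of hpcs-server-service.yaml is copied from the spire-oidc service and describes the wrong object; `# Service definition for hpcs-server (headless, exposes the API port)` matches what follows. The port is named `https`, which asserts TLS on 10080, yet nothing on this page shows hpcs-server terminating TLS; if it serves plain HTTP, name the port `http` (or `tcp-hpcs`) so the name does not mislead operators reading the Service.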
@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: hpcs-server
+ namespace: hpcs
+ labels:
+ app: hpcs-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: hpcs-server
+ serviceName: hpcs-server
+ template:
+ metadata:
+ namespace: hpcs
+ labels:
+ app: hpcs-server
+ spec:
+ serviceAccountName: hpcs-server
+ shareProcessNamespace: true
+ containers:
+ - name: hpcs-server
+ image: ghcr.io/cscfi/hpcs/server:0.1.1
+ ports:
+ - containerPort: 10080
+ name: hpcs-server
+ volumeMounts:
+ - name: hpcs-server-configs
+ mountPath: /tmp/
+ readOnly: false
+ - name: hpcs-spire-sockets
+ mountPath: /var/run/sockets
+ readOnly: false
+ - name: hpcs-spire-agent-token
+ mountPath: /var/run/secrets/tokens
+ readOnly: true
+ volumes:
+ - name: hpcs-server-configs
+ configMap:
+ name: hpcs-server
+ - name: hpcs-spire-sockets
+ hostPath:
+ path: /run/spire/sockets
+ type: DirectoryOrCreate
+ - name: hpcs-spire-agent-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: spire-agent
+ expirationSeconds: 7200
+ audience: spire-server
+ volumeClaimTemplates:
+ - metadata:
+ name: spire-agent-data
+ namespace: hpcs
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/k8s/hpcs-spire-account.yaml b/k8s/hpcs-spire-account.yaml
new file mode 100644
index 0000000..690a8a6
--- /dev/null
+++ b/k8s/hpcs-spire-account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: hpcs-spire
+ namespace: hpcs
diff --git a/k8s/spire-oidc-configmap.yaml b/k8s/spire-oidc-configmap.yaml
new file mode 100644
index 0000000..9de2be7
--- /dev/null
+++ b/k8s/spire-oidc-configmap.yaml
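Review bot: The `spire-agent-data` claim in `volumeClaimTemplates` is never mounted by the container, so a 1Gi PVC is created per pod and left unused while the agent's `data_dir = "./data/agent"` (hpcs-server-configmap.yaml) lives in the ephemeral container layer; either mount it at that directory or drop the template. The pod also combines `shareProcessNamespace: true`, a read-write `hostPath` at `/run/spire/sockets` with `type: DirectoryOrCreate`, and no `securityContext`, a wide footprint for a workload the playbook identifies by `unix:uid:0`; if the server can run unprivileged, `runAsNonRoot: true` and `readOnlyRootFilesystem: true`, plus `type: Directory` on the hostPath, narrow it. Mounting the ConfigMap at `/tmp/` replaces the whole directory, and `readOnly: false` has no effect on a ConfigMap volume, so a comment stating that `/tmp` is intentionally read-only config would save the next reader a surprise.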
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: spire-oidc
+ namespace: hpcs
+data:
+ oidc-discovery-provider.conf: |
+ log_level = "debug"
+ domains = ["spire-oidc"]
+ listen_socket_path = "/tmp/spire-server/private/oidc-api.sock"
+
+ server_api {
+ address = "unix:///tmp/spire-server/private/api.sock"
+ }
+
+ health_checks {}
diff --git a/k8s/spire-oidc-service.yaml b/k8s/spire-oidc-service.yaml
new file mode 100644
index 0000000..c425c1e
--- /dev/null
+++ b/k8s/spire-oidc-service.yaml
@@ -0,0 +1,14 @@
+# Service definition for spire-oidc (expose the OIDC socket)
+apiVersion: v1
+kind: Service
+metadata:
+ name: spire-oidc
+ namespace: hpcs
+spec:
+ type: LoadBalancer
+ selector:
+ app: spire-server
+ ports:
+ - name: https
+ port: 443
+ targetPort: hpcs-nginx
diff --git a/k8s/spire-server-account.yaml b/k8s/spire-server-account.yaml
new file mode 100644
index 0000000..2135836
--- /dev/null
+++ b/k8s/spire-server-account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: spire-server
+ namespace: hpcs
diff --git a/k8s/spire-server-cluster-role.yaml b/k8s/spire-server-cluster-role.yaml
new file mode 100644
index 0000000..41defa1
--- /dev/null
+++ b/k8s/spire-server-cluster-role.yaml
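Review bot: `type: LoadBalancer` in spire-oidc-service.yaml publishes the OIDC discovery/JWKS endpoint outside the cluster, while the only consumer on this page — Vault's `oidc_discovery_url=https://spire-oidc` in deploy-all.yaml — is in-cluster; `type: ClusterIP` is sufficient and keeps the endpoint off the external surface. If external access is intended, the provider's `domains = ["spire-oidc"]` in spire-oidc-configmap.yaml must also list the external hostname, and the self-signed certificate generated by the playbook must carry it as a SAN, otherwise the provider rejects the Host and TLS verification fails.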
@@ -0,0 +1,28 @@
+# ClusterRole to allow spire-server node attestor to query Token Review API
+# and to be able to push certificate bundles to a configmap
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: spire-server-trust-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+- apiGroups: [""]
+ resources: ["configmaps","pods","nodes"]
+ verbs: ["patch", "get", "list"]
+
+---
+# Binds above cluster role to spire-server service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: spire-server-trust-role-binding
+subjects:
+- kind: ServiceAccount
+ name: spire-server
+ namespace: hpcs
+roleRef:
+ kind: ClusterRole
+ name: spire-server-trust-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/k8s/spire-server-configmap.yaml b/k8s/spire-server-configmap.yaml
new file mode 100644
index 0000000..6a9a079
--- /dev/null
+++ b/k8s/spire-server-configmap.yaml
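Review bot: The second rule grants `patch`, `get` and `list` on `configmaps`, `pods` and `nodes` cluster-wide, which is broader than the two consumers on this page need: the `k8s_psat` attestor reads pods and nodes, and the `k8sbundle` notifier in spire-server-configmap.yaml only patches ConfigMaps in `namespace = "hpcs"`. With this binding, a compromised spire-server can rewrite any ConfigMap in any namespace. Keep the ClusterRole read-only for pods and nodes and move the ConfigMap write into a namespaced Role plus RoleBinding in `hpcs`, as sketched below; the existing ClusterRoleBinding stays as it is.
```yaml
rules:
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["pods", "nodes"]
  verbs: ["get", "list"]

---
# Namespaced: the k8sbundle notifier only patches ConfigMaps in hpcs
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: spire-server-bundle-role
  namespace: hpcs
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["patch", "get", "list"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: spire-server-bundle-role-binding
  namespace: hpcs
subjects:
- kind: ServiceAccount
  name: spire-server
  namespace: hpcs
roleRef:
  kind: Role
  name: spire-server-bundle-role
  apiGroup: rbac.authorization.k8s.io
# … unchanged: ClusterRoleBinding spire-server-trust-role-binding …
```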
@@ -0,0 +1,73 @@
+apiVersion: v1
+
+kind: ConfigMap
+metadata:
+ name: spire-bundle
+ namespace: hpcs
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: spire-server
+ namespace: hpcs
+data:
+ server.conf: |
+ server {
+ bind_address = "0.0.0.0"
+ bind_port = "8081"
+ socket_path = "/tmp/spire-server/private/api.sock"
+ trust_domain = "hpcs"
+ data_dir = "/run/spire/data"
+ log_level = "DEBUG"
+ ca_key_type = "rsa-2048"
+
+ jwt_issuer = "spire-server"
+ default_jwt_svid_ttl = "1h"
+
+ ca_subject = {
+ country = ["US"],
+ organization = ["SPIFFE"],
+ common_name = "",
+ }
+ }
+
+ plugins {
+ DataStore "sql" {
+ plugin_data {
+ database_type = "sqlite3"
+ connection_string = "/run/spire/data/datastore.sqlite3"
+ }
+ }
+
+ NodeAttestor "k8s_psat" {
+ plugin_data {
+ clusters = {
+ "docker-desktop" = {
+ use_token_review_api_validation = true
+ service_account_allow_list = ["hpcs:hpcs-server"]
+ }
+ }
+ }
+ }
+
+ KeyManager "disk" {
+ plugin_data {
+ keys_path = "/run/spire/data/keys.json"
+ }
+ }
+
+ Notifier "k8sbundle" {
+ plugin_data {
+ namespace = "hpcs"
+ }
+ }
+ }
+
+ health_checks {
+ listener_enabled = true
+ bind_address = "0.0.0.0"
+ bind_port = "8080"
+ live_path = "/live"
+ ready_path = "/ready"
+ }
diff --git a/k8s/spire-server-nginx-configmap.yaml b/k8s/spire-server-nginx-configmap.yaml
new file mode 100644
index 0000000..0eba7ec
--- /dev/null
+++ b/k8s/spire-server-nginx-configmap.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: hpcs-nginx
+ namespace: hpcs
+data:
+ nginx.conf: |
+ events {}
+ http {
+ access_log /tmp/access.log;
+ error_log /tmp/error.log;
+
+ upstream spire-oidc {
+ server unix:/tmp/spire-server/private/oidc-api.sock;
+ }
+
+ server{
+ listen 443 ssl;
+ ssl_certificate /certs/selfsigned.crt;
+ ssl_certificate_key /certs/selfsigned.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ location / {
+ proxy_pass http://spire-oidc;
+ }
+ }
+ }
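Review bot: `jwt_issuer = "spire-server"` in server.conf is unlikely to match the issuer Vault derives from `oidc_discovery_url=https://spire-oidc` in deploy-all.yaml; Vault's JWT auth checks the token's `iss` claim against the discovery issuer unless `bound_issuer` is set, so JWT-SVID logins would be rejected. Setting `jwt_issuer = "https://spire-oidc"` (the value the discovery provider serves as `issuer`) is the usual fix — worth confirming against the deployed Vault and SPIRE versions. `default_jwt_svid_ttl = "1h"` next to the Vault role's `token_ttl=24h` means a Vault token outlives the SVID that minted it by a day; aligning the two keeps the window of a leaked token bounded by the identity's own lifetime.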
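Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in nginx.conf re-enables TLS 1.0 and 1.1, which are deprecated and only add a downgrade surface since the sole client on this page, Vault, negotiates TLS 1.2 or better; change it to `ssl_protocols TLSv1.2 TLSv1.3;`. The certificate and private key are read from `/certs`, which spire-server-statefulset.yaml mounts from a `hostPath`; a `kubernetes.io/tls` Secret would keep the key off the node filesystem and out of `DirectoryOrCreate` semantics. The ConfigMap is mounted over `/etc/nginx/` and therefore replaces the stock `mime.types`, which is harmless for a pure proxy but deserves a comment so nobody adds `include mime.types;` later.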
diff --git a/k8s/spire-server-service.yaml b/k8s/spire-server-service.yaml
new file mode 100644
index 0000000..3e2baf2
--- /dev/null
+++ b/k8s/spire-server-service.yaml
@@ -0,0 +1,14 @@
+# Service definition for spire server
+apiVersion: v1
+kind: Service
+metadata:
+ name: spire-server
+ namespace: hpcs
+spec:
+ type: LoadBalancer
+ selector:
+ app: spire-server
+ ports:
+ - name: tcp-spire
+ port: 8081
+ targetPort: spire-server
diff --git a/k8s/spire-server-statefulset.yaml b/k8s/spire-server-statefulset.yaml
new file mode 100644
index 0000000..f1baa0d
--- /dev/null
+++ b/k8s/spire-server-statefulset.yaml
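Review bot: `type: LoadBalancer` exposes the SPIRE server's agent/registration API on 8081 outside the cluster, while the only agent on this page (the one embedded in hpcs-server, `server_address = "spire-server"`) reaches it by cluster DNS; unless out-of-cluster agents are planned, `type: ClusterIP` keeps the API internal. PSAT attestation with `service_account_allow_list = ["hpcs:hpcs-server"]` limits who can join, but the listener itself is still reachable by anyone on the load balancer's network, so the choice should be stated in the header comment.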
@@ -0,0 +1,119 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: spire-server + namespace: hpcs + labels: + app: spire-server +spec: + replicas: 1 + selector: + matchLabels: + app: spire-server + serviceName: spire-server + template: + metadata: + namespace: hpcs + labels: + app: spire-server + spec: + serviceAccountName: spire-server + shareProcessNamespace: true + containers: + - name: hpcs-nginx + image: nginx + volumeMounts: + - name: nginx-config + mountPath: /etc/nginx/ + readOnly: true + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: false + - name: nginx-certs + mountPath: /certs + readOnly: true + ports: + - containerPort: 443 + name: hpcs-nginx + - name: spire-server + image: ghcr.io/spiffe/spire-server:1.9.0 + args: + - -config + - /run/spire/config/server.conf + ports: + - containerPort: 8081 + name: spire-server + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-data + mountPath: /run/spire/data + readOnly: false + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: false + livenessProbe: + httpGet: + path: /live + port: 8080 + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: spire-oidc + image: ghcr.io/spiffe/oidc-discovery-provider:1.9.0 + args: + - -config + - /run/spire/oidc/config/oidc-discovery-provider.conf + volumeMounts: + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: false + - name: spire-oidc-config + mountPath: /run/spire/oidc/config/ + readOnly: true + - name: spire-data + mountPath: /run/spire/data + readOnly: false + readinessProbe: + httpGet: + path: /ready + port: 8008 + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 3 + volumes: + - name: nginx-config + configMap: + name: hpcs-nginx + - name: spire-config + configMap: + 
name: spire-server + - name: spire-server-socket + hostPath: + path: /run/spire/sockets/server + type: DirectoryOrCreate + - name: spire-oidc-config + configMap: + name: spire-oidc + - name: nginx-certs + hostPath: + path: /etc/certs/hpcs-spire-oidc + type: DirectoryOrCreate + volumeClaimTemplates: + - metadata: + name: spire-data + namespace: hpcs + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/server/app.py b/server/app.py index 69b0fb3..6335cf5 100644 --- a/server/app.py +++ b/server/app.py @@ -9,6 +9,7 @@ from lib import spire_interactions from tools.docker_utils import get_build_env_image_digests from pyspiffe.spiffe_id.spiffe_id import SpiffeId +from pyspiffe.workloadapi import default_jwt_source from tools.config.config import parse_configuration from tools.cli.cli import parse_arguments @@ -30,6 +31,30 @@ "spire-server-bin" ] +if configuration["spire-agent"].get("spire-agent-socket"): + spire_interactions.jwt_workload_api = default_jwt_source.DefaultJwtSource( + workload_api_client=None, + spiffe_socket_path=f"unix://{configuration['spire-agent'].get('spire-agent-socket')}", + timeout_in_seconds=None, + ) + +else: + spire_interactions.jwt_workload_api = default_jwt_source.DefaultJwtSource( + workload_api_client=None, + spiffe_socket_path="unix:///tmp/spire-agent/public/api.sock", + timeout_in_seconds=None, + ) + +if configuration["spire-agent"].get("hpcs-server-spiffeid"): + spire_interactions.hpcs_server_spiffeid = configuration["spire-agent"].get( + "hpcs-server-spiffeid" + ) + +if configuration["spire-server"].get("socket-path"): + spire_interactions.spire_server_socketpath = configuration["spire-server"].get( + "socket-path" + ) + if configuration["spire-server"].get("pre-command"): spire_interactions.pre_command = configuration["spire-server"]["pre-command"] if configuration["spire-server"]["pre-command"] == '""': 
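Review bot: `image: nginx` in spire-server-statefulset.yaml carries no tag or digest, so each restart may pull a different `latest` for the TLS front door of the OIDC endpoint; pin it the way the sibling containers are (`spire-server:1.9.0`, `oidc-discovery-provider:1.9.0`), ideally by `@sha256:` digest. The nginx container mounts the server key from `hostPath: /etc/certs/hpcs-spire-oidc` with `DirectoryOrCreate`, which only works when the Ansible controller is the node and leaves the key on the node filesystem; a `kubernetes.io/tls` Secret scopes it to the pod. The `spire-oidc` container mounts `spire-data` read-write although its config only talks to the server's Unix socket, so `readOnly: true` or dropping that mount limits what a compromised provider can touch. The pod sets no `securityContext` at all; at least `readOnlyRootFilesystem` on nginx and the provider is cheap here.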
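Review bot: The two branches of the new `if configuration["spire-agent"].get("spire-agent-socket"):` block in server/app.py construct `DefaultJwtSource` identically except for `spiffe_socket_path`; derive the path first and build the source once: `agent_socket = configuration["spire-agent"].get("spire-agent-socket") or "/tmp/spire-agent/public/api.sock"` followed by a single `spire_interactions.jwt_workload_api = default_jwt_source.DefaultJwtSource(workload_api_client=None, spiffe_socket_path=f"unix://{agent_socket}", timeout_in_seconds=None)`. The literal `/tmp/spire-agent/public/api.sock` is the default this commit removes from spire_interactions.py, so keeping it in one named place with a comment `# default agent socket when [spire-agent] spire-agent-socket is unset` avoids it diverging again.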
diff --git a/server/lib/spire_interactions.py b/server/lib/spire_interactions.py index d6fc428..6416f64 100644 --- a/server/lib/spire_interactions.py +++ b/server/lib/spire_interactions.py @@ -8,11 +8,9 @@ pre_command = "microk8s.kubectl exec -n spire spire-server-0 --" -jwt_workload_api = default_jwt_source.DefaultJwtSource( - workload_api_client=None, - spiffe_socket_path="unix:///tmp/spire-agent/public/api.sock", - timeout_in_seconds=None, -) +jwt_workload_api = None +hpcs_server_spiffeid = "spiffe://hpcs/hpcs-server/workload" +spire_server_socketpath = "/tmp/spire-server/private/api.sock:" def token_generate(spiffeID: SpiffeId) -> subprocess.CompletedProcess: @@ -26,11 +24,11 @@ def token_generate(spiffeID: SpiffeId) -> subprocess.CompletedProcess: """ if pre_command != "": - command = f"{pre_command} {spire_server_bin} token generate -spiffeID {str(spiffeID)}".split( + command = f"{pre_command} {spire_server_bin} token generate -socketPath {spire_server_socketpath} -spiffeID {str(spiffeID)}".split( " " ) else: - command = f"{spire_server_bin} token generate -spiffeID {str(spiffeID)}".split( + command = f"{spire_server_bin} token generate -socketPath {spire_server_socketpath} -spiffeID {str(spiffeID)}".split( " " ) @@ -51,11 +49,11 @@ def entry_create( subprocess.CompletedProcess: result of the cli command to create the entry """ if pre_command != "": - command = f"{pre_command} {spire_server_bin} entry create -parentID {str(parentID)} -spiffeID {str(spiffeID)}".split( + command = f"{pre_command} {spire_server_bin} entry create -socketPath {spire_server_socketpath} -parentID {str(parentID)} -spiffeID {str(spiffeID)}".split( " " ) else: - command = f"{spire_server_bin} entry create -parentID {str(parentID)} -spiffeID {str(spiffeID)}".split( + command = f"{spire_server_bin} entry create -socketPath {spire_server_socketpath} -parentID {str(parentID)} -spiffeID {str(spiffeID)}".split( " " ) 
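Review bot: The new default `spire_server_socketpath = "/tmp/spire-server/private/api.sock:"` ends in a stray colon; it is interpolated as `-socketPath {spire_server_socketpath}` in the `token_generate` and `entry_create` hunks below, so any deployment that does not set `socket-path` under `[spire-server]` (server/app.py only overrides when the key is present) hands spire-server an invalid socket path. Change it to `spire_server_socketpath = "/tmp/spire-server/private/api.sock"`. `jwt_workload_api = None` also means `get_server_identity_JWT` raises `AttributeError` unless app.py's initialization has run first; a comment such as `# populated by server/app.py once the configuration is parsed` on that line documents the ordering dependency.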
@@ -77,7 +75,7 @@ def get_server_identity_JWT() -> JwtSvid: # Perform an api fetch using pyspiffe SVID = jwt_workload_api.fetch_svid( audiences=["TESTING"], - subject=SpiffeId("spiffe://lumi-sd-dev/lumi-sd-server"), + subject=SpiffeId(f"{hpcs_server_spiffeid}"), ) return SVID diff --git a/server/tools/config/config.py b/server/tools/config/config.py index 7280a74..2257e11 100644 --- a/server/tools/config/config.py +++ b/server/tools/config/config.py @@ -5,6 +5,9 @@ def parse_configuration(path: str): config = ConfigParser() config.read(path) + if not "spire-agent" in config: + raise NoSectionError("spire-agent section missing, aborting") + if not "spire-server" in config: raise NoSectionError("spire-server section missing, aborting")
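Review bot: `subject=SpiffeId(f"{hpcs_server_spiffeid}")` wraps a value that is already a `str` in an f-string; `subject=SpiffeId(hpcs_server_spiffeid)` is the direct form. `get_server_identity_JWT` starts above this hunk, and the line just above it dereferences `jwt_workload_api`, which this commit changes to `None` at import time, so the function should state (a docstring line or a `# requires server/app.py to have set jwt_workload_api` comment) that it cannot be called before app.py's setup runs. The audience `"TESTING"` stays hard-coded while the subject and socket became configurable; it must agree with the Vault role's `bound_audiences=TESTING` in deploy-all.yaml, so reading both from the same configuration key would prevent drift.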
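Review bot: `if not "spire-agent" in config:` in server/tools/config/config.py reads better as `if "spire-agent" not in config:` (PEP 8 E713), and the existing `spire-server` check beneath it has the same shape. `NoSectionError` takes the section name as its argument and formats its own message (`No section: ...`), so `NoSectionError("spire-agent section missing, aborting")` renders the text as the section name; `raise NoSectionError("spire-agent")` is the conventional call. `parse_configuration` continues outside the hunk.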