Add support for the VenafiConnection CRD so that users can start using the Workload Identity Federation authentication ("secretless")

.github/workflows/release-master.yml

@@ -11,17 +11,46 @@ jobs:
   vet:
     name: vet
     runs-on: ubuntu-22.04
-    container: golang:1.19
+    container: golang:1.22
     steps:
+    - name: "Add GitHub to the SSH known hosts file"
+      run: |
+        mkdir -p -m 0700 /root/.ssh
+        cat <<EOF >/root/.ssh/known_hosts
+        github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+        github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+        github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
+        EOF
+        chmod 600 /root/.ssh/known_hosts
+        touch /root/.ssh/config
+    - uses: webfactory/[email protected]
+      with:
+        ssh-private-key: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}
     - uses: actions/checkout@v4
     - run: make vet
       shell: bash
   test:
     name: go test
     runs-on: ubuntu-22.04
-    container: golang:1.19
+    container: golang:1.22
     steps:
+    - name: "Add GitHub to the SSH known hosts file"
+      run: |
+        mkdir -p -m 0700 /root/.ssh
+        cat <<EOF >/root/.ssh/known_hosts
+        github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+        github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+        github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
+        EOF
+        chmod 600 /root/.ssh/known_hosts
+        touch /root/.ssh/config
+    - uses: webfactory/[email protected]
+      with:
+        ssh-private-key: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}
     - uses: actions/checkout@v4
+    - name: Adding github workspace as safe directory
+      # See issue https://github.com/actions/checkout/issues/760
+      run: git config --global --add safe.directory $GITHUB_WORKSPACE
     - run: make test
   docker_build:
     name: docker_build
@@ -41,6 +70,9 @@ jobs:
       packages: write
       id-token: write
     steps:
+    - uses: webfactory/[email protected]
+      with:
+        ssh-private-key: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}
     - name: Install Tools
       # Installing 'bash' because it's required by the 'cosign-installer' action
       # and 'coreutils' because the 'slsa-provenance-action' requires a version

.github/workflows/test.yml

@@ -9,21 +9,63 @@ on:
     branches:
       - "*"
 
+env:
+  GOPRIVATE: github.com/jetstack/venafi-connection-lib
+
 jobs:
   vet:
     name: vet
     runs-on: ubuntu-22.04
-    container: golang:1.19
+    container: golang:1.22
     steps:
     - uses: actions/checkout@v4
+    # The only reason we need to configure ~/.ssh/known_hosts is because we are
+    # using a container-based runner. Non-container runners already have the
+    # github.com fingerprints in their known_hosts file. We could use `curl
+    # --silent https://api.github.com/meta` to fetch it but golang:1.22 does not
+    # have jq installed.
+    #
+    # Remember that the container "golang:1.22.0" has two "homes": /root is the
+    # home returned by getent(), which is what the GitHub Action and SSH will
+    # use to load .ssh/config and keys under .ssh/, and $HOME is /github/home,
+    # which is where Git loads ~/.gitconfig from.
+    - name: "Add GitHub to the SSH known hosts file"
+      run: |
+        mkdir -p -m 0700 /root/.ssh
+        cat <<EOF >/root/.ssh/known_hosts
+        github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+        github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+        github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
+        EOF
+        chmod 600 /root/.ssh/known_hosts
+        touch /root/.ssh/config
+    - uses: webfactory/[email protected]
+      with:
+        ssh-private-key: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}
     - run: make vet
       shell: bash
   test:
     name: go test
     runs-on: ubuntu-22.04
-    container: golang:1.19
+    container: golang:1.22
     steps:
+    - name: "Add GitHub to the SSH known hosts file"
+      run: |
+        mkdir -p -m 0700 /root/.ssh
+        cat <<EOF >/root/.ssh/known_hosts
+        github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+        github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+        github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
+        EOF
+        chmod 600 /root/.ssh/known_hosts
+        touch /root/.ssh/config
+    - uses: webfactory/[email protected]
+      with:
+        ssh-private-key: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}
     - uses: actions/checkout@v4
+    - name: Adding github workspace as safe directory
+      # See issue https://github.com/actions/checkout/issues/760
+      run: git config --global --add safe.directory $GITHUB_WORKSPACE
     - run: make test
   docker_build:
     name: docker_build
@@ -41,6 +83,9 @@ jobs:
     steps:
     - name: Install Tools
       run: apk add --update make git jq rsync curl
+    - uses: webfactory/[email protected]
+      with:
+        ssh-private-key: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}
     - name: Adding github workspace as safe directory
       # See issue https://github.com/actions/checkout/issues/760
       run: git config --global --add safe.directory $GITHUB_WORKSPACE

.gitignore

@@ -13,3 +13,4 @@ predicate.json
 *.pub
 *.tgz
 
+_bin

Makefile

@@ -7,6 +7,8 @@ GOVERSION:=$(shell go version | awk '{print $$3 " " $$4}')
 GOOS:=$(shell go env GOOS)
 GOARCH:=$(shell go env GOARCH)
 
+export GOPRIVATE=github.com/jetstack/venafi-connection-lib
+
 BIN_NAME:=preflight
 
 DOCKER_IMAGE?=quay.io/jetstack/preflight
@@ -48,6 +50,8 @@ build:
 install:
 	cd $(ROOT_DIR) && $(GO_INSTALL)
 
+export KUBEBUILDER_ASSETS=$(ROOT_DIR)/_bin/tools
+test: _bin/tools/etcd _bin/tools/kube-apiserver
 test:
 	cd $(ROOT_DIR) && go test ./...
 
@@ -73,11 +77,13 @@ build-all-platforms-in-host:
 
 build-all-platforms-in-docker:
 	rm -rf ./builds
-	docker build --rm -t preflight-bin -f ./builder.dockerfile \
+	docker buildx build --load --rm -t preflight-bin -f ./builder.dockerfile \
 		--build-arg oauth_client_id=$(OAUTH_CLIENT_ID) \
 		--build-arg oauth_client_secret=$(OAUTH_CLIENT_SECRET) \
 		--build-arg oauth_auth_server_domain=$(OAUTH_AUTH_SERVER_DOMAIN) \
+		--ssh default \
 		.
+	docker rm -f preflight-bin-container 2>/dev/null || true
 	docker create --rm --name=preflight-bin-container preflight-bin
 	docker cp preflight-bin-container:/go/github.com/jetstack/preflight/builds ./builds
 	docker rm preflight-bin-container
@@ -142,3 +148,54 @@ ci-build: ci-test build build-docker-image build-all-platforms bundle-all-platfo
 
 ci-publish: ci-build push-docker-image
 	echo "ci-publish is going to be disabled. We are adopting Github actions"
+
+# NOTE(mael): The download targets for yq, etcd, and kube-apiserver are a lesser
+# and suboptimal version of what's in venafi-enhanced-issuer. We will migrate to
+# makefile-modules and klone soon, so I didn't want to work too hard on this.
+
+YQ_linux_amd64_SHA256SUM=bd695a6513f1196aeda17b174a15e9c351843fb1cef5f9be0af170f2dd744f08
+YQ_darwin_amd64_SHA256SUM=b2ff70e295d02695b284755b2a41bd889cfb37454e1fa71abc3a6ec13b2676cf
+YQ_darwin_arm64_SHA256SUM=e9fc15db977875de982e0174ba5dc2cf5ae4a644e18432a4262c96d4439b1686
+YQ_VERSION=v4.35.1
+
+_bin/downloaded/tools/yq@$(YQ_VERSION)_%:
+	mkdir -p _bin/downloaded/tools
+	curl -L https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$* -o $@
+	./make/util/checkhash.sh $@ $(YQ_$*_SHA256SUM)
+	chmod +x $@
+
+HOST_OS=$(shell uname | tr '[:upper:]' '[:lower:]')
+HOST_ARCH=$(shell uname -m | sed 's/x86_64/amd64/')
+
+_bin/tools/yq: _bin/downloaded/tools/yq@$(YQ_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+	@mkdir -p _bin/tools
+	@cd $(dir $@) && ln -sf $(patsubst _bin/%,../%,$<) $(notdir $@)
+
+KUBEBUILDER_TOOLS_linux_amd64_SHA256SUM=f9699df7b021f71a1ab55329b36b48a798e6ae3a44d2132255fc7e46c6790d4d
+KUBEBUILDER_TOOLS_darwin_amd64_SHA256SUM=e1913674bacaa70c067e15649237e1f67d891ba53f367c0a50786b4a274ee047
+KUBEBUILDER_TOOLS_darwin_arm64_SHA256SUM=0422632a2bbb0d4d14d7d8b0f05497a4d041c11d770a07b7a55c44bcc5e8ce66
+KUBEBUILDER_ASSETS_VERSION=1.27.1
+
+_bin/downloaded/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_%: _bin/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | _bin/downloaded/tools
+	./make/util/checkhash.sh $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM)
+	@# O writes the specified file to stdout
+	tar xfO $< kubebuilder/bin/etcd > $@ && chmod 775 $@
+
+_bin/downloaded/tools/kube-apiserver@$(KUBEBUILDER_ASSETS_VERSION)_%: _bin/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | _bin/downloaded/tools
+	./make/util/checkhash.sh $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM)
+	@# O writes the specified file to stdout
+	tar xfO $< kubebuilder/bin/kube-apiserver > $@ && chmod 775 $@
+
+_bin/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | _bin/downloaded/tools
+	curl -L https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-$(KUBEBUILDER_ASSETS_VERSION)-$(HOST_OS)-$(HOST_ARCH).tar.gz -o $@
+
+_bin/downloaded/tools:
+	@mkdir -p $@
+
+_bin/tools/etcd: _bin/downloaded/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+	@mkdir -p _bin/tools
+	@cd $(dir $@) && ln -sf $(patsubst _bin/%,../%,$<) $(notdir $@)
+
+_bin/tools/kube-apiserver: _bin/downloaded/tools/kube-apiserver@$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+	@mkdir -p _bin/tools
+	@cd $(dir $@) && ln -sf $(patsubst _bin/%,../%,$<) $(notdir $@)

builder.dockerfile

@@ -1,13 +1,23 @@
-FROM golang:1.21.6 as builder
+FROM golang:1.22.5 as builder
 
 WORKDIR /go/github.com/jetstack/preflight
 
 # Run a dependency resolve with just the go mod files present for
 # better caching
-COPY ./go.mod .
-COPY ./go.sum .
+COPY go.mod go.sum .
 
-RUN go mod download
+COPY <<EOF /root/.gitconfig
+[url "[email protected]:jetstack/venafi-connection-lib"] \
+insteadOf = https://github.com/jetstack/venafi-connection-lib
+EOF
+COPY <<EOF /root/.ssh/known_hosts
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
+EOF
+ENV GOPRIVATE=github.com/jetstack/venafi-connection-lib
+
+RUN --mount=type=ssh go mod download
 
 ## Bring in everything else
 COPY . .
@@ -22,7 +32,6 @@ RUN make build-all-platforms \
     OAUTH_CLIENT_SECRET=${oauth_client_secret} \
     OAUTH_AUTH_SERVER_DOMAIN=${oauth_auth_server_domain}
 
-
 RUN go install github.com/google/[email protected]
 
 # We need this '|| true' because go-licenses could fail to find a license so

cmd/agent.go

@@ -138,6 +138,24 @@ func init() {
 		os.Getenv("API_TOKEN"),
 		"Token used for authentication when API tokens are in use on the backend",
 	)
+	agentCmd.PersistentFlags().StringVar(
+		&agent.VenConnName,
+		"venafi-connection",
+		"",
+		"Name of the VenafiConnection to be used. Using this flag will enable the VenafiConnection mode.",
+	)
+	agentCmd.PersistentFlags().StringVar(
+		&agent.VenConnNS,
+		"venafi-connection-namespace",
+		"",
+		"Namespace of the VenafiConnection to be used. It is only useful when the VenafiConnection isn't in the same namespace as the agent. The field `allowReferencesFrom` must be present on the cross-namespace VenafiConnection for the agent to use it.",
+	)
+	agentCmd.PersistentFlags().StringVar(
+		&agent.InstallNS,
+		"install-namespace",
+		"",
+		"Namespace in which the agent is running. Only needed when running the agent outside of Kubernetes. Used for testing purposes.",
+	)
 	agentCmd.PersistentFlags().BoolVarP(
 		&agent.Profiling,
 		"enable-pprof",

deploy/charts/venafi-kubernetes-agent/templates/rbac.yaml

@@ -1,5 +1,32 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "venafi-kubernetes-agent.fullname" . }}-venaficonnection
+  labels:
+    {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["jetstack.io"]
+    resources:
+      - venaficonnections
+    verbs: ["get", "list", "watch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "venafi-kubernetes-agent.fullname" . }}-venaficonnection
+  labels:
+    {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "venafi-kubernetes-agent.fullname" . }}-venaficonnection
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ include "venafi-kubernetes-agent.fullname" . }}-cluster-viewer