Removes legacy SPIFFE TLS clients and servers in favour of the new SP…

…IRE TLS clients and servers. (dapr#7037) * Removes legacy SPIFFE TLS clients and servers in favour of the new SPIRE TLS clients and servers. Signed-off-by: joshvanl <[email protected]> * Fix sentry int tests, and adds test to ensure legacy ID is not longer accepted Signed-off-by: joshvanl <[email protected]> * String match on sentry Kubernetes validator longname test Signed-off-by: joshvanl <[email protected]> * Fix namespace of sentry in operator tests Signed-off-by: joshvanl <[email protected]> * Linting Signed-off-by: joshvanl <[email protected]> * Update integration kubernetes process to use leaf certificate with cluster.local Signed-off-by: joshvanl <[email protected]> * Fix setting correct control plane trust domain on daprd Signed-off-by: joshvanl <[email protected]> * Remove SENTRY_LOCAL_IDENTITY form expected env var Signed-off-by: joshvanl <[email protected]> * Fix control plane trust domain setting in test Signed-off-by: joshvanl <[email protected]> * Fixes int version skew tests using legacy client/server Signed-off-by: joshvanl <[email protected]> * Fix int version-skew patch on v1.13.0 Signed-off-by: joshvanl <[email protected]> * Use correct namespace for sentry in injector integration tests Signed-off-by: joshvanl <[email protected]> --------- Signed-off-by: joshvanl <[email protected]> Co-authored-by: Dapr Bot <[email protected]> Co-authored-by: Yaron Schneider <[email protected]>
Reshrahim · Mar 26, 2024 · 9723f55 · 9723f55
1 parent 7b881a7
commit 9723f55
Show file tree

Hide file tree

Showing 47 changed files with 855 additions and 1,171 deletions.
diff --git a/...integration/release-1.13/control-plane-master/0003-daprd-control-plane-trust-domain.patch b/...integration/release-1.13/control-plane-master/0003-daprd-control-plane-trust-domain.patch
diff --git a/.../integration/release-1.13/dapr-sidecar-master/0003-daprd-control-plane-trust-domain.patch b/.../integration/release-1.13/dapr-sidecar-master/0003-daprd-control-plane-trust-domain.patch
@@ -0,0 +1,48 @@
+diff --git a/tests/integration/framework/process/daprd/daprd.go b/tests/integration/framework/process/daprd/daprd.go
+index 8e6960f7c..06c9c9185 100644
+--- a/tests/integration/framework/process/daprd/daprd.go
++++ b/tests/integration/framework/process/daprd/daprd.go
+@@ -140,6 +140,9 @@ func New(t *testing.T, fopts ...Option) *Daprd {
+ 	if opts.blockShutdownDuration != nil {
+ 		args = append(args, "--dapr-block-shutdown-duration="+*opts.blockShutdownDuration)
+ 	}
++	if opts.controlPlaneTrustDomain != nil {
++		args = append(args, "--control-plane-trust-domain="+*opts.controlPlaneTrustDomain)
++	}
+
+ 	ns := "default"
+ 	if opts.namespace != nil {
+diff --git a/tests/integration/framework/process/daprd/options.go b/tests/integration/framework/process/daprd/options.go
+index d6b39a535..739d0481c 100644
+--- a/tests/integration/framework/process/daprd/options.go
++++ b/tests/integration/framework/process/daprd/options.go
+@@ -55,6 +55,7 @@ type options struct {
+ 	disableK8sSecretStore   *bool
+ 	gracefulShutdownSeconds *int
+ 	blockShutdownDuration   *string
++	controlPlaneTrustDomain *string
+ }
+
+ func WithExecOptions(execOptions ...exec.Option) Option {
+@@ -246,3 +247,9 @@ func WithDaprBlockShutdownDuration(duration string) Option {
+ 		o.blockShutdownDuration = &duration
+ 	}
+ }
++
++func WithControlPlaneTrustDomain(trustDomain string) Option {
++	return func(o *options) {
++		o.controlPlaneTrustDomain = &trustDomain
++	}
++}
+diff --git a/tests/integration/suite/daprd/hotreload/operator/informer.go b/tests/integration/suite/daprd/hotreload/operator/informer.go
+index 1af786e19..b8b13652f 100644
+--- a/tests/integration/suite/daprd/hotreload/operator/informer.go
++++ b/tests/integration/suite/daprd/hotreload/operator/informer.go
+@@ -105,6 +105,7 @@ func (i *informer) Setup(t *testing.T) []framework.Option {
+ 		daprd.WithExecOptions(exec.WithEnvVars(t,
+ 			"DAPR_TRUST_ANCHORS", string(sentry.CABundle().TrustAnchors),
+ 		)),
++		daprd.WithControlPlaneTrustDomain("integration.test.dapr.io"),
+ 	)
+
+ 	return []framework.Option{
diff --git a/cmd/injector/app/app.go b/cmd/injector/app/app.go
@@ -26,7 +26,6 @@ import (
 	"github.com/dapr/dapr/pkg/buildinfo"
 	scheme "github.com/dapr/dapr/pkg/client/clientset/versioned"
 	"github.com/dapr/dapr/pkg/health"
-	"github.com/dapr/dapr/pkg/injector/sentry"
 	"github.com/dapr/dapr/pkg/injector/service"
 	"github.com/dapr/dapr/pkg/metrics"
 	"github.com/dapr/dapr/pkg/modes"
@@ -83,10 +82,15 @@ func Run() {
 		log.Fatalf("Failed to get authentication uids from services accounts: %s", err)
 	}
 
+	namespace, err := security.CurrentNamespaceOrError()
+	if err != nil {
+		log.Fatalf("Failed to get current namespace: %s", err)
+	}
+
 	secProvider, err := security.New(ctx, security.Options{
 		SentryAddress:           cfg.SentryAddress,
 		ControlPlaneTrustDomain: cfg.ControlPlaneTrustDomain,
-		ControlPlaneNamespace:   security.CurrentNamespace(),
+		ControlPlaneNamespace:   namespace,
 		TrustAnchorsFile:        cfg.TrustAnchorsFile,
 		AppID:                   "dapr-injector",
 		MTLSEnabled:             true,
@@ -123,19 +127,9 @@ func Run() {
 			if err != nil {
 				return rerr
 			}
-			requester, derr := sentry.New(ctx, sentry.Options{
-				SentryAddress: cfg.SentryAddress,
-				SentryID:      sentryID,
-				Security:      sec,
-			})
-			if derr != nil {
-				return derr
-			}
-
 			return inj.Run(ctx,
 				sec.TLSServerConfigNoClientAuth(),
 				sentryID,
-				requester.RequestCertificateFromSentry,
 				sec.CurrentTrustAnchors,
 			)
 		},

diff --git a/pkg/injector/patcher/sidecar.go b/pkg/injector/patcher/sidecar.go
@@ -36,8 +36,6 @@ type SidecarConfig struct {
 
 	Mode                        injectorConsts.DaprMode `default:"kubernetes"`
 	Namespace                   string
-	CertChain                   string
-	CertKey                     string
 	MTLSEnabled                 bool
 	Identity                    string
 	IgnoreEntrypointTolerations []corev1.Toleration

diff --git a/pkg/injector/patcher/sidecar_container.go b/pkg/injector/patcher/sidecar_container.go
@@ -291,24 +291,6 @@ func (c *SidecarConfig) getSidecarContainer(opts getSidecarContainerOpts) (*core
 		},
 	}
 
-	// TODO: @joshvanl: included for backwards compatibility with v1.11 daprd's
-	// which request these environment variables to be present when running in
-	// Kubernetes. Should be removed in v1.13.
-	container.Env = append(container.Env,
-		corev1.EnvVar{
-			Name:  securityConsts.CertChainEnvVar,
-			Value: c.CertChain,
-		},
-		corev1.EnvVar{
-			Name:  securityConsts.CertKeyEnvVar,
-			Value: c.CertKey,
-		},
-		corev1.EnvVar{
-			Name:  "SENTRY_LOCAL_IDENTITY",
-			Value: c.Identity,
-		},
-	)
-
 	// If the pod contains any of the tolerations specified by the configuration,
 	// the Command and Args are passed as is. Otherwise, the Command is passed as a part of Args.
 	// This is to allow the Docker images to specify an ENTRYPOINT

diff --git a/pkg/injector/patcher/sidecar_container_test.go b/pkg/injector/patcher/sidecar_container_test.go
@@ -329,8 +329,6 @@ func TestGetSidecarContainer(t *testing.T) {
 		c.Identity = "pod_identity"
 		c.ControlPlaneNamespace = "my-namespace"
 		c.ControlPlaneTrustDomain = "test.example.com"
-		c.CertChain = "my-cert-chain"
-		c.CertKey = "my-cert-key"
 
 		c.SetFromPodAnnotations()
 
@@ -362,7 +360,7 @@ func TestGetSidecarContainer(t *testing.T) {
 
 		// Command should be empty, image's entrypoint to be used.
 		assert.Empty(t, container.Command)
-		assertEqualJSON(t, container.Env, `[{"name":"NAMESPACE","value":"dapr-system"},{"name":"DAPR_TRUST_ANCHORS"},{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"DAPR_CONTROLPLANE_NAMESPACE","value":"my-namespace"},{"name":"DAPR_CONTROLPLANE_TRUST_DOMAIN","value":"test.example.com"},{"name":"DAPR_CERT_CHAIN","value":"my-cert-chain"},{"name":"DAPR_CERT_KEY","value":"my-cert-key"},{"name":"SENTRY_LOCAL_IDENTITY","value":"pod_identity"},{"name":"DAPR_API_TOKEN","valueFrom":{"secretKeyRef":{"name":"secret","key":"token"}}},{"name":"APP_API_TOKEN","valueFrom":{"secretKeyRef":{"name":"appsecret","key":"token"}}}]`)
+		assertEqualJSON(t, container.Env, `[{"name":"NAMESPACE","value":"dapr-system"},{"name":"DAPR_TRUST_ANCHORS"},{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"DAPR_CONTROLPLANE_NAMESPACE","value":"my-namespace"},{"name":"DAPR_CONTROLPLANE_TRUST_DOMAIN","value":"test.example.com"},{"name":"DAPR_API_TOKEN","valueFrom":{"secretKeyRef":{"name":"secret","key":"token"}}},{"name":"APP_API_TOKEN","valueFrom":{"secretKeyRef":{"name":"appsecret","key":"token"}}}]`)
 		// default image
 		assert.Equal(t, "daprio/dapr", container.Image)
 		assert.EqualValues(t, expectedArgs, container.Args)
@@ -394,8 +392,6 @@ func TestGetSidecarContainer(t *testing.T) {
 		c.Identity = "pod_identity"
 		c.ControlPlaneNamespace = "my-namespace"
 		c.ControlPlaneTrustDomain = "test.example.com"
-		c.CertChain = "my-cert-chain"
-		c.CertKey = "my-cert-key"
 		c.EnableK8sDownwardAPIs = true
 
 		c.SetFromPodAnnotations()
@@ -436,7 +432,7 @@ func TestGetSidecarContainer(t *testing.T) {
 
 		// Command should be empty, image's entrypoint to be used.
 		assert.Empty(t, container.Command)
-		assertEqualJSON(t, container.Env, `[{"name":"NAMESPACE","value":"dapr-system"},{"name":"DAPR_TRUST_ANCHORS"},{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"DAPR_CONTROLPLANE_NAMESPACE","value":"my-namespace"},{"name":"DAPR_CONTROLPLANE_TRUST_DOMAIN","value":"test.example.com"},{"name":"DAPR_HOST_IP","valueFrom":{"fieldRef":{"fieldPath":"status.podIP"}}},{"name":"DAPR_CERT_CHAIN","value":"my-cert-chain"},{"name":"DAPR_CERT_KEY","value":"my-cert-key"},{"name":"SENTRY_LOCAL_IDENTITY","value":"pod_identity"},{"name":"DAPR_API_TOKEN","valueFrom":{"secretKeyRef":{"name":"secret","key":"token"}}},{"name":"APP_API_TOKEN","valueFrom":{"secretKeyRef":{"name":"appsecret","key":"token"}}}]`)
+		assertEqualJSON(t, container.Env, `[{"name":"NAMESPACE","value":"dapr-system"},{"name":"DAPR_TRUST_ANCHORS"},{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"DAPR_CONTROLPLANE_NAMESPACE","value":"my-namespace"},{"name":"DAPR_CONTROLPLANE_TRUST_DOMAIN","value":"test.example.com"},{"name":"DAPR_HOST_IP","valueFrom":{"fieldRef":{"fieldPath":"status.podIP"}}},{"name":"DAPR_API_TOKEN","valueFrom":{"secretKeyRef":{"name":"secret","key":"token"}}},{"name":"APP_API_TOKEN","valueFrom":{"secretKeyRef":{"name":"appsecret","key":"token"}}}]`)
 		// default image
 		assert.Equal(t, "daprio/dapr", container.Image)
 		assert.EqualValues(t, expectedArgs, container.Args)

diff --git a/pkg/injector/patcher/sidecar_patcher_test.go b/pkg/injector/patcher/sidecar_patcher_test.go
@@ -267,8 +267,6 @@ func TestPatching(t *testing.T) {
 			c := NewSidecarConfig(pod)
 			c.Namespace = "testns"
 			c.Identity = "pod:identity"
-			c.CertChain = "certchain"
-			c.CertKey = "certkey"
 			c.SentrySPIFFEID = "spiffe://foo.bar/ns/example/dapr-sentry"
 
 			if tc.sidecarConfigModifierFn != nil {
@@ -302,7 +300,6 @@ func TestPatching(t *testing.T) {
 					daprdEnvVars[env.Name] = env.Value
 				}
 				assert.Equal(t, "testns", daprdEnvVars["NAMESPACE"])
-				assert.Equal(t, "pod:identity", daprdEnvVars["SENTRY_LOCAL_IDENTITY"])
 
 				assert.Len(t, daprdContainer.VolumeMounts, 1)
 				assert.Equal(t, "dapr-identity-token", daprdContainer.VolumeMounts[0].Name)

diff --git a/pkg/injector/sentry/sentry.go b/pkg/injector/sentry/sentry.go
diff --git a/pkg/injector/service/handler_test.go b/pkg/injector/service/handler_test.go
@@ -15,7 +15,6 @@ package service
 
 import (
 	"bytes"
-	"context"
 	"encoding/json"
 	"io"
 	"net/http"
@@ -56,9 +55,6 @@ func TestHandleRequest(t *testing.T) {
 	injector.currentTrustAnchors = func() ([]byte, error) {
 		return nil, nil
 	}
-	injector.signDaprdCertificate = func(context.Context, string) ([]byte, []byte, error) {
-		return []byte("test-cert"), []byte("test-key"), nil
-	}
 
 	podBytes, _ := json.Marshal(corev1.Pod{
 		TypeMeta: metav1.TypeMeta{

diff --git a/pkg/injector/service/injector.go b/pkg/injector/service/injector.go
@@ -56,13 +56,12 @@ var AllowedServiceAccountInfos = []string{
 }
 
 type (
-	signDaprdCertificateFn func(ctx context.Context, namespace string) (cert []byte, key []byte, err error)
-	currentTrustAnchorsFn  func() (ca []byte, err error)
+	currentTrustAnchorsFn func() (ca []byte, err error)
 )
 
 // Injector is the interface for the Dapr runtime sidecar injection component.
 type Injector interface {
-	Run(context.Context, *tls.Config, spiffeid.ID, signDaprdCertificateFn, currentTrustAnchorsFn) error
+	Run(context.Context, *tls.Config, spiffeid.ID, currentTrustAnchorsFn) error
 	Ready(context.Context) error
 }
 
@@ -89,7 +88,6 @@ type injector struct {
 	controlPlaneTrustDomain string
 	currentTrustAnchors     currentTrustAnchorsFn
 	sentrySPIFFEID          spiffeid.ID
-	signDaprdCertificate    signDaprdCertificateFn
 
 	namespaceNameMatcher *namespacednamematcher.EqualPrefixNameNamespaceMatcher
 	ready                chan struct{}
@@ -215,7 +213,7 @@ func getServiceAccount(ctx context.Context, kubeClient kubernetes.Interface, all
 	return allowedUids, nil
 }
 
-func (i *injector) Run(ctx context.Context, tlsConfig *tls.Config, sentryID spiffeid.ID, signDaprdFn signDaprdCertificateFn, currentTrustAnchors currentTrustAnchorsFn) error {
+func (i *injector) Run(ctx context.Context, tlsConfig *tls.Config, sentryID spiffeid.ID, currentTrustAnchors currentTrustAnchorsFn) error {
 	select {
 	case <-i.ready:
 		return errors.New("injector already running")
@@ -226,7 +224,6 @@ func (i *injector) Run(ctx context.Context, tlsConfig *tls.Config, sentryID spif
 	log.Infof("Sidecar injector is listening on %s, patching Dapr-enabled pods", i.server.Addr)
 
 	i.currentTrustAnchors = currentTrustAnchors
-	i.signDaprdCertificate = signDaprdFn
 	i.sentrySPIFFEID = sentryID
 	i.server.TLSConfig = tlsConfig
 

diff --git a/pkg/injector/service/pod_patch.go b/pkg/injector/service/pod_patch.go
@@ -55,10 +55,6 @@ func (i *injector) getPodPatchOperations(ctx context.Context, ar *admissionv1.Ad
 	if err != nil {
 		return nil, err
 	}
-	daprdCert, daprdPrivateKey, err := i.signDaprdCertificate(ctx, ar.Request.Namespace)
-	if err != nil {
-		return nil, err
-	}
 
 	// Create the sidecar configuration object from the pod
 	sidecar := patcher.NewSidecarConfig(pod)
@@ -79,8 +75,6 @@ func (i *injector) getPodPatchOperations(ctx context.Context, ar *admissionv1.Ad
 	sidecar.ControlPlaneTrustDomain = i.controlPlaneTrustDomain
 	sidecar.SentrySPIFFEID = i.sentrySPIFFEID.String()
 	sidecar.CurrentTrustAnchors = trustAnchors
-	sidecar.CertChain = string(daprdCert)
-	sidecar.CertKey = string(daprdPrivateKey)
 	sidecar.DisableTokenVolume = !token.HasKubernetesToken()
 
 	// Set addresses for actor services