From 71c089743733add8c6d36a3a15c12f1b16b9b21a Mon Sep 17 00:00:00 2001
From: Faisal Memon
Date: Thu, 21 Nov 2024 09:00:47 -0800
Subject: [PATCH] Add support for SPIFFE_ENDPOINT_SOCKET, deprecate SPIRE_AGENT_ADDRESS (#214)
* Add support for SPIFFE_ENDPOINT_SOCKET, deprecate SPIRE_AGENT_ADDRESS
Signed-off-by: Faisal Memon
* Error when both set
Signed-off-by: Faisal Memon
---------
Signed-off-by: Faisal Memon
---
 cmd/spiffe-helper/config/config.go | 16 +++++--
 cmd/spiffe-helper/config/config_test.go | 58 +++++++++++++++++++------
 cmd/spiffe-helper/main.go | 2 +-
 3 files changed, 58 insertions(+), 18 deletions(-)
diff --git a/cmd/spiffe-helper/config/config.go b/cmd/spiffe-helper/config/config.go
index 16fd115..784e455 100644
--- a/cmd/spiffe-helper/config/config.go
+++ b/cmd/spiffe-helper/config/config.go
@@ -87,7 +87,7 @@ func (c *Config) ParseConfigFlagOverrides(daemonModeFlag bool, daemonModeFlagNam
 }
 }
-func (c *Config) ValidateConfig() error {
+func (c *Config) ValidateConfig(log logrus.FieldLogger) error {
 if err := c.checkForUnknownConfig(); err != nil {
 return err
 }
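Review bot: The new `log logrus.FieldLogger` parameter on the exported `ValidateConfig` is undocumented, and a nil logger would panic as soon as the deprecation branch added later in this function calls `log.Warn`. I would add a doc comment such as `// ValidateConfig checks the parsed configuration and resolves AgentAddress from the environment when it is unset; log must be non-nil and receives deprecation warnings.` so callers know the method both reads the environment and mutates the receiver. The function body continues outside this hunk.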
@@ -106,8 +106,18 @@ func (c *Config) ValidateConfig() error {
 }
 if c.AgentAddress == "" {
- c.AgentAddress = os.Getenv("SPIRE_AGENT_ADDRESS")
- if c.AgentAddress == "" {
+ spireAgentAddress := os.Getenv("SPIRE_AGENT_ADDRESS")
+ spiffeEndpointSocket := os.Getenv("SPIFFE_ENDPOINT_SOCKET")
+
+ switch {
+ case spireAgentAddress != "" && spiffeEndpointSocket == "":
+ log.Warn("SPIRE_AGENT_ADDRESS is deprecated and will be removed in 0.10.0. Use SPIFFE_ENDPOINT_SOCKET instead.")
+ c.AgentAddress = spireAgentAddress
+ case spireAgentAddress != "" && spiffeEndpointSocket != "":
+ return errors.New("both SPIRE_AGENT_ADDRESS and SPIFFE_ENDPOINT_SOCKET set. Use SPIFFE_ENDPOINT_SOCKET only. Support for SPIRE_AGENT_ADDRESS is deprecated and will be removed in 0.10.0")
+ case spireAgentAddress == "" && spiffeEndpointSocket != "":
+ c.AgentAddress = spiffeEndpointSocket
+ default:
 c.AgentAddress = defaultAgentAddress
 }
 }
diff --git a/cmd/spiffe-helper/config/config_test.go b/cmd/spiffe-helper/config/config_test.go
index 2564841..94e71ad 100644
--- a/cmd/spiffe-helper/config/config_test.go
+++ b/cmd/spiffe-helper/config/config_test.go
@@ -5,6 +5,7 @@ import (
 "os"
 "testing"
+ "github.com/sirupsen/logrus/hooks/test"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 )
@@ -113,7 +114,8 @@ func TestValidateConfig(t *testing.T) {
 },
 } {
 t.Run(tt.name, func(t *testing.T) {
- err := tt.config.ValidateConfig()
+ log, _ := test.NewNullLogger()
+ err := tt.config.ValidateConfig(log)
 if tt.expectError != "" {
 require.EqualError(t, err, tt.expectError)
@@ -186,7 +188,8 @@ func TestDetectsUnknownConfig(t *testing.T) {
 c, err := ParseConfig(configFile.Name())
 require.NoError(t, err)
- err = c.ValidateConfig()
+ log, _ := test.NewNullLogger()
+ err = c.ValidateConfig(log)
 require.EqualError(t, err, tt.expectError)
 })
 }
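Review bot: In the new `switch` of `ValidateConfig` (hunk at -106), the value of SPIFFE_ENDPOINT_SOCKET, like that of the deprecated SPIRE_AGENT_ADDRESS, is copied into `c.AgentAddress` with no check of its form, although it selects the Workload API endpoint the helper will trust for its SVIDs and bundle. The SPIFFE Workload Endpoint specification defines SPIFFE_ENDPOINT_SOCKET as a URI with a `unix` or `tcp` scheme; whether the code that later dials `c.AgentAddress` accepts that form is not visible here and should be confirmed, since the old variable may have been used with a bare path. I would validate the resolved value before returning, for example (assuming the project already depends on go-spiffe) `if err := workloadapi.ValidateAddress(c.AgentAddress); err != nil { return err }`, so a malformed or unexpected endpoint fails at configuration time rather than at dial time. A short comment above the `switch` stating the precedence (config value, then SPIFFE_ENDPOINT_SOCKET, then the deprecated variable, then `defaultAgentAddress`) would also help; the function continues outside the hunk.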
@@ -194,10 +197,12 @@ func TestDetectsUnknownConfig(t *testing.T) {
 func TestDefaultAgentAddress(t *testing.T) {
 for _, tt := range []struct {
- name string
- agentAddress string
- envAgentAddress string
- expectedAgentAddress string
+ name string
+ agentAddress string
+ envSPIREAgentAddress string
+ envSPIFFEEndpointSocket string
+ expectedAgentAddress string
+ expectError string
 }{
 {
 name: "Agent Address not set in config or env",
@@ -209,28 +214,53 @@ func TestDefaultAgentAddress(t *testing.T) {
 expectedAgentAddress: "MY_ADDRESS",
 },
 {
- name: "Agent Address not set in config but set in env",
- envAgentAddress: "MY_ENV_ADDRESS",
+ name: "Agent Address not set in config but SPIRE_AGENT_ADDRESS is set in env",
+ envSPIREAgentAddress: "MY_ENV_ADDRESS",
 expectedAgentAddress: "MY_ENV_ADDRESS",
 },
 {
- name: "Agent Address set in config and set in env",
- agentAddress: "MY_ADDRESS",
- envAgentAddress: "MY_ENV_ADDRESS",
- expectedAgentAddress: "MY_ADDRESS",
+ name: "Agent Address not set in config but SPIFFE_ENDPOINT_SOCKET is set in env",
+ envSPIFFEEndpointSocket: "MY_ENV_ADDRESS",
+ expectedAgentAddress: "MY_ENV_ADDRESS",
+ },
+ {
+ name: "Both SPIRE_AGENT_ADDRESS and SPIFFE_ENDPOINT_SOCKET are set in env",
+ envSPIREAgentAddress: "MY_SPIRE_AGENT_ADDRESS",
+ envSPIFFEEndpointSocket: "MY_SPIFFE_ENDPOINT_SOCKET",
+ expectError: "both SPIRE_AGENT_ADDRESS and SPIFFE_ENDPOINT_SOCKET set. Use SPIFFE_ENDPOINT_SOCKET only. Support for SPIRE_AGENT_ADDRESS is deprecated and will be removed in 0.10.0",
+ },
+ {
+ name: "Agent Address set in config and set in env",
+ agentAddress: "MY_ADDRESS",
+ envSPIFFEEndpointSocket: "MY_ENV_ADDRESS",
+ expectedAgentAddress: "MY_ADDRESS",
 },
 } {
 t.Run(tt.name, func(t *testing.T) {
- os.Setenv("SPIRE_AGENT_ADDRESS", tt.envAgentAddress)
+ os.Setenv("SPIRE_AGENT_ADDRESS", tt.envSPIREAgentAddress)
+ os.Setenv("SPIFFE_ENDPOINT_SOCKET", tt.envSPIFFEEndpointSocket)
+
 config := &Config{
 AgentAddress: tt.agentAddress,
 SVIDFileName: "cert.pem",
 SVIDKeyFileName: "key.pem",
 SVIDBundleFileName: "bundle.pem",
 }
- err := config.ValidateConfig()
+
+ log, hook := test.NewNullLogger()
+ err := config.ValidateConfig(log)
+ if tt.expectError != "" {
+ require.EqualError(t, err, tt.expectError)
+ return
+ }
 require.NoError(t, err)
+
 assert.Equal(t, config.AgentAddress, tt.expectedAgentAddress)
+
+ if tt.envSPIREAgentAddress != "" && tt.envSPIFFEEndpointSocket == "" {
+ require.NotNil(t, hook.LastEntry())
+ assert.Equal(t, "SPIRE_AGENT_ADDRESS is deprecated and will be removed in 0.10.0. Use SPIFFE_ENDPOINT_SOCKET instead.", hook.LastEntry().Message)
+ }
 })
 }
 }
diff --git a/cmd/spiffe-helper/main.go b/cmd/spiffe-helper/main.go
index 1491176..295b67b 100644
--- a/cmd/spiffe-helper/main.go
+++ b/cmd/spiffe-helper/main.go
@@ -43,7 +43,7 @@ func startSidecar(configFile string, daemonModeFlag bool, log logrus.FieldLogger
 }
 hclConfig.ParseConfigFlagOverrides(daemonModeFlag, daemonModeFlagName)
- if err := hclConfig.ValidateConfig(); err != nil {
+ if err := hclConfig.ValidateConfig(log); err != nil {
 return fmt.Errorf("invalid configuration: %w", err)
 }
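Review bot: In `TestDefaultAgentAddress` (hunk at -209), the two `os.Setenv` calls leave SPIRE_AGENT_ADDRESS and SPIFFE_ENDPOINT_SOCKET modified for whatever runs after the subtest; `t.Setenv("SPIRE_AGENT_ADDRESS", tt.envSPIREAgentAddress)` and `t.Setenv("SPIFFE_ENDPOINT_SOCKET", tt.envSPIFFEEndpointSocket)` would restore the previous values when each subtest ends. The table no longer covers a config-file address combined with the deprecated SPIRE_AGENT_ADDRESS, and has no case for a config-file address with both variables set, so the rule that the config value wins before the conflict error is reached is untested. The warning is only checked in the positive direction; adding `assert.Nil(t, hook.LastEntry())` for the cases that must not warn would pin that only the deprecated variable triggers it.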