Federation test

[drewwells]

The helm tests are very limited. This test will pull the federation keys and verify a minted jwt with them.

• Update test to use spire-agent pod mentioned here Federation test #423 (comment)

[kfox1111]

Generally looking pretty good now. Thanks for working on this. Some questions/issues inline.

[kfox1111]

Here's something that seems to work as a base. I've asked for the ability for spire-agent to write to a file directly, so we wouldn't need the busybox thing.

apiVersion: batch/v1
kind: Job
metadata:
  name: test
spec:
  template:
    metadata:
      name: test
    spec:
      restartPolicy: Never
      initContainers:
      - name: static-busybox
        image: busybox:uclibc
        command:
        - sh
        - -c
        - |
          cp /bin/busybox /workdir/busybox
          chmod +x /workdir/busybox
        volumeMounts:
        - name: workdir
          mountPath: /workdir
      - name: gettoken
        image: ghcr.io/spiffe/spire-agent:1.7.1
        command:
        - /workdir/busybox
        - sh
        - -c
        - |
          while true; do
            /opt/spire/bin/spire-agent api fetch jwt -audience foo -format json -socketPath /spire-agent/spire-agent.sock -timeout 5s > /workdir/jwt.json
            [ $? -eq 0 ] && break
            sleep 1
          done
        volumeMounts:
        - name: workdir
          mountPath: /workdir
        - name: spire-api
          mountPath: /spire-agent
          readOnly: true
      containers:
      - name: testtoken
        image: cgr.dev/chainguard/slim-toolkit-debug:5.2.15
        command:
        - /bin/bash
        - -c
        - |
          jq . /workdir/jwt.json
        volumeMounts:
        - name: workdir
          mountPath: /workdir
      volumes:
      - name: spire-api
        csi:
          driver: csi.spiffe.io
          readOnly: true
      - name: workdir
        emptyDir: {}

[kfox1111]

There a reason to run as root? I would think the pod's identity should work reguardless of which user its using? Thinking this will break on the production example.

[drewwells]

There a reason to run as root? I would think the pod's identity should work reguardless of which user its using? Thinking this will break on the production example.

hope not, using some big uids and giving the tests a whirl

[kfox1111]

Marking draft as there has been ongoing active development for a while. When your ready for more review, please hit the "Ready for review" button

[drewwells]

I’m not following how running these test pods as non root will break spire agent. These restrictive settings will indeed make them run in all environments included the production example. On August 15, 2023, Anthony Sottile ***@***.***> wrote: ***@***.**** commented on this pull request.

------------------------------ In charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml <#423 (comment)>:

+ allowPrivilegeEscalation: false

+ runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL The recommended production setup includes examples/production/values.yaml. You gotta use all those settings or it will break. Having the values here just gives a false sense that it will work without it, which it wont. the csi driver will break, the spire-agent will break, etc. Moving the settings there makes sure it either all works together or not at all. In another issue/pr, we can look at merging everything in examples/production/values.yaml into the chart proper. but thats a much bigger issue/pr then belongs here. — Reply to this email directly, view it on GitHub <#423 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAB2ME5JUYSHYBYVXDVBKS3XVQIFZANCNFSM6AAAAAA3DO6HCY> . You are receiving this because you commented.Message ID: ***@***.***>

[drewwells]

@kfox1111 Those sha tags are failing, where did you get those

resolve reference "cgr.dev/chainguard/slim-toolkit-debug@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4": cgr.dev/chainguard/slim-toolkit-debug@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4: not found

[kfox1111]

I was pretty sure I test pulled it. Sorry.

You can get the newest with:

crane digest cgr.dev/chainguard/slim-toolkit-debug:latest

so, this looks to be the newest:

cgr.dev/chainguard/slim-toolkit-debug:latest@sha256:d717d0a2c88518f8e36d9cfe1571639a40617e8c4291e34876d46bdeefb1ab5a

[marcofranssen]

Few nitpicks and suggestions, as well some questions.

[kfox1111]

I think I figured out why the tests are failing. Mentioned inline. Couple of files that don't need changing anymore left and then I'm good with approving this. Its working well :)

[kfox1111]

LGTM! Thanks! :)

[marcofranssen]

LGTM 🚀