From f8172efe486bbf5774564d194e8459149580ab5f Mon Sep 17 00:00:00 2001
From: JU4N98
Date: Tue, 7 Nov 2023 14:36:16 -0300
Subject: [PATCH] Fixes bug in config.go validations, changes JWT files structure, updates README.md.

Signed-off-by: JU4N98
---
 README.md | 2 +-
 pkg/sidecar/config.go | 13 ++-----------
 pkg/sidecar/config_test.go | 28 ----------------------------
 pkg/sidecar/sidecar.go | 31 ++++++++-----------------------
 pkg/sidecar/util_windows.go | 1 -
 5 files changed, 11 insertions(+), 64 deletions(-)

diff --git a/README.md b/README.md
index 7d31e112..fb2a3fdb 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
  |`svid_key_file_name` | File name to be used to store the X.509 SVID private key and public certificate in PEM format. | `"svid_key.pem"` |
  |`svid_bundle_file_name` | File name to be used to store the X.509 SVID Bundle in PEM format. | `"svid_bundle.pem"` |
  |`audience` | JWT SVID audience. | `"example.org"`|
- |`jwt_file_name` | File name to be used to store JWT SVID certificate in JSON format. | `"jwt.json"` |
+ |`jwt_file_name` | File name to be used to store JWT SVID in JSON format. | `"jwt.json"` |
  |`jwk_file_name` | File name to be used to store JWT SVID Bundle in JSON format. | `"jwk.json"` |
 
 ### Configuration example
diff --git a/pkg/sidecar/config.go b/pkg/sidecar/config.go
index b95b8fbf..0057a60f 100644
--- a/pkg/sidecar/config.go
+++ b/pkg/sidecar/config.go
@@ -32,7 +32,7 @@ type Config struct {
 	RenewSignalDeprecated string `hcl:"renewSignal"`
 
 	// JWT configuration
-	JWTAudience string `hcl:"audience"`
+	JWTAudience string `hcl:"jwt_audience"`
 	JWTFilename string `hcl:"jwt_file_name"`
 	JWKFilename string `hcl:"jwk_file_name"`
 
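Review bot: Renaming the HCL key on JWTAudience from `audience` to `jwt_audience` is not carried into the README, whose `audience` table row appears unchanged as context in the same patch; that row (and the configuration example) should read `jwt_audience`. Unless the HCL decoder rejects unknown keys, an existing config that still says `audience` will parse cleanly and leave JWTAudience empty, so JWT SVIDs would be requested with no audience instead of the sidecar failing at startup. This file already has a pattern for renamed keys — the field tagged `hcl:"renewSignal"` named RenewSignalDeprecated, with the getWarning/fallback in ValidateConfig — so adding a `JWTAudienceDeprecated string` field tagged `hcl:"audience"` and handling it the same way would keep the rename backward-compatible. The Config struct continues outside the hunk.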
@@ -120,16 +120,7 @@ func ValidateConfig(c *Config) error {
 		c.RenewSignal = c.RenewSignalDeprecated
 	}
 
-	switch {
-	case c.SvidFileName == "":
-		return errors.New("svid_file_name is required")
-	case c.SvidKeyFileName == "":
-		return errors.New("svid_key_file_name is required")
-	case c.SvidBundleFileName == "":
-		return errors.New("svid_bundle_file_name is required")
-	default:
-		return nil
-	}
+	return nil
 }
 
 func getWarning(s1 string, s2 string) string {
diff --git a/pkg/sidecar/config_test.go b/pkg/sidecar/config_test.go
index 1a225052..3ac8a2e6 100644
--- a/pkg/sidecar/config_test.go
+++ b/pkg/sidecar/config_test.go
@@ -50,34 +50,6 @@ func TestValidateConfig(t *testing.T) {
 				SvidBundleFileName: "bundle.pem",
 			},
 		},
-		{
-			name: "no SVID file",
-			config: &Config{
-				AgentAddress: "path",
-				SvidKeyFileName: "key.pem",
-				SvidBundleFileName: "bundle.pem",
-			},
-			expectError: "svid_file_name is required",
-		},
-		{
-			name: "no key file",
-			config: &Config{
-				AgentAddress: "path",
-				SvidFileName: "cert.pem",
-				SvidBundleFileName: "bundle.pem",
-			},
-			expectError: "svid_key_file_name is required",
-		},
-		{
-			name: "no bundle file",
-			config: &Config{
-				AgentAddress: "path",
-				SvidFileName: "cert.pem",
-				SvidKeyFileName: "key.pem",
-			},
-			expectError: "svid_bundle_file_name is required",
-		},
-
 		// Duplicated field error:
 		{
 			name: "Both agent_address & agentAddress in use",
diff --git a/pkg/sidecar/sidecar.go b/pkg/sidecar/sidecar.go
index 2667c4a1..53bdb84d 100644
--- a/pkg/sidecar/sidecar.go
+++ b/pkg/sidecar/sidecar.go
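Review bot: ValidateConfig now ends in an unconditional `return nil`, so an empty svid_file_name, svid_key_file_name or svid_bundle_file_name is no longer rejected at load time for any deployment. If the bug being fixed is that a JWT-only setup should not have to set the X.509 file names, the three checks should be made conditional on the X.509 outputs being in use rather than deleted; whatever flag identifies that mode is outside this hunk, so I cannot quote the condition. Without the check an empty name is only discovered when the writer later joins it onto CertDir, failing on the first rotation instead of at startup. The config_test.go hunk drops the three "is required" cases for the same reason; with a conditional check they should be kept, with X.509 mode set in their fixtures. The start of ValidateConfig lies outside the hunk.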
@@ -189,22 +189,6 @@ func (s *Sidecar) dumpBundles(svidResponse *workloadapi.X509Context) error {
 	return nil
 }
 
-func (s *Sidecar) readJSON(fileName string) map[string]interface{} {
-	jsonPath := path.Join(s.config.CertDir, fileName)
-	file, err := os.ReadFile(jsonPath)
-	if err != nil {
-		s.config.Log.Warnf("Unable to read json file: %v", err)
-	}
-
-	certs := make(map[string]interface{})
-	err = json.Unmarshal(file, &certs)
-	if err != nil {
-		s.config.Log.Warnf("Unable to parse json: %v", err)
-	}
-
-	return certs
-}
-
 func (s *Sidecar) writeJSON(fileName string, certs map[string]interface{}) {
 	file, err := json.Marshal(certs)
 	if err != nil {
@@ -221,7 +205,7 @@ func (s *Sidecar) writeJSON(fileName string, certs map[string]interface{}) {
 func (s *Sidecar) updateJWTBundle(jwkSet *jwtbundle.Set) {
 	s.config.Log.Info("Updating JWK bundles")
 
-	bundles := make(map[string]string)
+	bundles := make(map[string]interface{})
 	for _, bundle := range jwkSet.Bundles() {
 		bytes, err := bundle.Marshal()
 		if err != nil {
@@ -231,9 +215,7 @@ func (s *Sidecar) updateJWTBundle(jwkSet *jwtbundle.Set) {
 		bundles[bundle.TrustDomain().Name()] = base64.StdEncoding.EncodeToString(bytes)
 	}
 
-	certs := s.readJSON(s.config.JWKFilename)
-	certs["bundles"] = bundles
-	s.writeJSON(s.config.JWKFilename, certs)
+	s.writeJSON(s.config.JWKFilename, bundles)
 }
 
 func (s *Sidecar) fetchJWTSVID(options ...workloadapi.ClientOption) (*jwtsvid.SVID, error) {
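Review bot: Passing `bundles` directly to writeJSON drops the top-level `"bundles"` key, so the file named by jwk_file_name now maps trust-domain names straight to base64 strings; that is an incompatible layout change for anything reading the old file, and neither the README row for `jwk_file_name` (present as context in this patch) nor the commit description says what the new shape is. A comment above the call, e.g. `// jwk file layout: {"<trust domain>": "<base64 of bundle.Marshal()>", ...}`, and a matching sentence in the README row would fix that; stating that each value is base64 of the JWKS rather than the JWKS JSON itself is worth it, since consumers have to decode twice. Dropping readJSON also means the file is now rewritten wholesale instead of read-merged (the old path only warned on an unreadable or unparsable file), which is the safer behaviour and deserves a line in the commit description.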
@@ -274,9 +256,12 @@ func (s *Sidecar) updateJWTSVID(ctx context.Context, options ...workloadapi.Clie
 			continue
 		}
 
-		certs := s.readJSON(s.config.JWTFilename)
-		certs["svid"] = jwtSVID.Marshal()
-		s.writeJSON(s.config.JWTFilename, certs)
+		filePath := path.Join(s.config.CertDir, s.config.JWTFilename)
+		err = os.WriteFile(filePath, []byte(jwtSVID.Marshal()), os.ModePerm)
+		if err != nil {
+			s.config.Log.Warnf("Unable to write JWT SVID to a file: %v", err)
+			continue
+		}
 
 		s.config.Log.Infof("JWT SVID updated")
 		time.Sleep(time.Until(jwtSVID.Expiry)/2 + 1*time.Second)
diff --git a/pkg/sidecar/util_windows.go b/pkg/sidecar/util_windows.go
index 56c0c789..7bed85a0 100644
--- a/pkg/sidecar/util_windows.go
+++ b/pkg/sidecar/util_windows.go
@@ -47,7 +47,6 @@ func (s *Sidecar) RunDaemon(ctx context.Context) error {
 	go func() {
 		defer wg.Done()
 		s.updateJWTSVID(ctx, workloadapi.WithNamedPipeName(s.config.AgentAddress))
-		errch <- nil
 	}()
 }
 
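Review bot: `os.WriteFile(filePath, []byte(jwtSVID.Marshal()), os.ModePerm)` creates the JWT SVID file with mode 0777 (before umask); the file holds a bearer token, so it should be `0600`, or at most the mode this package uses for the other SVID files (that code is outside the hunk). The file now contains whatever jwtSVID.Marshal() returns instead of a JSON object, so if that is the compact serialization the README wording changed in this patch ("JWT SVID in JSON format") and the `jwt.json` default name are stale and should be adjusted. The new `continue` on a write failure also skips the time.Sleep at the bottom of the loop, so a persistent error such as an unwritable CertDir becomes a tight fetch loop against the Workload API; a short delay before the `continue` would avoid that, unless the loop header outside the hunk already waits.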