diff --git a/pkg/sidecar/config.go b/pkg/sidecar/config.go
index 08138ce1..2f88bb8d 100644
--- a/pkg/sidecar/config.go
+++ b/pkg/sidecar/config.go
@@ -32,10 +32,8 @@ type Config struct {
 RenewSignalDeprecated string `hcl:"renewSignal"`
 
 // JWT configuration
- JwtSvids []JwtConfig `hcl:"jwt_svids"`
- JWTAudienceDeprecated string `hcl:"jwt_audience"`
- JWTSvidFilenameDeprecated string `hcl:"jwt_svid_file_name"`
- JWTBundleFilename string `hcl:"jwt_bundle_file_name"`
+ JwtSvids []JwtConfig `hcl:"jwt_svids"`
+ JWTBundleFilename string `hcl:"jwt_bundle_file_name"`
 
 // TODO: is there a reason for this to be exposed? and inside of config?
 ReloadExternalProcess func() error
@@ -133,9 +131,8 @@ func ValidateConfig(c *Config) error {
 }
 
 x509EmptyCount := countEmpty(c.SvidFileName, c.SvidBundleFileName, c.SvidKeyFileName)
- jwtSVIDEmptyCount := countEmpty(c.JWTSvidFilenameDeprecated, c.JWTAudienceDeprecated)
 jwtBundleEmptyCount := countEmpty(c.SvidBundleFileName)
- if x509EmptyCount == 3 && jwtSVIDEmptyCount == 2 && c.JwtSvids == nil && jwtBundleEmptyCount == 1 {
+ if x509EmptyCount == 3 && c.JwtSvids == nil && jwtBundleEmptyCount == 1 {
 return errors.New("at least one of the sets ('svid_file_name', 'svid_key_file_name', 'svid_bundle_file_name'), ('jwt_file_name', 'jwt_audience'), 'jwt_svids', or ('jwt_bundle_file_name') must be fully specified")
 }
 
@@ -143,18 +140,6 @@ func ValidateConfig(c *Config) error {
 return errors.New("all or none of 'svid_file_name', 'svid_key_file_name', 'svid_bundle_file_name' must be specified")
 }
 
- if jwtSVIDEmptyCount != 0 && jwtSVIDEmptyCount != 2 {
- return errors.New("all or none of 'jwt_file_name', 'jwt_audience' must be specified")
- }
-
- if jwtSVIDEmptyCount == 0 {
- c.Log.Warn(getWarning("jwt_file_name and jwt_audience", "jwt_svids"))
- }
-
- if jwtSVIDEmptyCount != 0 && c.JwtSvids == nil {
- return errors.New("must not specify deprecated JWT configs ('jwt_file_name' and 'jwt_audience') and new JWT config ('jwt_svids')")
- }
-
 return nil
 }
 
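Review bot: The `c.JwtSvids == nil` test in the rewritten condition treats an empty but non-nil list (an HCL `jwt_svids = []` most likely decodes to one) as a configured set, so such a config passes the "at least one of the sets" check while configuring nothing; `len(c.JwtSvids) == 0` closes that gap. The error text on the next line still names the `('jwt_file_name', 'jwt_audience')` set whose fields this commit removes from `Config`, so that clause should be dropped from the message. With the per-pair check deleted in the following hunk, nothing visible in this function verifies that each `JwtSvids` entry has both `JWTSvidFilename` and `JWTAudience` set; if that check lives elsewhere in `ValidateConfig` it is outside these hunks, otherwise an entry with an empty audience reaches `updateJWTSVID` unchecked. Separately, the unchanged line `jwtBundleEmptyCount := countEmpty(c.SvidBundleFileName)` reads the X.509 bundle name rather than `c.JWTBundleFilename`, which makes `jwtBundleEmptyCount == 1` redundant with `x509EmptyCount == 3` and rejects a config that sets only `jwt_bundle_file_name`. ValidateConfig's body starts outside the hunk.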
diff --git a/pkg/sidecar/config_test.go b/pkg/sidecar/config_test.go
index 400e4103..cd1968d4 100644
--- a/pkg/sidecar/config_test.go
+++ b/pkg/sidecar/config_test.go
@@ -34,9 +34,9 @@ func TestParseConfig(t *testing.T) {
 assert.Equal(t, expectedSvidFileName, c.SvidFileName)
 assert.Equal(t, expectedKeyFileName, c.SvidKeyFileName)
 assert.Equal(t, expectedSvidBundleFileName, c.SvidBundleFileName)
- assert.Equal(t, expectedJWTSVIDFileName, c.JWTSvidFilenameDeprecated)
+ assert.Equal(t, expectedJWTSVIDFileName, c.JwtSvids[0].JWTSvidFilename)
 assert.Equal(t, expectedJWTBundleFileName, c.JWTBundleFilename)
- assert.Equal(t, expectedJWTAudience, c.JWTAudienceDeprecated)
+ assert.Equal(t, expectedJWTAudience, c.JwtSvids[0].JWTAudience)
 assert.True(t, c.AddIntermediatesToBundle)
 }
 
@@ -56,21 +56,6 @@ func TestValidateConfig(t *testing.T) {
 SvidBundleFileName: "bundle.pem",
 },
 },
- {
- name: "warns on deprecated jwt configs",
- config: &Config{
- AgentAddress: "path",
- JWTAudienceDeprecated: "your-audience",
- JWTSvidFilenameDeprecated: "jwt.token",
- JWTBundleFilename: "bundle.json",
- },
- expectLogs: []shortEntry{
- {
- Level: logrus.WarnLevel,
- Message: "jwt_file_name and jwt_audience will be deprecated, should be used as jwt_svids",
- },
- },
- },
 {
 name: "no error",
 config: &Config{
@@ -100,8 +85,10 @@ func TestValidateConfig(t *testing.T) {
 {
 name: "missing jwt config",
 config: &Config{
- AgentAddress: "path",
- JWTSvidFilenameDeprecated: "cert.pem",
+ AgentAddress: "path",
+ JwtSvids: []JwtConfig{{
+ JWTSvidFilename: "jwt.token",
+ }},
 },
 expectError: "all or none of 'jwt_file_name', 'jwt_audience' must be specified",
 },
diff --git a/pkg/sidecar/sidecar.go b/pkg/sidecar/sidecar.go
index 1370bddc..a59f8f8d 100644
--- a/pkg/sidecar/sidecar.go
+++ b/pkg/sidecar/sidecar.go
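Review bot: In TestParseConfig the new `c.JwtSvids[0].JWTSvidFilename` and `c.JwtSvids[0].JWTAudience` lines index the parsed slice without first checking its length, so a fixture that parses to zero entries fails as an index-out-of-range panic rather than an assertion; add `assert.Len(t, c.JwtSvids, 1)` before the first indexed line (or `require.Len` so the test stops there). In the "missing jwt config" case of the third hunk the expected string is still "all or none of 'jwt_file_name', 'jwt_audience' must be specified", yet the `ValidateConfig` code that produced that message is removed in this commit's config.go hunks and the entry's HCL keys are `jwt_svid_file_name`/`jwt_audience`; unless a per-entry check outside this diff emits that exact text, the case either fails or asserts a message naming a key that no longer exists. Both enclosing test functions start and end outside these hunks.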
@@ -103,7 +103,7 @@ func (s *Sidecar) RunDaemon(ctx context.Context) error {
 }()
 }
 
- if s.config.JWTSvidFilenameDeprecated != "" && s.config.JWTAudienceDeprecated != "" {
+ if s.config.JwtSvids != nil {
 jwtSource, err := workloadapi.NewJWTSource(ctx, workloadapi.WithClientOptions(s.getWorkloadAPIAdress()))
 if err != nil {
 s.config.Log.Fatalf("Error watching JWT svid updates: %v", err)
@@ -111,20 +111,12 @@ func (s *Sidecar) RunDaemon(ctx context.Context) error {
 s.jwtSource = jwtSource
 defer s.jwtSource.Close()
 
- if s.config.JwtSvids != nil {
- for _, jwtConfig := range s.config.JwtSvids {
- jwtConfig := jwtConfig
- wg.Add(1)
- go func() {
- defer wg.Done()
- s.updateJWTSVID(ctx, jwtConfig.JWTAudience, jwtConfig.JWTSvidFilename)
- }()
- }
- } else {
+ for _, jwtConfig := range s.config.JwtSvids {
+ jwtConfig := jwtConfig
 wg.Add(1)
 go func() {
 defer wg.Done()
- s.updateJWTSVID(ctx, s.config.JWTAudienceDeprecated, s.config.JWTSvidFilenameDeprecated)
+ s.updateJWTSVID(ctx, jwtConfig.JWTAudience, jwtConfig.JWTSvidFilename)
 }()
 }
 }
diff --git a/test/fixture/config/helper.conf b/test/fixture/config/helper.conf
index 0ab57b78..7e637aec 100644
--- a/test/fixture/config/helper.conf
+++ b/test/fixture/config/helper.conf
@@ -6,8 +6,12 @@ renew_signal = "SIGHUP"
 svid_file_name = "svid.pem"
 svid_key_file_name = "svid_key.pem"
 svid_bundle_file_name = "svid_bundle.pem"
-jwt_svid_file_name = "jwt_svid.token"
 jwt_bundle_file_name = "jwt_bundle.json"
-jwt_audience = "your-audience"
+jwt_svids = [
+ {
+ jwt_svid_file_name = "jwt_svid.token"
+ jwt_audience = "your-audience"
+ }
+]
 timeout = "10s"
 add_intermediates_to_bundle = true
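Review bot: `if s.config.JwtSvids != nil {` opens a JWTSource against the Workload API even for an empty, non-nil list, which the loop in the next hunk then leaves with no workers; `if len(s.config.JwtSvids) > 0 {` avoids holding an idle source and matches the emptiness check the config validation should be making. RunDaemon's body starts and ends outside this hunk.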
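Review bot: Each `JwtSvids` entry gets its own goroutine writing `jwtConfig.JWTSvidFilename`, and nothing in this commit's config.go hunks rejects two entries that name the same output path, so such a config would have two writers racing on one file and overwriting each other's token. A duplicate-path check in `ValidateConfig` (a `map[string]struct{}` over `JWTSvidFilename` that returns an error on a repeat) would surface this at startup instead of as a runtime race. The `jwtConfig := jwtConfig` copy is only needed under pre-1.22 loop-variable semantics; whether it can be dropped depends on the module's `go` directive, which is outside this diff.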