documentation update + spiffe workshop files (#1140)

* doc update

Signed-off-by: Volkan Özçelik <[email protected]>

* add spiffe federation workshop

Signed-off-by: Volkan Özçelik <[email protected]>

---------

Signed-off-by: Volkan Özçelik <[email protected]>

app/safe/internal/server/route/fallback/fallback.go

@@ -17,6 +17,16 @@ import (
 	log "github.com/vmware-tanzu/secrets-manager/core/log/std"
 )
 
+// Fallback handles requests that don't match any defined routes.
+//
+// It logs the mismatched route, sets the HTTP status to BadRequest,
+// and writes an empty response. If there's an error writing the response,
+// it logs a warning.
+//
+// Parameters:
+//   - cid: A string representing the correlation ID for logging.
+//   - r: The HTTP request that didn't match any routes.
+//   - w: The HTTP response writer to send the response.
 func Fallback(
 	cid string, r *http.Request, w http.ResponseWriter,
 ) {

examples/workshop_spiffe_federation/README.md

@@ -0,0 +1,72 @@
+```text
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+```
+
+## Preparation
+
+Assuming `microk8s` on ubuntu.
+
+```bash
+./infra/enable-k8s.sh
+# ^ this will ask for IP ranges:
+# Diablo:   10.211.55.110-10.211.55.119
+# Mephisto: 10.211.55.120-10.211.55.129
+# Baal:     10.211.55.130-10.211.55.139
+# Azmodan:  10:211.55.140-10.211.55.149
+
+# Next run this:
+./infra/install-cluster-prerequisites.sh
+```
+
+## Bringing Up the Clusters
+
+In each cluster folder (i.e., `./clusters/diablo`, `./clusters/mephisto`, etc)
+execute the following.
+
+```bash
+cd <clusters/diablo|mephisto|baal|azmodan>
+./hack/install-spire.sh
+```
+
+## Federating Clusters
+
+After ensuring that SPIRE is up and running in all the clusters, execute
+the following in each cluster.
+
+```bash
+go run ./hack/federate.go
+./hack/set-initial-bundle.sh
+```
+
+## Deploy the Workloads
+
+```bash
+cd clusters/<diablo|mephsito|baal|azmodan>
+cd k8s/<control-plane-server|edge-store>
+microk8s kubectl apply -f .
+```
+Install `control-plane-server` to `diablo`; `edge-store` to 
+`mephisto`, `baal`, and `azmodan` (i.e., all edge stores).
+
+Then check the logs of the edge stores. If everything went well, you should see
+a new log line every ~10 seconds with an incremented sequence number.
+
+## Other Helper Scripts
+
+The `./infra` folder has the following scripts:
+
+* `./infra/diablo.sh`: Displays cert information for `diablo` bundle endpoint.
+* `./infra/mephisto.sh`: Displays cert information for `mephisto` bundle endpoint
+* `./infra/baal.sh`: Displays cert information for `baal` bundle endpoint.
+* `./infra/azmodan.sh`: Displays cert information for `azmodan` bundle endpoint.
+* `./infra/reset.sh`: Resets the cluster and deletes the WORKSPACE folder (make
+   sure to back up any important data before running this script; the script will
+   NOT ask for confirmation!).

examples/workshop_spiffe_federation/apps/control-plane-server/Dockerfile

@@ -0,0 +1,40 @@
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+FROM golang:1.23 AS builder
+
+WORKDIR /app
+
+COPY go.mod .
+COPY go.sum .
+
+RUN go mod download
+
+COPY server.go .
+
+RUN CGO_ENABLED=0 GOOS=linux go build -o server server.go
+
+FROM ubuntu:22.04 AS server
+
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    curl \
+    net-tools \
+    netcat \
+    vim \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /root/
+
+COPY --from=builder /app/server .
+
+EXPOSE 443
+
+CMD ["./server"]

examples/workshop_spiffe_federation/apps/control-plane-server/go.mod

@@ -0,0 +1,18 @@
+module control-plane
+
+go 1.23.1
+
+require github.com/spiffe/go-spiffe/v2 v2.3.0
+
+require (
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/zeebo/errs v1.3.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
+	google.golang.org/grpc v1.64.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+)

examples/workshop_spiffe_federation/apps/control-plane-server/go.sum

@@ -0,0 +1,32 @@
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/spiffe/go-spiffe/v2 v2.3.0 h1:g2jYNb/PDMB8I7mBGL2Zuq/Ur6hUhoroxGQFyD6tTj8=
+github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7zvJnTV8ZyIY=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
+github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
+google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=
+google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

examples/workshop_spiffe_federation/apps/control-plane-server/push-to-registry.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash 
+
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+docker build -t control-plane-server .
+docker tag control-plane-server localhost:32000/control-plane-server:latest
+docker push localhost:32000/control-plane-server:latest

examples/workshop_spiffe_federation/apps/control-plane-server/server.go

@@ -0,0 +1,79 @@
+/*
+|    Protect your secrets, protect your sensitive data.
+:    Explore VMware Secrets Manager docs at https://vsecm.com/
+</
+<>/  keep your secrets... secret
+>/
+<>/' Copyright 2023-present VMware Secrets Manager contributors.
+>/'  SPDX-License-Identifier: BSD-2-Clause
+*/
+
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
+	"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
+	"github.com/spiffe/go-spiffe/v2/workloadapi"
+	"net/http"
+	"sync"
+)
+
+func main() {
+	fmt.Println("In main...")
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	fmt.Println("Before querying the workload api")
+
+	source, err := workloadapi.NewX509Source(
+		ctx,
+		workloadapi.WithClientOptions(
+			workloadapi.WithAddr("unix:///spire-agent-socket/spire-agent.sock"),
+		),
+	)
+
+	fmt.Println("After querying the workload api")
+
+	if err != nil {
+		panic("Error acquiring X.509 source")
+	}
+	defer func(source *workloadapi.X509Source) {
+		_ = source.Close()
+	}(source)
+
+	authorizer := tlsconfig.AdaptMatcher(func(id spiffeid.ID) error {
+		// In a real-world scenario, you'd implement proper authorization logic here
+		return nil
+	})
+
+	serverConfig := &tls.Config{
+		ClientAuth: tls.RequireAnyClientCert,
+		GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
+			return tlsconfig.MTLSServerConfig(source, source, authorizer), nil
+		},
+	}
+
+	var counter = 0
+	var counterLock sync.Mutex
+
+	server := &http.Server{
+		Addr:      ":443",
+		TLSConfig: serverConfig,
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			counterLock.Lock()
+			defer counterLock.Unlock()
+			counter = counter + 1
+			_, _ = fmt.Fprintf(w, "hello: %d", counter)
+		}),
+	}
+
+	fmt.Println("Starting server on https://0.0.0.0:443")
+	if err := server.ListenAndServeTLS("", ""); err != nil {
+		panic("Error starting server: " + err.Error())
+	}
+	fmt.Println("Server started.")
+}

examples/workshop_spiffe_federation/apps/edge-store/Dockerfile

@@ -0,0 +1,32 @@
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+FROM golang:1.23 AS builder
+
+WORKDIR /app
+
+COPY go.mod .
+COPY go.sum .
+
+RUN go mod download
+
+COPY client.go .
+
+RUN CGO_ENABLED=0 GOOS=linux go build -o client client.go
+
+FROM alpine:latest AS client
+
+RUN apk --no-cache add ca-certificates
+
+WORKDIR /root/
+
+COPY --from=builder /app/client .
+
+CMD ["./client"]