Skip to content

Commit

Permalink
chore: make spiffe optional
Browse files Browse the repository at this point in the history
Signed-off-by: AhmedGrati <[email protected]>
  • Loading branch information
TessaIO committed Oct 29, 2023
1 parent e8748c8 commit 34f56b0
Show file tree
Hide file tree
Showing 10 changed files with 79 additions and 40 deletions.
12 changes: 6 additions & 6 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -120,21 +120,21 @@ deploy: yamls
templates:
@# Need to prepend each line in the sample config with spaces in order to
@# fit correctly in the configmap spec.
@sed s'/^/ /' deployment/components/worker-config/nfd-worker.conf.example > nfd-worker.conf.tmp
@sed s'/^/ /' deployment/components/master-config/nfd-master.conf.example > nfd-master.conf.tmp
@sed s'/^/ /' deployment/components/topology-updater-config/nfd-topology-updater.conf.example > nfd-topology-updater.conf.tmp
@gsed s'/^/ /' deployment/components/worker-config/nfd-worker.conf.example > nfd-worker.conf.tmp
@gsed s'/^/ /' deployment/components/master-config/nfd-master.conf.example > nfd-master.conf.tmp
@gsed s'/^/ /' deployment/components/topology-updater-config/nfd-topology-updater.conf.example > nfd-topology-updater.conf.tmp
@# The sed magic below replaces the block of text between the lines with start and end markers
@start=NFD-MASTER-CONF-START-DO-NOT-REMOVE; \
end=NFD-MASTER-CONF-END-DO-NOT-REMOVE; \
sed -e "/$$start/,/$$end/{ /$$start/{ p; r nfd-master.conf.tmp" \
gsed -e "/$$start/,/$$end/{ /$$start/{ p; r nfd-master.conf.tmp" \
-e "}; /$$end/p; d }" -i deployment/helm/node-feature-discovery/values.yaml
@start=NFD-WORKER-CONF-START-DO-NOT-REMOVE; \
end=NFD-WORKER-CONF-END-DO-NOT-REMOVE; \
sed -e "/$$start/,/$$end/{ /$$start/{ p; r nfd-worker.conf.tmp" \
gsed -e "/$$start/,/$$end/{ /$$start/{ p; r nfd-worker.conf.tmp" \
-e "}; /$$end/p; d }" -i deployment/helm/node-feature-discovery/values.yaml
@start=NFD-TOPOLOGY-UPDATER-CONF-START-DO-NOT-REMOVE; \
end=NFD-TOPOLOGY-UPDATER-CONF-END-DO-NOT-REMOVE; \
sed -e "/$$start/,/$$end/{ /$$start/{ p; r nfd-topology-updater.conf.tmp" \
gsed -e "/$$start/,/$$end/{ /$$start/{ p; r nfd-topology-updater.conf.tmp" \
-e "}; /$$end/p; d }" -i deployment/helm/node-feature-discovery/values.yaml
@rm nfd-master.conf.tmp
@rm nfd-worker.conf.tmp
Expand Down
5 changes: 4 additions & 1 deletion cmd/nfd-master/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,8 @@ func main() {
args.Overrides.ResyncPeriod = overrides.ResyncPeriod
case "nfd-api-parallelism":
args.Overrides.NfdApiParallelism = overrides.NfdApiParallelism
case "enable-spiffe":
args.Overrides.EnableSpiffe = overrides.EnableSpiffe
case "enable-nodefeature-api":
klog.InfoS("-enable-nodefeature-api is deprecated, will be removed in a future release along with the deprecated gRPC API")
case "ca-file":
Expand Down Expand Up @@ -181,6 +183,7 @@ func initFlags(flagset *flag.FlagSet) (*master.Args, *master.ConfigOverrideArgs)
"It has an effect when the NodeFeature API has been enabled (with -enable-nodefeature-api).")
overrides.NfdApiParallelism = flagset.Int("nfd-api-parallelism", 10, "Defines the maximum number of goroutines responsible of updating nodes. "+
"Can be used for the throttling mechanism. It has effect only when -enable-nodefeature-api has been set.")

overrides.EnableSpiffe = flagset.Bool("enable-spiffe", false,
"Enables the Spiffe signature verification of created CRDs. This is still an EXPERIMENTAL feature.")
return args, overrides
}
4 changes: 4 additions & 0 deletions cmd/nfd-worker/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,8 @@ func parseArgs(flags *flag.FlagSet, osArgs ...string) *worker.Args {
args.Overrides.FeatureSources = overrides.FeatureSources
case "label-sources":
args.Overrides.LabelSources = overrides.LabelSources
case "enable-spiffe":
args.Overrides.EnableSpiffe = overrides.EnableSpiffe
}
})

Expand Down Expand Up @@ -158,6 +160,8 @@ func initFlags(flagset *flag.FlagSet) (*worker.Args, *worker.ConfigOverrideArgs)
flagset.Var(overrides.LabelSources, "label-sources",
"Comma separated list of label sources. Special value 'all' enables all sources. "+
"Prefix the source name with '-' to disable it.")
overrides.EnableSpiffe = flagset.Bool("enable-spiffe", false,
"Enables the Spiffe signature verification of created CRDs. This is still an EXPERIMENTAL feature.")

return args, overrides
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
# denyLabelNs: ["denied.ns.io","denied.kubernetes.io"]
# resourceLabels: ["vendor-1.com/feature-1","vendor-2.io/feature-2"]
# enableTaints: false
# enableSpiffe: true
# labelWhiteList: "foo"
# resyncPeriod: "2h"
# klog:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
# labelWhiteList:
# noPublish: false
# sleepInterval: 60s
# enableSpiffe: true
# featureSources: [all]
# labelSources: [all]
# klog:
Expand Down
3 changes: 3 additions & 0 deletions deployment/helm/node-feature-discovery/templates/master.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,9 @@ spec:
- "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
- "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
{{- end }}
{{- if .Values.spiffe.enable }}
- "-enable-spiffe"
{{- end }}
- "-metrics={{ .Values.master.metricsPort | default "8081" }}"
volumeMounts:
{{- if .Values.tls.enable }}
Expand Down
3 changes: 3 additions & 0 deletions deployment/helm/node-feature-discovery/templates/worker.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,9 @@ spec:
- "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
- "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
{{- end }}
{{- if .Values.spiffe.enable }}
- "-enable-spiffe"
{{- end }}
- "-metrics={{ .Values.worker.metricsPort | default "8081"}}"
ports:
- name: metrics
Expand Down
6 changes: 3 additions & 3 deletions deployment/helm/node-feature-discovery/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ namespaceOverride: ""
enableNodeFeatureApi: true

spiffe:
enable: true
enable: false

master:
enable: true
Expand All @@ -24,8 +24,8 @@ master:
# denyLabelNs: ["denied.ns.io","denied.kubernetes.io"]
# resourceLabels: ["vendor-1.com/feature-1","vendor-2.io/feature-2"]
# enableTaints: false
# labelWhiteList: "foo"
# enableSpiffe: true
# labelWhiteList: "foo"
# resyncPeriod: "2h"
# klog:
# addDirHeader: false
Expand Down Expand Up @@ -144,9 +144,9 @@ worker:
# labelWhiteList:
# noPublish: false
# sleepInterval: 60s
# enableSpiffe: true
# featureSources: [all]
# labelSources: [all]
# enableSpiffe: true
# klog:
# addDirHeader: false
# alsologtostderr: false
Expand Down
47 changes: 32 additions & 15 deletions pkg/nfd-master/nfd-master.go
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,7 @@ type NFDConfig struct {
LeaderElection LeaderElectionConfig
NfdApiParallelism int
Klog klogutils.KlogConfigOpts
EnableSpiffe bool
}

// LeaderElectionConfig contains the configuration for leader election
Expand All @@ -105,6 +106,7 @@ type ConfigOverrideArgs struct {
NoPublish *bool
ResyncPeriod *utils.DurationVal
NfdApiParallelism *int
EnableSpiffe *bool
}

// Args holds command line arguments
Expand Down Expand Up @@ -211,6 +213,7 @@ func newDefaultConfig() *NFDConfig {
NfdApiParallelism: 10,
ResourceLabels: utils.StringSetVal{},
EnableTaints: false,
EnableSpiffe: false,
ResyncPeriod: utils.DurationVal{Duration: time.Duration(1) * time.Hour},
LeaderElection: LeaderElectionConfig{
LeaseDuration: utils.DurationVal{Duration: time.Duration(15) * time.Second},
Expand Down Expand Up @@ -764,19 +767,11 @@ func (m *nfdMaster) nfdAPIUpdateOneNode(nodeName string) error {
return objs[i].Namespace < objs[j].Namespace
})

verifiedObjects := []*v1alpha1.NodeFeature{}
// Verify nfd objects signature
for _, obj := range objs {
isSignatureVerified, err := m.spiffeClient.VerifyDataSignature(obj.Spec, spiffe.GetSpiffeId(utils.NodeName()), obj.Annotations["signature"])
// If spiffe is enabled, we should filter out the non verified NFD objects
if m.config.EnableSpiffe {
objs, err = m.getVerifiedNFDObjects(objs)
if err != nil {
klog.ErrorS(err, "error while getting data signature")
return fmt.Errorf("failed to sign CRD data using Spiffe: %w", err)
}
if isSignatureVerified {
klog.InfoS("data verified", "nfd name", obj.Name)
verifiedObjects = append(verifiedObjects, obj)
} else {
klog.InfoS("data not verified", "nfd name", obj.Name)
return err
}
}

Expand All @@ -790,13 +785,13 @@ func (m *nfdMaster) nfdAPIUpdateOneNode(nodeName string) error {

annotations := Annotations{}

if len(verifiedObjects) > 0 {
if len(objs) > 0 {
// Merge in features
//
// NOTE: changing the rule api to support handle multiple objects instead
// of merging would probably perform better with lot less data to copy.
features = verifiedObjects[0].Spec.DeepCopy()
for _, o := range verifiedObjects[1:] {
features = objs[0].Spec.DeepCopy()
for _, o := range objs[1:] {
o.Spec.MergeInto(features)
}

Expand Down Expand Up @@ -1261,6 +1256,9 @@ func (m *nfdMaster) configure(filepath string, overrides string) error {
if m.args.Overrides.NfdApiParallelism != nil {
c.NfdApiParallelism = *m.args.Overrides.NfdApiParallelism
}
if m.args.Overrides.EnableSpiffe != nil {
c.EnableSpiffe = *m.args.Overrides.EnableSpiffe
}

if c.NfdApiParallelism <= 0 {
return fmt.Errorf("the maximum number of concurrent labelers should be a non-zero positive number")
Expand Down Expand Up @@ -1407,3 +1405,22 @@ func (m *nfdMaster) nfdAPIUpdateHandlerWithLeaderElection() {

leaderElector.Run(ctx)
}

func (m *nfdMaster) getVerifiedNFDObjects(objs []*v1alpha1.NodeFeature) ([]*v1alpha1.NodeFeature, error) {
verifiedObjects := []*v1alpha1.NodeFeature{}

for _, obj := range objs {
isSignatureVerified, err := m.spiffeClient.VerifyDataSignature(obj.Spec, spiffe.GetSpiffeId(utils.NodeName()), obj.Annotations["signature"])
if err != nil {
return nil, fmt.Errorf("failed to verify NodeFeature signature: %w", err)
}

if isSignatureVerified {
klog.InfoS("NodeFeature verified", "NodeFeature name", obj.Name)
verifiedObjects = append(verifiedObjects, obj)
} else {
klog.InfoS("NodeFeature not verified, skipping...", "NodeFeature name", obj.Name)
}
}
return verifiedObjects, nil
}
37 changes: 22 additions & 15 deletions pkg/nfd-worker/nfd-worker.go
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ type coreConfig struct {
Sources *[]string
LabelSources []string
SleepInterval utils.DurationVal
EnableSpiffe bool
}

type sourcesConfig map[string]source.Config
Expand Down Expand Up @@ -118,6 +119,7 @@ type ConfigOverrideArgs struct {

FeatureSources *utils.StringSliceVal
LabelSources *utils.StringSliceVal
EnableSpiffe *bool
}

type nfdWorker struct {
Expand Down Expand Up @@ -539,6 +541,9 @@ func (w *nfdWorker) configure(filepath string, overrides string) error {
if w.args.Overrides.LabelSources != nil {
c.Core.LabelSources = *w.args.Overrides.LabelSources
}
if w.args.Overrides.EnableSpiffe != nil {
c.Core.EnableSpiffe = *w.args.Overrides.EnableSpiffe
}

c.Core.sanitize()

Expand Down Expand Up @@ -712,14 +717,15 @@ func (m *nfdWorker) updateNodeFeatureObject(labels Labels) error {
},
}

signature, err := m.spiffeClient.SignData(nfr.Spec, spiffe.GetSpiffeId(utils.NodeName()))
klog.InfoS("data signature", "signature", string(signature))
if err != nil {
klog.ErrorS(err, "error while getting data signature")
return fmt.Errorf("failed to sign CRD data using Spiffe: %w", err)
// If Spiffe is enabled, we add the signature to the annotations section
if m.config.Core.EnableSpiffe {
signature, err := m.spiffeClient.SignData(nfr.Spec, spiffe.GetSpiffeId(utils.NodeName()))
if err != nil {
return fmt.Errorf("failed to sign CRD data using Spiffe: %w", err)
}
encodedSignature := b64.StdEncoding.EncodeToString(signature)
nfr.ObjectMeta.Annotations["signature"] = encodedSignature
}
encodedSignature := b64.StdEncoding.EncodeToString(signature)
nfr.ObjectMeta.Annotations["signature"] = encodedSignature

nfrCreated, err := cli.NfdV1alpha1().NodeFeatures(namespace).Create(context.TODO(), nfr, metav1.CreateOptions{})
if err != nil {
Expand All @@ -738,15 +744,16 @@ func (m *nfdWorker) updateNodeFeatureObject(labels Labels) error {
Labels: labels,
}

signature, err := m.spiffeClient.SignData(nfrUpdated.Spec, spiffe.GetSpiffeId(utils.NodeName()))
encodedSignature := b64.StdEncoding.EncodeToString(signature)
klog.InfoS("data signature", "signature", encodedSignature)
if err != nil {
klog.ErrorS(err, "error while getting data signature")
return fmt.Errorf("failed to sign CRD data using Spiffe: %w", err)
}
if m.config.Core.EnableSpiffe {
signature, err := m.spiffeClient.SignData(nfrUpdated.Spec, spiffe.GetSpiffeId(utils.NodeName()))

nfrUpdated.ObjectMeta.Annotations["signature"] = encodedSignature
if err != nil {
return fmt.Errorf("failed to sign CRD data using Spiffe: %w", err)
}

encodedSignature := b64.StdEncoding.EncodeToString(signature)
nfrUpdated.ObjectMeta.Annotations["signature"] = encodedSignature
}

if !apiequality.Semantic.DeepEqual(nfr, nfrUpdated) {
klog.InfoS("updating NodeFeature object", "nodefeature", klog.KObj(nfr))
Expand Down

0 comments on commit 34f56b0

Please sign in to comment.