consul/agent/connect/uri_workload_identity.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package connect

import (
	"fmt"
	"net/url"
)

// SpiffeIDWorkloadIdentity is the structure to represent the SPIFFE ID for a workload.
type SpiffeIDWorkloadIdentity struct {
	TrustDomain      string
	Partition        string
	Namespace        string
	WorkloadIdentity string
}

// URI returns the *url.URL for this SPIFFE ID.
func (id SpiffeIDWorkloadIdentity) URI() *url.URL {
	var result url.URL
	result.Scheme = "spiffe"
	result.Host = id.TrustDomain
	result.Path = id.uriPath()
	return &result
}

func (id SpiffeIDWorkloadIdentity) uriPath() string {
	// Although CE has no support for partitions, it still needs to be able to
	// handle exportedPartition from peered Consul Enterprise clusters in order
	// to generate the correct SpiffeID.
	// We intentionally avoid using pbpartition.DefaultName here to be CE friendly.
	path := fmt.Sprintf("/ap/%s/ns/%s/identity/%s",
		id.Partition,
		id.Namespace,
		id.WorkloadIdentity,
	)

	return path
}
xds controller: setup watches for and compute leaf cert references in ProxyStateTemplate, and wire up leaf cert manager dependency (#18756) * Refactors the leafcert package to not have a dependency on agent/consul and agent/cache to avoid import cycles. This way the xds controller can just import the leafcert package to use the leafcert manager. The leaf cert logic in the controller: * Sets up watches for leaf certs that are referenced in the ProxyStateTemplate (which generates the leaf certs too). * Gets the leaf cert from the leaf cert cache * Stores the leaf cert in the ProxyState that's pushed to xds * For the cert watches, this PR also uses a bimapper + a thin wrapper to map leaf cert events to related ProxyStateTemplates Since bimapper uses a resource.Reference or resource.ID to map between two resource types, I've created an internal type for a leaf certificate to use for the resource.Reference, since it's not a v2 resource. The wrapper allows mapping events to resources (as opposed to mapping resources to resources) The controller tests: Unit: Ensure that we resolve leaf cert references Lifecycle: Ensure that when the CA is updated, the leaf cert is as well Also adds a new spiffe id type, and adds workload identity and workload identity URI to leaf certs. This is so certs are generated with the new workload identity based SPIFFE id. * Pulls out some leaf cert test helpers into a helpers file so it can be used in the xds controller tests. * Wires up leaf cert manager dependency * Support getting token from proxytracker * Add workload identity spiffe id type to the authorize and sign functions --------- Co-authored-by: John Murret <john.murret@hashicorp.com> 2023-09-12 19:56:43 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: BUSL-1.1`

			`package connect`

			`import (`
			`"fmt"`
			`"net/url"`
			`)`

			`// SpiffeIDWorkloadIdentity is the structure to represent the SPIFFE ID for a workload.`
			`type SpiffeIDWorkloadIdentity struct {`
			`TrustDomain string`
			`Partition string`
			`Namespace string`
			`WorkloadIdentity string`
			`}`

			`// URI returns the *url.URL for this SPIFFE ID.`
			`func (id SpiffeIDWorkloadIdentity) URI() *url.URL {`
			`var result url.URL`
			`result.Scheme = "spiffe"`
			`result.Host = id.TrustDomain`
			`result.Path = id.uriPath()`
			`return &result`
			`}`

			`func (id SpiffeIDWorkloadIdentity) uriPath() string {`
			`// Although CE has no support for partitions, it still needs to be able to`
			`// handle exportedPartition from peered Consul Enterprise clusters in order`
			`// to generate the correct SpiffeID.`
			`// We intentionally avoid using pbpartition.DefaultName here to be CE friendly.`
			`path := fmt.Sprintf("/ap/%s/ns/%s/identity/%s",`
added tenancy to TestBuildL4TrafficPermissions (#19932) 2023-12-14 05:11:24 +00:00			`id.Partition,`
			`id.Namespace,`
xds controller: setup watches for and compute leaf cert references in ProxyStateTemplate, and wire up leaf cert manager dependency (#18756) * Refactors the leafcert package to not have a dependency on agent/consul and agent/cache to avoid import cycles. This way the xds controller can just import the leafcert package to use the leafcert manager. The leaf cert logic in the controller: * Sets up watches for leaf certs that are referenced in the ProxyStateTemplate (which generates the leaf certs too). * Gets the leaf cert from the leaf cert cache * Stores the leaf cert in the ProxyState that's pushed to xds * For the cert watches, this PR also uses a bimapper + a thin wrapper to map leaf cert events to related ProxyStateTemplates Since bimapper uses a resource.Reference or resource.ID to map between two resource types, I've created an internal type for a leaf certificate to use for the resource.Reference, since it's not a v2 resource. The wrapper allows mapping events to resources (as opposed to mapping resources to resources) The controller tests: Unit: Ensure that we resolve leaf cert references Lifecycle: Ensure that when the CA is updated, the leaf cert is as well Also adds a new spiffe id type, and adds workload identity and workload identity URI to leaf certs. This is so certs are generated with the new workload identity based SPIFFE id. * Pulls out some leaf cert test helpers into a helpers file so it can be used in the xds controller tests. * Wires up leaf cert manager dependency * Support getting token from proxytracker * Add workload identity spiffe id type to the authorize and sign functions --------- Co-authored-by: John Murret <john.murret@hashicorp.com> 2023-09-12 19:56:43 +00:00			`id.WorkloadIdentity,`
			`)`

			`return path`
			`}`