Injector: Change daprd projected token audience to sentry SPIFFE ID (d…

…apr#7041) * Injector: Change daprd projected token audience to sentry SPIFFE ID Signed-off-by: joshvanl <me@joshvanl.dev> * Linting Signed-off-by: joshvanl <me@joshvanl.dev> * Change SidecarConfig to use string type for SentrySPIFFEID Signed-off-by: joshvanl <me@joshvanl.dev> --------- Signed-off-by: joshvanl <me@joshvanl.dev> Co-authored-by: Yaron Schneider <schneider.yaron@live.com> Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com> Signed-off-by: Elena Kolevska <elena@kolevska.com>
elena-kolevska · Jan 25, 2024 · 8fe9c94 · 8fe9c94
1 parent fb757b5
commit 8fe9c94
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 13 deletions.
diff --git a/cmd/injector/app/app.go b/cmd/injector/app/app.go
@@ -83,15 +83,10 @@ func Run() {
 		log.Fatalf("Failed to get authentication uids from services accounts: %s", err)
 	}
 
-	namespace, err := security.CurrentNamespaceOrError()
-	if err != nil {
-		log.Fatalf("Failed to get current namespace: %s", err)
-	}
-
 	secProvider, err := security.New(ctx, security.Options{
 		SentryAddress:           cfg.SentryAddress,
 		ControlPlaneTrustDomain: cfg.ControlPlaneTrustDomain,
-		ControlPlaneNamespace:   namespace,
+		ControlPlaneNamespace:   security.CurrentNamespace(),
 		TrustAnchorsFile:        cfg.TrustAnchorsFile,
 		AppID:                   "dapr-injector",
 		MTLSEnabled:             true,
@@ -134,6 +129,7 @@ func Run() {
 			})
 			return inj.Run(ctx,
 				sec.TLSServerConfigNoClientAuth(),
+				sentryID,
 				requester.RequestCertificateFromSentry,
 				sec.CurrentTrustAnchors,
 			)

diff --git a/pkg/injector/patcher/sidecar.go b/pkg/injector/patcher/sidecar.go
@@ -53,6 +53,7 @@ type SidecarConfig struct {
 	ControlPlaneTrustDomain     string
 	ActorsService               string
 	RemindersService            string
+	SentrySPIFFEID              string
 	SidecarHTTPPort             int32 `default:"3500"`
 	SidecarAPIGRPCPort          int32 `default:"50001"`
 	SidecarInternalGRPCPort     int32 `default:"50002"`

diff --git a/pkg/injector/patcher/sidecar_patcher_test.go b/pkg/injector/patcher/sidecar_patcher_test.go
@@ -269,6 +269,7 @@ func TestPatching(t *testing.T) {
 			c.Identity = "pod:identity"
 			c.CertChain = "certchain"
 			c.CertKey = "certkey"
+			c.SentrySPIFFEID = "spiffe://foo.bar/ns/example/dapr-sentry"
 
 			if tc.sidecarConfigModifierFn != nil {
 				tc.sidecarConfigModifierFn(c)
@@ -317,6 +318,9 @@ func TestPatching(t *testing.T) {
 				tokenVolume := pod.Spec.Volumes[0]
 				assert.Equal(t, "dapr-identity-token", tokenVolume.Name)
 				assert.NotNil(t, tokenVolume.Projected)
+				require.Len(t, tokenVolume.Projected.Sources, 1)
+				require.NotNil(t, tokenVolume.Projected.Sources[0].ServiceAccountToken)
+				assert.Equal(t, "spiffe://foo.bar/ns/example/dapr-sentry", tokenVolume.Projected.Sources[0].ServiceAccountToken.Audience)
 
 				// Assertions on added labels
 				assert.Equal(t, "true", pod.Labels[injectorConsts.SidecarInjectedLabel])
@@ -351,6 +355,9 @@ func TestPatching(t *testing.T) {
 				tokenVolume := pod.Spec.Volumes[1]
 				assert.Equal(t, "dapr-identity-token", tokenVolume.Name)
 				assert.NotNil(t, tokenVolume.Projected)
+				require.Len(t, tokenVolume.Projected.Sources, 1)
+				require.NotNil(t, tokenVolume.Projected.Sources[0].ServiceAccountToken)
+				assert.Equal(t, "spiffe://foo.bar/ns/example/dapr-sentry", tokenVolume.Projected.Sources[0].ServiceAccountToken.Audience)
 
 				// Check the presence of the volume mount in the app container
 				appContainer := pod.Spec.Containers[0]

diff --git a/pkg/injector/patcher/sidecar_volumes.go b/pkg/injector/patcher/sidecar_volumes.go
@@ -20,7 +20,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 
 	injectorConsts "github.com/dapr/dapr/pkg/injector/consts"
-	securityConsts "github.com/dapr/dapr/pkg/security/consts"
 	"github.com/dapr/kit/ptr"
 )
 
@@ -78,7 +77,7 @@ func (c *SidecarConfig) getTokenVolume() corev1.Volume {
 				DefaultMode: ptr.Of(int32(420)),
 				Sources: []corev1.VolumeProjection{{
 					ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
-						Audience:          securityConsts.ServiceAccountTokenAudience,
+						Audience:          c.SentrySPIFFEID,
 						ExpirationSeconds: ptr.Of(int64(7200)),
 						Path:              "token",
 					},

diff --git a/pkg/injector/service/injector.go b/pkg/injector/service/injector.go
@@ -23,6 +23,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	admissionv1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -62,7 +63,7 @@ type (
 
 // Injector is the interface for the Dapr runtime sidecar injection component.
 type Injector interface {
-	Run(context.Context, *tls.Config, signDaprdCertificateFn, currentTrustAnchorsFn) error
+	Run(context.Context, *tls.Config, spiffeid.ID, signDaprdCertificateFn, currentTrustAnchorsFn) error
 	Ready(context.Context) error
 }
 
@@ -87,6 +88,7 @@ type injector struct {
 	controlPlaneNamespace   string
 	controlPlaneTrustDomain string
 	currentTrustAnchors     currentTrustAnchorsFn
+	sentrySPIFFEID          spiffeid.ID
 	signDaprdCertificate    signDaprdCertificateFn
 
 	namespaceNameMatcher *namespacednamematcher.EqualPrefixNameNamespaceMatcher
@@ -213,7 +215,7 @@ func getServiceAccount(ctx context.Context, kubeClient kubernetes.Interface, all
 	return allowedUids, nil
 }
 
-func (i *injector) Run(ctx context.Context, tlsConfig *tls.Config, signDaprdFn signDaprdCertificateFn, currentTrustAnchors currentTrustAnchorsFn) error {
+func (i *injector) Run(ctx context.Context, tlsConfig *tls.Config, sentryID spiffeid.ID, signDaprdFn signDaprdCertificateFn, currentTrustAnchors currentTrustAnchorsFn) error {
 	select {
 	case <-i.ready:
 		return errors.New("injector already running")
@@ -225,6 +227,7 @@ func (i *injector) Run(ctx context.Context, tlsConfig *tls.Config, signDaprdFn s
 
 	i.currentTrustAnchors = currentTrustAnchors
 	i.signDaprdCertificate = signDaprdFn
+	i.sentrySPIFFEID = sentryID
 	i.server.TLSConfig = tlsConfig
 
 	errCh := make(chan error, 1)

diff --git a/pkg/injector/service/pod_patch.go b/pkg/injector/service/pod_patch.go
@@ -76,6 +76,7 @@ func (i *injector) getPodPatchOperations(ctx context.Context, ar *admissionv1.Ad
 	sidecar.SidecarDropALLCapabilities = i.config.GetDropCapabilities()
 	sidecar.ControlPlaneNamespace = i.controlPlaneNamespace
 	sidecar.ControlPlaneTrustDomain = i.controlPlaneTrustDomain
+	sidecar.SentrySPIFFEID = i.sentrySPIFFEID.String()
 	sidecar.CurrentTrustAnchors = trustAnchors
 	sidecar.CertChain = string(daprdCert)
 	sidecar.CertKey = string(daprdPrivateKey)

diff --git a/pkg/security/consts/consts.go b/pkg/security/consts/consts.go
@@ -27,9 +27,6 @@ const (
 	// TrustBundleK8sSecretName is the name of the kubernetes secret that holds the trust bundle.
 	TrustBundleK8sSecretName = "dapr-trust-bundle" /* #nosec */
 
-	// ServiceAccountTokenAudience is the audience for the service account token.
-	ServiceAccountTokenAudience = "dapr.io/sentry" /* #nosec */
-
 	// TrustAnchorsEnvVar is the environment variable name for the trust anchors in the sidecar.
 	TrustAnchorsEnvVar = "DAPR_TRUST_ANCHORS"
 	// CertChainEnvVar is the environment variable name for the cert chain in the sidecar.