Comprehensive overhaul of Harvester and Server enhancements

[maxlambrecht]

Pull request check list

• Proper tests/regressions included?
• Documentation updated?

Summary of Changes

This Pull Request presents a comprehensive overhaul of the Harvester and several improvements to the Server. The enhancements presented in this PR mainly concern:

1. Improved synchronization of federation bundles: Enhancements in its relationship configuration and consent status.
2. Bundle signing and verification functionality: Configurable signing and verification through Providers.
3. Newly introduced Endpoint: Serving th Harvester admin API via a Unix Domain Socket (UDS).
4. Introduction of two Harvester Syncers:
   • The first Syncer focuses on SPIRE bundle synchronization and server upload.
   • The second Syncer orchestrates the synchronization of federated bundles from the server.
5. Streamlining of the data model: Elimination of unused fields, namely 'onboarding_bundle' and 'harvester_spiffe_if'.
6. Upgrades to the Server harvester and admin APIs: Improving naming of components to better align with REST operations. Adding consistency to the specs.
7. Enhancements in logging: More efficient debugging and system tracking.
8. Improvements in naming conventions: Fostering better code readability and maintainability.
9. Revisions in package organization and distribution of responsibilities: Enhancing modular design.

Additional Improvements

The Harvester now requests a new JWT token every half an hour and stores it on disk. This resilience-improving measure enables the Harvester to be restarted without needing to re-onboard it with a join token.

Additional Notes

Noteworthy changes to the CLI and configuration files are planned to be covered in a subsequent PR. There's also an acknowledgment of certain packages lacking comprehensive tests - this will be addressed in upcoming follow-up PRs.

Looking Ahead

The aforementioned enhancements in this PR reflect our ongoing commitment to evolve and refine the Harvester.

Which issue this pull requests fixes

[maxlambrecht]

The error message is sanitized.

[mgbcaio]

Left a few comments/questions, Max

[mgbcaio]

leftover ?

[maxlambrecht]

Yep

[mgbcaio]

Suggested change

	ConsentStatusAccepted ConsentStatus = "approved"
	ConsentStatusApproved ConsentStatus = "approved"

[maxlambrecht]

🙏

[mgbcaio]

Curiosity question, having 2 defer cancel which would trigger first, does that cancel the whole context ?

[maxlambrecht]

good catch, reusing the same variable for the cancel is a mistake.

[mgbcaio]

what you think about putting a log here to indicate that there is no new bundle?

[maxlambrecht]

That specific log line might be redundant, as we have a Debug log statement that says "Checking..." before the action takes place, and another one that states "New bundle..." when it fetches a new bundle, and an Info log statement indicating "Uploaded...". I think these log lines provide sufficient visibility into the process.

[mgbcaio]

okay, sounds good

[mgbcaio]

why not p.mu.RLock in here ?

[maxlambrecht]

The setToken function modifies the shared jwt token. Therefore, we need to ensure that no other goroutines are reading or writing the jwt token at the same time. A full lock, i.e, Lock(), accomplishes this by blocking both reads and writes to the shared resource. On the other hand, RLock only blocks write operations but allows multiple concurrent read operations.

[mgbcaio]

thanks for clarifying!

[wibarre]

hats off!!! @maxlambrecht

[wibarre]

Was this for debugging?

[maxlambrecht]

it was a leftover, already removed.

[wibarre]

//TODO?

[wibarre]

I wonder if this would be better to have them as a configuration. It could give the users of Galadriel the opportunity to align with internal policies they may have for their JWTs.

[maxlambrecht]

I'll take a note to address this later on.

[wibarre]

Do we need to check if the JWT has not expired as well? If there is no token or if the token is expired, we need new onboarding, correct?

[maxlambrecht]

I have enhanced the client's constructor function such that it now attempts to renew the token during initialization. This way, if it fails to procure a renewed token from the server, the creation process will fail, preventing the Harvester from starting. In case of such a failure, the Harvester will log stating that the Harvester was unable to establish a connection with the server using the stored token. The error message will suggest the need for re-onboarding the Harvester using a fresh join token.

[wibarre]

TPC Listener stopped

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
16 Code Smells

No Coverage information
0.1% Duplication

[mgbcaio]

Finished my second round of the review. Amazing work, thanks Max!