
Test secretless authentication on GKE #562

Merged: wallrj merged 1 commit into master from gke-workload-federation-test on Sep 3, 2024

Conversation

@wallrj (Member) commented Aug 23, 2024

This modified script will create a GKE cluster and set up: venafi-enhanced-issuer, approver-policy-enterprise, and venafi-kubernetes-agent to authenticate to Venafi Control Plane using a Kubernetes ServiceAccount Token.

$ ./hack/e2e/test.sh
...
2024/08/23 16:35:02 Venafi Connection mode was specified, using Venafi Connection authentication.
2024/08/23 16:35:02 ignoring venafi-cloud.upload_path. In Venafi Connection mode, this field is not needed.
2024/08/23 16:35:02 ignoring venafi-cloud.uploader_id. In Venafi Connection mode, this field is not needed.
2024/08/23 16:35:02 Prometheus was enabled.
Running prometheus server on port :8081
2024/08/23 16:36:13 Posting data to: https://api.venafi.cloud/
2024/08/23 16:36:13 retrying in 20.592925933s after error: post to server failed: while loading the VenafiConnection venafi/venafi-components: VenafiConnection.jetstack.io "venafi-components" not found
2024/08/23 16:36:34 Posting data to: https://api.venafi.cloud/
2024/08/23 16:36:34 retrying in 55.382780171s after error: post to server failed: while loading the VenafiConnection venafi/venafi-components: VenafiConnection.jetstack.io "venafi-components" not found
2024/08/23 16:37:29 Posting data to: https://api.venafi.cloud/
2024/08/23 16:37:31 Data sent successfully.
$ kubectl get venaficonnection -n venafi -o yaml
...
  status:
    conditions:
    - lastTransitionTime: "2024-08-27T16:52:14Z"
      lastUpdateTime: "2024-08-28T16:28:22Z"
      message: d97b3a02ea4dbd895aa730df409d9a15011aab855d710d59822e852cb84fae64
      observedGeneration: 3
      reason: Generated a token
      status: "True"
      tokenValidUntil: "2024-08-28T16:43:22Z"
      type: VenafiKubernetesAgentReady
    - lastTransitionTime: "2024-08-28T11:14:55Z"
      lastUpdateTime: "2024-08-28T16:41:11Z"
      message: 9822840ae10e13e9a0a7f6a0d74c8e70a201892a0e1aef8268f4e9527945eb2e
      observedGeneration: 3
      reason: Generated a token
      status: "True"
      tokenValidUntil: "2024-08-28T16:56:11Z"
      type: VenafiEnhancedIssuerReady
    - lastTransitionTime: "2024-08-28T14:36:22Z"
      lastUpdateTime: "2024-08-28T16:27:34Z"
      message: 51f7b1e16e7a5ac9255d019e1cf50857ebe04f2eb78892d45e1cdc96e01aa87c
      observedGeneration: 3
      reason: Generated a token
      status: "True"
      tokenValidUntil: "2024-08-28T16:42:34Z"
      type: ApproverPolicyVenafiReady

Here are the corresponding events from the Venafi Control Plane event log

Ref: VC-35374

@wallrj wallrj force-pushed the gke-workload-federation-test branch 10 times, most recently from d1974ec to a38ddd3 on August 29, 2024 17:04
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj wallrj force-pushed the gke-workload-federation-test branch from a38ddd3 to f767ff6 on September 3, 2024 08:23
@wallrj wallrj changed the base branch from master to disable-config-server-field on September 3, 2024 08:23
@maelvls (Member) commented Sep 3, 2024

I've run the script with the US https://ven-tlspk.venafi.cloud/ using the following settings:

export VEN_API_KEY=$(lpass show -p ven-tlspk.venafi.cloud)
export \
 VEN_OWNING_TEAM=$(curl --fail-with-body -sS https://api.venafi.cloud/v1/teams -H "tppl-api-key: $VEN_API_KEY" | jq '.teams[0].id' -r) \
 OCI_BASE=ttl.sh/maelvls \
 VEN_API_KEY_PULL=$(lpass show -p glow-in-the-dark.venafi.cloud) \
 VEN_API_HOST=api.venafi.cloud \
 VEN_ZONE='tlspk-bench\Default' \
 CLOUDSDK_CORE_PROJECT=jetstack-mael-valais \
 CLOUDSDK_COMPUTE_ZONE=europe-west1-b \
 CLUSTER_NAME=test-secretless

Unfortunately, it stopped with some 400:

jq -n '{
      "name": "venafi-kubernetes-agent-e2e-agent-\($random)",
      "authenticationType": "rsaKeyFederated",
      "scopes": ["kubernetes-discovery-federated", "certificate-issuance"],
      "subject": $subject,
      "audience": $audience,
      "issuerURL": $issuerURL,
      "jwksURI": $jwksURI,
      "applications": [$applications.applications[].id],
      "owner": $teams.teams[] | select(.name==$teamName) | .id
    }' --arg random 21821 --arg teamName 8c8f7450-6159-11ef-80cf-cb480ca9e3bf --arg subject system:serviceaccount:venafi:venafi-components --arg audience https://api.venafi.cloud --arg issuerURL https://container.googleapis.com/v1/projects/jetstack-mael-valais/locations/europe-west1-b/clusters/test-secretless --arg jwksURI https://container.googleapis.com/v1/projects/jetstack-mael-valais/locations/europe-west1-b/clusters/test-secretless/jwks --argjson teams '{"teams":[{"id":"8c8f7450-6159-11ef-80cf-cb480ca9e3bf","name":"RichardW","systemRoles":["SYSTEM_ADMIN"],"productRoles":{},"role":"SYSTEM_ADMIN","members":["d6175270-6526-11ef-a333-43042b807b68","a643a0e0-6525-11ef-a333-43042b807b68"],"owners":["76a126f0-280e-11ee-84fb-991f3177e2d0"],"companyId":"756db001-280e-11ee-84fb-991f3177e2d0","userMatchingRules":[],"modificationDate":"2024-08-28T11:18:01.932+00:00"},{"id":"d2508300-3705-11ee-a17b-69a77fb429d7","name":"test team anuar","systemRoles":["SYSTEM_ADMIN"],"productRoles":{},"role":"SYSTEM_ADMIN","members":[],"owners":["8833bf90-280e-11ee-84fb-991f3177e2d0","85836ca0-280e-11ee-8261-4748584228c9","7820e920-280e-11ee-84fb-991f3177e2d0","8034ef30-280e-11ee-8261-4748584228c9","7ac07330-280e-11ee-850d-2d2b2126b237","7ec559a0-280e-11ee-8261-4748584228c9","82d93430-280e-11ee-84fb-991f3177e2d0","843d3100-280e-11ee-850d-2d2b2126b237","7977c690-280e-11ee-850d-2d2b2126b237","76a126f0-280e-11ee-84fb-991f3177e2d0","7d6ad2b0-280e-11ee-8261-4748584228c9","86e98c50-280e-11ee-84fb-991f3177e2d0","7c0eec30-280e-11ee-84fb-991f3177e2d0","817d26a0-280e-11ee-8261-4748584228c9"],"companyId":"756db001-280e-11ee-84fb-991f3177e2d0","userMatchingRules":[],"modificationDate":"2023-08-09T22:41:03.910+00:00"}]}' --argjson applications '{"applications":[{"id":"d4eed080-0c5c-11ef-bb93-97de0c09752f","companyId":"756db001-280e-11ee-84fb-991f3177e2d0","name":"admin","description":"","ownerIdsAndTypes":[{"ownerId":"85836ca0-280e-11ee-8261-4748584228c9","ownerType":"USER"},{"ownerId":"817d26a0-280e-11ee-8261-4748584228c9","ownerType":"USER"}],"fullyQualifiedDomainNames":[],"ipRanges":[],"ports":[],"certificateIssuingTemplateAliasIdMap":{"Default":"7665cba2-280e-11ee-abfe-69743765b4a4"},"modificationDate":"2024-05-07T10:30:32.072+00:00","creationDate":"2024-05-07T10:30:32.072+00:00","ownership":{"owningUsers":["85836ca0-280e-11ee-8261-4748584228c9","817d26a0-280e-11ee-8261-4748584228c9"]}},{"id":"7eaf1c90-0c5a-11ef-8710-4f78e0e5228b","companyId":"756db001-280e-11ee-84fb-991f3177e2d0","name":"test","description":"","ownerIdsAndTypes":[{"ownerId":"7d6ad2b0-280e-11ee-8261-4748584228c9","ownerType":"USER"},{"ownerId":"7c0eec30-280e-11ee-84fb-991f3177e2d0","ownerType":"USER"}],"fullyQualifiedDomainNames":[],"ipRanges":[],"ports":[],"certificateIssuingTemplateAliasIdMap":{"Default":"7665cba2-280e-11ee-abfe-69743765b4a4"},"modificationDate":"2024-05-07T10:13:48.377+00:00","creationDate":"2024-05-07T10:13:48.377+00:00","ownership":{"owningUsers":["7d6ad2b0-280e-11ee-8261-4748584228c9","7c0eec30-280e-11ee-84fb-991f3177e2d0"]}},{"id":"b2d36e20-0c5c-11ef-aa2e-f3a8a6dc81e8","companyId":"756db001-280e-11ee-84fb-991f3177e2d0","name":"test1","description":"","ownerIdsAndTypes":[{"ownerId":"843d3100-280e-11ee-850d-2d2b2126b237","ownerType":"USER"},{"ownerId":"7d6ad2b0-280e-11ee-8261-4748584228c9","ownerType":"USER"}],"fullyQualifiedDomainNames":[],"ipRanges":[],"ports":[],"certificateIssuingTemplateAliasIdMap":{},"modificationDate":"2024-05-07T10:29:34.850+00:00","creationDate":"2024-05-07T10:29:34.850+00:00","ownership":{"owningUsers":["7d6ad2b0-280e-11ee-8261-4748584228c9","843d3100-280e-11ee-850d-2d2b2126b237"]}},{"id":"303ce460-652f-11ef-a63d-e32bbc0dac9e","companyId":"756db001-280e-11ee-84fb-991f3177e2d0","name":"tlspk-bench","description":"For benchmarking with tlspk-bench","ownerIdsAndTypes":[{"ownerId":"8c8f7450-6159-11ef-80cf-cb480ca9e3bf","ownerType":"TEAM"}],"fullyQualifiedDomainNames":[],"ipRanges":[],"ports":[],"certificateIssuingTemplateAliasIdMap":{"Default":"7665cba2-280e-11ee-abfe-69743765b4a4"},"modificationDate":"2024-08-28T11:18:01.894+00:00","creationDate":"2024-08-28T11:18:01.894+00:00","ownership":{"owningTeams":["8c8f7450-6159-11ef-80cf-cb480ca9e3bf"]}}]}' \
    | curl https://api.venafi.cloud/v1/serviceaccounts -H "tppl-api-key: $VEN_API_KEY" -fsSL --json @-
curl: (56) The requested URL returned error: 400

I admit I wasn't able to debug the issue... I trust that you have tested the script.

Thanks for testing with an EU tenant too!
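The trust that makes this "secretless" setup work is the binding between the GKE-issued ServiceAccount token and the `rsaKeyFederated` service account definition in the request above: the token's `iss`, `sub` and `aud` claims must equal the `issuerURL`, `subject` and `audience` submitted, and Venafi Control Plane fetches the signing keys from `jwksURI`. The pre-flight check below is an added example in Python, not part of the PR's script or the Venafi API; the GCP project name and the token are constructed, only claims are compared, and signature verification is left to Venafi via the JWKS endpoint.

```python
# Pre-flight check: do a Kubernetes ServiceAccount token's claims match the
# rsaKeyFederated service account definition Venafi Control Plane will trust?
# Only claims are compared; signature verification is done by Venafi via jwksURI.
import base64
import json

def _b64url_decode(part: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def token_claims(token: str) -> dict:
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def make_unsigned_token(claims: dict) -> str:
    # Constructed token with an empty signature: enough for offline claim inspection.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}."

def gke_issuer_url(project: str, location: str, cluster: str) -> str:
    # GKE's OIDC issuer for a cluster; the test script points jwksURI at <issuer>/jwks.
    return ("https://container.googleapis.com/v1/projects/"
            f"{project}/locations/{location}/clusters/{cluster}")

def check_federated_binding(token: str, sa_def: dict) -> list[str]:
    """Return every mismatch between the token and the service account definition."""
    claims = token_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # accept a list or a single string
    problems = []
    if claims.get("iss") != sa_def["issuerURL"]:
        problems.append(f"iss {claims.get('iss')!r} != issuerURL {sa_def['issuerURL']!r}")
    if claims.get("sub") != sa_def["subject"]:
        problems.append(f"sub {claims.get('sub')!r} != subject {sa_def['subject']!r}")
    if sa_def["audience"] not in auds:
        problems.append(f"aud {auds!r} lacks audience {sa_def['audience']!r}")
    if sa_def["jwksURI"] != sa_def["issuerURL"] + "/jwks" or not sa_def["jwksURI"].startswith("https://"):
        problems.append("jwksURI must be https and equal to <issuerURL>/jwks")
    return problems

# Constructed values (placeholder GCP project); subject and audience follow the PR.
ISSUER = gke_issuer_url("example-project", "europe-west1-b", "test-secretless")
SA_DEF = {"authenticationType": "rsaKeyFederated",
          "subject": "system:serviceaccount:venafi:venafi-components",
          "audience": "https://api.venafi.cloud",
          "issuerURL": ISSUER, "jwksURI": ISSUER + "/jwks"}
GOOD_TOKEN = make_unsigned_token({"iss": ISSUER, "sub": SA_DEF["subject"],
                                  "aud": [SA_DEF["audience"]], "exp": 1725000000})
```

Running `check_federated_binding` on a real projected token (for example the one mounted into the venafi-components pod) against the body the script posts to `/v1/serviceaccounts` tells you whether a 4xx from token exchange is a claim mismatch before looking anywhere else.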

Base automatically changed from disable-config-server-field to master September 3, 2024 09:03
@wallrj (Member, Author) commented Sep 3, 2024

@maelvls Thanks for reviewing. The script does indeed work for me, but I know there are some rough edges. Since you've approved it now, I'll make it better in followup PRs.

@wallrj wallrj changed the title WIP: Test secretless authentication on GKE Test secretless authentication on GKE Sep 3, 2024
@wallrj wallrj merged commit 02fea91 into master Sep 3, 2024
8 checks passed
@wallrj wallrj deleted the gke-workload-federation-test branch September 3, 2024 10:46