Add direct tpm support for spire-server (#211)
* Add direct tpm support

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Add agent support

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Add missing condition

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Add missing condition

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Remove agent bits from this pr

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Plugin needs to write to /tmp

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Fix tmp mount

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Make it possible to manage cas/hashes via values

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Apply suggestions from code review

Co-authored-by: Faisal Memon <fymemon@yahoo.com>
Signed-off-by: kfox1111 <Kevin.Fox@pnnl.gov>

* Fix docs

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Incorporate feedback

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Update to the newest release

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Incorporate feedback

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Incorporate feedback

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

---------

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Signed-off-by: kfox1111 <Kevin.Fox@pnnl.gov>
Co-authored-by: Faisal Memon <fymemon@yahoo.com>
kfox1111 and faisal-memon authored Feb 29, 2024
1 parent c570174 commit fcd0c11
Showing 5 changed files with 126 additions and 2 deletions.
9 changes: 9 additions & 0 deletions charts/spire/charts/spire-server/README.md
@@ -296,6 +296,15 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` |
| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` |
| `nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `false` |
| `nodeAttestor.tpmDirect.enabled` | Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental. | `false` |
| `nodeAttestor.tpmDirect.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `nodeAttestor.tpmDirect.image.repository` | The repository within the registry | `boxboat/spire-tpm-plugin-tpm-attestor-server` |
| `nodeAttestor.tpmDirect.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `nodeAttestor.tpmDirect.image.tag` | Overrides the image tag | `v1.8.7` |
| `nodeAttestor.tpmDirect.checksum` | The sha256 checksum of the plugin binary | `f39ef9cdd2b3dd74112bfe827b79d6721c59215d0d5f4c2e34fa09bbc60d36d2` |
| `nodeAttestor.tpmDirect.pluginPath` | The filename in the container of the plugin | `/app/tpm_attestor_server` |
| `nodeAttestor.tpmDirect.cas` | A dictionary of TPM CA PEM or DER files that are allowed to connect. | `{}` |
| `nodeAttestor.tpmDirect.hashes` | A list of TPM hashes that are allowed to connect. | `[]` |

### Tornjak
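Review bot: the `nodeAttestor.tpmDirect.hashes` row should say what is hashed and in which encoding the plugin expects it, because each value is used verbatim as a file name in the generated ConfigMap; "A list of TPM hashes" is not enough for an operator to produce one. The `nodeAttestor.tpmDirect.checksum` row should also state that the default is the sha256 of the binary shipped in the default `image.tag` (`v1.8.7`) and must be updated together with any tag override, otherwise SPIRE's `plugin_checksum` check rejects the copied plugin and the server fails to start.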

20 changes: 19 additions & 1 deletion charts/spire/charts/spire-server/templates/configmap.yaml
@@ -95,7 +95,7 @@ plugins:
plugin_data:
{{ include "spire-server.datastore-config" . | nindent 10 }}

{{- if or .Values.nodeAttestor.k8sPsat.enabled .Values.nodeAttestor.joinToken.enabled }}
{{- if or .Values.nodeAttestor.k8sPsat.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.tpmDirect.enabled }}
NodeAttestor:
{{- with .Values.nodeAttestor.k8sPsat }}
{{- if eq (.enabled | toString) "true" }}
@@ -112,6 +112,24 @@ plugins:
plugin_data: {}
{{- end }}
{{- end }}
{{- with .Values.nodeAttestor.tpmDirect }}
{{- if eq (.enabled | toString) "true" }}
tpm:
plugin_cmd: "/tpm/tpm_attestor_server"
plugin_checksum: {{ .checksum }}
plugin_data:
{{- if ne (len .cas) 0 }}
ca_path: /tpm-direct-cas
{{- else }}
ca_path: /run/spire/data/tpm-direct/certs
{{- end }}
{{- if ne (len .hashes) 0 }}
hash_path: /tmp-direct-hashes
{{- else }}
hash_path: /run/spire/data/tpm-direct/hashes
{{- end }}
{{- end }}
{{- end }}
{{- end }}

{{- with .Values.keyManager.disk }}
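Review bot: `hash_path: /tmp-direct-hashes` looks like a typo for `/tpm-direct-hashes` (compare `ca_path: /tpm-direct-cas` a few lines up). It matches the `mountPath` in statefulset.yaml, so it works, but rename both to `/tpm-direct-hashes` now, before anything depends on the path. `plugin_checksum: {{ .checksum }}` also emits the digest unquoted; a 64-character hex digest that happens to consist only of digits would be read as a number by the YAML parser, so prefer `plugin_checksum: {{ .checksum | quote }}`, matching the quoted `plugin_cmd` above it. Lastly, with `cas` and `hashes` both empty the plugin is pointed at the two empty directories on the persistent `spire-data` volume; since the README rows say only listed CAs or hashes are allowed to connect, that default means no TPM can attest until files are placed there out of band, which deserves a comment next to the `cas`/`hashes` defaults in values.yaml.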
54 changes: 53 additions & 1 deletion charts/spire/charts/spire-server/templates/statefulset.yaml
@@ -53,8 +53,28 @@ spec:
securityContext:
{{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
{{- include "spire-lib.default_cluster_priority_class_name" . | nindent 6 }}
{{- if or (gt (len .Values.initContainers) 0) (and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create) }}
{{- if or (gt (len .Values.initContainers) 0) (and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create) .Values.nodeAttestor.tpmDirect.enabled }}
initContainers:
{{- if .Values.nodeAttestor.tpmDirect.enabled }}
- name: init-tpm-direct
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.nodeAttestor.tpmDirect.image "global" .Values.global) }}
command:
- sh
- -ec
- |
# SPIRE must be able to fork the plugin directly within its container. Copy the plugin into a volume that can be mounted where SPIRE can execute it.
cp -a {{ .Values.nodeAttestor.tpmDirect.pluginPath }} /tpm/tpm_attestor_server
mkdir -p /run/spire/data/tpm-direct/certs
mkdir -p /run/spire/data/tpm-direct/hashes
volumeMounts:
- name: tpm-direct
mountPath: /tpm
- name: spire-data
mountPath: /run/spire/data
imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.image.pullPolicy }}
{{- end }}
{{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create }}
- name: wait
securityContext:
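Review bot: the init container runs `sh`, `cp` and `mkdir` from the plugin image, so the feature silently depends on `boxboat/spire-tpm-plugin-tpm-attestor-server` not being a distroless or scratch image; if that changes in a later tag the init container fails with an opaque exec error. Either copy the binary using the SPIRE server image, or at least state the requirement next to `nodeAttestor.tpmDirect.image` in values.yaml. This file also tests `.Values.nodeAttestor.tpmDirect.enabled` bare in both `if`s, while configmap.yaml uses `eq (.enabled | toString) "true"`; a string `"false"` passed with `--set-string` is truthy here, so the pod would get the init container and volumes but no `tpm` plugin block in the config. Use the `toString` form in both templates. Minor: `imagePullPolicy` conventionally sits next to `image:` rather than after `volumeMounts`.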
@@ -158,6 +178,19 @@ spec:
- name: spire-data
mountPath: /run/spire/data
readOnly: false
{{- if .Values.nodeAttestor.tpmDirect.enabled }}
- name: tpm-direct
mountPath: /tpm
readOnly: true
{{- if ne (len .Values.nodeAttestor.tpmDirect.cas) 0 }}
- name: tpm-direct-cas
mountPath: /tpm-direct-cas
{{- end }}
{{- if ne (len .Values.nodeAttestor.tpmDirect.hashes) 0 }}
- name: tpm-direct-hashes
mountPath: /tmp-direct-hashes
{{- end }}
{{- end }}
{{- if eq (.Values.upstreamAuthority.disk.enabled | toString) "true" }}
- name: upstream-ca
mountPath: /run/spire/upstream_ca
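Review bot: `mountPath: /tmp-direct-hashes` carries the same `tmp`/`tpm` slip as `hash_path` in configmap.yaml; rename both to `/tpm-direct-hashes` together. The two ConfigMap mounts also lack `readOnly: true`, unlike the `tpm-direct` mount just above; ConfigMap volumes are mounted read-only by the kubelet anyway, but stating it makes the manifest show that the allow lists cannot be modified from inside the container.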
@@ -191,6 +224,9 @@ spec:
{{- if gt (len .Values.extraVolumeMounts) 0 }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
- name: server-tmp
mountPath: /tmp
readOnly: false
{{- if eq (.Values.controllerManager.enabled | toString) "true" }}
- name: spire-controller-manager
securityContext:
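Review bot: the `server-tmp` mount at `/tmp` is added unconditionally, although the commit message introduces it for the TPM plugin ("Plugin needs to write to /tmp"). That is a pod-template change for every user, so the upgrade rolls the StatefulSet even when `tpmDirect.enabled` is false; either gate the mount (and the matching volume) on `.Values.nodeAttestor.tpmDirect.enabled` or call the restart out in the release notes. Giving the emptyDir a `sizeLimit` would also keep a misbehaving plugin from filling node disk through `/tmp`.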
@@ -314,13 +350,29 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: server-tmp
emptyDir: {}
- name: spire-config
configMap:
name: {{ include "spire-server.fullname" . }}
- name: spire-server-socket
emptyDir: {}
- name: spire-controller-manager-tmp
emptyDir: {}
{{- if .Values.nodeAttestor.tpmDirect.enabled }}
- name: tpm-direct
emptyDir: {}
{{- if ne (len .Values.nodeAttestor.tpmDirect.cas) 0 }}
- name: tpm-direct-cas
configMap:
name: {{ include "spire-server.fullname" . }}-tpm-direct-ca
{{- end }}
{{- if ne (len .Values.nodeAttestor.tpmDirect.hashes) 0 }}
- name: tpm-direct-hashes
configMap:
name: {{ include "spire-server.fullname" . }}-tpm-direct-hash
{{- end }}
{{- end }}
{{- if or (eq (include "spire-tornjak.connectionType" .) "tls") (eq (include "spire-tornjak.connectionType" .) "mtls") }}
- name: server-cert
secret:
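Review bot: the ConfigMap names end in the singular `-tpm-direct-ca` / `-tpm-direct-hash` while the volume names and values keys use `cas` / `hashes`; pick one form so the objects are easy to correlate with `kubectl get cm`. Note also that changing `nodeAttestor.tpmDirect.cas` or `hashes` only updates the ConfigMaps, not the pod template, so the running server is not restarted; if the plugin reads the allow lists once at startup, a checksum annotation on the pod template (the usual Helm pattern, hashing the rendered `tpm-configmap.yaml`) would make allow-list changes take effect on upgrade.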
24 changes: 24 additions & 0 deletions charts/spire/charts/spire-server/templates/tpm-configmap.yaml
@@ -0,0 +1,24 @@
{{- if ne (len .Values.nodeAttestor.tpmDirect.cas) 0 }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "spire-server.fullname" . }}-tpm-direct-ca
namespace: {{ include "spire-server.namespace" . }}
data:
{{- range $key, $value := .Values.nodeAttestor.tpmDirect.cas }}
{{ $key }}: |
{{ $value | nindent 4 }}
{{- end }}
{{- end }}
---
{{- if ne (len .Values.nodeAttestor.tpmDirect.hashes) 0 }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "spire-server.fullname" . }}-tpm-direct-hash
namespace: {{ include "spire-server.namespace" . }}
data:
{{- range .Values.nodeAttestor.tpmDirect.hashes }}
{{ . }}: ""
{{- end }}
{{- end }}
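Review bot: the docs say `cas` may hold DER files, but this template writes every value into `data:` through `nindent`, which only works for text; a DER blob needs `binaryData:` with a base64 value. Either restrict the documentation to PEM or add a `binaryData` branch. Two YAML details: `{{ $value | nindent 4 }}` on its own line after `{{ $key }}: |` renders an empty first line into the block scalar (nindent prepends a newline and the source newline is kept), so use `{{- $value | nindent 4 }}`; and `{{ . }}: ""` in the hashes loop emits the digest as an unquoted key, which a YAML parser may read as an integer when the hex digest contains only digits, so use `{{ . | quote }}: ""` (and `{{ $key | quote }}: |` for the CA file names). Lastly, the bare `---` between the two optional documents leaves an empty trailing document when `hashes` is unset; Helm tolerates it, but moving the separator inside the second `if` is cleaner.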
21 changes: 21 additions & 0 deletions charts/spire/charts/spire-server/values.yaml
@@ -700,6 +700,27 @@ nodeAttestor:
joinToken:
## @param nodeAttestor.joinToken.enabled Enable the join_token nodeattestor
enabled: false
tpmDirect:
## @param nodeAttestor.tpmDirect.enabled Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental.
enabled: false
## @param nodeAttestor.tpmDirect.image.registry The OCI registry to pull the image from
## @param nodeAttestor.tpmDirect.image.repository The repository within the registry
## @param nodeAttestor.tpmDirect.image.pullPolicy The image pull policy
## @param nodeAttestor.tpmDirect.image.tag Overrides the image tag
##
image:
registry: docker.io
repository: boxboat/spire-tpm-plugin-tpm-attestor-server
pullPolicy: IfNotPresent
tag: "v1.8.7"
## @param nodeAttestor.tpmDirect.checksum The sha256 checksum of the plugin binary
checksum: f39ef9cdd2b3dd74112bfe827b79d6721c59215d0d5f4c2e34fa09bbc60d36d2
## @param nodeAttestor.tpmDirect.pluginPath The filename in the container of the plugin
pluginPath: /app/tpm_attestor_server
## @param nodeAttestor.tpmDirect.cas A dictionary of TPM CA PEM or DER files that are allowed to connect.
cas: {}
## @param nodeAttestor.tpmDirect.hashes A list of TPM hashes that are allowed to connect.
hashes: []

## @section Tornjak
tornjak:
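Review bot: `checksum` is the sha256 of the binary inside the `v1.8.7` image, but nothing ties the two defaults together; extend the `@param` comment for `image.tag` to say that `checksum` must change with it, otherwise SPIRE's `plugin_checksum` check rejects the copied plugin at startup. The `cas` and `hashes` comments repeat the README wording (`PEM or DER`, `TPM hashes`) and need the same precision: PEM only unless the ConfigMap template gains a `binaryData` path, and which hash (of what, in what encoding) is expected. Since each `hashes` entry becomes a ConfigMap key, it must also be a valid key name (alphanumerics, `-`, `_`, `.`), which is worth a one-line note here.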