Fix spire agent restart

- Added spire agent k8s secret updation logic

Signed-off-by: Vishnu Soman <[email protected]>

Makefile

@@ -283,7 +283,7 @@ bin/static/%: cmd/% FORCE | go-check
 	@echo Building bin/static/k8s-sat…
 	$(E)$(go_build_static) bin/static/k8s-sat ./spire-k8s-sat-plugin/cmd/...
 	@echo Building bin/static/keymanager-k8s…
-	$(E)$(go_build) bin/static/keymanager-k8s ./spire-k8s-secret-plugin/
+	$(E)$(go_build_static) bin/static/keymanager-k8s ./spire-k8s-secret-plugin/
 
 bin/static/%: spire-k8s-sat-plugin/% FORCE
 	@echo Building $@…

go.work.sum

@@ -25,6 +25,7 @@ github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw
 github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
 github.com/googleapis/enterprise-certificate-proxy v0.2.0 h1:y8Yozv7SZtlU//QXbezB6QkpuE6jMD2/gfzk4AftXjs=
 github.com/googleapis/gax-go v2.0.2+incompatible h1:silFMLAnr330+NRuag/VjIGF7TLp/LBrV2CJKFLWEww=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94 h1:LaH4JWe6Q7ICdxL5raxQjSRw7Pj8uTtAENrjejIYZIg=
 github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=

pkg/agent/manager/manager.go

@@ -358,18 +358,24 @@ func (m *manager) runBundleObserver(ctx context.Context) error {
 }
 
 func (m *manager) storeSVID(svidChain []*x509.Certificate, reattestable bool) {
+	m.c.Log.Debugf("Updating expiring SVIDs in K8S Secrets")
 	if err := m.storage.StoreSVID(svidChain, reattestable); err != nil {
 		m.c.Log.WithError(err).Warn("Could not store SVID")
+	} else {
+		m.c.Log.Debugf("SVID updated in K8S Secrets")
 	}
 }
 
 func (m *manager) storeBundle(bundle *bundleutil.Bundle) {
+	m.c.Log.Debugf("Updating expiring Bundle in K8S Secrets")
 	var rootCAs []*x509.Certificate
 	if bundle != nil {
 		rootCAs = bundle.RootCAs()
 	}
 	if err := m.storage.StoreBundle(rootCAs); err != nil {
 		m.c.Log.WithError(err).Error("Could not store bundle")
+	} else {
+		m.c.Log.Debugf("Bundle updated in K8S Secrets")
 	}
 }
 

pkg/agent/storage/legacy.go

@@ -3,7 +3,6 @@ package storage
 import (
 	"bytes"
 	"crypto/x509"
-	"encoding/pem"
 	"errors"
 	"fmt"
 	"io/fs"
@@ -14,6 +13,7 @@ import (
 
 	"github.com/accuknox/spire/pkg/common/diskutil"
 	"github.com/accuknox/spire/pkg/common/util"
+	log "github.com/sirupsen/logrus"
 )
 
 func loadLegacyBundle(dir string) ([]*x509.Certificate, time.Time, error) {
@@ -28,15 +28,53 @@ func loadLegacyBundle(dir string) ([]*x509.Certificate, time.Time, error) {
 	}
 	return bundle, mtime, nil
 }
+
+func getLegacyDataFromK8SSecret(namespace, secretname, dataType string) ([]byte, []byte, error) {
+	secret, err := util.GetK8sSecrets(namespace, secretname)
+
+	var timeByte, bundleByte []byte
+
+	if err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			return nil, nil, nil
+		}
+		return nil, nil, err
+	}
+	for key, value := range secret.Data {
+		if key == dataType+"-legacy" {
+			bundleByte = value
+		}
+		if key == dataType+"-legacy-time" {
+			timeByte = value
+		}
+	}
+
+	return bundleByte, timeByte, nil
+}
 func loadLegacyBundleFromK8S(namespace, secretname string) ([]*x509.Certificate, time.Time, error) {
-	store, tm, err := loadDataFromK8S(namespace, secretname)
+
+	bundleByte, timeByte, err := getLegacyDataFromK8SSecret(namespace, secretname, "bundle")
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			return nil, time.Time{}, nil
 		}
 		return nil, time.Time{}, err
 	}
-	return store.Bundle, tm, nil
+
+	bundle, err := x509.ParseCertificates(bundleByte)
+	if err != nil {
+		return nil, time.Time{}, fmt.Errorf("failed to parse legacy bundle: %w", err)
+	}
+
+	var td time.Time
+
+	err = td.UnmarshalBinary(timeByte)
+	if err != nil {
+		log.WithError(err).Info("Could not unmarshal time. Updating time as current time")
+		td = time.Now()
+	}
+
+	return bundle, td, nil
 }
 
 func storeLegacyBundle(dir string, bundle []*x509.Certificate) error {
@@ -51,16 +89,21 @@ func storeLegacyBundle(dir string, bundle []*x509.Certificate) error {
 }
 func storeLegacyBundleToK8S(namespace, secret string, bundle []*x509.Certificate) error {
 	mapData := make(map[string][]byte)
+	data := new(bytes.Buffer)
+	for _, cert := range bundle {
+		data.Write(cert.Raw)
+	}
 
-	for i, cert := range bundle {
-		block := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
-		pemBytes := pem.EncodeToMemory(&block)
-		if isUnique(mapData, pemBytes) {
-			key := fmt.Sprintf("bundle-legacy-%d", i)
-			mapData[key] = pemBytes
-		}
+	now := time.Now()
+
+	td, err := now.MarshalBinary()
+	if err != nil {
+		log.WithError(err).Info("Could not marshal time.")
 	}
 
+	mapData["bundle-legacy"] = data.Bytes()
+	mapData["bundle-legacy-time"] = td
+
 	return util.CreateK8sSecrets(namespace, secret, mapData)
 
 }
@@ -79,14 +122,29 @@ func loadLegacySVID(dir string) ([]*x509.Certificate, time.Time, error) {
 }
 
 func loadLegacySVIDFromK8S(namespace, secretname string) ([]*x509.Certificate, time.Time, error) {
-	store, tm, err := loadDataFromK8S(namespace, secretname)
+
+	svidByte, timeByte, err := getLegacyDataFromK8SSecret(namespace, secretname, "svid")
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			return nil, time.Time{}, nil
 		}
 		return nil, time.Time{}, err
 	}
-	return store.SVID, tm, nil
+
+	svids, err := x509.ParseCertificates(svidByte)
+	if err != nil {
+		return nil, time.Time{}, fmt.Errorf("failed to parse legacy SVIDs: %w", err)
+	}
+
+	var td time.Time
+
+	err = td.UnmarshalBinary(timeByte)
+	if err != nil {
+		log.WithError(err).Info("Could not unmarshal time. Updating time as current time")
+		td = time.Now()
+	}
+
+	return svids, td, nil
 }
 
 func storeLegacySVID(dir string, svidChain []*x509.Certificate) error {
@@ -100,32 +158,24 @@ func storeLegacySVID(dir string, svidChain []*x509.Certificate) error {
 	return nil
 }
 
-func isUnique(mapData map[string][]byte, byteData []byte) bool {
-
-	isUnique := true
+func storeLegacySVIDToK8S(namespace, secret string, svidChain []*x509.Certificate) error {
+	mapData := make(map[string][]byte)
+	data := new(bytes.Buffer)
 
-	for _, v := range mapData {
-		if bytes.Equal(v, byteData) {
-			// if the value already exists, set isUnique to false and break the loop
-			isUnique = false
-			break
-		}
+	for _, cert := range svidChain {
+		data.Write(cert.Raw)
 	}
 
-	return isUnique
-}
+	now := time.Now()
 
-func storeLegacySVIDToK8S(namespace, secret string, svidChain []*x509.Certificate) error {
-	mapData := make(map[string][]byte)
+	td, err := now.MarshalBinary()
+	if err != nil {
+		log.WithError(err).Info("Could not marshal time. ")
 
-	for i, cert := range svidChain {
-		block := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
-		pemBytes := pem.EncodeToMemory(&block)
-		if isUnique(mapData, pemBytes) {
-			key := fmt.Sprintf("svid-legacy-%d", i)
-			mapData[key] = pemBytes
-		}
 	}
+	mapData["svid-legacy-time"] = td
+
+	mapData["svid-legacy"] = data.Bytes()
 
 	return util.CreateK8sSecrets(namespace, secret, mapData)