Adds a workload status command #22

meyskens · 2024-11-15T08:54:41Z

cofidectl workload status foo --pod-name foo-pod --namespace bar --trust-zone foo

Initially, this command will take a workload name, with pod name, namespace and trust-zone as flags, and use Maartje's "attest-me" implementation via a debug container to return human-readable cert information with the CLI.

As a follow-up, I'd like to make it simpler to reference the workload (ideally a single argument) and for pod and cluster info be inferred, but that'll depend on how we handle 'workloads' and will need some additional thought.

mattbates · 2024-11-21T10:39:11Z

I've merged in main and also (force) pushed some updates.

FYI this PR depends on cofide/cofidectl-debug-container also being opened up. There are small improvements to be made to it (eg some simple docs and a build script), but in the meantime "Cofiders" can build it directly for testing.

markgoddard

Looking good

cmd/cofidectl/cmd/workload/workload.go

internal/pkg/workload/workload.go

mattbates · 2024-11-25T09:42:05Z

@nialdaly thanks for the approval, you've verified everything works for you?

nialdaly · 2024-11-25T10:28:31Z

It worked well for me:

./cofidectl workload status --namespace test --pod-name client-6c7f5bf7dc-mzkh4 --trust-zone test
✅ Complete: Successfully executed ephemeral debug container in client-6c7f5bf7dc-mzkh4

Trust bundles received
* spiffe://cofide-a.test
    Certificate "CD:11:C2:66:50:4C:A9:D6:9E:99:9B:DA:CB:CE:6A:0F:C1:44:54:53:D4:D8:70:A4:F0:37:D4:FB:40:24:7E:92"
    is a CA certificate
    valid from "2024-11-25T09:49:43Z" to "2024-11-25T21:49:53Z"
    Subject: SERIALNUMBER=326417798281054835965078118436728917784,CN=example.org,O=Example,C=ARPA
    DNS names: spiffe://cofide-a.test
    Signature algorithm: SHA256-RSA
    Issuer: SERIALNUMBER=326417798281054835965078118436728917784,CN=example.org,O=Example,C=ARPA

SVIDs received
* spiffe://cofide-a.test/ns/test/sa/default
    Certificate "80:1F:DA:62:A7:A7:A1:53:A5:D4:DC:08:36:AB:FF:DF:63:55:25:2F:11:4D:EA:99:84:FE:FF:9B:49:C2:6B:43"
    valid from "2024-11-25T10:26:33Z" to "2024-11-25T14:26:43Z"
    Subject: O=SPIRE,C=US
    DNS names: spiffe://cofide-a.test/ns/test/sa/default
    Signature algorithm: SHA256-RSA
    Issuer: SERIALNUMBER=326417798281054835965078118436728917784,CN=example.org,O=Example,C=ARPA
    SVID verified against trust bundle

jsnctl · 2024-11-28T11:27:18Z

Hold off until debug container image hosting story is finalised

meyskens · 2024-12-19T16:21:22Z

Now using the GHCR image. CI is passing again ready for a last re-read before merging

markgoddard

I think this change has gone back to an earlier version prior to addressing review feedback. The commit that was approved was e27f3f8.

cmd/cofidectl/cmd/workload/workload.go

markgoddard · 2024-12-20T09:52:56Z

I think a bit of git magic will help here:

git checkout e27f3f8
git merge-base origin/main HEAD
git reset --soft $(git merge-base origin/main HEAD)
git status
git diff --cached 
git commit -m "New commit message here"
git rebase origin/main

meyskens · 2024-12-20T13:17:13Z

@markgoddard git surgery should be done! hope it worked out well...

cmd/cofidectl/cmd/workload/workload.go

markgoddard · 2024-12-23T17:14:03Z

I reworked it to be closer to the last approved patch and to use the statusspinner.

This change adds a 'cofidectl workload status' command. The command accepts a trust zone, pod name and namespace, and deploys an ephemeral debug container to the pod. This container emits diagnostic information about the SVIDs provided to the workload. This requires us to set disableContainerSelectors=true in the SPIRE Helm configuration, to allow the debug container to obtain an ID. Fixes: #14 Co-Authored-By: Matt Bates <[email protected]> Co-Authored-By: Maartje Eyskens <[email protected]>

meyskens changed the title ~~[WIP adds workload status command~~ [WIP] adds workload status command Nov 15, 2024

markgoddard marked this pull request as draft November 15, 2024 09:02

meyskens force-pushed the workload-info-via-debug-container branch 2 times, most recently from 8059397 to a3612a6 Compare November 16, 2024 13:42

meyskens self-assigned this Nov 16, 2024

meyskens force-pushed the workload-info-via-debug-container branch 3 times, most recently from d70a56e to ae18958 Compare November 16, 2024 13:55

mattbates self-assigned this Nov 21, 2024

mattbates force-pushed the workload-info-via-debug-container branch from ae18958 to e27f3f8 Compare November 21, 2024 10:35

mattbates added this to the release-0.6.0 milestone Nov 21, 2024

mattbates changed the title ~~[WIP] adds workload status command~~ Adds a workload status command Nov 21, 2024

mattbates linked an issue Nov 21, 2024 that may be closed by this pull request

Workload status command #14

Closed

mattbates marked this pull request as ready for review November 21, 2024 10:37

mattbates mentioned this pull request Nov 22, 2024

Add a README and build script cofide/cofidectl-debug-container#2

Merged

markgoddard reviewed Nov 22, 2024

View reviewed changes

markgoddard approved these changes Nov 22, 2024

View reviewed changes

nialdaly approved these changes Nov 25, 2024

View reviewed changes

jsnctl added the do-not-merge label Nov 28, 2024

markgoddard modified the milestones: release-0.6.0, release-0.7.0 Nov 28, 2024

markgoddard modified the milestones: release-0.7.0, release-0.8.0 Dec 9, 2024

meyskens force-pushed the workload-info-via-debug-container branch 2 times, most recently from e8d1c72 to 991f0f5 Compare December 19, 2024 16:05

meyskens removed the do-not-merge label Dec 19, 2024

meyskens force-pushed the workload-info-via-debug-container branch 2 times, most recently from 8f5eccb to 185fb4d Compare December 19, 2024 16:14

meyskens requested review from nialdaly and markgoddard December 19, 2024 16:21

markgoddard requested changes Dec 20, 2024

View reviewed changes

cmd/cofidectl/cmd/workload/workload.go Outdated Show resolved Hide resolved

meyskens force-pushed the workload-info-via-debug-container branch 2 times, most recently from f911412 to e8c4a7a Compare December 20, 2024 13:12

markgoddard force-pushed the workload-info-via-debug-container branch from e8c4a7a to 332d67c Compare December 23, 2024 17:05

markgoddard reviewed Dec 23, 2024

View reviewed changes

cmd/cofidectl/cmd/workload/workload.go Outdated Show resolved Hide resolved

cmd/cofidectl/cmd/workload/workload.go Outdated Show resolved Hide resolved

markgoddard approved these changes Dec 23, 2024

View reviewed changes

markgoddard enabled auto-merge December 23, 2024 17:08

markgoddard force-pushed the workload-info-via-debug-container branch from 332d67c to 8287ec5 Compare December 23, 2024 17:16

markgoddard merged commit d327052 into main Dec 23, 2024
6 checks passed

markgoddard deleted the workload-info-via-debug-container branch December 23, 2024 17:28

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Adds a workload status command #22

Adds a workload status command #22

meyskens commented Nov 15, 2024 •

edited

Loading

mattbates commented Nov 21, 2024 •

edited

Loading

markgoddard left a comment

mattbates commented Nov 25, 2024

nialdaly commented Nov 25, 2024

jsnctl commented Nov 28, 2024

meyskens commented Dec 19, 2024

markgoddard left a comment

markgoddard commented Dec 20, 2024

meyskens commented Dec 20, 2024

markgoddard commented Dec 23, 2024

Adds a workload status command #22

Adds a workload status command #22

Conversation

meyskens commented Nov 15, 2024 • edited Loading

mattbates commented Nov 21, 2024 • edited Loading

markgoddard left a comment

Choose a reason for hiding this comment

mattbates commented Nov 25, 2024

nialdaly commented Nov 25, 2024

jsnctl commented Nov 28, 2024

meyskens commented Dec 19, 2024

markgoddard left a comment

Choose a reason for hiding this comment

markgoddard commented Dec 20, 2024

meyskens commented Dec 20, 2024

markgoddard commented Dec 23, 2024

meyskens commented Nov 15, 2024 •

edited

Loading

mattbates commented Nov 21, 2024 •

edited

Loading