deploy: add spire manifests in helm and kustomize

Signed-off-by: TessaIO <[email protected]>

deployment/components/master-config/nfd-master.conf.example

@@ -20,6 +20,7 @@
 #        operator: "In"
 #        values:
 #           - "node-feature-discovery"
+# enableSpiffe: true
 # klog:
 #    addDirHeader: false
 #    alsologtostderr: false

deployment/components/worker-config/nfd-worker.conf.example

@@ -3,6 +3,7 @@
 #  noPublish: false
 #  noOwnerRefs: false
 #  sleepInterval: 60s
+#  enableSpiffe: true
 #  featureSources: [all]
 #  labelSources: [all]
 #  klog:

deployment/helm/node-feature-discovery/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: spire
+  repository: https://spiffe.github.io/helm-charts-hardened/
+  version: 0.24.1
+digest: sha256:f3b4dc973a59682bf3aa5ca9b53322f57935dd093081e82a37b8082e00becbe9
+generated: "2024-12-20T16:52:40.180416+01:00"

deployment/helm/node-feature-discovery/Chart.yaml

@@ -13,3 +13,7 @@ keywords:
   - node-labels
 type: application
 version: 0.2.1
+dependencies:
+  - name: spire
+    version: 0.24.1
+    repository: https://spiffe.github.io/helm-charts-hardened/

deployment/helm/node-feature-discovery/templates/master.yaml

@@ -144,11 +144,29 @@ spec:
             {{- with .Values.master.extraArgs }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
+            # Go over featureGates and add the feature-gate flag
+            {{- range $key, $value := .Values.featureGates }}
+            - "-feature-gates={{ $key }}={{ $value }}"
+            {{- end }}
+            {{- if .Values.spire.enabled }}
+            - "-enable-spiffe"
+            {{- end }}
           volumeMounts:
+            {{- if .Values.spire.enabled }}
+            - name: spire-agent-socket
+              mountPath: /run/spire/agent-sockets
+              readOnly: true
+            {{- end }}
             - name: nfd-master-conf
               mountPath: "/etc/kubernetes/node-feature-discovery"
               readOnly: true
       volumes:
+        {{- if .Values.spire.enabled }}
+        - name: spire-agent-socket
+          hostPath:
+            path: /run/spire/agent-sockets
+            type: Directory
+        {{- end }}
         - name: nfd-master-conf
           configMap:
             name: {{ include "node-feature-discovery.fullname" . }}-master-conf

deployment/helm/node-feature-discovery/templates/worker.yaml

@@ -109,12 +109,20 @@ spec:
         {{- with .Values.gc.extraArgs }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+        {{- if .Values.spire.enabled }}
+        - "-enable-spiffe"
+        {{- end }}
         ports:
           - containerPort: {{ .Values.worker.metricsPort | default "8081"}}
             name: metrics
           - containerPort: {{ .Values.worker.healthPort | default "8082" }}
             name: health
         volumeMounts:
+        {{- if .Values.spire.enabled }}
+        - name: spire-agent-socket
+          mountPath: /run/spire/agent-sockets
+          readOnly: true
+        {{- end }}
         - name: host-boot
           mountPath: "/host-boot"
           readOnly: true
@@ -145,6 +153,12 @@ spec:
           mountPath: "/etc/kubernetes/node-feature-discovery"
           readOnly: true
       volumes:
+        {{- if .Values.spire.enabled }}
+        - name: spire-agent-socket
+          hostPath:
+            path: /run/spire/agent-sockets
+            type: Directory
+        {{- end }}
         - name: host-boot
           hostPath:
             path: "/boot"

deployment/helm/node-feature-discovery/values.yaml

@@ -1,9 +1,9 @@
 image:
-  repository: gcr.io/k8s-staging-nfd/node-feature-discovery
+  repository: ahmedgrati/node-feature-discovery
   # This should be set to 'IfNotPresent' for released version
   pullPolicy: Always
   # tag, if defined will use the given image tag, else Chart.AppVersion will be used
-  # tag
+  tag: spiffe
 imagePullSecrets: []
 
 nameOverride: ""
@@ -43,6 +43,7 @@ master:
     #        operator: "In"
     #        values:
     #           - "node-feature-discovery"
+    # enableSpiffe: true
     # klog:
     #    addDirHeader: false
     #    alsologtostderr: false
@@ -179,6 +180,7 @@ worker:
     #  noPublish: false
     #  noOwnerRefs: false
     #  sleepInterval: 60s
+    #  enableSpiffe: true
     #  featureSources: [all]
     #  labelSources: [all]
     #  klog:
@@ -597,3 +599,47 @@ prometheus:
   enable: false
   scrapeInterval: 10s
   labels: {}
+
+spire:
+  enabled: true
+  global:
+    spire:
+      clusterName: "nfd"
+      trustDomain: "nfd.io"
+  spire-agent:
+    kubeletConnectByHostname: "true"
+    workloadAttestors:
+      unix:
+        enabled: true
+  spire-server:
+    controllerManager:
+      enabled: true
+      identities:
+        clusterStaticEntries:
+          node:
+            parentID: spiffe://nfd.io/spire/server
+            spiffeID: spiffe://nfd.io/root
+            selectors:
+              - k8s_psat:agent_ns:nfd
+              - k8s_psat:agent_sa:nfd-agent
+              - k8s_psat:cluster:nfd
+          nfd:
+            parentID: spiffe://nfd.io/root
+            spiffeID: spiffe://nfd.io/worker
+            selectors:
+            - k8s:pod-label:app.kubernetes.io/name:node-feature-discovery
+
+
+    caSubject:
+      commonName: "nfd.io"
+      country: "US"
+      organization: "SPIFFE"
+
+  upstream:
+    enabled: false
+  spiffe-csi-driver:
+    enabled: false
+  spiffe-oidc-discovery-provider:
+    enabled: false
+  tornjak-frontend:
+    enabled: false

go.mod

@@ -18,6 +18,7 @@ require (
 	github.com/prometheus/client_golang v1.19.1
 	github.com/smartystreets/goconvey v1.8.1
 	github.com/spf13/cobra v1.8.1
+	github.com/spiffe/go-spiffe/v2 v2.4.0
 	github.com/stretchr/testify v1.10.0
 	github.com/vektra/errors v0.0.0-20140903201135-c64d83aba85a
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
@@ -68,6 +69,7 @@ require (
 	github.com/euank/go-kmsg-parser v2.0.0+incompatible // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
@@ -120,6 +122,7 @@ require (
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	github.com/zeebo/errs v1.3.0 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.16 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.16 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.16 // indirect

go.sum

@@ -66,6 +66,8 @@ github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
+github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -113,27 +115,6 @@ github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgY
 github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
-github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
-github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
-github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
-github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
-github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
-github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM=
-github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM=
-github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
-github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo=
-github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY=
-github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
-github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
-github.com/googleapis/gax-go/v2 v2.8.0/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
-github.com/googleapis/gax-go/v2 v2.10.0/go.mod h1:4UOEnMCrxsSqQ940WnTiD6qJ63le2ev3xfyagutxiPw=
-github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI=
-github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
-github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/gopherjs/gopherjs v1.17.2 h1:fQnZVsXk8uxXIStYb0N4bGk7jeyTalG/wsZjQ25dO0g=
 github.com/gopherjs/gopherjs v1.17.2/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
@@ -249,14 +230,15 @@ github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spiffe/go-spiffe/v2 v2.4.0 h1:j/FynG7hi2azrBG5cvjRcnQ4sux/VNj8FAVc99Fl66c=
+github.com/spiffe/go-spiffe/v2 v2.4.0/go.mod h1:m5qJ1hGzjxjtrkGHZupoXHo/FDWwCB1MdSyBzfHugx0=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -274,6 +256,8 @@ github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 h1:S2dVYn90KE98chq
 github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
+github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
 go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0=
 go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I=
 go.etcd.io/etcd/api/v3 v3.5.16 h1:WvmyJVbjWqK4R1E+B12RRHz3bRGy9XVfh++MgbN+6n0=

pkg/nfd-master/nfd-master.go

@@ -52,24 +52,19 @@ import (
 	"sigs.k8s.io/yaml"
 
 	nfdclientset "sigs.k8s.io/node-feature-discovery/api/generated/clientset/versioned"
-	klogutils "sigs.k8s.io/node-feature-discovery/pkg/utils/klog"
-	spiffe "sigs.k8s.io/node-feature-discovery/pkg/utils/spiffe"
-
-	taintutils "k8s.io/kubernetes/pkg/util/taints"
-	"sigs.k8s.io/yaml"
-
 	"sigs.k8s.io/node-feature-discovery/api/nfd/v1alpha1"
 	nfdv1alpha1 "sigs.k8s.io/node-feature-discovery/api/nfd/v1alpha1"
 	"sigs.k8s.io/node-feature-discovery/pkg/apis/nfd/nodefeaturerule"
 	"sigs.k8s.io/node-feature-discovery/pkg/apis/nfd/validate"
 	nfdfeatures "sigs.k8s.io/node-feature-discovery/pkg/features"
 	"sigs.k8s.io/node-feature-discovery/pkg/utils"
 	klogutils "sigs.k8s.io/node-feature-discovery/pkg/utils/klog"
+	spiffe "sigs.k8s.io/node-feature-discovery/pkg/utils/spiffe"
 	"sigs.k8s.io/node-feature-discovery/pkg/version"
 )
 
 // SocketPath specifies Spiffe Socket Path
-const SocketPath = "unix:///run/spire/sockets/agent.sock"
+const SocketPath = "unix:///run/spire/agent-sockets/api.sock"
 
 // Labels are a Kubernetes representation of discovered features.
 type Labels map[string]string
@@ -700,6 +695,14 @@ func (m *nfdMaster) getAndMergeNodeFeatures(nodeName string) (*nfdv1alpha1.NodeF
 		return filteredObjs[i].Namespace < filteredObjs[j].Namespace
 	})
 
+	// If spiffe is enabled, we should filter out the non verified NFD objects
+	if m.config.EnableSpiffe {
+		filteredObjs, err = m.getVerifiedNFDObjects(filteredObjs)
+		if err != nil {
+			return &nfdv1alpha1.NodeFeature{}, err
+		}
+	}
+
 	if len(filteredObjs) > 0 {
 		// Merge in features
 		//
@@ -755,55 +758,6 @@ func (m *nfdMaster) nfdAPIUpdateOneNode(cli k8sclient.Interface, node *corev1.No
 		return fmt.Errorf("failed to merge NodeFeature objects for node %q: %w", node.Name, err)
 	}
 
-	// Sort our objects
-	sort.Slice(objs, func(i, j int) bool {
-		// Objects in our nfd namespace gets into the beginning of the list
-		if objs[i].Namespace == m.namespace && objs[j].Namespace != m.namespace {
-			return true
-		}
-		if objs[i].Namespace != m.namespace && objs[j].Namespace == m.namespace {
-			return false
-		}
-		// After the nfd namespace, sort objects by their name
-		if objs[i].Name != objs[j].Name {
-			return objs[i].Name < objs[j].Name
-		}
-		// Objects with the same name are sorted by their namespace
-		return objs[i].Namespace < objs[j].Namespace
-	})
-
-	// If spiffe is enabled, we should filter out the non verified NFD objects
-	if m.config.EnableSpiffe {
-		objs, err = m.getVerifiedNFDObjects(objs)
-		if err != nil {
-			return err
-		}
-	}
-
-	klog.V(1).InfoS("processing of node initiated by NodeFeature API", "nodeName", node.Name)
-
-	features := nfdv1alpha1.NewNodeFeatureSpec()
-
-	if len(objs) > 0 {
-		// Merge in features
-		//
-		// NOTE: changing the rule api to support handle multiple objects instead
-		// of merging would probably perform better with lot less data to copy.
-		features = objs[0].Spec.DeepCopy()
-		if m.config.AutoDefaultNs {
-			features.Labels = addNsToMapKeys(features.Labels, nfdv1alpha1.FeatureLabelNs)
-		}
-		for _, o := range objs[1:] {
-			s := o.Spec.DeepCopy()
-			if m.config.AutoDefaultNs {
-				s.Labels = addNsToMapKeys(s.Labels, nfdv1alpha1.FeatureLabelNs)
-			}
-			s.MergeInto(features)
-		}
-
-		klog.V(4).InfoS("merged nodeFeatureSpecs", "newNodeFeatureSpec", utils.DelayedDumper(features))
-	}
-
 	// Update node labels et al. This may also mean removing all NFD-owned
 	// labels (et al.), for example  in the case no NodeFeature objects are
 	// present.
@@ -1528,7 +1482,13 @@ func (m *nfdMaster) getVerifiedNFDObjects(objs []*v1alpha1.NodeFeature) ([]*v1al
 	}
 
 	for _, obj := range objs {
-		isSignatureVerified, err := spiffe.VerifyDataSignature(obj.Spec, obj.Annotations["signature"], workerPrivateKey, workerPublicKey)
+		spiffeObj := spiffe.SpiffeObject{
+			Spec:      obj.Spec,
+			Name:      obj.Name,
+			Namespace: obj.Namespace,
+			Labels:    obj.Labels,
+		}
+		isSignatureVerified, err := spiffe.VerifyDataSignature(spiffeObj, obj.Annotations["signature"], workerPrivateKey, workerPublicKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to verify NodeFeature signature: %w", err)
 		}