arthurquites · joaoguazzelli · Oct 24, 2022 · Oct 24, 2022 · Oct 26, 2022 · Oct 27, 2022
diff --git a/.github/workflows/hybrid-pr-build.yaml b/.github/workflows/hybrid-pr-build.yaml
@@ -0,0 +1,22 @@
+name: Hybrid PR Build
+
+on:
+  pull_request:
+    paths:
+    - 'hybrid/**'
+
+defaults:
+  run:
+    working-directory: hybrid
+
+env:
+  GO_VERSION: 1.19
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
+    - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v3.2.0
+      with:
+        go-version: ${{ env.GO_VERSION }}
diff --git a/.github/workflows/scripts/split.sh b/.github/workflows/scripts/split.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+if [ -z "$NUM_RUNNERS" ]; then
+        echo "split.sh: NUM_RUNNERS environment variable must be set"
+        exit 1
+fi
+
+if [ -z "$THIS_RUNNER" ]; then
+        echo "split.sh: THIS_RUNNER environment variable must be set"
+        exit 1
+fi
+
+declare -a job_set
+current_runner=1
+for FILE in test/integration/suites/*; do
+        job_set[$current_runner]+="${FILE##test/integration/} "
+
+        ((current_runner++))
+        if [ $current_runner -gt "$NUM_RUNNERS" ]; then
+                current_runner=1
+        fi
+done
+
+echo "${job_set[$THIS_RUNNER]}"
diff --git a/hybrid/Makefile b/hybrid/Makefile
@@ -0,0 +1,55 @@
+.ONESHELL:
+
+EKS_DIR ?= ./dev/kubernetes
+BINARIES ?= hybrid_server hybrid_agent
+OSES ?= linux
+ARCHITECTURES ?= amd64 arm64
+VERSION ?= latest
+DOCKER_HUB ?= ${DOCKER_HUB}
+DOCKER_TAG_AGENT ?= hybrid-attestor-server:latest hybrid-attestor-agent:latest 
+BUILD_DIR ?= ./build
+PLATFORMS ?= $(foreach os, $(OSES), $(foreach architecture, $(ARCHITECTURES), --platform $(os)/$(architecture)))
+
+BUILD_TARGETS := $(foreach binary, $(BINARIES), $(foreach os, $(OSES), $(foreach architecture, $(ARCHITECTURES), $(binary)-$(os)-$(architecture))))
+DOCKER_TARGETS := $(foreach binary, $(BINARIES), $(binary)-docker)
+
+target_words = $(subst -, ,$@)
+target_binary = $(word 1, $(target_words))
+target_os = $(word 2, $(target_words))
+target_architecture = $(word 3, $(target_words))
+target_software_type = $(word 2, $(subst _, ,$(target_binary)))
+
+target_binary_hyphens = $(subst _,-attestor-,$(target_binary))
+
+build: $(BUILD_TARGETS)
+$(BUILD_TARGETS):
+	CGO_ENABLED=0 GOOS=$(target_os) GOARCH=$(target_architecture) go build -ldflags="-s -w -extldflags -static" -o $(BUILD_DIR)/$(target_os)/$(target_architecture)/$(target_binary) cmd/$(target_binary)/main.go
+
+test: test-unit test-integration
+	go test ./...
+
+test-unit:
+	go test ./...
+
+test-integration:
+	bash ./test/integration/run.sh
+
+docker: $(DOCKER_TARGETS)
+$(DOCKER_TARGETS):
+	docker build -f ./dev/docker/$(target_software_type).Dockerfile $(PLATFORMS) --build-arg BINARY=$(target_binary) -t $(DOCKER_HUB)/$(target_binary_hyphens):$(VERSION) .
+	docker push $(DOCKER_HUB)/$(target_binary_hyphens):$(VERSION)
+
+docker-build:
+	CGO_ENABLED=0 GOOS=$(TARGETOS) GOARCH=$(TARGETARCH) go build -ldflags="-s -w -extldflags -static" -o ${BINARY} cmd/${BINARY}/main.go
+
+deploy-spire-eks:
+	kubectl delete --all daemonsets.app --namespace=spire
+	kubectl delete --all statefulset.app --namespace=spire
+	kubectl delete --ignore-not-found namespace spire
+	envsubst < $(EKS_DIR)/server.yaml | kubectl apply -f -
+	envsubst < $(EKS_DIR)/agent.yaml | kubectl apply -f -
+
+clean:
+	rm -rf $(BUILD_DIR)
+
+.PHONY: $(BUILD_TARGETS) $(DOCKER_TARGETS) build test docker clean
diff --git a/hybrid/README.md b/hybrid/README.md
@@ -0,0 +1,80 @@
+[![PR Build](https://github.com/HewlettPackard/roven/actions/workflows/hybrid-pr-build.yaml/badge.svg)](https://github.com/HewlettPackard/roven/actions/workflows/hybrid-pr-build.yaml)
+
+# Hybrid Node Attestor
+The `hybrid` node attestor plugin for SPIRE is an external plugin, that combines the power of any built-in plugin supported by spire. With this approach you can use any combination of the built-in plugins in order to attest the node. For example, you can mix the k8s_psat and the aws_iid plugins to attest that the agent node is running on an AWS EKS or an EC2 instance with a self managed k8s cluster.
+
+## SpiffeID
+The hybrid plugin will always return the SpiffeID generated by the first plugin of the list supplied to the server. The order of the plugins supplied for both server and agent does not matter.
+
+## Basic deployment
+The hybrid plugin works as any external plugin would. It is designed to work as an external plugin, acting as a plugin aggregator.
+To deploy it, first build and update the configuration for both SPIRE Server and Agent passing the list of built-in plugins that will be used in combination ir order to attest the node.
+
+## Building
+Start by building the binaries
+
+`make build`
+
+## Configuring
+In order to use the hybrid plugin with the SPIRE instance, add in the SPIRE configuration file as an external plugin, informing the name, `plugin_cmd` and in the section plugins, inside `plugin_data`, add the built-in plugins configuration. Here's an example:
+
+ **Server**
+ ```
+    plugins{
+      NodeAttestor "hybrid" {
+        plugin_cmd = "path/to/builded/file"
+        plugin_data {
+          plugins {
+            first_selected_plugin {
+                [plugin_config]
+            }
+            second_selected_plugin {
+                [plugin_config]
+            }
+            [...]
+          }
+        }
+      }
+    }
+```
+
+**Agent**
+ ```
+    plugins {
+      NodeAttestor "hybrid" {
+        plugin_cmd = "path/to/builded/file"
+        plugin_data {
+          plugins {
+            first_selected_plugin {
+                [plugin_config]
+            }
+            second_selected_plugin {
+                [plugin_config]
+            }
+          }
+        }
+      }
+    }
+ ```
+
+### Deploying the hybrid using aws_iid and k8s_psat node attestors
+To combine those two plugins, you have to be running the agent and server in an kubernetes instance inside aws.
+
+Start off by creating an ec2 instance and deploying a kind kubernetes cluster or creating an eks cluster.
+
+After that, run the following make command while in hybrid root folder:
+
+`make build`
+
+Then, to construct the docker images and push to any repo desired, set the environment variable DOCKER_HUB that should point to the docker image registry and it's used by the MAKEFILE and run the following command:
+
+`make docker`
+
+With the hybrid node attestor built and the docker image constructed, you now have to deploy it in the running kubernetes cluster in the aws. 
+Configure kubectl to point to the aws cluster.
+Change the credentials in the server.yaml and agent.yaml that are in the hybrid/dev/kubernetes and run the following command:
+
+`make deploy-agent-server-eks`
+
+You should now be able to see the running agent/server node attestor. First set the corresponding environment variables with their required values ($AWS_SECRET_ACCESS_KEY, $AWS_ACCESS_KEY_ID, $AWS_ASSUME_ROLE, $AWS_ACCOUNT_ID)
+
diff --git a/hybrid/SECURITY.md b/hybrid/SECURITY.md
@@ -0,0 +1,14 @@
+# Security Policy
+
+## Supported Versions
+
+Versions of the project that are currently being supported with security updates:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.0.0   | :white_check_mark: |
+
+
+## Reporting a Vulnerability
+
+If you've found a vulnerability or a potential vulnerability in this plugin please let us know at juliano.fantozzi@hpe.com. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
diff --git a/hybrid/cmd/hybrid_agent/main.go b/hybrid/cmd/hybrid_agent/main.go
@@ -0,0 +1,17 @@
+package main
+
+import (
+	hybrid_agent "github.com/hewlettpackard/hybrid/pkg/agent"
+
+	"github.com/spiffe/spire-plugin-sdk/pluginmain"
+	nodeattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/nodeattestor/v1"
+	configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1"
+)
+
+func main() {
+	p := hybrid_agent.New()
+	pluginmain.Serve(
+		nodeattestorv1.NodeAttestorPluginServer(p),
+		configv1.ConfigServiceServer(p),
+	)
+}
diff --git a/hybrid/cmd/hybrid_server/main.go b/hybrid/cmd/hybrid_server/main.go
@@ -0,0 +1,17 @@
+package main
+
+import (
+	hybrid_server "github.com/hewlettpackard/hybrid/pkg/server"
+
+	"github.com/spiffe/spire-plugin-sdk/pluginmain"
+	nodeattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/nodeattestor/v1"
+	configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1"
+)
+
+func main() {
+	p := hybrid_server.New()
+	pluginmain.Serve(
+		nodeattestorv1.NodeAttestorPluginServer(p),
+		configv1.ConfigServiceServer(p),
+	)
+}
diff --git a/hybrid/dev/docker/agent.Dockerfile b/hybrid/dev/docker/agent.Dockerfile
@@ -0,0 +1,3 @@
+FROM gcr.io/spiffe-io/spire-agent:1.4.4 AS spire-agent-psat-iid
+COPY ./build/linux/amd64/hybrid_agent /usr/local/bin/agentattestor
+RUN chmod +x /usr/local/bin/agentattestor
diff --git a/hybrid/dev/docker/server.Dockerfile b/hybrid/dev/docker/server.Dockerfile
@@ -0,0 +1,3 @@
+FROM gcr.io/spiffe-io/spire-server:1.4.4 AS spire-server-psat-iid
+COPY ./build/linux/amd64/hybrid_server /usr/local/bin/serverattestor
+RUN chmod +x /usr/local/bin/serverattestor