Replace k8s_sat NodeAttestor with k8s_psat

.github/workflows/pr_build.yaml

@@ -6,11 +6,11 @@ on:
   pull_request: {}
   workflow_dispatch: {}
 env:
-  GO_VERSION: 1.19.4
+  GO_VERSION: 1.24.1
   CHANGE_MINIKUBE_NONE_USER: true
 jobs:
   test-all:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     steps: 
       - name: Checkout

README.md

@@ -12,30 +12,26 @@ The SPIRE project is growing rapidly, and new features are released often. In or
 
 Examples showing how SPIRE integrates with Envoy.
 
-* [Envoy SDS Integration with SPIRE 1.5.1](examples/envoy) Use SPIRE to deliver and rotate X509-SVIDs for Envoy
+* [Envoy SDS Integration](examples/envoy) Use SPIRE to deliver and rotate X509-SVIDs for Envoy
 
 ## Kubernetes
 
 Examples showing how to deploy SPIRE on Kubernetes. There are several configuration possibilities.
 
-+ [Simple SAT with SPIRE 1.5.1](examples/k8s/simple_sat) - This is a simple configuration using the Kubernetes
-  [service account token (SAT) attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_sat.md)
-  that deploys SPIRE server as a StatefulSet and SPIRE agent as a DaemonSet.
-+ [Simple PSAT with SPIRE 1.5.1](examples/k8s/simple_psat) - This is a simple configuration using the
++ [Simple PSAT](examples/k8s/simple_psat) - This is a simple configuration using the
   Kubernetes
-  [projected service account token (PSAT) attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_psat.md)
-  that otherwise deploys SPIRE as in the **Simple SAT** example.
-+ [Postgres with SPIRE 1.5.1](examples/k8s/postgres) - This expands on the **Simple SAT** configuration by
+  [projected service account token (PSAT) attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md).
++ [Postgres](examples/k8s/postgres) - This expands on the **Simple PSAT** configuration by
   moving the SPIRE datastore into a Postgres StatefulSet. The SPIRE server is
   now a stateless Deployment that can be scaled.
-+ [Kustomize with SPIRE 1.5.1](examples/k8s/k7e) - A set of SPIRE examples using [Kustomize](https://kustomize.io/)
++ [Kustomize](examples/k8s/k7e) - A set of SPIRE examples using [Kustomize](https://kustomize.io/)
   as shown at the SPIFFE Community Day in May 2019.
 
 ## EKS
 
 Examples showing how to deploy SPIRE on Amazon EKS.
 
-+ [EKS-based SAT with SPIRE 1.5.1](examples/k8s/eks_sat) - This slightly modifies the **Kubernetes Simple SAT** configuration to
++ [EKS-based SAT](examples/k8s/eks_psat) - This slightly modifies the **Kubernetes Simple PSAT** configuration to
   make it compatible with EKS platform.
 
 ## SystemD

examples/envoy/README.md

@@ -1,4 +1,4 @@
-# Envoy 1.17.0 SDS Example with SPIRE 1.5.1
+# Envoy 1.17.0 SDS Example with SPIRE
 
 [!WARNING]  
 This example is no longer tested regularly. Some assembly may be required. Please let us know if changes are needed.

examples/envoy/docker/echo/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/spiffe/spire-agent:1.6.1 as spire
+FROM ghcr.io/spiffe/spire-agent:1.11.2 as spire
 
 FROM envoyproxy/envoy:v1.25.1
 RUN mkdir -p /opt/spire/conf/agent

examples/envoy/docker/spire-server/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/spiffe/spire-server:1.6.1
+FROM ghcr.io/spiffe/spire-server:1.11.2
 
 # Override spire configurations
 COPY conf/spire-server.conf /opt/spire/conf/server/server.conf

examples/envoy/docker/web/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/spiffe/spire-agent:1.6.1 as spire
+FROM ghcr.io/spiffe/spire-agent:1.11.2 as spire
 
 FROM envoyproxy/envoy:v1.25.1
 RUN mkdir -p /opt/spire/conf/agent

examples/k8s/advanced/spire-chart/templates/agent-daemonset.tpl

@@ -28,7 +28,7 @@ spec:
           args: ["-t", "30", "spire-server:8081"]
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.6.1
+          image: ghcr.io/spiffe/spire-agent:1.11.2
           args: ["-config", "/run/spire/config/agent.conf"]
           env:
           - name: MY_NODE_NAME

examples/k8s/advanced/spire-chart/templates/server-statefulset.tpl

@@ -21,7 +21,7 @@ spec:
       shareProcessNamespace: true
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.6.1
+          image: ghcr.io/spiffe/spire-server:1.11.2
           args:
             - -config
             - /run/spire/config/server.conf

examples/k8s/eks_sat/README.md → examples/k8s/eks_psat/README.md

@@ -1,18 +1,18 @@
-# SPIRE 1.5.1 deployment using SAT node attestor on EKS
+# SPIRE deployment using PSAT node attestor on EKS
 
-This configuration is an example of a SPIRE 1.5.1 deployment for Kubernetes on EKS. This example is based on the [simple SAT](../simple_sat/README.md), with minor modifications to make it work on EKS platform.
+This configuration is an example of a SPIRE deployment for Kubernetes on EKS. This example is based on the [simple PSAT](../simple_psat/README.md), with minor modifications to make it work on EKS platform.
 
-Compare the [simple SAT server](../simple_sat/spire-server.yaml) configuration with
-this [EKS SAT server](spire-server.yaml) to see the differences, which
+Compare the [simple PSAT server](../simple_psat/spire-server.yaml) configuration with
+this [EKS PSAT server](spire-server.yaml) to see the differences, which
 consist of:
 
-+ Node attestation is done using the [SAT node attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_sat.md)
++ Node attestation is done using the [PSAT node attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md)
 with kubernetes token review validation enabled.
 + As a consequence of the above, volume and volume mounts for validation key are removed.
 + RBAC authorization policies are set to guarantee access to certain Kubernetes resources.
 
-In the same way, the differences between the [simple SAT agent](../simple_sat/spire-agent.yaml) and [EKS SAT server](spire-agent.yaml) are:
-+ Workload attestation is done using the [k8s workload attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_agent_workloadattestor_k8s.md) with the secure port configuration.
+In the same way, the differences between the [simple PSAT agent](../simple_psat/spire-agent.yaml) and [EKS PSAT server](spire-agent.yaml) are:
++ Workload attestation is done using the [k8s workload attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_k8s.md) with the secure port configuration.
 + RBAC authorization policies are set to guarantee access to certain Kubernetes resources.
 
 Both SPIRE agent and server run in the **spire** namespace, using service accounts of **spire-server** and **spire-agent**.
@@ -42,5 +42,5 @@ The server log shows the attestation result:
 $ kubectl -n spire logs -f spire-server-0
 ```
 ```
-level=info msg="Node attestation request from 192.168.21.111:56628 completed using strategy k8s_sat" subsystem_name=node_api
+level=info msg="Node attestation request from 192.168.21.111:56628 completed using strategy k8s_psat" subsystem_name=node_api
 ```

examples/k8s/eks_sat/spire-agent.yaml → examples/k8s/eks_psat/spire-agent.yaml

@@ -52,7 +52,7 @@ data:
     }
 
     plugins {
-      NodeAttestor "k8s_sat" {
+      NodeAttestor "k8s_psat" {
         plugin_data {
           cluster = "demo-cluster"
         }
@@ -130,7 +130,7 @@ spec:
           args: ["-t", "30", "spire-server:8081"]
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.6.1
+          image: ghcr.io/spiffe/spire-agent:1.11.2
           args: ["-config", "/run/spire/config/agent.conf"]
           env:
           - name: MY_NODE_NAME
@@ -144,6 +144,8 @@ spec:
             - name: spire-agent-socket
               mountPath: /run/spire/sockets
               readOnly: false
+            - name: spire-token
+              mountPath: /var/run/secrets/tokens
           livenessProbe:
             httpGet:
               path: /live
@@ -166,3 +168,10 @@ spec:
           hostPath:
             path: /run/spire/sockets
             type: DirectoryOrCreate
+        - name: spire-token
+          projected:
+            sources:
+            - serviceAccountToken:
+                path: spire-agent
+                expirationSeconds: 7200
+                audience: spire-server

examples/k8s/eks_sat/spire-server.yaml → examples/k8s/eks_psat/spire-server.yaml

@@ -80,12 +80,11 @@ data:
         }
       }
 
-      NodeAttestor "k8s_sat" {
+      NodeAttestor "k8s_psat" {
         plugin_data {
           clusters = {
             "demo-cluster" = {
               service_account_allow_list = ["spire:spire-agent"]
-              use_token_review_api_validation = true
             }
           }
         }
@@ -152,7 +151,7 @@ spec:
       serviceAccountName: spire-server
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.6.1
+          image: ghcr.io/spiffe/spire-server:1.11.2
           args: ["-config", "/run/spire/config/server.conf"]
           ports:
             - containerPort: 8081

examples/k8s/k7e/README.md

@@ -4,7 +4,7 @@ This directory contains various examples of deploying and configuring SPIRE to
 Kubernetes using [kustomize](https://kustomize.io) which is part of Kubectl as
 of 1.14.
 
-+ [base_minikube_sat](base_minikube_sat) - A base configuration for SPIRE in
++ [base_minikube_psat](base_minikube_psat) - A base configuration for SPIRE in
   minikube using the SAT attestor. This is also the base configuration from
   which all other configurations in this directory are derived.
 + [community_day_2019_may](community_day_2019_may) - This is the demo from
@@ -28,7 +28,7 @@ by kubectl, you can use the "kustomize" argument to `kubectl` along with the
 directory of the configuration to apply. For example:
 
 ```
-$ kubectl kustomize base_minikube_sat
+$ kubectl kustomize base_minikube_psat
 ```
 
 ## Apply Configuration to Kubernetes
@@ -37,5 +37,5 @@ To apply a kustomize configuration with kubectl, use the "-k" option to the
 "apply" option along with the directory of the configuration to apply:
 
 ```
-$ kubectl apply -k base_minikube_sat
+$ kubectl apply -k base_minikube_psat
 ```

examples/k8s/k7e/base_minikube_sat/config/spire-agent.conf → examples/k8s/k7e/base_minikube_psat/config/spire-agent.conf

@@ -9,7 +9,7 @@ agent {
 }
 
 plugins {
-  NodeAttestor "k8s_sat" {
+  NodeAttestor "k8s_psat" {
     plugin_data {
       cluster = "demo-cluster"
     }

examples/k8s/k7e/base_minikube_sat/config/spire-server.conf → examples/k8s/k7e/base_minikube_psat/config/spire-server.conf

@@ -19,11 +19,10 @@ plugins {
     }
   }
 
-  NodeAttestor "k8s_sat" {
+  NodeAttestor "k8s_psat" {
     plugin_data {
       clusters = {
         "demo-cluster" = {
-          service_account_key_file = "/run/k8s-certs/sa.pub"
           service_account_allow_list = ["spire:spire-agent"]
         }
       }

examples/k8s/k7e/base_minikube_sat/spire-agent/spire-agent-deployment.yaml → examples/k8s/k7e/base_minikube_psat/spire-agent/spire-agent-deployment.yaml

@@ -28,7 +28,7 @@ spec:
           args: ["-t", "30", "spire-server:8081"]
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.6.1
+          image: ghcr.io/spiffe/spire-agent:1.11.2
           imagePullPolicy: Always
           args: ["-config", "/run/spire/config/spire-agent.conf"]
           env:
@@ -46,6 +46,8 @@ spec:
             - name: spire-agent-socket
               mountPath: /run/spire/sockets
               readOnly: false
+            - name: spire-token
+              mountPath: /var/run/secrets/tokens
           livenessProbe:
             httpGet:
               path: /live
@@ -71,3 +73,10 @@ spec:
           hostPath:
             path: /run/spire/sockets
             type: DirectoryOrCreate
+        - name: spire-token
+          projected:
+            sources:
+            - serviceAccountToken:
+                path: spire-agent
+                expirationSeconds: 7200
+                audience: spire-server

examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-deployment.yaml → examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-deployment.yaml

@@ -20,7 +20,7 @@ spec:
       serviceAccountName: spire-server
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.6.1
+          image: ghcr.io/spiffe/spire-server:1.11.2
           imagePullPolicy: Always
           args: ["-config", "/run/spire/config/spire-server.conf"]
           ports:

examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-role.yaml → examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-role.yaml

@@ -8,3 +8,6 @@ rules:
   resources: ["configmaps"]
   resourceNames: ["spire-bundle"]
   verbs: ["get", "patch"]
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]

examples/k8s/k7e/community_day_2019_may/README.md

@@ -1,10 +1,10 @@
 # Demo from SPIRE Community Day, May 2019
 
 This example will allow you to recreate the demo from SPIRE Community Day in
-May, 2019. To run this example you'll need:
+May 2019. To run this example you'll need:
 
 + A working minikube.
-+ `kubectl` version 1.14 or later.
++ `kubectl` version 1.20 or later.
 + The [examples/k8s/k7e](/examples/k8s/k7e) directory tree from the SPIRE github
   repository.
 
@@ -24,11 +24,11 @@ $ watch 'set -x; kubectl get pods -n spire; kubectl get pods'
 
 ### Deploy SPIRE
 
-To deploy SPIRE, apply the `base_minikube_sat` configuration from the parent
+To deploy SPIRE, apply the `base_minikube_psat` configuration from the parent
 directory:
 
 ```
-$ kubectl apply -k ../base_minikube_sat
+$ kubectl apply -k ../base_minikube_psat
 ```
 
 Within 30 seconds or so, you should now have pods in "Running" status for both
@@ -102,13 +102,13 @@ registration entries. We'll create two registration entries:
 First, let's create the `node` registration entry:
 
 ```
-$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server entry create -node -spiffeID spiffe://example.org/cluster -selector k8s_sat:cluster:demo-cluster
+$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server entry create -node -spiffeID spiffe://example.org/cluster -selector k8s_psat:cluster:demo-cluster
 
 Entry ID      : 1685a30f-fb14-4242-a86a-568038407ed7
 SPIFFE ID     : spiffe://example.org/cluster
 Parent ID     : spiffe://example.org/spire/server
 TTL           : 3600
-Selector      : k8s_sat:cluster:demo-cluster
+Selector      : k8s_psat:cluster:demo-cluster
 ```
 
 Second, we'll create a registration entry for our client workload:

examples/k8s/k7e/community_day_2019_may/client-deployment.yaml

@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
         - name: client
-          image: ghcr.io/spiffe/spire-agent:1.6.1
+          image: ghcr.io/spiffe/spire-agent:1.11.2
           imagePullPolicy: Always
           command: ["/opt/spire/bin/spire-agent"]
           args: ["api", "watch", "-socketPath", "/run/spire/sockets/agent.sock"]

examples/k8s/postgres/README.md

@@ -1,4 +1,4 @@
-# Postgres SPIRE 1.5.1 deployment
+# Postgres SPIRE deployment
 
 This configuration is an example of a SPIRE deployment for Kubernetes using
 Postgres as a datastore for the SPIRE server. This configuration provides
@@ -8,13 +8,13 @@ better resiliency and allows for scaling up the number of SPIRE servers.
   PersistentVolume.
 + The SPIRE [server](spire-server.yaml) runs as a stateless Deployment.
 + The SPIRE agent runs as a DaemonSet - note this configuration is a symlink
-  to the [simple sat example](../simple_sat/spire-agent.yaml).
+  to the [simple psat example](../simple_psat/spire-agent.yaml).
 
 Both SPIRE agent and server, along with postgres, run in the **spire**
 namespace, using service accounts of **spire-database**, **spire-server**, and
 **spire-agent**.
 
-Compare the [simple sat server](../simple_sat/spire-server.yaml) configuration with
+Compare the [simple psat server](../simple_psat/spire-server.yaml) configuration with
 this [postgres backed server](spire-server.yaml) to see the differences, which
 consist of: a Deployment instead of a StatefulSet, a datastore plugin change,
 an InitContainer that waits for postgres to be up, and removal of the
@@ -27,11 +27,11 @@ failures and scalability.
 + **stateless** - To run the SPIRE server stateless (as in this example), the
   `UpstreamAuthority` plugin needs to be used.
 + **stateful** - To run the SPIRE server stateful, the directory specified in
-  `data_dir` must be persistent (such as in the [simple sat example](../simple_sat)
+  `data_dir` must be persistent (such as in the [simple psat example](../simple_psat)
   where a StatefulSet and PersistentVolumeClaim are used.
 
 In this example deployment, the SPIRE server is stateless, using the example
-[dummy upstream authority](https://github.com/spiffe/spire/tree/v1.5.1/conf/server).
+[dummy upstream authority](https://github.com/spiffe/spire/tree/main/conf/server).
 
 One other **important note**: In a production environment it is very important
 to use a highly available Postgres configuration, unlike this configuration