From 01f85ba9536d8e4374261a54dff169a66f3f9797 Mon Sep 17 00:00:00 2001
From: Ryan Turner
Date: Thu, 23 Jan 2025 12:29:42 -0800
Subject: [PATCH] Fix usage of Docker Compose (#139)
* Fix GitHub PR workflow - Use "docker compose" rather than "docker-compose" command to be compatible with latest Docker versions - Bump actions versions to latest
Signed-off-by: Ryan Turner
Signed-off-by: Sorin Dumitru
Co-authored-by: Sorin Dumitru
---
.github/workflows/pr_build.yml | 4 ++--
.../federation/1-start-spire-agents.sh | 14 +++++------
.../federation/2-bootstrap-federation.sh | 8 +++---
.../3-create-registration-entries.sh | 4 ++--
docker-compose/federation/README.md | 12 +++++-----
docker-compose/federation/build.sh | 2 +-
docker-compose/federation/docker-compose.yaml | 1 -
.../federation/scripts/clean-env.sh | 2 +-
docker-compose/federation/scripts/set-env.sh | 4 ++--
docker-compose/federation/test.sh | 2 +-
docker-compose/metrics/README.md | 2 +-
docker-compose/metrics/docker-compose.yaml | 1 -
docker-compose/metrics/scripts/clean-env.sh | 2 +-
.../create-workload-registration-entry.sh | 4 ++--
docker-compose/metrics/scripts/fetch_svid.sh | 2 +-
docker-compose/metrics/scripts/set-env.sh | 10 ++++----
docker-compose/metrics/test.sh | 4 ++--
docker-compose/nested-spire/README.md | 12 +++++-----
.../nested-spire/docker-compose.yaml | 1 -
.../nested-spire/scripts/clean-env.sh | 2 +-
.../create-workload-registration-entries.sh | 6 ++---
.../nested-spire/scripts/set-env.sh | 24 +++++++++---------
docker-compose/nested-spire/test.sh | 4 ++--
k8s/envoy-jwt-auth-helper/Dockerfile | 4 ++--
k8s/envoy-opa/scripts/set-env.sh | 2 +-
25 files changed, 65 insertions(+), 68 deletions(-)
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index b7f95fe..eb29b43 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -15,9 +15,9 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Setup go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@v5
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: install minikube
diff --git a/docker-compose/federation/1-start-spire-agents.sh b/docker-compose/federation/1-start-spire-agents.sh
index 7f5b979..151b3c9 100755
--- a/docker-compose/federation/1-start-spire-agents.sh
+++ b/docker-compose/federation/1-start-spire-agents.sh
@@ -7,21 +7,21 @@ nn=$(tput sgr0)
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show
+docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show
 # Bootstrap trust to the SPIRE server for each agent by copying over the
 # trust bundle into each agent container.
 echo "${bb}Bootstrapping trust between SPIRE agents and SPIRE servers...${nn}"
-docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show |
- docker-compose -f "${DIR}"/docker-compose.yaml exec -T broker-webapp tee conf/agent/bootstrap.crt
+docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show |
+ docker compose -f "${DIR}"/docker-compose.yaml exec -T broker-webapp tee conf/agent/bootstrap.crt
-docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock bin/spire-server bundle show |
- docker-compose -f "${DIR}"/docker-compose.yaml exec -T stock-quotes-service tee conf/agent/bootstrap.crt
+docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock bin/spire-server bundle show |
+ docker compose -f "${DIR}"/docker-compose.yaml exec -T stock-quotes-service tee conf/agent/bootstrap.crt
 # Start up the broker-webapp SPIRE agent.
 echo "${bb}Starting broker-webapp SPIRE agent...${nn}"
-docker-compose -f "${DIR}"/docker-compose.yaml exec -d broker-webapp bin/spire-agent run
+docker compose -f "${DIR}"/docker-compose.yaml exec -d broker-webapp bin/spire-agent run
 # Start up the stock-quotes-service SPIRE agent.
 echo "${bb}Starting stock-quotes-service SPIRE agent...${nn}"
-docker-compose -f "${DIR}"/docker-compose.yaml exec -d stock-quotes-service bin/spire-agent run
+docker compose -f "${DIR}"/docker-compose.yaml exec -d stock-quotes-service bin/spire-agent run
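Review bot: The `tee conf/agent/bootstrap.crt` pipelines write each agent's trust-bundle file regardless of whether the server-side `bundle show` succeeded, because a pipeline's exit status is that of its last stage (`tee`); if the server is not yet answering (set-env.sh runs `up -d` immediately before this script), the agent is left with an empty bootstrap.crt and fails trust bootstrap later with a much less obvious error. Unless `set -o pipefail` is in effect above the hunk, guard the fetch before piping it, e.g. `bundle=$(docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show) || exit 1`, and only then hand `"${bundle}"` to the agent container. The same unchecked pattern, where `>` redirection creates an empty file even when the command fails, appears in the metrics set-env.sh hunk (`bundle show > "${PARENT_DIR}"/spire/agent/bootstrap.crt`) and in all four `bootstrapping` lines of the nested-spire set-env.sh hunks. The standalone `bundle show` at the top of the hunk only prints the bundle to stdout; if it is meant as display output for the reader, a comment such as `# Print the broker bundle for inspection; the copies below are what the agents use.` would make that intent clear.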
diff --git a/docker-compose/federation/2-bootstrap-federation.sh b/docker-compose/federation/2-bootstrap-federation.sh
index d8134ea..4ba2125 100755
--- a/docker-compose/federation/2-bootstrap-federation.sh
+++ b/docker-compose/federation/2-bootstrap-federation.sh
@@ -8,13 +8,13 @@ nn=$(tput sgr0)
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 echo "${bb}bootstrapping bundle from broker to quotes-service server...${nn}"
-docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker \
+docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker \
 /opt/spire/bin/spire-server bundle show -format spiffe > "${DIR}"/docker/spire-server-stockmarket.example/conf/broker.example.bundle
-docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock \
+docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock \
 /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://broker.example -path /opt/spire/conf/server/broker.example.bundle
 echo "${bb}bootstrapping bundle from quotes-service to broker server...${nn}"
-docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock \
+docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock \
 /opt/spire/bin/spire-server bundle show -format spiffe > "${DIR}"/docker/spire-server-broker.example/conf/stockmarket.example.bundle
-docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker \
+docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker \
 /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://stockmarket.example -path /opt/spire/conf/server/stockmarket.example.bundle
diff --git a/docker-compose/federation/3-create-registration-entries.sh b/docker-compose/federation/3-create-registration-entries.sh
index 6997223..3eae174 100755
--- a/docker-compose/federation/3-create-registration-entries.sh
+++ b/docker-compose/federation/3-create-registration-entries.sh
@@ -18,14 +18,14 @@ BROKER_WEBAPP_AGENT_FINGERPRINT=$(fingerprint ${DIR}/docker/broker-webapp/conf/a
 QUOTES_SERVICE_AGENT_FINGERPRINT=$(fingerprint ${DIR}/docker/stock-quotes-service/conf/agent.crt.pem)
 echo "${bb}Creating registration entry for the broker-webapp...${nn}"
-docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server entry create \
+docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server entry create \
 -parentID spiffe://broker.example/spire/agent/x509pop/${BROKER_WEBAPP_AGENT_FINGERPRINT} \
 -spiffeID spiffe://broker.example/webapp \
 -selector unix:uid:0 \
 -federatesWith "spiffe://stockmarket.example"
 echo "${bb}Creating registration entry for the stock-quotes-service...${nn}"
-docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock bin/spire-server entry create \
+docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock bin/spire-server entry create \
 -parentID spiffe://stockmarket.example/spire/agent/x509pop/${QUOTES_SERVICE_AGENT_FINGERPRINT} \
 -spiffeID spiffe://stockmarket.example/quotes-service \
 -selector unix:uid:0 \
diff --git a/docker-compose/federation/README.md b/docker-compose/federation/README.md
index bcce77a..8ea7b36 100644
--- a/docker-compose/federation/README.md
+++ b/docker-compose/federation/README.md
@@ -289,7 +289,7 @@ $ ./build.sh
 Run the following command to start the SPIRE Servers and the applications:
 ```
-$ docker-compose up -d
+$ docker compose up -d
 ```
 ## Start SPIRE Agents
@@ -327,7 +327,7 @@ Open up a browser to http://localhost:8080/quotes and you should see a grid of r
 To see the broker's SPIRE Server configuration you can run:
 ```
-$ docker-compose exec spire-server-broker cat conf/server/server.conf
+$ docker compose exec spire-server-broker cat conf/server/server.conf
 ```
 You should see:
@@ -385,7 +385,7 @@ plugins {
 To see the stock market's SPIRE Server configuration you can run:
 ```
-$ docker-compose exec spire-server-stock cat conf/server/server.conf
+$ docker compose exec spire-server-stock cat conf/server/server.conf
 ```
 You should see:
@@ -445,7 +445,7 @@ plugins {
 To see the broker's SPIRE Server registration entries you can run:
 ```
-$ docker-compose exec spire-server-broker bin/spire-server entry show
+$ docker compose exec spire-server-broker bin/spire-server entry show
 ```
 You should see something like this:
@@ -464,7 +464,7 @@ FederatesWith : spiffe://stockmarket.example
 To see the stock martket's SPIRE Server registration entries you can run:
 ```
-$ docker-compose exec spire-server-stock bin/spire-server entry show
+$ docker compose exec spire-server-stock bin/spire-server entry show
 ```
 You should see something like this:
@@ -483,5 +483,5 @@ FederatesWith : spiffe://broker.example
 ## Cleanup
 ```
-$ docker-compose down
+$ docker compose down
 ```
diff --git a/docker-compose/federation/build.sh b/docker-compose/federation/build.sh
index c6c96be..ff0e5c3 100755
--- a/docker-compose/federation/build.sh
+++ b/docker-compose/federation/build.sh
@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 (cd "${DIR}"/src/broker-webapp && CGO_ENABLED=0 GOOS=linux go build -v -o "${DIR}"/docker/broker-webapp/broker-webapp)
 (cd "${DIR}"/src/stock-quotes-service && CGO_ENABLED=0 GOOS=linux go build -v -o "${DIR}"/docker/stock-quotes-service/stock-quotes-service)
-docker-compose -f "${DIR}"/docker-compose.yaml build
+docker compose -f "${DIR}"/docker-compose.yaml build
diff --git a/docker-compose/federation/docker-compose.yaml b/docker-compose/federation/docker-compose.yaml
index 5b07e90..d7b31ad 100644
--- a/docker-compose/federation/docker-compose.yaml
+++ b/docker-compose/federation/docker-compose.yaml
@@ -1,4 +1,3 @@
-version: '3'
 services:
 spire-server-stock:
diff --git a/docker-compose/federation/scripts/clean-env.sh b/docker-compose/federation/scripts/clean-env.sh
index 4dbe321..58101bd 100644
--- a/docker-compose/federation/scripts/clean-env.sh
+++ b/docker-compose/federation/scripts/clean-env.sh
@@ -7,6 +7,6 @@ PARENT_DIR="$(dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )")"
 norm=$(tput sgr0) || true
 green=$(tput setaf 2) || true
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml down
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml down
 echo "${green}Cleaning completed.${norm}"
diff --git a/docker-compose/federation/scripts/set-env.sh b/docker-compose/federation/scripts/set-env.sh
index b15e7f5..2153d87 100755
--- a/docker-compose/federation/scripts/set-env.sh
+++ b/docker-compose/federation/scripts/set-env.sh
@@ -24,7 +24,7 @@ check-entry-is-propagated() {
 # Wait one second between checks.
 log "Checking registration entry is propagated..."
 for ((i=1;i<=30;i++)); do
- if docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T $1 cat /opt/spire/agent.log 2>&1 | grep -qe "$2"; then
+ if docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T $1 cat /opt/spire/agent.log 2>&1 | grep -qe "$2"; then
 log "${green}Entry is propagated.${nn}"
 return 0
 fi
@@ -40,7 +40,7 @@ log "Building"
 bash "${PARENT_DIR}"/build.sh
 log "Starting container"
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d
 bash "${PARENT_DIR}"/1-start-spire-agents.sh
diff --git a/docker-compose/federation/test.sh b/docker-compose/federation/test.sh
index 6b02e7c..65632fd 100755
--- a/docker-compose/federation/test.sh
+++ b/docker-compose/federation/test.sh
@@ -34,7 +34,7 @@ clean-env
 bash "${DIR}"/scripts/set-env.sh
 for ((i=0;i<60;i++)); do
- if docker-compose -f "${DIR}"/docker-compose.yaml exec -T broker-webapp wget localhost:8080/quotes -O - 2>&1 | grep -qe "Quotes service unavailable"; then
+ if docker compose -f "${DIR}"/docker-compose.yaml exec -T broker-webapp wget localhost:8080/quotes -O - 2>&1 | grep -qe "Quotes service unavailable"; then
 log "Service not found, retrying..."
 sleep 1
 continue
diff --git a/docker-compose/metrics/README.md b/docker-compose/metrics/README.md
index 99a46e0..ee159d4 100644
--- a/docker-compose/metrics/README.md
+++ b/docker-compose/metrics/README.md
@@ -128,7 +128,7 @@ $ bash scripts/set-env.sh
 Once the script is completed, in another terminal run the following command to review the logs from all the services:
 ```console
-$ docker-compose logs -f -t
+$ docker compose logs -f -t
 ```
diff --git a/docker-compose/metrics/docker-compose.yaml b/docker-compose/metrics/docker-compose.yaml
index 91adb04..785e952 100644
--- a/docker-compose/metrics/docker-compose.yaml
+++ b/docker-compose/metrics/docker-compose.yaml
@@ -1,4 +1,3 @@
-version: '3'
 services:
 graphite-statsd:
 image: graphiteapp/graphite-statsd:1.1.7-6
diff --git a/docker-compose/metrics/scripts/clean-env.sh b/docker-compose/metrics/scripts/clean-env.sh
index 4dbe321..58101bd 100644
--- a/docker-compose/metrics/scripts/clean-env.sh
+++ b/docker-compose/metrics/scripts/clean-env.sh
@@ -7,6 +7,6 @@ PARENT_DIR="$(dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )")"
 norm=$(tput sgr0) || true
 green=$(tput setaf 2) || true
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml down
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml down
 echo "${green}Cleaning completed.${norm}"
diff --git a/docker-compose/metrics/scripts/create-workload-registration-entry.sh b/docker-compose/metrics/scripts/create-workload-registration-entry.sh
index 0265130..9bfb569 100644
--- a/docker-compose/metrics/scripts/create-workload-registration-entry.sh
+++ b/docker-compose/metrics/scripts/create-workload-registration-entry.sh
@@ -29,7 +29,7 @@ check-entry-is-propagated() {
 # Wait one second between checks.
 log "Checking registration entry is propagated..."
 for ((i=1;i<=30;i++)); do
- if docker-compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "$2"; then
+ if docker compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "$2"; then
 log "${green}Entry is propagated.${nn}"
 return 0
 fi
@@ -43,7 +43,7 @@ check-entry-is-propagated() {
 # Workload for workload-A deployment
 log "creating workload-A workload registration entries..."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T spire-server \
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T spire-server \
 /opt/spire/bin/spire-server entry create \
 -parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint "${PARENT_DIR}"/spire/agent/agent.crt.pem)" \
 -spiffeID "spiffe://example.org/workload-A" \
diff --git a/docker-compose/metrics/scripts/fetch_svid.sh b/docker-compose/metrics/scripts/fetch_svid.sh
index 7592ef3..76c1c4e 100644
--- a/docker-compose/metrics/scripts/fetch_svid.sh
+++ b/docker-compose/metrics/scripts/fetch_svid.sh
@@ -4,7 +4,7 @@ set -e
 echo "Will call api fetch x509 100 times in a random interval between 1 and 10 of seconds."
 for ((i=0;i<100;i++)); do
- docker-compose exec -u 1001 -T spire-agent \
+ docker compose exec -u 1001 -T spire-agent \
 /opt/spire/bin/spire-agent api fetch x509 \
 -socketPath /opt/spire/sockets/workload_api.sock > /dev/null
 sleep $(( $RANDOM % 10 + 1 ))
diff --git a/docker-compose/metrics/scripts/set-env.sh b/docker-compose/metrics/scripts/set-env.sh
index 5c30fa0..3631634 100755
--- a/docker-compose/metrics/scripts/set-env.sh
+++ b/docker-compose/metrics/scripts/set-env.sh
@@ -12,16 +12,16 @@ log() {
 }
 log "Start StatsD-Graphite server"
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d graphite-statsd
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d graphite-statsd
 log "Start prometheus server"
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d prometheus
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d prometheus
 log "Start SPIRE Server"
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d spire-server
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d spire-server
 log "bootstrapping SPIRE Agent..."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T spire-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/spire/agent/bootstrap.crt
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T spire-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/spire/agent/bootstrap.crt
 log "Start SPIRE Agent"
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d spire-agent
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d spire-agent
diff --git a/docker-compose/metrics/test.sh b/docker-compose/metrics/test.sh
index 78174de..bf8ec6e 100755
--- a/docker-compose/metrics/test.sh
+++ b/docker-compose/metrics/test.sh
@@ -29,7 +29,7 @@ log "Checking Statsd received metrics pushed by SPIRE..."
 STATSD_LOG_LINE="MetricLineReceiver connection with .* established"
 for ((i=0;i<60;i++)); do
- if ! docker-compose -f "${DIR}"/docker-compose.yaml logs --tail=10 -t graphite-statsd | grep -qe "${STATSD_LOG_LINE}" ; then
+ if ! docker compose -f "${DIR}"/docker-compose.yaml logs --tail=10 -t graphite-statsd | grep -qe "${STATSD_LOG_LINE}" ; then
 sleep 1
 continue
 fi
@@ -43,7 +43,7 @@ fi
 log "Checking that Prometheus can reach the endpoint exposed by SPIRE..."
 for ((i=0;i<60;i++)); do
- if ! docker-compose -f "${DIR}"/docker-compose.yaml exec -T prometheus wget -S spire-server:8088/ 2>&1 | grep -qe "200 OK" ; then
+ if ! docker compose -f "${DIR}"/docker-compose.yaml exec -T prometheus wget -S spire-server:8088/ 2>&1 | grep -qe "200 OK" ; then
 sleep 1
 continue
 fi
diff --git a/docker-compose/nested-spire/README.md b/docker-compose/nested-spire/README.md
index 626a228..270bdbf 100644
--- a/docker-compose/nested-spire/README.md
+++ b/docker-compose/nested-spire/README.md
@@ -108,7 +108,7 @@ The Docker Compose definition for the `nestedA-server` service in the [docker-co
 The `nestedA-server` must be registered on the `root-server` to obtain its identity which will be used to mint SVIDs. We achieve this by creating a registration entry in the root SPIRE Server for the `nestedA-server`.
 ```console
- docker-compose exec -T root-server \
+ docker compose exec -T root-server \
 /opt/spire/bin/spire-server entry create \
 -parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint root/agent/agent.crt.pem)" \
 -spiffeID "spiffe://example.org/nestedA" \
@@ -132,7 +132,7 @@ Ensure that the current working directory is `.../spire-tutorials/docker-compose
 Once the script is completed, in another terminal run the following command to review the logs from all the services:
 ```console
- docker-compose logs -f -t
+ docker compose logs -f -t
 ```
@@ -146,14 +146,14 @@ To test the scenario we create two workload registration entries, one entry for
 ```console
 # Workload for nestedA deployment
- docker-compose exec -T nestedA-server \
+ docker compose exec -T nestedA-server \
 /opt/spire/bin/spire-server entry create \
 -parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint nestedA/agent/agent.crt.pem)" \
 -spiffeID "spiffe://example.org/nestedA/workload" \
 -selector "unix:uid:1001" \
 # Workload for nestedB deployment
- docker-compose exec -T nestedB-server \
+ docker compose exec -T nestedB-server \
 /opt/spire/bin/spire-server entry create \
 -parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint nestedB/agent/agent.crt.pem)" \
 -spiffeID "spiffe://example.org/nestedB/workload" \
@@ -177,14 +177,14 @@ The test consists of getting a JWT-SVID from the `nestedA-agent` SPIRE Agent and
 Type this command to fetch the JWT-SVID on the `nestedA` SPIRE Agent and extract the token from the JWT-SVID:
 ```console
- token=$(docker-compose exec -u 1001 -T nestedA-agent \
+ token=$(docker compose exec -u 1001 -T nestedA-agent \
 /opt/spire/bin/spire-agent api fetch jwt -audience nested-test -socketPath /opt/spire/sockets/workload_api.sock | sed -n '2p')
 ```
 Run the following command to validate the token from `nestedA` on the `nestedB` SPIRE Agent:
 ```console
- docker-compose exec -u 1001 -T nestedB-agent \
+ docker compose exec -u 1001 -T nestedB-agent \
 /opt/spire/bin/spire-agent api validate jwt -audience nested-test -svid "${token}" \
 -socketPath /opt/spire/sockets/workload_api.sock
 ```
diff --git a/docker-compose/nested-spire/docker-compose.yaml b/docker-compose/nested-spire/docker-compose.yaml
index 8b4faa4..d7e91da 100644
--- a/docker-compose/nested-spire/docker-compose.yaml
+++ b/docker-compose/nested-spire/docker-compose.yaml
@@ -1,4 +1,3 @@
-version: '3'
 services:
 # Root
 root-server:
diff --git a/docker-compose/nested-spire/scripts/clean-env.sh b/docker-compose/nested-spire/scripts/clean-env.sh
index 4dbe321..58101bd 100755
--- a/docker-compose/nested-spire/scripts/clean-env.sh
+++ b/docker-compose/nested-spire/scripts/clean-env.sh
@@ -7,6 +7,6 @@ PARENT_DIR="$(dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )")"
 norm=$(tput sgr0) || true
 green=$(tput setaf 2) || true
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml down
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml down
 echo "${green}Cleaning completed.${norm}"
diff --git a/docker-compose/nested-spire/scripts/create-workload-registration-entries.sh b/docker-compose/nested-spire/scripts/create-workload-registration-entries.sh
index bc3d1eb..a84b541 100644
--- a/docker-compose/nested-spire/scripts/create-workload-registration-entries.sh
+++ b/docker-compose/nested-spire/scripts/create-workload-registration-entries.sh
@@ -29,7 +29,7 @@ check-entry-is-propagated() {
 # Wait one second between checks.
 log "Checking registration entry is propagated..."
 for ((i=1;i<=30;i++)); do
- if docker-compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "$2"; then
+ if docker compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "$2"; then
 log "${green}Entry is propagated.${nn}"
 return 0
 fi
@@ -43,7 +43,7 @@ check-entry-is-propagated() {
 # Workload for nestedA deployment
 log "creating nestedA workload registration entry..."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedA-server \
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedA-server \
 /opt/spire/bin/spire-server entry create \
 -parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint "${PARENT_DIR}"/nestedA/agent/agent.crt.pem)" \
 -spiffeID "spiffe://example.org/nestedA/workload" \
@@ -54,7 +54,7 @@ check-entry-is-propagated nestedA-agent spiffe://example.org/nestedA/workload
 # Workload for nestedB deployment
 log "creating nestedB workload registration entry..."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedB-server \
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedB-server \
 /opt/spire/bin/spire-server entry create \
 -parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint "${PARENT_DIR}"/nestedB/agent/agent.crt.pem)" \
 -spiffeID "spiffe://example.org/nestedB/workload" \
diff --git a/docker-compose/nested-spire/scripts/set-env.sh b/docker-compose/nested-spire/scripts/set-env.sh
index df2ff98..23f7fba 100755
--- a/docker-compose/nested-spire/scripts/set-env.sh
+++ b/docker-compose/nested-spire/scripts/set-env.sh
@@ -36,7 +36,7 @@ check-entry-is-propagated() {
 # Wait one second between checks.
 log "Checking registration entry is propagated..."
 for ((i=1;i<=30;i++)); do
- if docker-compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "$2"; then
+ if docker compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "$2"; then
 log "${green}Entry is propagated.${nn}"
 return 0
 fi
@@ -66,17 +66,17 @@ log "Generate certificates for the root SPIRE deployment"
 setup "${PARENT_DIR}"/root/server "${PARENT_DIR}"/root/agent
 log "Start root server"
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d root-server
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d root-server
 log "bootstrapping root-agent."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/root/agent/bootstrap.crt
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/root/agent/bootstrap.crt
 log "Start root agent"
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d root-agent
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d root-agent
 # Creates registration entries for the nested servers
 log "creating nestedA downstream registration entry..."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server \
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server \
 /opt/spire/bin/spire-server entry create \
 -parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint "${PARENT_DIR}"/root/agent/agent.crt.pem)" \
 -spiffeID "spiffe://example.org/nestedA" \
@@ -86,7 +86,7 @@ docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server \
 check-entry-is-propagated root-agent spiffe://example.org/nestedA
 log "creating nestedB downstream registration entry..."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server \
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server \
 /opt/spire/bin/spire-server entry create \
 -parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint "${PARENT_DIR}"/root/agent/agent.crt.pem)" \
 -spiffeID "spiffe://example.org/nestedB" \
@@ -101,13 +101,13 @@ log "Generate certificates for the nestedA deployment"
 setup "${PARENT_DIR}"/nestedA/server "${PARENT_DIR}"/nestedA/agent
 log "Starting nestedA-server.."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedA-server
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedA-server
 log "bootstrapping nestedA agent..."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedA-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedA/agent/bootstrap.crt
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedA-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedA/agent/bootstrap.crt
 log "Starting nestedA-agent..."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedA-agent
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedA-agent
 # Starts nestedB SPIRE deployment
@@ -115,10 +115,10 @@ log "Generate certificates for the nestedB deployment"
 setup "${PARENT_DIR}"/nestedB/server "${PARENT_DIR}"/nestedB/agent
 log "Starting nestedB-server.."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedB-server
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedB-server
 log "bootstrapping nestedB agent..."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedB-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedB/agent/bootstrap.crt
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedB-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedB/agent/bootstrap.crt
 log "Starting nestedB-agent..."
-docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedB-agent
+docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedB-agent
diff --git a/docker-compose/nested-spire/test.sh b/docker-compose/nested-spire/test.sh
index c5a512b..e41ae1c 100755
--- a/docker-compose/nested-spire/test.sh
+++ b/docker-compose/nested-spire/test.sh
@@ -37,11 +37,11 @@ bash "${DIR}"/scripts/create-workload-registration-entries.sh
 log "checking nested JWT-SVID..."
 # Fetch JWT-SVID and extract token
-token=$(docker-compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedA-agent \
+token=$(docker compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedA-agent \
 /opt/spire/bin/spire-agent api fetch jwt -audience testIt -socketPath /opt/spire/sockets/workload_api.sock | sed -n '2p') || fail "JWT-SVID check failed"
 # Validate token
-validation_result=$(docker-compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedB-agent \
+validation_result=$(docker compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedB-agent \
 /opt/spire/bin/spire-agent api validate jwt -audience testIt -svid "${token}" -socketPath /opt/spire/sockets/workload_api.sock)
 if echo $validation_result | grep -qe "SVID is valid."; then
diff --git a/k8s/envoy-jwt-auth-helper/Dockerfile b/k8s/envoy-jwt-auth-helper/Dockerfile
index 336ff49..8cd85c6 100644
--- a/k8s/envoy-jwt-auth-helper/Dockerfile
+++ b/k8s/envoy-jwt-auth-helper/Dockerfile
@@ -1,11 +1,11 @@
-FROM golang:bookworm as build-stage
+FROM golang:bookworm AS build-stage
 WORKDIR /app
 COPY . .
 RUN go mod download
 RUN go build
-FROM debian:bookworm-slim as production-stage
+FROM debian:bookworm-slim AS production-stage
 RUN apt update && DEBIAN_FRONTEND=noninteractive apt full-upgrade -y && \
 apt install -y dumb-init iputils-ping curl procps
diff --git a/k8s/envoy-opa/scripts/set-env.sh b/k8s/envoy-opa/scripts/set-env.sh
index aac12b6..e63d1b2 100755
--- a/k8s/envoy-opa/scripts/set-env.sh
+++ b/k8s/envoy-opa/scripts/set-env.sh
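Review bot: `|| fail "JWT-SVID check failed"` on the `token=$(...)` line never fires when the fetch itself fails, because the exit status of the command substitution is that of the last pipeline stage (`sed -n '2p'`), which returns 0 even when it receives no input; unless `set -o pipefail` is set above the hunk, a failed fetch yields an empty token that is then handed to `validate jwt -svid ""`. A direct check after the assignment closes the gap: `[ -n "${token}" ] || fail "JWT-SVID check failed"`. The `validation_result=$(...)` assignment has no failure handling either, though the following `grep -qe "SVID is valid."` does reject an empty result; quoting it as `echo "${validation_result}"` would also avoid word splitting of the agent output. The script body continues outside the hunk.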
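Review bot: The production-stage package line that the hunk leaves unchanged, `RUN apt update && DEBIAN_FRONTEND=noninteractive apt full-upgrade -y && apt install -y dumb-init iputils-ping curl procps`, uses the interactive `apt` front end rather than `apt-get`, pulls in recommended packages, runs a `full-upgrade` inside the image and never removes `/var/lib/apt/lists`, so the layer is larger and less reproducible than it needs to be. Since the commit already touches this file for a lint fix (`as` → `AS`), the same pass could change it to `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends curl dumb-init iputils-ping procps && rm -rf /var/lib/apt/lists/*` and pick up base-image fixes by bumping the `debian:bookworm-slim` tag instead of upgrading at build time. Both `FROM` lines use floating tags (`golang:bookworm`, `debian:bookworm-slim`); pinning a digest would make the build reproducible. `iputils-ping`, `procps` and `curl` read as debugging tools in a runtime stage; if they are required, a comment stating why would help the next maintainer decide whether they can go. The rest of the production stage (`USER`, `ENTRYPOINT`) is outside the hunk, so whether the image runs as non-root cannot be judged here.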
@@ -39,7 +39,7 @@ wait_for_envoy() {
 LOGLINE="all dependencies initialized. starting workers"
 LOGLINE2="membership update for TLS cluster backend added 1 removed 1"
 for ((i=0;i<30;i++)); do
- if ! kubectl logs --tail=100 --selector=app=backend -c envoy | grep -qe "${LOGLINE}" ; then
+ if ! kubectl logs --tail=1000 --selector=app=backend -c envoy | grep -qe "${LOGLINE}" ; then
 sleep 5
 echo "Waiting until backend envoy instance is ready..."
 continue
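Review bot: The bump from `--tail=100` to `--tail=1000` is an unexplained magic number; presumably Envoy's startup output grew past 100 lines so the `${LOGLINE}` marker scrolled out of the window and the wait loop timed out, but nothing in the hunk records that. A one-line comment above the loop would preserve the reason, e.g. `# Envoy logs well over 100 lines at startup; keep the tail window large enough that the "starting workers" line is still visible.` (confirm the actual cause before committing the wording). `wait_for_envoy` begins before the hunk, and `LOGLINE2` is defined here but consumed outside it, so the second check may want the same window size.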