azure_imds: add configurable trust_bundle_path for additional root CAs#7143
Open
ravishen wants to merge 5 commits into
Open
azure_imds: add configurable trust_bundle_path for additional root CAs#7143ravishen wants to merge 5 commits into
ravishen wants to merge 5 commits into
Conversation
Signed-off-by: Ravishen Jain <ravjain@confluent.io>
…nfig Signed-off-by: Ravishen Jain <ravjain@confluent.io>
Signed-off-by: Ravishen Jain <ravjain@confluent.io>
There was a problem hiding this comment.
Pull request overview
Adds an operator-configurable trust_bundle_path to the azure_imds server node attestor so additional root CA certificates can be loaded from disk and added to SPIRE’s embedded root set when validating Azure IMDS attested document signing chains. This helps operators respond to Azure CA/root changes without waiting for a SPIRE release.
Changes:
- Add
trust_bundle_pathconfig parsing in the Azure IMDS node attestor and pass loaded certificates through to document validation. - Extend certificate chain validation to include operator-provided additional roots alongside embedded roots.
- Add/adjust unit tests and update plugin documentation to describe the new option.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/server/plugin/nodeattestor/azureimds/imds.go | Loads additional root CAs from trust_bundle_path at configure-time and wires them into attestation-time document validation. |
| pkg/server/plugin/nodeattestor/azureimds/imds_test.go | Adds configure-time tests for trust_bundle_path and updates hook signature for document validation. |
| pkg/server/plugin/nodeattestor/azureimds/doc_validation.go | Extends chain verification to include additional roots in the root pool. |
| pkg/server/plugin/nodeattestor/azureimds/doc_validation_test.go | Updates existing tests for new function signatures and adds coverage for additional-roots verification behavior. |
| doc/plugin_server_nodeattestor_azure_imds.md | Documents trust_bundle_path and provides an example configuration. |
Signed-off-by: Ravishen Jain <ravjain@confluent.io>
Signed-off-by: Ravishen Jain <ravjain@confluent.io>
ef6340a to
fb7ce71
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Affected functionality
azure_imdsserver node attestor: certificate chain validation / configuration.Description of change
Adds an optional
trust_bundle_pathconfiguration option to theazure_imdsnode attestor. When set, the PEM file at that path is loaded at configure time and its certificates are added to the set of root CAs used to validate the attested document's signing certificate chain.The configured roots are a union with the roots embedded in SPIRE, not a replacement, embedded roots remain the default and are always trusted. This lets operators react to an Azure root CA change (e.g. a newly cross-signed root)
without waiting for a new SPIRE release, addressing the root-pinning maintenance concern raised in #6952.
Details:
trust_bundle_pathHCL field, following theca_bundle_pathprecedent in the
x509popattestor.Which issue this PR fixes
Relates to #6952