Skip to content

azure_imds: add configurable trust_bundle_path for additional root CAs#7143

Open
ravishen wants to merge 5 commits into
spiffe:mainfrom
ravishen:azure-imds-trust-bundle-path
Open

azure_imds: add configurable trust_bundle_path for additional root CAs#7143
ravishen wants to merge 5 commits into
spiffe:mainfrom
ravishen:azure-imds-trust-bundle-path

Conversation

@ravishen

Copy link
Copy Markdown
Contributor

Affected functionality

azure_imds server node attestor: certificate chain validation / configuration.

Description of change

Adds an optional trust_bundle_path configuration option to the azure_imds node attestor. When set, the PEM file at that path is loaded at configure time and its certificates are added to the set of root CAs used to validate the attested document's signing certificate chain.

The configured roots are a union with the roots embedded in SPIRE, not a replacement, embedded roots remain the default and are always trusted. This lets operators react to an Azure root CA change (e.g. a newly cross-signed root)
without waiting for a new SPIRE release, addressing the root-pinning maintenance concern raised in #6952.

Details:

  • Added trust_bundle_path HCL field, following the ca_bundle_path
    precedent in the x509pop attestor.
  • Updated docs

Which issue this PR fixes

Relates to #6952

ravishen added 3 commits July 13, 2026 15:37
Signed-off-by: Ravishen Jain <ravjain@confluent.io>
…nfig

Signed-off-by: Ravishen Jain <ravjain@confluent.io>
Signed-off-by: Ravishen Jain <ravjain@confluent.io>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an operator-configurable trust_bundle_path to the azure_imds server node attestor so additional root CA certificates can be loaded from disk and added to SPIRE’s embedded root set when validating Azure IMDS attested document signing chains. This helps operators respond to Azure CA/root changes without waiting for a SPIRE release.

Changes:

  • Add trust_bundle_path config parsing in the Azure IMDS node attestor and pass loaded certificates through to document validation.
  • Extend certificate chain validation to include operator-provided additional roots alongside embedded roots.
  • Add/adjust unit tests and update plugin documentation to describe the new option.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
pkg/server/plugin/nodeattestor/azureimds/imds.go Loads additional root CAs from trust_bundle_path at configure-time and wires them into attestation-time document validation.
pkg/server/plugin/nodeattestor/azureimds/imds_test.go Adds configure-time tests for trust_bundle_path and updates hook signature for document validation.
pkg/server/plugin/nodeattestor/azureimds/doc_validation.go Extends chain verification to include additional roots in the root pool.
pkg/server/plugin/nodeattestor/azureimds/doc_validation_test.go Updates existing tests for new function signatures and adds coverage for additional-roots verification behavior.
doc/plugin_server_nodeattestor_azure_imds.md Documents trust_bundle_path and provides an example configuration.

Comment thread pkg/server/plugin/nodeattestor/azureimds/doc_validation.go
Comment thread pkg/server/plugin/nodeattestor/azureimds/imds_test.go
ravishen added 2 commits July 13, 2026 17:57
Signed-off-by: Ravishen Jain <ravjain@confluent.io>
Signed-off-by: Ravishen Jain <ravjain@confluent.io>
@ravishen ravishen force-pushed the azure-imds-trust-bundle-path branch from ef6340a to fb7ce71 Compare July 13, 2026 12:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants