[WIP] Feat integrate spiffe

[TessaIO]

Resolves #1186

[netlify]

✅ Deploy Preview for kubernetes-sigs-nfd ready!

Name	Link
🔨 Latest commit	9a67b7b
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-nfd/deploys/67e92c285fb2100008293afb
😎 Deploy Preview	https://deploy-preview-1663--kubernetes-sigs-nfd.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[TessaIO]

/cc marquiz

[ArangoGutierrez]

Let's close #1434 ;)

[ArangoGutierrez]

Some first comments

[marquiz]

/milestone v0.17

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: TessaIO
Once this PR has been reviewed and has the lgtm label, please ask for approval from arangogutierrez. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

PR Overview

This PR integrates SPIFFE support to sign and verify NodeFeature objects, addressing issue #1186. Key changes include:

• Adding SPIFFE configuration options in the Helm chart and deployment templates.
• Implementing SPIFFE client logic and cryptographic signing/verification functions (with accompanying tests) in pkg/utils/spiffe.
• Updating nfd-worker and nfd-master to sign and verify NodeFeature objects based on SPIFFE.

Reviewed Changes

File	Description
deployment/helm/node-feature-discovery/values.yaml	Adds SPIFFE configuration options
pkg/utils/spiffe/spiffe.go	Implements SPIFFE signing and verification functions
pkg/utils/spiffe/spiffe_test.go	Provides tests for the SPIFFE implementation
docs/reference/*	Updates command line references to include SPIFFE flags
pkg/nfd-worker/nfd-worker.go	Integrates SPIFFE signing into the worker’s CRD creation/update
pkg/nfd-master/nfd-master.go	Integrates SPIFFE verification in node feature reconciliation
cmd/nfd-worker/main.go & cmd/nfd-master/main.go	Adds CLI flags for enabling SPIFFE

Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.

[TessaIO]

@ArangoGutierrez @marquiz any other comments about implementation? (I will start working on docs once we agree on the implementation)

[marquiz]

any other comments about implementation? (I will start working on docs once we agree on the implementation)

Thank you @TessaIO for the update. The implementation generally looks feasible to me.

The only problem I see, found in my testing, is that now the NF object changes every 60s (or whatever the worker sleepInterval is set to). The data hash does not change but the signature changes -> NF is updated -> trickles down to nfd-master getting update from every node every 60s.

I think this needs to be solved. We should cache the hash (and the signature?) in nfd-worker and not re-sign if it hasn't changed, with forced re-signing every 24 hours or smth. We could also address this in a separate PR.

Any thoughts or comments @TessaIO @ArangoGutierrez?

[marquiz]

With the caching I started to think that the signing certificates have a TTL, and thus the signature also becomes expired at some point, right(?) What is the default ttl?

I started to wonder that it might be necessary for the nfd-worker to also (every time) validate that the signature is still valid. If not -> re-sign the data.

Comments?

[TessaIO]

Yes, that's a good point. I was able to reproduce it by reducing the TTL to 1m, and I found that the master wasn't able to verify the signature. I think it's necessary to pass the TTL to the worker so that each time it invalidates the cache, it re-signs again.

[marquiz]

Sorry, I need come take back my earlier comment about the mounts 🤦‍♂️ If the spire-agent pod is deleted and re-created (for whatever reason) the nfd pods will permanently lose the spire sock (as the underlying socket changes), if I'm not mistaken. Thus a possible fix would be (and ditto nfd-worker).

            path: /run/spire/agent-sockets
            type: Directory

Thoughts?

[TessaIO]

Good point. api.sock is a symlink to spire-agent.sock, so if spire-agent gets restarted or re-created we still have a symlink to the same file name that I think kubelet updates that periodically, right?

[k8s-ci-robot]

@TessaIO: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-node-feature-discovery-build-image-cross-generic	9a67b7b	link	true	/test pull-node-feature-discovery-build-image-cross-generic

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[marquiz]

We'd still need to check the hash too, right? Only return the cached signature if the cached hash matches.