From 2b623dece376b269a6cf72df549f967d2ab2ffeb Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Sat, 11 Apr 2026 14:56:43 -0700
Subject: [PATCH] Add spiffe:svid selector
When you setup a node alias, it is difficult to match the workload without carefully looking at the documenation of the particular node attestor and see what selectors are unique. This is very hard to automate. Allow easy automation by making the node svid always available as a selector.
Signed-off-by: Kevin Fox
---
 pkg/server/api/agent/v1/service.go | 15 +++++++++++++++
 pkg/server/api/agent/v1/service_test.go | 8 ++++++++
 2 files changed, 23 insertions(+)
diff --git a/pkg/server/api/agent/v1/service.go b/pkg/server/api/agent/v1/service.go
index 46896f3862..457562c008 100644
--- a/pkg/server/api/agent/v1/service.go
+++ b/pkg/server/api/agent/v1/service.go
@@ -5,6 +5,8 @@ import (
 "crypto/x509"
 "errors"
 "fmt"
+ "net/url"
+ "strings"
 "time"
 
 "github.com/andres-erbsen/clock"
@@ -654,6 +656,19 @@ func (s *Service) attestChallengeResponse(ctx context.Context, agentStream agent
 st := status.Convert(err)
 return nil, api.MakeErr(log, st.Code(), st.Message(), nil)
 }
+ if result.AgentID != "" {
+ parsedId, err := url.Parse(result.AgentID)
+ if err == nil {
+ path := parsedId.Path
+ trimmedPath := strings.TrimPrefix(path, "/")
+ if trimmedPath != "" {
+ result.Selectors = append(result.Selectors, &common.Selector{
+ Type: "spiffe",
+ Value: fmt.Sprintf("svid:%s", trimmedPath),
+ })
+ }
+ }
+ }
 return result, nil
 }
 
diff --git a/pkg/server/api/agent/v1/service_test.go b/pkg/server/api/agent/v1/service_test.go
index dac5ad6d20..1b39277674 100644
--- a/pkg/server/api/agent/v1/service_test.go
+++ b/pkg/server/api/agent/v1/service_test.go
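Review bot: The new `spiffe`/`svid:` selector is derived from `result.AgentID` with a lenient `url.Parse` before anything in this hunk has validated it as a SPIFFE ID, so an ID that is malformed, or that carries a different trust domain than the server's, still yields a normal-looking selector (only the path is used), and a parse failure is skipped silently with no log; whether the caller later rejects such IDs happens outside the hunk and cannot be confirmed here. Building the selector from `spiffeid.FromString` (the SPIFFE ID type the test file in this diff already uses) and `Path()` ties it to the same validated value the rest of attestation uses, turns the silent skip into an explicit error, and removes the need for the new `net/url` import. The `"spiffe"` type and `"svid:"` prefix are undocumented magic strings; a comment along the lines of `// Always expose the agent's SPIFFE ID path as a "spiffe" selector ("svid:<path>") so node aliases can match agents without attestor-specific selectors.` would record the intent stated in the commit message. If the url.Parse form is kept, `parsedId` should be `parsedID` per Go initialism convention and `"svid:" + trimmedPath` is preferable to `fmt.Sprintf`. The enclosing attestChallengeResponse starts outside the hunk.
```go
	if result.AgentID != "" {
		// Build the selector from a validated SPIFFE ID rather than a lenient URL
		// parse, so it always reflects the same value attestation itself uses.
		agentID, err := spiffeid.FromString(result.AgentID)
		if err != nil {
			return nil, api.MakeErr(log, codes.Internal, "invalid agent ID", err)
		}
		// Always expose the agent's SPIFFE ID path as a "spiffe" selector
		// ("svid:<path>") so node aliases can match agents without
		// attestor-specific selectors.
		if p := strings.TrimPrefix(agentID.Path(), "/"); p != "" {
			result.Selectors = append(result.Selectors, &common.Selector{
				Type:  "spiffe",
				Value: "svid:" + p,
			})
		}
	}
	return result, nil
```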
@@ -2604,6 +2604,7 @@ func TestAttestAgent(t *testing.T) {
 request: getAttestAgentRequest("test_type", []byte("payload_with_result"), testCsr),
 expectedID: spiffeid.RequireFromPath(td, "/spire/agent/test_type/id_with_result"),
 expectedSelectors: []*common.Selector{
+ {Type: "spiffe", Value: "svid:spire/agent/test_type/id_with_result"},
 {Type: "test_type", Value: "result"},
 },
 expectLogs: []spiretest.LogEntry{
@@ -2635,6 +2636,7 @@ func TestAttestAgent(t *testing.T) {
 request: getAttestAgentRequest("test_type", []byte("payload_with_result"), testCsr),
 expectedID: spiffeid.RequireFromPath(td, "/spire/agent/test_type/id_with_result"),
 expectedSelectors: []*common.Selector{
+ {Type: "spiffe", Value: "svid:spire/agent/test_type/id_with_result"},
 {Type: "test_type", Value: "result"},
 },
 expectLogs: []spiretest.LogEntry{
@@ -2684,6 +2686,7 @@ func TestAttestAgent(t *testing.T) {
 request: getAttestAgentRequest("test_type", []byte("payload_with_challenge"), testCsr),
 expectedID: spiffeid.RequireFromPath(td, "/spire/agent/test_type/id_with_challenge"),
 expectedSelectors: []*common.Selector{
+ {Type: "spiffe", Value: "svid:spire/agent/test_type/id_with_challenge"},
 {Type: "test_type", Value: "challenge"},
 },
 expectLogs: []spiretest.LogEntry{
@@ -2714,6 +2717,7 @@ func TestAttestAgent(t *testing.T) {
 request: getAttestAgentRequest("test_type", []byte("payload_attested_before"), testCsr),
 expectedID: spiffeid.RequireFromPath(td, "/spire/agent/test_type/id_attested_before"),
 expectedSelectors: []*common.Selector{
+ {Type: "spiffe", Value: "svid:spire/agent/test_type/id_attested_before"},
 {Type: "test_type", Value: "attested_before"},
 },
 expectLogs: []spiretest.LogEntry{
@@ -3063,6 +3067,9 @@ func TestAttestAgent(t *testing.T) {
 name: "nodeattestor returns ID outside of its namespace",
 request: getAttestAgentRequest("test_type", []byte("payload_return_id_outside_namespace"), testCsr),
 expectedID: spiffeid.RequireFromPath(td, "/id_outside_namespace"),
+ expectedSelectors: []*common.Selector{
+ {Type: "spiffe", Value: "svid:id_outside_namespace"},
+ },
 expectLogs: []spiretest.LogEntry{
 {
 Level: logrus.WarnLevel,
@@ -3099,6 +3106,7 @@ func TestAttestAgent(t *testing.T) {
 request: getAttestAgentRequest("test_type", []byte("payload_selector_dups"), testCsr),
 expectedID: spiffeid.RequireFromPath(td, "/spire/agent/test_type/id_selector_dups"),
 expectedSelectors: []*common.Selector{
+ {Type: "spiffe", Value: "svid:spire/agent/test_type/id_selector_dups"},
 {Type: "test_type", Value: "A"},
 {Type: "test_type", Value: "B"},
 {Type: "test_type", Value: "C"},
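Review bot: Every updated expectation in this diff (the hunks on this and the preceding line) covers only the path where the `spiffe` selector is appended; none of them returns an agent ID whose `url.Parse` fails or whose path is empty, so the `trimmedPath != ""` guard and the silent `err == nil` skip added in service.go are left untested. A table case that returns such an ID, with `expectedSelectors` containing no `{Type: "spiffe", ...}` entry, would pin that behavior, and would also document whether an unparsable ID is meant to be tolerated or rejected. The "ID outside of its namespace" case shows the selector is added even when the ID is flagged with a warning, which is worth a one-line comment on that case if intentional. The enclosing TestAttestAgent table extends beyond these hunks.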