Add SPIRE-backed Prometheus TLS identity and SPIFFE allowlist

(cherry picked from commit 2ec839e)
Signed-off-by: aviralgarg05 <gargaviral99@gmail.com>

Author: aviralgarg05

conf/agent/agent_full.conf

@@ -526,9 +526,29 @@ plugins {
 
 #         # optional TLS configuration for Prometheus exporter.
 #         tls {
+#             # use_spire_svid: Use the current SPIRE SVID for the Prometheus
+#             # endpoint instead of cert_file/key_file.
+#             # use_spire_svid = false
+#
+#             # authorized_spiffe_ids: Optional list of SPIFFE IDs allowed to
+#             # connect to the Prometheus endpoint. Cannot be used with
+#             # client_ca_file.
+#             # authorized_spiffe_ids = ["spiffe://example.org/monitoring/prometheus"]
+#
+#             # cert_file: Path to the PEM-encoded certificate to serve from
+#             # the Prometheus endpoint. Must be set with key_file unless
+#             # use_spire_svid is enabled.
 #             cert_file = "/path/to/cert.pem"
+#
+#             # key_file: Path to the PEM-encoded private key to serve from the
+#             # Prometheus endpoint. Must be set with cert_file unless
+#             # use_spire_svid is enabled.
 #             key_file = "/path/to/key.pem"
-#             client_ca_file = "/path/to/ca.pem" # optional CA file for mTLS
+#
+#             # client_ca_file: Optional PEM-encoded CA bundle used to verify
+#             # Prometheus clients for mTLS. Cannot be used with
+#             # authorized_spiffe_ids.
+#             client_ca_file = "/path/to/ca.pem"
 #         }
 #     }
 

conf/server/server_full.conf

@@ -1001,9 +1001,29 @@ plugins {
 
 #         # optional TLS configuration for Prometheus exporter.
 #         tls {
+#             # use_spire_svid: Use the current SPIRE SVID for the Prometheus
+#             # endpoint instead of cert_file/key_file.
+#             # use_spire_svid = false
+#
+#             # authorized_spiffe_ids: Optional list of SPIFFE IDs allowed to
+#             # connect to the Prometheus endpoint. Cannot be used with
+#             # client_ca_file.
+#             # authorized_spiffe_ids = ["spiffe://example.org/monitoring/prometheus"]
+#
+#             # cert_file: Path to the PEM-encoded certificate to serve from
+#             # the Prometheus endpoint. Must be set with key_file unless
+#             # use_spire_svid is enabled.
 #             cert_file = "/path/to/cert.pem"
+#
+#             # key_file: Path to the PEM-encoded private key to serve from the
+#             # Prometheus endpoint. Must be set with cert_file unless
+#             # use_spire_svid is enabled.
 #             key_file = "/path/to/key.pem"
-#             client_ca_file = "/path/to/ca.pem" # optional CA file for mTLS
+#
+#             # client_ca_file: Optional PEM-encoded CA bundle used to verify
+#             # Prometheus clients for mTLS. Cannot be used with
+#             # authorized_spiffe_ids.
+#             client_ca_file = "/path/to/ca.pem"
 #         }
 #     }
 

doc/spire_agent.md

@@ -381,11 +381,17 @@ agent {
 telemetry {
     Prometheus {
         port = 1234
-        #optional TLS for prometheus
+        # optional TLS for prometheus
         tls {
-            cert_file = "/path/to/cert.pem"
-            key_file = "/path/to/key.pem"
-            client_ca_file = "/path/to/ca.pem" # optional CA file for mTLS
+            use_spire_svid = true
+            authorized_spiffe_ids = [
+                "spiffe://example.org/monitoring/prometheus",
+            ]
+
+            # Alternatively, configure a web certificate directly:
+            # cert_file = "/path/to/cert.pem"
+            # key_file = "/path/to/key.pem"
+            # client_ca_file = "/path/to/ca.pem"
         }
     }
 }

doc/spire_server.md

@@ -821,11 +821,17 @@ server {
 telemetry {
     Prometheus {
         port = 1234
-        #optional TLS for prometheus
+        # optional TLS for prometheus
         tls {
-            cert_file = "/path/to/cert.pem"
-            key_file = "/path/to/key.pem"
-            client_ca_file = "/path/to/ca.pem" # optional CA file for mTLS
+            use_spire_svid = true
+            authorized_spiffe_ids = [
+                "spiffe://example.org/monitoring/prometheus",
+            ]
+
+            # Alternatively, configure a web certificate directly:
+            # cert_file = "/path/to/cert.pem"
+            # key_file = "/path/to/key.pem"
+            # client_ca_file = "/path/to/ca.pem"
         }
     }
 }

doc/telemetry/telemetry_config.md

@@ -38,6 +38,17 @@ You may use all, some, or none of the collectors. The following collectors suppo
 |---------------|----------|------------------------------------|
 | `host`        | `string` | Prometheus exporter listen address |
 | `port`        | `int`    | Prometheus exporter listen port    |
+| `tls`         | `object` | TLS configuration for the Prometheus exporter |
+
+#### `Prometheus.tls`
+
+| Configuration | Type | Description |
+|---------------|------|-------------|
+| `cert_file` | `string` | Path to the PEM-encoded certificate for the Prometheus exporter. Must be set with `key_file` unless `use_spire_svid` is enabled |
+| `key_file` | `string` | Path to the PEM-encoded private key for the Prometheus exporter. Must be set with `cert_file` unless `use_spire_svid` is enabled |
+| `client_ca_file` | `string` | Optional path to the PEM-encoded CA bundle used to verify client certificates for mTLS. Cannot be combined with `authorized_spiffe_ids` |
+| `use_spire_svid` | `bool` | When `true`, serve the Prometheus endpoint with the current SPIRE SVID instead of `cert_file` and `key_file` |
+| `authorized_spiffe_ids` | `list(string)` | Optional list of SPIFFE IDs allowed to connect to the Prometheus endpoint. Requires SPIRE trust bundles and cannot be combined with `client_ca_file` |
 
 ### `DogStatsd`
 
@@ -64,11 +75,17 @@ Here is a sample configuration:
 telemetry {
         Prometheus {
             port = 9988
-            #optional TLS for prometheus
+            # optional TLS for prometheus
             tls {
-                cert_file = "/path/to/cert.pem"
-                key_file = "/path/to/key.pem"
-                client_ca_file = "/path/to/ca.pem" # optional CA file for mTLS
+                use_spire_svid = true
+                authorized_spiffe_ids = [
+                    "spiffe://example.org/monitoring/prometheus",
+                ]
+
+                # Alternatively, configure a web certificate directly:
+                # cert_file = "/path/to/cert.pem"
+                # key_file = "/path/to/key.pem"
+                # client_ca_file = "/path/to/ca.pem" # optional CA file for mTLS
             }
         }
 

pkg/agent/agent.go

@@ -13,6 +13,8 @@ import (
 
 	"github.com/andres-erbsen/clock"
 	"github.com/sirupsen/logrus"
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
+	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
 	"github.com/spiffe/go-spiffe/v2/workloadapi"
 	admin_api "github.com/spiffe/spire/pkg/agent/api"
 	node_attestor "github.com/spiffe/spire/pkg/agent/attestor/node"
@@ -79,11 +81,45 @@ func (a *Agent) Run(ctx context.Context) error {
 		defer stopProfiling()
 	}
 
+	var mgr manager.Manager
 	metrics, err := telemetry.NewMetrics(&telemetry.MetricsConfig{
 		FileConfig:  a.c.Telemetry,
 		Logger:      a.c.Log.WithField(telemetry.SubsystemName, telemetry.Telemetry),
 		ServiceName: telemetry.SpireAgent,
 		TrustDomain: a.c.TrustDomain.Name(),
+		GetX509SVID: func() (*x509svid.SVID, error) {
+			if mgr == nil {
+				return nil, errors.New("agent manager is not initialized")
+			}
+
+			credentials := mgr.GetCurrentCredentials()
+			if len(credentials.SVID) == 0 {
+				return nil, errors.New("no certificates found")
+			}
+
+			id, err := x509svid.IDFromCert(credentials.SVID[0])
+			if err != nil {
+				return nil, err
+			}
+
+			return &x509svid.SVID{
+				ID:           id,
+				Certificates: credentials.SVID,
+				PrivateKey:   credentials.Key,
+			}, nil
+		},
+		GetX509BundleAuthorities: func(td spiffeid.TrustDomain) ([]*x509.Certificate, error) {
+			if mgr == nil {
+				return nil, errors.New("agent manager is not initialized")
+			}
+
+			bundle := mgr.GetBundles()[td]
+			if bundle == nil {
+				return nil, fmt.Errorf("no bundle found for trust domain %q", td)
+			}
+
+			return bundle.X509Authorities(), nil
+		},
 	})
 	if err != nil {
 		return err
@@ -108,8 +144,6 @@ func (a *Agent) Run(ctx context.Context) error {
 	}
 
 	taskRunner := util.NewTaskRunner(ctx, cancel)
-	taskRunner.StartTasks(metrics.ListenAndServe)
-
 	nodeAttestor := nodeattestor.JoinToken(a.c.Log, a.c.JoinToken)
 	if a.c.JoinToken == "" {
 		nodeAttestor = cat.GetNodeAttestor()
@@ -226,7 +260,7 @@ func (a *Agent) Run(ctx context.Context) error {
 
 	svidStoreCache := a.newSVIDStoreCache(metrics)
 
-	manager, err := a.newManager(ctx, sto, cat, metrics, as, svidStoreCache, nodeAttestor)
+	mgr, err = a.newManager(ctx, sto, cat, metrics, as, svidStoreCache, nodeAttestor)
 	if err != nil {
 		return err
 	}
@@ -238,21 +272,22 @@ func (a *Agent) Run(ctx context.Context) error {
 		Metrics: metrics,
 	})
 
-	agentEndpoints := a.newEndpoints(metrics, manager, workloadAttestor)
+	agentEndpoints := a.newEndpoints(metrics, mgr, workloadAttestor)
 	go func() {
 		agentEndpoints.WaitForListening(readyForHealthChecks)
 		a.started = true
 	}()
 
 	tasks := []func(context.Context) error{
-		manager.Run,
+		metrics.ListenAndServe,
+		mgr.Run,
 		storeService.Run,
 		agentEndpoints.ListenAndServe,
 		catalog.ReconfigureTask(a.c.Log.WithField(telemetry.SubsystemName, "reconfigurer"), cat),
 	}
 
 	if a.c.AdminBindAddress != nil {
-		adminEndpoints := a.newAdminEndpoints(metrics, manager, workloadAttestor, a.c.AuthorizedDelegates)
+		adminEndpoints := a.newAdminEndpoints(metrics, mgr, workloadAttestor, a.c.AuthorizedDelegates)
 		tasks = append(tasks, adminEndpoints.ListenAndServe)
 	}
 

pkg/agent/manager/manager.go

@@ -94,6 +94,9 @@ type Manager interface {
 
 	// GetBundle get latest cached bundle
 	GetBundle() *cache.Bundle
+
+	// GetBundles gets the latest cached bundles for all trust domains.
+	GetBundles() map[spiffeid.TrustDomain]*cache.Bundle
 }
 
 // Cache stores each registration entry, signed X509-SVIDs for those entries,
@@ -104,6 +107,9 @@ type Cache interface {
 	// Bundle gets latest cached bundle
 	Bundle() *spiffebundle.Bundle
 
+	// Bundles gets the latest cached bundles for all trust domains.
+	Bundles() map[spiffeid.TrustDomain]*spiffebundle.Bundle
+
 	// SyncSVIDsWithSubscribers syncs SVID cache
 	SyncSVIDsWithSubscribers()
 
@@ -430,6 +436,13 @@ func (m *manager) GetBundle() *cache.Bundle {
 	return m.cache.Bundle()
 }
 
+func (m *manager) GetBundles() map[spiffeid.TrustDomain]*cache.Bundle {
+	m.mtx.RLock()
+	defer m.mtx.RUnlock()
+
+	return m.cache.Bundles()
+}
+
 func (m *manager) runSVIDObserver(ctx context.Context) error {
 	svidStream := m.SubscribeToSVIDChanges()
 	for {

pkg/common/telemetry/config.go

@@ -1,16 +1,22 @@
 package telemetry
 
 import (
+	"crypto/x509"
+
 	"github.com/hashicorp/hcl/hcl/token"
 	"github.com/sirupsen/logrus"
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
+	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
 )
 
 type MetricsConfig struct {
-	FileConfig  FileConfig
-	Logger      logrus.FieldLogger
-	ServiceName string
-	Sinks       []Sink
-	TrustDomain string
+	FileConfig               FileConfig
+	Logger                   logrus.FieldLogger
+	ServiceName              string
+	Sinks                    []Sink
+	TrustDomain              string
+	GetX509SVID              func() (*x509svid.SVID, error)
+	GetX509BundleAuthorities func(spiffeid.TrustDomain) ([]*x509.Certificate, error)
 }
 
 type FileConfig struct {
@@ -44,9 +50,11 @@ type PrometheusConfig struct {
 }
 
 type TLSConfig struct {
-	CertFile     string `hcl:"cert_file"`
-	KeyFile      string `hcl:"key_file"`
-	ClientCAFile string `hcl:"client_ca_file"` // optional
+	CertFile            string   `hcl:"cert_file"`
+	KeyFile             string   `hcl:"key_file"`
+	ClientCAFile        string   `hcl:"client_ca_file"` // optional
+	UseSPIRESVID        bool     `hcl:"use_spire_svid"`
+	AuthorizedSPIFFEIDs []string `hcl:"authorized_spiffe_ids"`
 }
 
 type StatsdConfig struct {