[WIP] Feat integrate spiffe

[TessaIO]

Resolves #1186

[netlify]

✅ Deploy Preview for kubernetes-sigs-nfd ready!

Name	Link
🔨 Latest commit	1be5343
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-nfd/deploys/67fb792baa4281000980d6df
😎 Deploy Preview	https://deploy-preview-1663--kubernetes-sigs-nfd.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[TessaIO]

/cc marquiz

[ArangoGutierrez]

Let's close #1434 ;)

[ArangoGutierrez]

Some first comments

[marquiz]

/milestone v0.17

[Copilot]

PR Overview

This PR integrates SPIFFE support to sign and verify NodeFeature objects, addressing issue #1186. Key changes include:

• Adding SPIFFE configuration options in the Helm chart and deployment templates.
• Implementing SPIFFE client logic and cryptographic signing/verification functions (with accompanying tests) in pkg/utils/spiffe.
• Updating nfd-worker and nfd-master to sign and verify NodeFeature objects based on SPIFFE.

Reviewed Changes

File	Description
deployment/helm/node-feature-discovery/values.yaml	Adds SPIFFE configuration options
pkg/utils/spiffe/spiffe.go	Implements SPIFFE signing and verification functions
pkg/utils/spiffe/spiffe_test.go	Provides tests for the SPIFFE implementation
docs/reference/*	Updates command line references to include SPIFFE flags
pkg/nfd-worker/nfd-worker.go	Integrates SPIFFE signing into the worker’s CRD creation/update
pkg/nfd-master/nfd-master.go	Integrates SPIFFE verification in node feature reconciliation
cmd/nfd-worker/main.go & cmd/nfd-master/main.go	Adds CLI flags for enabling SPIFFE

Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.

[TessaIO]

@ArangoGutierrez @marquiz any other comments about implementation? (I will start working on docs once we agree on the implementation)

[marquiz]

any other comments about implementation? (I will start working on docs once we agree on the implementation)

Thank you @TessaIO for the update. The implementation generally looks feasible to me.

The only problem I see, found in my testing, is that now the NF object changes every 60s (or whatever the worker sleepInterval is set to). The data hash does not change but the signature changes -> NF is updated -> trickles down to nfd-master getting update from every node every 60s.

I think this needs to be solved. We should cache the hash (and the signature?) in nfd-worker and not re-sign if it hasn't changed, with forced re-signing every 24 hours or smth. We could also address this in a separate PR.

Any thoughts or comments @TessaIO @ArangoGutierrez?

[marquiz]

With the caching I started to think that the signing certificates have a TTL, and thus the signature also becomes expired at some point, right(?) What is the default ttl?

I started to wonder that it might be necessary for the nfd-worker to also (every time) validate that the signature is still valid. If not -> re-sign the data.

Comments?

[TessaIO]

Yes, that's a good point. I was able to reproduce it by reducing the TTL to 1m, and I found that the master wasn't able to verify the signature. I think it's necessary to pass the TTL to the worker so that each time it invalidates the cache, it re-signs again.

[marquiz]

Sorry, I need come take back my earlier comment about the mounts 🤦‍♂️ If the spire-agent pod is deleted and re-created (for whatever reason) the nfd pods will permanently lose the spire sock (as the underlying socket changes), if I'm not mistaken. Thus a possible fix would be (and ditto nfd-worker).

            path: /run/spire/agent-sockets
            type: Directory

Thoughts?

[TessaIO]

Good point. api.sock is a symlink to spire-agent.sock, so if spire-agent gets restarted or re-created we still have a symlink to the same file name that I think kubelet updates that periodically, right?

[marquiz]

We'd still need to check the hash too, right? Only return the cached signature if the cached hash matches.

[Copilot]

Copilot reviewed 16 out of 17 changed files in this pull request and generated 1 comment.

Files not reviewed (1)

• go.mod: Language not supported

[Copilot]

Global caching variables (latestSignature and latestHash) are used in SignData without any synchronization mechanism, which can cause race conditions in concurrent scenarios. Consider protecting these variables with a mutex to guarantee thread safety.