Configurable data directory for SPIKE Nexus backing store (#232)

* Configurable data directory.

This will be useful to parallelize tests too.

Signed-off-by: Volkan Özçelik <[email protected]>

* Configurable data directory.

This will be useful to parallelize tests too.

Signed-off-by: Volkan Özçelik <[email protected]>

* WIP.

Signed-off-by: Volkan Özçelik <[email protected]>

* WIP.

Signed-off-by: Volkan Özçelik <[email protected]>

* WIP.

Signed-off-by: Volkan Özçelik <[email protected]>

* hopefully-working version.

will check tomorrow.

Signed-off-by: Volkan Özçelik <[email protected]>

* minor changes.

Signed-off-by: Volkan Özçelik <[email protected]>

* wip.

Signed-off-by: Volkan Özçelik <[email protected]>

* wip.

Signed-off-by: Volkan Özçelik <[email protected]>

* add docs.

Signed-off-by: Volkan Özçelik <[email protected]>

* env var const

Signed-off-by: Volkan Özçelik <[email protected]>

* wip

Signed-off-by: Volkan Özçelik <[email protected]>

* docs

Signed-off-by: Volkan Özçelik <[email protected]>

* fix failing test.

Signed-off-by: Volkan Özçelik <[email protected]>

---------

Signed-off-by: Volkan Özçelik <[email protected]>

Author: v0lkan

CLAUDE.md

@@ -53,17 +53,21 @@ missing environment variables that are not mentioned and suggest updates here.
 | SPIKE Nexus     | `SPIKE_NEXUS_SHAMIR_SHARES`             | The total number of shares used for secret sharding, this should be equal to the number of SPIKE Keepers too.                                       | `3`                                                                      |
 | SPIKE Nexus     | `SPIKE_NEXUS_SHAMIR_THRESHOLD`          | The minimum number of shares to be able to reconstruct the root key.                                                                                | `2`                                                                      |
 | SPIKE Nexus     | `SPIKE_NEXUS_KEEPER_UPDATE_INTERVAL`    | The duration between SPIKE Nexus updates SPIKE Keepers with the relevant shard information.                                                         | `5m`                                                                     |
+| SPIKE Nexus     | `SPIKE_NEXUS_DATA_DIR`                  | Custom data directory for SPIKE Nexus database storage. If not set, falls back to `~/.spike/data`.                                                  | `""` (uses `~/.spike/data`)                                              |
+| SPIKE Pilot     | `SPIKE_PILOT_RECOVERY_DIR`              | Custom recovery directory for SPIKE Pilot recovery shards. If not set, falls back to `~/.spike/recover`.                                            | `""` (uses `~/.spike/recover`)                                           |
 | SPIKE Pilot     | `SPIKE_PILOT_SHOW_MEMORY_WARNING`       | Whether to show a warning when the system cannot lock memory for security.                                                                          | `false`                                                                  |
 | All             | `SPIKE_SYSTEM_LOG_LEVEL`                | The log level for all SPIKE components (`"DEBUG"`, `"INFO"`, `"WARN"`, `"ERROR"`).                                                                  | `"WARN"`                                                                 |
 | All             | `SPIKE_NEXUS_API_URL`                   | The URL where SPIKE Nexus can be reached                                                                                                            | `"https://localhost:8553"`                                               |
 | All             | `SPIKE_TRUST_ROOT`                      | The SPIFFE trust root used within the SPIKE trust boundary. Can be a single entry, or a comma-delimited list of suitable trust roots.               | `"spike.ist"`                                                            |
 | All             | `SPIKE_TRUST_ROOT_KEEPER`               | The SPIFFE trust root used for SPIKE Keeper instances. Can be a single entry, or a comma-delimited list of suitable trust roots.                    | `"spike.ist"`                                                            |
 | All             | `SPIKE_TRUST_ROOT_PILOT`                | The SPIFFE trust root used for SPIKE Pilot instances. Can be a single entry, or a comma-delimited list of suitable trust roots.                     | `"spike.ist"`                                                            |
 | All             | `SPIKE_TRUST_ROOT_NEXUS`                | The SPIFFE trust root used for SPIKE Nexus instances. Can be a single entry, or a comma-delimited list of suitable trust roots.                     | `"spike.ist"`                                                            |
+| All             | `SPIKE_TRUST_ROOT_BOOTSTRAP`            | The SPIFFE trust root used for SPIKE Bootstrap. Can be a single entry, or a comma-delimited list of suitable trust roots.                           | `"spike.ist"`                                                            |
 | All             | `SPIKE_TRUST_ROOT_LITE_WORKLOAD`        | The SPIFFE trust root used for lite workload instances. Can be a single entry, or a comma-delimited list of suitable trust roots.                   | `"spike.ist"`                                                            |
 | All             | `SPIKE_BANNER_ENABLED`                  | Whether to display the SPIKE banner on startup. Set to `true` to enable.                                                                            | `true`                                                                   |
 | All             | `SPIFFE_ENDPOINT_SOCKET`                | The Unix domain socket path used for SPIFFE Workload API                                                                                            | `"unix:///tmp/spire-agent/public/api.sock"`                              |
 
+
 ### Error Handling Strategy
 - `panic()` for "should never happen" errors (testable)
 - `os.Exit(1)` should NEVER happen (panic instead; it is testable)

app/VERSION.txt

@@ -1 +1 @@
-0.5.1
+0.6.0

app/bootstrap/cmd/main.go

@@ -15,13 +15,13 @@ import (
 	"github.com/spiffe/spike-sdk-go/retry"
 	"github.com/spiffe/spike-sdk-go/spiffe"
 	svid "github.com/spiffe/spike-sdk-go/spiffeid"
-	"github.com/spiffe/spike/internal/config"
 
 	"github.com/spiffe/spike/app/bootstrap/internal/env"
 	"github.com/spiffe/spike/app/bootstrap/internal/lifecycle"
 	"github.com/spiffe/spike/app/bootstrap/internal/net"
 	"github.com/spiffe/spike/app/bootstrap/internal/state"
 	"github.com/spiffe/spike/app/bootstrap/internal/url"
+	"github.com/spiffe/spike/internal/config"
 )
 
 func main() {
@@ -62,7 +62,7 @@ func main() {
 		return
 	}
 
-	if !svid.IsBootstrap(env.TrustRoot(), sv.ID.String()) {
+	if !svid.IsBootstrap(sv.ID.String()) {
 		log.Log().Error(
 			"Authenticate: You need a 'bootstrap' SPIFFE ID to use this command.",
 		)

app/bootstrap/internal/env/env.go

@@ -132,43 +132,6 @@ func Keepers() map[string]string {
 	return peers
 }
 
-// TrustRootForKeeper returns the trust root domain(s) specifically for
-// SPIKE Keeper service.
-//
-// It retrieves the trust root from the SPIKE_TRUST_ROOT_KEEPER environment
-// variable. If the environment variable is not set, it returns the default
-// value "spike.ist". The return value can be a comma-delimited string of
-// multiple trust root domains.
-//
-// Returns:
-//   - A string containing one or more trust root domains for SPIKE Keeper,
-//     comma-delimited if multiple
-func TrustRootForKeeper() string {
-	tr := os.Getenv(env.TrustRootKeeper)
-	if tr == "" {
-		return "spike.ist"
-	}
-	return tr
-}
-
-// TrustRoot returns the trust root domain(s) for the application.
-//
-// It retrieves the trust root from the SPIKE_TRUST_ROOT environment variable.
-// If the environment variable is not set, it returns the default value
-// "spike.ist". The return value can be a comma-delimited string of multiple
-// trust root domains.
-//
-// Returns:
-//   - A string containing one or more trust root domains, comma-delimited if
-//     multiple
-func TrustRoot() string {
-	tr := os.Getenv(env.TrustRoot)
-	if tr == "" {
-		return "spike.ist"
-	}
-	return tr
-}
-
 // ConfigMapName returns the name of the ConfigMap used to store SPIKE
 // Bootstrap state information.
 //

app/bootstrap/internal/net/net.go

@@ -17,10 +17,9 @@ import (
 	"github.com/spiffe/spike-sdk-go/crypto"
 	"github.com/spiffe/spike-sdk-go/log"
 	network "github.com/spiffe/spike-sdk-go/net"
+	"github.com/spiffe/spike-sdk-go/predicate"
 	"github.com/spiffe/spike-sdk-go/spiffe"
-	"github.com/spiffe/spike-sdk-go/spiffeid"
 
-	"github.com/spiffe/spike/app/bootstrap/internal/env"
 	"github.com/spiffe/spike/internal/net"
 )
 
@@ -47,9 +46,7 @@ func Source() *workloadapi.X509Source {
 func MTLSClient(source *workloadapi.X509Source) *http.Client {
 	const fName = "MTLSClient"
 	client, err := network.CreateMTLSClientWithPredicate(
-		source, func(peerId string) bool {
-			return spiffeid.IsKeeper(env.TrustRootForKeeper(), peerId)
-		},
+		source, predicate.AllowKeeper,
 	)
 	if err != nil {
 		log.FatalLn(fName,

app/demo/cmd/main.go

@@ -11,13 +11,20 @@ import (
 )
 
 func main() {
+	fmt.Println("SPIKE Demo")
+
+	// Make sure you register the demo app SPIRE Server registration entry first:
+	// ./examples/consume-secrets/demo-register-entry.sh
+
 	// https://pkg.go.dev/github.com/spiffe/spike-sdk-go/api#New
 	api := spike.New() // Use the default Workload API Socket
 
+	fmt.Println("Connected to SPIKE Nexus.")
+
 	// https://pkg.go.dev/github.com/spiffe/spike-sdk-go/api#Close
 	defer api.Close() // Close the connection when done
 
-	path := "^tenants/demo/db/creds"
+	path := "tenants/demo/db/creds"
 
 	// Create a Secret
 	// https://pkg.go.dev/github.com/spiffe/spike-sdk-go/api#PutSecret

app/keeper/cmd/main.go

@@ -49,9 +49,10 @@ func main() {
 	defer spiffe.CloseSource(source)
 
 	// I should be a SPIKE Keeper.
-	if !spiffeid.IsKeeper(env.TrustRoot(), selfSPIFFEID) {
+	if !spiffeid.IsKeeper(selfSPIFFEID) {
 		log.FatalLn(appName, "message",
-			"Authenticate: SPIFFE ID %s is not valid.\n", selfSPIFFEID)
+			"Authenticate: SPIFFE ID is not valid",
+			"spiffeid", selfSPIFFEID)
 	}
 
 	log.Log().Info(

app/keeper/internal/env/spiffe.go

@@ -8,7 +8,7 @@ import (
 	"github.com/spiffe/go-spiffe/v2/workloadapi"
 	"github.com/spiffe/spike-sdk-go/log"
 	"github.com/spiffe/spike-sdk-go/net"
-	"github.com/spiffe/spike-sdk-go/spiffeid"
+	"github.com/spiffe/spike-sdk-go/predicate"
 
 	"github.com/spiffe/spike/app/keeper/internal/env"
 	http "github.com/spiffe/spike/app/keeper/internal/route/base"
@@ -33,10 +33,9 @@ func Serve(appName string, source *workloadapi.X509Source) {
 	if err := net.ServeWithPredicate(
 		source,
 		func() { routing.HandleRoute(http.Route) },
-		func(peerSpiffeId string) bool {
-			// Only SPIKE Nexus can talk to SPIKE Keeper:
-			return spiffeid.PeerCanTalkToKeeper(env.TrustRootForNexus(), peerSpiffeId)
-		},
+		// Security: Only SPIKE Nexus and SPIKE Bootstrap
+		// can talk to SPIKE Keepers.
+		predicate.AllowKeeperPeer,
 		env.TLSPort(),
 	); err != nil {
 		log.FatalF("%s: Failed to serve: %s\n", appName, err.Error())

app/keeper/internal/net/serve.go

@@ -9,6 +9,7 @@ import (
 	"crypto/fips140"
 	"fmt"
 
+	cfg "github.com/spiffe/spike-sdk-go/config/env"
 	"github.com/spiffe/spike-sdk-go/log"
 	"github.com/spiffe/spike-sdk-go/security/mem"
 	"github.com/spiffe/spike-sdk-go/spiffe"
@@ -43,9 +44,10 @@ func main() {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	log.Log().Info(appName, "message", "SPIFFE Trust Domain: "+env.TrustRoot())
+	log.Log().Info(appName,
+		"message", "SPIFFE Trust Domain: "+cfg.TrustRootVal(),
+	)
 
-	fmt.Println("before trying to get source...")
 	source, selfSPIFFEID, err := spiffe.Source(ctx, spiffe.EndpointSocket())
 	if err != nil {
 		log.FatalLn(appName, "message", "failed to get source", "err", err.Error())
@@ -54,11 +56,12 @@ func main() {
 
 	log.Log().Info(appName, "message", "self.spiffeid: "+selfSPIFFEID)
 
-	// I should be Nexus.
-	if !spiffeid.IsNexus(env.TrustRoot(), selfSPIFFEID) {
+	// I should be SPIKE Nexus.
+	if !spiffeid.IsNexus(selfSPIFFEID) {
 		log.FatalLn(appName,
 			"message",
-			"Authenticate: SPIFFE ID %s is not valid.\n", selfSPIFFEID)
+			"Authenticate: SPIFFE ID is not valid",
+			"spiffeid", selfSPIFFEID)
 	}
 
 	initialization.Initialize(source)