Sanity test mtls with spire agent (#120)

* feat: add mtls and spire support

Signed-off-by: Magyari Sandor Szilard <sancyx@gmail.com>

* feat: added tasks for deploying and removing spire  using helm

Signed-off-by: Magyari Sandor Szilard <sancyx@gmail.com>

* feat: add spire to mcp proxy

Signed-off-by: Magyari Sandor Szilard <sancyx@gmail.com>

* fix: enable mcp proxy only for base Slim test

Signed-off-by: Magyari Sandor Szilard <sancyx@gmail.com>

* fix: use latest sllim chart and images

Signed-off-by: Magyari Sandor Szilard <sancyx@gmail.com>

* feat: add possibility to run slim with spire test

Signed-off-by: Magyari Sandor Szilard <sancyx@gmail.com>

* fix: declare new params

Signed-off-by: Magyari Sandor Szilard <sancyx@gmail.com>

* fix: add missing param for spire test

Signed-off-by: Magyari Sandor Szilard <sancyx@gmail.com>

---------

Signed-off-by: Magyari Sandor Szilard <sancyx@gmail.com>
Co-authored-by: Laszlo Puskas <laszlo.puskas1@gmail.com>

Author: sancyx

.github/actions/deploy-components/action.yaml

@@ -17,6 +17,14 @@ inputs:
     description: 'Deploy slim to a kind cluster'
     required: false
     default: 'false'
+  slim-config:
+    description: 'Set slim configuration to deploy'
+    required: false
+    default: 'base'
+  deploy-spire:    
+    description: 'Deploy SPIRE to a kind cluster'
+    required: false
+    default: 'false'
   slim-image-tag:
     description: 'Set slim container image version'
     required: false
@@ -104,11 +112,18 @@ runs:
         task -d ./${{ inputs.checkout-path }} integrations:kind:create \
           KIND_CLUSTER_NAME=${{ inputs.kind-cluster-name }}
 
+    - name: Deploy SPIRE
+      if: ${{ inputs.deploy-spire != 'false' }}      
+      shell: bash
+      run: |
+        task -d ./${{ inputs.checkout-path }} integrations:slim:spire:deploy
+
     - name: Deploy Slim
       if: ${{ inputs.deploy-slim != 'false' }}
       shell: bash
       run: |
         task -d ./${{ inputs.checkout-path }} integrations:slim:test-env:deploy \
+          SLIM_CONFIG=${{ inputs.slim-config }} \
           SLIM_IMAGE_TAG=${{ inputs.slim-image-tag }} \
           SLIM_CHART_TAG=${{ inputs.slim-chart-tag }} \
           KIND_CLUSTER_NAME=${{ inputs.kind-cluster-name }} \

.github/workflows/test-integrations.yaml

@@ -39,6 +39,22 @@ on:
         required: false
         default: true
         type: boolean
+      skip_slim_spire_test:
+        description: 'Skip slim with SPIRE tests'
+        required: false
+        default: true
+        type: boolean
+      run_agentic_apps_test:
+        description: 'Run agentic apps tests'
+        required: false
+        default: false
+        type: boolean
+      run_wfsm_test:                
+        description: 'Run WFSM tests'
+        required: false
+        default: false
+        type: boolean
+
   schedule:
     - cron: "0 4 * * *"
 
@@ -62,7 +78,7 @@ jobs:
           echo "kind-version=$KIND_VERSION" >> "$GITHUB_OUTPUT"
 
   run-tests-slim:
-    if: ${{ inputs.skip_slim_test == false }}
+    if:  ${{ !inputs.skip_slim_test }}
     needs: [ set-kind-version ]
     runs-on: ubuntu-latest
 
@@ -99,6 +115,7 @@ jobs:
       - name: Deploy Slim
         uses: ./.github/actions/deploy-components
         with:
+          deploy-spire: 'true'
           deploy-slim: 'true'
           slim-image-tag: ${{ inputs.override_slim_image_tag }}
           slim-chart-tag: ${{ inputs.override_slim_chart_tag }}
@@ -123,8 +140,63 @@ jobs:
         run: task integrations:slim:test:mcp-server
         shell: bash
 
+  run-tests-slim-spire:
+    if: ${{ !inputs.skip_slim_spire_test }}
+    needs: [ set-kind-version ]
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+      packages: 'read'
+      attestations: 'read'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Environment
+        uses: ./.github/actions/setup-env
+        with:
+          python: true
+          go: false
+
+      - name: Setup K8S Tools
+        uses: ./.github/actions/setup-k8s
+        with:
+          kind-version: ${{ needs.set-kind-version.outputs.kind-version }}
+
+      - name: Deploy Slim with SPIRE
+        uses: ./.github/actions/deploy-components
+        with:
+          deploy-slim: 'true'
+          deploy-spire: 'true'
+          slim-config: 'spire'
+          slim-image-tag: ${{ inputs.override_slim_image_tag }}
+          slim-chart-tag: ${{ inputs.override_slim_chart_tag }}
+
+      - name: Run slim sanity tests (mtls with SPIRE)
+        env:
+          AZURE_OPENAI_ENDPOINT: ${{ vars.AZURE_OPENAI_ENDPOINT }}
+          AZURE_MODEL_VERSION: ${{ vars.AZURE_MODEL_VERSION }}
+          AZURE_DEPLOYMENT_NAME: ${{ vars.AZURE_DEPLOYMENT_NAME }}
+          AZURE_OPENAI_API_VERSION: ${{ vars.AZURE_OPENAI_API_VERSION }}
+          AZURE_OPENAI_API_KEY: ${{ secrets.AZURE_OPENAI_API_KEY }}
+          SLIM_CONFIG: 'spire'
+        run: task integrations:slim:test:sanity
+        shell: bash
+
   run-tests-directory:
-    if: ${{ inputs.skip_directory_test == false }}
+    if: ${{ !inputs.skip_directory_test }}
     needs: [ set-kind-version ]
     runs-on: ubuntu-latest
 
@@ -170,6 +242,7 @@ jobs:
         shell: bash
 
   run-agentic-apps:
+    if: ${{ inputs.run_agentic_apps_test }}
     runs-on: ubuntu-latest
 
     steps:
@@ -194,6 +267,7 @@ jobs:
         shell: bash
 
   run-tests-wfsm:
+    if: ${{ inputs.run_wfsm_test }}  
     needs: [ set-kind-version ]
     runs-on: ubuntu-latest
 

integrations/agntcy-slim/Taskfile.yml

@@ -13,12 +13,12 @@ vars:
   IMAGE_REPO: '{{ .IMAGE_REPO | default "ghcr.io/agntcy" }}'
   SLIM_IMAGE_TAG: '{{ .SLIM_IMAGE_TAG | default "0.3.15" }}'
   MCP_PROXY_IMAGE_TAG: '{{ .MCP_PROXY_IMAGE_TAG | default "0.1.5" }}'
-  SLIM_CHART_TAG: '{{ .SLIM_CHART_TAG | default "v0.1.7" }}'
+  SLIM_CHART_TAG: '{{ .SLIM_CHART_TAG | default "v0.1.8" }}'
   SLIM_CONFIG: '{{ .SLIM_CONFIG | default "base" }}'
 
   IMAGE_BAKE_OPTS: '{{ .IMAGE_BAKE_OPTS | default "--set *.platform=linux/arm64" }}'
-  LANGCHAIN_APP_TAG: '{{ .LANGCHAIN_APP_TAG | default "v0.0.10" }}'
-  AUTOGEN_APP_TAG: '{{ .AUTOGEN_APP_TAG | default "v0.0.10" }}'
+  LANGCHAIN_APP_TAG: '{{ .LANGCHAIN_APP_TAG | default "v0.0.12" }}'
+  AUTOGEN_APP_TAG: '{{ .AUTOGEN_APP_TAG | default "v0.0.12" }}'
 
   AZURE_OPENAI_API_KEY: '{{ .AZURE_OPENAI_API_KEY | default "" }}'
   AZURE_OPENAI_ENDPOINT: '{{ .AZURE_OPENAI_ENDPOINT | default "" }}'
@@ -32,6 +32,9 @@ vars:
 
   RUNNER_TYPE: '{{ .RUNNER_TYPE | default "docker" }}'
 
+  SPIRE_NAMESPACE: '{{ .SPIRE_NAMESPACE | default "spire-server" }}'
+
+
 tasks:
   k8s:port-forward:setup:
     internal: true
@@ -53,14 +56,13 @@ tasks:
           --version {{ .SLIM_CHART_TAG }} \
           --set slim.image.tag="{{ .SLIM_IMAGE_TAG }}" \
           --set mcpProxy.image.tag="{{ .MCP_PROXY_IMAGE_TAG }}" \
-          --set mcpProxy.enabled="{{ .MCP_PROXY_DEPLOY }}" \
           -f components/config/{{ .SLIM_CONFIG }}/server-config.yaml \
           --namespace {{ .HELM_NAMESPACE }} \
           --create-namespace \
           --install \
           --wait \
           --wait-for-jobs \
-          --timeout "15m"
+          --timeout "15m"                 
 
   test-env:cleanup:
     desc: Remove agent slim test env
@@ -92,6 +94,36 @@ tasks:
     cmds:
       - kubectl apply -f components/certificates
 
+  spire:deploy:
+    desc: Deploy SPIRE server
+    cmds:
+      - |
+        helm upgrade --install  \
+        spire-crds \
+        spire-crds \
+        --repo https://spiffe.github.io/helm-charts-hardened/ \
+        --namespace {{ .SPIRE_NAMESPACE }} \
+        --create-namespace \
+        --wait \
+        --wait-for-jobs \
+        --timeout "15m"
+      - |
+        helm upgrade --install  \
+        spire \
+        spire \
+        --repo https://spiffe.github.io/helm-charts-hardened/ \
+        --namespace {{ .SPIRE_NAMESPACE }} \
+        --create-namespace \
+        --wait \
+        --wait-for-jobs \
+        --timeout "15m"
+
+  spire:remove:
+    desc: Remove SPIRE server
+    cmds:
+        - helm delete spire -n {{ .SPIRE_NAMESPACE }}
+        - helm delete spire-crds -n {{ .SPIRE_NAMESPACE }}
+
   build:agentic-apps:
     desc: Build agentic containers
     dir: ./agentic-apps
@@ -101,7 +133,7 @@ tasks:
   test:sanity:
     desc: Sanity slim test
     cmds:
-      - NAMESPACE={{.HELM_NAMESPACE}} IMAGE_REPO={{.IMAGE_REPO}} LANGCHAIN_APP_TAG={{.LANGCHAIN_APP_TAG}} AUTOGEN_APP_TAG={{.AUTOGEN_APP_TAG}} go test ./tests -v -failfast -test.v -test.paniconexit0 -ginkgo.timeout 30m -timeout 30m -ginkgo.v -ginkgo.focus "Agntcy slim sanity test"
+      - SLIM_CONFIG={{ .SLIM_CONFIG }} NAMESPACE={{.HELM_NAMESPACE}} IMAGE_REPO={{.IMAGE_REPO}} LANGCHAIN_APP_TAG={{.LANGCHAIN_APP_TAG}} AUTOGEN_APP_TAG={{.AUTOGEN_APP_TAG}} go test ./tests -v -failfast -test.v -test.paniconexit0 -ginkgo.timeout 30m -timeout 30m -ginkgo.v -ginkgo.focus "Agntcy slim sanity test"
 
   test:mcp-server:
     desc: Test MCP over Slim

integrations/agntcy-slim/components/certificates/client-cert.yaml

@@ -15,6 +15,7 @@ spec:
     kind: ClusterIssuer
   commonName: "client.agntcy.org"
   dnsNames:
-    - client.agntcy.org
+    - agntcy-slim
+    - agntcy-slim.default.svc.cluster.local
   usages:
     - client auth

integrations/agntcy-slim/components/certificates/server-cert.yaml

@@ -15,6 +15,7 @@ spec:
     kind: ClusterIssuer
   commonName: "server.agntcy.org"
   dnsNames:
-    - server.agntcy.org
+    - agntcy-slim
+    - agntcy-slim.default.svc.cluster.local
   usages:
     - server auth

integrations/agntcy-slim/components/config/base/server-config.yaml

@@ -26,4 +26,7 @@ slim:
           server:
             endpoint: "0.0.0.0:46358"
             tls:
-              insecure: true
+              insecure: true
+
+mcpProxy:
+  enabled: true              

integrations/agntcy-slim/components/config/mtls/server-config.yaml

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 slim:
+
   config:
     tracing:
       log_level: debug
@@ -21,8 +22,7 @@ slim:
             tls:
               cert_file: "/etc/certs/tls.crt"
               key_file: "/etc/certs/tls.key"
-
-              client_ca_file: "/etc/certs/ca.crt"
+              ca_file: "/etc/certs/ca.crt"
 
           clients: []
 

integrations/agntcy-slim/components/config/spire/helper.conf

@@ -0,0 +1,15 @@
+agent_address =  "/run/spire/agent-sockets/api.sock"
+cmd = ""
+cmd_args = ""
+cert_dir = "/svids"
+renew_signal = ""
+svid_file_name = "tls.crt"
+svid_key_file_name = "tls.key"
+svid_bundle_file_name = "svid_bundle.pem"
+jwt_bundle_file_name = "cert.jwt"
+cert_file_mode = 0644
+key_file_mode = 0644
+jwt_svid_file_mode = 0644
+jwt_bundle_file_mode = 0644
+jwt_svids = [{jwt_audience="test", jwt_svid_file_name="jwt_svid.token"}]
+daemon_mode = false

integrations/agntcy-slim/components/config/spire/server-config.yaml

@@ -0,0 +1,43 @@
+# Copyright AGNTCY Contributors (https://github.com/agntcy)
+# SPDX-License-Identifier: Apache-2.0
+
+spire:
+  enabled: true
+
+slim:
+
+  config:
+    tracing:
+      log_level: debug
+      display_thread_names: true
+      display_thread_ids: true
+
+    runtime:
+      n_cores: 0
+      thread_name: "slim-data-plane"
+      drain_timeout: 10s
+
+    services:
+      slim/0:
+        pubsub:
+          servers:
+          - endpoint: "0.0.0.0:46357"
+            tls:
+              cert_file: "/svids/tls.crt"
+              key_file: "/svids/tls.key"
+              ca_file: "/svids/svid_bundle.pem"
+
+          clients: []
+
+mcpProxy:   
+  enabled: false       
+  config:
+    services:
+      slim/0:
+        pubsub:
+          clients:
+            - endpoint: "https://agntcy-slim:46357"              
+              tls:
+                cert_file: "/svids/tls.crt"
+                key_file: "/svids/tls.key"
+                ca_file: "/svids/svid_bundle.pem"