From 3c5c3f46dd6a9b12907bfd7cfd477361469a92ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Mon, 11 Mar 2024 16:52:14 -0300 Subject: [PATCH 01/27] Fix Dockerfile to have the proper permissions in directories MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- Dockerfile | 56 +++++++++++++++++++++++++++++------------------------- 1 file changed, 30 insertions(+), 26 deletions(-) diff --git a/Dockerfile b/Dockerfile index 972b628412..a607cc9716 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -23,37 +23,31 @@ ARG TARGETPLATFORM ARG TARGETARCH COPY --link --from=xx / / -# For users that wish to run SPIRE containers as a non-root user, -# provide a default unprivileged user such that the default paths -# that SPIRE will try to read from, write to, and create at runtime -# can be given the correct file ownership/permissions at build time. -ARG spireuid=1000 -ARG spiregid=1000 - # Set up directories that SPIRE expects by default # Set up base directories -RUN install -d -o root -g root -m 777 /spireroot -RUN install -d -o root -g root -m 755 /spireroot/etc/ssl/certs -RUN install -d -o root -g root -m 755 /spireroot/run -RUN install -d -o root -g root -m 755 /spireroot/var/lib -RUN install -d -o root -g root -m 1777 /spireroot/tmp +RUN install -d /spireroot +RUN install -d /spireroot/etc/ssl/certs +RUN install -d /spireroot/run +RUN install -d /spireroot/var/lib +RUN install -d /spireroot/tmp # Set up directories used by SPIRE -RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireroot/etc/spire -RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireroot/run/spire -RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireroot/var/lib/spire +RUN install -d /spireroot/opt/spire +RUN install -d /spireroot/etc/spire +RUN install -d /spireroot/run/spire +RUN install -d /spireroot/var/lib/spire # Set up spire-server directories RUN cp -r /spireroot /spireserverroot -RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireserverroot/etc/spire/server -RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireserverroot/run/spire/server/private -RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireserverroot/var/lib/spire/server +RUN install -d /spireserverroot/etc/spire/server +RUN install -d /spireserverroot/run/spire/server/private +RUN install -d /spireserverroot/var/lib/spire/server # Set up spire-agent directories RUN cp -r /spireroot /spireagentroot -RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireagentroot/etc/spire/agent -RUN 
install -d -o ${spireuid} -g ${spiregid} -m 755 /spireagentroot/run/spire/agent/public -RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireagentroot/var/lib/spire/agent +RUN install -d /spireagentroot/etc/spire/agent +RUN install -d /spireagentroot/run/spire/agent/public +RUN install -d /spireagentroot/var/lib/spire/agent RUN xx-go --wrap RUN set -e ; xx-apk --no-cache --update add build-base musl-dev libseccomp-dev 
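Review bot: The per-directory modes that these `install -d` lines used to set (notably `-m 1777` on `/spireroot/tmp`) no longer reach the final image, because the second hunk copies the whole tree with `--chown=${spireuid}:${spiregid} --chmod=755`, and `--chmod` applies one mode to every copied file and directory; the `install -d` default of 0755 here is effectively a placeholder. Losing the sticky bit on /tmp is harmless in a single-user image, but it is a silent change from the old layout and worth recording, e.g. `# Modes/ownership are set by COPY --chown/--chmod in the final stages; the 0755 default of install -d is not what ships.` above the first `RUN install -d`. If `/spireroot/tmp` is meant to keep `1777`, the mode has to be restored after the COPY or that directory copied without `--chmod`.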
@@ -71,20 +65,30 @@ COPY --link --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ # SPIRE Server FROM spire-base AS spire-server +# For users that wish to run SPIRE containers as a non-root user, +# provide a default unprivileged user such that the default paths +# that SPIRE will try to read from, write to, and create at runtime +# can be given the correct file ownership/permissions at build time. +ARG spireuid=1000 +ARG spiregid=1000 USER ${spireuid}:${spiregid} ENTRYPOINT ["/opt/spire/bin/spire-server", "run"] -COPY --link --from=builder /spireserverroot / -COPY --link --from=builder /spire/bin/static/spire-server bin/ +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spireserverroot / +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-server bin/ # SPIRE Agent FROM spire-base AS spire-agent +ARG spireuid=1000 +ARG spiregid=1000 USER ${spireuid}:${spiregid} ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"] -COPY --link --from=builder /spireagentroot / -COPY --link --from=builder /spire/bin/static/spire-agent bin/ +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spireagentroot / +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-agent bin/ # OIDC Discovery Provider FROM spire-base AS oidc-discovery-provider +ARG spireuid=1000 +ARG spiregid=1000 USER ${spireuid}:${spiregid} ENTRYPOINT ["/opt/spire/bin/oidc-discovery-provider"] -COPY --link --from=builder /spire/bin/static/oidc-discovery-provider bin/ +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/oidc-discovery-provider bin/ From 6a53fdb917594a8709e9784c5ba427c2bc659b48 Mon Sep 17 00:00:00 2001 
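Review bot: `COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spireserverroot /` (and the agent-stage equivalent) hands ownership of the entire root tree — `/etc/ssl/certs`, `/run`, `/var/lib`, `/tmp` — to the unprivileged runtime user, whereas the removed `install -o ${spireuid}` lines targeted only the SPIRE-specific directories. A process running as that user can then add or replace entries under `/etc/ssl/certs`, which gives away part of what running unprivileged was meant to protect. Plain `COPY` resets ownership to root regardless of the source stage (presumably why the old `-o`/`-g` flags had no visible effect), so the fix can keep the base tree root-owned and apply `--chown` only to the SPIRE paths; the agent stage needs the same split, and if `/tmp` must stay writable by the runtime user its mode should be set in the builder stage, since a plain COPY keeps mode bits but not ownership.
```dockerfile
# Base tree (etc/ssl/certs, run, var/lib, tmp) stays root-owned; only SPIRE paths are owned by the runtime user.
COPY --link --from=builder /spireserverroot /
COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spireserverroot/etc/spire /etc/spire
COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spireserverroot/run/spire /run/spire
COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spireserverroot/var/lib/spire /var/lib/spire
COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-server bin/
```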
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Tue, 12 Mar 2024 20:16:49 -0300 Subject: [PATCH 02/27] Use user 1000 instead of 1001 in integration tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- test/integration/setup/adminclient/client.go | 6 +++--- .../admin-endpoints/05-create-registration-entries | 2 +- .../suites/admin-endpoints/06-test-endpoints | 2 +- .../debug-endpoints/04-create-registration-entries | 2 +- .../suites/debug-endpoints/05-test-endpoints | 2 +- .../delegatedidentity/04-create-registration-entries | 2 +- .../suites/delegatedidentity/05-test-endpoints | 2 +- .../suites/downstream-endpoints/04-create-entries | 2 +- .../suites/downstream-endpoints/05-test-endpoints | 2 +- .../fetch-x509-svids/04-create-registration-entries | 4 ++-- .../suites/fetch-x509-svids/05-fetch-x509-svids | 6 +++--- .../suites/fetch-x509-svids/07-fetch-x509-svids | 6 +++--- .../suites/nested-rotation/09-create-workload-entries | 8 ++++---- test/integration/suites/nested-rotation/10-check-svids | 8 ++++---- test/integration/suites/node-attestation/00-setup | 2 +- .../suites/node-attestation/03-test-node-attestation | 10 +++++----- .../node-attestation/04-test-x509pop-attestation | 4 ++-- test/integration/suites/svidstore/common | 4 ++-- 18 files changed, 37 insertions(+), 37 deletions(-) diff --git a/test/integration/setup/adminclient/client.go b/test/integration/setup/adminclient/client.go index 09f35b445b..9fb81b226c 100644 --- a/test/integration/setup/adminclient/client.go +++ b/test/integration/setup/adminclient/client.go @@ -487,7 +487,7 @@ func batchCreateEntry(ctx context.Context, c *itclient.Client) error { Selectors: []*types.Selector{ { Type: "unix", - Value: "uid:1001", + Value: "uid:1000", }, }, } 
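Review bot: Changing the test workload selector to `uid:1000` makes it the same uid the images now run SPIRE itself as (`ARG spireuid=1000` / `USER ${spireuid}:${spiregid}` in PATCH 01/27), so in these suites the agent process and the attested workload presumably share an identity and a `unix:uid` selector can no longer distinguish them, which weakens what the admin, debug and delegated-identity suites show about per-uid authorization. The same substitution is made in the shell suites that follow (admin-endpoints, debug-endpoints, delegatedidentity, downstream-endpoints, fetch-x509-svids, nested-rotation, node-attestation, svidstore). PATCH 08/27 later in the series reverts all of these back to 1001; if the revert stands, dropping both commits from the series would keep the history bisectable. batchCreateEntry continues outside the hunk.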
@@ -583,7 +583,7 @@ func getEntry(ctx context.Context, c *itclient.Client) error { Selectors: []*types.Selector{ { Type: "unix", - Value: "uid:1001", + Value: "uid:1000", }, }, } @@ -620,7 +620,7 @@ func batchUpdateEntry(ctx context.Context, c *itclient.Client) error { Selectors: []*types.Selector{ { Type: "unix", - Value: "uid:1001", + Value: "uid:1000", }, { Type: "unix", diff --git a/test/integration/suites/admin-endpoints/05-create-registration-entries b/test/integration/suites/admin-endpoints/05-create-registration-entries index 62115bc0ba..e6da526b91 100755 --- a/test/integration/suites/admin-endpoints/05-create-registration-entries +++ b/test/integration/suites/admin-endpoints/05-create-registration-entries @@ -5,7 +5,7 @@ docker-compose exec -T spire-server-a \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain-a.test/spire/agent/x509pop/$(fingerprint conf/domain-a/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain-a.test/admin" \ - -selector "unix:uid:1001" \ + -selector "unix:uid:1000" \ -admin \ -ttl 0 check-synced-entry "spire-agent-a" "spiffe://domain-a.test/admin" diff --git a/test/integration/suites/admin-endpoints/06-test-endpoints b/test/integration/suites/admin-endpoints/06-test-endpoints index 9c64362f0f..c821a55dc9 100755 --- a/test/integration/suites/admin-endpoints/06-test-endpoints +++ b/test/integration/suites/admin-endpoints/06-test-endpoints @@ -1,7 +1,7 @@ #!/bin/bash log-debug "test admin workload..." -docker-compose exec -u 1001 -T spire-agent-a \ +docker-compose exec -u 1000 -T spire-agent-a \ /opt/spire/conf/agent/adminclient -trustDomain domain-a.test -serverAddr spire-server-a:8081 || fail-now "failed to check admin endpoints" log-debug "test foreign admin workload..." diff --git a/test/integration/suites/debug-endpoints/04-create-registration-entries b/test/integration/suites/debug-endpoints/04-create-registration-entries index 6eed24af31..99d2bc7e54 100755 
--- a/test/integration/suites/debug-endpoints/04-create-registration-entries +++ b/test/integration/suites/debug-endpoints/04-create-registration-entries @@ -5,7 +5,7 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/admin" \ - -selector "unix:uid:1001" \ + -selector "unix:uid:1000" \ -admin \ -ttl 0 check-synced-entry "spire-agent" "spiffe://domain.test/admin" diff --git a/test/integration/suites/debug-endpoints/05-test-endpoints b/test/integration/suites/debug-endpoints/05-test-endpoints index ac4a6c25c1..b610e4d582 100755 --- a/test/integration/suites/debug-endpoints/05-test-endpoints +++ b/test/integration/suites/debug-endpoints/05-test-endpoints @@ -15,7 +15,7 @@ for ((i=1; i<=MAXCHECKS;i++)); do done # Verify server TCP server does not implements Debug endpoint -docker-compose exec -u 1001 -T spire-agent \ +docker-compose exec -u 1000 -T spire-agent \ /opt/spire/conf/agent/debugclient -testCase "serverWithWorkload" || fail-now "failed to check server debug endpoints using admin workload" docker-compose exec -u 1002 -T spire-agent \ diff --git a/test/integration/suites/delegatedidentity/04-create-registration-entries b/test/integration/suites/delegatedidentity/04-create-registration-entries index d21a2505a3..9066954d7d 100755 --- a/test/integration/suites/delegatedidentity/04-create-registration-entries +++ b/test/integration/suites/delegatedidentity/04-create-registration-entries @@ -5,7 +5,7 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/authorized_delegate" \ - -selector "unix:uid:1001" \ + -selector "unix:uid:1000" \ -ttl 0 check-synced-entry "spire-agent" "spiffe://domain.test/authorized_delegate" 
diff --git a/test/integration/suites/delegatedidentity/05-test-endpoints b/test/integration/suites/delegatedidentity/05-test-endpoints index 78f3011028..413f88e621 100755 --- a/test/integration/suites/delegatedidentity/05-test-endpoints +++ b/test/integration/suites/delegatedidentity/05-test-endpoints @@ -1,7 +1,7 @@ #!/bin/bash log-info "Test Delegated Identity API (for success)" -docker-compose exec -u 1001 -T spire-agent \ +docker-compose exec -u 1000 -T spire-agent \ /opt/spire/conf/agent/delegatedidentityclient -expectedID spiffe://domain.test/workload || fail-now "Failed to check Delegated Identity API" log-info "Test Delegated Identity API (expecting permission denied)" diff --git a/test/integration/suites/downstream-endpoints/04-create-entries b/test/integration/suites/downstream-endpoints/04-create-entries index 470658106b..f603e90778 100755 --- a/test/integration/suites/downstream-endpoints/04-create-entries +++ b/test/integration/suites/downstream-endpoints/04-create-entries @@ -5,7 +5,7 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/downstream" \ - -selector "unix:uid:1001" \ + -selector "unix:uid:1000" \ -downstream \ -ttl 0 check-synced-entry "spire-agent" "spiffe://domain.test/downstream" diff --git a/test/integration/suites/downstream-endpoints/05-test-endpoints b/test/integration/suites/downstream-endpoints/05-test-endpoints index ac67cc48e6..ecc3523215 100755 --- a/test/integration/suites/downstream-endpoints/05-test-endpoints +++ b/test/integration/suites/downstream-endpoints/05-test-endpoints @@ -1,7 +1,7 @@ #!/bin/bash log-debug "test downstream workload..." -docker-compose exec -u 1001 -T spire-agent \ +docker-compose exec -u 1000 -T spire-agent \ /opt/spire/conf/agent/downstreamclient || fail-now "failed to check downstream endpoints" log-debug "Test regular workload..." 
diff --git a/test/integration/suites/fetch-x509-svids/04-create-registration-entries b/test/integration/suites/fetch-x509-svids/04-create-registration-entries index 1866777122..1b7dcf77eb 100755 --- a/test/integration/suites/fetch-x509-svids/04-create-registration-entries +++ b/test/integration/suites/fetch-x509-svids/04-create-registration-entries @@ -2,14 +2,14 @@ SIZE=10 -# Create entries for uid 1001 +# Create entries for uid 1000 for ((m=1;m<=$SIZE;m++)); do log-debug "creating registration entry: $m" docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/workload-$m" \ - -selector "unix:uid:1001" \ + -selector "unix:uid:1000" \ -ttl 0 & done diff --git a/test/integration/suites/fetch-x509-svids/05-fetch-x509-svids b/test/integration/suites/fetch-x509-svids/05-fetch-x509-svids index 4bb53c55df..25317b705f 100755 --- a/test/integration/suites/fetch-x509-svids/05-fetch-x509-svids +++ b/test/integration/suites/fetch-x509-svids/05-fetch-x509-svids 
@@ -3,14 +3,14 @@ ENTRYCOUNT=10 CACHESIZE=8 -X509SVIDCOUNT=$(docker-compose exec -u 1001 -T spire-agent \ +X509SVIDCOUNT=$(docker-compose exec -u 1000 -T spire-agent \ /opt/spire/bin/spire-agent api fetch x509 \ -socketPath /opt/spire/sockets/workload_api.sock | grep -i "spiffe://domain.test" | wc -l || fail-now "X.509-SVID check failed") if [ "$X509SVIDCOUNT" -ne "$ENTRYCOUNT" ]; then - fail-now "X.509-SVID check failed. Expected $ENTRYCOUNT X.509-SVIDs but received $X509SVIDCOUNT for uid 1001"; + fail-now "X.509-SVID check failed. Expected $ENTRYCOUNT X.509-SVIDs but received $X509SVIDCOUNT for uid 1000"; else - log-info "Expected $ENTRYCOUNT X.509-SVIDs and received $X509SVIDCOUNT for uid 1001"; + log-info "Expected $ENTRYCOUNT X.509-SVIDs and received $X509SVIDCOUNT for uid 1000"; fi # Call agent debug endpoints and check if extra X.509-SVIDs from cache are cleaned up diff --git a/test/integration/suites/fetch-x509-svids/07-fetch-x509-svids b/test/integration/suites/fetch-x509-svids/07-fetch-x509-svids index 9a46e29602..fb86dfe570 100755 --- a/test/integration/suites/fetch-x509-svids/07-fetch-x509-svids +++ b/test/integration/suites/fetch-x509-svids/07-fetch-x509-svids 
@@ -13,14 +13,14 @@ else log-info "Expected $ENTRYCOUNT X.509-SVIDs and received $X509SVIDCOUNT for uid 1002"; fi -X509SVIDCOUNT=$(docker-compose exec -u 1001 -T spire-agent \ +X509SVIDCOUNT=$(docker-compose exec -u 1000 -T spire-agent \ /opt/spire/bin/spire-agent api fetch x509 \ -socketPath /opt/spire/sockets/workload_api.sock | grep -i "spiffe://domain.test" | wc -l || fail-now "X.509-SVID check failed") if [ "$X509SVIDCOUNT" -ne "$ENTRYCOUNT" ]; then - fail-now "X.509-SVID check failed. Expected $ENTRYCOUNT X.509-SVIDs but received $X509SVIDCOUNT for uid 1001"; + fail-now "X.509-SVID check failed. Expected $ENTRYCOUNT X.509-SVIDs but received $X509SVIDCOUNT for uid 1000"; else - log-info "Expected $ENTRYCOUNT X.509-SVIDs and received $X509SVIDCOUNT for uid 1001"; + log-info "Expected $ENTRYCOUNT X.509-SVIDs and received $X509SVIDCOUNT for uid 1000"; fi # Call agent debug endpoints and check if extra X.509-SVIDs from cache are cleaned up diff --git a/test/integration/suites/nested-rotation/09-create-workload-entries b/test/integration/suites/nested-rotation/09-create-workload-entries index 12e16679f4..ede113f1ab 100755 --- a/test/integration/suites/nested-rotation/09-create-workload-entries +++ b/test/integration/suites/nested-rotation/09-create-workload-entries @@ -5,7 +5,7 @@ docker-compose exec -T intermediateA-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint intermediateA/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/intermediateA/workload" \ - -selector "unix:uid:1001" \ + -selector "unix:uid:1000" \ -ttl 0 check-synced-entry "intermediateA-agent" "spiffe://domain.test/intermediateA/workload" 
@@ -14,7 +14,7 @@ docker-compose exec -T leafA-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint leafA/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/leafA/workload" \ - -selector "unix:uid:1001" \ + -selector "unix:uid:1000" \ -ttl 0 check-synced-entry "leafA-agent" "spiffe://domain.test/leafA/workload" @@ -23,7 +23,7 @@ docker-compose exec -T intermediateB-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint intermediateB/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/intermediateB/workload" \ - -selector "unix:uid:1001" \ + -selector "unix:uid:1000" \ -ttl 0 check-synced-entry "intermediateB-agent" "spiffe://domain.test/intermediateB/workload" @@ -32,6 +32,6 @@ docker-compose exec -T leafB-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint leafB/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/leafB/workload" \ - -selector "unix:uid:1001" \ + -selector "unix:uid:1000" \ -ttl 0 check-synced-entry "leafB-agent" "spiffe://domain.test/leafB/workload" diff --git a/test/integration/suites/nested-rotation/10-check-svids b/test/integration/suites/nested-rotation/10-check-svids index 03d483b872..0b926b3bc0 100755 --- a/test/integration/suites/nested-rotation/10-check-svids +++ b/test/integration/suites/nested-rotation/10-check-svids @@ -5,7 +5,7 @@ CHECKINTERVAL=6 validateX509SVID() { # Write svid on disk - docker-compose exec -u 1001 -T $1 \ + docker-compose exec -u 1000 -T $1 \ /opt/spire/bin/spire-agent api fetch x509 \ -socketPath /opt/spire/sockets/workload_api.sock \ -write /tmp || fail-now "x509-SVID check failed" 
@@ -13,7 +13,7 @@ validateX509SVID() { # Copy SVID docker cp $(docker-compose ps -q $1):/tmp/svid.0.pem - | docker cp - $(docker-compose ps -q $2):/opt/ - docker-compose exec -u 1001 -T $2 \ + docker-compose exec -u 1000 -T $2 \ /opt/spire/bin/spire-agent api fetch x509 \ -socketPath /opt/spire/sockets/workload_api.sock \ -write /tmp || fail-now "x509-SVID check failed" @@ -23,11 +23,11 @@ validateX509SVID() { validateJWTSVID() { # Fetch JWT-SVID and extract token - token=$(docker-compose exec -u 1001 -T $1 \ + token=$(docker-compose exec -u 1000 -T $1 \ /opt/spire/bin/spire-agent api fetch jwt -audience testIt -socketPath /opt/spire/sockets/workload_api.sock | sed -n '2p') || fail-now "JWT-SVID check failed" # Validate token - docker-compose exec -u 1001 -T $2 \ + docker-compose exec -u 1000 -T $2 \ /opt/spire/bin/spire-agent api validate jwt -audience testIt -svid "${token}" \ -socketPath /opt/spire/sockets/workload_api.sock } diff --git a/test/integration/suites/node-attestation/00-setup b/test/integration/suites/node-attestation/00-setup index b8b14e18fd..dc3e2a4f1d 100755 --- a/test/integration/suites/node-attestation/00-setup +++ b/test/integration/suites/node-attestation/00-setup @@ -5,7 +5,7 @@ echo ${ROOTDIR} # Move test x509pop certificate and key mv conf/agent.key.pem conf/agent/test.key.pem mv conf/agent.crt.pem conf/agent/test.crt.pem -# add read access to prevent error when reading with user 1001 +# add read access to prevent error when reading with user 1000 chmod +r conf/agent/test.key.pem "${ROOTDIR}/setup/node-attestation/build.sh" "${RUNDIR}/conf/server/node-attestation" diff --git a/test/integration/suites/node-attestation/03-test-node-attestation b/test/integration/suites/node-attestation/03-test-node-attestation index fcc83e5e2e..c493b63d8d 100755 --- a/test/integration/suites/node-attestation/03-test-node-attestation +++ b/test/integration/suites/node-attestation/03-test-node-attestation 
@@ -1,31 +1,31 @@ #!/bin/bash # Test node attestation api -jointoken=`docker-compose exec -u 1001 -T spire-server /opt/spire/conf/server/node-attestation -testStep jointoken` +jointoken=`docker-compose exec -u 1000 -T spire-server /opt/spire/conf/server/node-attestation -testStep jointoken` echo "Created Join Token" $jointoken -svid1=`docker-compose exec -u 1001 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep jointokenattest -tokenName $jointoken` +svid1=`docker-compose exec -u 1000 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep jointokenattest -tokenName $jointoken` if [[ $? -ne 0 ]]; then fail-now "Failed to do initial join token attestation" fi echo "Received initial SVID:" $svid1 -svid2=`docker-compose exec -u 1001 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep renew -certificate "${svid1}"` +svid2=`docker-compose exec -u 1000 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep renew -certificate "${svid1}"` if [[ $? -ne 0 ]]; then fail-now "Failed to do SVID renewal" fi echo "Received renewed SVID:" $svid2 -docker-compose exec -u 1001 -T spire-server /opt/spire/conf/server/node-attestation -testStep ban -tokenName ${jointoken} +docker-compose exec -u 1000 -T spire-server /opt/spire/conf/server/node-attestation -testStep ban -tokenName ${jointoken} if [[ $? -ne 0 ]]; then fail-now "Failed to do initial join token attestation" fi echo "Agent banned" -if docker-compose exec -u 1001 -T spire-server /opt/spire/conf/server/node-attestation -testStep renew -certificate "${svid2}" +if docker-compose exec -u 1000 -T spire-server /opt/spire/conf/server/node-attestation -testStep renew -certificate "${svid2}" then fail-now "Expected agent to be banned" fi diff --git a/test/integration/suites/node-attestation/04-test-x509pop-attestation b/test/integration/suites/node-attestation/04-test-x509pop-attestation index c652c7acd6..207194e7ac 100755 
--- a/test/integration/suites/node-attestation/04-test-x509pop-attestation +++ b/test/integration/suites/node-attestation/04-test-x509pop-attestation @@ -5,10 +5,10 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/admin" \ - -selector "unix:uid:1001" \ + -selector "unix:uid:1000" \ -admin \ -ttl 0 check-synced-entry "spire-agent" "spiffe://domain.test/admin" log-debug "running x509pop test..." -docker-compose exec -u 1001 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep x509pop || fail-now "failed to check x509pop attestion" +docker-compose exec -u 1000 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep x509pop || fail-now "failed to check x509pop attestion" diff --git a/test/integration/suites/svidstore/common b/test/integration/suites/svidstore/common index f94d6b5ff1..b2a8b81341 100644 --- a/test/integration/suites/svidstore/common +++ b/test/integration/suites/svidstore/common @@ -23,7 +23,7 @@ check-stored-svids() { fi done - docker-compose exec -u 1001 -T spire-server \ + docker-compose exec -u 1000 -T spire-server \ /opt/spire/conf/server/checkstoredsvids /opt/spire/conf/agent/svids.json || fail-now "failed to check stored svids" } @@ -48,6 +48,6 @@ check-deleted-svids() { fail-now "timed out waiting for agent to delete all svids" fi - docker-compose exec -u 1001 -T spire-server \ + docker-compose exec -u 1000 -T spire-server \ /opt/spire/conf/server/checkstoredsvids /opt/spire/conf/agent/svids.json || fail-now "failed to check stored svids" } From 68be7e3586a5130fa9833c39690828ac83becadb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Tue, 12 Mar 2024 22:26:07 -0300 Subject: [PATCH 03/27] Have WORKDIR after COPY MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Agustín Martínez Fayó --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index a607cc9716..e4bd207f4b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -59,7 +59,6 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ for f in $(find bin -executable -type f); do xx-verify $f; done FROM --platform=${BUILDPLATFORM} scratch AS spire-base -WORKDIR /opt/spire CMD [] COPY --link --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ @@ -75,6 +74,7 @@ USER ${spireuid}:${spiregid} ENTRYPOINT ["/opt/spire/bin/spire-server", "run"] COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spireserverroot / COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-server bin/ +WORKDIR /opt/spire # SPIRE Agent FROM spire-base AS spire-agent @@ -84,6 +84,7 @@ USER ${spireuid}:${spiregid} ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"] COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spireagentroot / COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-agent bin/ +WORKDIR /opt/spire # OIDC Discovery Provider FROM spire-base AS oidc-discovery-provider @@ -92,3 +93,4 @@ ARG spiregid=1000 USER ${spireuid}:${spiregid} ENTRYPOINT ["/opt/spire/bin/oidc-discovery-provider"] COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/oidc-discovery-provider bin/ +WORKDIR /opt/spire From b8b7df004584ac51238a424e2e58b352c5d9317e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Tue, 12 Mar 2024 22:28:52 -0300 Subject: [PATCH 04/27] Have WORKDIR after COPY MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index e4bd207f4b..24b317a236 100644 
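Review bot: With `WORKDIR /opt/spire` removed from `spire-base` and re-added only after the `COPY` lines, the relative destination in `COPY ... /spire/bin/static/spire-server bin/` (and the spire-agent and oidc-discovery-provider equivalents) now resolves against the stage's default working directory, `/`, so the binaries land in `/bin/` while `ENTRYPOINT` still points at `/opt/spire/bin/...`. The destination should be absolute, `COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-server /opt/spire/bin/`, which is exactly what PATCH 04/27 does; squashing that commit into this one would keep every commit in the series buildable.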
--- a/Dockerfile +++ b/Dockerfile @@ -73,7 +73,7 @@ ARG spiregid=1000 USER ${spireuid}:${spiregid} ENTRYPOINT ["/opt/spire/bin/spire-server", "run"] COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spireserverroot / -COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-server bin/ +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-server /opt/spire/bin/ WORKDIR /opt/spire # SPIRE Agent @@ -83,7 +83,7 @@ ARG spiregid=1000 USER ${spireuid}:${spiregid} ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"] COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spireagentroot / -COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-agent bin/ +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-agent /opt/spire/bin/ WORKDIR /opt/spire # OIDC Discovery Provider @@ -92,5 +92,5 @@ ARG spireuid=1000 ARG spiregid=1000 USER ${spireuid}:${spiregid} ENTRYPOINT ["/opt/spire/bin/oidc-discovery-provider"] -COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/oidc-discovery-provider bin/ +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/oidc-discovery-provider /opt/spire/bin/ WORKDIR /opt/spire From d75e62a033e81db4ccc5d39986f90442adf30798 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Wed, 13 Mar 2024 17:50:44 -0300 Subject: [PATCH 05/27] Fix permission in generated key file for tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- test/integration/setup/x509pop/gencerts.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/setup/x509pop/gencerts.go b/test/integration/setup/x509pop/gencerts.go index f2d5e060f9..440a21f0e7 100644 
--- a/test/integration/setup/x509pop/gencerts.go +++ b/test/integration/setup/x509pop/gencerts.go @@ -74,7 +74,7 @@ func writeKey(path string, key crypto.Signer) { Type: "PRIVATE KEY", Bytes: keyBytes, }) - writeFile(path, pemBytes, 0o600) + writeFile(path, pemBytes, 0o644) // This key is used only for testing purposes. } func writeCerts(path string, certs ...*x509.Certificate) { From 061d4188b45ebf1cde17fa1754016de0137fbe9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Wed, 13 Mar 2024 20:29:33 -0300 Subject: [PATCH 06/27] Fix permission in shared folders for agent socket MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- test/integration/suites/nested-rotation/00-setup | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/integration/suites/nested-rotation/00-setup b/test/integration/suites/nested-rotation/00-setup index 8d8fb9f846..42e1daced0 100755 --- a/test/integration/suites/nested-rotation/00-setup +++ b/test/integration/suites/nested-rotation/00-setup @@ -1,13 +1,13 @@ #!/bin/bash # create shared folder for root agent socket -mkdir -p shared/rootSocket +mkdir -p -m 644 shared/rootSocket # create shared folder for intermediateA agent socket -mkdir -p shared/intermediateASocket +mkdir -p -m 644 shared/intermediateASocket # create shared folder for intermediateB agent socket -mkdir -p shared/intermediateBSocket +mkdir -p -m 644 shared/intermediateBSocket # root certificates "${ROOTDIR}/setup/x509pop/setup.sh" root/server root/agent From 92c9dcfab99946180f69fc56c95484a75ae8ed1a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 08:12:55 -0300 Subject: [PATCH 07/27] Prepare common directories used by tests, using proper permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
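Review bot: `writeFile(path, pemBytes, 0o644)` makes every key this helper writes world-readable, and the trailing comment gives a justification but not the cause, which appears to be that the generated fixtures are read inside containers running as a different uid than the host user (see the `-u`/`spireuid` changes elsewhere in the series). A helper named `writeKey` with a hard-coded permissive mode is easy to reuse for something that is not a test fixture; prefer a named constant carrying the reason, e.g. `// testKeyMode is deliberately world-readable: generated keys are bind-mounted into containers that run as an unrelated uid. Never use it for real keys.` followed by `const testKeyMode = 0o644`, and pass that here. writeKey begins before the hunk.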
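Review bot: `mkdir -p -m 644 shared/rootSocket` (and the two sibling lines) creates directories without the execute/search bit, so nothing, not even the owner, can enter them or create the agent socket inside; the directory equivalent of 644 is 755. Since the socket is created by the agent inside the container, which after PATCH 01/27 runs as `spireuid` (default 1000) rather than as the host user, 755 is only sufficient when the owning uid matches; otherwise the directory has to be writable by that uid (a matching chown, or a world-writable sticky mode such as `1777`). Suggested: `mkdir -p -m 755 shared/rootSocket` with the same change on the intermediateASocket and intermediateBSocket lines, plus a comment stating which uid creates the socket and why that mode is enough.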
Signed-off-by: Agustín Martínez Fayó --- test/integration/test-one.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/test/integration/test-one.sh b/test/integration/test-one.sh index 821734aef5..dc29eadabc 100755 --- a/test/integration/test-one.sh +++ b/test/integration/test-one.sh @@ -68,6 +68,13 @@ trap cleanup EXIT ################################################# # Prepare the run directory ################################################# + +# Prepare common directories used by tests. +# These directories on the host are mapped to paths in containers, possibly +# running with a different user. +mkdir -p -m 777 "${RUNDIR}/conf/agent" +mkdir -p -m 777 "${RUNDIR}/conf/server" + cp -R "${TESTDIR}"/* "${RUNDIR}/" ################################################# From 3b9cedc4b1d61b0c89f1f8e1807555ce6d3100d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 13:11:51 -0300 Subject: [PATCH 08/27] Revert changes of uid MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
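Review bot: `mkdir -p -m 777 "${RUNDIR}/conf/agent"` applies the mode only to the leaf directory (`-m` together with `-p` leaves intermediate components at the umask default), and the following `cp -R "${TESTDIR}"/* "${RUNDIR}/"` creates the files inside with the host user's umask, so world-writable directories alone do not guarantee that files under `conf/agent` are readable by the container uid; the series handles file modes separately (e.g. the `0o644` key mode in PATCH 05/27). The comment should make that split explicit, e.g. `# Only the directories are made world-writable here; files copied into them keep the host umask and are made readable where needed.`. Consider `-m 1777` instead of `777` so a process in one container cannot remove or rename files it does not own in the shared directory.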
Signed-off-by: Agustín Martínez Fayó --- test/integration/setup/adminclient/client.go | 6 +++--- .../admin-endpoints/05-create-registration-entries | 2 +- .../suites/admin-endpoints/06-test-endpoints | 2 +- .../debug-endpoints/04-create-registration-entries | 2 +- .../suites/debug-endpoints/05-test-endpoints | 2 +- .../delegatedidentity/04-create-registration-entries | 2 +- .../suites/delegatedidentity/05-test-endpoints | 2 +- .../suites/downstream-endpoints/04-create-entries | 2 +- .../suites/downstream-endpoints/05-test-endpoints | 2 +- .../fetch-x509-svids/04-create-registration-entries | 4 ++-- .../suites/fetch-x509-svids/05-fetch-x509-svids | 2 +- .../suites/fetch-x509-svids/07-fetch-x509-svids | 2 +- .../suites/nested-rotation/09-create-workload-entries | 8 ++++---- test/integration/suites/nested-rotation/10-check-svids | 8 ++++---- .../suites/node-attestation/03-test-node-attestation | 10 +++++----- .../node-attestation/04-test-x509pop-attestation | 4 ++-- test/integration/suites/svidstore/common | 4 ++-- 17 files changed, 32 insertions(+), 32 deletions(-) diff --git a/test/integration/setup/adminclient/client.go b/test/integration/setup/adminclient/client.go index 9fb81b226c..09f35b445b 100644 --- a/test/integration/setup/adminclient/client.go +++ b/test/integration/setup/adminclient/client.go @@ -487,7 +487,7 @@ func batchCreateEntry(ctx context.Context, c *itclient.Client) error { Selectors: []*types.Selector{ { Type: "unix", - Value: "uid:1000", + Value: "uid:1001", }, }, } @@ -583,7 +583,7 @@ func getEntry(ctx context.Context, c *itclient.Client) error { Selectors: []*types.Selector{ { Type: "unix", - Value: "uid:1000", + Value: "uid:1001", }, }, } @@ -620,7 +620,7 @@ func batchUpdateEntry(ctx context.Context, c *itclient.Client) error { Selectors: []*types.Selector{ { Type: "unix", - Value: "uid:1000", + Value: "uid:1001", }, { Type: "unix", 
diff --git a/test/integration/suites/admin-endpoints/05-create-registration-entries b/test/integration/suites/admin-endpoints/05-create-registration-entries index e6da526b91..62115bc0ba 100755 --- a/test/integration/suites/admin-endpoints/05-create-registration-entries +++ b/test/integration/suites/admin-endpoints/05-create-registration-entries @@ -5,7 +5,7 @@ docker-compose exec -T spire-server-a \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain-a.test/spire/agent/x509pop/$(fingerprint conf/domain-a/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain-a.test/admin" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:1001" \ -admin \ -ttl 0 check-synced-entry "spire-agent-a" "spiffe://domain-a.test/admin" diff --git a/test/integration/suites/admin-endpoints/06-test-endpoints b/test/integration/suites/admin-endpoints/06-test-endpoints index c821a55dc9..9c64362f0f 100755 --- a/test/integration/suites/admin-endpoints/06-test-endpoints +++ b/test/integration/suites/admin-endpoints/06-test-endpoints @@ -1,7 +1,7 @@ #!/bin/bash log-debug "test admin workload..." -docker-compose exec -u 1000 -T spire-agent-a \ +docker-compose exec -u 1001 -T spire-agent-a \ /opt/spire/conf/agent/adminclient -trustDomain domain-a.test -serverAddr spire-server-a:8081 || fail-now "failed to check admin endpoints" log-debug "test foreign admin workload..." diff --git a/test/integration/suites/debug-endpoints/04-create-registration-entries b/test/integration/suites/debug-endpoints/04-create-registration-entries index 99d2bc7e54..6eed24af31 100755 --- a/test/integration/suites/debug-endpoints/04-create-registration-entries +++ b/test/integration/suites/debug-endpoints/04-create-registration-entries 
@@ -5,7 +5,7 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/admin" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:1001" \ -admin \ -ttl 0 check-synced-entry "spire-agent" "spiffe://domain.test/admin" diff --git a/test/integration/suites/debug-endpoints/05-test-endpoints b/test/integration/suites/debug-endpoints/05-test-endpoints index b610e4d582..ac4a6c25c1 100755 --- a/test/integration/suites/debug-endpoints/05-test-endpoints +++ b/test/integration/suites/debug-endpoints/05-test-endpoints @@ -15,7 +15,7 @@ for ((i=1; i<=MAXCHECKS;i++)); do done # Verify server TCP server does not implements Debug endpoint -docker-compose exec -u 1000 -T spire-agent \ +docker-compose exec -u 1001 -T spire-agent \ /opt/spire/conf/agent/debugclient -testCase "serverWithWorkload" || fail-now "failed to check server debug endpoints using admin workload" docker-compose exec -u 1002 -T spire-agent \ diff --git a/test/integration/suites/delegatedidentity/04-create-registration-entries b/test/integration/suites/delegatedidentity/04-create-registration-entries index 9066954d7d..d21a2505a3 100755 --- a/test/integration/suites/delegatedidentity/04-create-registration-entries +++ b/test/integration/suites/delegatedidentity/04-create-registration-entries @@ -5,7 +5,7 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/authorized_delegate" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:1001" \ -ttl 0 check-synced-entry "spire-agent" "spiffe://domain.test/authorized_delegate" diff --git a/test/integration/suites/delegatedidentity/05-test-endpoints b/test/integration/suites/delegatedidentity/05-test-endpoints index 413f88e621..78f3011028 100755 
--- a/test/integration/suites/delegatedidentity/05-test-endpoints +++ b/test/integration/suites/delegatedidentity/05-test-endpoints @@ -1,7 +1,7 @@ #!/bin/bash log-info "Test Delegated Identity API (for success)" -docker-compose exec -u 1000 -T spire-agent \ +docker-compose exec -u 1001 -T spire-agent \ /opt/spire/conf/agent/delegatedidentityclient -expectedID spiffe://domain.test/workload || fail-now "Failed to check Delegated Identity API" log-info "Test Delegated Identity API (expecting permission denied)" diff --git a/test/integration/suites/downstream-endpoints/04-create-entries b/test/integration/suites/downstream-endpoints/04-create-entries index f603e90778..470658106b 100755 --- a/test/integration/suites/downstream-endpoints/04-create-entries +++ b/test/integration/suites/downstream-endpoints/04-create-entries @@ -5,7 +5,7 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/downstream" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:1001" \ -downstream \ -ttl 0 check-synced-entry "spire-agent" "spiffe://domain.test/downstream" diff --git a/test/integration/suites/downstream-endpoints/05-test-endpoints b/test/integration/suites/downstream-endpoints/05-test-endpoints index ecc3523215..ac67cc48e6 100755 --- a/test/integration/suites/downstream-endpoints/05-test-endpoints +++ b/test/integration/suites/downstream-endpoints/05-test-endpoints @@ -1,7 +1,7 @@ #!/bin/bash log-debug "test downstream workload..." -docker-compose exec -u 1000 -T spire-agent \ +docker-compose exec -u 1001 -T spire-agent \ /opt/spire/conf/agent/downstreamclient || fail-now "failed to check downstream endpoints" log-debug "Test regular workload..." 
diff --git a/test/integration/suites/fetch-x509-svids/04-create-registration-entries b/test/integration/suites/fetch-x509-svids/04-create-registration-entries index 1b7dcf77eb..1866777122 100755 --- a/test/integration/suites/fetch-x509-svids/04-create-registration-entries +++ b/test/integration/suites/fetch-x509-svids/04-create-registration-entries @@ -2,14 +2,14 @@ SIZE=10 -# Create entries for uid 1000 +# Create entries for uid 1001 for ((m=1;m<=$SIZE;m++)); do log-debug "creating registration entry: $m" docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/workload-$m" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:1001" \ -ttl 0 & done diff --git a/test/integration/suites/fetch-x509-svids/05-fetch-x509-svids b/test/integration/suites/fetch-x509-svids/05-fetch-x509-svids index 25317b705f..5174d444e0 100755 --- a/test/integration/suites/fetch-x509-svids/05-fetch-x509-svids +++ b/test/integration/suites/fetch-x509-svids/05-fetch-x509-svids @@ -3,7 +3,7 @@ ENTRYCOUNT=10 CACHESIZE=8 -X509SVIDCOUNT=$(docker-compose exec -u 1000 -T spire-agent \ +X509SVIDCOUNT=$(docker-compose exec -u 1001 -T spire-agent \ /opt/spire/bin/spire-agent api fetch x509 \ -socketPath /opt/spire/sockets/workload_api.sock | grep -i "spiffe://domain.test" | wc -l || fail-now "X.509-SVID check failed") diff --git a/test/integration/suites/fetch-x509-svids/07-fetch-x509-svids b/test/integration/suites/fetch-x509-svids/07-fetch-x509-svids index fb86dfe570..ce888d462a 100755 --- a/test/integration/suites/fetch-x509-svids/07-fetch-x509-svids +++ b/test/integration/suites/fetch-x509-svids/07-fetch-x509-svids 
@@ -13,7 +13,7 @@ else log-info "Expected $ENTRYCOUNT X.509-SVIDs and received $X509SVIDCOUNT for uid 1002"; fi -X509SVIDCOUNT=$(docker-compose exec -u 1000 -T spire-agent \ +X509SVIDCOUNT=$(docker-compose exec -u 1001 -T spire-agent \ /opt/spire/bin/spire-agent api fetch x509 \ -socketPath /opt/spire/sockets/workload_api.sock | grep -i "spiffe://domain.test" | wc -l || fail-now "X.509-SVID check failed") diff --git a/test/integration/suites/nested-rotation/09-create-workload-entries b/test/integration/suites/nested-rotation/09-create-workload-entries index ede113f1ab..12e16679f4 100755 --- a/test/integration/suites/nested-rotation/09-create-workload-entries +++ b/test/integration/suites/nested-rotation/09-create-workload-entries @@ -5,7 +5,7 @@ docker-compose exec -T intermediateA-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint intermediateA/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/intermediateA/workload" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:1001" \ -ttl 0 check-synced-entry "intermediateA-agent" "spiffe://domain.test/intermediateA/workload" @@ -14,7 +14,7 @@ docker-compose exec -T leafA-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint leafA/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/leafA/workload" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:1001" \ -ttl 0 check-synced-entry "leafA-agent" "spiffe://domain.test/leafA/workload" @@ -23,7 +23,7 @@ docker-compose exec -T intermediateB-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint intermediateB/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/intermediateB/workload" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:1001" \ -ttl 0 check-synced-entry "intermediateB-agent" "spiffe://domain.test/intermediateB/workload" 
@@ -32,6 +32,6 @@ docker-compose exec -T leafB-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint leafB/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/leafB/workload" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:1001" \ -ttl 0 check-synced-entry "leafB-agent" "spiffe://domain.test/leafB/workload" diff --git a/test/integration/suites/nested-rotation/10-check-svids b/test/integration/suites/nested-rotation/10-check-svids index 0b926b3bc0..03d483b872 100755 --- a/test/integration/suites/nested-rotation/10-check-svids +++ b/test/integration/suites/nested-rotation/10-check-svids @@ -5,7 +5,7 @@ CHECKINTERVAL=6 validateX509SVID() { # Write svid on disk - docker-compose exec -u 1000 -T $1 \ + docker-compose exec -u 1001 -T $1 \ /opt/spire/bin/spire-agent api fetch x509 \ -socketPath /opt/spire/sockets/workload_api.sock \ -write /tmp || fail-now "x509-SVID check failed" @@ -13,7 +13,7 @@ validateX509SVID() { # Copy SVID docker cp $(docker-compose ps -q $1):/tmp/svid.0.pem - | docker cp - $(docker-compose ps -q $2):/opt/ - docker-compose exec -u 1000 -T $2 \ + docker-compose exec -u 1001 -T $2 \ /opt/spire/bin/spire-agent api fetch x509 \ -socketPath /opt/spire/sockets/workload_api.sock \ -write /tmp || fail-now "x509-SVID check failed" @@ -23,11 +23,11 @@ validateX509SVID() { validateJWTSVID() { # Fetch JWT-SVID and extract token - token=$(docker-compose exec -u 1000 -T $1 \ + token=$(docker-compose exec -u 1001 -T $1 \ /opt/spire/bin/spire-agent api fetch jwt -audience testIt -socketPath /opt/spire/sockets/workload_api.sock | sed -n '2p') || fail-now "JWT-SVID check failed" # Validate token - docker-compose exec -u 1000 -T $2 \ + docker-compose exec -u 1001 -T $2 \ /opt/spire/bin/spire-agent api validate jwt -audience testIt -svid "${token}" \ -socketPath /opt/spire/sockets/workload_api.sock } 
diff --git a/test/integration/suites/node-attestation/03-test-node-attestation b/test/integration/suites/node-attestation/03-test-node-attestation index c493b63d8d..fcc83e5e2e 100755 --- a/test/integration/suites/node-attestation/03-test-node-attestation +++ b/test/integration/suites/node-attestation/03-test-node-attestation 
@@ -1,31 +1,31 @@ #!/bin/bash # Test node attestation api -jointoken=`docker-compose exec -u 1000 -T spire-server /opt/spire/conf/server/node-attestation -testStep jointoken` +jointoken=`docker-compose exec -u 1001 -T spire-server /opt/spire/conf/server/node-attestation -testStep jointoken` echo "Created Join Token" $jointoken -svid1=`docker-compose exec -u 1000 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep jointokenattest -tokenName $jointoken` +svid1=`docker-compose exec -u 1001 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep jointokenattest -tokenName $jointoken` if [[ $? -ne 0 ]]; then fail-now "Failed to do initial join token attestation" fi echo "Received initial SVID:" $svid1 -svid2=`docker-compose exec -u 1000 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep renew -certificate "${svid1}"` +svid2=`docker-compose exec -u 1001 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep renew -certificate "${svid1}"` if [[ $? -ne 0 ]]; then fail-now "Failed to do SVID renewal" fi echo "Received renewed SVID:" $svid2 -docker-compose exec -u 1000 -T spire-server /opt/spire/conf/server/node-attestation -testStep ban -tokenName ${jointoken} +docker-compose exec -u 1001 -T spire-server /opt/spire/conf/server/node-attestation -testStep ban -tokenName ${jointoken} if [[ $? -ne 0 ]]; then fail-now "Failed to do initial join token attestation" fi echo "Agent banned" -if docker-compose exec -u 1000 -T spire-server /opt/spire/conf/server/node-attestation -testStep renew -certificate "${svid2}" +if docker-compose exec -u 1001 -T spire-server /opt/spire/conf/server/node-attestation -testStep renew -certificate "${svid2}" then fail-now "Expected agent to be banned" fi diff --git a/test/integration/suites/node-attestation/04-test-x509pop-attestation b/test/integration/suites/node-attestation/04-test-x509pop-attestation index 207194e7ac..c652c7acd6 100755 
--- a/test/integration/suites/node-attestation/04-test-x509pop-attestation +++ b/test/integration/suites/node-attestation/04-test-x509pop-attestation @@ -5,10 +5,10 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/admin" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:1001" \ -admin \ -ttl 0 check-synced-entry "spire-agent" "spiffe://domain.test/admin" log-debug "running x509pop test..." -docker-compose exec -u 1000 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep x509pop || fail-now "failed to check x509pop attestion" +docker-compose exec -u 1001 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep x509pop || fail-now "failed to check x509pop attestion" diff --git a/test/integration/suites/svidstore/common b/test/integration/suites/svidstore/common index b2a8b81341..f94d6b5ff1 100644 --- a/test/integration/suites/svidstore/common +++ b/test/integration/suites/svidstore/common @@ -23,7 +23,7 @@ check-stored-svids() { fi done - docker-compose exec -u 1000 -T spire-server \ + docker-compose exec -u 1001 -T spire-server \ /opt/spire/conf/server/checkstoredsvids /opt/spire/conf/agent/svids.json || fail-now "failed to check stored svids" } @@ -48,6 +48,6 @@ check-deleted-svids() { fail-now "timed out waiting for agent to delete all svids" fi - docker-compose exec -u 1000 -T spire-server \ + docker-compose exec -u 1001 -T spire-server \ /opt/spire/conf/server/checkstoredsvids /opt/spire/conf/agent/svids.json || fail-now "failed to check stored svids" } From 2508f012cfc0f3a265c53c8ae2be5b06f9896e22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 13:14:02 -0300 Subject: [PATCH 09/27] Revert changes of uid MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Agustín Martínez Fayó --- test/integration/suites/fetch-x509-svids/05-fetch-x509-svids | 4 ++-- test/integration/suites/fetch-x509-svids/07-fetch-x509-svids | 4 ++-- test/integration/suites/node-attestation/00-setup | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/test/integration/suites/fetch-x509-svids/05-fetch-x509-svids b/test/integration/suites/fetch-x509-svids/05-fetch-x509-svids index 5174d444e0..4bb53c55df 100755 --- a/test/integration/suites/fetch-x509-svids/05-fetch-x509-svids +++ b/test/integration/suites/fetch-x509-svids/05-fetch-x509-svids @@ -8,9 +8,9 @@ X509SVIDCOUNT=$(docker-compose exec -u 1001 -T spire-agent \ -socketPath /opt/spire/sockets/workload_api.sock | grep -i "spiffe://domain.test" | wc -l || fail-now "X.509-SVID check failed") if [ "$X509SVIDCOUNT" -ne "$ENTRYCOUNT" ]; then - fail-now "X.509-SVID check failed. Expected $ENTRYCOUNT X.509-SVIDs but received $X509SVIDCOUNT for uid 1000"; + fail-now "X.509-SVID check failed. Expected $ENTRYCOUNT X.509-SVIDs but received $X509SVIDCOUNT for uid 1001"; else - log-info "Expected $ENTRYCOUNT X.509-SVIDs and received $X509SVIDCOUNT for uid 1000"; + log-info "Expected $ENTRYCOUNT X.509-SVIDs and received $X509SVIDCOUNT for uid 1001"; fi # Call agent debug endpoints and check if extra X.509-SVIDs from cache are cleaned up diff --git a/test/integration/suites/fetch-x509-svids/07-fetch-x509-svids b/test/integration/suites/fetch-x509-svids/07-fetch-x509-svids index ce888d462a..9a46e29602 100755 --- a/test/integration/suites/fetch-x509-svids/07-fetch-x509-svids +++ b/test/integration/suites/fetch-x509-svids/07-fetch-x509-svids 
@@ -18,9 +18,9 @@ X509SVIDCOUNT=$(docker-compose exec -u 1001 -T spire-agent \ -socketPath /opt/spire/sockets/workload_api.sock | grep -i "spiffe://domain.test" | wc -l || fail-now "X.509-SVID check failed") if [ "$X509SVIDCOUNT" -ne "$ENTRYCOUNT" ]; then - fail-now "X.509-SVID check failed. Expected $ENTRYCOUNT X.509-SVIDs but received $X509SVIDCOUNT for uid 1000"; + fail-now "X.509-SVID check failed. Expected $ENTRYCOUNT X.509-SVIDs but received $X509SVIDCOUNT for uid 1001"; else - log-info "Expected $ENTRYCOUNT X.509-SVIDs and received $X509SVIDCOUNT for uid 1000"; + log-info "Expected $ENTRYCOUNT X.509-SVIDs and received $X509SVIDCOUNT for uid 1001"; fi # Call agent debug endpoints and check if extra X.509-SVIDs from cache are cleaned up diff --git a/test/integration/suites/node-attestation/00-setup b/test/integration/suites/node-attestation/00-setup index dc3e2a4f1d..b8b14e18fd 100755 --- a/test/integration/suites/node-attestation/00-setup +++ b/test/integration/suites/node-attestation/00-setup @@ -5,7 +5,7 @@ echo ${ROOTDIR} # Move test x509pop certificate and key mv conf/agent.key.pem conf/agent/test.key.pem mv conf/agent.crt.pem conf/agent/test.crt.pem -# add read access to prevent error when reading with user 1000 +# add read access to prevent error when reading with user 1001 chmod +r conf/agent/test.key.pem "${ROOTDIR}/setup/node-attestation/build.sh" "${RUNDIR}/conf/server/node-attestation" From 33d83d8d882f71198ddc041ec408ba3aa9509ed5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 13:18:52 -0300 Subject: [PATCH 10/27] Use uid 1000 instead of 0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Agustín Martínez Fayó --- .../envoy-sds-v3-spiffe-auth/00-test-envoy-releases.sh | 6 +++--- test/integration/suites/envoy-sds-v3/00-test-envoy-releases | 4 ++-- .../suites/ghostunnel-federation/04-create-workload-entries | 4 ++-- test/integration/suites/join-token/04-create-workload-entry | 2 +- test/integration/suites/rotation/04-create-workload-entry | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/test/integration/suites/envoy-sds-v3-spiffe-auth/00-test-envoy-releases.sh b/test/integration/suites/envoy-sds-v3-spiffe-auth/00-test-envoy-releases.sh index 4fc8e8fa6b..89ee88ce6a 100755 --- a/test/integration/suites/envoy-sds-v3-spiffe-auth/00-test-envoy-releases.sh +++ b/test/integration/suites/envoy-sds-v3-spiffe-auth/00-test-envoy-releases.sh @@ -57,7 +57,7 @@ setup-tests() { /opt/spire/bin/spire-server entry create \ -parentID "spiffe://federated-domain.test/spire/agent/x509pop/$(fingerprint conf/downstream-federated/agent/agent.crt.pem)" \ -spiffeID "spiffe://federated-domain.test/downstream-proxy" \ - -selector "unix:uid:0" \ + -selector "unix:uid:1000" \ -federatesWith "spiffe://domain.test" \ -ttl 0 @@ -66,7 +66,7 @@ setup-tests() { /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/upstream/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/upstream-proxy" \ - -selector "unix:uid:0" \ + -selector "unix:uid:1000" \ -federatesWith "spiffe://federated-domain.test" \ -ttl 0 @@ -75,7 +75,7 @@ setup-tests() { /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/downstream/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/downstream-proxy" \ - -selector "unix:uid:0" \ + -selector "unix:uid:1000" \ -ttl 0 } diff --git a/test/integration/suites/envoy-sds-v3/00-test-envoy-releases b/test/integration/suites/envoy-sds-v3/00-test-envoy-releases index 61eb93e3b8..e25eb18515 100755 
--- a/test/integration/suites/envoy-sds-v3/00-test-envoy-releases +++ b/test/integration/suites/envoy-sds-v3/00-test-envoy-releases @@ -19,7 +19,7 @@ setup-tests() { /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/upstream-agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/upstream-workload" \ - -selector "unix:uid:0" \ + -selector "unix:uid:1000" \ -ttl 0 log-debug "creating registration entry for downstream workload..." @@ -27,7 +27,7 @@ setup-tests() { /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/downstream-agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/downstream-workload" \ - -selector "unix:uid:0" \ + -selector "unix:uid:1000" \ -ttl 0 } diff --git a/test/integration/suites/ghostunnel-federation/04-create-workload-entries b/test/integration/suites/ghostunnel-federation/04-create-workload-entries index edd691b721..d116cbe4bc 100755 --- a/test/integration/suites/ghostunnel-federation/04-create-workload-entries +++ b/test/integration/suites/ghostunnel-federation/04-create-workload-entries @@ -7,7 +7,7 @@ docker-compose exec -T downstream-spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://downstream-domain.test/spire/agent/x509pop/$(fingerprint conf/downstream/agent/agent.crt.pem)" \ -spiffeID "spiffe://downstream-domain.test/downstream-workload" \ - -selector "unix:uid:0" \ + -selector "unix:uid:1000" \ -federatesWith "spiffe://upstream-domain.test" \ -ttl 0 @@ -16,6 +16,6 @@ docker-compose exec -T upstream-spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://upstream-domain.test/spire/agent/x509pop/$(fingerprint conf/upstream/agent/agent.crt.pem)" \ -spiffeID "spiffe://upstream-domain.test/upstream-workload" \ - -selector "unix:uid:0" \ + -selector "unix:uid:1000" \ -federatesWith "spiffe://downstream-domain.test" \ -ttl 0 
diff --git a/test/integration/suites/join-token/04-create-workload-entry b/test/integration/suites/join-token/04-create-workload-entry index 9d261b885a..81007d4469 100755 --- a/test/integration/suites/join-token/04-create-workload-entry +++ b/test/integration/suites/join-token/04-create-workload-entry @@ -5,7 +5,7 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/node" \ -spiffeID "spiffe://domain.test/workload" \ - -selector "unix:uid:0" \ + -selector "unix:uid:1000" \ -ttl 0 # Check at most 30 times (with one second in between) that the agent has diff --git a/test/integration/suites/rotation/04-create-workload-entry b/test/integration/suites/rotation/04-create-workload-entry index 8686f3eaa9..af9c30ae03 100755 --- a/test/integration/suites/rotation/04-create-workload-entry +++ b/test/integration/suites/rotation/04-create-workload-entry @@ -5,7 +5,7 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/workload" \ - -selector "unix:uid:0" \ + -selector "unix:uid:1000" \ -ttl 0 # Check at most 30 times (with one second in between) that the agent has From d605288e57792640444483cfd6fdea6f64938b9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 14:07:04 -0300 Subject: [PATCH 11/27] Dockerfile changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- Dockerfile | 51 ++++++++++++++++++--------------------------------- 1 file changed, 18 insertions(+), 33 deletions(-) diff --git a/Dockerfile b/Dockerfile index 24b317a236..0e0a1b0225 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -25,29 +25,7 @@ COPY --link --from=xx / / # Set up directories that SPIRE expects by default # Set up base directories -RUN install -d /spireroot -RUN install -d /spireroot/etc/ssl/certs -RUN install -d /spireroot/run -RUN install -d /spireroot/var/lib -RUN install -d /spireroot/tmp - -# Set up directories used by SPIRE -RUN install -d /spireroot/opt/spire -RUN install -d /spireroot/etc/spire -RUN install -d /spireroot/run/spire -RUN install -d /spireroot/var/lib/spire - -# Set up spire-server directories -RUN cp -r /spireroot /spireserverroot -RUN install -d /spireserverroot/etc/spire/server -RUN install -d /spireserverroot/run/spire/server/private -RUN install -d /spireserverroot/var/lib/spire/server - -# Set up spire-agent directories -RUN cp -r /spireroot /spireagentroot -RUN install -d /spireagentroot/etc/spire/agent -RUN install -d /spireagentroot/run/spire/agent/public -RUN install -d /spireagentroot/var/lib/spire/agent +RUN install -d /empty-dir RUN xx-go --wrap RUN set -e ; xx-apk --no-cache --update add build-base musl-dev libseccomp-dev 
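Review bot: The retained comments `# Set up directories that SPIRE expects by default` and `# Set up base directories` no longer describe what follows them; the only command left in this block is `RUN install -d /empty-dir`, and nothing states that this directory exists only to serve as the source of the `COPY --chown --chmod` lines in the runtime stages. Replace both comments with one that says so, e.g. `# Empty directory used as the COPY source for creating owned, mode-controlled directories in the runtime stages`. Otherwise a reader of the builder stage has no way to tell why an empty directory is being installed.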
@@ -59,22 +37,28 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ for f in $(find bin -executable -type f); do xx-verify $f; done FROM --platform=${BUILDPLATFORM} scratch AS spire-base -CMD [] -COPY --link --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ - -# SPIRE Server -FROM spire-base AS spire-server # For users that wish to run SPIRE containers as a non-root user, # provide a default unprivileged user such that the default paths # that SPIRE will try to read from, write to, and create at runtime # can be given the correct file ownership/permissions at build time. ARG spireuid=1000 ARG spiregid=1000 +CMD [] +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=777 /empty-dir /opt/spire +COPY --link --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +WORKDIR /opt/spire + +# SPIRE Server +FROM spire-base AS spire-server +ARG spireuid=1000 +ARG spiregid=1000 USER ${spireuid}:${spiregid} ENTRYPOINT ["/opt/spire/bin/spire-server", "run"] -COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spireserverroot / +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /etc/spire/server +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /run/spire/server/private +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /var/lib/spire/server +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /tmp/spire-server/private COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-server /opt/spire/bin/ -WORKDIR /opt/spire # SPIRE Agent FROM spire-base AS spire-agent 
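Review bot: `COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=777 /empty-dir /opt/spire` makes the directory that holds the entrypoint binaries world-writable, so any uid that ends up in the container can create or replace entries directly under `/opt/spire`, including the `bin` directory that `ENTRYPOINT ["/opt/spire/bin/spire-server", "run"]` resolves through. The directory is already owned by `${spireuid}:${spiregid}`, so `--chmod=755` gives the runtime user the same access without opening it to everyone; if 777 is intentional (for example so bind mounts under other uids can create `conf`), that deserves a comment rather than a silent mode bit. On the next line `--chmod=755` on `ca-certificates.crt` sets execute bits on a plain file; `--chmod=644` is the conventional mode for a CA bundle.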
@@ -82,9 +66,11 @@ ARG spireuid=1000 ARG spiregid=1000 USER ${spireuid}:${spiregid} ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"] -COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spireagentroot / +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /etc/spire/agent +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /run/spire/agent/public +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /var/lib/spire/agent +COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /tmp/spire-agent/public COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-agent /opt/spire/bin/ -WORKDIR /opt/spire # OIDC Discovery Provider FROM spire-base AS oidc-discovery-provider @@ -93,4 +79,3 @@ ARG spiregid=1000 USER ${spireuid}:${spiregid} ENTRYPOINT ["/opt/spire/bin/oidc-discovery-provider"] COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/oidc-discovery-provider /opt/spire/bin/ -WORKDIR /opt/spire From ba113fe890a37528a612112b51b000c1e7daf210 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 14:47:26 -0300 Subject: [PATCH 12/27] Avoid mounting volumes that are not needed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- .../conf/server/spire-server.yaml | 7 ------- .../conf/server/base/spire-server.yaml | 7 ------- 2 files changed, 14 deletions(-) diff --git a/test/integration/suites/upstream-authority-cert-manager/conf/server/spire-server.yaml b/test/integration/suites/upstream-authority-cert-manager/conf/server/spire-server.yaml index c8bfa4c394..5370924e54 100644 --- a/test/integration/suites/upstream-authority-cert-manager/conf/server/spire-server.yaml 
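Review bot: The agent stage now relies on `COPY` to create the parents of `/etc/spire/agent`, `/run/spire/agent/public`, `/var/lib/spire/agent` and `/tmp/spire-agent/public` implicitly, because the `install -d` lines that created `/etc/spire`, `/run/spire`, `/var/lib/spire` and `/tmp` with explicit ownership and modes were removed in this commit's first hunk; the server-stage COPYs above have the same property. Their owner and mode are therefore whatever BuildKit assigns to implicitly created parents — presumably root-owned with a default mode, but that is inferred rather than visible here — and `/tmp` in particular no longer gets the `1777` sticky-bit mode the removed line gave it. Either re-add the parents with the intended modes in the base stage, or put a comment above this COPY block such as `# Parent dirs (/etc/spire, /run/spire, /var/lib/spire, /tmp) are created implicitly by COPY; verify owner/mode, /tmp is not sticky`.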
+++ b/test/integration/suites/upstream-authority-cert-manager/conf/server/spire-server.yaml @@ -128,9 +128,6 @@ spec: - name: spire-config mountPath: /run/spire/config readOnly: true - - name: spire-server-socket - mountPath: /tmp/spire-server/private - readOnly: false livenessProbe: httpGet: path: /live @@ -147,7 +144,3 @@ spec: - name: spire-config configMap: name: spire-server - - name: spire-server-socket - hostPath: - path: /run/spire/server-sockets - type: DirectoryOrCreate diff --git a/test/integration/suites/upstream-authority-vault/conf/server/base/spire-server.yaml b/test/integration/suites/upstream-authority-vault/conf/server/base/spire-server.yaml index db9ee52b4d..05b8bfe53c 100644 --- a/test/integration/suites/upstream-authority-vault/conf/server/base/spire-server.yaml +++ b/test/integration/suites/upstream-authority-vault/conf/server/base/spire-server.yaml @@ -201,9 +201,6 @@ spec: - name: spire-config mountPath: /run/spire/config readOnly: true - - name: spire-server-socket - mountPath: /tmp/spire-server/private - readOnly: false - name: vault-tls mountPath: "/run/spire/vault" readOnly: true @@ -223,10 +220,6 @@ spec: - name: spire-config configMap: name: spire-server - - name: spire-server-socket - hostPath: - path: /run/spire/server-sockets - type: DirectoryOrCreate - name: vault-tls secret: secretName: vault-tls From 3724d67ef36e4e13cb87c21921c1591be1367fd0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 16:08:31 -0300 Subject: [PATCH 13/27] Use uid 1000 instead of 1001 in svidstore integration test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- test/integration/suites/svidstore/common | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/integration/suites/svidstore/common b/test/integration/suites/svidstore/common index f94d6b5ff1..b2a8b81341 100644 
--- a/test/integration/suites/svidstore/common +++ b/test/integration/suites/svidstore/common @@ -23,7 +23,7 @@ check-stored-svids() { fi done - docker-compose exec -u 1001 -T spire-server \ + docker-compose exec -u 1000 -T spire-server \ /opt/spire/conf/server/checkstoredsvids /opt/spire/conf/agent/svids.json || fail-now "failed to check stored svids" } @@ -48,6 +48,6 @@ check-deleted-svids() { fail-now "timed out waiting for agent to delete all svids" fi - docker-compose exec -u 1001 -T spire-server \ + docker-compose exec -u 1000 -T spire-server \ /opt/spire/conf/server/checkstoredsvids /opt/spire/conf/agent/svids.json || fail-now "failed to check stored svids" } From 6ba64d073795bd8157778b8c06688db803a7fd19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 16:30:09 -0300 Subject: [PATCH 14/27] Update permissions in shared directores for nested rotation integration test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- test/integration/suites/nested-rotation/00-setup | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/integration/suites/nested-rotation/00-setup b/test/integration/suites/nested-rotation/00-setup index 42e1daced0..960dd21df9 100755 --- a/test/integration/suites/nested-rotation/00-setup +++ b/test/integration/suites/nested-rotation/00-setup @@ -1,13 +1,13 @@ #!/bin/bash # create shared folder for root agent socket -mkdir -p -m 644 shared/rootSocket +mkdir -p -m 777 shared/rootSocket # create shared folder for intermediateA agent socket -mkdir -p -m 644 shared/intermediateASocket +mkdir -p -m 777 shared/intermediateASocket # create shared folder for intermediateB agent socket -mkdir -p -m 644 shared/intermediateBSocket +mkdir -p -m 777 shared/intermediateBSocket # root certificates "${ROOTDIR}/setup/x509pop/setup.sh" root/server root/agent 
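Review bot: `mkdir -p -m 777` makes the three shared socket directories world-writable on the test host, so any local user can remove or replace a socket that a container will later connect to; the old `644` failed because a directory without the execute bit cannot be traversed, not because everyone needed write access. Given that the root agent runs as root in this series' compose change, only the intermediate agents (presumably uid 1000, which cannot be confirmed from this hunk) need to create sockets here, so `mkdir -p -m 1777` keeps the sticky bit so only a socket's creator can remove it, and `chown`ing the directories to that uid with `755` would be tighter still if the host runner is able to. The point applies to all three `mkdir` lines in this hunk.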
From 3fd06ed86e54375b0b23e5abe259f26c7c748157 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 17:38:31 -0300 Subject: [PATCH 15/27] Fix root-agent Docker compose definition in the nested rotation integration test to be able to access the Docker daemon socket MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- test/integration/suites/nested-rotation/docker-compose.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/integration/suites/nested-rotation/docker-compose.yaml b/test/integration/suites/nested-rotation/docker-compose.yaml index cb8b92ffcf..3dd9b52c9e 100644 --- a/test/integration/suites/nested-rotation/docker-compose.yaml +++ b/test/integration/suites/nested-rotation/docker-compose.yaml @@ -19,6 +19,8 @@ services: - ./root/agent:/opt/spire/conf/agent - /var/run/docker.sock:/var/run/docker.sock command: ["-config", "/opt/spire/conf/agent/agent.conf"] + # Make sure that we can access the Docker daemon socket + user: 0:0 # IntermediateA intermediateA-server: # Share the host pid namespace so this server can be attested by the root agent From 62b12d4d93e2388890e4b4a7f6ec47b2d71f7ec1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 18:36:01 -0300 Subject: [PATCH 16/27] Fix k8s integration test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- test/integration/suites/k8s/conf/agent/spire-agent.yaml | 4 ++++ test/integration/suites/k8s/conf/server/spire-server.yaml | 7 ------- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/test/integration/suites/k8s/conf/agent/spire-agent.yaml b/test/integration/suites/k8s/conf/agent/spire-agent.yaml index fdd901c78d..facdf8e66f 100644 --- a/test/integration/suites/k8s/conf/agent/spire-agent.yaml 
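Review bot: `user: 0:0` runs the root agent as uid 0 solely so it can open `/var/run/docker.sock`; if the socket is group-accessible on the test host, `group_add` with that group while keeping the image's unprivileged user would be the narrower fix, and in either case the value should be quoted, `user: "0:0"`, so no YAML loader can retype it. The same `user: 0:0` is added to the delegatedidentity compose file in PATCH 17 of this series without any comment explaining why root is required there; mirror this hunk's `# Make sure that we can access the Docker daemon socket` comment with the actual reason for that suite.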
+++ b/test/integration/suites/k8s/conf/agent/spire-agent.yaml
@@ -111,6 +111,10 @@ spec:
 hostNetwork: true
 dnsPolicy: ClusterFirstWithHostNet
 serviceAccountName: spire-agent
+ # Make sure that we can create the directory for the socket in the host
+ securityContext:
+ runAsUser: 0
+ runAsGroup: 0
 containers:
 - name: spire-agent
 image: spire-agent:latest-local
diff --git a/test/integration/suites/k8s/conf/server/spire-server.yaml b/test/integration/suites/k8s/conf/server/spire-server.yaml
index b206991e9c..bad6a2a7b0 100644
--- a/test/integration/suites/k8s/conf/server/spire-server.yaml
+++ b/test/integration/suites/k8s/conf/server/spire-server.yaml
@@ -199,9 +199,6 @@ spec:
 - name: spire-config
 mountPath: /run/spire/config
 readOnly: true
- - name: spire-server-socket
- mountPath: /tmp/spire-server/private
- readOnly: false
 livenessProbe:
 httpGet:
 path: /live
@@ -218,10 +215,6 @@ spec:
 - name: spire-config
 configMap:
 name: spire-server
- - name: spire-server-socket
- hostPath:
- path: /run/spire/server-sockets
- type: DirectoryOrCreate
 ---
From 1038bcc5ddc6ec347422f038af62b4b000748c08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?=
Date: Thu, 14 Mar 2024 19:10:09 -0300
Subject: [PATCH 17/27] Fix Delegated Identity API integration test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Agustín Martínez Fayó
---
 test/integration/suites/delegatedidentity/docker-compose.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test/integration/suites/delegatedidentity/docker-compose.yaml b/test/integration/suites/delegatedidentity/docker-compose.yaml
index 0e67183c23..4e341e685d 100644
--- a/test/integration/suites/delegatedidentity/docker-compose.yaml
+++ b/test/integration/suites/delegatedidentity/docker-compose.yaml
@@ -13,3 +13,4 @@ services:
 volumes:
 - ./conf/agent:/opt/spire/conf/agent
 command: ["-config", "/opt/spire/conf/agent/agent.conf"]
+ user: 0:0
From 7745e96131d432445c4fdfcd027e310c3c670c5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 19:19:06 -0300 Subject: [PATCH 18/27] Fix node attestation integration test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- test/integration/suites/node-attestation/00-setup | 2 -- .../suites/node-attestation/03-test-node-attestation | 10 +++++----- .../node-attestation/04-test-x509pop-attestation | 4 ++-- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/test/integration/suites/node-attestation/00-setup b/test/integration/suites/node-attestation/00-setup index b8b14e18fd..9bb3aae582 100755 --- a/test/integration/suites/node-attestation/00-setup +++ b/test/integration/suites/node-attestation/00-setup @@ -5,8 +5,6 @@ echo ${ROOTDIR} # Move test x509pop certificate and key mv conf/agent.key.pem conf/agent/test.key.pem mv conf/agent.crt.pem conf/agent/test.crt.pem -# add read access to prevent error when reading with user 1001 -chmod +r conf/agent/test.key.pem "${ROOTDIR}/setup/node-attestation/build.sh" "${RUNDIR}/conf/server/node-attestation" "${ROOTDIR}/setup/node-attestation/build.sh" "${RUNDIR}/conf/agent/node-attestation" diff --git a/test/integration/suites/node-attestation/03-test-node-attestation b/test/integration/suites/node-attestation/03-test-node-attestation index fcc83e5e2e..c493b63d8d 100755 --- a/test/integration/suites/node-attestation/03-test-node-attestation +++ b/test/integration/suites/node-attestation/03-test-node-attestation 
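Review bot: Dropping `chmod +r conf/agent/test.key.pem` is the right direction (the private key no longer has to be world-readable), but the hunk now relies on the host file's owner matching the uid 1000 the agent container runs as, and nothing visible in the checkout guarantees that. A one-line `# test.key.pem must be readable by uid 1000, the spire-agent container user (see spireuid in the Dockerfile)` above the `mv` lines would record the assumption for the next person whose CI runner checks the repository out as a different uid.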
@@ -1,31 +1,31 @@ #!/bin/bash # Test node attestation api -jointoken=`docker-compose exec -u 1001 -T spire-server /opt/spire/conf/server/node-attestation -testStep jointoken` +jointoken=`docker-compose exec -u 1000 -T spire-server /opt/spire/conf/server/node-attestation -testStep jointoken` echo "Created Join Token" $jointoken -svid1=`docker-compose exec -u 1001 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep jointokenattest -tokenName $jointoken` +svid1=`docker-compose exec -u 1000 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep jointokenattest -tokenName $jointoken` if [[ $? -ne 0 ]]; then fail-now "Failed to do initial join token attestation" fi echo "Received initial SVID:" $svid1 -svid2=`docker-compose exec -u 1001 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep renew -certificate "${svid1}"` +svid2=`docker-compose exec -u 1000 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep renew -certificate "${svid1}"` if [[ $? -ne 0 ]]; then fail-now "Failed to do SVID renewal" fi echo "Received renewed SVID:" $svid2 -docker-compose exec -u 1001 -T spire-server /opt/spire/conf/server/node-attestation -testStep ban -tokenName ${jointoken} +docker-compose exec -u 1000 -T spire-server /opt/spire/conf/server/node-attestation -testStep ban -tokenName ${jointoken} if [[ $? -ne 0 ]]; then fail-now "Failed to do initial join token attestation" fi echo "Agent banned" -if docker-compose exec -u 1001 -T spire-server /opt/spire/conf/server/node-attestation -testStep renew -certificate "${svid2}" +if docker-compose exec -u 1000 -T spire-server /opt/spire/conf/server/node-attestation -testStep renew -certificate "${svid2}" then fail-now "Expected agent to be banned" fi diff --git a/test/integration/suites/node-attestation/04-test-x509pop-attestation b/test/integration/suites/node-attestation/04-test-x509pop-attestation index c652c7acd6..207194e7ac 100755 
--- a/test/integration/suites/node-attestation/04-test-x509pop-attestation +++ b/test/integration/suites/node-attestation/04-test-x509pop-attestation @@ -5,10 +5,10 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/admin" \ - -selector "unix:uid:1001" \ + -selector "unix:uid:1000" \ -admin \ -ttl 0 check-synced-entry "spire-agent" "spiffe://domain.test/admin" log-debug "running x509pop test..." -docker-compose exec -u 1001 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep x509pop || fail-now "failed to check x509pop attestion" +docker-compose exec -u 1000 -T spire-agent /opt/spire/conf/agent/node-attestation -testStep x509pop || fail-now "failed to check x509pop attestion" From 040b985bd9d8aad4fb55251859c719175f09f47b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 19:43:24 -0300 Subject: [PATCH 19/27] Fix Ghostunnel-Federation integration test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- .../suites/ghostunnel-federation/04-create-workload-entries | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/integration/suites/ghostunnel-federation/04-create-workload-entries b/test/integration/suites/ghostunnel-federation/04-create-workload-entries index d116cbe4bc..edd691b721 100755 --- a/test/integration/suites/ghostunnel-federation/04-create-workload-entries +++ b/test/integration/suites/ghostunnel-federation/04-create-workload-entries 
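Review bot: `-selector "unix:uid:1000"` now registers the admin entry against the same uid the spire-agent image itself runs as (`USER ${spireuid}:${spiregid}` with `spireuid=1000` in the Dockerfile hunks of this series), so the unix workload attestor can no longer tell the admin client apart from the agent's own process. The delegatedidentity suite later in this series ends up with the better pattern, a distinct uid placed in the gid that can reach the socket: `docker-compose exec -u 1001:1000 -T spire-agent ...` paired with `-selector "unix:uid:1001"`. The same change here would keep the admin entry meaningful; the `-u 1000` client invocations in the 03-test-node-attestation hunk above would need the matching uid.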
@@ -7,7 +7,7 @@ docker-compose exec -T downstream-spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://downstream-domain.test/spire/agent/x509pop/$(fingerprint conf/downstream/agent/agent.crt.pem)" \ -spiffeID "spiffe://downstream-domain.test/downstream-workload" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:0" \ -federatesWith "spiffe://upstream-domain.test" \ -ttl 0 @@ -16,6 +16,6 @@ docker-compose exec -T upstream-spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://upstream-domain.test/spire/agent/x509pop/$(fingerprint conf/upstream/agent/agent.crt.pem)" \ -spiffeID "spiffe://upstream-domain.test/upstream-workload" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:0" \ -federatesWith "spiffe://downstream-domain.test" \ -ttl 0 From 6571b6aff29c418520ef24ffe97a7b0b091f3c54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 19:52:20 -0300 Subject: [PATCH 20/27] Fix envoy-sds-v3 integration test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- test/integration/suites/envoy-sds-v3/00-test-envoy-releases | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/integration/suites/envoy-sds-v3/00-test-envoy-releases b/test/integration/suites/envoy-sds-v3/00-test-envoy-releases index e25eb18515..61eb93e3b8 100755 --- a/test/integration/suites/envoy-sds-v3/00-test-envoy-releases +++ b/test/integration/suites/envoy-sds-v3/00-test-envoy-releases @@ -19,7 +19,7 @@ setup-tests() { /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/upstream-agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/upstream-workload" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:0" \ -ttl 0 log-debug "creating registration entry for downstream workload..." 
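Review bot: `-selector "unix:uid:0"` ties the downstream and upstream workload entries to root, so any root process that reaches that agent's Workload API, not only the proxy, satisfies the entry. The envoy-sds-v3 and envoy-sds-v3-spiffe-auth hunks at L46 and L47 make the same change. If the proxy containers have to run as root in these compose files (not visible here), a comment next to the selector such as `# the proxy container runs as root in docker-compose.yaml` would stop a later reader from tightening it blindly; otherwise a non-root uid in the socket's gid, as the delegatedidentity suite uses later in this series, is the tighter fix.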
@@ -27,7 +27,7 @@ setup-tests() { /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/downstream-agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/downstream-workload" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:0" \ -ttl 0 } From f3e1e7111f7d63ae3d54a6f16899eba3a23888ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 20:04:47 -0300 Subject: [PATCH 21/27] Fix oidc-discovery-provider integration test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- .../suites/oidc-discovery-provider/docker-compose.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/integration/suites/oidc-discovery-provider/docker-compose.yaml b/test/integration/suites/oidc-discovery-provider/docker-compose.yaml index bce24a1bf5..a191fe1468 100644 --- a/test/integration/suites/oidc-discovery-provider/docker-compose.yaml +++ b/test/integration/suites/oidc-discovery-provider/docker-compose.yaml @@ -15,6 +15,7 @@ services: - ./conf/agent:/opt/spire/conf/agent - /var/run/docker.sock:/var/run/docker.sock command: [ "-config", "/opt/spire/conf/agent/agent.conf" ] + user: 0:0 oidc-discovery-provider-server: image: oidc-discovery-provider:latest-local hostname: oidc-discovery-provider-server @@ -24,6 +25,7 @@ services: - ./conf/agent:/opt/spire/conf/agent - ./conf/server:/opt/spire/conf/server command: [ "-config", "/opt/spire/conf/oidc-discovery-provider/provider-server-api.conf" ] + user: 0:0 oidc-discovery-provider-workload: pid: "host" image: oidc-discovery-provider:latest-local @@ -37,3 +39,4 @@ services: - ./conf/agent:/opt/spire/conf/agent - ./conf/server:/opt/spire/conf/server command: [ "-config", "/opt/spire/conf/oidc-discovery-provider/provider-workload-api.conf" ] + user: 0:0 From d112fcb5094c144ca21fdcec04a4fd96054f339c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 14 Mar 2024 20:11:38 -0300 Subject: [PATCH 22/27] Fix envoy-sds-v3-spiffe-auth integration test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- .../envoy-sds-v3-spiffe-auth/00-test-envoy-releases.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/integration/suites/envoy-sds-v3-spiffe-auth/00-test-envoy-releases.sh b/test/integration/suites/envoy-sds-v3-spiffe-auth/00-test-envoy-releases.sh index 89ee88ce6a..4fc8e8fa6b 100755 --- a/test/integration/suites/envoy-sds-v3-spiffe-auth/00-test-envoy-releases.sh +++ b/test/integration/suites/envoy-sds-v3-spiffe-auth/00-test-envoy-releases.sh @@ -57,7 +57,7 @@ setup-tests() { /opt/spire/bin/spire-server entry create \ -parentID "spiffe://federated-domain.test/spire/agent/x509pop/$(fingerprint conf/downstream-federated/agent/agent.crt.pem)" \ -spiffeID "spiffe://federated-domain.test/downstream-proxy" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:0" \ -federatesWith "spiffe://domain.test" \ -ttl 0 @@ -66,7 +66,7 @@ setup-tests() { /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/upstream/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/upstream-proxy" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:0" \ -federatesWith "spiffe://federated-domain.test" \ -ttl 0 @@ -75,7 +75,7 @@ setup-tests() { /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/downstream/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/downstream-proxy" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:0" \ -ttl 0 } From 12b4ef6ecf28b46290538b281c43a312d7bb0fb7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Fri, 15 Mar 2024 10:58:34 -0300 Subject: [PATCH 23/27] Update Dockerfile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- Dockerfile | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0e0a1b0225..8f407a6c77 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,10 +23,6 @@ ARG TARGETPLATFORM ARG TARGETARCH COPY --link --from=xx / / -# Set up directories that SPIRE expects by default -# Set up base directories -RUN install -d /empty-dir - RUN xx-go --wrap RUN set -e ; xx-apk --no-cache --update add build-base musl-dev libseccomp-dev ENV CGO_ENABLED=1 
@@ -37,16 +33,30 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 for f in $(find bin -executable -type f); do xx-verify $f; done
 FROM --platform=${BUILDPLATFORM} scratch AS spire-base
+COPY --link --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+WORKDIR /opt/spire
+
+# Preparation environment for setting up directories
+FROM alpine as prep-server
+RUN mkdir -p /opt/spire/bin \
+ /etc/spire/server \
+ /run/spire/server/private \
+ /tmp/spire-server/private \
+ /var/lib/spire/server
+
+FROM alpine as prep-agent
+RUN mkdir -p /opt/spire/bin \
+ /etc/spire/agent \
+ /run/spire/agent/public \
+ /tmp/spire-agent/public \
+ /var/lib/spire/agent
+
 # For users that wish to run SPIRE containers as a non-root user,
-# provide a default unprivileged user such that the default paths
+# a default unprivileged user is provided such that the default paths
 # that SPIRE will try to read from, write to, and create at runtime
 # can be given the correct file ownership/permissions at build time.
-ARG spireuid=1000
-ARG spiregid=1000
-CMD []
-COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=777 /empty-dir /opt/spire
-COPY --link --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-WORKDIR /opt/spire
+# This is done through the spireuid and spiregid arguments that the
+# spire-server, spire-agent, and oidc-discovery-provider build stages use.
 # SPIRE Server
 FROM spire-base AS spire-server
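Review bot: `FROM alpine as prep-server` and `FROM alpine as prep-agent` pull a floating tag, so what these stages contain can change between builds even though only `mkdir` runs in them; a version- or digest-pinned reference, e.g. `FROM alpine:<pinned tag or digest> AS prep-server`, keeps the build reproducible and auditable. The lowercase `as` also breaks with the `AS spire-base` / `AS spire-server` spelling used in the rest of the file. Both points apply equally to the renamed `prep-spire-server` / `prep-spire-agent` stages at L51. Minor: `--chmod=755` on `ca-certificates.crt` sets execute bits on a data file, `--chmod=644` is enough.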
@@ -54,10 +64,7 @@ ARG spireuid=1000
 ARG spiregid=1000
 USER ${spireuid}:${spiregid}
 ENTRYPOINT ["/opt/spire/bin/spire-server", "run"]
-COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /etc/spire/server
-COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /run/spire/server/private
-COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /var/lib/spire/server
-COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /tmp/spire-server/private
+COPY --link --from=prep-server --chown=${spireuid}:${spiregid} --chmod=755 / /
 COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-server /opt/spire/bin/
 # SPIRE Agent
@@ -66,10 +73,7 @@ ARG spireuid=1000
 ARG spiregid=1000
 USER ${spireuid}:${spiregid}
 ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"]
-COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /etc/spire/agent
-COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /run/spire/agent/public
-COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /var/lib/spire/agent
-COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /empty-dir /tmp/spire-agent/public
+COPY --link --from=prep-agent --chown=${spireuid}:${spiregid} --chmod=755 / /
 COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-agent /opt/spire/bin/
 # OIDC Discovery Provider
From 914cc93ee8c9d35a2db8e411a8111c5df585ec31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?=
Date: Fri, 15 Mar 2024 13:01:39 -0300
Subject: [PATCH 24/27] Update Dockerfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Agustín Martínez Fayó
---
 Dockerfile | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 8f407a6c77..106f2aa82b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -37,19 +37,19 @@ COPY --link --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certi
 WORKDIR /opt/spire
 # Preparation environment for setting up directories
-FROM alpine as prep-server
-RUN mkdir -p /opt/spire/bin \
- /etc/spire/server \
- /run/spire/server/private \
- /tmp/spire-server/private \
- /var/lib/spire/server
+FROM alpine as prep-spire-server
+RUN mkdir -p /spireroot/opt/spire/bin \
+ /spireroot/etc/spire/server \
+ /spireroot/run/spire/server/private \
+ /spireroot/tmp/spire-server/private \
+ /spireroot/var/lib/spire/server
-FROM alpine as prep-agent
-RUN mkdir -p /opt/spire/bin \
- /etc/spire/agent \
- /run/spire/agent/public \
- /tmp/spire-agent/public \
- /var/lib/spire/agent
+FROM alpine as prep-spire-agent
+RUN mkdir -p /spireroot/opt/spire/bin \
+ /spireroot/etc/spire/agent \
+ /spireroot/run/spire/agent/public \
+ /spireroot/tmp/spire-agent/public \
+ /spireroot/var/lib/spire/agent
 # For users that wish to run SPIRE containers as a non-root user,
 # a default unprivileged user is provided such that the default paths
@@ -64,7 +64,7 @@ ARG spireuid=1000
 ARG spiregid=1000
 USER ${spireuid}:${spiregid}
 ENTRYPOINT ["/opt/spire/bin/spire-server", "run"]
-COPY --link --from=prep-server --chown=${spireuid}:${spiregid} --chmod=755 / /
+COPY --link --from=prep-spire-server --chown=${spireuid}:${spiregid} --chmod=755 /spireroot /
 COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-server /opt/spire/bin/
 # SPIRE Agent
@@ -73,7 +73,7 @@ ARG spireuid=1000
 ARG spiregid=1000
 USER ${spireuid}:${spiregid}
 ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"]
-COPY --link --from=prep-agent --chown=${spireuid}:${spiregid} --chmod=755 / /
+COPY --link --from=prep-spire-agent --chown=${spireuid}:${spiregid} --chmod=755 /spireroot /
 COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-agent /opt/spire/bin/
 # OIDC Discovery Provider
From 8cf45783623dfc8cd37831f1799c8ab52533866d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?=
Date: Mon, 18 Mar 2024 15:25:29 -0300
Subject: [PATCH 25/27] Do not run as root when not needed. Remove WORKDIR in Dockerfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Agustín Martínez Fayó
---
 Dockerfile | 1 -
 .../suites/delegatedidentity/04-create-registration-entries | 2 +-
 test/integration/suites/delegatedidentity/05-test-endpoints | 4 ++--
 .../suites/delegatedidentity/docker-compose.yaml | 1 -
 .../suites/oidc-discovery-provider/docker-compose.yaml | 6 +++---
 5 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 106f2aa82b..458351b644 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,7 +34,6 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 FROM --platform=${BUILDPLATFORM} scratch AS spire-base
 COPY --link --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-WORKDIR /opt/spire
 # Preparation environment for setting up directories
 FROM alpine as prep-spire-server
diff --git a/test/integration/suites/delegatedidentity/04-create-registration-entries b/test/integration/suites/delegatedidentity/04-create-registration-entries
index d21a2505a3..9066954d7d 100755
--- a/test/integration/suites/delegatedidentity/04-create-registration-entries
+++ b/test/integration/suites/delegatedidentity/04-create-registration-entries
@@ -5,7 +5,7 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/authorized_delegate" \ - -selector "unix:uid:1001" \ + -selector "unix:uid:1000" \ -ttl 0 check-synced-entry "spire-agent" "spiffe://domain.test/authorized_delegate" diff --git a/test/integration/suites/delegatedidentity/05-test-endpoints b/test/integration/suites/delegatedidentity/05-test-endpoints index 78f3011028..81ea845408 100755 --- a/test/integration/suites/delegatedidentity/05-test-endpoints +++ b/test/integration/suites/delegatedidentity/05-test-endpoints @@ -1,9 +1,9 @@ #!/bin/bash log-info "Test Delegated Identity API (for success)" -docker-compose exec -u 1001 -T spire-agent \ +docker-compose exec -u 1001:1000 -T spire-agent \ /opt/spire/conf/agent/delegatedidentityclient -expectedID spiffe://domain.test/workload || fail-now "Failed to check Delegated Identity API" log-info "Test Delegated Identity API (expecting permission denied)" -docker-compose exec -u 1002 -T spire-agent \ +docker-compose exec -u 1002:1000 -T spire-agent \ /opt/spire/conf/agent/delegatedidentityclient || fail-now "Failed to check Delegated Identity API" diff --git a/test/integration/suites/delegatedidentity/docker-compose.yaml b/test/integration/suites/delegatedidentity/docker-compose.yaml index 4e341e685d..0e67183c23 100644 --- a/test/integration/suites/delegatedidentity/docker-compose.yaml +++ b/test/integration/suites/delegatedidentity/docker-compose.yaml @@ -13,4 +13,3 @@ services: volumes: - ./conf/agent:/opt/spire/conf/agent command: ["-config", "/opt/spire/conf/agent/agent.conf"] - user: 0:0 diff --git a/test/integration/suites/oidc-discovery-provider/docker-compose.yaml b/test/integration/suites/oidc-discovery-provider/docker-compose.yaml index a191fe1468..6857a1332c 100644 --- a/test/integration/suites/oidc-discovery-provider/docker-compose.yaml 
+++ b/test/integration/suites/oidc-discovery-provider/docker-compose.yaml
@@ -15,7 +15,7 @@ services:
 - ./conf/agent:/opt/spire/conf/agent
 - /var/run/docker.sock:/var/run/docker.sock
 command: [ "-config", "/opt/spire/conf/agent/agent.conf" ]
- user: 0:0
+ user: 0:0 # Required to access the Docker daemon socket
 oidc-discovery-provider-server:
 image: oidc-discovery-provider:latest-local
 hostname: oidc-discovery-provider-server
@@ -25,7 +25,7 @@ services:
 - ./conf/agent:/opt/spire/conf/agent
 - ./conf/server:/opt/spire/conf/server
 command: [ "-config", "/opt/spire/conf/oidc-discovery-provider/provider-server-api.conf" ]
- user: 0:0
+ user: 0:0 # Required to access the Docker daemon socket
 oidc-discovery-provider-workload:
 pid: "host"
 image: oidc-discovery-provider:latest-local
@@ -39,4 +39,4 @@ services:
 - ./conf/agent:/opt/spire/conf/agent
 - ./conf/server:/opt/spire/conf/server
 command: [ "-config", "/opt/spire/conf/oidc-discovery-provider/provider-workload-api.conf" ]
- user: 0:0
+ user: 0:0 # Required to access the Docker daemon socket
From 1b94174279bae47df56c728849be1909b0d40224 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?=
Date: Mon, 18 Mar 2024 19:44:03 -0300
Subject: [PATCH 26/27] Fix integration tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Agustín Martínez Fayó
---
 Dockerfile | 1 +
 .../suites/delegatedidentity/04-create-registration-entries | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 458351b644..106f2aa82b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,6 +34,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 FROM --platform=${BUILDPLATFORM} scratch AS spire-base
 COPY --link --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+WORKDIR /opt/spire
 # Preparation environment for setting up directories
 FROM alpine as prep-spire-server
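Review bot: `user: 0:0 # Required to access the Docker daemon socket` is added to all three services, but only the first service's context shows the `/var/run/docker.sock` mount; for `oidc-discovery-provider-server` and `oidc-discovery-provider-workload` the visible volumes are just `./conf/agent` and `./conf/server`. If those two services do not mount the socket higher up in the file, the comment is wrong for them and, given this commit's own subject ("Do not run as root when not needed"), their `user: 0:0` lines should go the way of the delegatedidentity one; if they do mount it, a comment naming that mount (`# Required to access the Docker daemon socket mounted under volumes above`) makes the justification checkable.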
diff --git a/test/integration/suites/delegatedidentity/04-create-registration-entries b/test/integration/suites/delegatedidentity/04-create-registration-entries index 9066954d7d..d21a2505a3 100755 --- a/test/integration/suites/delegatedidentity/04-create-registration-entries +++ b/test/integration/suites/delegatedidentity/04-create-registration-entries @@ -5,7 +5,7 @@ docker-compose exec -T spire-server \ /opt/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/authorized_delegate" \ - -selector "unix:uid:1000" \ + -selector "unix:uid:1001" \ -ttl 0 check-synced-entry "spire-agent" "spiffe://domain.test/authorized_delegate" From 8dd99c7be7c4dd5b66825785a41b96457df6c81f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Fri, 31 May 2024 10:09:53 -0300 Subject: [PATCH 27/27] Add comment about securityContext needed for hostPath volume MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- .../suites/k8s/conf/agent/spire-agent.yaml | 37 +++++++++---------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/test/integration/suites/k8s/conf/agent/spire-agent.yaml b/test/integration/suites/k8s/conf/agent/spire-agent.yaml index facdf8e66f..0d336dd009 100644 --- a/test/integration/suites/k8s/conf/agent/spire-agent.yaml +++ b/test/integration/suites/k8s/conf/agent/spire-agent.yaml 
@@ -6,36 +6,32 @@ metadata:
 namespace: spire
 ---
-
 # Required cluster role to allow spire-agent to query k8s API server
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: spire-agent-cluster-role
 rules:
-- apiGroups: [""]
- resources: ["pods","nodes","nodes/proxy"]
- verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["pods", "nodes", "nodes/proxy"]
+ verbs: ["get"]
 ---
-
 # Binds above cluster role to spire-agent service account
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: spire-agent-cluster-role-binding
 subjects:
-- kind: ServiceAccount
- name: spire-agent
- namespace: spire
+ - kind: ServiceAccount
+ name: spire-agent
+ namespace: spire
 roleRef:
 kind: ClusterRole
 name: spire-agent-cluster-role
 apiGroup: rbac.authorization.k8s.io
-
 ---
-
 # ConfigMap for the SPIRE agent featuring:
 # 1) PSAT node attestation
 # 2) K8S Workload Attestation over the secure kubelet port
@@ -86,7 +82,6 @@ data:
 }
 ---
-
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -111,12 +106,14 @@ spec:
 hostNetwork: true
 dnsPolicy: ClusterFirstWithHostNet
 serviceAccountName: spire-agent
- # Make sure that we can create the directory for the socket in the host
- securityContext:
- runAsUser: 0
- runAsGroup: 0
 containers:
 - name: spire-agent
+ # Make sure that we can create the directory for the socket in the host,
+ # this is needed because we use a hostPath volume to share the socket
+ # for the Workload API.
+ securityContext:
+ runAsUser: 0
+ runAsGroup: 0
 image: spire-agent:latest-local
 imagePullPolicy: Never
 args: ["-config", "/run/spire/config/agent.conf"]
@@ -151,6 +148,8 @@ spec:
 - name: spire-bundle
 configMap:
 name: spire-bundle
+ # The volume containing the SPIRE Agent socket that will be used by
+ # the workload container.
 - name: spire-agent-socket
 hostPath:
 path: /run/spire/agent-sockets
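Review bot: Moving `securityContext` onto the `spire-agent` container narrows root to that one container, which is an improvement over the pod-level setting it replaces, but the agent still runs as uid 0 for its whole lifetime only so that it can create the socket directory under the `hostPath` volume. A tighter arrangement is an init container (a small image with a shell) that creates and chowns `/run/spire/agent-sockets` to the uid the image already defaults to (`spireuid=1000` in the Dockerfile hunks of this series), after which the agent container can drop `runAsUser: 0` / `runAsGroup: 0` entirely. If that is more than the suite wants, the comment should at least state that the agent's own directories inside the image are already owned by 1000 and only the hostPath mount needs root, so nobody widens this further.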
@@ -158,7 +157,7 @@ spec:
 - name: spire-token
 projected:
 sources:
- - serviceAccountToken:
- path: spire-agent
- expirationSeconds: 7200
- audience: spire-server
+ - serviceAccountToken:
+ path: spire-agent
+ expirationSeconds: 7200
+ audience: spire-server