Allow additional CRs to be managed by the chart (#117)

* Add support for the new spire-controller-manager class feature Signed-off-by: Kevin Fox <[email protected]> * Fix docs. Swich nested deployment to use controller manager Signed-off-by: Kevin Fox <[email protected]> * Incorperate feedback Signed-off-by: Kevin Fox <[email protected]> * Test with nightly Signed-off-by: Kevin Fox <[email protected]> * Fix global object naming clash Signed-off-by: Kevin Fox <[email protected]> * Fix missing dot Signed-off-by: Kevin Fox <[email protected]> * Fix naming conflict with cluster ids Signed-off-by: Kevin Fox <[email protected]> * Fix scoping issue Signed-off-by: Kevin Fox <[email protected]> * Fix typo Signed-off-by: Kevin Fox <[email protected]> * Fix webhook name collision Signed-off-by: Kevin Fox <[email protected]> * Fix webhook reference and add note to user about className Signed-off-by: Kevin Fox <[email protected]> * Upgrade has to work on the old version of the object before rename Signed-off-by: Kevin Fox <[email protected]> * Fix formatting Signed-off-by: Kevin Fox <[email protected]> * Remove extra junk from job Signed-off-by: Kevin Fox <[email protected]> * Easier local runs and wait for crds Signed-off-by: Kevin Fox <[email protected]> * Add missing crd upgrade Signed-off-by: Kevin Fox <[email protected]> * Update upgrade notes Signed-off-by: Kevin Fox <[email protected]> * Update charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml Co-authored-by: Marco Franssen <[email protected]> Signed-off-by: kfox1111 <[email protected]> * Incorperate feedback Signed-off-by: Kevin Fox <[email protected]> * Bump version to the released 0.4.0 Signed-off-by: kfox1111 <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Merge in crd changes from upstream Signed-off-by: Kevin Fox <[email protected]> * Add auto populate dns Signed-off-by: Kevin Fox <[email protected]> * Update charts/spire/README.md Co-authored-by: Faisal Memon <[email protected]> Signed-off-by: kfox1111 <[email protected]> * Add missing ClusterSPIFFEID fields There are a few options in the CRD not available via the chart. Sync them to the chart. Signed-off-by: Kevin Fox <[email protected]> * Add another missing one Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Allow additional CRs to be managed by the chart Sometimes additional ClusterSPIFFEIDs and the other CRs are needed. Add support for the end user to manage those extra CRs via the chart. Signed-off-by: Kevin Fox <[email protected]> * Add validation Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Add className to crs Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Incorperate feedback Signed-off-by: Kevin Fox <[email protected]> * Fix readme formatting Signed-off-by: Kevin Fox <[email protected]> * Update charts/spire/README.md Signed-off-by: kfox1111 <[email protected]> * Incorperate feedback Signed-off-by: Kevin Fox <[email protected]> * Apply suggestions from code review Co-authored-by: Faisal Memon <[email protected]> Signed-off-by: kfox1111 <[email protected]> * Apply suggestions from code review Co-authored-by: Faisal Memon <[email protected]> Signed-off-by: kfox1111 <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Remove dead code Signed-off-by: Kevin Fox <[email protected]> * Fix extra newline Signed-off-by: Kevin Fox <[email protected]> * Incorperate feedback Signed-off-by: Kevin Fox <[email protected]> --------- Signed-off-by: Kevin Fox <[email protected]> Signed-off-by: kfox1111 <[email protected]> Co-authored-by: Marco Franssen <[email protected]> Co-authored-by: Faisal Memon <[email protected]>
spiffe · Nov 28, 2023 · e030fa1 · e030fa1
1 parent d936293
commit e030fa1
Show file tree

Hide file tree

Showing 9 changed files with 420 additions and 244 deletions.
diff --git a/.github/tests/dependencies/spire-root-server-values.yaml b/.github/tests/dependencies/spire-root-server-values.yaml
@@ -6,13 +6,15 @@ global:
 spire-server:
   controllerManager:
     identities:
-      namespaceSelector:
-        kubernetes.io/metadata.name: spire-server
-      podSelector:
-        app.kubernetes.io/component: server
-        app.kubernetes.io/instance: spire
-        app.kubernetes.io/name: server
-      downstream: true
+      clusterSPIFFEIDs:
+        default:
+          namespaceSelector:
+            kubernetes.io/metadata.name: spire-server
+          podSelector:
+            app.kubernetes.io/component: server
+            app.kubernetes.io/instance: spire
+            app.kubernetes.io/name: server
+          downstream: true
   nodeAttestor:
     k8sPsat:
       serviceAccountAllowList:

diff --git a/charts/spire/README.md b/charts/spire/README.md
@@ -32,6 +32,10 @@ For production installs, please see [the production example](https://github.com/
 
 ## Upgrade notes
 
+### 0.16.X
+
+The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade.
+
 ### 0.15.X
 
 The spire-crds chart has been updated. Please ensure you have upgraded spire-crds before upgrading the spire chart.

diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
@@ -1,42 +1,68 @@
 {{- $root := . }}
-{{- with .Values.controllerManager }}
-{{- if and (eq (.enabled | toString) "true") (eq (.identities.enabled | toString) "true") }}
+{{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }}
+{{-   range $skey, $svalue := $value }}
+{{-     if not (has $skey (list "name" "annotations" "labels" "enabled" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames")) }}
+{{-       fail (printf "Unsupported property specified: %s" $skey) }}
+{{-     end }}
+{{-   end }}
+{{-   range $rprop := list "spiffeIDTemplate" }}
+{{-     if not (hasKey $value $rprop) }}
+{{-       fail (printf "Required property %s was not specified" $rprop) }}
+{{-     end }}
+{{-   end }}
+{{-   if eq ($root.Values.controllerManager.enabled | toString) "true" }}
+{{-     if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
+---
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
 metadata:
-  name: {{ $root.Release.Namespace }}-{{ include "spire-controller-manager.fullname" $root }}-service-account-based
-  namespace: {{ include "spire-server.namespace" $root }}
+  name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }}
+  {{- with $value.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.labels }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
-  spiffeIDTemplate: {{ .identities.spiffeIDTemplate | quote }}
-  {{- with .identities.federatesWith }}
+  className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+  spiffeIDTemplate: {{ $value.spiffeIDTemplate | quote }}
+  {{- with $value.federatesWith }}
   federatesWith:
   {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- with .identities.podSelector }}
+  {{- with $value.podSelector }}
   podSelector:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- with .identities.namespaceSelector }}
+  {{- with $value.namespaceSelector }}
   namespaceSelector:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- with .identities.dnsNameTemplates }}
+  {{- with $value.dnsNameTemplates }}
   dnsNameTemplates:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- with .identities.workloadSelectorTemplates }}
+  {{- with $value.workloadSelectorTemplates }}
   workloadSelectorTemplates:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- with .identities.ttl }}
+  {{- with $value.ttl }}
   ttl: {{ . | quote }}
   {{- end }}
-  {{- with .identities.jwtTTL }}
+  {{- with $value.jwtTTL }}
   jwtTtl: {{ . | quote }}
   {{- end }}
-  admin: {{ .identities.admin }}
-  downstream: {{ .identities.downstream }}
-  autoPopulateDNSNames: {{ .identities.autoPopulateDNSNames }}
-  className: {{ include "spire-server.controller-manager-class-name" $root | quote}}
-{{- end }}
+  {{- with $value.admin }}
+  admin: {{ . }}
+  {{- end }}
+  {{- with $value.downstream }}
+  downstream: {{ . }}
+  {{- end }}
+  {{- with $value.autoPopulateDNSNames }}
+  autoPopulateDNSNames: {{ . }}
+  {{- end }}
+{{-     end }}
+{{-   end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml b/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml
@@ -0,0 +1,45 @@
+{{- $root := . }}
+{{- range $key, $value := .Values.controllerManager.identities.clusterFederatedTrustDomains }}
+{{-   range $skey, $svalue := $value }}
+{{-     if not (has $skey (list "name" "annotations" "labels" "enabled" "bundleEndpointProfile" "bundleEndpointURL" "trustDomain" "trustDomainBundle")) }}
+{{-       fail (printf "Unsupported property specified: %s" $skey) }}
+{{-     end }}
+{{-   end }}
+{{-   range $rprop := list "bundleEndpointProfile" "bundleEndpointURL" "trustDomain" }}
+{{-     if not (hasKey $value $rprop) }}
+{{-       fail (printf "Required property %s was not specified" $rprop) }}
+{{-     end }}
+{{-   end }}
+{{-   if eq ($root.Values.controllerManager.enabled | toString) "true" }}
+{{-     if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
+---
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterFederatedTrustDomain
+metadata:
+  name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }}
+  {{- with $value.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.labels }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+  {{- with $value.bundleEndpointProfile }}
+  bundleEndpointProfile:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.bundleEndpointURL }}
+  bundleEndpointURL: {{ . | quote }}
+  {{- end }}
+  {{- with $value.trustDomain }}
+  trustDomain: {{ . | quote }}
+  {{- end }}
+  {{- with $value.trustDomainBundle }}
+  trustDomainBundle: {{ . | quote }}
+  {{- end }}
+{{-     end }}
+{{-   end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml b/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml
@@ -0,0 +1,63 @@
+{{- $root := . }}
+{{- range $key, $value := .Values.controllerManager.identities.clusterStaticEntries }}
+{{-   range $skey, $svalue := $value }}
+{{-     if not (has $skey (list "name" "annotations" "labels" "enabled" "admin" "dnsNames" "downstream" "federatesWith" "hint" "jwtSVIDTTL" "parentID" "selectors" "spiffeID" "x509SVIDTTL")) }}
+{{-       fail (printf "Unsupported property specified: %s" $skey) }}
+{{-     end }}
+{{-   end }}
+{{-   range $rprop := list "spiffeID" "selectors" "parentID" }}
+{{-     if not (hasKey $value $rprop) }}
+{{-       fail (printf "Required property %s was not specified" $rprop) }}
+{{-     end }}
+{{-   end }}
+{{-   if eq ($root.Values.controllerManager.enabled | toString) "true" }}
+{{-     if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
+---
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterStaticEntry
+metadata:
+  name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }}
+  {{- with $value.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.labels }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+  spiffeID: {{ $value.spiffeID | quote }}
+  {{- with $value.federatesWith }}
+  federatesWith:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.selectors }}
+  selectors:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.parentID }}
+  parentID: {{ . | quote }}
+  {{- end }}
+  {{- with $value.dnsNames }}
+  dnsNames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.hint }}
+  hint: {{ . | quote }}
+  {{- end }}
+  {{- with $value.x509SVIDTTL }}
+  x509SVIDTTL: {{ . | quote }}
+  {{- end }}
+  {{- with $value.jwtSVIDTTL }}
+  jwtSVIDTTL: {{ . | quote }}
+  {{- end }}
+  {{- with $value.admin }}
+  admin: {{ . }}
+  {{- end }}
+  {{- with $value.downstream }}
+  downstream: {{ . }}
+  {{- end }}
+{{-     end }}
+{{-   end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
@@ -445,38 +445,70 @@ controllerManager:
     - local-path-storage
 
   identities:
-    ## @param controllerManager.identities.enabled Flag to enable default identities for controller manager
-    enabled: true
-
-    ## @param controllerManager.identities.spiffeIDTemplate Spiffe ID template for identities
-    spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
-    ## @param controllerManager.identities.podSelector [object] Selector for pods to issue identity
-    podSelector: {}
-      # matchLabels:
-      #   spiffe.io/spiffe-id: "true"
-    ## @param controllerManager.identities.namespaceSelector [object] Selector for namespacs to issue identity
-    namespaceSelector: {}
-      # matchLabels:
-      #   spiffe.io/spiffe-id: "true"
-    ## @param controllerManager.identities.dnsNameTemplates [array] DNS name template for issued identities
-    dnsNameTemplates: []
-      # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local'
-    ## @param controllerManager.identities.federatesWith [array] Other Spire server URLs for identity federation
-    federatesWith: []
-    # - example.io
-    # - example.ai
-    ## @param controllerManager.identities.workloadSelectorTemplates [array] Templates to produce selectors that apply to a given workload before it will receive an ID
-    workloadSelectorTemplates: []
-    ## @param controllerManager.identities.ttl Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen.
-    ttl: ""
-    ## @param controllerManager.identities.jwtTTL Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen.
-    jwtTTL: ""
-    ## @param controllerManager.identities.admin Indicates any pod matched by this identity will be an admin. Use this with extreme care.
-    admin: false
-    ## @param controllerManager.identities.downstream Set if this spire instance is a root server and the workloads are downstream servers.
-    downstream: false
-    ## @param controllerManager.identities.autoPopulateDNSNames Auto populate DNS names from services attached to pods
-    autoPopulateDNSNames: false
+    clusterSPIFFEIDs:
+      # NOTE you can add multiple uniquely named entries to create multiple ClusterSPIFFEID objects. See example below.
+      default:
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable this identity for controller manager
+        enabled: true
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate Spiffe ID template for identities
+        spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.podSelector [object] Selector for pods to issue identity
+        podSelector: {}
+          # matchLabels:
+          #   spiffe.io/spiffe-id: "true"
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector [object] Selector for namespacs to issue identity
+        namespaceSelector: {}
+          # matchLabels:
+          #   spiffe.io/spiffe-id: "true"
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.dnsNameTemplates [array] DNS name template for issued identities
+        dnsNameTemplates: []
+          # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local'
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.federatesWith [array] Other Spire server URLs for identity federation
+        federatesWith: []
+        # - example.io
+        # - example.ai
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.workloadSelectorTemplates [array] Templates to produce selectors that apply to a given workload before it will receive an ID
+        workloadSelectorTemplates: []
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.ttl Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen.
+        ttl: ""
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.jwtTTL Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen.
+        jwtTTL: ""
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.admin Indicates any pod matched by this identity will be an admin. Use this with extreme care.
+        admin: false
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.downstream Set if this spire instance is a root server and the workloads are downstream servers.
+        downstream: false
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames Auto populate DNS names from services attached to pods
+        autoPopulateDNSNames: false
+
+      # You can specify additional ClusterSPIFFEIDs following this example:
+      # foo:
+      #   labels:
+      #     foo: bar
+      #   spiffeIDTemplate: spiffe://{{ .TrustDomain }}/foo
+      #   namespaceSelector:
+      #     matchLabels:
+      #       foo: bar
+
+    ## @param controllerManager.identities.clusterStaticEntries Specify ClusterStaticEntry objects.
+    clusterStaticEntries: {}
+    # foo:
+    #   labels:
+    #     foo: bar
+    #   parentID: spiffe://example.com/bar
+    #   spiffeID: spiffe://example.com/foo
+    #   selectors:
+    #   - k8s:pod-label:app.kubernetes.io/name:server
+
+    ## @param controllerManager.identities.clusterFederatedTrustDomains Specify ClusterFederatedTrustDomain objects.
+    clusterFederatedTrustDomains: {}
+    # foo:
+    #   labels:
+    #     foo: bar
+    #   bundleEndpointProfile:
+    #     endpointSPIFFEID: spiffe://example.com/foo
+    #     type: https_spiffe
+    #   bundleEndpointURL: https://rootserver.example.com:1234
+    #   trustDomain: example.com
 
   validatingWebhookConfiguration:
     ## @param controllerManager.validatingWebhookConfiguration.failurePolicy Action when identity is not issued

diff --git a/examples/nested/values.yaml b/examples/nested/values.yaml
@@ -11,7 +11,9 @@ spire-server:
   controllerManager:
     enabled: true
     identities:
-      spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+      clusterSPIFFEIDs:
+        default:
+          spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
 
 spiffe-oidc-discovery-provider:
   enabled: true

diff --git a/examples/production/run-tests.sh b/examples/production/run-tests.sh
@@ -2,7 +2,7 @@
 
 set -xe
 
-UPGRADE_VERSION=v0.14.0
+UPGRADE_VERSION=v0.15.1
 UPGRADE_REPO=https://spiffe.github.io/helm-charts-hardened
 
 SCRIPT="$(readlink -f "$0")"