Add support for the new hint spire-controller-manager feature (#472)

* Add support for the new hint spire-controller-manager feature Signed-off-by: Kevin Fox <[email protected]> * Incorperate feedback Signed-off-by: Kevin Fox <[email protected]> --------- Signed-off-by: Kevin Fox <[email protected]> Signed-off-by: kfox1111 <[email protected]>
spiffe · Oct 17, 2024 · 13736cd · 13736cd
1 parent b08e8bf
commit 13736cd
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml b/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
@@ -71,6 +71,9 @@ spec:
  items:
  type: string
  type: array
+ hint:
+ description: Set the entry hint
+ type: string
  jwtTtl:
  description: JWTTTL indicates an upper-bound time-to-live for JWT
  SVIDs minted for this ClusterSPIFFEID.

diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
@@ -30,7 +30,7 @@ matchLabels:
 {{ $namespaces := list .Release.Namespace .Values.namespaceOverride (dig "spire" "namespaces" "server" "name" "" .Values.global) (dig "spire" "namespaces" "system" "name" "" .Values.global) | compact | uniq }}
 {{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }}
 {{- range $skey, $svalue := $value }}
-{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames" "fallback")) }}
+{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames" "fallback" "hint")) }}
 {{- fail (printf "Unsupported property specified: %s" $skey) }}
 {{- end }}
 {{- end }}
@@ -63,6 +63,13 @@ metadata:
  {{- end }}
 spec:
  className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+ {{- if hasKey $value "hint" }}
+ {{- if ne $value.hint "" }}
+ hint: {{ $value.hint }}
+ {{- end }}
+ {{- else }}
+ hint: {{ $key }}
+ {{- end }}
  {{- if and (hasKey $value "spiffeIDTemplate") (ne (len $value.spiffeIDTemplate) 0) }}
  spiffeIDTemplate: {{ $value.spiffeIDTemplate | quote }}
  {{- else }}

diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
@@ -630,6 +630,8 @@ controllerManager:
  autoPopulateDNSNames: false
  ## @param controllerManager.identities.clusterSPIFFEIDs.default.fallback Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs
  fallback: true
+ # Set what hint to use. If unset, it will be asigned the clusterSPIFFEID name. If set to "", it will be unset. Any other value will set the hint to exactly what is specified.
+ # hint: ""
 
  child-servers:
  ## @param controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable this identity for controller manager