Autogen jwtIssuer (#88)
* Autogen jwtIssuer

Unset a default for jwtIssuer and global.spire.jwtIssuer. When unset,
generate it to the default of oidc-discovery.$trustDomain so in many
cases the user doesn't need to set it at all.

Signed-off-by: Kevin Fox <[email protected]>

* Apply suggestions from code review

Co-authored-by: Faisal Memon <[email protected]>
Signed-off-by: kfox1111 <[email protected]>

* Fix docs

Signed-off-by: Kevin Fox <[email protected]>

---------

Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: kfox1111 <[email protected]>
Co-authored-by: Mariusz Sabath <[email protected]>
Co-authored-by: Faisal Memon <[email protected]>
3 people authored Nov 9, 2023
1 parent 93c20c6 commit f2758a8
Showing 9 changed files with 24 additions and 24 deletions.
1 change: 0 additions & 1 deletion .github/tests/dependencies/spire-root-server-values.yaml
Expand Up @@ -2,7 +2,6 @@ global:
spire:
clusterName: production
trustDomain: production.other
jwtIssuer: oidc-discovery.production.other

spire-server:
controllerManager:
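Review bot: with `jwtIssuer: oidc-discovery.production.other` removed, this dependency test renders the same issuer as before (the generated fallback for trust domain `production.other` is that exact string), so the output is unchanged, but none of the value files touched in this commit still sets an explicit `jwtIssuer`; the two explicit-override branches in `spire-lib.jwt-issuer` are therefore no longer exercised by the tests. Keep an override with a distinct value (for example a full `https://` URL) in at least one test values file so a regression in the precedence order would be caught.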
26 changes: 13 additions & 13 deletions charts/spire/README.md
Expand Up @@ -144,19 +144,19 @@ Now you can interact with the Spire agent socket from your own application. The

### Global parameters

| Name | Description | Value |
| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` |
| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` |
| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` |
| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens | `oidc-discovery.example.org` |
| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` |
| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` |
| `global.spire.image.registry` | Override all Spire image registries at once | `""` |
| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` |
| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |
| Name | Description | Value |
| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` |
| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` |
| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` |
| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` |
| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` |
| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` |
| `global.spire.image.registry` | Override all Spire image registries at once | `""` |
| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` |
| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |

### Spire server parameters
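Review bot: the new `global.spire.jwtIssuer` description gives the fallback as `oidc-discovery.$trustDomain`, a bare hostname, while the chart-level defaults this commit removes (`https://oidc-discovery.example.org`) carried a scheme; the table should state which form is expected when the value is set explicitly and when an operator still needs to set it at all. One sentence along the lines of "set this to the full issuer URL when the discovery endpoint is served from a host other than `oidc-discovery.<trustDomain>`" would cover both.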

Expand Up @@ -60,7 +60,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| `insecureScheme.nginx.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.25.2-alpine` |
| `insecureScheme.nginx.resources` | Resource requests and limits | `{}` |
| `jwtIssuer` | Path to JWT issuer | `https://oidc-discovery.example.org` |
| `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` |
| `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` |
| `config.additionalDomains` | Add additional domains that can be used for oidc discovery | `[]` |
| `config.acme.tosAccepted` | Flag for Terms of Service acceptance | `false` |
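Review bot: "Path to JWT issuer" is misleading for this row, since the old default was a URL (`https://oidc-discovery.example.org`) and the new fallback is a hostname; neither is a path. Suggest "JWT issuer (URL or hostname). Defaults to oidc-discovery.$trustDomain if unset" so the description matches the `spire-server` chart's "The JWT issuer domain" wording for the same setting.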
Expand Up @@ -125,8 +125,8 @@ insecureScheme:
# cpu: 100m
# memory: 64Mi

## @param jwtIssuer Path to JWT issuer
jwtIssuer: https://oidc-discovery.example.org
## @param jwtIssuer Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset
jwtIssuer: ""

config:
## @param config.logLevel The log level, valid values are "debug", "info", "warn", and "error"
2 changes: 1 addition & 1 deletion charts/spire/charts/spire-server/README.md
Expand Up @@ -142,7 +142,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `dataStore.sql.externalSecret.name` | The name of the secret object | `""` |
| `dataStore.sql.externalSecret.key` | The key of the secret object whose value is the dataStore.sql password | `""` |
| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` |
| `jwtIssuer` | The JWT issuer domain | `https://oidc-discovery.example.org` |
| `jwtIssuer` | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset | `""` |
| `clusterName` | Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`) | `example-cluster` |
| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` |
| `bundleConfigMap` | Set the trust domain to be used for the SPIFFE identifiers | `spire-bundle` |
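Review bot: a drive-by while this table is being edited: the `bundleConfigMap` row repeats the `trustDomain` description ("Set the trust domain to be used for the SPIFFE identifiers") instead of describing the bundle configmap; since the `@param` comments generate this README, the fix belongs in `values.yaml` next to the `jwtIssuer` change in this commit.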
4 changes: 2 additions & 2 deletions charts/spire/charts/spire-server/values.yaml
Expand Up @@ -174,8 +174,8 @@ dataStore:

## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
logLevel: info
## @param jwtIssuer The JWT issuer domain
jwtIssuer: https://oidc-discovery.example.org
## @param jwtIssuer The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset
jwtIssuer: ""

## @param clusterName Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`)
clusterName: example-cluster
4 changes: 3 additions & 1 deletion charts/spire/templates/_spire-lib.tpl
Expand Up @@ -17,8 +17,10 @@
{{- define "spire-lib.jwt-issuer" }}
{{- if ne (len (dig "spire" "jwtIssuer" "" .Values.global)) 0 }}
{{- .Values.global.spire.jwtIssuer }}
{{- else }}
{{- else if ne (len .Values.jwtIssuer) 0 }}
{{- .Values.jwtIssuer }}
{{- else }}
{{- printf "oidc-discovery.%s" (include "spire-lib.trust-domain" .) }}
{{- end }}
{{- end }}
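Review bot: the new `{{- else if ne (len .Values.jwtIssuer) 0 }}` branch fails with `len of nil pointer` whenever the helper is rendered in a values context that has no `jwtIssuer` key at all, whereas the global branch directly above guards the missing-key case with `dig "spire" "jwtIssuer" "" .Values.global`. Use a nil-safe test for the chart-level value too, e.g. `{{- else if .Values.jwtIssuer }}`, which is false for both a missing key and the empty string. Separately, the fallback `printf "oidc-discovery.%s"` yields a bare hostname while the chart defaults removed elsewhere in this commit were `https://oidc-discovery.example.org`; confirm every caller of `spire-lib.jwt-issuer` prepends the scheme, or emit it here so explicit and generated values have the same shape.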

4 changes: 2 additions & 2 deletions charts/spire/values.yaml
Expand Up @@ -13,8 +13,8 @@ global:
bundleConfigMap: ""
## @param global.spire.clusterName The name of the k8s cluster for Spire install
clusterName: example-cluster
## @param global.spire.jwtIssuer The issuer for Spire JWT tokens
jwtIssuer: oidc-discovery.example.org
## @param global.spire.jwtIssuer The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset
jwtIssuer: ""
## @param global.spire.trustDomain The trust domain for Spire install
trustDomain: example.org
## @param global.spire.upstreamServerAddress Set what address to use for the upstream server when using nested spire
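Review bot: now that the default is derived from `trustDomain`, leaving `trustDomain: example.org` untouched silently produces `oidc-discovery.example.org` as the issuer, the very sample value the old explicit default carried; the `global.spire.strictMode` check that `trustDomain` is overridden for production (visible in the README hunk of this commit) catches that only indirectly. The `@param` description should say that the generated issuer inherits whatever trust domain is configured, so operators review the two values together.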
1 change: 0 additions & 1 deletion examples/production/example-your-values.yaml
Expand Up @@ -2,7 +2,6 @@ global:
spire:
clusterName: production
trustDomain: production.other
jwtIssuer: oidc-discovery.production.other

spire-server:
ca_subject:
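Review bot: dropping the explicit `jwtIssuer` from the production example is consistent with the new default (the generated value for `production.other` is identical to the removed line), but the example is also where operators look for the override syntax; consider leaving a commented-out `# jwtIssuer: https://<public-discovery-host>` line noting that the value must be set when the OIDC discovery endpoint is exposed on a hostname other than `oidc-discovery.<trustDomain>`.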