Support federation bundle endpoint profile http_web certificates

charts/spire/charts/spire-server/README.md

@@ -163,7 +163,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `federation.enabled` | Flag to enable federation | `false` |
 | `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` |
 | `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` |
-| `federation.bundleEndpoint.refresh_hint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` |
+| `federation.bundleEndpoint.refreshHint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` |
+| `federation.bundleEndpoint.profile.httpWeb.fileSyncInterval` | Interval on which to reload the certificate/key from disk | `1h` |
 | `federation.tls.spire.enabled` | Use spire to secure the federation bundle endpoint | `true` |
 | `federation.tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` |
 | `federation.tls.externalSecret.secretName` | Specify which Secret to use | `""` |

charts/spire/charts/spire-server/templates/_helpers.tpl

@@ -298,7 +298,7 @@ The code below determines what connection type should be used.
 {{- end }}
 {{- $args = append $args (printf "https://%s/" $host) }}
 {{- else }}
-{{- $args = append $args (printf "http://%s/" $host) }}
+{{- $args = append $args (printf "-k -L http://%s/" $host) }}
 {{- end }}
 {{ $args | toYaml }}
 {{- end -}}

charts/spire/charts/spire-server/templates/configmap.yaml

@@ -38,9 +38,6 @@
 {{- if and (eq (.Values.keyManager.awsKMS.keyIdentifierFile.enabled | toString) "true") (eq (.Values.keyManager.awsKMS.keyIdentifierValue.enabled | toString ) "true") }}
 {{- fail "You can only enable one of keyIdentifierFile or keyIdentifierValue at a time" }}
 {{- end }}
-{{- if hasKey .Values.federation.bundleEndpoint "profile" }}
-{{- fail "Configuring the federation bundle endpoint profile directly isn't supported. You can specify the settings via federation.tls" }}
-{{- end }}
 {{- define "spire-server.yaml-config" -}}
 {{- $upstreamAuthorityUsed := 0 }}
 {{- $keyManagerUsed := 0 }}
@@ -69,12 +66,24 @@ server:
  organization: [{{ include "spire-server.ca-subject-organization" . | quote }}]
  common_name: {{ include "spire-server.ca-subject-common-name" . | quote }}
 
- {{- with .Values.federation }}
- {{- if eq (.enabled | toString) "true" }}
+ {{- if eq (.Values.federation.enabled | toString) "true" }}
  federation:
  bundle_endpoint:
- - {{ .bundleEndpoint | toYaml | nindent 8 }}
- {{- end }}
+ address: {{ .Values.federation.bundleEndpoint.address | quote }}
+ port: {{ .Values.federation.bundleEndpoint.port }}
+ refresh_hint: {{ .Values.federation.bundleEndpoint.refreshHint | quote }}
+ profile:
+ {{- if .Values.federation.tls.spire.enabled }}
+ - https_spiffe: {}
+ {{ else }}
+ - https_web:
+ serving_cert_file:
+ file_sync_interval: {{ .Values.federation.bundleEndpoint.profile.httpWeb.fileSyncInterval }}
+ {{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}
+ cert_file_path: /bundle-endpoint-tls/tls.crt
+ key_file_path: /bundle-endpoint-tls/tls.key
+ {{- end }}
+ {{- end }}
  {{- end }}
 
  {{- with .Values.experimental }}

charts/spire/charts/spire-server/templates/federation-ingress.yaml

@@ -4,33 +4,18 @@
 {{- $path := "/"}}
 {{- $pathType := "Prefix" }}
 {{- $tlsSection := true }}
-{{/* Until https://github.com/spiffe/spire/issues/2202 is resolved, use ingress to implement cert-manager and externalSecret support. */}}
-{{- $federationIngress := deepCopy .Values.federation.ingress }}
-{{- if .Values.federation.tls.certManager.enabled }}
-{{- $secret := printf "%s-federation-cert" $svcName }}
-{{- $_ := set $federationIngress "tlsSecret" $secret }}
-{{- end }}
-{{- if .Values.federation.tls.externalSecret.enabled }}
-{{- $_ := set $federationIngress "tlsSecret" .Values.federation.tls.externalSecret.secretName }}
-{{- end }}
 {{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.federation.ingress) }}
 {{- $annotations := deepCopy .Values.federation.ingress.annotations }}
 {{- if eq $ingressControllerType "ingress-nginx" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
-{{- if not .Values.federation.ingress.tlsSecret }}
-{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
-{{- end }}
+{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
 {{- else if eq $ingressControllerType "openshift" }}
-{{- if $federationIngress.tlsSecret }}
-{{- $_ := set $annotations "route.openshift.io/termination" "reencrypt" }}
-{{- else }}
-{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
 {{- $path = "" }}
 {{- $pathType = "ImplementationSpecific" }}
 {{- $tlsSection = false }}
-{{- end }}
 {{- end }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -44,6 +29,6 @@ metadata:
  {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
- {{ include "spire-lib.ingress-spec" (dict "ingress" $federationIngress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
+ {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.federation.ingress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
 {{- end }}
 {{- end }}

charts/spire/charts/spire-server/templates/server-resource.yaml

@@ -315,6 +315,10 @@ spec:
  mountPath: /tmp-direct-hashes
  {{- end }}
  {{- end }}
+ {{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}
+ - name: bundle-endpoint-tls
+ mountPath: /bundle-endpoint-tls
+ {{- end }}
  {{- if eq (.Values.upstreamAuthority.disk.enabled | toString) "true" }}
  - name: upstream-ca
  mountPath: /run/spire/upstream_ca
@@ -450,6 +454,16 @@ spec:
  name: {{ include "spire-server.fullname" . }}-tpm-direct-hash
  {{- end }}
  {{- end }}
+ {{- if .Values.federation.tls.certManager.enabled }}
+ - name: bundle-endpoint-tls
+ secret:
+ secretName: {{ printf "%s-federation-cert" (include "spire-server.fullname" .) }}
+ {{- end }}
+ {{- if .Values.federation.tls.externalSecret.enabled }}
+ - name: bundle-endpoint-tls
+ secret:
+ secretName: {{ .Values.federation.tls.externalSecret.secretName }}
+ {{- end }}
  {{- if or (eq (include "spire-tornjak.connectionType" .) "tls") (eq (include "spire-tornjak.connectionType" .) "mtls") }}
  - name: server-cert
  secret:

charts/spire/charts/spire-server/values.yaml

@@ -248,8 +248,12 @@ federation:
  port: 8443
  ## @param federation.bundleEndpoint.address Address for trust bundle federation
  address: "0.0.0.0"
- ## @param federation.bundleEndpoint.refresh_hint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server.
- refresh_hint: "5m"
+ ## @param federation.bundleEndpoint.refreshHint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server.
+ refreshHint: "5m"
+ profile:
+ httpWeb:
+ ## @param federation.bundleEndpoint.profile.httpWeb.fileSyncInterval Interval on which to reload the certificate/key from disk
+ fileSyncInterval: 1h
 
  tls:
  spire:

tests/integration/production/run-tests.sh

@@ -129,7 +129,7 @@ install_and_test() {
  --values /tmp/dummydns \
  --set spiffe-oidc-discovery-provider.tests.tls.customCA=tls-cert,spire-server.tests.tls.customCA=tls-cert \
  --set spire-agent.server.address=spire-server.production.other,spire-agent.server.port=443 \
- --set spire-server.federation.ingress.tlsSecret=tls-cert,spiffe-oidc-discovery-provider.ingress.tlsSecret=tls-cert \
+ --set spire-server.federation.tls.externalSecret.secretName=tls-cert,spiffe-oidc-discovery-provider.ingress.tlsSecret=tls-cert \
  --wait
 
  helm test --namespace "${ns}" spire

tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml

@@ -4,10 +4,9 @@ spire-server:
  enabled: true
  federation:
  enabled: true
- ingress:
- enabled: true
- controllerType: ingress-nginx
-
- # className: nginx
-
- tlsSecret: spire-server-federation-tls
+ tls:
+ spire:
+ enabled: false
+ externalSecret:
+ enabled: true
+ secretName: spire-server-federation-tls