From 6a99e8b1bc84da959fb30475533db44b31a7d3be Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Tue, 1 Oct 2024 10:52:47 -0700
Subject: [PATCH 1/2] Add support for the new fallback spire-controller-manager feature
Signed-off-by: Kevin Fox
---
 .../templates/spire.spiffe.io_clusterspiffeids.yaml | 5 +++++
 .../templates/controller-manager-cluster-ids.yaml | 5 ++++-
 charts/spire/charts/spire-server/values.yaml | 2 ++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml b/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
index 951fa0e55..b29ad62c0 100644
--- a/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
+++ b/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
@@ -45,6 +45,11 @@ spec:
 description: AutoPopulateDNSNames indicates whether or not to auto populate service DNS names.
 type: boolean
+ fallback:
+ description: |-
+ Apply this ID only if there are no other matching non fallback
+ ClusterSPIFFEIDs
+ type: boolean
 dnsNameTemplates:
 description: DNSNameTemplate represents templates for extra DNS names that are applicable to SVIDs minted for this ClusterSPIFFEID. The
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
index 7642d7af3..e3774c9e5 100644
--- a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
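Review bot: The new `fallback` property is placed between `autoPopulateDNSNames` and `dnsNameTemplates`, while the surrounding properties in this hunk appear to be in the alphabetical order that generated CRD schemas normally use; if this file is synced from the upstream spire-controller-manager CRD, the next sync will presumably relocate the block and show this hand edit as churn. Consider copying the `fallback` block verbatim from the upstream CRD at the controller-manager version the chart ships, so the chart's CRD stays byte-comparable with its source. It is also worth confirming in the PR that the pinned controller-manager image actually implements the field, since adding it to the schema alone does not make the manager honour it, and a manager that ignores it would treat a "fallback" ID like any other.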
@@ -30,7 +30,7 @@ matchLabels:
 {{ $namespaces := list .Release.Namespace .Values.namespaceOverride (dig "spire" "namespaces" "server" "name" "" .Values.global) (dig "spire" "namespaces" "system" "name" "" .Values.global) | compact | uniq }}
 {{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }}
 {{- range $skey, $svalue := $value }}
-{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames")) }}
+{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames" "fallback")) }}
 {{- fail (printf "Unsupported property specified: %s" $skey) }}
 {{- end }}
 {{- end }}
@@ -103,6 +103,9 @@ spec:
 {{- with $value.autoPopulateDNSNames }}
 autoPopulateDNSNames: {{ . }}
 {{- end }}
+ {{- with $value.fallback }}
+ fallback: {{ . }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index d70492fd6..4678ff03d 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -586,6 +586,8 @@ controllerManager:
 downstream: false
 ## @param controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames Auto populate DNS names from services attached to pods
 autoPopulateDNSNames: false
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.fallback Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs
+ fallback: true
 child-servers:
 ## @param controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable this identity for controller manager
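Review bot: `fallback: true` on the `default` identity is a behaviour change for existing installs rather than just a new knob: as the field's own description implies, a pod that matches any other non-fallback ClusterSPIFFEID will no longer also receive the default ID, where previously both applied. The `## @param` line should say so, e.g. `## @param controllerManager.identities.clusterSPIFFEIDs.default.fallback Apply this ID only if there are no other matching non-fallback ClusterSPIFFEIDs (changes prior behaviour, where the default ID also applied to pods matched by other IDs)`. The same comment should note that the value is only honoured once the spire-crds chart with the updated ClusterSPIFFEID schema and a controller-manager that knows the field are installed; against an older CRD the API server is expected to prune `fallback` silently, so the ID would quietly keep applying everywhere with no error from the chart. The hunk's trailing context appears cut short in this listing.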
From 5692ab41fec5fad2ddffd843f4d9d3077f013b63 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Tue, 1 Oct 2024 12:04:22 -0700
Subject: [PATCH 2/2] Fix docs
Signed-off-by: Kevin Fox
---
 charts/spire/charts/spire-server/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index 9706a8bca..aa94ef66d 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -272,6 +272,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `controllerManager.identities.clusterSPIFFEIDs.default.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` |
 | `controllerManager.identities.clusterSPIFFEIDs.default.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` |
 | `controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.fallback` | Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs | `true` |
 | `controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled` | Enable this identity for controller manager | `false` |
 | `controllerManager.identities.clusterSPIFFEIDs.child-servers.type` | The type of rule this is. | `child-servers` |
 | `controllerManager.identities.clusterSPIFFEIDs.child-servers.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `true` |