Add support for the new fallback spire-controller-manager feature

charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml

@@ -45,6 +45,11 @@ spec:
  description: AutoPopulateDNSNames indicates whether or not to auto
  populate service DNS names.
  type: boolean
+ fallback:
+ description: |-
+ Apply this ID only if there are no other matching non fallback
+ ClusterSPIFFEIDs
+ type: boolean
  dnsNameTemplates:
  description: DNSNameTemplate represents templates for extra DNS names
  that are applicable to SVIDs minted for this ClusterSPIFFEID. The

charts/spire/charts/spire-server/README.md

@@ -289,6 +289,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `controllerManager.identities.clusterSPIFFEIDs.default.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` |
 | `controllerManager.identities.clusterSPIFFEIDs.default.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` |
 | `controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.fallback` | Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs | `true` |
 | `controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled` | Enable this identity for controller manager | `false` |
 | `controllerManager.identities.clusterSPIFFEIDs.child-servers.type` | The type of rule this is. | `child-servers` |
 | `controllerManager.identities.clusterSPIFFEIDs.child-servers.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `true` |

charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml

@@ -30,7 +30,7 @@ matchLabels:
 {{ $namespaces := list .Release.Namespace .Values.namespaceOverride (dig "spire" "namespaces" "server" "name" "" .Values.global) (dig "spire" "namespaces" "system" "name" "" .Values.global) | compact | uniq }}
 {{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }}
 {{- range $skey, $svalue := $value }}
-{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames")) }}
+{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames" "fallback")) }}
 {{- fail (printf "Unsupported property specified: %s" $skey) }}
 {{- end }}
 {{- end }}
@@ -103,6 +103,9 @@ spec:
  {{- with $value.autoPopulateDNSNames }}
  autoPopulateDNSNames: {{ . }}
  {{- end }}
+ {{- with $value.fallback }}
+ fallback: {{ . }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}

charts/spire/charts/spire-server/values.yaml

@@ -628,6 +628,8 @@ controllerManager:
  downstream: false
  ## @param controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames Auto populate DNS names from services attached to pods
  autoPopulateDNSNames: false
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.fallback Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs
+ fallback: true
 
  child-servers:
  ## @param controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable this identity for controller manager