From 13736cdf6ff328ed9ca013090ed6401eeaa645d5 Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Thu, 17 Oct 2024 15:48:09 -0700
Subject: [PATCH] Add support for the new hint spire-controller-manager feature (#472)

* Add support for the new hint spire-controller-manager feature

Signed-off-by: Kevin Fox

* Incorperate feedback

Signed-off-by: Kevin Fox

---------

Signed-off-by: Kevin Fox
Signed-off-by: kfox1111
---
 .../templates/spire.spiffe.io_clusterspiffeids.yaml | 3 +++
 .../templates/controller-manager-cluster-ids.yaml | 9 ++++++++-
 charts/spire/charts/spire-server/values.yaml | 2 ++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml b/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
index b29ad62c0..2f3489489 100644
--- a/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
+++ b/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
@@ -71,6 +71,9 @@ spec:
 items:
 type: string
 type: array
+ hint:
+ description: Set the entry hint
+ type: string
 jwtTtl:
 description: JWTTTL indicates an upper-bound time-to-live for JWT SVIDs minted for this ClusterSPIFFEID.
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
index e3774c9e5..1973bdaba 100644
--- a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
@@ -30,7 +30,7 @@ matchLabels:
 {{ $namespaces := list .Release.Namespace .Values.namespaceOverride (dig "spire" "namespaces" "server" "name" "" .Values.global) (dig "spire" "namespaces" "system" "name" "" .Values.global) | compact | uniq }}
 {{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }}
 {{- range $skey, $svalue := $value }}
-{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames" "fallback")) }}
+{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames" "fallback" "hint")) }}
 {{- fail (printf "Unsupported property specified: %s" $skey) }}
 {{- end }}
 {{- end }}
@@ -63,6 +63,13 @@ metadata:
 {{- end }}
 spec:
 className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+ {{- if hasKey $value "hint" }}
+ {{- if ne $value.hint "" }}
+ hint: {{ $value.hint }}
+ {{- end }}
+ {{- else }}
+ hint: {{ $key }}
+ {{- end }}
 {{- if and (hasKey $value "spiffeIDTemplate") (ne (len $value.spiffeIDTemplate) 0) }}
 spiffeIDTemplate: {{ $value.spiffeIDTemplate | quote }}
 {{- else }}
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index daa82b0ef..819997605 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
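Review bot: In the second hunk (@@ -63,6 +63,13 @@) both new `hint:` lines emit their value unquoted, unlike the neighbouring `spiffeIDTemplate: {{ $value.spiffeIDTemplate | quote }}`, so a hint such as `1.10`, `on` or `0644` (or a clusterSPIFFEIDs map key of that shape feeding `{{ $key }}`) is rendered as a float, boolean or octal int and is rejected by the CRD's `type: string` schema, while a value containing `: ` or ` #` breaks the rendered YAML. Quote both sites: `hint: {{ $value.hint | quote }}` and `hint: {{ $key | quote }}`. The `ne $value.hint ""` guard also appears to compare a nil with a string when the user writes `hint:` with no value, which depending on the Go version Helm was built with is either a template comparison error or a bare `hint:` (null) in the output; `{{- with $value.hint }}hint: {{ . | quote }}{{- end }}` handles the empty and the null case the same way and keeps the documented "set to empty to unset" behaviour. The enclosing `range` over clusterSPIFFEIDs begins before this hunk.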
@@ -630,6 +630,8 @@ controllerManager:
 autoPopulateDNSNames: false
 ## @param controllerManager.identities.clusterSPIFFEIDs.default.fallback Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs
 fallback: true
+ # Set what hint to use. If unset, it will be asigned the clusterSPIFFEID name. If set to "", it will be unset. Any other value will set the hint to exactly what is specified.
+ # hint: ""
 child-servers:
 ## @param controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable this identity for controller manager