Merge pull request #102 from philips-labs/spire-controller-manager

Add support for spire controller manager
philips-labs · Jan 18, 2023 · 937e896 · 937e896
2 parents 5e84479 + bd2100b
commit 937e896
Show file tree

Hide file tree

Showing 16 changed files with 689 additions and 11 deletions.
diff --git a/.github/tests/spire-controller-manager/values.yaml b/.github/tests/spire-controller-manager/values.yaml
@@ -0,0 +1,6 @@
+spire-server:
+  k8sWorkloadRegistrar:
+    enabled: false
+
+  controllerManager:
+    enabled: true
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
@@ -27,12 +27,13 @@ description: |
           - --service-account-signing-key-file=/run/config/pki/sa.key
   ```
 type: application
-version: 0.10.2
+version: 0.11.0
 appVersion: "1.5.4"
-keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
-home: https://github.com/philips-labs/helm-charts/charts/spire
+keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
+home: https://github.com/philips-labs/helm-charts/tree/main/charts/spire
 sources:
-  - https://github.com/philips-labs/helm-charts/charts/spire
+  - https://github.com/philips-labs/helm-charts/tree/main/charts/spire
+icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
 maintainers:
   - name: marcofranssen
     email: [email protected]

diff --git a/charts/spire/README.md b/charts/spire/README.md
@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. -->
 
-![Version: 0.10.2](https://img.shields.io/badge/Version-0.10.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.4](https://img.shields.io/badge/AppVersion-1.5.4-informational?style=flat-square)
+![Version: 0.11.0](https://img.shields.io/badge/Version-0.11.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.4](https://img.shields.io/badge/AppVersion-1.5.4-informational?style=flat-square)
 
 A Helm chart for deploying spire-server and spire-agent.
 
@@ -30,7 +30,7 @@ spec:
         - --service-account-signing-key-file=/run/config/pki/sa.key
 ```
 
-**Homepage:** <https://github.com/philips-labs/helm-charts/charts/spire>
+**Homepage:** <https://github.com/philips-labs/helm-charts/tree/main/charts/spire>
 
 ## Maintainers
 
@@ -40,7 +40,7 @@ spec:
 
 ## Source Code
 
-* <https://github.com/philips-labs/helm-charts/charts/spire>
+* <https://github.com/philips-labs/helm-charts/tree/main/charts/spire>
 
 ## Requirements
 
@@ -70,5 +70,4 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.bundleConfigMap | string | `"spire-bundle"` |  |
 | spire-server.clusterName | string | `"example-cluster"` |  |
 | spire-server.nameOverride | string | `"server"` |  |
-| spire-server.socketPath | string | `"/run/spire/server-sockets/spire-server.sock"` |  |
 | spire-server.trustDomain | string | `"example.org"` |  |
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
@@ -20,6 +20,23 @@ A Helm chart to install the SPIRE server.
 | ca_subject.country | string | `"NL"` |  |
 | ca_subject.organization | string | `"Example"` |  |
 | clusterName | string | `"example-cluster"` |  |
+| controllerManager.enabled | bool | `false` |  |
+| controllerManager.identities.dnsNameTemplates | list | `[]` |  |
+| controllerManager.identities.enabled | bool | `true` |  |
+| controllerManager.identities.podSelector | object | `{}` |  |
+| controllerManager.identities.spiffeIDTemplate | string | `"spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"` |  |
+| controllerManager.ignoreNamespaces[0] | string | `"kube-system"` |  |
+| controllerManager.ignoreNamespaces[1] | string | `"kube-public"` |  |
+| controllerManager.ignoreNamespaces[2] | string | `"local-path-storage"` |  |
+| controllerManager.image.pullPolicy | string | `"IfNotPresent"` |  |
+| controllerManager.image.registry | string | `"ghcr.io"` |  |
+| controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` |  |
+| controllerManager.image.version | string | `"0.2.1"` |  |
+| controllerManager.resources | object | `{}` |  |
+| controllerManager.securityContext | object | `{}` |  |
+| controllerManager.service.annotations | object | `{}` |  |
+| controllerManager.service.port | int | `443` |  |
+| controllerManager.service.type | string | `"ClusterIP"` |  |
 | dataStorage.accessMode | string | `"ReadWriteOnce"` |  |
 | dataStorage.enabled | bool | `true` |  |
 | dataStorage.size | string | `"1Gi"` |  |
@@ -31,7 +48,7 @@ A Helm chart to install the SPIRE server.
 | image.version | string | `""` |  |
 | imagePullSecrets | list | `[]` |  |
 | jwtIssuer | string | `"oidc-discovery.example.org"` |  |
-| k8sWorkloadRegistrar.enabled | bool | `true` |  |
+| k8sWorkloadRegistrar.enabled | bool | `true` | The `k8s-workload-registrar` is deprecated in favor of the `spire-controller-manager` A next release will switch to use the `spire-controller-manager` by default. |
 | k8sWorkloadRegistrar.image.pullPolicy | string | `"IfNotPresent"` |  |
 | k8sWorkloadRegistrar.image.registry | string | `"gcr.io"` |  |
 | k8sWorkloadRegistrar.image.repository | string | `"spiffe-io/k8s-workload-registrar"` |  |

diff --git a/charts/spire/charts/spire-server/crds/clusterfederatedtrustdomains.yaml b/charts/spire/charts/spire-server/crds/clusterfederatedtrustdomains.yaml
@@ -0,0 +1,96 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: clusterfederatedtrustdomains.spire.spiffe.io
+spec:
+  group: spire.spiffe.io
+  names:
+    kind: ClusterFederatedTrustDomain
+    listKind: ClusterFederatedTrustDomainList
+    plural: clusterfederatedtrustdomains
+    singular: clusterfederatedtrustdomain
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.trustDomain
+      name: Trust Domain
+      type: string
+    - jsonPath: .spec.bundleEndpointURL
+      name: Endpoint URL
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterFederatedTrustDomainSpec defines the desired state
+              of ClusterFederatedTrustDomain
+            properties:
+              bundleEndpointProfile:
+                description: BundleEndpointProfile is the profile for the bundle endpoint.
+                properties:
+                  endpointSPIFFEID:
+                    description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint.
+                      It is required for the "https_spiffe" profile.
+                    type: string
+                  type:
+                    description: Type is the type of the bundle endpoint profile.
+                    enum:
+                    - https_spiffe
+                    - https_web
+                    type: string
+                required:
+                - type
+                type: object
+              bundleEndpointURL:
+                description: BundleEndpointURL is the URL of the bundle endpoint.
+                  It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
+                type: string
+              trustDomain:
+                description: TrustDomain is the name of the trust domain to federate
+                  with (e.g. example.org)
+                pattern: '[a-z0-9._-]{1,255}'
+                type: string
+              trustDomainBundle:
+                description: TrustDomainBundle is the contents of the bundle for the
+                  referenced trust domain. This field is optional when the resource
+                  is created.
+                type: string
+            required:
+            - bundleEndpointProfile
+            - bundleEndpointURL
+            - trustDomain
+            type: object
+          status:
+            description: ClusterFederatedTrustDomainStatus defines the observed state
+              of ClusterFederatedTrustDomain
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []