Commit 805d869

kfox1111, marcofranssen, faisal-memon authored
spire-controller-manager 0.4.0 support (#60)
Co-authored-by: Marco Franssen <[email protected]> Co-authored-by: Faisal Memon <[email protected]>
1 parent edf2381 commit 805d869

19 files changed (+105 / -19 lines)

.github/tests/common.sh

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,7 @@
11
#!/usr/bin/env bash
22

3+
GITHUB_STEP_SUMMARY="${GITHUB_STEP_SUMMARY:-/tmp/summary}"
4+
35
get_namespace_details () {
46
cat <<EOF >>"$GITHUB_STEP_SUMMARY"
57
### Namespace $1
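Review bot: the fallback on line 3, `GITHUB_STEP_SUMMARY="${GITHUB_STEP_SUMMARY:-/tmp/summary}"`, points every run outside GitHub Actions at the same fixed path under `/tmp`, and `get_namespace_details` appends to it with `>>`, so repeated local runs accumulate stale output and on a shared host another user can pre-create that file. Consider `mktemp` for the local case, or at least truncating the file once at script start.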

.github/tests/dependencies/spire-root-server-values.yaml

Lines changed: 8 additions & 1 deletion
@@ -6,7 +6,14 @@ global:
66

77
spire-server:
88
controllerManager:
9-
enabled: false
9+
identities:
10+
namespaceSelector:
11+
kubernetes.io/metadata.name: spire-server
12+
podSelector:
13+
app.kubernetes.io/component: server
14+
app.kubernetes.io/instance: spire
15+
app.kubernetes.io/name: server
16+
downstream: true
1017
nodeAttestor:
1118
k8sPsat:
1219
serviceAccountAllowList:
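Review bot: dropping `enabled: false` on line 9 does not by itself turn the controller manager on for the root server; the spire-server README in this same commit documents `controllerManager.enabled` defaulting to `false`, so unless the test enables it elsewhere the new `identities` block (namespace and pod selectors plus `downstream: true`) is never used. Either add `enabled: true` here or note where it is set. Restricting `downstream: true` to pods matching `app.kubernetes.io/component: server` in the `spire-server` namespace is the right scope, since downstream entries are meant only for nested SPIRE servers.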

charts/spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml

Lines changed: 9 additions & 0 deletions
@@ -65,6 +65,9 @@ spec:
6565
description: BundleEndpointURL is the URL of the bundle endpoint.
6666
It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
6767
type: string
68+
className:
69+
description: Set the class of controller to handle this object.
70+
type: string
6871
trustDomain:
6972
description: TrustDomain is the name of the trust domain to federate
7073
with (e.g. example.org)
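Review bot: the new `className` property on lines 68-70 accepts any string with no `pattern`, `maxLength` or `enum`, and its description only says which controller handles the object. Since the helper added in this commit derives the default from `Release.Namespace-Release.Name`, consider a pattern restricting it to that character set, and state in the description that an object with no `className` is only processed by an instance running with `watchClassless` enabled.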
@@ -89,3 +92,9 @@ spec:
8992
storage: true
9093
subresources:
9194
status: {}
95+
status:
96+
acceptedNames:
97+
kind: ""
98+
plural: ""
99+
conditions: []
100+
storedVersions: []
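Review bot: the `status:` stanza on lines 95-100 (`acceptedNames`, `conditions: []`, `storedVersions: []`) is generator output that the API server owns and rewrites once the CRD is established; shipping it in a Helm template is harmless on install but shows up as perpetual drift in `helm diff` and similar tooling. Consider stripping `status` from all three CRD templates touched here.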

charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml

Lines changed: 13 additions & 0 deletions
@@ -41,6 +41,10 @@ spec:
4141
access the SPIRE administrative APIs. Extra care should be taken
4242
to only apply this SPIFFE ID to admin workloads.
4343
type: boolean
44+
autoPopulateDNSNames:
45+
description: AutoPopulateDNSNames indicates whether or not to auto
46+
populate service DNS names.
47+
type: boolean
4448
dnsNameTemplates:
4549
description: DNSNameTemplate represents templates for extra DNS names
4650
that are applicable to SVIDs minted for this ClusterSPIFFEID. The
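Review bot: the description on lines 45-46 says the field auto-populates "service DNS names" but not which names are added (the Service name alone or the cluster-internal FQDN), whether every Service whose selector matches the pod contributes, or how they combine with the `dnsNameTemplates` documented directly below. DNS SANs end up in the X509-SVID and are what TLS peers verify, so the CRD description should spell out the naming rule so an admin can judge the effect of enabling it.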
@@ -53,6 +57,9 @@ spec:
5357
description: Downstream indicates that the entry describes a downstream
5458
SPIRE server.
5559
type: boolean
60+
className:
61+
description: Set the class of controller to handle this object.
62+
type: string
5663
federatesWith:
5764
description: FederatesWith is a list of trust domain names that workloads
5865
that obtain this SPIFFE ID will federate with.
@@ -224,3 +231,9 @@ spec:
224231
storage: true
225232
subresources:
226233
status: {}
234+
status:
235+
acceptedNames:
236+
kind: ""
237+
plural: ""
238+
conditions: []
239+
storedVersions: []

charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml

Lines changed: 9 additions & 0 deletions
@@ -39,6 +39,9 @@ spec:
3939
properties:
4040
admin:
4141
type: boolean
42+
className:
43+
description: Set the class of controller to handle this object.
44+
type: string
4245
dnsNames:
4346
items:
4447
type: string
@@ -90,3 +93,9 @@ spec:
9093
storage: true
9194
subresources:
9295
status: {}
96+
status:
97+
acceptedNames:
98+
kind: ""
99+
plural: ""
100+
conditions: []
101+
storedVersions: []

charts/spire/README.md

Lines changed: 8 additions & 0 deletions
@@ -32,6 +32,14 @@ For production installs, please see [the production example](https://github.com/
3232

3333
## Upgrade notes
3434

35+
### 0.15.X
36+
37+
The spire-crds chart has been updated. Please ensure you have upgraded spire-crds before upgrading the spire chart.
38+
39+
The chart now supports multiple parallel installs of spire-controller-manager. Each install will handle all custom resources with a matching `className` field. By default this is set to `Release.Namespace-Release.Name` and the controller manager will only pick up custom resources with this `className`.
40+
41+
If you have not loaded any SPIRE custom resources yourself, the upgrade process will be transparent. If you have loaded your own SPIRE custom resources, set `spire-server.controllerManager.watchClassless=true` until you can update your SPIRE custom resources to have the `className` for the instance specified.
42+
3543
### 0.14.X
3644

3745
If coming from a chart version before 0.14.0, you must relabel your crds to switch to using the new spire-crds chart. To migrate to the spire-crds chart
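Review bot: the 0.15.X note on lines 39-41 should say what `watchClassless=false` means for existing classless resources, namely that this instance stops processing them, and should repeat the constraint the spire-server README in this commit attaches to `watchClassless` (never two installs on one cluster both set to `true`), since an operator reading only this upgrade note will not see it. It would also help to state that the `className` to set on migrated resources must equal the rendered `Release.Namespace-Release.Name` (or the explicit `controllerManager.className`) of the instance that should own them.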

charts/spire/charts/spire-server/README.md

Lines changed: 4 additions & 1 deletion
@@ -215,13 +215,15 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
215215
| `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` |
216216
| `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` |
217217
| `controllerManager.enabled` | Flag to enable controller manager | `false` |
218+
| `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. | `""` |
219+
| `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` |
218220
| `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
219221
| `controllerManager.deleteHook.enabled` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) | `true` |
220222
| `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` |
221223
| `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` |
222224
| `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` |
223225
| `controllerManager.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
224-
| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.3.0` |
226+
| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.4.0` |
225227
| `controllerManager.resources` | Resource requests and limits for controller manager | `{}` |
226228
| `controllerManager.securityContext` | Security context | `{}` |
227229
| `controllerManager.service.type` | Service type for controller manager | `ClusterIP` |
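Review bot: the `controllerManager.watchClassless` row on line 219 documents a hard constraint ("Do not have two installs on the same k8s cluster both set to true") that nothing in the chart enforces or detects; consider a NOTES.txt warning when it is `true`, or say plainly that the check is the operator's responsibility. Minor: the lowercase "specify to ..." openings in the two new rows read inconsistently next to the capitalised descriptions around them, and the `className` row could note that `Release.Namespace-Release.Name` is rendered per install, which is why the default already differs between installs.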
@@ -240,6 +242,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
240242
| `controllerManager.identities.jwtTTL` | Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen. | `""` |
241243
| `controllerManager.identities.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` |
242244
| `controllerManager.identities.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` |
245+
| `controllerManager.identities.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` |
243246
| `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` |
244247
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
245248
| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |

charts/spire/charts/spire-server/templates/_helpers.tpl

Lines changed: 8 additions & 0 deletions
@@ -220,3 +220,11 @@ The code below determines what connection type should be used.
220220
{{- end }}
221221
{{ $args | toYaml }}
222222
{{- end -}}
223+
224+
{{- define "spire-server.controller-manager-class-name" -}}
225+
{{- if .Values.controllerManager.className }}
226+
{{- .Values.controllerManager.className }}
227+
{{- else }}
228+
{{- .Release.Namespace }}-{{ .Release.Name }}
229+
{{- end -}}
230+
{{- end -}}
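Review bot: the fallback on line 228, `{{- .Release.Namespace }}-{{ .Release.Name }}`, joins two names that may themselves contain hyphens with a hyphen, so namespace `spire-a` with release `b` and namespace `spire` with release `a-b` both render `spire-a-b`, and the two controller managers would claim each other's custom resources. Consider a separator that cannot appear in either name (`/` is not valid in a namespace or release name) or a short hash, as the configmap already does for `resourceName`, and a `required` or `fail` guard against a user-supplied `className` that is only whitespace.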

charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml

Lines changed: 3 additions & 1 deletion
@@ -4,7 +4,7 @@
44
apiVersion: spire.spiffe.io/v1alpha1
55
kind: ClusterSPIFFEID
66
metadata:
7-
name: {{ include "spire-controller-manager.fullname" $root }}-service-account-based
7+
name: {{ $root.Release.Namespace }}-{{ include "spire-controller-manager.fullname" $root }}-service-account-based
88
namespace: {{ include "spire-server.namespace" $root }}
99
spec:
1010
spiffeIDTemplate: {{ .identities.spiffeIDTemplate | quote }}
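Review bot: renaming the ClusterSPIFFEID on line 7 to `{{ $root.Release.Namespace }}-{{ include "spire-controller-manager.fullname" $root }}-service-account-based` means Helm treats the upgrade as delete-old plus create-new rather than an in-place update, so the controller manager briefly sees the old object disappear before the replacement arrives. That deserves a sentence in the 0.15.X upgrade note, and the upgrade test path should confirm workloads keep valid SVIDs across it.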
@@ -36,5 +36,7 @@ spec:
3636
{{- end }}
3737
admin: {{ .identities.admin }}
3838
downstream: {{ .identities.downstream }}
39+
autoPopulateDNSNames: {{ .identities.autoPopulateDNSNames }}
40+
className: {{ include "spire-server.controller-manager-class-name" $root | quote}}
3941
{{- end }}
4042
{{- end }}
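Review bot: line 39 renders `{{ .identities.autoPopulateDNSNames }}` with no default, so an identity entry that omits the key produces `autoPopulateDNSNames:` with an empty value, a YAML null rather than the boolean the CRD declares; `{{ .identities.autoPopulateDNSNames | default false }}` keeps the rendered object valid. Minor: `| quote}}` on line 40 is missing the space before `}}` used everywhere else in this template.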

charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml

Lines changed: 3 additions & 1 deletion
@@ -25,12 +25,14 @@ data:
2525
leaderElect: true
2626
resourceName: {{ .Release.Name | sha256sum | trunc 8 }}.spiffe.io
2727
resourceNamespace: {{ include "spire-server.namespace" . }}
28-
validatingWebhookConfigurationName: {{ include "spire-controller-manager.fullname" . }}-webhook
28+
validatingWebhookConfigurationName: {{ .Release.Namespace }}-{{ include "spire-controller-manager.fullname" . }}-webhook
2929
clusterName: {{ include "spire-lib.cluster-name" . }}
3030
trustDomain: {{ include "spire-lib.trust-domain" . }}
3131
ignoreNamespaces:
3232
{{- with .Values.controllerManager.ignoreNamespaces }}
3333
{{- toYaml . | nindent 6 }}
3434
{{- end }}
3535
spireServerSocketPath: "/tmp/spire-server/private/api.sock"
36+
className: {{ include "spire-server.controller-manager-class-name" . | quote}}
37+
watchClassless: {{ .Values.controllerManager.watchClassless | toYaml }}
3638
{{- end }}
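Review bot: line 28 renames `validatingWebhookConfigurationName` to `{{ .Release.Namespace }}-{{ include "spire-controller-manager.fullname" . }}-webhook`, but the ValidatingWebhookConfiguration object itself is rendered by a template not shown in this hunk; confirm it was renamed identically, because a mismatch means the CA bundle the controller manager writes never reaches the webhook the API server actually calls, and with the documented `failurePolicy` default of `Fail` admission of the custom resources breaks. Style: `| quote}}` on line 36 lacks the space before `}}`.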
