UpstreamAuthority cert-manager support (#82)

Author: kfox1111

.github/tests/upstream-authority-cert-manager/cert-manager-ca.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: demo-selfsigned-ca
+spec:
+  isCA: true
+  commonName: demo-selfsigned-ca
+  secretName: root-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: demo-ca
+spec:
+  ca:
+    secretName: root-secret

.github/tests/upstream-authority-cert-manager/pre-install.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+helm install cert-manager cert-manager --namespace cert-manager --create-namespace --version v1.11.0 --set installCRDs=true --repo https://charts.jetstack.io --wait
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+kubectl apply -f $SCRIPT_DIR/cert-manager-ca.yaml -n "$VALUES"

.github/tests/upstream-authority-cert-manager/values.yaml

@@ -0,0 +1,5 @@
+spire-server:
+  upstreamAuthority:
+    certManager:
+      enabled: true
+      issuer_name: "demo-ca"

.github/workflows/helm-chart-ci.yaml

@@ -151,7 +151,15 @@ jobs:
 
       - name: Run chart-testing (install)
         run: |
+          [ "$VALUES" != "default" ] && kubectl create namespace "$VALUES"
+          post-install() {
+            [ -x .github/tests/$VALUES/post-install.sh ] && .github/tests/$VALUES/post-install.sh
+            exit $1
+          }
+          trap 'post-install $? $LINENO' EXIT
+          [ -x .github/tests/$VALUES/pre-install.sh ] && .github/tests/$VALUES/pre-install.sh
           ct install --debug \
+            --namespace $VALUES \
             --target-branch ${{ github.base_ref }} \
             --exclude-deprecated \
             ${{ (matrix.values != 'default' && '--helm-extra-set-args "--values=.github/tests/$VALUES/values.yaml"') || '' }}

charts/spire/charts/spire-server/README.md

@@ -78,6 +78,13 @@ A Helm chart to install the SPIRE server.
 | tolerations | list | `[]` |  |
 | topologySpreadConstraints | list | `[]` |  |
 | trustDomain | string | `"example.org"` |  |
+| upstreamAuthority.certManager.enabled | bool | `false` |  |
+| upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` |  |
+| upstreamAuthority.certManager.issuer_kind | string | `"Issuer"` |  |
+| upstreamAuthority.certManager.issuer_name | string | `"spire-ca"` |  |
+| upstreamAuthority.certManager.kube_config_file | string | `""` |  |
+| upstreamAuthority.certManager.namespace | string | `""` | Specify to use a namespace other then the one the chart is installed into |
+| upstreamAuthority.certManager.rbac.create | bool | `true` |  |
 | upstreamAuthority.disk.enabled | bool | `false` |  |
 | upstreamAuthority.disk.secret.create | bool | `true` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. |
 | upstreamAuthority.disk.secret.data | object | `{"bundle":"","certificate":"","key":""}` | If secret creation is enabled, will create a secret with following certificate info |

charts/spire/charts/spire-server/templates/configmap.yaml

@@ -1,3 +1,4 @@
+{{ $namespace := .Release.Namespace }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -71,6 +72,22 @@ data:
       }
       {{- end }}
       {{- end }}
+
+      {{- with .Values.upstreamAuthority.certManager }}
+      {{- if eq (.enabled | toString) "true" }}
+      UpstreamAuthority "cert-manager" {
+        plugin_data {
+          issuer_name = {{ .issuer_name | quote }}
+          issuer_kind = {{ .issuer_kind | quote }}
+          issuer_group = {{ .issuer_group | quote }}
+          namespace = {{ default $namespace .namespace | quote }}
+          {{- if ne .kube_config_file "" }}
+          kube_config_file = {{ .kube_config_file | quote }}
+          {{- end }}
+        }
+      }
+      {{- end }}
+      {{- end }}
     }
 
     health_checks {

charts/spire/charts/spire-server/templates/roles.yaml

@@ -18,6 +18,18 @@ rules:
     verbs:
       - get
       - patch
+  {{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.rbac.create }}
+  - apiGroups: ["cert-manager.io"]
+    resources:
+      - certificaterequests
+    verbs:
+      - list
+      - get
+      - create
+      - delete
+      - patch
+      - update
+  {{- end }}
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

charts/spire/charts/spire-server/values.yaml

@@ -104,6 +104,16 @@ upstreamAuthority:
         certificate: ""
         key: ""
         bundle: ""
+  certManager:
+    enabled: false
+    rbac:
+      create: true
+    issuer_name: "spire-ca"
+    issuer_kind: "Issuer"
+    issuer_group: "cert-manager.io"
+    # -- Specify to use a namespace other then the one the chart is installed into
+    namespace: ""
+    kube_config_file: ""
 
 controllerManager:
   enabled: false