spiffe · faisal-memon · Nov 28, 2023 · Oct 25, 2023 · Oct 25, 2023 · Oct 25, 2023
@@ -6,13 +6,15 @@ global:
 spire-server:
   controllerManager:
     identities:
-      namespaceSelector:
-        kubernetes.io/metadata.name: spire-server
-      podSelector:
-        app.kubernetes.io/component: server
-        app.kubernetes.io/instance: spire
-        app.kubernetes.io/name: server
-      downstream: true
+      clusterSPIFFEIDs:
+        default:
+          namespaceSelector:
+            kubernetes.io/metadata.name: spire-server
+          podSelector:
+            app.kubernetes.io/component: server
+            app.kubernetes.io/instance: spire
+            app.kubernetes.io/name: server
+          downstream: true
   nodeAttestor:
     k8sPsat:
       serviceAccountAllowList:

@@ -32,6 +32,10 @@ For production installs, please see [the production example](https://github.com/
 
 ## Upgrade notes
 
+### 0.16.X
+
+The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade.
+
 ### 0.15.X
 
 The spire-crds chart has been updated. Please ensure you have upgraded spire-crds before upgrading the spire chart.

@@ -1,42 +1,72 @@
 {{- $root := . }}
-{{- with .Values.controllerManager }}
-{{- if and (eq (.enabled | toString) "true") (eq (.identities.enabled | toString) "true") }}
+{{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }}
+{{-   range $skey, $svalue := $value }}
+{{-     if not (has $skey (list "name" "annotations" "labels" "enabled" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames")) }}
+{{-       fail (printf "Unsupported property specified: %s" $skey) }}
+{{-     end }}
+{{-   end }}
+{{-   range $rprop := list "spiffeIDTemplate" }}
+{{-     if not (hasKey $value $rprop) }}
+{{-       fail (printf "Required property %s was not specified" $rprop) }}
+{{-     end }}
+{{-   end }}
+{{-   if eq ($root.Values.controllerManager.enabled | toString) "true" }}
+{{-     if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
+---
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
 metadata:
-  name: {{ $root.Release.Namespace }}-{{ include "spire-controller-manager.fullname" $root }}-service-account-based
-  namespace: {{ include "spire-server.namespace" $root }}
+  {{- if $value.name }}
+  name: {{ $value.name }}
+  {{- else }}
+  name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }}
+  {{- end }}
+  {{- with $value.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.labels }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
-  spiffeIDTemplate: {{ .identities.spiffeIDTemplate | quote }}
-  {{- with .identities.federatesWith }}
+  className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+  spiffeIDTemplate: {{ $value.spiffeIDTemplate | quote }}
+  {{- with $value.federatesWith }}
   federatesWith:
   {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- with .identities.podSelector }}
+  {{- with $value.podSelector }}
   podSelector:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- with .identities.namespaceSelector }}
+  {{- with $value.namespaceSelector }}
   namespaceSelector:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- with .identities.dnsNameTemplates }}
+  {{- with $value.dnsNameTemplates }}
   dnsNameTemplates:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- with .identities.workloadSelectorTemplates }}
+  {{- with $value.workloadSelectorTemplates }}
   workloadSelectorTemplates:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- with .identities.ttl }}
+  {{- with $value.ttl }}
   ttl: {{ . | quote }}
   {{- end }}
-  {{- with .identities.jwtTTL }}
+  {{- with $value.jwtTTL }}
   jwtTtl: {{ . | quote }}
   {{- end }}
-  admin: {{ .identities.admin }}
-  downstream: {{ .identities.downstream }}
-  autoPopulateDNSNames: {{ .identities.autoPopulateDNSNames }}
-  className: {{ include "spire-server.controller-manager-class-name" $root | quote}}
-{{- end }}
+  {{- with $value.admin }}
+  admin: {{ . }}
+  {{- end }}
+  {{- with $value.downstream }}
+  downstream: {{ . }}
+  {{- end }}
+  {{- with $value.autoPopulateDNSNames }}
+  autoPopulateDNSNames: {{ . }}
+  {{- end }}
+{{-     end }}
+{{-   end }}
 {{- end }}
@@ -0,0 +1,49 @@
+{{- $root := . }}
+{{- range $key, $value := .Values.controllerManager.identities.clusterFederatedTrustDomains }}
+{{-   range $skey, $svalue := $value }}
+{{-     if not (has $skey (list "name" "annotations" "labels" "enabled" "bundleEndpointProfile" "bundleEndpointURL" "trustDomain" "trustDomainBundle")) }}
+{{-       fail (printf "Unsupported property specified: %s" $skey) }}
+{{-     end }}
+{{-   end }}
+{{-   range $rprop := list "bundleEndpointProfile" "bundleEndpointURL" "trustDomain" }}
+{{-     if not (hasKey $value $rprop) }}
+{{-       fail (printf "Required property %s was not specified" $rprop) }}
+{{-     end }}
+{{-   end }}
+{{-   if eq ($root.Values.controllerManager.enabled | toString) "true" }}
+{{-     if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
+---
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterFederatedTrustDomain
+metadata:
+  {{- if $value.name }}
+  name: {{ $value.name }}
+  {{- else }}
+  name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }}
+  {{- end }}
+  {{- with $value.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.labels }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+  {{- with $value.bundleEndpointProfile }}
+  bundleEndpointProfile:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.bundleEndpointURL }}
+  bundleEndpointURL: {{ . | quote }}
+  {{- end }}
+  {{- with $value.trustDomain }}
+  trustDomain: {{ . | quote }}
+  {{- end }}
+  {{- with $value.trustDomainBundle }}
+  trustDomainBundle: {{ . | quote }}
+  {{- end }}
+{{-     end }}
+{{-   end }}
+{{- end }}
@@ -0,0 +1,70 @@
+{{- $root := . }}
+{{- range $key, $value := .Values.controllerManager.identities.clusterStaticEntries }}
+{{-   range $skey, $svalue := $value }}
+{{-     if not (has $skey (list "name" "annotations" "labels" "enabled" "admin" "dnsNames" "downstream" "federatesWith" "hint" "jwtSVIDTTL" "parentID" "selectors" "spiffeID" "x509SVIDTTL")) }}
+{{-       fail (printf "Unsupported property specified: %s" $skey) }}
+{{-     end }}
+{{-   end }}
+{{-   range $rprop := list "spiffeID" "selectors" "parentID" }}
+{{-     if not (hasKey $value $rprop) }}
+{{-       fail (printf "Required property %s was not specified" $rprop) }}
+{{-     end }}
+{{-   end }}
+{{-   if eq ($root.Values.controllerManager.enabled | toString) "true" }}
+{{-     if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
+---
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterStaticEntry
+metadata:
+  {{- if $value.name }}
+  name: {{ $value.name }}
+  {{- else }}
+  name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }}
+  {{- end }}
+  {{- with $value.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.labels }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+  spiffeID: {{ $value.spiffeID | quote }}
+  {{- with $value.federatesWith }}
+  federatesWith:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.selectors }}
+  selectors:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.parentID }}
+  parentID: {{ . | quote }}
+  {{- end }}
+  {{- with $value.dnsNames }}
+  dnsNames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $value.hint }}
+  hint: {{ . | quote }}
+  {{- end }}
+  {{- with $value.x509SVIDTTL }}
+  x509SVIDTTL: {{ . | quote }}
+  {{- end }}
+  {{- with $value.jwtSVIDTTL }}
+  jwtSVIDTTL: {{ . | quote }}
+  {{- end }}
+  {{- with $value.admin }}
+  admin: {{ . }}
+  {{- end }}
+  {{- with $value.downstream }}
+  downstream: {{ . }}
+  {{- end }}
+  {{- with $value.autoPopulateDNSNames }}
+  autoPopulateDNSNames: {{ . }}
+  {{- end }}
+{{-     end }}
+{{-   end }}
+{{- end }}
@@ -445,38 +445,68 @@ controllerManager:
     - local-path-storage
 
   identities:
-    ## @param controllerManager.identities.enabled Flag to enable default identities for controller manager
-    enabled: true
-
-    ## @param controllerManager.identities.spiffeIDTemplate Spiffe ID template for identities
-    spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
-    ## @param controllerManager.identities.podSelector [object] Selector for pods to issue identity
-    podSelector: {}
-      # matchLabels:
-      #   spiffe.io/spiffe-id: "true"
-    ## @param controllerManager.identities.namespaceSelector [object] Selector for namespacs to issue identity
-    namespaceSelector: {}
-      # matchLabels:
-      #   spiffe.io/spiffe-id: "true"
-    ## @param controllerManager.identities.dnsNameTemplates [array] DNS name template for issued identities
-    dnsNameTemplates: []
-      # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local'
-    ## @param controllerManager.identities.federatesWith [array] Other Spire server URLs for identity federation
-    federatesWith: []
-    # - example.io
-    # - example.ai
-    ## @param controllerManager.identities.workloadSelectorTemplates [array] Templates to produce selectors that apply to a given workload before it will receive an ID
-    workloadSelectorTemplates: []
-    ## @param controllerManager.identities.ttl Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen.
-    ttl: ""
-    ## @param controllerManager.identities.jwtTTL Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen.
-    jwtTTL: ""
-    ## @param controllerManager.identities.admin Indicates any pod matched by this identity will be an admin. Use this with extreme care.
-    admin: false
-    ## @param controllerManager.identities.downstream Set if this spire instance is a root server and the workloads are downstream servers.
-    downstream: false
-    ## @param controllerManager.identities.autoPopulateDNSNames Auto populate DNS names from services attached to pods
-    autoPopulateDNSNames: false
+    clusterSPIFFEIDs:
+      # NOTE you can add multiple uniquely named entries to create multiple ClusterSPIFFEID objects. See example below.
+      default:
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable this identity for controller manager
+        enabled: true
+
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate Spiffe ID template for identities
+        spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.podSelector [object] Selector for pods to issue identity
+        podSelector: {}
+          # matchLabels:
+          #   spiffe.io/spiffe-id: "true"
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector [object] Selector for namespacs to issue identity
+        namespaceSelector: {}
+          # matchLabels:
+          #   spiffe.io/spiffe-id: "true"
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.dnsNameTemplates [array] DNS name template for issued identities
+        dnsNameTemplates: []
+          # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local'
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.federatesWith [array] Other Spire server URLs for identity federation
+        federatesWith: []
+        # - example.io
+        # - example.ai
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.workloadSelectorTemplates [array] Templates to produce selectors that apply to a given workload before it will receive an ID
+        workloadSelectorTemplates: []
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.ttl Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen.
+        ttl: ""
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.jwtTTL Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen.
+        jwtTTL: ""
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.admin Indicates any pod matched by this identity will be an admin. Use this with extreme care.
+        admin: false
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.downstream Set if this spire instance is a root server and the workloads are downstream servers.
+        downstream: false
+        ## @param controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames Auto populate DNS names from services attached to pods
+        autoPopulateDNSNames: false
+      # You can specific additional ClusterSPIFFEIDs following this example.
+      # foo:
+      #   labels:
+      #     foo: bar
+      #   spiffeIDTemplate: spiffe://{{ .TrustDomain }}/foo
+      #   namespaceSelector:
+      #     matchLabels:
+      #       foo: bar
+    ## @param controllerManager.identities.clusterStaticEntries Specify additional ClusterStaticEntry objects.
+    clusterStaticEntries: {}
+    # foo:
+    #   labels:
+    #     foo: bar
+    #   parentID: spiffe://example.com/bar
+    #   spiffeID: spiffe://example.com/foo
+    #   selectors:
+    #   - k8s:pod-label:app.kubernetes.io/name:server
+    ## @param controllerManager.identities.clusterFederatedTrustDomains Specify additional ClusterFederatedTrustDomain objects.
+    clusterFederatedTrustDomains: {}
+    # foo:
+    #   labels:
+    #     foo: bar
+    #   bundleEndpointProfile:
+    #     endpointSPIFFEID: spiffe://example.com/foo
+    #     type: https_spiffe
+    #   bundleEndpointURL: https://rootserver.example.com:1234
+    #   trustDomain: example.com
 
   validatingWebhookConfiguration:
     ## @param controllerManager.validatingWebhookConfiguration.failurePolicy Action when identity is not issued

@@ -11,7 +11,9 @@ spire-server:
   controllerManager:
     enabled: true
     identities:
-      spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+      clusterSPIFFEIDs:
+        default:
+          spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
 
 spiffe-oidc-discovery-provider:
   enabled: true

@@ -2,7 +2,7 @@
 
 set -xe
 
-UPGRADE_VERSION=v0.14.0
+UPGRADE_VERSION=v0.15.1
 UPGRADE_REPO=https://spiffe.github.io/helm-charts-hardened
 
 SCRIPT="$(readlink -f "$0")"