

Merge pull request #93 from /issues/92
Disable the default clusterSPIFFEID
markgoddard authored Dec 16, 2024
2 parents 8030689 + 3eaa125 commit b246438
Showing 2 changed files with 21 additions and 32 deletions.
47 changes: 18 additions & 29 deletions pkg/provider/helm/values.go
Expand Up @@ -125,45 +125,34 @@ func (g *HelmValuesGenerator) GenerateValues() (map[string]any, error) {
return nil, fmt.Errorf("failed to get controllerManager map from spireServer: %w", err)
}

// Enables the default ClusterSPIFFEID CR by default.
controllerManager["identities"] = map[string]any{
"clusterSPIFFEIDs": map[string]any{
"default": map[string]any{
"enabled": true,
},
},
}

identities, err := getOrCreateNestedMap(controllerManager, "identities")
if err != nil {
return nil, fmt.Errorf("failed to get identities map from controllerManager: %w", err)
}

if len(g.trustZone.AttestationPolicies) > 0 {
csids, err := getOrCreateNestedMap(identities, "clusterSPIFFEIDs")
csids, err := getOrCreateNestedMap(identities, "clusterSPIFFEIDs")
if err != nil {
return nil, fmt.Errorf("failed to get clusterSPIFFEIDs map from identities: %w", err)
}

// Disables the default ClusterSPIFFEID CR.
csids["default"] = map[string]any{
"enabled": false,
}

// Adds the attestation policies as ClusterSPIFFEID CRs to be reconciled by the spire-controller-manager.
for _, binding := range g.trustZone.AttestationPolicies {
policy, err := g.source.GetAttestationPolicy(binding.Policy)
if err != nil {
return nil, fmt.Errorf("failed to get clusterSPIFFEIDs map from identities: %w", err)
return nil, err
}

// Disables the default ClusterSPIFFEID CR.
csids["default"] = map[string]any{
"enabled": false,
clusterSPIFFEIDs, err := attestationpolicy.NewAttestationPolicy(policy).GetHelmConfig(g.source, binding)
if err != nil {
return nil, err
}

// Adds the attestation policies as ClusterSPIFFEID CRs to be reconciled by the spire-controller-manager.
for _, binding := range g.trustZone.AttestationPolicies {
policy, err := g.source.GetAttestationPolicy(binding.Policy)
if err != nil {
return nil, err
}

clusterSPIFFEIDs, err := attestationpolicy.NewAttestationPolicy(policy).GetHelmConfig(g.source, binding)
if err != nil {
return nil, err
}

csids[policy.Name] = clusterSPIFFEIDs
}
csids[policy.Name] = clusterSPIFFEIDs
}

// Adds the federations as ClusterFederatedTrustDomain CRs to be reconciled by the spire-controller-manager.
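Review bot: The loop at the end of the hunk writes `csids[policy.Name] = clusterSPIFFEIDs` without checking whether the key is already present, so two bindings that resolve to the same policy name silently overwrite each other, and a policy named `default` replaces the entry the new code has just set to `enabled: false` — presumably re-enabling a cluster-wide identity, depending on what GetHelmConfig returns. I would reject the collision instead of letting the last writer win: `if _, exists := csids[policy.Name]; exists { return nil, fmt.Errorf("clusterSPIFFEID %q already defined: duplicate attestation policy name", policy.Name) }` placed immediately before the assignment. The same check also protects any clusterSPIFFEIDs a caller already put in the values map, which getOrCreateNestedMap now preserves rather than clobbers. GenerateValues begins before this hunk and continues after it.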
6 changes: 3 additions & 3 deletions pkg/provider/helm/values_test.go
Expand Up @@ -94,7 +94,7 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) {
"identities": Values{
"clusterSPIFFEIDs": Values{
"default": Values{
"enabled": true,
"enabled": false,
},
},
},
Expand Down Expand Up @@ -293,7 +293,7 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) {
"identities": Values{
"clusterSPIFFEIDs": Values{
"default": Values{
"enabled": true,
"enabled": false,
},
},
},
Expand Down Expand Up @@ -430,7 +430,7 @@ func TestHelmValuesGenerator_GenerateValues_AdditionalValues(t *testing.T) {
"identities": Values{
"clusterSPIFFEIDs": Values{
"default": Values{
"enabled": true,
"enabled": false,
},
},
"clusterFederatedTrustDomains": Values{
