Add CA subject to Helm values

This is required by Helm recommendations. We provide a default CA subject, and this can be overridden using custom Helm values.
cofide · Jan 3, 2025 · b58b48f · b58b48f
1 parent f9dd2d5
commit b58b48f
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 2 deletions.
diff --git a/internal/pkg/config/testdata/config/full.yaml b/internal/pkg/config/testdata/config/full.yaml
@@ -20,10 +20,10 @@ trust_zones:
             spire:
                 caSubject:
                     commonName: cn.example.com
-                    country: UK
                     organization: acme-org
         spire-server:
             logLevel: INFO
+            nameOverride: custom-server-name
       bundle_endpoint_profile: BUNDLE_ENDPOINT_PROFILE_HTTPS_SPIFFE
       profile: kubernetes
       external_server: false

diff --git a/internal/pkg/test/fixtures/fixtures.go b/internal/pkg/test/fixtures/fixtures.go
@@ -46,15 +46,18 @@ var trustZoneFixtures map[string]*trust_zone_proto.TrustZone = map[string]*trust
 			ev := map[string]any{
 				"global": map[string]any{
 					"spire": map[string]any{
+						// Modify multiple values in the same map.
 						"caSubject": map[string]any{
-							"country":      "UK",
 							"organization": "acme-org",
 							"commonName":   "cn.example.com",
 						},
 					},
 				},
 				"spire-server": map[string]any{
+					// Modify an existing value.
 					"logLevel": "INFO",
+					// Customise a new value.
+					"nameOverride": "custom-server-name",
 				},
 			}
 			value, err := structpb.NewStruct(ev)

diff --git a/pkg/provider/helm/values.go b/pkg/provider/helm/values.go
@@ -23,13 +23,20 @@ type HelmValuesGenerator struct {
 type globalValues struct {
 	deleteHooks                   bool
 	installAndUpgradeHooksEnabled bool
+	spireCASubject                caSubject
 	spireClusterName              string
 	spireJwtIssuer                string
 	spireNamespacesCreate         bool
 	spireRecommendationsEnabled   bool
 	spireTrustDomain              string
 }
 
+type caSubject struct {
+	commonName   string
+	country      string
+	organization string
+}
+
 type spireAgentValues struct {
 	agentConfig        trustprovider.TrustProviderAgentConfig
 	fullnameOverride   string
@@ -73,6 +80,11 @@ func (g *HelmValuesGenerator) GenerateValues() (map[string]any, error) {
 	}
 
 	gv := globalValues{
+		spireCASubject: caSubject{
+			commonName:   "cofide.io",
+			country:      "UK",
+			organization: "Cofide",
+		},
 		spireClusterName:              g.trustZone.GetKubernetesCluster(),
 		spireJwtIssuer:                g.trustZone.GetJwtIssuer(),
 		spireNamespacesCreate:         true,
@@ -244,6 +256,7 @@ func (g *globalValues) generateValues() (map[string]any, error) {
 	values := map[string]any{
 		"global": map[string]any{
 			"spire": map[string]any{
+				"caSubject":   g.spireCASubject.generateValues(),
 				"clusterName": g.spireClusterName,
 				"namespaces": map[string]any{
 					"create": g.spireNamespacesCreate,
@@ -279,6 +292,15 @@ func (g *globalValues) generateValues() (map[string]any, error) {
 	return values, nil
 }
 
+// generateValues generates the global.spire.caSubject Helm values map.
+func (c *caSubject) generateValues() map[string]any {
+	return map[string]any{
+		"country":      c.country,
+		"organization": c.organization,
+		"commonName":   c.commonName,
+	}
+}
+
 // generateValues generates the spire-agent Helm values map.
 func (s *spireAgentValues) generateValues() (map[string]any, error) {
 	if s.fullnameOverride == "" {

diff --git a/pkg/provider/helm/values_test.go b/pkg/provider/helm/values_test.go
@@ -46,6 +46,11 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) {
 						"enabled": false,
 					},
 					"spire": Values{
+						"caSubject": Values{
+							"commonName":   "cofide.io",
+							"country":      "UK",
+							"organization": "Cofide",
+						},
 						"clusterName": "local1",
 						"namespaces": Values{
 							"create": true,
@@ -256,6 +261,11 @@ func TestHelmValuesGenerator_GenerateValues_success(t *testing.T) {
 						"enabled": false,
 					},
 					"spire": Values{
+						"caSubject": Values{
+							"commonName":   "cofide.io",
+							"country":      "UK",
+							"organization": "Cofide",
+						},
 						"clusterName": "local4",
 						"namespaces": Values{
 							"create": true,
@@ -397,6 +407,11 @@ func TestHelmValuesGenerator_GenerateValues_AdditionalValues(t *testing.T) {
 						"enabled": false,
 					},
 					"spire": Values{
+						"caSubject": Values{
+							"commonName":   "cofide.io",
+							"country":      "UK",
+							"organization": "Cofide",
+						},
 						"clusterName": "local1",
 						"namespaces": Values{
 							"create": true,
@@ -987,6 +1002,11 @@ func TestGlobalValues_GenerateValues(t *testing.T) {
 			want: map[string]any{
 				"global": map[string]any{
 					"spire": map[string]any{
+						"caSubject": Values{
+							"commonName":   "",
+							"country":      "",
+							"organization": "",
+						},
 						"clusterName": "local1",
 						"namespaces": Values{
 							"create": false,
@@ -1016,6 +1036,11 @@ func TestGlobalValues_GenerateValues(t *testing.T) {
 			want: map[string]any{
 				"global": map[string]any{
 					"spire": map[string]any{
+						"caSubject": Values{
+							"commonName":   "",
+							"country":      "",
+							"organization": "",
+						},
 						"clusterName": "local1",
 						"namespaces": Values{
 							"create": false,
@@ -1045,6 +1070,11 @@ func TestGlobalValues_GenerateValues(t *testing.T) {
 			want: map[string]any{
 				"global": map[string]any{
 					"spire": map[string]any{
+						"caSubject": Values{
+							"commonName":   "",
+							"country":      "",
+							"organization": "",
+						},
 						"clusterName": "local1",
 						"jwtIssuer":   "https://tz1.example.com",
 						"namespaces": Values{