Enable Helm chart recommendations, use 3-namespace deployment

internal/pkg/config/testdata/config/full.yaml

@@ -18,10 +18,12 @@ trust_zones:
       extra_helm_values:
         global:
             spire:
-                namespaces:
-                    create: true
+                caSubject:
+                    commonName: cn.example.com
+                    organization: acme-org
         spire-server:
             logLevel: INFO
+            nameOverride: custom-server-name
       bundle_endpoint_profile: BUNDLE_ENDPOINT_PROFILE_HTTPS_SPIFFE
       profile: kubernetes
       external_server: false

internal/pkg/test/fixtures/fixtures.go

@@ -46,13 +46,18 @@ var trustZoneFixtures map[string]*trust_zone_proto.TrustZone = map[string]*trust
 			ev := map[string]any{
 				"global": map[string]any{
 					"spire": map[string]any{
-						"namespaces": map[string]any{
-							"create": true,
+						// Modify multiple values in the same map.
+						"caSubject": map[string]any{
+							"organization": "acme-org",
+							"commonName":   "cn.example.com",
 						},
 					},
 				},
 				"spire-server": map[string]any{
+					// Modify an existing value.
 					"logLevel": "INFO",
+					// Customise a new value.
+					"nameOverride": "custom-server-name",
 				},
 			}
 			value, err := structpb.NewStruct(ev)

internal/pkg/trustprovider/trustprovider.go

@@ -36,27 +36,18 @@ func (tp *TrustProvider) GetValues() error {
 	switch tp.Kind {
 	case "kubernetes":
 		tp.AgentConfig = TrustProviderAgentConfig{
-			WorkloadAttestor:        KubernetesTrustProvider,
-			WorkloadAttestorEnabled: true,
+			WorkloadAttestor: KubernetesTrustProvider,
 			WorkloadAttestorConfig: map[string]any{
-				"enabled":                     true,
-				"skipKubeletVerification":     true,
-				"disableContainerSelectors":   true,
-				"useNewContainerLocator":      false,
-				"verboseContainerLocatorLogs": false,
+				"enabled":                   true,
+				"disableContainerSelectors": true,
 			},
-			NodeAttestor:        kubernetesPsat,
-			NodeAttestorEnabled: true,
+			NodeAttestor: kubernetesPsat,
 		}
 		tp.ServerConfig = TrustProviderServerConfig{
-			NodeAttestor:        kubernetesPsat,
-			NodeAttestorEnabled: true,
+			NodeAttestor: kubernetesPsat,
 			NodeAttestorConfig: map[string]any{
-				"enabled":                 true,
-				"serviceAccountAllowList": []string{"spire:spire-agent"},
-				"audience":                []string{"spire-server"},
-				"allowedNodeLabelKeys":    []string{},
-				"allowedPodLabelKeys":     []string{},
+				"enabled":  true,
+				"audience": []string{"spire-server"},
 			},
 		}
 	default:
@@ -66,17 +57,14 @@ func (tp *TrustProvider) GetValues() error {
 }
 
 type TrustProviderAgentConfig struct {
-	WorkloadAttestor        string         `yaml:"workloadAttestor"`
-	WorkloadAttestorEnabled bool           `yaml:"workloadAttestorEnabled"`
-	WorkloadAttestorConfig  map[string]any `yaml:"workloadAttestorConfig"`
-	NodeAttestor            string         `yaml:"nodeAttestor"`
-	NodeAttestorEnabled     bool           `yaml:"nodeAttestorEnabled"`
+	WorkloadAttestor       string
+	WorkloadAttestorConfig map[string]any
+	NodeAttestor           string
 }
 
 type TrustProviderServerConfig struct {
-	NodeAttestor        string         `yaml:"nodeAttestor"`
-	NodeAttestorEnabled bool           `yaml:"nodeAttestorEnabled"`
-	NodeAttestorConfig  map[string]any `yaml:"nodeAttestorConfig"`
+	NodeAttestor       string
+	NodeAttestorConfig map[string]any
 }
 
 // GetTrustProviderKindFromProfile returns the valid kind of trust provider for the

internal/pkg/workload/workload.go

@@ -77,12 +77,15 @@ func GetRegisteredWorkloads(ctx context.Context, kubeConfig string, kubeContext
 // GetUnregisteredWorkloads will discover workloads in a Kubernetes cluster that are not (yet) registered
 func GetUnregisteredWorkloads(ctx context.Context, kubeCfgFile string, kubeContext string, secretDiscovery bool, checkSpire bool) ([]Workload, error) {
 	// Includes the initial Kubernetes namespaces.
-	ignoredNamespaces := map[string]int{
-		"kube-node-lease":    1,
-		"kube-public":        2,
-		"kube-system":        3,
-		"local-path-storage": 4,
-		"spire":              5,
+	ignoredNamespaces := map[string]bool{
+		"kube-node-lease":    true,
+		"kube-public":        true,
+		"kube-system":        true,
+		"local-path-storage": true,
+		"spire":              true,
+		"spire-server":       true,
+		"spire-system":       true,
+		"spire-mgmt":         true,
 	}
 
 	client, err := kubeutil.NewKubeClientFromSpecifiedContext(kubeCfgFile, kubeContext)

pkg/provider/helm/helm.go

@@ -34,7 +34,8 @@ const (
 	SPIRECRDsChartName    = "spire-crds"
 	SPIRECRDsChartVersion = "0.4.0"
 
-	SPIRENamespace = "spire"
+	// Kubernetes namespace in which Helm charts and CRDs will be installed.
+	SPIREManagementNamespace = "spire-mgmt"
 )
 
 // Type assertion that HelmSPIREProvider implements the Provider interface.
@@ -261,7 +262,7 @@ func newInstall(cfg *action.Configuration, chart string, version string) *action
 	install := action.NewInstall(cfg)
 	install.Version = version
 	install.ReleaseName = chart
-	install.Namespace = SPIRENamespace
+	install.Namespace = SPIREManagementNamespace
 	install.CreateNamespace = true
 	return install
 }
@@ -308,7 +309,7 @@ func installChart(ctx context.Context, cfg *action.Configuration, client *action
 
 func newUpgrade(cfg *action.Configuration, version string) *action.Upgrade {
 	upgrade := action.NewUpgrade(cfg)
-	upgrade.Namespace = SPIRENamespace
+	upgrade.Namespace = SPIREManagementNamespace
 	upgrade.Version = version
 	upgrade.ReuseValues = true
 	return upgrade

pkg/provider/helm/values.go

@@ -23,18 +23,25 @@ type HelmValuesGenerator struct {
 type globalValues struct {
 	deleteHooks                   bool
 	installAndUpgradeHooksEnabled bool
+	spireCASubject                caSubject
 	spireClusterName              string
-	spireCreateRecommendations    bool
 	spireJwtIssuer                string
+	spireNamespacesCreate         bool
+	spireRecommendationsEnabled   bool
 	spireTrustDomain              string
 }
 
+type caSubject struct {
+	commonName   string
+	country      string
+	organization string
+}
+
 type spireAgentValues struct {
-	agentConfig        trustprovider.TrustProviderAgentConfig
-	fullnameOverride   string
-	logLevel           string
-	sdsConfig          map[string]any
-	spireServerAddress string
+	agentConfig      trustprovider.TrustProviderAgentConfig
+	fullnameOverride string
+	logLevel         string
+	sdsConfig        map[string]any
 }
 
 type spireServerValues struct {
@@ -72,9 +79,15 @@ func (g *HelmValuesGenerator) GenerateValues() (map[string]any, error) {
 	}
 
 	gv := globalValues{
+		spireCASubject: caSubject{
+			commonName:   "cofide.io",
+			country:      "UK",
+			organization: "Cofide",
+		},
 		spireClusterName:              g.trustZone.GetKubernetesCluster(),
-		spireCreateRecommendations:    true,
 		spireJwtIssuer:                g.trustZone.GetJwtIssuer(),
+		spireNamespacesCreate:         true,
+		spireRecommendationsEnabled:   true,
 		spireTrustDomain:              g.trustZone.TrustDomain,
 		installAndUpgradeHooksEnabled: false,
 		deleteHooks:                   false,
@@ -91,11 +104,10 @@ func (g *HelmValuesGenerator) GenerateValues() (map[string]any, error) {
 	}
 
 	sav := spireAgentValues{
-		fullnameOverride:   "spire-agent",
-		logLevel:           "DEBUG",
-		agentConfig:        tp.AgentConfig,
-		sdsConfig:          sdsConfig,
-		spireServerAddress: "spire-server.spire",
+		fullnameOverride: "spire-agent",
+		logLevel:         "DEBUG",
+		agentConfig:      tp.AgentConfig,
+		sdsConfig:        sdsConfig,
 	}
 	spireAgentValues, err := sav.generateValues()
 	if err != nil {
@@ -242,9 +254,13 @@ func (g *globalValues) generateValues() (map[string]any, error) {
 	values := map[string]any{
 		"global": map[string]any{
 			"spire": map[string]any{
+				"caSubject":   g.spireCASubject.generateValues(),
 				"clusterName": g.spireClusterName,
+				"namespaces": map[string]any{
+					"create": g.spireNamespacesCreate,
+				},
 				"recommendations": map[string]any{
-					"create": g.spireCreateRecommendations,
+					"enabled": g.spireRecommendationsEnabled,
 				},
 				"trustDomain": g.spireTrustDomain,
 			},
@@ -274,6 +290,15 @@ func (g *globalValues) generateValues() (map[string]any, error) {
 	return values, nil
 }
 
+// generateValues generates the global.spire.caSubject Helm values map.
+func (c *caSubject) generateValues() map[string]any {
+	return map[string]any{
+		"country":      c.country,
+		"organization": c.organization,
+		"commonName":   c.commonName,
+	}
+}
+
 // generateValues generates the spire-agent Helm values map.
 func (s *spireAgentValues) generateValues() (map[string]any, error) {
 	if s.fullnameOverride == "" {
@@ -308,23 +333,16 @@ func (s *spireAgentValues) generateValues() (map[string]any, error) {
 		return nil, fmt.Errorf("agentConfig.WorkloadAttestorConfig value is empty")
 	}
 
-	if s.spireServerAddress == "" {
-		return nil, fmt.Errorf("spireServerAddress value is empty")
-	}
-
 	return map[string]any{
 		"spire-agent": map[string]any{
 			"fullnameOverride": s.fullnameOverride,
 			"logLevel":         s.logLevel,
 			"nodeAttestor": map[string]any{
 				s.agentConfig.NodeAttestor: map[string]any{
-					"enabled": s.agentConfig.NodeAttestorEnabled,
+					"enabled": true,
 				},
 			},
 			"sds": s.sdsConfig,
-			"server": map[string]any{
-				"address": s.spireServerAddress,
-			},
 			"workloadAttestors": map[string]any{
 				s.agentConfig.WorkloadAttestor: s.agentConfig.WorkloadAttestorConfig,
 			},