spiffe / helm-charts-hardened

Apache License 2.0

Can't set spiffe-oidc-discovery-provider pod labels that matches SpiffeID pod selector #372

Open hhopen opened 1 month ago

hhopen commented 1 month ago

When using podSelector for issuing SPIFFE IDs, it is not possible to set the required label name and value on the spiffe-oidc-discovery-provider.

E.g.:

  spire-server:
    controllerManager:
      enabled: true
      identities:
        clusterSPIFFEIDs:
          default:
            spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/reg/{{ index .PodMeta.Labels \"example.com/regulation\" }}/ns/{{ .PodMeta.Namespace }}"
            podSelector:
              matchExpressions:

When using the example above, the provider won't come up:

  time="2024-05-28T11:58:22Z" level=warning msg="Failed to fetch JWKS from the Workload API" error="rpc error: code = PermissionDenied desc = no identity issued"

A possible fix is to enable functionality to add labels to the spiffe-oidc-discovery-provider. See the diff below.

diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
index ed121b9..24ca6ff 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
@@ -54,6 +54,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | `livenessProbe.initialDelaySeconds`                   | Initial delay seconds for livenessProbe                                                                                                                                                                                                | `5`                                                                               |
 | `livenessProbe.periodSeconds`                         | Period seconds for livenessProbe                                                                                                                                                                                                       | `5`                                                                               |
 | `podAnnotations`                                      | Pod annotations for Spire OIDC discovery provider                                                                                                                                                                                      | `{}`                                                                              |
+| `podLabels`                                           | Pod labels for Spire OIDC discovery provider                                                                                                                                                                                           | `{}`                                                                              |
 | `tls.spire.enabled`                                   | Use spire to secure the oidc-discovery-provider                                                                                                                                                                                        | `true`                                                                            |
 | `tls.externalSecret.enabled`                          | Provide your own certificate/key via tls style Kubernetes Secret                                                                                                                                                                       | `false`                                                                           |
 | `tls.externalSecret.secretName`                       | Specify which Secret to use                                                                                                                                                                                                            | `""`                                                                              |
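Review bot: the new `podLabels` row follows the format of the surrounding rows, but its text is a copy of the `## @param` annotation added to values.yaml; the `## @param` convention used by this table suggests the README is produced by a readme generator, so regenerate it from values.yaml rather than hand-editing the row, which keeps the column widths and ordering consistent with the other parameters.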
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
index 407e39b..c71e775 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
@@ -30,6 +30,9 @@ spec:
         release: {{ .Release.Name }}
         release-namespace: {{ .Release.Namespace }}
         component: oidc-discovery-provider
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
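Review bot: the `with .Values.podLabels` block is emitted after the chart-owned `release`, `release-namespace` and `component` labels, so a user value that reuses one of those keys renders a duplicate mapping key in the pod template labels, which YAML parsers and kubectl strict decoding handle inconsistently instead of failing clearly; either place the user block before the chart-owned keys so the chart's values take effect, or state in values.yaml that `podLabels` must not redefine them. The `nindent 8` matches the indentation of the sibling label lines, and the hunk correctly leaves the Deployment's `spec.selector` untouched, which is what keeps user labels from affecting pod selection by the Deployment itself.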
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
index b43b3df..b2eb863 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
@@ -105,6 +105,9 @@ livenessProbe:
 ## @param podAnnotations [object] Pod annotations for Spire OIDC discovery provider
 podAnnotations: {}

+## @param podLabels [object] Pod labels for Spire OIDC discovery provider
+podLabels: {}
+
 # Select from one of the options below to be the source of certificates for OIDC Discovery Provider.
 # If none are enabled, connections won't be TLS encrypted.
 tls:
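Review bot: the `## @param podLabels [object]` line matches the `podAnnotations` entry just above it, but the description does not say why a user would set it; since the motivation is a ClusterSPIFFEID `podSelector` that the provider pod currently cannot satisfy, a short comment above `podLabels: {}` noting that these labels go on the pod template (so a selector such as the `example.com/regulation` expression in this issue can match the provider) would make the knob discoverable for the case that prompted it.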
kfox1111 commented 1 month ago

You can configure the spiffe-oidc-discovery-provider here: https://github.com/spiffe/helm-charts-hardened/blob/spire-0.20.0/charts/spire/charts/spire-server/values.yaml#L582

You can override the spiffeIDTemplate directly in that section, or any of the other settings for the discovery provider.

It uses the labels already on the discovery provider for workload selection/configuration.

Mixing the discovery provider and default configs together can cause issues, which is why we separated the config.
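For concreteness, an added example (not from the chart or from either commenter) of umbrella-chart values that completes the selector described in the issue and, assuming the proposed `podLabels` patch is applied, gives the discovery provider pod a label that selector matches. The `spiffe-oidc-discovery-provider` top-level key is taken from the subchart path in the diff; the `Exists` expression and the label value `finance` are constructed assumptions.

```yaml
# Added example: umbrella-chart values for the scenario in the issue.
# Assumes the proposed podLabels patch is applied to the
# spiffe-oidc-discovery-provider subchart. The label value "finance"
# and the Exists expression are constructed for illustration.

spire-server:
  controllerManager:
    enabled: true
    identities:
      clusterSPIFFEIDs:
        default:
          # The label value becomes a path segment of the SPIFFE ID, so the
          # selector must guarantee the label exists on every matched pod.
          spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/reg/{{ index .PodMeta.Labels \"example.com/regulation\" }}/ns/{{ .PodMeta.Namespace }}"
          podSelector:
            matchExpressions:
              - key: example.com/regulation
                operator: Exists

spiffe-oidc-discovery-provider:
  # Without this label the provider pod matches no ClusterSPIFFEID and the
  # Workload API answers "PermissionDenied ... no identity issued", which is
  # the warning quoted in the issue. With it, the provider is issued
  # spiffe://<trust domain>/reg/finance/ns/<release namespace>.
  podLabels:
    example.com/regulation: finance
```

As kfox1111 notes, the chart already carries a separate ClusterSPIFFEID configuration for the provider keyed on the labels the deployment template sets (`component: oidc-discovery-provider` in the diff context), so the label route above is only needed when the default selector is meant to cover the provider too.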