Open hhopen opened 1 month ago
You can configure the spiffe-oidc-discovery-provider here: https://github.com/spiffe/helm-charts-hardened/blob/spire-0.20.0/charts/spire/charts/spire-server/values.yaml#L582
You can override the spiffeIDTemplate directly in that section, or any of the other settings for the discovery provider.
It uses the labels already on the discovery provider for workload selection/configuration.
Mixing the discovery provider and default configs together can cause issues, which is why we separated the config.
When using podSelector for issuing SPIFFE IDs, it is not possible to set the required label name and value on the spiffe-oidc-discovery-provider.
E.g.:

```yaml
spire-server:
  controllerManager:
    enabled: true
    identities:
      clusterSPIFFEIDs:
        default:
          spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/reg/{{ index .PodMeta.Labels \"example.com/regulation\" }}/ns/{{ .PodMeta.Namespace }}"
          podSelector:
            matchExpressions:
```
When using the example above the provider won't come up:

```
time="2024-05-28T11:58:22Z" level=warning msg="Failed to fetch JWKS from the Workload API" error="rpc error: code = PermissionDenied desc = no identity issued"
```
A possible fix is to enable functionality to add labels to the spiffe-oidc-discovery-provider. See the diff below.
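To make the failure mode above concrete, here is an added example (not code from this issue, from the Helm chart, or from spire-controller-manager) that evaluates a ClusterSPIFFEID's `podSelector` against a pod's labels with Kubernetes label-selector semantics and then renders the `spiffeIDTemplate`. The pod labels, the trust domain `example.org`, the namespace `spire-system` and the regulation values are constructed for the example; the template renderer is a simplified stand-in that only understands the three placeholders used in the template above, not a real Go template engine. It shows why a discovery provider pod that lacks the selected label gets no identity, and what it receives once the label is present.

```python
import re

# Constructed: labels as a discovery provider pod might carry them. These are
# illustrative names, not the chart's actual labels.
PROVIDER_POD_LABELS = {
    "app.kubernetes.io/name": "spiffe-oidc-discovery-provider",
    "app.kubernetes.io/instance": "spire",
}

# The template from the issue; the selector is a constructed completion of the
# truncated matchExpressions block (requires the regulation label to be set).
TEMPLATE = (
    'spiffe://{{ .TrustDomain }}/reg/'
    '{{ index .PodMeta.Labels "example.com/regulation" }}'
    '/ns/{{ .PodMeta.Namespace }}'
)
REGULATED_SELECTOR = {
    "matchExpressions": [
        {"key": "example.com/regulation", "operator": "In", "values": ["gdpr", "hipaa"]}
    ]
}


def _match_expression(labels, expr):
    """One metav1.LabelSelectorRequirement: In, NotIn, Exists, DoesNotExist."""
    key, op = expr["key"], expr["operator"]
    values = set(expr.get("values", []))
    present = key in labels
    if op == "In":
        return present and labels[key] in values
    if op == "NotIn":
        return (not present) or labels[key] not in values
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    raise ValueError(f"unknown operator {op!r}")


def pod_matches(labels, selector):
    """Label-selector semantics: every matchLabels entry and every
    matchExpressions entry must hold; an empty selector matches every pod."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    return all(_match_expression(labels, e) for e in selector.get("matchExpressions", []))


# Simplified renderer for the placeholders used in TEMPLATE (assumption: a
# stand-in for Go text/template, handling only these three forms).
_LABEL_REF = re.compile(r'\{\{\s*index\s+\.PodMeta\.Labels\s+"([^"]+)"\s*\}\}')


def render_template(template, trust_domain, namespace, labels):
    out = template.replace("{{ .TrustDomain }}", trust_domain)
    out = out.replace("{{ .PodMeta.Namespace }}", namespace)
    # Like Go's index on a map, a missing key renders as the empty string.
    return _LABEL_REF.sub(lambda m: labels.get(m.group(1), ""), out)


def identity_for(labels, selector, template, trust_domain, namespace):
    """Return the SPIFFE ID the pod would be issued, or None when the selector
    does not pick the pod up (the controller then issues no identity)."""
    if not pod_matches(labels, selector):
        return None
    return render_template(template, trust_domain, namespace, labels)


if __name__ == "__main__":
    # Provider pod without the selected label: no identity, the Workload API
    # call in the issue fails with "no identity issued".
    print(identity_for(PROVIDER_POD_LABELS, REGULATED_SELECTOR, TEMPLATE, "example.org", "spire-system"))
    # Same pod once the label has been added to it: the selector matches.
    labelled = dict(PROVIDER_POD_LABELS, **{"example.com/regulation": "gdpr"})
    print(identity_for(labelled, REGULATED_SELECTOR, TEMPLATE, "example.org", "spire-system"))
```

Running it prints `None` for the unlabelled provider pod and `spiffe://example.org/reg/gdpr/ns/spire-system` once the label is present, which is the situation the issue's proposed fix (letting the chart put labels on the discovery provider) addresses.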