Merge pull request #141 from SgtCoDFish/runtimeconfiguration

Allow runtime configuration of issuers
cert-manager · May 16, 2024 · 288f033 · 288f033
2 parents c41e87f + a7f2470
commit 288f033
Show file tree

Hide file tree

Showing 14 changed files with 978 additions and 12 deletions.
diff --git a/deploy/charts/csi-driver-spiffe/README.md b/deploy/charts/csi-driver-spiffe/README.md
@@ -94,6 +94,15 @@ Verbosity of cert-manager-csi-driver logging.
 > ```
 
 Duration requested for requested certificates.
+#### **app.runtimeIssuanceConfigMap** ~ `string`
+> Default value:
+> ```yaml
+> ""
+> ```
+
+Name of a ConfigMap in the installation namespace to watch, providing runtime configuration of an issuer to use.  
+
+The "issuer-name", "issuer-kind" and "issuer-group" keys must be present in the ConfigMap for it to be used.
 #### **app.extraCertificateRequestAnnotations** ~ `unknown`
 > Default value:
 > ```yaml

diff --git a/deploy/charts/csi-driver-spiffe/templates/daemonset.yaml b/deploy/charts/csi-driver-spiffe/templates/daemonset.yaml
@@ -83,6 +83,8 @@ spec:
             - --node-id=$(NODE_ID)
             - --endpoint=$(CSI_ENDPOINT)
             - --data-root=csi-data-dir
+            - "--runtime-issuance-config-map-name={{.Values.app.runtimeIssuanceConfigMap}}"
+            - "--runtime-issuance-config-map-namespace={{.Release.Namespace}}"
           {{- if .Values.app.extraCertificateRequestAnnotations }}
             - --extra-certificate-request-annotations={{ .Values.app.extraCertificateRequestAnnotations }}
           {{- end }}

diff --git a/deploy/charts/csi-driver-spiffe/templates/role.yaml b/deploy/charts/csi-driver-spiffe/templates/role.yaml
@@ -1,3 +1,21 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "cert-manager-csi-driver-spiffe.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cert-manager-csi-driver-spiffe.labels" . | nindent 4 }}
+rules:
+{{- if .Values.app.runtimeIssuanceConfigMap }}
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch"]
+  resourceNames: ["{{.Values.app.runtimeIssuanceConfigMap}}"]
+{{- end }}
+
+
+---
+
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

diff --git a/deploy/charts/csi-driver-spiffe/templates/rolebinding.yaml b/deploy/charts/csi-driver-spiffe/templates/rolebinding.yaml
@@ -1,3 +1,21 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "cert-manager-csi-driver-spiffe.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cert-manager-csi-driver-spiffe.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "cert-manager-csi-driver-spiffe.name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cert-manager-csi-driver-spiffe.name" . }}
+  namespace: {{ .Release.Namespace }}
+
+---
+
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

diff --git a/deploy/charts/csi-driver-spiffe/values.schema.json b/deploy/charts/csi-driver-spiffe/values.schema.json
@@ -65,6 +65,9 @@
         "name": {
           "$ref": "#/$defs/helm-values.app.name"
         },
+        "runtimeIssuanceConfigMap": {
+          "$ref": "#/$defs/helm-values.app.runtimeIssuanceConfigMap"
+        },
         "trustDomain": {
           "$ref": "#/$defs/helm-values.app.trustDomain"
         }
@@ -447,6 +450,11 @@
       "description": "The name for the CSI driver installation.",
       "type": "string"
     },
+    "helm-values.app.runtimeIssuanceConfigMap": {
+      "default": "",
+      "description": "Name of a ConfigMap in the installation namespace to watch, providing runtime configuration of an issuer to use.\n\nThe \"issuer-name\", \"issuer-kind\" and \"issuer-group\" keys must be present in the ConfigMap for it to be used.",
+      "type": "string"
+    },
     "helm-values.app.trustDomain": {
       "default": "cluster.local",
       "description": "The Trust Domain for this driver.",

diff --git a/deploy/charts/csi-driver-spiffe/values.yaml b/deploy/charts/csi-driver-spiffe/values.yaml
@@ -48,6 +48,14 @@ app:
   logLevel: 1 # 1-5
   # Duration requested for requested certificates.
   certificateRequestDuration: 1h
+
+  # Name of a ConfigMap in the installation namespace to watch, providing
+  # runtime configuration of an issuer to use.
+  #
+  # The "issuer-name", "issuer-kind" and "issuer-group" keys must be present in
+  # the ConfigMap for it to be used.
+  runtimeIssuanceConfigMap: ""
+
   # List of annotations to add to certificate requests
   #
   # For example:

diff --git a/internal/csi/app/app.go b/internal/csi/app/app.go
@@ -71,7 +71,10 @@ func NewCommand(ctx context.Context) *cobra.Command {
 				TrustDomain:                   opts.CertManager.TrustDomain,
 				CertificateRequestAnnotations: opts.CertManager.CertificateRequestAnnotations,
 				CertificateRequestDuration:    opts.CertManager.CertificateRequestDuration,
-				IssuerRef:                     opts.CertManager.IssuerRef,
+				IssuerRef:                     &opts.CertManager.IssuerRef,
+
+				IssuanceConfigMapName:      opts.CertManager.IssuanceConfigMapName,
+				IssuanceConfigMapNamespace: opts.CertManager.IssuanceConfigMapNamespace,
 
 				CertificateFileName: opts.Volume.CertificateFileName,
 				KeyFileName:         opts.Volume.KeyFileName,

diff --git a/internal/csi/app/options/options.go b/internal/csi/app/options/options.go
@@ -56,6 +56,12 @@ type OptionsDriver struct {
 
 // OptionsCertManager is options specific to cert-manager CertificateRequests.
 type OptionsCertManager struct {
+	// IssuanceConfigMapName is the name of a ConfigMap to watch for configuration options. The ConfigMap is expected to be in the same namespace as the csi-driver-spiffe pod.
+	IssuanceConfigMapName string
+
+	// IssuanceConfigMapNamespace is the namespace where the runtime configuration ConfigMap is located
+	IssuanceConfigMapNamespace string
+
 	// TrustDomain is the trust domain of this SPIFFE PKI. The TrustDomain will
 	// appear in signed certificate's URI SANs.
 	TrustDomain string
@@ -113,6 +119,10 @@ func (o *Options) addDriverFlags(fs *pflag.FlagSet) {
 }
 
 func (o *Options) addCertManagerFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&o.CertManager.IssuanceConfigMapName, "runtime-issuance-config-map-name", "", "Name of a ConfigMap to watch at runtime for issuer details. If such a ConfigMap is found, overrides issuer-name, issuer-kind and issuer-group")
+
+	fs.StringVar(&o.CertManager.IssuanceConfigMapNamespace, "runtime-issuance-config-map-namespace", "", "Namespace for ConfigMap to be watched at runtime for issuer details")
+
 	fs.StringVar(&o.CertManager.TrustDomain, "trust-domain", "cluster.local",
 		"The trust domain that will be requested for on created CertificateRequests.")
 	fs.DurationVar(&o.CertManager.CertificateRequestDuration, "certificate-request-duration", time.Hour,