Add external spire-controller-managers

Only one external controller manager is supported at a time until spiffe/spire#4898 is resolved. Signed-off-by: Kevin Fox <[email protected]>
spiffe · Mar 12, 2024 · ce2baae · ce2baae
1 parent df5f05e
commit ce2baae
Show file tree

Hide file tree

Showing 7 changed files with 288 additions and 92 deletions.
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
@@ -275,6 +275,21 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `controllerManager.validatingWebhookConfiguration.enabled`                                   | Disable only when you have another chart instance on the k8s cluster with webhooks enabled.                                                                                                                                                                                                                                                                          | `true`                                                                                         |
 | `controllerManager.validatingWebhookConfiguration.failurePolicy`                             | Action when identity is not issued                                                                                                                                                                                                                                                                                                                                   | `Fail`                                                                                         |
 | `controllerManager.cacheNamespaces`                                                          | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces.                                                                                                                                                                                                                                                   | `{}`                                                                                           |
+| `externalControllerManagers.enabled`                                                         | Flag to enable external controller managers                                                                                                                                                                                                                                                                                                                          | `false`                                                                                        |
+| `externalControllerManagers.defaults.reconcile.clusterSPIFFEIDs`                             | Enable reconciliation of clusterSPIFFEIDs from K8s to the SPIRE server                                                                                                                                                                                                                                                                                               | `true`                                                                                         |
+| `externalControllerManagers.defaults.reconcile.clusterStaticEntries`                         | Enable reconciliation of clusterStaticEntries from K8s to the SPIRE server                                                                                                                                                                                                                                                                                           | `false`                                                                                        |
+| `externalControllerManagers.defaults.reconcile.clusterFederatedTrustDomains`                 | Enable reconciliation of clusterFederatedTrustDomains from K8s to the SPIRE server                                                                                                                                                                                                                                                                                   | `false`                                                                                        |
+| `externalControllerManagers.defaults.className`                                              | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs.                                                                                                                                                                                     | `""`                                                                                           |
+| `externalControllerManagers.defaults.watchClassless`                                         | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true.                                                                                                                                                                | `false`                                                                                        |
+| `externalControllerManagers.defaults.parentIDTemplate`                                       | The template that is used to register workloads.                                                                                                                                                                                                                                                                                                                     | `spiffe://{{ .TrustDomain }}/spire/agent/k8s_psat/{{ .ClusterName }}/{{ .NodeMeta.UID }}`      |
+| `externalControllerManagers.defaults.expandEnv`                                              | Set to true to enable environment variable substitution of config file options                                                                                                                                                                                                                                                                                       | `false`                                                                                        |
+| `externalControllerManagers.defaults.extraEnv`                                               | Extra environment variables to add to the controller manager                                                                                                                                                                                                                                                                                                         | `[]`                                                                                           |
+| `externalControllerManagers.defaults.resources`                                              | Resource requests and limits for controller manager                                                                                                                                                                                                                                                                                                                  | `{}`                                                                                           |
+| `externalControllerManagers.defaults.securityContext`                                        | Security context                                                                                                                                                                                                                                                                                                                                                     | `{}`                                                                                           |
+| `externalControllerManagers.defaults.configMap.annotations`                                  | Annotations to add to the Controller Manager ConfigMap                                                                                                                                                                                                                                                                                                               | `{}`                                                                                           |
+| `externalControllerManagers.defaults.ignoreNamespaces`                                       | These namespaces are ignored by controller manager                                                                                                                                                                                                                                                                                                                   | `[]`                                                                                           |
+| `externalControllerManagers.defaults.cacheNamespaces`                                        | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces.                                                                                                                                                                                                                                                   | `{}`                                                                                           |
+| `externalControllerManagers.clusters`                                                        | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used.                                                                                                                                                                                                                                                 | `{}`                                                                                           |
 | `tools.kubectl.image.registry`                                                               | The OCI registry to pull the image from                                                                                                                                                                                                                                                                                                                              | `docker.io`                                                                                    |
 | `tools.kubectl.image.repository`                                                             | The repository within the registry                                                                                                                                                                                                                                                                                                                                   | `rancher/kubectl`                                                                              |
 | `tools.kubectl.image.pullPolicy`                                                             | The image pull policy                                                                                                                                                                                                                                                                                                                                                | `IfNotPresent`                                                                                 |

diff --git a/charts/spire/charts/spire-server/templates/_controller-manager-container.tpl b/charts/spire/charts/spire-server/templates/_controller-manager-container.tpl
@@ -0,0 +1,142 @@
+{{- define "spire-controller-manager.containers" }}
+{{-   $root := . }}
+{{-   $settings := dict }}
+{{-   $defaults := .Values.controllerManager }}
+{{-   $webhooksEnabled := .Values.controllerManager.validatingWebhookConfiguration.enabled }}
+{{-   $startPort := 8082 }}
+{{-   $reconcileFederation := 0 }}
+{{-   $reconcileEntries := 0 }}
+{{-   if eq (.Values.controllerManager.enabled | toString) "true" }}
+{{-     if .Values.controllerManager.reconcile.clusterFederatedTrustDomains }}
+{{-       $reconcileFederation = add $reconcileFederation 1 }}
+{{-     end }}
+{{-     if or .Values.controllerManager.reconcile.clusterSPIFFEIDs .Values.controllerManager.reconcile.clusterStaticEntries }}
+{{-       $reconcileEntries = add $reconcileEntries 1 }}
+{{-     end }}
+{{-     include "spire-controller-manager.container" (dict "Values" .Values "Chart" .Chart "startPort" $startPort "suffix" "" "settings" $settings "defaults" $defaults "webhooksEnabled" $webhooksEnabled) }}
+{{-   end }}
+{{-   if .Values.externalControllerManagers.enabled }}
+{{-     $clusters := default .Values.kubeConfigs .Values.externalControllerManagers.clusters }}
+{{-     $clusterDefaults := .Values.externalControllerManagers.defaults }}
+{{-     range $name, $_ := $clusters }}
+{{-       $clusterSettings := dict }}
+{{-       if hasKey $root.Values.externalControllerManagers.clusters $name }}
+{{-         $clusterSettings = index $root.Values.externalControllerManagers.clusters $name }}
+{{-       end }}
+{{-       $suffix := printf "-%s" $name }}
+{{-       $startPort = add $startPort 2 }}
+{{-       $kubeConfig := $name }}
+{{-       if hasKey $clusterSettings "kubeConfigName" }}
+{{-         $kubeConfig = $clusterSettings.kubeConfigName }}
+{{-       end }}
+{{-       $reconcile := dict }}
+{{-       if hasKey $clusterSettings "reconcile" }}
+{{-         $reconcile = $clusterSettings.reconcile }}
+{{-       end }}
+{{-       if and (hasKey $reconcile "clusterFederatedTrustDomains") $reconcile.clusterFederatedTrustDomains }}
+{{-         $reconcileFederation = add $reconcileFederation 1 }}
+{{-       else if $clusterDefaults.reconcile.clusterFederatedTrustDomains }}
+{{-         $reconcileFederation = add $reconcileFederation 1 }}
+{{-       end }}
+{{-       if gt $reconcileFederation 1 }}
+{{-         fail "You can only have one controller-manager with reconcile.clusterFederatedTrustDomains set to true" }}
+{{-       end }}
+{{-       $entryFound := false }}
+{{-       if and (hasKey $reconcile "clusterSPIFFEIDs") $reconcile.clusterSPIFFEIDs }}
+{{-         $entryFound = true }}
+{{-       else if $clusterDefaults.reconcile.clusterSPIFFEIDs }}
+{{-         $entryFound = true }}
+{{-       end }}
+{{-       if and (hasKey $reconcile "clusterStaticEntries") $reconcile.clusterStaticEntries }}
+{{-         $entryFound = true }}
+{{-       else if $clusterDefaults.reconcile.clusterStaticEntries }}
+{{-         $entryFound = true }}
+{{-       end }}
+{{-       if $entryFound }}
+{{-         $reconcileEntries = add $reconcileEntries 1 }}
+{{-       end }}
+{{-       if gt $reconcileEntries 1 }}
+{{-         fail "You can only have one controller-manager reconciling entries with either reconcile.clusterSPIFFEIDs or clusterStaticEntries" }}
+{{-       end }}
+{{-       include "spire-controller-manager.container" (dict "Values" $root.Values "Chart" $root.Chart "startPort" $startPort "suffix" $suffix "settings" $clusterSettings "defaults" $clusterDefaults "webhooksEnabled" false "kubeConfig" $kubeConfig ) }}
+{{-     end }}
+{{-   end }}
+{{- end }}
+{{- define "spire-controller-manager.container" }}
+{{-   $promPort := .startPort }}
+{{-   $healthPort := add .startPort 1 }}
+{{-   $extraEnv := .defaults.extraEnv }}
+{{-   if hasKey .settings "extraEnv" }}
+{{-     $extraEnv = .settings.extraEnv }}
+{{-   end }}
+{{-   $expandEnv := .defaults.expandEnv }}
+{{-   if hasKey .settings "expandEnv" }}
+{{-     $extraEnv = .settings.expandEnv }}
+{{-   end }}
+{{-   $securityContext := .defaults.securityContext }}
+{{-   if hasKey .settings "securityContext" }}
+{{-     $securityContext = mergeOverwrite .defaults.securityContext .settings.securityContext }}
+{{-   end }}
+- name: spire-controller-manager{{ .suffix }}
+  securityContext:
+    {{- include "spire-lib.securitycontext-extended" (dict "root" . "securityContext" $securityContext) | nindent 4 }}
+  image: {{ template "spire-lib.image" (dict "appVersion" .Chart.AppVersion "image" .Values.controllerManager.image "global" .Values.global) }}
+  imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }}
+  args:
+    {{- if hasKey . "kubeConfig" }}
+    - --kubeconfig=/kubeconfigs/{{ .kubeConfig }}
+    {{- end }}
+    - --config=controller-manager-config{{ .suffix }}.yaml
+    {{- if $expandEnv }}
+    - --expand-env
+    {{- end }}
+  env:
+    - name: ENABLE_WEBHOOKS
+      value: {{ .webhooksEnabled | toString | quote }}
+  {{- if gt (len $extraEnv) 0 }}
+  {{-   $extraEnv | toYaml | nindent 4 }}
+  {{- end }}
+  ports:
+    {{- if .webhooksEnabled }}
+    - name: https
+      containerPort: 9443
+      protocol: TCP
+    {{- end }}
+    - containerPort: {{ $healthPort }}
+      name: healthz
+    {{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }}
+    - containerPort: {{ $promPort }}
+      name: prom-cm{{ .suffix }}
+    {{- end }}
+  livenessProbe:
+    httpGet:
+      path: /healthz
+      port: healthz
+  readinessProbe:
+    httpGet:
+      path: /readyz
+      port: healthz
+  resources:
+    {{- toYaml .Values.controllerManager.resources | nindent 4 }}
+  volumeMounts:
+    - name: spire-server-socket
+      mountPath: /tmp/spire-server/private
+      readOnly: true
+    - name: controller-manager-config
+      mountPath: /controller-manager-config{{ .suffix }}.yaml
+      subPath: controller-manager-config{{ .suffix }}.yaml
+      readOnly: true
+    {{- with .kubeConfig }}
+    - name: kubeconfigs
+      mountPath: /kubeconfigs/{{ . }}
+      subPath: {{ . }}
+      readOnly: true
+    {{- end }}
+    - name: spire-controller-manager-tmp
+      mountPath: /tmp
+      subPath: {{ printf "spire-controller-manager%s" .suffix }}
+      readOnly: false
+    {{- if gt (len .Values.extraVolumeMounts) 0 }}
+    {{- toYaml .Values.extraVolumeMounts | nindent 4 }}
+    {{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl
@@ -258,8 +258,12 @@ The code below determines what connection type should be used.
 {{- end -}}
 
 {{- define "spire-server.controller-manager-class-name" -}}
-{{-   if .Values.controllerManager.className }}
-{{-     .Values.controllerManager.className }}
+{{-   if and (hasKey . "settings") (hasKey .settings "className") }}
+{{-       .settings.className }}
+{{-   else if and (hasKey . "defaults") .defaults.className }}
+{{-       .defaults.className }}
+{{-   else if .Values.controllerManager.className }}
+{{-       .Values.controllerManager.className }}
 {{-   else }}
 {{-     .Release.Namespace }}-{{ default .Release.Name .Values.crNameOverride }}
 {{-   end -}}