Added ClusterStaticEntry support (#174)

Signed-off-by: Andrew Harding <[email protected]>
spiffe · Jul 7, 2023 · 9ae90ef · 9ae90ef
1 parent 5925ab8
commit 9ae90ef
Show file tree

Hide file tree

Showing 37 changed files with 1,079 additions and 139 deletions.
diff --git a/.kubebuilder-hist b/.kubebuilder-hist
@@ -4,3 +4,4 @@ v3.2.0: .scripts/kubebuilder create api --resource --controller --group spire --
 v3.2.0: .scripts/kubebuilder create api --group spire --version v1alpha1 --kind ControllerManagerConfig --resource --controller=false --make=false
 v3.2.0: .scripts/kubebuilder create webhook --programmatic-validation --kind ClusterFederatedTrustDomain --version v1alpha1 --group spire
 v3.2.0: .scripts/kubebuilder create webhook --programmatic-validation --kind ClusterSPIFFEID --version v1alpha1 --group spire
+v3.3.0: .scripts/kubebuilder create api --resource --controller --group spire --version v1alpha1 --namespaced=false --kind ClusterStaticEntry
diff --git a/PROJECT b/PROJECT
@@ -34,4 +34,12 @@ resources:
   kind: ControllerManagerConfig
   path: github.com/spiffe/spire-controller-manager/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+  controller: true
+  domain: spiffe.io
+  group: spire
+  kind: ClusterStaticEntry
+  path: github.com/spiffe/spire-controller-manager/api/v1alpha1
+  version: v1alpha1
 version: "3"
diff --git a/README.md b/README.md
@@ -24,6 +24,14 @@ The [ClusterFederatedTrustDomain](docs/clusterfederatedtrustdomain-crd.md)
 resource is a cluster scoped CRD that describes a federation relationship for
 the cluster.
 
+### ClusterStaticEntry
+
+The [ClusterStaticEntry](docs/clusterstaticentry-crd.md) resource is a cluster
+scoped CRD that describes a static SPIRE registration entry. It is typically
+used for registering workloads that do not run in the Kubernetes cluster but
+otherwise need to be part of the trust domain (e.g. downstream nested SPIRE
+servers).
+
 ### Reconciliation
 
 #### Workload Registration
@@ -33,12 +41,14 @@ controllers against the following resources:
 
 - [Pods](https://kubernetes.io/docs/concepts/workloads/pods/)
 - [ClusterSPIFFEID](docs/clusterspiffeid-crd.md)
+- [ClusterStaticEntry](docs/clusterstaticentry-crd.md)
 
 When changes are detected on these resources, a workload reconciliation process
 is triggered. This process determines which SPIRE entries should exist based on
-the existing Pods and ClusterSPIFFEID resources which apply to those pods. It
-creates, updates, and deletes entries on SPIRE server as appropriate to match
-the declared state.
+the existing Pods and ClusterSPIFFEID resources which apply to those pods, as
+well as static entries declared via ClusterStaticEntry resources. The
+reconciliation process creates, updates, and deletes entries on SPIRE server as
+appropriate to match the declared state.
 
 #### Federation
 
@@ -64,6 +74,27 @@ The [demo](demo) includes [sample configuration](demo/config/cluster1) for
 deploying the SPIRE Controller Manager, SPIRE, and the SPIFFE CSI driver,
 including requisite RBAC and Webhook configuration.
 
+## Compatibility
+
+The SPIRE APIs used by the SPIRE Controller Manager are generally stable and
+supported since at least SPIRE v1.0. However, the API has gained support for
+additional entry fields beyond what was supported in SPIRE v1.0. Notably, these
+include both the `jwt_svid_ttl` and the `hint` fields. The ClusterStaticEntry
+CRD allows these fields to be set, however, a SPIRE server that does not
+support these fields will not retain them. This means if these fields are set
+on a ClusterStaticEntry with an older version of SPIRE, the SPIRE Controller
+Manager will continously try to reconcile SPIRE server. In order to use these
+fields, you must be on a version of SPIRE Server which supports them.
+
+At the moment, SPIRE Controller Manager will silently try and reconcile these
+fields over and over. Future updates may cause the SPIRE Controller Manager
+to fail when an unsupporting SPIRE Server is encounted while these fields
+are set.
+
+The `hint` field is supported as of SPIRE 1.6.3.
+
+The `jwt_svid_ttl` field is supported as of SPIRE 1.5.0.
+
 ## Demo
 
 [Link](demo)

diff --git a/api/v1alpha1/clusterstaticentry_types.go b/api/v1alpha1/clusterstaticentry_types.go
@@ -0,0 +1,76 @@
+/*
+Copyright 2023 SPIRE Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry
+type ClusterStaticEntrySpec struct {
+	SPIFFEID      string          `json:"spiffeID"`
+	ParentID      string          `json:"parentID"`
+	Selectors     []string        `json:"selectors"`
+	FederatesWith []string        `json:"federatesWith,omitempty"`
+	X509SVIDTTL   metav1.Duration `json:"x509SVIDTTL,omitempty"`
+	JWTSVIDTTL    metav1.Duration `json:"jwtSVIDTTL,omitempty"`
+	DNSNames      []string        `json:"dnsNames,omitempty"`
+	Hint          string          `json:"hint,omitempty"`
+	Admin         bool            `json:"admin,omitempty"`
+	Downstream    bool            `json:"downstream,omitempty"`
+}
+
+// ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry
+type ClusterStaticEntryStatus struct {
+	// If the static entry rendered properly.
+	Rendered bool `json:"rendered"`
+
+	// If the static entry was masked by another entry.
+	Masked bool `json:"masked"`
+
+	// If the static entry was successfully created/updated.
+	Set bool `json:"set"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:scope=Cluster
+
+// ClusterStaticEntry is the Schema for the clusterstaticentries API
+type ClusterStaticEntry struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ClusterStaticEntrySpec   `json:"spec,omitempty"`
+	Status ClusterStaticEntryStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// ClusterStaticEntryList contains a list of ClusterStaticEntry
+type ClusterStaticEntryList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterStaticEntry `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ClusterStaticEntry{}, &ClusterStaticEntryList{})
+}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/spire.spiffe.io_clusterstaticentries.yaml b/config/crd/bases/spire.spiffe.io_clusterstaticentries.yaml
@@ -0,0 +1,91 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.1
+  creationTimestamp: null
+  name: clusterstaticentries.spire.spiffe.io
+spec:
+  group: spire.spiffe.io
+  names:
+    kind: ClusterStaticEntry
+    listKind: ClusterStaticEntryList
+    plural: clusterstaticentries
+    singular: clusterstaticentry
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ClusterStaticEntry is the Schema for the clusterstaticentries
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry
+            properties:
+              admin:
+                type: boolean
+              dnsNames:
+                items:
+                  type: string
+                type: array
+              downstream:
+                type: boolean
+              federatesWith:
+                items:
+                  type: string
+                type: array
+              hint:
+                type: string
+              jwtSVIDTTL:
+                type: string
+              parentID:
+                type: string
+              selectors:
+                items:
+                  type: string
+                type: array
+              spiffeID:
+                type: string
+              x509SVIDTTL:
+                type: string
+            required:
+            - parentID
+            - selectors
+            - spiffeID
+            type: object
+          status:
+            description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry
+            properties:
+              masked:
+                description: If the static entry was masked by another entry.
+                type: boolean
+              rendered:
+                description: If the static entry rendered properly.
+                type: boolean
+              set:
+                description: If the static entry was successfully created/updated.
+                type: boolean
+            required:
+            - masked
+            - rendered
+            - set
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
 - bases/spire.spiffe.io_clusterspiffeids.yaml
 - bases/spire.spiffe.io_clusterfederatedtrustdomains.yaml
 - bases/spire.spiffe.io_controllermanagerconfigs.yaml
+- bases/spire.spiffe.io_clusterstaticentries.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
@@ -13,13 +14,15 @@ patchesStrategicMerge:
 #- patches/webhook_in_clusterspiffeids.yaml
 #- patches/webhook_in_clusterfederatedtrustdomains.yaml
 #- patches/webhook_in_controllermanagerconfigs.yaml
+#- patches/webhook_in_clusterstaticentries.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
 #- patches/cainjection_in_clusterspiffeids.yaml
 #- patches/cainjection_in_clusterfederatedtrustdomains.yaml
 #- patches/cainjection_in_controllermanagerconfigs.yaml
+#- patches/cainjection_in_clusterstaticentries.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.