spire-oidc does not start if federatesWith contains a down federated endpoint

[drewwells]

Spire oidc logs

Example spiffeid

apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  name: spire-system-federates
spec:
  federatesWith:
  - non-existent.example.com
  spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{
    .PodSpec.ServiceAccountName }}

Repo Steps:

• Configure clusterspiffeids.spire.spiffe.io with a federatesWith to a down spire federation endpoint
• Attempt to start oidc
• See the above logs and oidc container terminates

Results

Defaulted container "spiffe-oidc-discovery-provider" out of: spiffe-oidc-discovery-provider, nginx
time="2023-08-17T19:03:49Z" level=info msg="Serving HTTP" address=/run/spire/oidc-sockets/spire-oidc-server.sock network=unix
time="2023-08-17T19:03:49Z" level=debug msg="Polling started" interval=10s
time="2023-08-17T19:03:51Z" level=warning msg="Failed to fetch JWKS from the Workload API" error="rpc error: code = PermissionDenied desc = no identity issued"
time="2023-08-17T19:04:01Z" level=warning msg="Failed to fetch JWKS from the Workload API" error="rpc error: code = PermissionDenied desc = no identity issued"

Expected

oidc gives some error that federated endpoint is down, or starts despite missing one federatesWith endpoint.

ref spiffe/helm-charts#454

[drewwells]

Controller Manager should update status of the federation or spiffe id CR with the status of federated workloads. This will help enlighten the user that the warnings in spire are due to federated endpoint failing