From 19854c49acb35187282faed959edadf929438a2f Mon Sep 17 00:00:00 2001 From: unufree Date: Mon, 18 Sep 2023 21:40:47 +0300 Subject: [PATCH 1/5] Fix spire-server configmap UpstreamAuthority/aws_pca and KeyManager/aws_kms Signed-off-by: unufree --- .../spire-server/templates/configmap.yaml | 60 +++++++++---------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index 33c70c554..1fea3197a 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -89,19 +89,19 @@ plugins: {{- if eq (.enabled | toString) "true" }} {{- $keyManagerUsed = add1 $keyManagerUsed }} KeyManager: - - aws_kms: - plugin_data: - region: {{ .region | quote }} - key_metadata_file: "/run/spire/data/aws-kms-key-metadata" - {{- if ne .accessKeyID "" }} - access_key_id: "${AWS_KMS_ACCESS_KEY_ID}" - {{- end }} - {{- if ne .secretAccessKey "" }} - secret_access_key: "${AWS_KMS_SECRET_ACCESS_KEY}" - {{- end }} - {{- if or (ne .keyPolicy.policy "") (ne .keyPolicy.existingConfigMap "") }} - key_policy_file: "/run/spire/data/aws-kms-key-policy.json" - {{- end }} + aws_kms: + plugin_data: + region: {{ .region | quote }} + key_metadata_file: "/run/spire/data/aws-kms-key-metadata" + {{- if ne .accessKeyID "" }} + access_key_id: "${AWS_KMS_ACCESS_KEY_ID}" + {{- end }} + {{- if ne .secretAccessKey "" }} + secret_access_key: "${AWS_KMS_SECRET_ACCESS_KEY}" + {{- end }} + {{- if or (ne .keyPolicy.policy "") (ne .keyPolicy.existingConfigMap "") }} + key_policy_file: "/run/spire/data/aws-kms-key-policy.json" + {{- end }} {{- end }} {{- end }} 
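Review bot: The structural fix — the list item `- aws_kms:` becoming the plain map key `aws_kms:` under `KeyManager:` — lands without any comment, so nothing in the template tells the next editor why a list entry here is wrong; the `aws_pca` block under `UpstreamAuthority:` in the second hunk has the same gap. A trimmed template comment above `KeyManager:` such as `{{- /* Plugin blocks are keyed by plugin name; a list item here renders an array, which this fix removes */ -}}` (and the equivalent above `UpstreamAuthority:`) would record the intent without changing the rendered output. The diff lines of this hunk are collapsed in this view, so the exact indentation of the new lines relative to `plugin_data:` cannot be verified here and is worth a quick render check.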
@@ -193,23 +193,23 @@ plugins:
 {{- if eq (.enabled | toString) "true" }}
 {{- $upstreamAuthorityUsed = add1 $upstreamAuthorityUsed }}
 UpstreamAuthority:
- - aws_pca:
- plugin_data:
- region: {{ .region | quote }}
- certificate_authority_arn: {{ .certificateAuthorityARN | quote }}
- ca_signing_template_arn: {{ .caSigningTemplateARN | default "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1" | quote }}
- {{- if ne .signingAlgorithm "" }}
- signing_algorithm: {{ .signingAlgorithm | quote }}
- {{- end }}
- {{- if ne .assumeRoleARN "" }}
- assume_role_arn: {{ .assumeRoleARN | quote }}
- {{- end }}
- {{- if ne .endpoint "" }}
- endpoint: {{ .endpoint | quote }}
- {{- end }}
- {{- if ne .supplementalBundlePath "" }}
- supplemental_bundle_path: {{ .supplementalBundlePath | quote }}
- {{- end }}
+ aws_pca:
+ plugin_data:
+ region: {{ .region | quote }}
+ certificate_authority_arn: {{ .certificateAuthorityARN | quote }}
+ ca_signing_template_arn: {{ .caSigningTemplateARN | default "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1" | quote }}
+ {{- if ne .signingAlgorithm "" }}
+ signing_algorithm: {{ .signingAlgorithm | quote }}
+ {{- end }}
+ {{- if ne .assumeRoleARN "" }}
+ assume_role_arn: {{ .assumeRoleARN | quote }}
+ {{- end }}
+ {{- if ne .endpoint "" }}
+ endpoint: {{ .endpoint | quote }}
+ {{- end }}
+ {{- if ne .supplementalBundlePath "" }}
+ supplemental_bundle_path: {{ .supplementalBundlePath | quote }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- if gt $upstreamAuthorityUsed 1 }}
From 2b40037262852577178d648766908522b1f81a12 Mon Sep 17 00:00:00 2001
From: unufree
Date: Tue, 19 Sep 2023 22:41:16 +0300
Subject: [PATCH 2/5] Add unit test
Signed-off-by: unufree
---
 tests/unit/spire_test.go | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/tests/unit/spire_test.go b/tests/unit/spire_test.go
index d22c0b8f4..e5e593615 100644
--- a/tests/unit/spire_test.go
+++ b/tests/unit/spire_test.go
@@ -71,4 +71,38 @@ spire-server:
 Expect(notes).Should(ContainSubstring("join_token"))
 })
 })
-})
+ Describe("spire-server.keyManager.aws_kms", func() {
+ It("plugin set ok", func() {
+ objs, err := ValueStringRender(chart, `
+spire-server:
+ keyManager:
+ awsKMS:
+ enabled: true
+ region: us-west-2
+ plugin_data: {}
+ disk:
+ enabled: false
+`)
+ Expect(err).Should(Succeed())
+ notes := objs["spire/charts/spire-server/templates/configmap.yaml"]
+ Expect(notes).Should(ContainSubstring("\"aws_kms\": {"))
+ })
+
+ })
+ Describe("spire-server.UpstreamAuthority.aws_pca", func() {
+ It("plugin set ok", func() {
+ objs, err := ValueStringRender(chart, `
+spire-server:
+ upstreamAuthority:
+ awsPCA:
+ enabled: true
+ region: us-west-2
+ plugin_data: {}
+`)
+ Expect(err).Should(Succeed())
+ notes := objs["spire/charts/spire-server/templates/configmap.yaml"]
+ Expect(notes).Should(ContainSubstring("\"aws_pca\": {"))
+ })
+
+ })
+})
\ No newline at end of file
From d6c9679e20b6d7dc1f3e84c71f44e5bf2aaf6adb Mon Sep 17 00:00:00 2001
From: unufr33 <129618334+unufr33@users.noreply.github.com>
Date: Tue, 19 Sep 2023 22:50:18 +0300
Subject: [PATCH 3/5] Update tests/unit/spire_test.go
Co-authored-by: Faisal Memon
Signed-off-by: unufr33 <129618334+unufr33@users.noreply.github.com>
---
 tests/unit/spire_test.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/unit/spire_test.go b/tests/unit/spire_test.go
index e5e593615..dcda7a863 100644
--- a/tests/unit/spire_test.go
+++ b/tests/unit/spire_test.go
@@ -103,6 +103,5 @@ spire-server:
 notes := objs["spire/charts/spire-server/templates/configmap.yaml"]
 Expect(notes).Should(ContainSubstring("\"aws_pca\": {"))
 })
-
 })
 })
\ No newline at end of file
From e0faaee17092c1966ede60a256ed8eeae0271ca5 Mon Sep 17 00:00:00 2001
From: unufr33 <129618334+unufr33@users.noreply.github.com>
Date: Tue, 19 Sep 2023 22:50:32 +0300
Subject: [PATCH 4/5] Update tests/unit/spire_test.go
Co-authored-by: Faisal Memon
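Review bot: `Expect(notes).Should(ContainSubstring("\"aws_kms\": {"))` does not regression-guard the fix in the first patch: the pre-fix list form (`- aws_kms:`) would render as an array whose single element still contains `"aws_kms": {`, so this assertion passes on both the broken and the fixed template, and the `aws_pca` case below has the same gap. Assuming the configmap renders the plugin section as JSON, which the quoted `"aws_kms": {` expectation suggests, a negative assertion on the enclosing key pins the shape: `Expect(notes).ShouldNot(ContainSubstring("\"KeyManager\": ["))` here and `Expect(notes).ShouldNot(ContainSubstring("\"UpstreamAuthority\": ["))` in the second case; unmarshalling the rendered config and asserting the value's type would be more robust still. The `region`-only values also leave every conditional block in the template (`access_key_id`, `secret_access_key`, `key_policy_file`, `assume_role_arn`, `endpoint`, …) unexercised, so a second case with those set would cover the credential and policy plumbing. The enclosing top-level `Describe` opens outside this hunk.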
Signed-off-by: unufr33 <129618334+unufr33@users.noreply.github.com>
---
 tests/unit/spire_test.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/unit/spire_test.go b/tests/unit/spire_test.go
index dcda7a863..791d0a9ce 100644
--- a/tests/unit/spire_test.go
+++ b/tests/unit/spire_test.go
@@ -87,7 +87,6 @@ spire-server:
 notes := objs["spire/charts/spire-server/templates/configmap.yaml"]
 Expect(notes).Should(ContainSubstring("\"aws_kms\": {"))
 })
-
 })
 Describe("spire-server.UpstreamAuthority.aws_pca", func() {
 It("plugin set ok", func() {
From 929b207d959fa9c7986cb3f401a09f38ebec0377 Mon Sep 17 00:00:00 2001
From: unufree
Date: Tue, 19 Sep 2023 23:01:08 +0300
Subject: [PATCH 5/5] Execute gofmt
Signed-off-by: unufree
---
 tests/unit/spire_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/unit/spire_test.go b/tests/unit/spire_test.go
index 791d0a9ce..4db554cef 100644
--- a/tests/unit/spire_test.go
+++ b/tests/unit/spire_test.go
@@ -16,7 +16,7 @@ func ValueStringRender(chart *helmchart.Chart, values string) (map[string]string
 return nil, err
 }
 ro := helmutil.ReleaseOptions{Name: "spire", Namespace: "spire-server", Revision: 1, IsUpgrade: false, IsInstall: true}
- v, err = helmutil.ToRenderValues(chart, v, ro, helmutil.DefaultCapabilities);
+ v, err = helmutil.ToRenderValues(chart, v, ro, helmutil.DefaultCapabilities)
 if err != nil {
 return nil, err
 }
@@ -86,7 +86,7 @@ spire-server:
 Expect(err).Should(Succeed())
 notes := objs["spire/charts/spire-server/templates/configmap.yaml"]
 Expect(notes).Should(ContainSubstring("\"aws_kms\": {"))
- })
+ })
 })
 Describe("spire-server.UpstreamAuthority.aws_pca", func() {
 It("plugin set ok", func() {
@@ -101,6 +101,6 @@ spire-server:
 Expect(err).Should(Succeed())
 notes := objs["spire/charts/spire-server/templates/configmap.yaml"]
 Expect(notes).Should(ContainSubstring("\"aws_pca\": {"))
- })
+ })
 })
-})
\ No newline at end of file
+})