Entry ID Prefix (#287)

* Add Entry ID Prefix support Signed-off-by: Kevin Fox <[email protected]> * Mulitcluster test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Implement cleanup setting too Signed-off-by: Kevin Fox <[email protected]> * Fix test Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> * Bump up test container Signed-off-by: Kevin Fox <[email protected]> * Swith to testing with nightly Signed-off-by: Kevin Fox <[email protected]> * Fix value name Signed-off-by: Kevin Fox <[email protected]> * Fix docs Signed-off-by: Kevin Fox <[email protected]> --------- Signed-off-by: Kevin Fox <[email protected]> Signed-off-by: kfox1111 <[email protected]>
spiffe · Apr 10, 2024 · a852864 · a852864
1 parent 6cd706a
commit a852864
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 23 deletions.
diff --git a/charts/spire/README.md b/charts/spire/README.md
@@ -251,12 +251,13 @@ Now you can interact with the Spire agent socket from your own application. The
 
 ### Spire server parameters
 
-| Name                                     | Description                                                               | Value         |
-| ---------------------------------------- | ------------------------------------------------------------------------- | ------------- |
-| `spire-server.enabled`                   | Flag to enable Spire server                                               | `true`        |
-| `spire-server.nameOverride`              | Overrides the name of Spire server pods                                   | `server`      |
-| `spire-server.kind`                      | Run spire server as deployment/statefulset. This feature is experimental. | `statefulset` |
-| `spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's                             | `true`        |
+| Name                                              | Description                                                               | Value         |
+| ------------------------------------------------- | ------------------------------------------------------------------------- | ------------- |
+| `spire-server.enabled`                            | Flag to enable Spire server                                               | `true`        |
+| `spire-server.nameOverride`                       | Overrides the name of Spire server pods                                   | `server`      |
+| `spire-server.kind`                               | Run spire server as deployment/statefulset. This feature is experimental. | `statefulset` |
+| `spire-server.controllerManager.enabled`          | Enable controller manager and provision CRD's                             | `true`        |
+| `spire-server.externalControllerManagers.enabled` | Enable external controller manager support                                | `true`        |
 
 ### Spire agent parameters
 

diff --git a/tests/integration/psat/kind-config.yaml → ...s/integration/psat/child-kind-config.yaml b/tests/integration/psat/kind-config.yaml → ...s/integration/psat/child-kind-config.yaml
@@ -4,4 +4,4 @@ networking:
   apiServerAddress: "172.17.0.1"
   apiServerPort: 7443
   podSubnet: "10.245.0.0/16"
-  serviceSubnet: "10.97.0.0/12"
+  serviceSubnet: "10.97.0.0/16"
diff --git a/tests/integration/psat/other-kind-config.yaml b/tests/integration/psat/other-kind-config.yaml
@@ -0,0 +1,7 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+networking:
+  apiServerAddress: "172.17.0.1"
+  apiServerPort: 5443
+  podSubnet: "10.246.0.0/16"
+  serviceSubnet: "10.98.0.0/16"
diff --git a/tests/integration/psat/run-tests.sh b/tests/integration/psat/run-tests.sh
@@ -50,26 +50,40 @@ trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT
 #  --values "${DEPS}/spire-root-server-values.yaml" \
 #  --wait
 
-kind create cluster --name other --kubeconfig "${SCRIPTPATH}/kubeconfig" --config "${SCRIPTPATH}/kind-config.yaml"
-md5sum "${SCRIPTPATH}/kubeconfig"
-wc -l "${SCRIPTPATH}/kubeconfig"
-KCB64="$(base64 < "${SCRIPTPATH}/kubeconfig" | tr '\n' ' ' | sed 's/ //g')"
-
-helm upgrade --kubeconfig "${SCRIPTPATH}/kubeconfig" --install --create-namespace --namespace spire-mgmt spire-crds charts/spire-crds
-kubectl --kubeconfig "${SCRIPTPATH}/kubeconfig" apply -f "${SCRIPTPATH}/sodp-clusterspiffeid.yaml"
-helm upgrade --kubeconfig "${SCRIPTPATH}/kubeconfig" --install --namespace spire-mgmt --values "${SCRIPTPATH}/child-values.yaml" \
+kind create cluster --name child --kubeconfig "${SCRIPTPATH}/kubeconfig-child" --config "${SCRIPTPATH}/child-kind-config.yaml"
+md5sum "${SCRIPTPATH}/kubeconfig-child"
+wc -l "${SCRIPTPATH}/kubeconfig-child"
+CHILD_KCB64="$(base64 < "${SCRIPTPATH}/kubeconfig-child" | tr '\n' ' ' | sed 's/ //g')"
+
+helm upgrade --kubeconfig "${SCRIPTPATH}/kubeconfig-child" --install --create-namespace --namespace spire-mgmt spire-crds charts/spire-crds
+kubectl --kubeconfig "${SCRIPTPATH}/kubeconfig-child" apply -f "${SCRIPTPATH}/sodp-clusterspiffeid.yaml"
+helm upgrade --kubeconfig "${SCRIPTPATH}/kubeconfig-child" --install --namespace spire-mgmt --values "${SCRIPTPATH}/child-values.yaml" \
   spire charts/spire
-kubectl --kubeconfig "${SCRIPTPATH}/kubeconfig" create configmap -n spire-system spire-bundle-upstream
+kubectl --kubeconfig "${SCRIPTPATH}/kubeconfig-child" create configmap -n spire-system spire-bundle-upstream
+
+kind create cluster --name other --kubeconfig "${SCRIPTPATH}/kubeconfig-other" --config "${SCRIPTPATH}/other-kind-config.yaml"
+md5sum "${SCRIPTPATH}/kubeconfig-other"
+wc -l "${SCRIPTPATH}/kubeconfig-other"
+OTHER_KCB64="$(base64 < "${SCRIPTPATH}/kubeconfig-other" | tr '\n' ' ' | sed 's/ //g')"
+
+helm upgrade --kubeconfig "${SCRIPTPATH}/kubeconfig-other" --install --create-namespace --namespace spire-mgmt spire-crds charts/spire-crds
+kubectl --kubeconfig "${SCRIPTPATH}/kubeconfig-other" apply -f "${SCRIPTPATH}/sodp-clusterspiffeid.yaml"
+helm upgrade --kubeconfig "${SCRIPTPATH}/kubeconfig-other" --install --namespace spire-mgmt --values "${SCRIPTPATH}/child-values.yaml" \
+  spire charts/spire
+kubectl --kubeconfig "${SCRIPTPATH}/kubeconfig-other" create configmap -n spire-system spire-bundle-upstream
 
 helm upgrade --install --create-namespace --namespace spire-mgmt --values "${SCRIPTPATH}/values.yaml" \
-  --wait spire charts/spire --set "spire-server.kubeConfigs.other.kubeConfigBase64=$KCB64"
+  --wait spire charts/spire \
+  --set "spire-server.kubeConfigs.child.kubeConfigBase64=${CHILD_KCB64}" \
+  --set "spire-server.kubeConfigs.other.kubeConfigBase64=${OTHER_KCB64}"
 helm test --namespace spire-mgmt spire
-kubectl --kubeconfig "${SCRIPTPATH}/kubeconfig" get configmap -n spire-system spire-bundle-upstream
+kubectl --kubeconfig "${SCRIPTPATH}/kubeconfig-child" get configmap -n spire-system spire-bundle-upstream
+kubectl --kubeconfig "${SCRIPTPATH}/kubeconfig-other" get configmap -n spire-system spire-bundle-upstream
 
 ENTRIES="$(kubectl exec -i -n spire-server spire-server-0 -- spire-server entry show)"
 
-if [[ "$ENTRIES" == "Found 0 entries" ]]; then
-	echo "$ENTRIES"
+if [[ "${ENTRIES}" == "Found 0 entries" ]]; then
+	echo "${ENTRIES}"
 	exit 1
 fi
 
diff --git a/tests/integration/psat/values.yaml b/tests/integration/psat/values.yaml
@@ -15,9 +15,16 @@ spire-server:
   controllerManager:
     reconcile:
       clusterSPIFFEIDs: false
-      clusterStaticEntries: false
-  externalControllerManagers:
-    enabled: true
+      clusterStaticEntries: true
+      clusterFederatedTrustDomains: true
+    identities:
+      clusterSPIFFEIDs:
+        default:
+          enabled: false
+        oidc-discovery-provider:
+          enabled: false
+        test-keys:
+          enabled: false
 
 spiffe-oidc-discovery-provider:
   enabled: false