🐛 fix(VSecM Helm Charts): remove ability to not use SCM (#1064)

This PR removes the useClusterSpiffeIDs and useSpireControllerManager options from the helm charts. SPIRE helm charts use SPIRE Controller Manager, and disabling it is nontrivial. Also, ClusterSPIFFEIDs are the best way to manage SPIFFEIDs in a Kubernetes cluster. — If we find a use case where these options are necessary, or if there is a need from the community, we can modify the code to let SPIRE install without SPIRE Controller Manager and bring those flags back. Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>
vmware-tanzu · Jul 9, 2024 · a4e31f7 · a4e31f7
1 parent 88507d5
commit a4e31f7
Show file tree

Hide file tree

Showing 7 changed files with 7 additions and 27 deletions.
diff --git a/docs/content/timeline/changelog.md b/docs/content/timeline/changelog.md
@@ -15,7 +15,13 @@ weight = 11
 
 ## Recent Updates
 
-TBD
+* Removed `useClusterSpiffeIds` and `useSpireControllerManager` from helm charts
+  options. SPIRE helm charts use SPIRE Controller Manager, and disabling it
+  is nontrivial. Also, ClusterSPIFFEIDs are the best way to manage SPIFFEIDs
+  in a Kubernetes cluster. — If we find a use case where these options are
+  necessary, or if there is a need from the community, we can modify the
+  code to let SPIRE install without SPIRE Controller Manager and bring those
+  flags back.
 
 ## [0.26.1] - 2024-07-07
 

diff --git a/helm-charts/0.26.2/README.md b/helm-charts/0.26.2/README.md
@@ -110,7 +110,6 @@ The sections below are autogenerated from chart source code:
 | global.deployKeystone | bool | `true` | Deploy the Keystone VSecM component. VSecM Keystone is a lightweight Pod that is initialized only after VSecM Sentinel completes it `initCommand` initialization sequence. |
 | global.deploySentinel | bool | `true` | Deploy VSecM Sentinel. VSecM Sentinel is the only admin interface where you can register secrets. For best security, you might want to disable the initial deployment of it. This way, you can deploy VSecM Sentinel off-cycle later when you need it. |
 | global.deploySpire | bool | `true` | Deploy SPIRE components. If set to false, SPIRE components will not be  deployed. This is useful when SPIRE is already deployed in the cluster. |
-| global.deploySpireControllerManager | bool | `true` | Deploy SPIRE Controller Manager. SPIRE Controller Manager is required for ClusterSPIFFEIDs to function. If something else on your system assigns ClusterSPIFFEIDs to your workloads, or if you want to manually manage your SPIRE Server registration entries, you can set this flag to `false`. |
 | global.enableOpenShift | bool | `false` | Set it to true for OpenShift deployments. This will add necessary annotations to the SPIRE components to make them work on OpenShift. |
 | global.images | object | `{"initContainer":{"repository":"vsecm-ist-init-container","tag":"0.26.2"},"keystone":{"distrolessFipsRepository":"vsecm-ist-fips-keystone","distrolessRepository":"vsecm-ist-keystone","pullPolicy":"IfNotPresent","tag":"0.26.2"},"nodeDriverRegistrar":{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"},"openShiftHelperUbi9":{"pullPolicy":"IfNotPresent","repository":"registry.access.redhat.com/ubi9","tag":"latest"},"safe":{"distrolessFipsRepository":"vsecm-ist-fips-safe","distrolessRepository":"vsecm-ist-safe","pullPolicy":"IfNotPresent","tag":"0.26.2"},"sentinel":{"distrolessFipsRepository":"vsecm-ist-fips-sentinel","distrolessRepository":"vsecm-ist-sentinel","pullPolicy":"IfNotPresent","tag":"0.26.2"},"spiffeCsiDriver":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"},"spireAgent":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6"},"spireControllerManager":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"},"spireHelperBash":{"pullPolicy":"IfNotPresent","repository":"cgr.dev/chainguard/bash","tag":"latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d"},"spireHelperKubectl":{"pullPolicy":"IfNotPresent","repository":"docker.io/rancher/kubectl","tag":"v1.28.0"},"spireServer":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6"}}` | Where to find the dependent images of VSecM. Normally, you would not need to modify this. |
 | global.images.nodeDriverRegistrar | object | `{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"}` | Container registry details of SPIFFE CSI Node Driver Registrar. |
@@ -131,7 +130,6 @@ The sections below are autogenerated from chart source code:
 | global.spire.serverNamespace | string | `"spire-server"` | It is best to keep the SPIRE server namespace separate from other SPIRE components for an added layer of security. |
 | global.spire.serverPort | int | `443` | The SPIRE Server port. This is the port where the SPIRE Server will listen for incoming connections. This is the port of the SPIRE server k8s Service. |
 | global.spire.trustDomain | string | `"vsecm.com"` | The trust domain is the root of the SPIFFE ID hierarchy. It is used to identify the trust domain of a workload. If you use anything other than the default `vsecm.com`, you must also update the relevant environment variables that does SPIFFE ID validation.  To prevent accidental collisions (two trust domains select identical names), operators are advised to select trust domain names which are highly likely to be globally unique. Even though a trust domain name is not a DNS name, using a registered domain name as a suffix of a trust domain name, when available, will reduce chances of an accidental collision; for example, if a trust domain operator owns the domain name `example.com`, then using a trust domain name such as `apps.example.com` would likely not produce a collision. When trust domain names are automatically generated without operator input, randomly generating a unique name (such as a UUID) is strongly advised.  All SPIFFE IDs shall be prefixed with `spiffe://<trustDomain>` unless you have an advanced custom setup. |
-| global.useClusterSpiffeIds | bool | `true` | Setting this `false` will skip ClusterSPIFFEID creation for VSecM  components. All ClusterSPIFFEID templates will merely be ignored during helm installation. Keeping this `true`, while `deploySpireControllerManager` is `false` will cause the helm installation to fail. |
 | global.vsecm.keystoneSpiffeIdTemplate | string | `"spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"` |  |
 | global.vsecm.namespace | string | `"vsecm-system"` |  |
 | global.vsecm.safeEndpointUrl | string | `"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/"` |  |

diff --git a/helm-charts/0.26.2/charts/keystone/templates/Identity.yaml b/helm-charts/0.26.2/charts/keystone/templates/Identity.yaml
@@ -8,8 +8,6 @@
 # >/'  SPDX-License-Identifier: BSD-2-Clause
 # */
 
-{{- if .Values.global.useClusterSpiffeIds }}
-
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
 metadata:
@@ -26,5 +24,3 @@ spec:
   workloadSelectorTemplates:
     - "k8s:ns:{{ .Values.global.vsecm.namespace }}"
     - "k8s:sa:{{ include "keystone.serviceAccountName" . }}"
-
-{{- end }}
diff --git a/helm-charts/0.26.2/charts/safe/templates/Identity.yaml b/helm-charts/0.26.2/charts/safe/templates/Identity.yaml
@@ -8,8 +8,6 @@
 # >/'  SPDX-License-Identifier: BSD-2-Clause
 # */
 
-{{- if .Values.global.useClusterSpiffeIds }}
-
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
 metadata:
@@ -26,5 +24,3 @@ spec:
   workloadSelectorTemplates:
     - "k8s:ns:{{ .Values.global.vsecm.namespace }}"
     - "k8s:sa:{{ include "safe.serviceAccountName" . }}"
-
-  {{- end }}
diff --git a/helm-charts/0.26.2/charts/sentinel/templates/Identity.yaml b/helm-charts/0.26.2/charts/sentinel/templates/Identity.yaml
@@ -8,8 +8,6 @@
 # >/'  SPDX-License-Identifier: BSD-2-Clause
 # */
 
-{{- if .Values.global.useClusterSpiffeIds }}
-
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
 metadata:
@@ -26,5 +24,3 @@ spec:
   workloadSelectorTemplates:
     - "k8s:ns:{{ .Values.global.vsecm.namespace }}"
     - "k8s:sa:{{ include "sentinel.serviceAccountName" . }}"
-
-{{- end }}
diff --git a/helm-charts/0.26.2/values-custom.yaml b/helm-charts/0.26.2/values-custom.yaml
@@ -38,8 +38,6 @@
 
 global:
   deploySpire: true
-  deploySpireControllerManager: true
-  useClusterSpiffeIds: true
   deployKeystone: true
   deploySentinel: true
   baseImage: distroless

diff --git a/helm-charts/0.26.2/values.yaml b/helm-charts/0.26.2/values.yaml
@@ -16,16 +16,6 @@ global:
   # -- Deploy SPIRE components. If set to false, SPIRE components will not be 
   # deployed. This is useful when SPIRE is already deployed in the cluster.
   deploySpire: true
-  # -- Deploy SPIRE Controller Manager. SPIRE Controller Manager is required
-  # for ClusterSPIFFEIDs to function. If something else on your system assigns
-  # ClusterSPIFFEIDs to your workloads, or if you want to manually manage your
-  # SPIRE Server registration entries, you can set this flag to `false`.
-  deploySpireControllerManager: true
-  # -- Setting this `false` will skip ClusterSPIFFEID creation for VSecM 
-  # components. All ClusterSPIFFEID templates will merely be ignored during
-  # helm installation. Keeping this `true`, while `deploySpireControllerManager`
-  # is `false` will cause the helm installation to fail.
-  useClusterSpiffeIds: true
 
   # -- Deploy the Keystone VSecM component. VSecM Keystone is a lightweight
   # Pod that is initialized only after VSecM Sentinel completes it