feat(helm): make chart names, SPIFFE identity, and authz overridable#1881
Open
ianderson-nvidia wants to merge 1 commit into
Force-pushed from 30ceb00 to bb6a929.
Every `nico-` string the charts emit is now an overridable value that defaults to nico, so the umbrella chart ships pure nico yet can be flipped to the legacy carbide/forge world. This is needed because the carbide/forge -> nico rename (NVIDIA#1532) moved the API's SPIFFE validation to nico while machine-cert issuance is still on forge, so a deployment may need to present a carbide/forge identity until that migration completes.

Resource naming:

- `nameOverride` (per subchart, default = chart name `nico-<svc>`) now drives every emitted resource name, label, selector, serviceAccountName, ConfigMap/Certificate name. Chart directories, `Chart.yaml` names, and the `nico-<svc>.X` helper identifiers stay nico.

Certificate identity:

- The `certificateSpec` helper takes a `svcName` arg (the name helper) and `certificate.serviceName` defaults to it, so `nameOverride` alone also flips commonName/dnsNames/SPIFFE-URI; this is backwards compatible since the default still renders nico. Adds `certificate.spiffeServiceName` and `certificate.identityNamespace` to decouple the SPIFFE `/sa/` name and namespace from the k8s service.

Cross-references and authz:

- Clients reach the API via `apiServiceName` (default `nico-api`) in nico-dns/pxe/dhcp/ssh-console-rs.
- The API and bmc-proxy auth config files are rendered with `tpl` rather than shipped verbatim, so `spiffe_trust_domain` tracks `global.spiffe.trustDomain`, the SPIFFE base-path namespace comes from `auth.namespace`, the casbin principals from `auth.principals.*`, and the bmc-proxy principal from `auth.apiPrincipal`. Whole-file replacement via `configFiles.*` is unchanged (that branch is not `tpl`-rendered).

Binary-read names (env vars, the Kea `nico-api-url` param, config keys, the `/opt/nico` and `/etc/nico` runtime paths, and the dual `*-config.toml` ConfigMap data keys) are deliberately left intact so the chart keeps working with either the nico or carbide image variant.

Adds helm-unittest coverage asserting both the nico default render and the carbide/forge override for naming, certificate SANs, the `apiServiceName` cross-refs, and the authz config.
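An illustrative sketch of the name and SPIFFE-identity precedence a `certificateSpec` helper of the shape described above would implement, added here as an example and not taken from the PR's own `_helpers.tpl`. The helper name `nico-api.certificateSpec`, the `ctx`/`svcName` dict calling convention, the `<svc>-tls` secret name and the `/ns/<namespace>/sa/<name>` SPIFFE path layout are assumptions:

```yaml
{{/*
Assumed helper (illustrative, not the chart's real code).
Called with a dict holding "ctx" (the chart context, i.e. the dot)
and "svcName" (the output of the chart's name helper, which already
reflects nameOverride).

Identity precedence, each falling back to the previous level:
  serviceName        = certificate.serviceName        | svcName
  spiffeServiceName  = certificate.spiffeServiceName  | serviceName
  identityNamespace  = certificate.identityNamespace  | .Release.Namespace
  trust domain       = global.spiffe.trustDomain      (required)
So nameOverride alone moves commonName, dnsNames and the SPIFFE URI
together; spiffeServiceName / identityNamespace move only the URI.
*/}}
{{- define "nico-api.certificateSpec" -}}
{{- $ctx := .ctx -}}
{{- $svc := .svcName -}}
{{- $cert := $ctx.Values.certificate | default dict -}}
{{- $serviceName := $cert.serviceName | default $svc -}}
{{- $spiffeName := $cert.spiffeServiceName | default $serviceName -}}
{{- $identityNs := $cert.identityNamespace | default $ctx.Release.Namespace -}}
{{- $trustDomain := required "global.spiffe.trustDomain must be set" $ctx.Values.global.spiffe.trustDomain -}}
secretName: {{ $svc }}-tls
commonName: {{ $serviceName }}.{{ $ctx.Release.Namespace }}.svc
dnsNames:
  - {{ $serviceName }}
  - {{ $serviceName }}.{{ $ctx.Release.Namespace }}.svc
  - {{ $serviceName }}.{{ $ctx.Release.Namespace }}.svc.cluster.local
uris:
  # The SPIFFE ID the API's validation (now on nico) and the forge-side
  # issuer must agree on; namespace and service-account segments are
  # decoupled from the k8s Service name above.
  - spiffe://{{ $trustDomain }}/ns/{{ $identityNs }}/sa/{{ $spiffeName }}
{{- end -}}
```

Rendering this with `helm template` once with defaults and once with `nameOverride`, `certificate.spiffeServiceName` and `certificate.identityNamespace` set is the check the PR's helm-unittest cases perform: the DNS SANs should follow the first, and only the `uris` entry should follow the latter two.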
Force-pushed from bb6a929 to 94d421f.