domains can not include URIs fixes #424

    use a real URI for the production example as a test case for this

Signed-off-by: Drew Wells <dwells@infoblox.com>

charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml

@@ -8,7 +8,8 @@ domains:
   - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}"
   - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}"
   - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}"
-  {{- $jwtIssuer := include "spire-lib.jwt-issuer" . }}
+  {{- $uri := urlParse (include "spire-lib.jwt-issuer" .) }}
+  {{- $jwtIssuer := (default $uri.path $uri.host) }}
   {{- uniq (concat (list $jwtIssuer) .Values.config.additionalDomains) | toYaml | nindent 2 }}
 
 {{- if .Values.insecureScheme.enabled }}

charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml

@@ -107,7 +107,7 @@ insecureScheme:
       #   cpu: 100m
       #   memory: 64Mi
 
-jwtIssuer: oidc-discovery.example.org
+jwtIssuer: https://oidc-discovery.example.org
 
 config:
   # -- The log level, valid values are "debug", "info", "warn", and "error"

charts/spire/charts/spire-server/values.yaml

@@ -132,7 +132,7 @@ dataStore:
 # -- The log level, valid values are "debug", "info", "warn", and "error"
 logLevel: info
 # -- The JWT issuer domain
-jwtIssuer: oidc-discovery.example.org
+jwtIssuer: https://oidc-discovery.example.org
 
 # -- Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`)
 clusterName: example-cluster
@@ -196,13 +196,13 @@ upstreamAuthority:
     certificateAuthorityARN: ""
     # -- (Optional) ARN of an IAM role to assume
     assumeRoleARN: ""
-    # -- (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. 
+    # -- (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only.
     # -- See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values.
     caSigningTemplateARN: ""
-    # -- (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. 
+    # -- (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default.
     # -- See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values.
     signingAlgorithm: ""
-    # -- (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. 
+    # -- (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint.
     # -- See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information.
     endpoint: ""
     # -- (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle.

charts/spire/values.yaml

@@ -9,7 +9,7 @@ global:
     # -- The trust domain to be used for the SPIFFE identifiers
     trustDomain: example.org
     # -- Set the jwt issuer
-    jwtIssuer: oidc-discovery.example.org
+    jwtIssuer: https://oidc-discovery.example.org
     # -- Override all instances of bundleConfigMap
     bundleConfigMap: ""