Add aws_pca to the spire-server (#404)

This change allows aws_pca to be configured via values of this chart. __Requires 1.7.1 version__ per [bug](spiffe/spire#4351) - this will not work until 1.7.1 is released. --------- Signed-off-by: Petr McAllister <petr.mcallister@gmail.com> Signed-off-by: Petr McAllister <petr@tetrate.io> Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov> Co-authored-by: Marco Franssen <marco.franssen@gmail.com> Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
spiffe · Jul 27, 2023 · 9f4d4ac · 9f4d4ac
1 parent af13f1f
commit 9f4d4ac
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 0 deletions.
diff --git a/charts/spire/README.md b/charts/spire/README.md
@@ -421,6 +421,14 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.tornjak.startupProbe.successThreshold | int | `1` |  |
 | spire-server.tornjak.startupProbe.timeoutSeconds | int | `5` |  |
 | spire-server.trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers |
+| spire-server.upstreamAuthority.awsPCA.assumeRoleARN | Optional | `""` | ARN of an IAM role to assume |
+| spire-server.upstreamAuthority.awsPCA.caSigningTemplateARN | string | `""` | See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. |
+| spire-server.upstreamAuthority.awsPCA.certificateAuthorityARN | string | `""` | ARN of the "upstream" CA certificate |
+| spire-server.upstreamAuthority.awsPCA.enabled | bool | `false` |  |
+| spire-server.upstreamAuthority.awsPCA.endpoint | string | `""` | See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. |
+| spire-server.upstreamAuthority.awsPCA.region | string | `""` | AWS Region to use |
+| spire-server.upstreamAuthority.awsPCA.signingAlgorithm | string | `""` | See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. |
+| spire-server.upstreamAuthority.awsPCA.supplementalBundlePath | Optional | `""` | Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. |
 | spire-server.upstreamAuthority.certManager.ca.create | bool | `false` | Creates a Cert-Manager CA |
 | spire-server.upstreamAuthority.certManager.ca.duration | string | `"87600h"` | Duration of the CA. Defaults to 10 years. |
 | spire-server.upstreamAuthority.certManager.ca.privateKey.algorithm | string | `"ECDSA"` |  |

diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
@@ -220,6 +220,14 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | tornjak.startupProbe.successThreshold | int | `1` |  |
 | tornjak.startupProbe.timeoutSeconds | int | `5` |  |
 | trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers |
+| upstreamAuthority.awsPCA.assumeRoleARN | Optional | `""` | ARN of an IAM role to assume |
+| upstreamAuthority.awsPCA.caSigningTemplateARN | string | `""` | See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. |
+| upstreamAuthority.awsPCA.certificateAuthorityARN | string | `""` | ARN of the "upstream" CA certificate |
+| upstreamAuthority.awsPCA.enabled | bool | `false` |  |
+| upstreamAuthority.awsPCA.endpoint | string | `""` | See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. |
+| upstreamAuthority.awsPCA.region | string | `""` | AWS Region to use |
+| upstreamAuthority.awsPCA.signingAlgorithm | string | `""` | See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. |
+| upstreamAuthority.awsPCA.supplementalBundlePath | Optional | `""` | Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. |
 | upstreamAuthority.certManager.ca.create | bool | `false` | Creates a Cert-Manager CA |
 | upstreamAuthority.certManager.ca.duration | string | `"87600h"` | Duration of the CA. Defaults to 10 years. |
 | upstreamAuthority.certManager.ca.privateKey.algorithm | string | `"ECDSA"` |  |

diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -99,6 +99,30 @@ plugins:
           workload_api_socket: "/run/spire/upstream_agent/spire-agent.sock"
   {{- end }}
   {{- end }}
+
+  {{- with .Values.upstreamAuthority.awsPCA }}
+  {{- if eq (.enabled | toString) "true" }}
+  {{- $upstreamAuthorityUsed = add1 $upstreamAuthorityUsed }}
+  UpstreamAuthority:
+    - aws_pca:
+        plugin_data:
+          region: {{ .region | quote }}
+          certificate_authority_arn: {{ .certificateAuthorityARN | quote }}
+          ca_signing_template_arn: {{ .caSigningTemplateARN | default "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1" | quote }}
+          {{- if ne .signingAlgorithm "" }}
+          signing_algorithm: {{ .signingAlgorithm | quote }}
+          {{- end }}          
+          {{- if ne .assumeRoleARN "" }}
+          assume_role_arn: {{ .assumeRoleARN | quote }}
+          {{- end }}          
+          {{- if ne .endpoint "" }}
+          endpoint: {{ .endpoint | quote }}
+          {{- end }}          
+          {{- if ne .supplementalBundlePath "" }}
+          supplemental_bundle_path: {{ .supplementalBundlePath  | quote }}
+          {{- end }}          
+  {{- end }}
+  {{- end }}  
 {{- if gt $upstreamAuthorityUsed 1 }}
 {{- fail "You can only enable a single Upstream Authority." }}
 {{- end }}

diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
@@ -188,6 +188,25 @@ upstreamAuthority:
         certificate: ""
         key: ""
         bundle: ""
+  awsPCA:
+    enabled: false
+    # -- AWS Region to use
+    region: ""
+    # -- ARN of the "upstream" CA certificate
+    certificateAuthorityARN: ""
+    # -- (Optional) ARN of an IAM role to assume
+    assumeRoleARN: ""
+    # -- (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. 
+    # -- See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values.
+    caSigningTemplateARN: ""
+    # -- (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. 
+    # -- See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values.
+    signingAlgorithm: ""
+    # -- (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. 
+    # -- See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information.
+    endpoint: ""
+    # -- (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle.
+    supplementalBundlePath: ""
   certManager:
     enabled: false
     rbac: