This repository has been archived by the owner on Mar 22, 2024. It is now read-only.


Add additional domains to JWT issued items. (#230)
Co-authored-by: Marco Franssen <marco.franssen@gmail.com>
kfox1111 and marcofranssen committed Jul 3, 2023
1 parent 3405e13 commit c1b1dd3
Showing 10 changed files with 27 additions and 13 deletions.
2 changes: 1 addition & 1 deletion .github/tests/spire-oidc-insecure/values.yaml
Expand Up @@ -25,7 +25,7 @@ spiffe-oidc-discovery-provider:
enabled: true

config:
domains:
additionalDomains:
- ingress-nginx-controller

acme:
5 changes: 3 additions & 2 deletions charts/spire/README.md
Expand Up @@ -112,6 +112,7 @@ Now you can interact with the Spire agent socket from your own application. The
| global.spire.bundleConfigMap | string | `""` | Override all instances of bundleConfigMap |
| global.spire.clusterName | string | `"example-cluster"` | |
| global.spire.image.registry | string | `""` | Override all Spire image registries at once |
| global.spire.jwtIssuer | string | `"oidc-discovery.example.org"` | Set the jwt issuer |
| global.spire.trustDomain | string | `"example.org"` | The trust domain to be used for the SPIFFE identifiers |
| spiffe-csi-driver.enabled | bool | `true` | Enables deployment of CSI driver |
| spiffe-oidc-discovery-provider.enabled | bool | `false` | Enables deployment of OIDC discovery provider |
Expand Down Expand Up @@ -164,8 +165,7 @@ Now you can interact with the Spire agent socket from your own application. The
| spiffe-oidc-discovery-provider.config.acme.directoryUrl | string | `"https://acme-v02.api.letsencrypt.org/directory"` | |
| spiffe-oidc-discovery-provider.config.acme.emailAddress | string | `"letsencrypt@example.org"` | |
| spiffe-oidc-discovery-provider.config.acme.tosAccepted | bool | `false` | |
| spiffe-oidc-discovery-provider.config.domains[0] | string | `"localhost"` | |
| spiffe-oidc-discovery-provider.config.domains[1] | string | `"oidc-discovery.example.org"` | |
| spiffe-oidc-discovery-provider.config.additionalDomains | list | `["localhost"]` | Add additional domains that can be used for oidc discovery |
| spiffe-oidc-discovery-provider.config.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" |
| spiffe-oidc-discovery-provider.configMap.annotations | object | `{}` | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap |
| spiffe-oidc-discovery-provider.fullnameOverride | string | `""` | |
Expand All @@ -189,6 +189,7 @@ Now you can interact with the Spire agent socket from your own application. The
| spiffe-oidc-discovery-provider.insecureScheme.nginx.image.tag | string | `"1.24.0-alpine"` | Overrides the image tag |
| spiffe-oidc-discovery-provider.insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
| spiffe-oidc-discovery-provider.insecureScheme.nginx.resources | object | `{}` | |
| spiffe-oidc-discovery-provider.jwtIssuer | string | `"oidc-discovery.example.org"` | |
| spiffe-oidc-discovery-provider.livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe |
| spiffe-oidc-discovery-provider.livenessProbe.periodSeconds | int | `5` | Period seconds for livenessProbe |
| spiffe-oidc-discovery-provider.nameOverride | string | `""` | |
4 changes: 2 additions & 2 deletions charts/spire/charts/spiffe-oidc-discovery-provider/README.md
Expand Up @@ -41,8 +41,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| config.acme.directoryUrl | string | `"https://acme-v02.api.letsencrypt.org/directory"` | |
| config.acme.emailAddress | string | `"letsencrypt@example.org"` | |
| config.acme.tosAccepted | bool | `false` | |
| config.domains[0] | string | `"localhost"` | |
| config.domains[1] | string | `"oidc-discovery.example.org"` | |
| config.additionalDomains | list | `["localhost"]` | Add additional domains that can be used for oidc discovery |
| config.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" |
| configMap.annotations | object | `{}` | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap |
| fullnameOverride | string | `""` | |
Expand All @@ -66,6 +65,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| insecureScheme.nginx.image.tag | string | `"1.24.0-alpine"` | Overrides the image tag |
| insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
| insecureScheme.nginx.resources | object | `{}` | |
| jwtIssuer | string | `"oidc-discovery.example.org"` | |
| livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe |
| livenessProbe.periodSeconds | int | `5` | Period seconds for livenessProbe |
| nameOverride | string | `""` | |
Expand Up @@ -8,9 +8,8 @@ domains:
- "{{ include "spiffe-oidc-discovery-provider.fullname" . }}"
- "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}"
- "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}"
{{- if gt (len .Values.config.domains) 0 }}
{{- .Values.config.domains | toYaml | nindent 2 }}
{{- end }}
{{- $jwtIssuer := include "spire-lib.jwt-issuer" . }}
{{- uniq (concat (list $jwtIssuer) .Values.config.additionalDomains) | toYaml | nindent 2 }}

{{- if .Values.insecureScheme.enabled }}
allow_insecure_scheme: {{ .Values.insecureScheme.enabled }}
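Review bot: the new `concat` call has no guard for a null value, so a user who writes `additionalDomains:` with nothing after it (YAML null rather than `[]`) will get a render error from Sprig's `concat` on the line `{{- uniq (concat (list $jwtIssuer) .Values.config.additionalDomains) | toYaml | nindent 2 }}`; wrapping it as `(default (list) .Values.config.additionalDomains)` keeps the issuer-only case rendering. The removed `len ... gt 0` guard is no longer needed for the empty-list case, since the issuer is always present. It would also help to add a template comment above this block stating that `jwtIssuer` must be a bare hostname (as the default `oidc-discovery.example.org` is), not a URL with a scheme, because it is now written straight into the provider's `domains` list.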
Expand Up @@ -33,7 +33,7 @@ spec:
- name: curl-ingress
image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
command: ['curl']
args: ['-s', '-f', 'http://{{ index .Values.config.domains 0 }}/.well-known/openid-configuration']
args: ['-s', '-f', 'http://{{ index .Values.config.additionalDomains 0 }}/.well-known/openid-configuration']
securityContext:
{{- toYaml .Values.securityContext | nindent 8 }}
{{- end }}
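Review bot: `{{ index .Values.config.additionalDomains 0 }}` will fail to render with an index-out-of-range error whenever `additionalDomains` is empty, which this same commit makes a supported configuration (`additionalDomains: []` in examples/production/values.yaml). The one hostname that is guaranteed to be in the served `domains` list is the issuer, so the test should curl `http://{{ include "spire-lib.jwt-issuer" . }}/.well-known/openid-configuration` instead, or fall back to it when the list is empty.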
Expand Up @@ -104,12 +104,14 @@ insecureScheme:
# cpu: 100m
# memory: 64Mi

jwtIssuer: oidc-discovery.example.org

config:
# -- The log level, valid values are "debug", "info", "warn", and "error"
logLevel: info
domains:
- localhost
- oidc-discovery.example.org
# -- Add additional domains that can be used for oidc discovery
additionalDomains:
- localhost

acme:
tosAccepted: false
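Review bot: the new `jwtIssuer: oidc-discovery.example.org` key has no `# --` description comment, unlike the neighbouring keys (`# -- The log level...`, `# -- Add additional domains...`), which is why the generated README rows for `spiffe-oidc-discovery-provider.jwtIssuer` and `jwtIssuer` in this commit have an empty description column. Suggest a comment along the lines of `# -- The JWT issuer; overridden by global.spire.jwtIssuer, written to the server's jwt_issuer and always included in the discovery provider's served domains`. The `additionalDomains` comment could likewise say that the issuer is added automatically so it does not need to be repeated here, and that the `localhost` default exists for the insecure/local setup.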
2 changes: 1 addition & 1 deletion charts/spire/charts/spire-server/templates/configmap.yaml
Expand Up @@ -7,7 +7,7 @@ server:
trust_domain: {{ include "spire-lib.trust-domain" . | quote }}
data_dir: "/run/spire/data"
log_level: {{ .Values.logLevel | quote }}
jwt_issuer: {{ .Values.jwtIssuer | quote }}
jwt_issuer: {{ include "spire-lib.jwt-issuer" . | quote }}

ca_key_type: {{ .Values.caKeyType | quote }}
ca_ttl: {{ .Values.caTTL | quote }}
8 changes: 8 additions & 0 deletions charts/spire/templates/_spire-lib.tpl
Expand Up @@ -14,6 +14,14 @@
{{- end }}
{{- end }}

{{- define "spire-lib.jwt-issuer" }}
{{- if ne (len (dig "spire" "jwtIssuer" "" .Values.global)) 0 }}
{{- .Values.global.spire.jwtIssuer }}
{{- else }}
{{- .Values.jwtIssuer }}
{{- end }}
{{- end }}

{{- define "spire-lib.bundle-configmap" }}
{{- if ne (len (dig "spire" "bundleConfigMap" "" .Values.global)) 0 }}
{{- .Values.global.spire.bundleConfigMap }}
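Review bot: when `global.spire.jwtIssuer` is unset, this helper falls back to `.Values.jwtIssuer` of whichever subchart is rendering it, so spire-server's `jwt_issuer` (configmap.yaml) and the discovery provider's served domain (the provider's configmap.yaml) can silently diverge if the two subcharts are given different per-chart `jwtIssuer` values; tokens would then carry an `iss` that the discovery endpoint does not serve. Worth a comment on this define stating that the two must match and that `global.spire.jwtIssuer` is the intended single knob, or a fail-fast check when both subchart values are set and differ.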
2 changes: 2 additions & 0 deletions charts/spire/values.yaml
Expand Up @@ -8,6 +8,8 @@ global:
clusterName: example-cluster
# -- The trust domain to be used for the SPIFFE identifiers
trustDomain: example.org
# -- Set the jwt issuer
jwtIssuer: oidc-discovery.example.org
# -- Override all instances of bundleConfigMap
bundleConfigMap: ""

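Review bot: `# -- Set the jwt issuer` is too thin for a value that drives both subcharts; the comment (and thus the README row) should say that it overrides `jwtIssuer` in spire-server and spiffe-oidc-discovery-provider, ends up in the server's `jwt_issuer` setting, and is added to the provider's served domains, which is why it has to be a hostname rather than a URL.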
2 changes: 2 additions & 0 deletions examples/production/values.yaml
Expand Up @@ -71,6 +71,8 @@ spire-agent:

spiffe-oidc-discovery-provider:
enabled: true
config:
additionalDomains: []
insecureScheme:
enabled: true
podSecurityContext:
