option to set KeyManager memory in spire server (#444)

spiffe · Aug 12, 2023 · e60f528 · e60f528
1 parent a167ce6
commit e60f528
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 0 deletions.
diff --git a/charts/spire/README.md b/charts/spire/README.md
@@ -362,6 +362,8 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.ingress.tls | list | `[]` |  |
 | spire-server.initContainers | list | `[]` |  |
 | spire-server.jwtIssuer | string | `"https://oidc-discovery.example.org"` | The JWT issuer domain |
+| spire-server.keyManager.disk.enabled | bool | `true` |  |
+| spire-server.keyManager.memory.enabled | bool | `false` |  |
 | spire-server.livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe |
 | spire-server.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe |
 | spire-server.livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe |

diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
@@ -160,6 +160,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | ingress.tls | list | `[]` |  |
 | initContainers | list | `[]` |  |
 | jwtIssuer | string | `"https://oidc-discovery.example.org"` | The JWT issuer domain |
+| keyManager.disk.enabled | bool | `true` |  |
+| keyManager.memory.enabled | bool | `false` |  |
 | livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe |
 | livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe |
 | livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe |

diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -1,5 +1,6 @@
 {{- define "spire-server.yaml-config" -}}
 {{- $upstreamAuthorityUsed := 0 }}
+{{- $keyManagerUsed := 0 }}
 {{- $root := . }}
 server:
   bind_address: "0.0.0.0"
@@ -47,10 +48,28 @@ plugins:
   {{- end }}
   {{- end }}
 
+  {{- with .Values.keyManager.disk }}
+  {{- if eq (.enabled | toString) "true" }}
+  {{- $keyManagerUsed = add1 $keyManagerUsed }}
   KeyManager:
     - disk:
         plugin_data:
           keys_path: "/run/spire/data/keys.json"
+  {{- end }}
+  {{- end }}
+
+  {{- with .Values.keyManager.memory }}
+  {{- if eq (.enabled | toString) "true" }}
+  {{- $keyManagerUsed = add1 $keyManagerUsed }}
+  KeyManager:
+    - memory:
+        plugin_data:
+  {{- end }}
+  {{- end }}
+
+{{- if gt $keyManagerUsed 1 }}
+{{- fail "You can only enable a single KeyManager" }}
+{{- end }}
 
   Notifier:
     - k8sbundle:

diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
@@ -175,6 +175,12 @@ ca_subject:
   organization: Example
   common_name: example.org
 
+keyManager:
+  disk:
+    enabled: true
+  memory:
+    enabled: false
+
 upstreamAuthority:
   disk:
     enabled: false