This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

Fix jwtIssuer to allow for Uris including scheme #425

Merged
merged 1 commit into from
Aug 9, 2023
6 changes: 3 additions & 3 deletions charts/spire/README.md
@@ -112,7 +112,7 @@ Now you can interact with the Spire agent socket from your own application. The
| global.spire.bundleConfigMap | string | `""` | Override all instances of bundleConfigMap |
| global.spire.clusterName | string | `"example-cluster"` | |
| global.spire.image.registry | string | `""` | Override all Spire image registries at once |
| global.spire.jwtIssuer | string | `"oidc-discovery.example.org"` | Set the jwt issuer |
| global.spire.jwtIssuer | string | `"https://oidc-discovery.example.org"` | Set the jwt issuer |
| global.spire.trustDomain | string | `"example.org"` | The trust domain to be used for the SPIFFE identifiers |
| spiffe-csi-driver.enabled | bool | `true` | Enables deployment of CSI driver |
| spiffe-oidc-discovery-provider.enabled | bool | `false` | Enables deployment of OIDC discovery provider |
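Review bot: The `global.spire.jwtIssuer` row now shows `https://oidc-discovery.example.org` as the default, but nothing in this README tells an existing user that a values file still carrying the old bare-hostname form (`oidc-discovery.example.org`) should be changed, or why. Add a short upgrade note to the README prose: OIDC relying parties reject a token whose `iss` claim does not exactly match the issuer published at the discovery endpoint, and that published issuer is a URL, so the scheme is part of the value, not decoration. The table itself is helm-docs output, so any wording fix for the description column belongs in the `# --` comment in charts/spire/values.yaml rather than in this file.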
@@ -191,7 +191,7 @@ Now you can interact with the Spire agent socket from your own application. The
| spiffe-oidc-discovery-provider.insecureScheme.nginx.image.tag | string | `"1.24.0-alpine"` | Overrides the image tag |
| spiffe-oidc-discovery-provider.insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
| spiffe-oidc-discovery-provider.insecureScheme.nginx.resources | object | `{}` | |
| spiffe-oidc-discovery-provider.jwtIssuer | string | `"oidc-discovery.example.org"` | |
| spiffe-oidc-discovery-provider.jwtIssuer | string | `"https://oidc-discovery.example.org"` | |
| spiffe-oidc-discovery-provider.livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe |
| spiffe-oidc-discovery-provider.livenessProbe.periodSeconds | int | `5` | Period seconds for livenessProbe |
| spiffe-oidc-discovery-provider.nameOverride | string | `""` | |
@@ -361,7 +361,7 @@ Now you can interact with the Spire agent socket from your own application. The
| spire-server.ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | |
| spire-server.ingress.tls | list | `[]` | |
| spire-server.initContainers | list | `[]` | |
| spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain |
| spire-server.jwtIssuer | string | `"https://oidc-discovery.example.org"` | The JWT issuer domain |
| spire-server.livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe |
| spire-server.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe |
| spire-server.livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe |
@@ -66,7 +66,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| insecureScheme.nginx.image.tag | string | `"1.24.0-alpine"` | Overrides the image tag |
| insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
| insecureScheme.nginx.resources | object | `{}` | |
| jwtIssuer | string | `"oidc-discovery.example.org"` | |
| jwtIssuer | string | `"https://oidc-discovery.example.org"` | |
| livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe |
| livenessProbe.periodSeconds | int | `5` | Period seconds for livenessProbe |
| nameOverride | string | `""` | |
@@ -8,7 +8,8 @@ domains:
- "{{ include "spiffe-oidc-discovery-provider.fullname" . }}"
- "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}"
- "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}"
{{- $jwtIssuer := include "spire-lib.jwt-issuer" . }}
{{- $uri := urlParse (include "spire-lib.jwt-issuer" .) }}
{{- $jwtIssuer := (default $uri.path $uri.host) }}
{{- uniq (concat (list $jwtIssuer) .Values.config.additionalDomains) | toYaml | nindent 2 }}

{{- if .Values.insecureScheme.enabled }}
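Review bot: `$uri.host` on the new line `{{- $jwtIssuer := (default $uri.path $uri.host) }}` is Go's `URL.Host`, which keeps the port, so an issuer such as `https://oidc-discovery.example.org:8443` would put `oidc-discovery.example.org:8443` into `domains`, which is not a hostname the provider can serve or obtain a certificate for; Sprig's `urlParse` also exposes `hostname`, the port-stripped form, and that is the one that matches the shape of the three service-name entries above it. The `default $uri.path` fallback correctly covers the legacy scheme-less value (`url.Parse` puts `oidc-discovery.example.org` entirely in `path` and leaves `host` empty), but a scheme-less value with a port, e.g. `oidc-discovery.example.org:8443`, parses with `oidc-discovery.example.org` as the scheme and leaves both `host` and `path` empty, so an empty string silently lands in the domains list. Wrapping the result in `required "jwtIssuer must be a URL including scheme" $jwtIssuer` (or a `fail`) turns that into a render-time error instead. A one-line comment above these two lines would also help: the full value is what `spire-lib.jwt-issuer` hands out as the issuer, while only its host is a name this provider serves, and the `urlParse`/`default` pair is not obvious to the next reader.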
@@ -107,7 +107,7 @@ insecureScheme:
# cpu: 100m
# memory: 64Mi

jwtIssuer: oidc-discovery.example.org
jwtIssuer: https://oidc-discovery.example.org

config:
# -- The log level, valid values are "debug", "info", "warn", and "error"
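Review bot: `jwtIssuer: https://oidc-discovery.example.org` has no `# --` helm-docs comment, which is why the `jwtIssuer` row in this chart's README and the `spiffe-oidc-discovery-provider.jwtIssuer` row in charts/spire/README.md both have an empty description column. Since this PR changes the accepted format, add one here, e.g. `# -- The JWT issuer URL including scheme; its host is added to the domains list alongside config.additionalDomains`, so the generated READMEs explain the value instead of leaving readers to guess from the example.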
2 changes: 1 addition & 1 deletion charts/spire/charts/spire-server/README.md
@@ -159,7 +159,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | |
| ingress.tls | list | `[]` | |
| initContainers | list | `[]` | |
| jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain |
| jwtIssuer | string | `"https://oidc-discovery.example.org"` | The JWT issuer domain |
| livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe |
| livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe |
| livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe |
8 changes: 4 additions & 4 deletions charts/spire/charts/spire-server/values.yaml
@@ -132,7 +132,7 @@ dataStore:
# -- The log level, valid values are "debug", "info", "warn", and "error"
logLevel: info
# -- The JWT issuer domain
jwtIssuer: oidc-discovery.example.org
jwtIssuer: https://oidc-discovery.example.org

# -- Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`)
clusterName: example-cluster
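Review bot: The comment `# -- The JWT issuer domain` above `jwtIssuer: https://oidc-discovery.example.org` now contradicts the value under it, and helm-docs copies it verbatim into the `jwtIssuer` row of charts/spire/charts/spire-server/README.md and the `spire-server.jwtIssuer` row of charts/spire/README.md, both of which still say "domain" in this PR. Change it to describe a URL, e.g. `# -- The JWT issuer URL, including scheme (e.g. https://oidc-discovery.example.org)`, and state whether a bare hostname is still accepted, because anyone upgrading with the old-style value in their own values file needs to know whether to change it.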
@@ -196,13 +196,13 @@ upstreamAuthority:
certificateAuthorityARN: ""
# -- (Optional) ARN of an IAM role to assume
assumeRoleARN: ""
# -- (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only.
# -- (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only.
# -- See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values.
caSigningTemplateARN: ""
# -- (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default.
# -- (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default.
# -- See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values.
signingAlgorithm: ""
# -- (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint.
# -- (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint.
# -- See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information.
endpoint: ""
# -- (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle.
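Review bot: The second hunk in this file (the `caSigningTemplateARN`, `signingAlgorithm` and `endpoint` comment lines) is a whitespace-only change unrelated to the jwtIssuer fix; GitHub renders each removed/added pair as identical text, so it reads as a no-op. Trailing-whitespace cleanup is fine, but split it into its own commit or mention it in the commit message so that `git blame` on these upstreamAuthority settings does not point at a JWT issuer change.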
2 changes: 1 addition & 1 deletion charts/spire/values.yaml
@@ -9,7 +9,7 @@ global:
# -- The trust domain to be used for the SPIFFE identifiers
trustDomain: example.org
# -- Set the jwt issuer
jwtIssuer: oidc-discovery.example.org
jwtIssuer: https://oidc-discovery.example.org
# -- Override all instances of bundleConfigMap
bundleConfigMap: ""

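Review bot: `# -- Set the jwt issuer` above `jwtIssuer: https://oidc-discovery.example.org` should say that the value is a full URL including scheme, since this comment is the source of the `global.spire.jwtIssuer` description in charts/spire/README.md and the example value alone does not make the requirement clear. It is also worth stating that this global key is the one to set when both the server and the discovery provider are deployed, because the server's issuer and the hostname the provider serves are derived from the same string and OIDC validation fails if they disagree (assuming `spire-lib.jwt-issuer` resolves the global value ahead of the per-chart `jwtIssuer` keys, as the `global.` pattern used for `bundleConfigMap` suggests).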