Rebase

Signed-off-by: Kevin Fox <[email protected]>
spiffe · Sep 11, 2023 · 459a382 · 459a382
1 parent 9ad2ed5
commit 459a382
Show file tree

Hide file tree

Showing 9 changed files with 32 additions and 2 deletions.
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
@@ -1,3 +1,4 @@
+{{- include "spire-lib.strict-check" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
 {{- $oidcSocket := "/run/spire/oidc-sockets/spire-oidc-server.sock" }}
 {{- define "spiffe-oidc-discovery-provider.yaml-config" -}}
 {{- $oidcSocket := .oidcSocket }}

diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -1,3 +1,5 @@
+{{- include "spire-lib.strict-check" (list . "clusterName must be set" (eq (include "spire-lib.cluster-name" .) "example-cluster"))}}
+{{- include "spire-lib.strict-check" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
 {{- define "spire-agent.yaml-config" -}}
 agent:
   data_dir: "/run/spire"

diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -1,3 +1,5 @@
+{{- include "spire-lib.strict-check" (list . "clusterName must be set" (eq (include "spire-lib.cluster-name" .) "example-cluster"))}}
+{{- include "spire-lib.strict-check" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
 {{- range $type, $tvals := .Values.customPlugins }}
 {{-   if not (has $type (list "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }}
 {{-     fail (printf "Unknown plugin type specified: %s" $type) }}

diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl
@@ -107,3 +107,18 @@ rules:
 {{- end }}
 {{- include "spire-lib.image" $root }}
 {{- end }}
+
+{{/*
+Take in an array of, '.', a failure string to display, and boolean to to display it,
+if strict checking is enabled and the boolean is true
+*/}}
+{{- define "spire-lib.strict-check" }}
+{{ $root := index . 0 }}
+{{ $message := index . 1 }}
+{{ $condition := index . 2 }}
+{{- if (dig "spire" "strictChecking" false $root.Values.global) }}
+{{- if $condition }}
+{{- fail $message }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml
@@ -24,6 +24,9 @@ global:
       ## @param global.spire.image.registry Override all Spire image registries at once
       registry: ""
 
+    # -- Set to false to disable production requirements to enable you to kick the tires with spire without needing a lot of configuration.
+    strictChecking: false
+
   installAndUpgradeHooks:
     ## @param global.installAndUpgradeHooks.enabled Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`)
     enabled: true

diff --git a/examples/external-mysql/run-tests.sh b/examples/external-mysql/run-tests.sh
@@ -32,7 +32,7 @@ helm upgrade --install mysql mysql --version "$VERSION_MYSQL" --repo "$HELM_REPO
   --wait
 
 helm upgrade --install --namespace "spire-server" \
-  --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml" \
+  --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \
   --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire
 helm test --namespace "spire-server" spire
 

diff --git a/examples/external-postgresql/run-tests.sh b/examples/external-postgresql/run-tests.sh
@@ -32,7 +32,7 @@ helm upgrade --install postgresql postgresql --version "$VERSION_POSTGRESQL" --r
   --wait
 
 helm upgrade --install --namespace "spire-server" \
-  --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml" \
+  --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \
   --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire
 helm test --namespace "spire-server" spire
 

diff --git a/examples/production/run-tests.sh b/examples/production/run-tests.sh
@@ -89,6 +89,11 @@ EOF
 
 helm test --namespace "${ns}" spire
 
+if helm get manifest -n spire-server spire | grep -i example; then
+  echo Global settings did not work. Please fix.
+  exit 1
+fi
+
 print_helm_releases
 print_spire_workload_status "${ns}"
 

diff --git a/examples/production/values.yaml b/examples/production/values.yaml
@@ -2,6 +2,8 @@ global:
   telemetry:
     prometheus:
       enabled: true
+  spire:
+    strictChecking: false
 
 spire-server:
   nodeAttestor: