Merge pull request #60 from spiffe/oidc-ingress

spiffe · Mar 16, 2023 · fae12af · fae12af
2 parents eaed7c9 + 6322a9a
commit fae12af
Show file tree

Hide file tree

Showing 6 changed files with 90 additions and 2 deletions.
diff --git a/.github/tests/spire-oidc-insecure/pre-install.sh b/.github/tests/spire-oidc-insecure/pre-install.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+helm install ingress-nginx ingress-nginx --version 4.5.2 --repo https://kubernetes.github.io/ingress-nginx -n "$scenario" --set controller.extraArgs.enable-ssl-passthrough=
+kubectl wait --namespace ingress-nginx   --for=condition=ready pod   --selector=app.kubernetes.io/component=controller -n "$scenario"
diff --git a/.github/tests/spire-oidc-insecure/values.yaml b/.github/tests/spire-oidc-insecure/values.yaml
@@ -6,7 +6,16 @@ spiffe-oidc-discovery-provider:
 
   config:
     domains:
-      - oidc-discovery.example.org
+      - ingress-nginx-controller
 
     acme:
       tosAccepted: false
+
+  ingress:
+    enabled: true
+    className: nginx
+    hosts:
+    - host: ingress-nginx-controller
+      paths:
+        - path: /
+          pathType: Prefix
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
@@ -34,6 +34,13 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | image.repository | string | `"spiffe/oidc-discovery-provider"` |  |
 | image.version | string | `""` |  |
 | imagePullSecrets | list | `[]` |  |
+| ingress.annotations | object | `{}` |  |
+| ingress.className | string | `""` |  |
+| ingress.enabled | bool | `false` |  |
+| ingress.hosts[0].host | string | `"oidc-discovery.example.org"` |  |
+| ingress.hosts[0].paths[0].path | string | `"/"` |  |
+| ingress.hosts[0].paths[0].pathType | string | `"Prefix"` |  |
+| ingress.tls | list | `[]` |  |
 | insecureScheme.enabled | bool | `false` |  |
 | insecureScheme.nginx.image.pullPolicy | string | `"IfNotPresent"` |  |
 | insecureScheme.nginx.image.registry | string | `"docker.io"` |  |

diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml
@@ -0,0 +1,42 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "spiffe-oidc-discovery-provider.fullname" . }}
+{{- $port := .Values.service.port }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
+  labels:
+    {{- include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $port }}
+          {{- end }}
+    {{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml
@@ -29,4 +29,12 @@ spec:
       args: ['-O', '/dev/null', '{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.cluster.local:{{ .Values.service.port }}/.well-known/openid-configuration']
       securityContext:
         {{- toYaml .Values.securityContext | nindent 8 }}
+    {{- if .Values.ingress.enabled }}
+    - name: wget-ingress
+      image: busybox
+      command: ['wget']
+      args: ['-O', '/dev/null', '{{ index .Values.config.domains 0 }}/.well-known/openid-configuration']
+      securityContext:
+        {{- toYaml .Values.securityContext | nindent 8 }}
+    {{- end }}
   restartPolicy: Never
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
@@ -112,7 +112,7 @@ tolerations: []
 
 affinity: {}
 
-trustDomain: "example.org"
+trustDomain: example.org
 
 telemetry:
   prometheus:
@@ -137,3 +137,21 @@ telemetry:
         # limits:
         #   cpu: 100m
         #   memory: 64Mi
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+    # nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    # nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+  hosts:
+    - host: oidc-discovery.example.org
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - oidc-discovery.example.org