Adding support for downstream in SpiffeID resource (#2885)

Signed-off-by: Liam Decker <[email protected]>

support/k8s/k8s-workload-registrar/mode-crd/README.md

@@ -455,6 +455,7 @@ spec:
     podName: my-pod-name
   spiffeId: spiffe://example.org/my-spiffe-id
   parentId: spiffe://example.org/spire/server
+  downstream: false
 ```
 
 The supported selectors are:
@@ -470,6 +471,7 @@ The supported selectors are:
 
 Notes: 
 * Specifying DNS Names is optional
+* Specifying downstream is optional
 * The metadata.namespace and selector.namespace must match
 
 ## CRD Security Considerations

support/k8s/k8s-workload-registrar/mode-crd/api/spiffeid/v1beta1/spiffeid_types.go

@@ -50,6 +50,7 @@ type SpiffeIDSpec struct {
 	ParentId      string   `json:"parentId"`
 	SpiffeId      string   `json:"spiffeId"`
 	Selector      Selector `json:"selector"`
+	Downstream    bool     `json:"downstream,omitempty"`
 	DnsNames      []string `json:"dnsNames,omitempty"`
 	FederatesWith []string `json:"federatesWith,omitempty"`
 }

support/k8s/k8s-workload-registrar/mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml

@@ -49,6 +49,8 @@ spec:
                 type: array
               parentId:
                 type: string
+              downstream:
+                type: boolean
               selector:
                 properties:
                   arbitrary:

support/k8s/k8s-workload-registrar/mode-crd/controllers/spiffeid_controller.go

@@ -282,6 +282,7 @@ func entryFromCRD(crd *spiffeidv1beta1.SpiffeID) (*types.Entry, error) {
 		Selectors:     crd.TypesSelector(),
 		DnsNames:      crd.Spec.DnsNames,
 		FederatesWith: crd.Spec.FederatesWith,
+		Downstream:    crd.Spec.Downstream,
 	}, nil
 }
 
@@ -301,7 +302,8 @@ func entryEqual(existing, current *types.Entry) bool {
 	return equalStringSlice(existing.DnsNames, current.DnsNames) &&
 		selectorSetsEqual(existing.Selectors, current.Selectors) &&
 		spiffeIDEqual(existing.SpiffeId, current.SpiffeId) &&
-		spiffeIDEqual(existing.ParentId, current.ParentId)
+		spiffeIDEqual(existing.ParentId, current.ParentId) &&
+		existing.Downstream == current.Downstream
 }
 
 func spiffeIDEqual(existing, current *types.SPIFFEID) bool {

support/k8s/k8s-workload-registrar/mode-crd/controllers/spiffeid_controller_test.go

@@ -78,6 +78,7 @@ func (s *SpiffeIDControllerTestSuite) TestCreateSpiffeID() {
 			Selector: spiffeidv1beta1.Selector{
 				Namespace: SpiffeIDNamespace,
 			},
+			Downstream: true,
 		},
 	}
 	err = s.k8sClient.Create(ctx, spiffeID)
@@ -99,12 +100,14 @@ func (s *SpiffeIDControllerTestSuite) TestCreateSpiffeID() {
 	})
 	s.Require().NoError(err)
 	s.Require().NotNil(entry)
+	s.Require().True(entry.Downstream)
 	s.Require().Equal(makeID(s.trustDomain, "%s", SpiffeIDName), stringFromID(entry.SpiffeId))
 
 	// Update SPIFFE ID
 	createdSpiffeID.Spec.SpiffeId = makeID(s.trustDomain, "%s/%s", SpiffeIDName, "new")
 	createdSpiffeID.Spec.ParentId = makeID(s.trustDomain, "%s/%s/%s", "spire", "server", "new")
 	createdSpiffeID.Spec.Selector.PodName = "test"
+	createdSpiffeID.Spec.Downstream = false
 	err = s.k8sClient.Update(ctx, createdSpiffeID)
 	s.Require().NoError(err)
 	_, err = s.r.Reconcile(ctx, ctrl.Request{NamespacedName: spiffeIDLookupKey})
@@ -118,6 +121,7 @@ func (s *SpiffeIDControllerTestSuite) TestCreateSpiffeID() {
 	s.Require().NotNil(entry)
 	s.Require().Equal(createdSpiffeID.Spec.SpiffeId, stringFromID(entry.SpiffeId))
 	s.Require().Equal(createdSpiffeID.Spec.ParentId, stringFromID(entry.ParentId))
+	s.Require().False(createdSpiffeID.Spec.Downstream)
 	s.Require().Equal(createdSpiffeID.Spec.Selector.PodName, "test")
 }