From f5d770e794d3e2fa23aba790aac2d2ae4cdba87c Mon Sep 17 00:00:00 2001
From: Liam Decker
Date: Fri, 25 Mar 2022 14:16:35 -0500
Subject: [PATCH] Adding support for downstream in SpiffeID resource

Signed-off-by: Liam Decker
---
 support/k8s/k8s-workload-registrar/mode-crd/README.md | 2 ++
 .../mode-crd/api/spiffeid/v1beta1/spiffeid_types.go | 1 +
 .../mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml | 2 ++
 .../mode-crd/controllers/spiffeid_controller.go | 4 +++-
 .../mode-crd/controllers/spiffeid_controller_test.go | 4 ++++
 5 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/support/k8s/k8s-workload-registrar/mode-crd/README.md b/support/k8s/k8s-workload-registrar/mode-crd/README.md
index 7117919ad5..3a13b69b3b 100644
--- a/support/k8s/k8s-workload-registrar/mode-crd/README.md
+++ b/support/k8s/k8s-workload-registrar/mode-crd/README.md
@@ -455,6 +455,7 @@ spec:
   podName: my-pod-name
   spiffeId: spiffe://example.org/my-spiffe-id
   parentId: spiffe://example.org/spire/server
+  downstream: false
 ```
 
 The supported selectors are:
@@ -470,6 +471,7 @@ The supported selectors are:
 
 Notes:
 * Specifying DNS Names is optional
+* Specifying downstream is optional
 * The metadata.namespace and selector.namespace must match
 
 ## CRD Security Considerations
diff --git a/support/k8s/k8s-workload-registrar/mode-crd/api/spiffeid/v1beta1/spiffeid_types.go b/support/k8s/k8s-workload-registrar/mode-crd/api/spiffeid/v1beta1/spiffeid_types.go
index f28f703ff0..939e4a70b6 100644
--- a/support/k8s/k8s-workload-registrar/mode-crd/api/spiffeid/v1beta1/spiffeid_types.go
+++ b/support/k8s/k8s-workload-registrar/mode-crd/api/spiffeid/v1beta1/spiffeid_types.go
@@ -50,6 +50,7 @@ type SpiffeIDSpec struct {
 	ParentId      string   `json:"parentId"`
 	SpiffeId      string   `json:"spiffeId"`
 	Selector      Selector `json:"selector"`
+	Downstream    bool     `json:"downstream,omitempty"`
 	DnsNames      []string `json:"dnsNames,omitempty"`
 	FederatesWith []string `json:"federatesWith,omitempty"`
 }
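Review bot: The new `Downstream` field in SpiffeIDSpec carries no doc comment, and unlike the neighbouring fields it changes what the registered workload may do rather than who it is: in SPIRE a downstream entry, as I understand the registration API, authorizes the workload to obtain CA material as a nested/downstream server. Suggest `// Downstream marks the resulting registration entry as a downstream SPIRE server; set it only for workloads that must act as a CA for a nested server.` above the field, even though the rest of the struct is uncommented. Because any principal that can create SpiffeID resources can now set this flag, the README's "CRD Security Considerations" section (touched in this commit only by an "optional" bullet) would benefit from a sentence that RBAC on SpiffeID resources now also gates downstream authority. The SpiffeIDSpec struct starts before this hunk.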
diff --git a/support/k8s/k8s-workload-registrar/mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml b/support/k8s/k8s-workload-registrar/mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml
index e9aa777cc7..bb385f3122 100644
--- a/support/k8s/k8s-workload-registrar/mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml
+++ b/support/k8s/k8s-workload-registrar/mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml
@@ -49,6 +49,8 @@ spec:
                 type: array
               parentId:
                 type: string
+              downstream:
+                type: boolean
               selector:
                 properties:
                   arbitrary:
diff --git a/support/k8s/k8s-workload-registrar/mode-crd/controllers/spiffeid_controller.go b/support/k8s/k8s-workload-registrar/mode-crd/controllers/spiffeid_controller.go
index de0580f22f..9ab2afb14b 100644
--- a/support/k8s/k8s-workload-registrar/mode-crd/controllers/spiffeid_controller.go
+++ b/support/k8s/k8s-workload-registrar/mode-crd/controllers/spiffeid_controller.go
@@ -282,6 +282,7 @@ func entryFromCRD(crd *spiffeidv1beta1.SpiffeID) (*types.Entry, error) {
 		Selectors:     crd.TypesSelector(),
 		DnsNames:      crd.Spec.DnsNames,
 		FederatesWith: crd.Spec.FederatesWith,
+		Downstream:    crd.Spec.Downstream,
 	}, nil
 }
 
@@ -301,7 +302,8 @@ func entryEqual(existing, current *types.Entry) bool {
 	return equalStringSlice(existing.DnsNames, current.DnsNames) &&
 		selectorSetsEqual(existing.Selectors, current.Selectors) &&
 		spiffeIDEqual(existing.SpiffeId, current.SpiffeId) &&
-		spiffeIDEqual(existing.ParentId, current.ParentId)
+		spiffeIDEqual(existing.ParentId, current.ParentId) &&
+		existing.Downstream == current.Downstream
 }
 
 func spiffeIDEqual(existing, current *types.SPIFFEID) bool {
diff --git a/support/k8s/k8s-workload-registrar/mode-crd/controllers/spiffeid_controller_test.go b/support/k8s/k8s-workload-registrar/mode-crd/controllers/spiffeid_controller_test.go
index e81247128a..880fb380f3 100644
--- a/support/k8s/k8s-workload-registrar/mode-crd/controllers/spiffeid_controller_test.go
+++ b/support/k8s/k8s-workload-registrar/mode-crd/controllers/spiffeid_controller_test.go
@@ -78,6 +78,7 @@ func (s *SpiffeIDControllerTestSuite) TestCreateSpiffeID() {
 			Selector: spiffeidv1beta1.Selector{
 				Namespace: SpiffeIDNamespace,
 			},
+			Downstream: true,
 		},
 	}
 	err = s.k8sClient.Create(ctx, spiffeID)
@@ -99,12 +100,14 @@ func (s *SpiffeIDControllerTestSuite) TestCreateSpiffeID() {
 	})
 	s.Require().NoError(err)
 	s.Require().NotNil(entry)
+	s.Require().True(entry.Downstream)
 	s.Require().Equal(makeID(s.trustDomain, "%s", SpiffeIDName), stringFromID(entry.SpiffeId))
 
 	// Update SPIFFE ID
 	createdSpiffeID.Spec.SpiffeId = makeID(s.trustDomain, "%s/%s", SpiffeIDName, "new")
 	createdSpiffeID.Spec.ParentId = makeID(s.trustDomain, "%s/%s/%s", "spire", "server", "new")
 	createdSpiffeID.Spec.Selector.PodName = "test"
+	createdSpiffeID.Spec.Downstream = false
 	err = s.k8sClient.Update(ctx, createdSpiffeID)
 	s.Require().NoError(err)
 	_, err = s.r.Reconcile(ctx, ctrl.Request{NamespacedName: spiffeIDLookupKey})
@@ -118,6 +121,7 @@ func (s *SpiffeIDControllerTestSuite) TestCreateSpiffeID() {
 	s.Require().NotNil(entry)
 	s.Require().Equal(createdSpiffeID.Spec.SpiffeId, stringFromID(entry.SpiffeId))
 	s.Require().Equal(createdSpiffeID.Spec.ParentId, stringFromID(entry.ParentId))
+	s.Require().False(createdSpiffeID.Spec.Downstream)
 	s.Require().Equal(createdSpiffeID.Spec.Selector.PodName, "test")
 }
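Review bot: The assertion added in the third hunk, `s.Require().False(createdSpiffeID.Spec.Downstream)`, checks the spec value the test itself assigned a few lines earlier, not the reconciled entry, so the update path for the flag is never verified; it should read `s.Require().False(entry.Downstream)`, mirroring the `s.Require().True(entry.Downstream)` check in the second hunk. As written the test would still pass if entryEqual or entryFromCRD dropped the Downstream comparison, and a stale downstream=true entry is the failure mode that matters here since it keeps CA-minting authority on a workload that should no longer have it. TestCreateSpiffeID begins and ends outside these hunks.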