diff --git a/pkg/apis/v1alpha1/types.go b/pkg/apis/v1alpha1/types.go
index 3802f8c8..a3b24d14 100644
--- a/pkg/apis/v1alpha1/types.go
+++ b/pkg/apis/v1alpha1/types.go
@@ -21,6 +21,8 @@ const (
 IssuerKindKey = "csi.cert-manager.io/issuer-kind"
 IssuerGroupKey = "csi.cert-manager.io/issuer-group"
+ InjectSPIFFEKey = "csi.cert-manager.io/inject-spiffe"
+
 CommonNameKey = "csi.cert-manager.io/common-name"
 DNSNamesKey = "csi.cert-manager.io/dns-names"
 IPSANsKey = "csi.cert-manager.io/ip-sans"
diff --git a/pkg/requestgen/generator.go b/pkg/requestgen/generator.go
index 2ae24a43..27ea980f 100644
--- a/pkg/requestgen/generator.go
+++ b/pkg/requestgen/generator.go
@@ -57,6 +57,8 @@ func RequestForMetadata(meta metadata.Metadata) (*manager.CertificateRequestBund
 }
 }
+ var uris []*url.URL
+
 commonName, err := expand(meta, attrs[csiapi.CommonNameKey])
 if err != nil {
 return nil, fmt.Errorf("%q: %w", csiapi.CommonNameKey, err)
@@ -65,7 +67,7 @@ func RequestForMetadata(meta metadata.Metadata) (*manager.CertificateRequestBund
 if err != nil {
 return nil, fmt.Errorf("%q: %w", csiapi.DNSNamesKey, err)
 }
- uris, err := parseURIs(meta, attrs[csiapi.URISANsKey])
+ uris, err = parseURIs(meta, attrs[csiapi.URISANsKey])
 if err != nil {
 return nil, fmt.Errorf("%q: %w", csiapi.URISANsKey, err)
 }
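Review bot: InjectSPIFFEKey is added with no comment saying how it is interpreted, and the generator hunk further down reads it as a presence flag (any value, including "false", enables injection) and rejects it when combined with URISANsKey, so users writing volume attributes need that spelled out on the constant that defines the key. A one-line comment above it would do: `// InjectSPIFFEKey requests a SPIFFE URI SAN derived from the pod's service account; its presence alone enables injection and it cannot be combined with URISANsKey.` The enclosing const block starts and ends outside this hunk.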
@@ -74,6 +76,25 @@ func RequestForMetadata(meta metadata.Metadata) (*manager.CertificateRequestBund
 return nil, fmt.Errorf("%q: %w", csiapi.IPSANsKey, err)
 }
+ _, shouldInjectSPIFFE := attrs[csiapi.InjectSPIFFEKey]
+ if shouldInjectSPIFFE {
+ if len(uris) > 0 {
+ return nil, fmt.Errorf("cannot inject SPIFFE ID (%q) if custom URIs are given with %q", csiapi.InjectSPIFFEKey, csiapi.URISANsKey)
+ }
+
+ saName := meta.VolumeContext["csi.storage.k8s.io/serviceAccount.name"]
+ saNamespace := meta.VolumeContext["csi.storage.k8s.io/pod.namespace"]
+
+ // TODO: configurable trust domain
+ spiffeID := fmt.Sprintf("spiffe://%s/ns/%s/sa/%s", "example.com", saNamespace, saName)
+ uri, err := url.Parse(spiffeID)
+ if err != nil {
+ return nil, fmt.Errorf("internal error crafting X.509 URI, this is a bug, please report on GitHub: %w", err)
+ }
+
+ uris = []*url.URL{uri}
+ }
+
 annotations := make(map[string]string)
 for key, val := range attrs {
 group, _, found := strings.Cut(key, "/")
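Review bot: The SPIFFE ID is built from `csi.storage.k8s.io/serviceAccount.name` and `csi.storage.k8s.io/pod.namespace` without checking that either value is present, so if the kubelet does not populate them (presumably a CSIDriver deployed without pod info on mount) the result is `spiffe://example.com/ns//sa/`, which url.Parse accepts and which is then requested as a URI SAN on a real certificate. Fail closed before building the ID: `if saName == "" || saNamespace == "" { return nil, fmt.Errorf("%q: service account name or pod namespace missing from volume context", csiapi.InjectSPIFFEKey) }`. Two smaller points: `_, shouldInjectSPIFFE := attrs[csiapi.InjectSPIFFEKey]` enables injection for `inject-spiffe: "false"` as well, where a `strconv.ParseBool` on the value would match what a boolean-looking attribute suggests (strconv is not imported in the visible hunks), and the hard-coded `example.com` trust domain is a security-relevant placeholder rather than a cosmetic one, since anything that authorizes on the SPIFFE ID would see a trust domain that is not the cluster's, so the TODO should be resolved before this is relied on. RequestForMetadata begins and continues outside this hunk.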