2 changes: 1 addition & 1 deletion charts/spire/Chart.yaml
Expand Up @@ -3,7 +3,7 @@ name: spire
description: >
A Helm chart for deploying the complete Cofide SPIRE stack including: spire-server, spire-agent, spiffe-csi-driver, and spiffe-oidc-discovery-provider.
type: application
version: 0.26.0-cofide.11
version: 0.26.0-cofide.12
appVersion: "1.12.4"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
home: https://github.com/cofide/spiffe-helm-charts-hardened/tree/main/charts/spire
2 changes: 2 additions & 0 deletions charts/spire/charts/spire-server/README.md
Expand Up @@ -394,6 +394,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `nodeAttestor.externalK8sPSAT.defaults.allowedNodeLabelKeys` | Node label keys considered for selectors | `[]` |
| `nodeAttestor.externalK8sPSAT.defaults.allowedPodLabelKeys` | Pod label keys considered for selectors | `[]` |
| `nodeAttestor.externalK8sPSAT.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` |
| `nodeAttestor.connectK8sPSAT.enabled` | Enable PSAT k8s nodeattestor with Connect datasource. Cannot be enabled simultaneously with the k8sPSAT or externalK8sPSAT node attestors. | `false` |
| `nodeAttestor.connectK8sPSAT.pollInterval` | Frequency with which to poll Connect to build plugin config. | `10s` |
| `nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `false` |
| `nodeAttestor.httpChallenge.enabled` | Enable the http_challenge nodeattesto | `false` |
| `nodeAttestor.httpChallenge.allowedDNSPatterns` | A list of regular expressions to match to the hostname being attested. If none match, attestation will fail. If a blank list, all hostnames are allowed. | `[]` |
15 changes: 13 additions & 2 deletions charts/spire/charts/spire-server/templates/configmap.yaml
Expand Up @@ -142,11 +142,21 @@ plugins:
{{- end }}
disable_migration: {{ .Values.dataStore.sql.disableMigration }}

{{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.externalK8sPSAT.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled }}
{{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.externalK8sPSAT.enabled .Values.nodeAttestor.connectK8sPSAT.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled }}
NodeAttestor:
{{- $clusters := default .Values.kubeConfigs .Values.nodeAttestor.externalK8sPSAT.clusters }}
{{- if or (eq (.Values.nodeAttestor.k8sPSAT.enabled | toString) "true") (and (eq (.Values.nodeAttestor.externalK8sPSAT.enabled | toString) "true") (gt (len $clusters) 0)) }}
{{- $k8sPSATEnabled := .Values.nodeAttestor.k8sPSAT.enabled -}}
{{- $externalK8sPSATEnabled := .Values.nodeAttestor.externalK8sPSAT.enabled -}}
{{- $connectK8sPSATEnabled := .Values.nodeAttestor.connectK8sPSAT.enabled -}}
{{- if and $connectK8sPSATEnabled (or $k8sPSATEnabled $externalK8sPSATEnabled) }}
{{- fail "nodeAttestor.connectK8sPSAT cannot be enabled at the same time as nodeAttestor.k8sPSAT or nodeAttestor.externalK8sPSAT" -}}
{{- end -}}
{{- if or $connectK8sPSATEnabled $k8sPSATEnabled (and $externalK8sPSATEnabled (gt (len $clusters) 0) ) }}
k8s_psat:
{{- if eq (.Values.nodeAttestor.connectK8sPSAT.enabled | toString) "true" }}
plugin_data_cofide_connect: true
plugin_data_cofide_connect_poll_interval: {{ .Values.nodeAttestor.connectK8sPSAT.pollInterval }}
{{- else }}
plugin_data:
clusters:
{{- with .Values.nodeAttestor.k8sPSAT }}
Expand Down Expand Up @@ -182,6 +192,7 @@ plugins:
{{ if hasKey $clusterSettings "allowedPodLabelKeys" }}{{ toYaml $clusterSettings.allowedPodLabelKeys | nindent 14 }}{{ else }}{{ toYaml $clusterDefaults.allowedPodLabelKeys | nindent 14 }}{{ end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.nodeAttestor.joinToken }}
{{- if eq (.enabled | toString) "true" }}
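Review bot: The new branch selection is inconsistent about truthiness: the `fail` guard and the `if` at `{{- if or $connectK8sPSATEnabled $k8sPSATEnabled ...` test the raw value, while the branch switch two lines later uses `eq (... | toString) "true"`, so a string value such as `enabled: "false"` for connectK8sPSAT passes the outer checks, then falls into the `else` branch and silently renders the legacy `plugin_data` clusters config instead of failing. Normalize once where the locals are bound, e.g. `{{- $connectK8sPSATEnabled := eq (.Values.nodeAttestor.connectK8sPSAT.enabled | toString) "true" -}}` (and the same for the other two), and reuse the local on the branch switch. `plugin_data_cofide_connect_poll_interval` is also rendered unquoted from a user value; `{{ .Values.nodeAttestor.connectK8sPSAT.pollInterval | quote }}` keeps it a string whatever the user types. Note that once Connect is the datasource, no cluster or service-account allowlist from values reaches the rendered config — that is presumably intended, but worth a template comment above the `plugin_data_cofide_connect: true` line stating that attestation policy is then sourced from Connect. The enclosing NodeAttestor block continues outside the hunk.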
2 changes: 1 addition & 1 deletion charts/spire/charts/spire-server/templates/roles.yaml
Expand Up @@ -64,7 +64,7 @@ roleRef:
name: {{ include "spire-lib.bundle-configmap" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- if and .Values.nodeAttestor.k8sPSAT.enabled }}
{{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.connectK8sPSAT.enabled }}
---
# ClusterRole to allow spire-server node attestor to query Token Review API
kind: ClusterRole
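Review bot: The guard that creates the TokenReview ClusterRole now tests the raw values with `or`, so any non-empty string (including a mistyped `enabled: "false"`) grants the role; since this is an RBAC grant it is worth being strict, e.g. `{{- if or (eq (.Values.nodeAttestor.k8sPSAT.enabled | toString) "true") (eq (.Values.nodeAttestor.connectK8sPSAT.enabled | toString) "true") }}`. The `# ClusterRole to allow spire-server node attestor to query Token Review API` comment could also mention that the Connect-backed attestor needs it for the same reason. The ClusterRole body and its binding are outside the hunk, so whether the binding is guarded by the same condition cannot be confirmed here.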
5 changes: 5 additions & 0 deletions charts/spire/charts/spire-server/values.yaml
Expand Up @@ -969,6 +969,11 @@ nodeAttestor:
# kubeConfigName: foo
# serviceAccountAllowList: ["other-ns:other-agent"]
# clusterb: {}
connectK8sPSAT:
## @param nodeAttestor.connectK8sPSAT.enabled Enable PSAT k8s nodeattestor with Connect datasource. Cannot be enabled simultaneously with the k8sPSAT or externalK8sPSAT node attestors.
enabled: false
## @param nodeAttestor.connectK8sPSAT.pollInterval Frequency with which to poll Connect to build plugin config.
pollInterval: 10s
joinToken:
## @param nodeAttestor.joinToken.enabled Enable the join_token nodeattestor
enabled: false
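Review bot: The `@param` text for `nodeAttestor.connectK8sPSAT.enabled` says it cannot coexist with the other PSAT attestors but not what changes for the operator: per the configmap template in this PR, once it is enabled the per-cluster `serviceAccountAllowList`, `allowedNodeLabelKeys` and `allowedPodLabelKeys` values are no longer rendered and the attestation policy is whatever Connect returns. That is the security-relevant consequence and belongs in the values doc, e.g. `## @param nodeAttestor.connectK8sPSAT.enabled Enable PSAT k8s nodeattestor with Connect datasource. Cluster and service account allowlists are then sourced from Connect, not from k8sPSAT/externalK8sPSAT values. Cannot be enabled simultaneously with the k8sPSAT or externalK8sPSAT node attestors.` The `pollInterval` doc should also state the expected format, e.g. `## @param nodeAttestor.connectK8sPSAT.pollInterval Frequency with which to poll Connect to build plugin config (duration string, e.g. 10s).`, and quoting the default as `pollInterval: "10s"` keeps it a string if someone later changes it to a bare number.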