add ability to configure issuer at runtime

This commit allows users to specify the name of a ConfigMap which should
be watched for issuer configuration. Importantly, this allows for
csi-driver-spiffe to be installed at the same time as cert-manager
without needing an issuer to already exist

The ConfigMap is currently assumed in the helm chart to be in the same
namespace as the csi-driver-spiffe DaemonSet

Signed-off-by: Ashley Davis <[email protected]>

deploy/charts/csi-driver-spiffe/README.md

@@ -94,6 +94,15 @@ Verbosity of cert-manager-csi-driver logging.
 > ```
 
 Duration requested for requested certificates.
+#### **app.runtimeIssuanceConfigMap** ~ `string`
+> Default value:
+> ```yaml
+> ""
+> ```
+
+Name of a ConfigMap in the installation namespace to watch, providing runtime configuration of an issuer to use.  
+
+The "issuer.name", "issuer.kind" and "issuer.group" keys must be present in the ConfigMap for it to be used.
 #### **app.extraCertificateRequestAnnotations** ~ `unknown`
 > Default value:
 > ```yaml

deploy/charts/csi-driver-spiffe/templates/daemonset.yaml

@@ -83,6 +83,8 @@ spec:
             - --node-id=$(NODE_ID)
             - --endpoint=$(CSI_ENDPOINT)
             - --data-root=csi-data-dir
+            - "--runtime-issuance-config-map-name={{.Values.app.runtimeIssuanceConfigMap}}"
+            - "--runtime-issuance-config-map-namespace={{.Release.Namespace}}"
           {{- if .Values.app.extraCertificateRequestAnnotations }}
             - --extra-certificate-request-annotations={{ .Values.app.extraCertificateRequestAnnotations }}
           {{- end }}

deploy/charts/csi-driver-spiffe/templates/role.yaml

@@ -1,3 +1,21 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "cert-manager-csi-driver-spiffe.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cert-manager-csi-driver-spiffe.labels" . | nindent 4 }}
+rules:
+{{- if .Values.app.runtimeIssuanceConfigMap }}
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch"]
+  resourceNames: ["{{.Values.app.runtimeIssuanceConfigMap}}"]
+{{- end }}
+
+
+---
+
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

deploy/charts/csi-driver-spiffe/templates/rolebinding.yaml

@@ -1,3 +1,21 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "cert-manager-csi-driver-spiffe.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cert-manager-csi-driver-spiffe.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "cert-manager-csi-driver-spiffe.name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cert-manager-csi-driver-spiffe.name" . }}
+  namespace: {{ .Release.Namespace }}
+
+---
+
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

deploy/charts/csi-driver-spiffe/values.schema.json

@@ -48,6 +48,9 @@
         "name": {
           "$ref": "#/$defs/helm-values.app.name"
         },
+        "runtimeIssuanceConfigMap": {
+          "$ref": "#/$defs/helm-values.app.runtimeIssuanceConfigMap"
+        },
         "trustDomain": {
           "$ref": "#/$defs/helm-values.app.trustDomain"
         }
@@ -430,6 +433,11 @@
       "description": "The name for the CSI driver installation.",
       "type": "string"
     },
+    "helm-values.app.runtimeIssuanceConfigMap": {
+      "default": "",
+      "description": "Name of a ConfigMap in the installation namespace to watch, providing runtime configuration of an issuer to use.\n\nThe \"issuer.name\", \"issuer.kind\" and \"issuer.group\" keys must be present in the ConfigMap for it to be used.",
+      "type": "string"
+    },
     "helm-values.app.trustDomain": {
       "default": "cluster.local",
       "description": "The Trust Domain for this driver.",

deploy/charts/csi-driver-spiffe/values.yaml

@@ -25,7 +25,7 @@ image:
     #   driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
     # +docs:property=image.digest.driver
     # driver: sha256:...
-    
+
     # Target csi-driver approver digest. Override any tag, if set.
     # For example:
     #   approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
@@ -47,6 +47,14 @@ app:
   logLevel: 1 # 1-5
   # Duration requested for requested certificates.
   certificateRequestDuration: 1h
+
+  # Name of a ConfigMap in the installation namespace to watch, providing
+  # runtime configuration of an issuer to use.
+  #
+  # The "issuer.name", "issuer.kind" and "issuer.group" keys must be present in
+  # the ConfigMap for it to be used.
+  runtimeIssuanceConfigMap: ""
+
   # List of annotations to add to certificate requests
   #
   # For example:
@@ -192,7 +200,7 @@ app:
           # Create Prometheus ServiceMonitor resource for cert-manager-csi-driver-spiffe approver.
           enabled: false
           # The value for the "prometheus" label on the ServiceMonitor. This allows
-          # for multiple Prometheus instances selecting difference ServiceMonitors 
+          # for multiple Prometheus instances selecting difference ServiceMonitors
           # using label selectors.
           prometheusInstance: default
           # The interval that the Prometheus will scrape for metrics.

internal/csi/app/app.go

@@ -71,7 +71,10 @@ func NewCommand(ctx context.Context) *cobra.Command {
 				TrustDomain:                   opts.CertManager.TrustDomain,
 				CertificateRequestAnnotations: opts.CertManager.CertificateRequestAnnotations,
 				CertificateRequestDuration:    opts.CertManager.CertificateRequestDuration,
-				IssuerRef:                     opts.CertManager.IssuerRef,
+				IssuerRef:                     &opts.CertManager.IssuerRef,
+
+				IssuanceConfigMapName:      opts.CertManager.IssuanceConfigMapName,
+				IssuanceConfigMapNamespace: opts.CertManager.IssuanceConfigMapNamespace,
 
 				CertificateFileName: opts.Volume.CertificateFileName,
 				KeyFileName:         opts.Volume.KeyFileName,

internal/csi/app/options/options.go

@@ -56,6 +56,12 @@ type OptionsDriver struct {
 
 // OptionsCertManager is options specific to cert-manager CertificateRequests.
 type OptionsCertManager struct {
+	// IssuanceConfigMapName is the name of a ConfigMap to watch for configuration options. The ConfigMap is expected to be in the same namespace as the csi-driver-spiffe pod.
+	IssuanceConfigMapName string
+
+	// IssuanceConfigMapNamespace is the namespace where the runtime configuration ConfigMap is located
+	IssuanceConfigMapNamespace string
+
 	// TrustDomain is the trust domain of this SPIFFE PKI. The TrustDomain will
 	// appear in signed certificate's URI SANs.
 	TrustDomain string
@@ -113,6 +119,10 @@ func (o *Options) addDriverFlags(fs *pflag.FlagSet) {
 }
 
 func (o *Options) addCertManagerFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&o.CertManager.IssuanceConfigMapName, "runtime-issuance-config-map-name", "", "Name of a ConfigMap to watch at runtime for issuer details. If such a ConfigMap is found, overrides issuer-name, issuer-kind and issuer-group")
+
+	fs.StringVar(&o.CertManager.IssuanceConfigMapNamespace, "runtime-issuance-config-map-namespace", "", "Namespace for ConfigMap to be watched at runtime for issuer details")
+
 	fs.StringVar(&o.CertManager.TrustDomain, "trust-domain", "cluster.local",
 		"The trust domain that will be requested for on created CertificateRequests.")
 	fs.DurationVar(&o.CertManager.CertificateRequestDuration, "certificate-request-duration", time.Hour,