Add Tornjak manager CRD by Alan-Cha · Pull Request #610 · spiffe/helm-charts-hardened

Alan-Cha · 2025-06-17T19:07:55Z

Built on top of #597

kfox1111 · 2025-07-10T23:39:20Z

This seems to have overlap with 597. Is there anything left todo since that has merged?

Alan-Cha · 2025-07-11T17:45:56Z

+
 > [!IMPORTANT]
 > If audience is set, make sure the Tornjak backend `audience` is set correctly. You can set it using:
 > `--set spire-server.tornjak.config.userManagement.audience=your-audience`
->
+
 > [!TIP]


These sections were not rendering correctly because there's no separation between them.

Alan-Cha · 2025-07-11T17:46:26Z

@kfox1111 I updated the branch. Should be ready for merging now!

kfox1111 · 2025-07-11T18:20:14Z

+          classname = "{{ .Values.controllerManager.className }}"
+        }
+      }
+


hmm....

Is the crd manager functionality disable-able? If so, is it leaving this section out?

Does it use the permissions of the k8s service account in order to manage the crds?

Back when it was under development, Tornjak shared the same pod as the controller manager, and spire server (IIRC). Then, it inherited all of the permissions of the controller manager which is what is necessary. Has this changed?

We support running the spire-server without the controller-manager, so it may not have crd support (I have a server configured this way)... but maybe you require the controller manager to function properly....

So you probably should either add the permissions if you can work without the crd in case its disabled, or error the chart out if you expect crds to be there and the controller manager is disabled?

@Alan-Cha @maia-iyer do you have time to address the comment from @kfox1111

Signed-off-by: Alan Cha <Alan.cha1@ibm.com>

Alan-Cha force-pushed the 2.1.0-manager branch from a7fc1eb to 78b719a Compare July 11, 2025 17:43

Alan-Cha commented Jul 11, 2025

View reviewed changes

Alan-Cha marked this pull request as ready for review July 11, 2025 17:46

Alan-Cha requested review from edwbuck, faisal-memon, kfox1111, marcofranssen and mrsabath as code owners July 11, 2025 17:46

kfox1111 reviewed Jul 11, 2025

View reviewed changes

Alan-Cha added 7 commits July 30, 2025 10:09

Update to Tornjak 2.1.0

3242230

Signed-off-by: Alan Cha <Alan.cha1@ibm.com>

Address comments

3145334

Signed-off-by: Alan Cha <Alan.cha1@ibm.com>

Add Tornjak CRD manager section

3a6ac21

Signed-off-by: Alan Cha <Alan.cha1@ibm.com>

Add authorizer to Tornjak config

6751f05

Signed-off-by: Alan Cha <Alan.cha1@ibm.com>

Improve docs

e1be0a5

Signed-off-by: Alan Cha <Alan.cha1@ibm.com>

Revert doc change

b007f3e

Signed-off-by: Alan Cha <Alan.cha1@ibm.com>

Configurable Tornjak CRD manager

2a05e82

Signed-off-by: Alan Cha <Alan.cha1@ibm.com>

Alan-Cha force-pushed the 2.1.0-manager branch from 374c07f to 2a05e82 Compare July 30, 2025 14:09

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Tornjak manager CRD#610

Add Tornjak manager CRD#610
Alan-Cha wants to merge 7 commits into
spiffe:mainfrom
Alan-Cha:2.1.0-manager

Alan-Cha commented Jun 17, 2025

Uh oh!

kfox1111 commented Jul 10, 2025

Uh oh!

Alan-Cha Jul 11, 2025

Uh oh!

Alan-Cha commented Jul 11, 2025

Uh oh!

kfox1111 Jul 11, 2025

Uh oh!

maia-iyer Jul 30, 2025

Uh oh!

kfox1111 Jul 30, 2025

Uh oh!

faisal-memon Jan 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

Alan-Cha commented Jun 17, 2025

Uh oh!

kfox1111 commented Jul 10, 2025

Uh oh!

Alan-Cha Jul 11, 2025

Choose a reason for hiding this comment

Uh oh!

Alan-Cha commented Jul 11, 2025

Uh oh!

kfox1111 Jul 11, 2025

Choose a reason for hiding this comment

Uh oh!

maia-iyer Jul 30, 2025

Choose a reason for hiding this comment

Uh oh!

kfox1111 Jul 30, 2025

Choose a reason for hiding this comment

Uh oh!

faisal-memon Jan 23, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants