
🐛 Align configMapKey default to bundle.spiffe across Helm and make deploy#248

Open
ChristianZaccaria wants to merge 1 commit into kagenti:main from ChristianZaccaria:fix-bundle

Conversation

@ChristianZaccaria

@ChristianZaccaria ChristianZaccaria commented Mar 27, 2026

Summary

The Helm chart defaulted signatureVerification.spireTrustBundle.configMapKey
to bundle.crt (ZTWIM PEM format) while the Go binary flag defaults to
bundle.spiffe (SPIFFE JSON format). This silent divergence meant that
helm install and make deploy pointed to different keys in the SPIRE trust
bundle ConfigMap, causing unpredictable behaviour when signature verification
is enabled.

Key changes:

  • Change configMapKey default from bundle.crt to bundle.spiffe in values.yaml
  • bundle.spiffe is the SPIFFE spec-native format (superset of PEM: X.509 roots + JWT keys)
  • Matches the Go binary flag default and the SPIRE hardened Helm chart default (Kind and OCP fallback paths)

…ploy

The Helm chart defaulted to "bundle.crt" (ZTWIM PEM format) while the
Go binary flag defaults to "bundle.spiffe" (SPIFFE JSON format), causing
silent behavioral divergence between the two deployment paths.

"bundle.spiffe" is the SPIFFE spec-native format, a superset of PEM
(includes X.509 roots and JWT keys), and the default for the SPIRE
hardened Helm chart used on Kind and OCP fallback paths. The x5c
provider auto-detects both formats at load time so no parsing change
is needed. Updated the comment to document the ZTWIM override path.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: ChristianZaccaria <christian.zaccaria.cz@gmail.com>
@ChristianZaccaria ChristianZaccaria requested a review from a team as a code owner March 27, 2026 14:11

@cwiklik cwiklik left a comment


Review Summary

Minimal, focused bugfix aligning the Helm chart's configMapKey default from bundle.crt to bundle.spiffe, matching the Go binary flag default. Verified against upstream main: the Go flag at cmd/main.go defaults to "bundle.spiffe" while the Helm chart had "bundle.crt". This eliminates silent behavioral divergence between helm install and make deploy paths.

Areas reviewed: Helm values
Commits: 1 commit, signed-off: yes, proper Assisted-By trailer
CI status: DCO passing

# SPIRE trust bundle ConfigMap (PEM from ZTWIM/SPIRE or SPIFFE JSON from BundlePublisher)
# Key within the SPIRE trust bundle ConfigMap. Matches the SPIRE hardened Helm chart default
# and the binary flag default. Override to "bundle.crt" only for older ZTWIM deployments.
spireTrustBundle:


👍 Good catch — silent divergence between Helm and make deploy defaults is exactly the kind of subtle bug that causes hard-to-debug behavior. Verified: Go binary at cmd/main.go defaults to "bundle.spiffe". The updated comment documenting the ZTWIM override path is helpful.
