From 61e32d45046cc4a42ed981c7e7334616c3ca69bb Mon Sep 17 00:00:00 2001
From: ChristianZaccaria
Date: Fri, 27 Mar 2026 14:06:45 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Align=20configMapKey=20default?=
 =?UTF-8?q?=20to=20bundle.spiffe=20across=20Helm=20and=20make=20deploy?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Helm chart defaulted to "bundle.crt" (ZTWIM PEM format) while the Go binary flag defaults to "bundle.spiffe" (SPIFFE JSON format), causing silent behavioral divergence between the two deployment paths. "bundle.spiffe" is the SPIFFE spec-native format, a superset of PEM (includes X.509 roots and JWT keys), and the default for the SPIRE hardened Helm chart used on Kind and OCP fallback paths. The x5c provider auto-detects both formats at load time so no parsing change is needed. Updated the comment to document the ZTWIM override path.

Assisted-By: Claude (Anthropic AI)
Signed-off-by: ChristianZaccaria
---
 charts/kagenti-operator/values.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/charts/kagenti-operator/values.yaml b/charts/kagenti-operator/values.yaml
index 3b69510..27b17c5 100644
--- a/charts/kagenti-operator/values.yaml
+++ b/charts/kagenti-operator/values.yaml
@@ -95,11 +95,12 @@ signatureVerification:
   enforceNetworkPolicies: false
   # SPIRE trust domain (required when enabled)
   spireTrustDomain: ""
-  # SPIRE trust bundle ConfigMap (PEM from ZTWIM/SPIRE or SPIFFE JSON from BundlePublisher)
+  # Key within the SPIRE trust bundle ConfigMap. Matches the SPIRE hardened Helm chart default
+  # and the binary flag default. Override to "bundle.crt" only for older ZTWIM deployments.
   spireTrustBundle:
     configMapName: "spire-bundle"
     configMapNamespace: ""
-    configMapKey: "bundle.crt"
+    configMapKey: "bundle.spiffe"
     refreshInterval: "5m"
   # How far before SVID expiry to trigger proactive workload restart
   svidExpiryGracePeriod: "30m"
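Review bot: The new two-line comment describes only `configMapKey`, yet it replaces the comment that introduced the whole `spireTrustBundle` block and sits above `spireTrustBundle:` rather than above the key it documents; the block comment about accepted formats is lost and a reader of `configMapKey` has to look three lines up to find its note. Keep a block-level line such as `# SPIRE trust bundle ConfigMap (PEM from ZTWIM/SPIRE or SPIFFE JSON from BundlePublisher)` above `spireTrustBundle:` and put `# Key in the ConfigMap; matches the SPIRE hardened Helm chart and binary flag defaults. Override to "bundle.crt" for older ZTWIM deployments.` directly above `configMapKey:`. Changing this default also means an existing ZTWIM deployment whose ConfigMap only carries `bundle.crt` will, after a plain chart upgrade, point at a key that does not exist; the chart's NOTES or changelog should say so explicitly rather than relying on a values.yaml comment. Whether a missing key makes verification fail closed or leaves the operator running without a trust bundle is not visible in this hunk and is worth confirming before merging the default change.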