From de92fcc7a8fa636acf8f6b455d458ccd6e2db833 Mon Sep 17 00:00:00 2001 From: Alexandre Alvino Date: Sun, 17 Jul 2022 10:38:43 -0300 Subject: [PATCH 1/2] Adds spire-1.1.1 helm charts 
Signed-off-by: Alexandre Alvino --- mithrilctl/.DS_Store | Bin 0 -> 6148 bytes mithrilctl/helm/.DS_Store | Bin 0 -> 6148 bytes mithrilctl/helm/spire/.DS_Store | Bin 0 -> 6148 bytes mithrilctl/helm/spire/spire-agent/.helmignore | 23 + mithrilctl/helm/spire/spire-agent/Chart.yaml | 6 + .../spire/spire-agent/templates/NOTES.txt | 22 + .../spire/spire-agent/templates/_helpers.tpl | 62 +++ .../spire-agent/templates/configmaps.yaml | 61 +++ .../spire-agent/templates/daemonset.yaml | 164 +++++++ .../helm/spire/spire-agent/templates/hpa.yaml | 28 ++ .../spire/spire-agent/templates/ingress.yaml | 61 +++ .../spire/spire-agent/templates/roles.yaml | 23 + .../spire-agent/templates/serviceaccount.yaml | 5 + .../templates/tests/test-connection.yaml | 15 + .../helm/spire/spire-agent/values-test.yaml | 116 +++++ mithrilctl/helm/spire/spire-agent/values.yaml | 117 +++++ .../helm/spire/spire-server/.helmignore | 23 + mithrilctl/helm/spire/spire-server/Chart.yaml | 6 + .../spire/spire-server/templates/NOTES.txt | 22 + .../spire/spire-server/templates/_helpers.tpl | 62 +++ .../spire-server/templates/configmaps.yaml | 94 ++++ .../spire-server/templates/controller.yaml | 436 ++++++++++++++++++ .../spire/spire-server/templates/hpa.yaml | 28 ++ .../spire/spire-server/templates/ingress.yaml | 61 +++ .../spire-server/templates/namespace.yaml | 4 + .../spire/spire-server/templates/roles.yaml | 44 ++ .../spire/spire-server/templates/service.yaml | 35 ++ .../templates/serviceaccount.yaml | 5 + .../spire-server/templates/statefulset.yaml | 86 ++++ .../templates/tests/test-connection.yaml | 15 + .../helm/spire/spire-server/values-test.yaml | 164 +++++++ .../helm/spire/spire-server/values.yaml | 173 +++++++ 32 files changed, 1961 insertions(+) create mode 100644 mithrilctl/.DS_Store create mode 100644 mithrilctl/helm/.DS_Store create mode 100644 mithrilctl/helm/spire/.DS_Store create mode 100644 mithrilctl/helm/spire/spire-agent/.helmignore create mode 100644 
mithrilctl/helm/spire/spire-agent/Chart.yaml create mode 100644 mithrilctl/helm/spire/spire-agent/templates/NOTES.txt create mode 100644 mithrilctl/helm/spire/spire-agent/templates/_helpers.tpl create mode 100644 mithrilctl/helm/spire/spire-agent/templates/configmaps.yaml create mode 100644 mithrilctl/helm/spire/spire-agent/templates/daemonset.yaml create mode 100644 mithrilctl/helm/spire/spire-agent/templates/hpa.yaml create mode 100644 mithrilctl/helm/spire/spire-agent/templates/ingress.yaml create mode 100644 mithrilctl/helm/spire/spire-agent/templates/roles.yaml create mode 100644 mithrilctl/helm/spire/spire-agent/templates/serviceaccount.yaml create mode 100644 mithrilctl/helm/spire/spire-agent/templates/tests/test-connection.yaml create mode 100644 mithrilctl/helm/spire/spire-agent/values-test.yaml create mode 100644 mithrilctl/helm/spire/spire-agent/values.yaml create mode 100644 mithrilctl/helm/spire/spire-server/.helmignore create mode 100644 mithrilctl/helm/spire/spire-server/Chart.yaml create mode 100644 mithrilctl/helm/spire/spire-server/templates/NOTES.txt create mode 100644 mithrilctl/helm/spire/spire-server/templates/_helpers.tpl create mode 100644 mithrilctl/helm/spire/spire-server/templates/configmaps.yaml create mode 100644 mithrilctl/helm/spire/spire-server/templates/controller.yaml create mode 100644 mithrilctl/helm/spire/spire-server/templates/hpa.yaml create mode 100644 mithrilctl/helm/spire/spire-server/templates/ingress.yaml create mode 100644 mithrilctl/helm/spire/spire-server/templates/namespace.yaml create mode 100644 mithrilctl/helm/spire/spire-server/templates/roles.yaml create mode 100644 mithrilctl/helm/spire/spire-server/templates/service.yaml create mode 100644 mithrilctl/helm/spire/spire-server/templates/serviceaccount.yaml create mode 100644 mithrilctl/helm/spire/spire-server/templates/statefulset.yaml create mode 100644 mithrilctl/helm/spire/spire-server/templates/tests/test-connection.yaml create mode 100644 
mithrilctl/helm/spire/spire-server/values-test.yaml create mode 100644 mithrilctl/helm/spire/spire-server/values.yaml diff --git a/mithrilctl/.DS_Store b/mithrilctl/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..09868e10b819ee9bbc7fe84f0778de7564e829de GIT binary patch literal 6148 zcmeHK!AiqG5Z!I7O(;SS3VI88E!tK}EnZ@+2d_r-pi&bPY%tB1HZ_M*$X$QPAMtl| zW_MH2>PZkOGcfx$vojm!ZP>{$#&~z?HyEoj#tcxzf(gSng6pVDQqYznAjdthrkmUa}fM-`?0~WA|4ZobalKNS(w@rjxEazQ(5uAtEoIyWV9Or2XpViHH+7jDxWZ2>k$DZmz=E7im{aV}BxJ z9kpPXhS{&~%x2A2yJj^HI`f(}Yt#=rHLKlf&gZ7FwYz_G-hYgSv3OS8bNDc&Y-r5k z1tyDxo}6(UiTD9*xqt3QNDL4I#J~zNpszZkvVyr$O2hy$@H+S5Z>*NO({YS3VK`cTC}Z{Dqdo&2d_r-pi&!CG#Im`NzI`Ya@QB~MSLBd z+1*N|dJ~Z{12f-db|%Su8+J2{G476oCSx{Z%mPI$RKa{BIFGs@1>-3Ka&?cvNhELm zNcs!0dsZoey0uRj;*XUWj4^s7IN!X#}p-gu!{Dz8+m zidD0&y?dE?X+Iq&Zhv%%S7%a2{%qX$&%;61v)7Jfoc6RpVdn<4j-qI zRf98lfx%o!Pu?hwWPAtSS;j1qkQg8ah=HYIz-)3>ZKr_CU%1w*GbvpQkiE|9*8g)A3rupFJ$=q}( zTsus}p9V9wd0Y-!3a}-6 zcDs@IIF;zs5?74kbmnW+ zHG!?8(@|_^J|}iAaYHG#JM-1bQ5wgLsX!{wRp8L4WA*G>Ca`rhI`c*+=0QNZq@@DCp}-qG Ct|~_W literal 0 HcmV?d00001 diff --git a/mithrilctl/helm/spire/spire-agent/.helmignore b/mithrilctl/helm/spire/spire-agent/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/mithrilctl/helm/spire/spire-agent/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/mithrilctl/helm/spire/spire-agent/Chart.yaml b/mithrilctl/helm/spire/spire-agent/Chart.yaml new file mode 100644 index 00000000..ae5e87c7 --- /dev/null +++ b/mithrilctl/helm/spire/spire-agent/Chart.yaml 
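Review bot: Three `.DS_Store` files (`mithrilctl/.DS_Store`, `mithrilctl/helm/.DS_Store`, `mithrilctl/helm/spire/.DS_Store`) are committed as binary blobs in this patch; they are macOS Finder metadata with no role in the charts, and the `.helmignore` entry added in the same line only keeps them out of the packaged chart, not out of git. Drop them from the commit and add `.DS_Store` to the repository `.gitignore` so they do not return on the next commit from a Mac.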
@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 1.16.0
+description: A Helm chart for Kubernetes
+name: spire-agent
+type: application
+version: 1.1.1
diff --git a/mithrilctl/helm/spire/spire-agent/templates/NOTES.txt b/mithrilctl/helm/spire/spire-agent/templates/NOTES.txt
new file mode 100644
index 00000000..496ece95
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-agent/templates/NOTES.txt
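Review bot: `appVersion: 1.16.0` does not match what the chart deploys — values.yaml pins `tag: spire-agent:1.1.1` and the subject line says spire 1.1.1 — so the `app.kubernetes.io/version` label that `_helpers.tpl` derives from `.Chart.AppVersion` will advertise a version that was never installed. Set `appVersion: "1.1.1"` (quoted so it stays a string) and replace the scaffold `description: A Helm chart for Kubernetes` with what the chart is, e.g. `description: SPIRE agent DaemonSet with the SPIFFE CSI driver`. The spire-server Chart.yaml later in this patch has the same `1.16.0` value and needs the same fix.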
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "spire-agent.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "spire-agent.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "spire-agent.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "spire-agent.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/mithrilctl/helm/spire/spire-agent/templates/_helpers.tpl b/mithrilctl/helm/spire/spire-agent/templates/_helpers.tpl new file mode 100644 index 00000000..288effe3 --- /dev/null 
+++ b/mithrilctl/helm/spire/spire-agent/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "spire-agent.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "spire-agent.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "spire-agent.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "spire-agent.labels" -}} +helm.sh/chart: {{ include "spire-agent.chart" . }} +{{ include "spire-agent.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "spire-agent.selectorLabels" -}} +app.kubernetes.io/name: {{ include "spire-agent.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "spire-agent.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "spire-agent.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/mithrilctl/helm/spire/spire-agent/templates/configmaps.yaml b/mithrilctl/helm/spire/spire-agent/templates/configmaps.yaml
new file mode 100644
index 00000000..204b2012
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-agent/templates/configmaps.yaml
@@ -0,0 +1,61 @@
+# ConfigMap containing the SPIRE agent configuration.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.name }}
+ namespace: {{ .Values.namespace }}
+data:
+ agent.conf: |
+ agent {
+ data_dir = "/run/spire"
+ log_level = "DEBUG"
+ server_address = "spire-server"
+ server_port = "8081"
+ socket_path = "{{ .Values.configmaps.agentConfig.socketPath }}"
+ trust_bundle_path = "{{ .Values.configmaps.agentConfig.notifier.trustBundlePath }}"
+ trust_domain = "{{ .Values.configmaps.agentConfig.trustDomain }}"
+ {{ if eq .Values.configmaps.agentConfig.federates true }}
+
+ sds = {
+ default_bundle_name = "null"
+ default_all_bundles_name = "ROOTCA"
+ }
+
+ {{ end }}
+ }
+
+ plugins {
+ NodeAttestor "k8s_psat" {
+ plugin_data {
+ # NOTE: Change this to your cluster name
+ cluster = "{{ .Values.clusterName }}"
+ }
+ }
+
+ KeyManager "memory" {
+ plugin_data {
+ }
+ }
+
+ WorkloadAttestor "k8s" {
+ plugin_data {
+ # Defaults to the secure kubelet port by default.
+ # Minikube does not have a cert in the cluster CA bundle that
+ # can authenticate the kubelet cert, so skip validation.
+ skip_kubelet_verification = true
+ }
+ }
+
+ WorkloadAttestor "unix" {
+ plugin_data {
+ }
+ }
+ }
+
+ health_checks {
+ listener_enabled = true
+ bind_address = "0.0.0.0"
+ bind_port = "8080"
+ live_path = "/live"
+ ready_path = "/ready"
+ }
diff --git a/mithrilctl/helm/spire/spire-agent/templates/daemonset.yaml b/mithrilctl/helm/spire/spire-agent/templates/daemonset.yaml
new file mode 100644
index 00000000..4b468999
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-agent/templates/daemonset.yaml
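Review bot: `skip_kubelet_verification = true` is hard-coded into the `WorkloadAttestor "k8s"` block, so every install of this chart skips TLS verification of the kubelet the agent queries for pod and container metadata; the comment above it says the reason is Minikube's missing kubelet cert, which makes a development shortcut the shipped default for workload attestation. Make it a value with a safe default — `skip_kubelet_verification = {{ .Values.configmaps.agentConfig.skipKubeletVerification }}` with `skipKubeletVerification: false` in values.yaml and `true` only in values-test.yaml — and move the Minikube explanation next to the value rather than leaving it in the template as a justification for the insecure setting. `log_level = "DEBUG"` and `server_address = "spire-server"` are hard-coded in the same block and belong in values as well; DEBUG should not be the level a chart ships with. Note also that the health listener binds `0.0.0.0:8080` and the DaemonSet in this patch runs with `hostNetwork: true`, so that port is opened on every node's interfaces rather than only inside the pod network namespace, which is worth a comment here.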
@@ -0,0 +1,164 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ .Values.name }} + namespace: {{ .Values.namespace }} + labels: + app: {{ .Values.name }} +spec: + selector: + matchLabels: + app: {{ .Values.name }} + template: + metadata: + namespace: {{ .Values.namespace }} + labels: + app: {{ .Values.name }} + spec: + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: {{ .Values.name }} + initContainers: + - name: init + # This is a small image with wait-for-it, choose whatever image + # you prefer that waits for a service to be up. This image is built + # from https://github.com/lqhl/wait-for-it + image: gcr.io/spiffe-io/wait-for-it + args: ["-t", "30", "spire-server:8081"] + containers: + - name: {{ .Values.name }} + image: gcr.io/spiffe-io/{{ .Values.tag }} + args: ["-config", "/run/spire/config/agent.conf"] + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + - name: spire-agent-socket-dir + mountPath: {{ .Values.socketPath }} + - name: spire-token + mountPath: /var/run/secrets/tokens + livenessProbe: + httpGet: + path: /live + port: 8080 + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 5 + # This is the container which runs the SPIFFE CSI driver. + - name: spiffe-csi-driver + image: ghcr.io/spiffe/spiffe-csi-driver:0.1.0 + imagePullPolicy: IfNotPresent + args: [ + "-workload-api-socket-dir", "/spire-agent-socket", + "-csi-socket-path", "/spiffe-csi/csi.sock", + ] + env: + # The CSI driver needs a unique node ID. The node name can be + # used for this purpose. + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + # The volume containing the SPIRE agent socket. The SPIFFE CSI + # driver will mount this directory into containers. 
+ - mountPath: /spire-agent-socket + name: spire-agent-socket-dir + readOnly: true + # The volume that will contain the CSI driver socket shared + # with the kubelet and the driver registrar. + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The volume containing mount points for containers. + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + securityContext: + privileged: true + # This container runs the CSI Node Driver Registrar which takes care + # of all the little details required to register a CSI driver with + # the kubelet. + - name: node-driver-registrar + image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.4.0 + imagePullPolicy: IfNotPresent + args: [ + "-csi-address", "/spiffe-csi/csi.sock", + "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", + ] + volumeMounts: + # The registrar needs access to the SPIFFE CSI driver socket + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The registrar needs access to the Kubelet plugin registration + # directory + - name: kubelet-plugin-registration-dir + mountPath: /registration + volumes: + - name: spire-config + configMap: + name: {{ .Values.name }} + - name: spire-bundle + configMap: + name: {{ .Values.configmaps.notifier.bundleName }} + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server + # This volume is used to share the workload api socket between the + # CSI driver and SPIRE agent + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/socket-dir + type: DirectoryOrCreate + # This volume is where the socket for kubelet->driver communication lives + - name: spiffe-csi-socket-dir + hostPath: + path: /var/lib/kubelet/plugins/csi.spiffe.io + type: DirectoryOrCreate + # This volume is where the SPIFFE CSI driver mounts volumes + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + # 
This volume is where the node-driver-registrar registers the plugin + # with kubelet + - name: kubelet-plugin-registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: "csi.spiffe.io" +spec: + # We only support ephemeral, inline volumes. We don't need a controller to + # provision and attach volumes. + attachRequired: false + + # We want the pod information so that the CSI driver can verify that an + # ephemeral mount was requested. + podInfoOnMount: true + + # We don't want (or need) K8s to change ownership on the contents of the mount + # when it is moutned into the pod, since the Workload API is completely open + # (i.e. 0777). + # Note, this was added in Kubernetes 1.19, so omit + fsGroupPolicy: None + + # We only support ephemeral volumes. Note that this requires Kubernetes 1.16 + volumeLifecycleModes: # added in Kubernetes 1.16, this field is beta + - Ephemeral diff --git a/mithrilctl/helm/spire/spire-agent/templates/hpa.yaml b/mithrilctl/helm/spire/spire-agent/templates/hpa.yaml new file mode 100644 index 00000000..3ebd37dc --- /dev/null +++ b/mithrilctl/helm/spire/spire-agent/templates/hpa.yaml 
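Review bot: The `init` container runs `gcr.io/spiffe-io/wait-for-it` with no tag or digest inside a pod that has `hostPID: true` and `hostNetwork: true`, so whatever that registry serves as `latest` at pull time runs with node-level visibility; pin it (`image: gcr.io/spiffe-io/wait-for-it:<tag>@sha256:<digest>`), and consider the same for the agent image, which is assembled from a bare `.Values.tag` with a fixed registry and no `imagePullPolicy`. The agent container also carries no `securityContext` and no `resources`, even though values.yaml in this patch defines both (with `drop: - ALL` and `readOnlyRootFilesystem` hints); rendering `securityContext: {{- toYaml .Values.securityContext | nindent 12 }}` on the agent container and `{{- with .Values.resources }}` / `resources: {{- toYaml . | nindent 12 }}` / `{{- end }}` would make those knobs real. `privileged: true` on `spiffe-csi-driver` and the `Bidirectional` propagation on `/var/lib/kubelet/pods` deserve a comment stating why the driver needs them and whether the agent container is meant to stay unprivileged, so a later reader does not assume the whole pod is intended to run privileged. The `hostPath` socket directory `/run/spire/socket-dir` is exposed to every pod through the CSI driver; the CSIDriver comment already notes the Workload API is 0777, so say so in the volume comment too: `# world-accessible by design: the Workload API authenticates callers by attestation, not by socket permissions`.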
@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "spire-agent.fullname" . }}
+ labels:
+ {{- include "spire-agent.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "spire-agent.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/mithrilctl/helm/spire/spire-agent/templates/ingress.yaml b/mithrilctl/helm/spire/spire-agent/templates/ingress.yaml
new file mode 100644
index 00000000..9a116ebb
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-agent/templates/ingress.yaml
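Review bot: The `scaleTargetRef` points at `kind: Deployment` named from `spire-agent.fullname`, but this chart's workload is a `DaemonSet` named `.Values.name` (daemonset.yaml in this patch), so setting `autoscaling.enabled: true` renders an HPA that references an object that does not exist, and a DaemonSet has no replica count to scale in any case. This is `helm create` scaffold that does not apply to a per-node agent; either delete hpa.yaml from the agent chart or replace the body with `{{- fail "spire-agent runs as a DaemonSet and cannot be autoscaled" }}` so a misconfiguration fails at render time instead of leaving a dangling HPA. If the file is kept, `autoscaling/v2beta1` is a deprecated API version and should not be the only one the template can emit.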
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "spire-agent.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "spire-agent.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
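Review bot: The Ingress backend is a Service `{{ $fullName }}` on `.Values.service.port`, but the patch's file list has no `service.yaml` under spire-agent and, as far as this chart shows, the only TCP listener the agent opens is its health-check endpoint on 8080 (configmaps.yaml), while the Workload API is a Unix socket; with `ingress.enabled: true` this renders a dangling backend, and the only thing that could ever sit behind it is the health endpoint. An agent's API is not something to publish through an Ingress, so I would remove ingress.yaml (and the `ingress:`/`service:` scaffold in values.yaml) from this chart rather than keep a template that invites exposing it. If it is kept for some reason, add a comment at the top: `# NOTE: the SPIRE agent exposes no network API; this can only front the health-check listener.`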
diff --git a/mithrilctl/helm/spire/spire-agent/templates/roles.yaml b/mithrilctl/helm/spire/spire-agent/templates/roles.yaml
new file mode 100644
index 00000000..ba071a71
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-agent/templates/roles.yaml
@@ -0,0 +1,23 @@
+# Required cluster role to allow spire-agent to query k8s API server
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: spire-agent-cluster-role
+rules:
+ - apiGroups: [""]
+ resources: ["pods","nodes","nodes/proxy"]
+ verbs: ["get"]
+---
+# Binds above cluster role to spire-agent service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: spire-agent-cluster-role-binding
+subjects:
+ - kind: ServiceAccount
+ name: spire-agent
+ namespace: spire
+roleRef:
+ kind: ClusterRole
+ name: spire-agent-cluster-role
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/mithrilctl/helm/spire/spire-agent/templates/serviceaccount.yaml b/mithrilctl/helm/spire/spire-agent/templates/serviceaccount.yaml
new file mode 100644
index 00000000..8669243e
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-agent/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.name }}
+ namespace: {{ .Values.namespace }}
\ No newline at end of file
diff --git a/mithrilctl/helm/spire/spire-agent/templates/tests/test-connection.yaml b/mithrilctl/helm/spire/spire-agent/templates/tests/test-connection.yaml
new file mode 100644
index 00000000..3b5e38d8
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-agent/templates/tests/test-connection.yaml
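Review bot: The ClusterRoleBinding's subject is the literal ServiceAccount `spire-agent` in namespace `spire`, while serviceaccount.yaml in the same hunk and the DaemonSet's `serviceAccountName` use `{{ .Values.name }}` / `{{ .Values.namespace }}`; overriding either value leaves the running agent without `get` on pods/nodes/nodes/proxy and hands that node-wide read access to whatever account happens to carry the literal name. Use the templated values in the binding, `name: {{ .Values.name }}` and `namespace: {{ .Values.namespace }}`, and prefix the cluster-scoped ClusterRole/ClusterRoleBinding names with the release or namespace so two installs do not overwrite each other's binding. The header comment says the role lets the agent "query k8s API server", but `nodes/proxy` is what grants kubelet access through the API server's proxy, presumably for the k8s WorkloadAttestor; say so, e.g. `# nodes/proxy is kubelet access via the API server proxy; keep verbs to "get"`. The `roles:` block in values.yaml duplicates these rules but nothing in the templates reads it, so either render `rules: {{- toYaml .Values.roles.clusterRole.rules | nindent 2 }}` or delete the block to avoid a second source of truth. Both files are also missing their trailing newline.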
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "spire-agent.fullname" . }}-test-connection" + labels: + {{- include "spire-agent.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "spire-agent.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/mithrilctl/helm/spire/spire-agent/values-test.yaml b/mithrilctl/helm/spire/spire-agent/values-test.yaml new file mode 100644 index 00000000..da5bbecd --- /dev/null +++ b/mithrilctl/helm/spire/spire-agent/values-test.yaml 
@@ -0,0 +1,116 @@ +# Default values for spire-agent. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +namespace: spire +name: spire-agent +trustDomain: "domain.test" +clusterName: demo-cluster +tag: spire-agent:1.1.1 +socketPath: "/run/secrets/workload-spiffe-uds" + +configmaps: + notifier: + bundleName: trust-bundle + agentConfig: + socketPath: "/run/secrets/workload-spiffe-uds/socket" + trustDomain: "domain.test" + notifier: + configMap: "trust-bundle" + trustBundlePath: "/run/spire/bundle/root-cert.pem" + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. 
If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +roles: + clusterRole: + name: spire-agent-cluster-role + rules: + - apiGroups: [ "" ] + resources: [ "pods","nodes","nodes/proxy" ] + verbs: [ "get" ] + clusterRoleBinding: + name: spire-agent-cluster-role-binding + subjects: + - kind: ServiceAccount + name: spire-agent + namespace: spire + roleRef: + kind: ClusterRole + name: spire-agent-cluster-role + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/mithrilctl/helm/spire/spire-agent/values.yaml b/mithrilctl/helm/spire/spire-agent/values.yaml new file mode 100644 index 00000000..90b903ab --- /dev/null +++ b/mithrilctl/helm/spire/spire-agent/values.yaml 
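Review bot: This file has no `configmaps.agentConfig.federates` key, yet configmaps.yaml evaluates `{{ if eq .Values.configmaps.agentConfig.federates true }}`; with the key missing the comparison runs against a nil value, which I would expect Helm to either reject at render time or quietly treat as non-federated, and either way the test values no longer exercise the same path as values.yaml, which sets `federates: false`. Add `federates: false` under `agentConfig` here so both files render identically. The `image:` block (`repository: nginx`) and `replicaCount` are `helm create` scaffold that nothing in the agent templates reads, and `nginx` next to the real `tag: spire-agent:1.1.1` is actively confusing; drop them or fold `tag` into `image.repository`/`image.tag`. `trustDomain: "domain.test"` appears both at top level and under `agentConfig`, and as far as the templates in this patch show only the nested one is used, so one copy should go.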
@@ -0,0 +1,117 @@ +# Default values for spire-agent. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +namespace: spire +name: spire-agent +trustDomain: "example.org" +clusterName: demo-cluster +tag: spire-agent:1.1.1 +socketPath: "/run/secrets/workload-spiffe-uds" + +configmaps: + notifier: + bundleName: trust-bundle + agentConfig: + socketPath: "/run/secrets/workload-spiffe-uds/socket" + trustDomain: "example.org" + federates: false + notifier: + configMap: "trust-bundle" + trustBundlePath: "/run/spire/bundle/root-cert.pem" + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. 
If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +roles: + clusterRole: + name: spire-agent-cluster-role + rules: + - apiGroups: [ "" ] + resources: [ "pods","nodes","nodes/proxy" ] + verbs: [ "get" ] + clusterRoleBinding: + name: spire-agent-cluster-role-binding + subjects: + - kind: ServiceAccount + name: spire-agent + namespace: spire + roleRef: + kind: ClusterRole + name: spire-agent-cluster-role + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/mithrilctl/helm/spire/spire-server/.helmignore b/mithrilctl/helm/spire/spire-server/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/mithrilctl/helm/spire/spire-server/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/mithrilctl/helm/spire/spire-server/Chart.yaml b/mithrilctl/helm/spire/spire-server/Chart.yaml new file mode 100644 index 00000000..7bf628e6 --- /dev/null +++ b/mithrilctl/helm/spire/spire-server/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for Kubernetes +name: spire-server +type: application +version: 1.1.1 
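Review bot: `podSecurityContext` and `securityContext` are presented here as the hardening knobs (the commented `drop: - ALL`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true` hints), but daemonset.yaml in this patch never references either of them, nor `resources`, `nodeSelector`, `tolerations` or `affinity`, so a user who uncomments them gets an unchanged pod. Either render them in the DaemonSet or remove them here, and put a comment above the keys that actually reach the pod (`namespace`, `name`, `clusterName`, `tag`, `socketPath`, `configmaps.*`) saying so, because today it is not obvious which half of this file is live. `tag: spire-agent:1.1.1` is glued to a fixed `gcr.io/spiffe-io/` in the template, so neither a mirror registry nor a digest can be configured; the unused `image:` scaffold already has the right shape (`repository`, `tag`, `pullPolicy`), so wiring the DaemonSet to it and adding `digest: ""` would fix both problems at once.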
diff --git a/mithrilctl/helm/spire/spire-server/templates/NOTES.txt b/mithrilctl/helm/spire/spire-server/templates/NOTES.txt new file mode 100644 index 00000000..10f8def8 --- /dev/null +++ b/mithrilctl/helm/spire/spire-server/templates/NOTES.txt 
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.serviceSpire.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "spire-server.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.serviceSpire.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "spire-server.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "spire-server.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.serviceSpire.ports }} +{{- else if contains "ClusterIP" .Values.serviceSpire.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "spire-server.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/mithrilctl/helm/spire/spire-server/templates/_helpers.tpl b/mithrilctl/helm/spire/spire-server/templates/_helpers.tpl new file mode 100644 index 00000000..c68b4813 --- /dev/null 
+++ b/mithrilctl/helm/spire/spire-server/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "spire-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "spire-server.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "spire-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "spire-server.labels" -}} +helm.sh/chart: {{ include "spire-server.chart" . }} +{{ include "spire-server.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "spire-server.selectorLabels" -}} +app.kubernetes.io/name: {{ include "spire-server.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "spire-server.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "spire-server.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/mithrilctl/helm/spire/spire-server/templates/configmaps.yaml b/mithrilctl/helm/spire/spire-server/templates/configmaps.yaml
new file mode 100644
index 00000000..2902fd81
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-server/templates/configmaps.yaml
@@ -0,0 +1,94 @@
+# ConfigMap containing the latest trust bundle for the trust domain. It is
+# updated by SPIRE using the k8sbundle notifier plugin. SPIRE agents mount
+# this config map and use the certificate to bootstrap trust with the SPIRE
+# server during attestation.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.configmaps.notifier.bundleName }}
+ namespace: {{ .Values.namespace }}
+---
+# ConfigMap containing the SPIRE server configuration.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.name }}
+ namespace: {{ .Values.namespace }}
+data:
+ server.conf: |
+ server {
+ bind_address = "0.0.0.0"
+ bind_port = "8081"
+ socket_path = "{{ .Values.configmaps.serverConfig.socketPath }}"
+ trust_domain = "{{ .Values.configmaps.serverConfig.trustDomain }}"
+ data_dir = "/run/spire/server/data"
+ log_level = "DEBUG"
+ ca_key_type = "rsa-2048"
+ {{ if eq .Values.configmaps.serverConfig.federates true }}
+
+ federation {
+ bundle_endpoint {
+ address = "{{ .Values.configmaps.serverConfig.federation.bundleEndpoint.address }}"
+ port = {{ .Values.configmaps.serverConfig.federation.bundleEndpoint.port }}
+ }
+ {{ range $index, $member := .Values.configmaps.serverConfig.federation.federations }}
+ federates_with "{{ $member.federatesWith }}" {
+ bundle_endpoint_url = "{{ $member.bundleEndpointUrl }}"
+ bundle_endpoint_profile "{{ $member.bundleEndpointProfile.profile }}" {
+ endpoint_spiffe_id = "{{ $member.bundleEndpointProfile.endpointSpiffeId }}"
+ }
+ }
+ {{ end }}
+ }
+
+ {{ end }}
+ default_svid_ttl = "{{ .Values.configmaps.serverConfig.ttl }}"
+ ca_subject = {
+ country = ["US"],
+ organization = ["SPIFFE"],
+ common_name = "",
+ }
+ }
+
+ plugins {
+ DataStore "sql" {
+ plugin_data {
+ database_type = "sqlite3"
+ connection_string = "/run/spire/data/datastore.sqlite3"
+ }
+ }
+
+ NodeAttestor "k8s_psat" {
+ plugin_data {
+ clusters = {
+ # NOTE: Change this to your cluster name
+ "{{ .Values.clusterName }}" = {
+ use_token_review_api_validation = true
+ service_account_allow_list = ["spire:spire-agent"]
+ }
+ }
+ }
+ }
+
+ KeyManager "disk" {
+ plugin_data {
+ keys_path = "/run/spire/data/keys.json"
+ }
+ }
+
+ Notifier "k8sbundle" {
+ plugin_data {
+ namespace = "{{ .Values.namespace }}"
+ config_map = "{{ .Values.configmaps.serverConfig.notifier.configMap }}"
+ config_map_key = "{{ .Values.configmaps.serverConfig.notifier.configMapKey }}"
+ }
+ }
+ }
+
+ health_checks {
+ listener_enabled = true
+ bind_address = "0.0.0.0"
+ bind_port = "8080"
+ live_path = "/live"
+ ready_path = "/ready"
+ }
\ No newline at end of file
diff --git a/mithrilctl/helm/spire/spire-server/templates/controller.yaml b/mithrilctl/helm/spire/spire-server/templates/controller.yaml
new file mode 100644
index 00000000..1b3d3406
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-server/templates/controller.yaml
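Review bot: `service_account_allow_list = ["spire:spire-agent"]` in the k8s_psat NodeAttestor hard-codes the `spire` namespace while every other namespace reference in this file is `{{ .Values.namespace }}`; installing the chart into any other namespace leaves agents unable to attest (fail-closed, but with nothing in the chart pointing at the cause), so it should read `service_account_allow_list = ["{{ .Values.namespace }}:spire-agent"]`. `log_level = "DEBUG"` is also fixed in the template; SPIRE debug output is verbose and includes attestation detail, so expose it as a value, e.g. `log_level = "{{ .Values.configmaps.serverConfig.logLevel | default "INFO" }}"` with the new key added to values.yaml. The trust-bundle ConfigMap name comes from `.Values.configmaps.notifier.bundleName`, the Notifier plugin reads `.Values.configmaps.serverConfig.notifier.configMap`, and the Role's `resourceNames` in values is a third copy; a comment above the first ConfigMap saying these three must agree (or a single value feeding all three) would prevent a rename silently breaking bundle publication.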
@@ -0,0 +1,436 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: spire-controller-manager-config
+ namespace: {{ .Values.namespace }}
+data:
+ spireControllerManagerConfig.yaml: |
+ apiVersion: spire.spiffe.io/v1alpha1
+ kind: ControllerManagerConfig
+ metrics:
+ bindAddress: 127.0.0.1:8082
+ healthProbe:
+ bindAddress: 127.0.0.1:8083
+ leaderElection:
+ leaderElect: true
+ resourceName: 98c9c988.spiffe.io
+ resourceNamespace: {{ .Values.namespace }}
+ clusterName: {{ .Values.clusterName }}
+ trustDomain: {{ .Values.trustDomain }}
+ ignoreNamespaces: ["kube-system", "kube-public", "local-path-storage", "spire"]
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.4.1
+ name: clusterspiffeids.spire.spiffe.io
+spec:
+ group: spire.spiffe.io
+ names:
+ kind: ClusterSPIFFEID
+ listKind: ClusterSPIFFEIDList
+ plural: clusterspiffeids
+ singular: clusterspiffeid
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
+ properties:
+ admin:
+ description: Admin indicates whether or not the SVID can be used to
+ access the SPIRE administrative APIs. Extra care should be taken
+ to only apply this SPIFFE ID to admin workloads.
+ type: boolean
+ dnsNameTemplates:
+ description: DNSNameTemplate represents templates for extra DNS names
+ that are applicable to SVIDs minted for this ClusterSPIFFEID. The
+ node and pod spec are made available to the template under .NodeSpec,
+ .PodSpec respectively.
+ items:
+ type: string
+ type: array
+ federatesWith:
+ description: FederatesWith is a list of trust domain names that workloads
+ that obtain this SPIFFE ID will federate with.
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: NamespaceSelector selects the namespaces that are targetted
+ by this CRD.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that
+ contains values, a key, and an operator that relates the key
+ and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to
+ a set of values. Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the
+ operator is In or NotIn, the values array must be non-empty.
+ If the operator is Exists or DoesNotExist, the values
+ array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single
+ {key,value} in the matchLabels map is equivalent to an element
+ of matchExpressions, whose key field is "key", the operator
+ is "In", and the values array contains only "value". The requirements
+ are ANDed.
+ type: object
+ type: object
+ podSelector:
+ description: PodSelector selects the pods that are targetted by this
+ CRD.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that
+ contains values, a key, and an operator that relates the key
+ and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to
+ a set of values. Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the
+ operator is In or NotIn, the values array must be non-empty.
+ If the operator is Exists or DoesNotExist, the values
+ array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single
+ {key,value} in the matchLabels map is equivalent to an element
+ of matchExpressions, whose key field is "key", the operator
+ is "In", and the values array contains only "value". The requirements
+ are ANDed.
+ type: object
+ type: object
+ spiffeIDTemplate:
+ description: SPIFFEID is the SPIFFE ID template. The node and pod
+ spec are made available to the template under .NodeSpec, .PodSpec
+ respectively.
+ type: string
+ ttl:
+ description: TTL indicates an upper-bound time-to-live for SVIDs minted
+ for this ClusterSPIFFEID. If unset, a default will be chosen.
+ type: string
+ workloadSelectorTemplates:
+ description: WorkloadSelectorTemplates are templates to produce arbitrary
+ workload selectors that apply to a given workload before it will
+ receive this SPIFFE ID. The rendered value is interpreted by SPIRE
+ and are of the form type:value, where the value may, and often does,
+ contain semicolons, .e.g., k8s:container-image:docker/hello-world
+ The node and pod spec are made available to the template under .NodeSpec,
+ .PodSpec respectively.
+ items:
+ type: string
+ type: array
+ required:
+ - spiffeIDTemplate
+ type: object
+ status:
+ description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID
+ properties:
+ stats:
+ description: Stats produced by the last entry reconciliation run
+ properties:
+ entriesMasked:
+ description: How many entries were masked by entries for other
+ ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
+ produce an entry for the same pod with the same set of workload
+ selectors.
+ type: integer
+ entriesToSet:
+ description: How many entries are to be set for this ClusterSPIFFEID.
+ In nominal conditions, this should reflect the number of pods
+ selected, but not always if there were problems encountered
+ rendering an entry for the pod (RenderFailures) or entries are
+ masked (EntriesMasked).
+ type: integer
+ entryFailures:
+ description: How many entries were unable to be set due to failures
+ to create or update the entries via the SPIRE Server API.
+ type: integer
+ namespacesIgnored:
+ description: How many (selected) namespaces were ignored (based
+ on configuration).
+ type: integer
+ namespacesSelected:
+ description: How many namespaces were selected.
+ type: integer
+ podEntryRenderFailures:
+ description: How many failures were encountered rendering an entry
+ selected pods. This could be due to either a bad template in
+ the ClusterSPIFFEID or Pod metadata that when applied to the
+ template did not produce valid entry values.
+ type: integer
+ podsSelected:
+ description: How many pods were selected out of the namespaces.
+ type: integer
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.4.1
+ name: clusterfederatedtrustdomains.spire.spiffe.io
+spec:
+ group: spire.spiffe.io
+ names:
+ kind: ClusterFederatedTrustDomain
+ listKind: ClusterFederatedTrustDomainList
+ plural: clusterfederatedtrustdomains
+ singular: clusterfederatedtrustdomain
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.trustDomain
+ name: Trust Domain
+ type: string
+ - jsonPath: .spec.bundleEndpointURL
+ name: Endpoint URL
+ type: string
+ - jsonPath: .spec.bundleEndpointProfile
+ name: Endpoint Profile
+ type: string
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains
+ API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ClusterFederatedTrustDomainSpec defines the desired state
+ of ClusterFederatedTrustDomain
+ properties:
+ bundleEndpointProfile:
+ description: BundleEndpointProfile is the profile for the bundle endpoint.
+ properties:
+ endpointSPIFFEID:
+ description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint.
+ It is required for the "https_spiffe" profile.
+ type: string
+ type:
+ description: Type is the type of the bundle endpoint profile.
+ enum:
+ - https_spiffe
+ - https_web
+ type: string
+ required:
+ - type
+ type: object
+ bundleEndpointURL:
+ description: BundleEndpointURL is the URL of the bundle endpoint.
+ It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
+ type: string
+ trustDomain:
+ description: TrustDomain is the name of the trust domain to federate
+ with (e.g. example.org)
+ pattern: '[a-z0-9._-]{1,255}'
+ type: string
+ trustDomainBundle:
+ description: TrustDomainBundle is the initial contents of the bundle
+ for the referenced trust domain. This field is optional.
+ type: string
+ required:
+ - bundleEndpointProfile
+ - bundleEndpointURL
+ - trustDomain
+ type: object
+ status:
+ description: ClusterFederatedTrustDomainStatus defines the observed state
+ of ClusterFederatedTrustDomain
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: leader-election-role
+ namespace: {{ .Values.namespace }}
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: leader-election-rolebinding
+ namespace: spire
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.name }}
+ namespace: {{ .Values.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+rules:
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "patch", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["spire.spiffe.io"]
+ resources: ["clusterfederatedtrustdomains"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["spire.spiffe.io"]
+ resources: ["clusterfederatedtrustdomains/finalizers"]
+ verbs: ["update"]
+ - apiGroups: ["spire.spiffe.io"]
+ resources: ["clusterfederatedtrustdomains/status"]
+ verbs: ["get", "patch", "update"]
+ - apiGroups: ["spire.spiffe.io"]
+ resources: ["clusterspiffeids"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["spire.spiffe.io"]
+ resources: ["clusterspiffeids/finalizers"]
+ verbs: ["update"]
+ - apiGroups: ["spire.spiffe.io"]
+ resources: ["clusterspiffeids/status"]
+ verbs: ["get", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.name }}
+ namespace: {{ .Values.namespace }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: spire-controller-manager-webhook
+webhooks:
+ - admissionReviewVersions: ["v1"]
+ clientConfig:
+ service:
+ name: spire-controller-manager-webhook-service
+ namespace: {{ .Values.namespace }}
+ path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain
+ failurePolicy: Fail
+ name: vclusterfederatedtrustdomain.kb.io
+ rules:
+ - apiGroups: ["spire.spiffe.io"]
+ apiVersions: ["v1alpha1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["clusterfederatedtrustdomains"]
+ sideEffects: None
+ - admissionReviewVersions: ["v1"]
+ clientConfig:
+ service:
+ name: spire-controller-manager-webhook-service
+ namespace: {{ .Values.namespace }}
+ path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid
+ failurePolicy: Fail
+ name: vclusterspiffeid.kb.io
+ rules:
+ - apiGroups: ["spire.spiffe.io"]
+ apiVersions: ["v1alpha1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["clusterspiffeids"]
+ sideEffects: None
diff --git a/mithrilctl/helm/spire/spire-server/templates/hpa.yaml b/mithrilctl/helm/spire/spire-server/templates/hpa.yaml
new file mode 100644
index 00000000..51217498
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-server/templates/hpa.yaml
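Review bot: The leader-election RoleBinding is created in a hard-coded `namespace: spire` while the Role it references and the ServiceAccount subject use `{{ .Values.namespace }}`; with any other namespace value the binding lands in a namespace this chart did not create and the controller-manager cannot acquire its lease, so change it to `namespace: {{ .Values.namespace }}`. The same literal appears in `ignoreNamespaces: [..., "spire"]` in the ControllerManagerConfig, where the chart's own namespace should be templated so the controller does not attempt to register entries for the SPIRE pods themselves. `leader-election-role`, `manager-role`, `manager-rolebinding` and the ValidatingWebhookConfiguration `spire-controller-manager-webhook` are fixed, non-release-scoped names, so two installs in one cluster collide on them. Both bindings grant the single `{{ .Values.name }}` ServiceAccount the controller's cluster-wide create/update/delete on ClusterSPIFFEIDs and patch on ValidatingWebhookConfigurations on top of the server's TokenReview rights; that follows from running both containers in one pod, but the combined privilege set deserves a comment at the top of this file so later reviewers do not assume the server runs with the narrower spire-server-cluster-role alone.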
@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "spire-server.fullname" . }}
+ labels:
+ {{- include "spire-server.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "spire-server.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/mithrilctl/helm/spire/spire-server/templates/ingress.yaml b/mithrilctl/helm/spire/spire-server/templates/ingress.yaml
new file mode 100644
index 00000000..aac6f6ad
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-server/templates/ingress.yaml
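Review bot: `scaleTargetRef` points at a `Deployment` named `{{ include "spire-server.fullname" . }}`, but the workload this chart ships is a StatefulSet named `{{ .Values.name }}` (statefulset.yaml), so setting `autoscaling.enabled: true` yields an HPA that targets nothing. The server is configured with the sqlite DataStore and the disk KeyManager on a single PVC, so more than one replica is not safe regardless; either remove this scaffold template or point it at `kind: StatefulSet` / `name: {{ .Values.name }}` and document the single-replica constraint next to `replicas: 1`. `autoscaling/v2beta1` is also a deprecated API group on current clusters.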
@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "spire-server.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+ {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "spire-server.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.ingress.className }}
+ {{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
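Review bot: `$svcPort := .Values.service.port` reads a key neither values file defines (they define `serviceSpire.ports`, a list), so with `ingress.enabled: true` the backend renders an empty `number:` and the object is likely rejected by the API server; if the template is kept, take the port from the list explicitly, e.g. `{{- $svcPort := (index .Values.serviceSpire.ports 0).port -}}`. The backend name is `$fullName` while the Service in service.yaml is named `{{ .Values.name }}`, so the Ingress would also route to a Service that does not exist unless the two happen to coincide. An Ingress in front of the SPIRE server API is rarely wanted, since agents reach it over the Service directly; removing this `helm create` scaffold is simpler than fixing it.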
diff --git a/mithrilctl/helm/spire/spire-server/templates/namespace.yaml b/mithrilctl/helm/spire/spire-server/templates/namespace.yaml
new file mode 100644
index 00000000..77db5f9f
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-server/templates/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ .Values.namespace }}
diff --git a/mithrilctl/helm/spire/spire-server/templates/roles.yaml b/mithrilctl/helm/spire/spire-server/templates/roles.yaml
new file mode 100644
index 00000000..fdea49ac
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-server/templates/roles.yaml
@@ -0,0 +1,44 @@
+# Required cluster role to allow spire-server to query k8s API server
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.roles.clusterRole.name }}
+ namespace: {{ .Values.namespace }}
+rules:
+{{ .Values.roles.clusterRole.rules | toYaml | indent 4 }}
+---
+# Binds above cluster role to spire-server service account
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Values.roles.clusterRoleBinding.name }}
+ namespace: {{ .Values.namespace }}
+subjects:
+{{ .Values.roles.clusterRoleBinding.subjects | toYaml | indent 2 }}
+roleRef:
+ kind: {{ .Values.roles.clusterRoleBinding.roleRef.kind }}
+ name: {{ .Values.roles.clusterRoleBinding.roleRef.name }}
+ apiGroup: {{ .Values.roles.clusterRoleBinding.roleRef.apiGroup }}
+---
+# Role for the SPIRE server
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: {{ .Values.roles.role.name }}
+rules:
+{{ .Values.roles.role.rules | toYaml | indent 2 }}
+---
+# RoleBinding granting the spire-server-role to the SPIRE server
+# service account.
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Values.roles.roleBinding.name }}
+ namespace: {{ .Values.namespace }}
+subjects:
+{{ .Values.roles.roleBinding.subjects | toYaml | indent 2 }}
+roleRef:
+ kind: {{ .Values.roles.roleBinding.roleRef.kind }}
+ name: {{ .Values.roles.roleBinding.roleRef.name }}
+ apiGroup: {{ .Values.roles.roleBinding.roleRef.apiGroup }}
diff --git a/mithrilctl/helm/spire/spire-server/templates/service.yaml b/mithrilctl/helm/spire/spire-server/templates/service.yaml
new file mode 100644
index 00000000..cda02bd3
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-server/templates/service.yaml
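Review bot: `metadata.namespace: {{ .Values.namespace }}` is set on the ClusterRole and the ClusterRoleBinding, which are cluster-scoped; the field is ignored by the API server and suggests to a reader that the grant is namespaced when it is not, so drop it from both. Because the rules and subjects are emitted verbatim from values via `toYaml`, the effective privilege set (TokenReview create, node get, trust-bundle configmap patch) is defined only in values.yaml; a one-line comment above each `rules:` line naming the SPIRE feature that needs it (k8s_psat node attestation, k8sbundle notifier) would help whoever reviews later values changes. The ClusterRole rules use `indent 4` while the Role rules use `indent 2`; both render valid YAML but the two should match.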
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.name }}
+ namespace: {{ .Values.namespace }}
+spec:
+ type: {{ .Values.serviceSpire.type }}
+ ports:
+{{ .Values.serviceSpire.ports | toYaml | indent 4 }}
+ selector:
+ app: {{ .Values.name }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.serviceBundleEndpoint.name }}
+ namespace: {{ .Values.namespace }}
+spec:
+ type: {{ .Values.serviceBundleEndpoint.type }}
+ ports:
+{{ .Values.serviceBundleEndpoint.ports | toYaml | indent 4 }}
+ selector:
+ app: {{ .Values.name }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.serviceControllerWebhook.name }}
+ namespace: {{ .Values.namespace }}
+spec:
+ type: {{ .Values.serviceControllerWebhook.type }}
+ ports:
+{{ .Values.serviceControllerWebhook.ports | toYaml | indent 4 }}
+ selector:
+ app: {{ .Values.name }}
diff --git a/mithrilctl/helm/spire/spire-server/templates/serviceaccount.yaml b/mithrilctl/helm/spire/spire-server/templates/serviceaccount.yaml
new file mode 100644
index 00000000..9d8ca720
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-server/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.name }}
+ namespace: {{ .Values.namespace }}
diff --git a/mithrilctl/helm/spire/spire-server/templates/statefulset.yaml b/mithrilctl/helm/spire/spire-server/templates/statefulset.yaml
new file mode 100644
index 00000000..0a180b86
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-server/templates/statefulset.yaml
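Review bot: serviceaccount.yaml unconditionally creates a ServiceAccount named `{{ .Values.name }}`, ignoring the `serviceAccount.create`, `serviceAccount.name` and `serviceAccount.annotations` keys that values.yaml exposes and the `spire-server.serviceAccountName` helper in _helpers.tpl; an operator who sets `create: false` to bind a pre-provisioned account still gets a new one, and the RBAC subjects in values keep pointing at the literal `spire-server`. Either wrap the resource in `{{- if .Values.serviceAccount.create -}}`, name it `{{ include "spire-server.serviceAccountName" . }}` and use the same helper for `serviceAccountName` in statefulset.yaml and for the binding subjects, or remove the dead `serviceAccount` keys from both values files so the chart does not advertise an option it does not honour.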
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ .Values.name }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ app: {{ .Values.name }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Values.name }}
+ serviceName: {{ .Values.name }}
+ template:
+ metadata:
+ namespace: {{ .Values.namespace }}
+ labels:
+ app: {{ .Values.name }}
+ spec:
+ serviceAccountName: {{ .Values.name }}
+ shareProcessNamespace: true
+ containers:
+ - name: {{ .Values.name }}
+ image: gcr.io/spiffe-io/{{ .Values.tag }}
+ args: ["-config", "/run/spire/config/server.conf"]
+ livenessProbe:
+ httpGet:
+ path: /live
+ port: 8080
+ failureThreshold: 2
+ initialDelaySeconds: 15
+ periodSeconds: 60
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ ports:
+ - containerPort: 8081
+ volumeMounts:
+ - name: spire-config
+ mountPath: /run/spire/config
+ readOnly: true
+ - name: spire-data
+ mountPath: /run/spire/data
+ readOnly: false
+ - name: spire-registration-socket
+ mountPath: /run/spire/sockets
+ readOnly: false
+ - name: spire-controller-manager
+ image: ghcr.io/spiffe/spire-controller-manager:0.2.1
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9443
+ args:
+ - "--config=spireControllerManagerConfig.yaml"
+ volumeMounts:
+ - name: spire-registration-socket
+ mountPath: /spire-server
+ readOnly: true
+ - name: spire-controller-manager-config
+ mountPath: /spireControllerManagerConfig.yaml
+ subPath: spireControllerManagerConfig.yaml
+ volumes:
+ - name: spire-config
+ configMap:
+ name: {{ .Values.name }}
+ - name: spire-registration-socket
+ hostPath:
+ path: /run/spire/server-sockets
+ type: DirectoryOrCreate
+ - name: spire-controller-manager-config
+ configMap:
+ name: spire-controller-manager-config
+ volumeClaimTemplates:
+ - metadata:
+ name: spire-data
+ namespace: spire
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
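Review bot: The `spire-registration-socket` volume is a `hostPath` at `/run/spire/server-sockets` with `type: DirectoryOrCreate`, which puts the SPIRE Server API socket on the node filesystem where any other pod or host process able to reach that path can talk to the server API; both consumers of the socket (the server at `/run/spire/sockets` and the controller-manager at `/spire-server`) live in this same pod, so `emptyDir: {}` in place of the `hostPath:` block gives the same sharing without exposing the socket outside the pod. `shareProcessNamespace: true` is likewise not needed for socket sharing and lets each container observe and signal the other's processes (the server's hold CA key material), so drop it unless there is a documented reason. The server config sets `data_dir = "/run/spire/server/data"` (configmaps.yaml) but only `/run/spire/data` is backed by the `spire-data` PVC, so whatever the server writes under data_dir lives on the container's ephemeral filesystem and is lost on every restart; align the two paths. The `podSecurityContext` and `securityContext` values are never rendered here, so both containers run with runtime defaults; render them with `toYaml` at pod and container level and give them non-root / read-only-rootfs defaults in values.yaml. `volumeClaimTemplates[0].metadata.namespace: spire` is a hard-coded literal where the rest of the file uses `{{ .Values.namespace }}`.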
diff --git a/mithrilctl/helm/spire/spire-server/templates/tests/test-connection.yaml b/mithrilctl/helm/spire/spire-server/templates/tests/test-connection.yaml
new file mode 100644
index 00000000..be823d1d
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-server/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "spire-server.fullname" . }}-test-connection"
+ labels:
+ {{- include "spire-server.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "spire-server.fullname" . }}:{{ .Values.serviceSpire.ports }}']
+ restartPolicy: Never
diff --git a/mithrilctl/helm/spire/spire-server/values-test.yaml b/mithrilctl/helm/spire/spire-server/values-test.yaml
new file mode 100644
index 00000000..21eb6ad0
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-server/values-test.yaml
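Review bot: `args: ['{{ include "spire-server.fullname" . }}:{{ .Values.serviceSpire.ports }}']` interpolates `serviceSpire.ports`, which both values files define as a list of maps, so the rendered argument is a Go map dump rather than a port number, and the host part uses the fullname helper while the Service is named `{{ .Values.name }}`; as written the `helm test` hook cannot pass. If the test is kept, use `{{ .Values.name }}:{{ (index .Values.serviceSpire.ports 0).port }}`; note that port 8081 serves the TLS/gRPC server API to agents rather than plain HTTP, so a busybox `wget` is a weak check even with the right address, and the `/ready` health endpoint on 8080 is the better target for a connectivity test.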
@@ -0,0 +1,164 @@
+# Default values for spire-server.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+namespace: spire
+name: spire-server
+trustDomain: "domain.test"
+clusterName: demo-cluster
+tag: spire-server:1.1.1
+
+configmaps:
+ notifier:
+ bundleName: trust-bundle
+ serverConfig:
+ socketPath: "/run/spire/sockets/api.sock"
+ trustDomain: "domain.test"
+ federatesWith: "example.org"
+ federatesWithServer: 192.168.0.16:4001
+ ttl: "1h"
+ notifier:
+ configMap: "trust-bundle"
+ configMapKey: "root-cert.pem"
+
+replicaCount: 1
+
+image:
+ repository: nginx
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+serviceSpire:
+ type: NodePort
+ ports:
+ - name: api
+ port: 8081
+ targetPort: 8081
+ protocol: TCP
+
+serviceBundleEndpoint:
+ name: spire-server-bundle-endpoint
+ type: NodePort
+ ports:
+ - name: api
+ port: 8443
+ protocol: TCP
+
+serviceControllerWebhook:
+ name: spire-controller-manager-webhook-service
+ type: NodePort
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 9443
+
+# selector:
+# app: spire-server
+
+ingress:
+ enabled: false
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+roles:
+ clusterRole:
+ name: spire-server-cluster-role
+ rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: [ "get" ]
+ - apiGroups: [ "authentication.k8s.io" ]
+ resources: [ "tokenreviews" ]
+ verbs: [ "get", "create" ]
+ clusterRoleBinding:
+ name: spire-server-cluster-role-binding
+ subjects:
+ - kind: ServiceAccount
+ name: spire-server
+ namespace: spire
+ roleRef:
+ kind: ClusterRole
+ name: spire-server-cluster-role
+ apiGroup: rbac.authorization.k8s.io
+ role:
+ name: spire-server-role
+ rules:
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: [ "get" ]
+ - apiGroups: [ "" ]
+ resources: [ "configmaps" ]
+ resourceNames: [ "trust-bundle" ]
+ verbs: [ "get", "patch" ]
+ roleBinding:
+ name: spire-server-role-binding
+ subjects:
+ - kind: ServiceAccount
+ name: spire-server
+ namespace: spire
+ roleRef:
+ kind: Role
+ name: spire-server-role
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/mithrilctl/helm/spire/spire-server/values.yaml b/mithrilctl/helm/spire/spire-server/values.yaml
new file mode 100644
index 00000000..11d30e4c
--- /dev/null
+++ b/mithrilctl/helm/spire/spire-server/values.yaml
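Review bot: `configmaps.serverConfig` here carries `federatesWith` and `federatesWithServer`, which no template reads, while configmaps.yaml reads `serverConfig.federates` and `serverConfig.federation.*`, which this file lacks; with `federates` absent the `{{ if eq ... true }}` in the server ConfigMap compares against a nil value and may render differently from (or fail where) values.yaml does, so mirror the `federates: false` / `federation:` block from values.yaml and delete the two stale keys. All three Services default to `type: NodePort`, which publishes the server API (8081), the federation bundle endpoint (8443) and the controller-manager admission webhook (443) on every node's address; the webhook is only ever called by the API server and the server API only by in-cluster agents, so `ClusterIP` is the safe default for those two, with NodePort reserved for the bundle endpoint when cross-cluster federation is actually configured. `image.repository: nginx` / `image.tag` are never used (statefulset.yaml builds its image from `tag: spire-server:1.1.1`) and `securityContext` / `podSecurityContext` are defined but not rendered, so these keys misrepresent what the chart does; wire them up or remove them. The RBAC subjects hard-code `name: spire-server` and `namespace: spire` rather than following `name` and `namespace` at the top of the file, so overriding either at the top silently breaks the bindings.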
@@ -0,0 +1,173 @@
+# Default values for spire-server.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+namespace: spire
+name: spire-server
+trustDomain: "example.org"
+clusterName: demo-cluster
+tag: spire-server:1.1.1
+
+configmaps:
+ notifier:
+ bundleName: trust-bundle
+ serverConfig:
+ socketPath: "/run/spire/sockets/api.sock"
+ trustDomain: "example.org"
+ federates: false
+ federation:
+ bundleEndpoint:
+ address: 0.0.0.0
+ port: 8443
+ federations:
+ - federatesWith: "domain.test"
+ bundleEndpointUrl: https://192.168.0.16:4002
+ bundleEndpointProfile:
+ profile: https_spiffe
+ endpointSpiffeId: spiffe://domain.test/spire/server
+ ttl: "1h"
+ notifier:
+ configMap: "trust-bundle"
+ configMapKey: "root-cert.pem"
+
+replicaCount: 1
+
+image:
+ repository: nginx
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+serviceSpire:
+ type: NodePort
+ ports:
+ - name: api
+ port: 8081
+ targetPort: 8081
+ protocol: TCP
+
+serviceBundleEndpoint:
+ name: spire-server-bundle-endpoint
+ type: NodePort
+ ports:
+ - name: api
+ port: 8443
+ protocol: TCP
+
+serviceControllerWebhook:
+ name: spire-controller-manager-webhook-service
+ type: NodePort
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 9443
+
+# selector:
+# app: spire-server
+
+ingress:
+ enabled: false
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+roles:
+ clusterRole:
+ name: spire-server-cluster-role
+ rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: [ "get" ]
+ - apiGroups: [ "authentication.k8s.io" ]
+ resources: [ "tokenreviews" ]
+ verbs: [ "get", "create" ]
+ clusterRoleBinding:
+ name: spire-server-cluster-role-binding
+ subjects:
+ - kind: ServiceAccount
+ name: spire-server
+ namespace: spire
+ roleRef:
+ kind: ClusterRole
+ name: spire-server-cluster-role
+ apiGroup: rbac.authorization.k8s.io
+ role:
+ name: spire-server-role
+ rules:
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: [ "get" ]
+ - apiGroups: [ "" ]
+ resources: [ "configmaps" ]
+ resourceNames: [ "trust-bundle" ]
+ verbs: [ "get", "patch" ]
+ roleBinding:
+ name: spire-server-role-binding
+ subjects:
+ - kind: ServiceAccount
+ name: spire-server
+ namespace: spire
+ roleRef:
+ kind: Role
+ name: spire-server-role
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
From ca71f29e4b6d90f66c356ee915703881d3f80f45 Mon Sep 17 00:00:00 2001
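Review bot: All three Service defaults in this values file are `type: NodePort`, which publishes the SPIRE server API (8081), the federation bundle endpoint (8443) and the controller-manager webhook (9443) on every node address; `type: ClusterIP` is the safer chart default, with NodePort left as an explicit override where a bundle endpoint genuinely has to be reachable from outside the cluster. `securityContext: {}` is left as scaffolding, so the server pod runs with whatever the image defaults to; the commented `runAsNonRoot`/`readOnlyRootFilesystem` block is worth enabling once the templates are confirmed to honour it. `image.repository: nginx` next to `tag: spire-server:1.1.1` reads as a leftover of the chart skeleton; if the templates take the image reference from `tag`, the `image` block should be removed or its role documented. The federation block also ships a concrete `bundleEndpointUrl: https://192.168.0.16:4002` while `federates: false`; a clearly marked placeholder with a comment would avoid a site-specific address becoming the chart default.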
From: Alexandre Alvino
Date: Tue, 19 Jul 2022 11:09:03 -0300
Subject: [PATCH 2/2] Adds charts description and log level parametrization
---
 mithrilctl/helm/spire/spire-agent/Chart.yaml | 2 +-
 .../spire-agent/templates/configmaps.yaml | 2 +-
 .../helm/spire/spire-agent/values-test.yaml | 116 -------------
 mithrilctl/helm/spire/spire-agent/values.yaml | 1 +
 mithrilctl/helm/spire/spire-server/Chart.yaml | 2 +-
 .../spire-server/templates/configmaps.yaml | 2 +-
 .../helm/spire/spire-server/values-test.yaml | 164 ------------------
 .../helm/spire/spire-server/values.yaml | 1 +
 8 files changed, 6 insertions(+), 284 deletions(-)
 delete mode 100644 mithrilctl/helm/spire/spire-agent/values-test.yaml
 delete mode 100644 mithrilctl/helm/spire/spire-server/values-test.yaml
diff --git a/mithrilctl/helm/spire/spire-agent/Chart.yaml b/mithrilctl/helm/spire/spire-agent/Chart.yaml
index ae5e87c7..70e8ca83 100644
--- a/mithrilctl/helm/spire/spire-agent/Chart.yaml
+++ b/mithrilctl/helm/spire/spire-agent/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 appVersion: 1.16.0
-description: A Helm chart for Kubernetes
+description: A Helm chart for a SPIRE Agent installation with the SPIFFE CSI Driver
 name: spire-agent
 type: application
 version: 1.1.1
diff --git a/mithrilctl/helm/spire/spire-agent/templates/configmaps.yaml b/mithrilctl/helm/spire/spire-agent/templates/configmaps.yaml
index 204b2012..e49ba0e4 100644
--- a/mithrilctl/helm/spire/spire-agent/templates/configmaps.yaml
+++ b/mithrilctl/helm/spire/spire-agent/templates/configmaps.yaml
@@ -8,7 +8,7 @@ data:
 agent.conf: |
 agent {
 data_dir = "/run/spire"
- log_level = "DEBUG"
+ log_level = "{{ .Values.configmaps.agentConfig.logLevel }}"
 server_address = "spire-server"
 server_port = "8081"
 socket_path = "{{ .Values.configmaps.agentConfig.socketPath }}"
diff --git a/mithrilctl/helm/spire/spire-agent/values-test.yaml b/mithrilctl/helm/spire/spire-agent/values-test.yaml
deleted file mode 100644
index da5bbecd..00000000
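Review bot: The new `log_level = "{{ .Values.configmaps.agentConfig.logLevel }}"` renders as `log_level = ""` whenever the key is unset or a user supplies a `configmaps` override that omits it, and an empty level is unlikely to be accepted as a valid SPIRE log level; a template-side default, `log_level = "{{ .Values.configmaps.agentConfig.logLevel | default "INFO" }}"`, keeps the rendered agent.conf valid regardless of the values file. The server-side hunk in spire-server/templates/configmaps.yaml (`.Values.configmaps.serverConfig.logLevel`) has the same gap. The enclosing `agent { ... }` block starts and ends outside the hunk.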
--- a/mithrilctl/helm/spire/spire-agent/values-test.yaml
+++ /dev/null
@@ -1,116 +0,0 @@
-# Default values for spire-agent.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-namespace: spire
-name: spire-agent
-trustDomain: "domain.test"
-clusterName: demo-cluster
-tag: spire-agent:1.1.1
-socketPath: "/run/secrets/workload-spiffe-uds"
-
-configmaps:
- notifier:
- bundleName: trust-bundle
- agentConfig:
- socketPath: "/run/secrets/workload-spiffe-uds/socket"
- trustDomain: "domain.test"
- notifier:
- configMap: "trust-bundle"
- trustBundlePath: "/run/spire/bundle/root-cert.pem"
-
-replicaCount: 1
-
-image:
- repository: nginx
- pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
- tag: ""
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
-
-podAnnotations: {}
-
-podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-service:
- type: ClusterIP
- port: 80
-
-ingress:
- enabled: false
- className: ""
- annotations: {}
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- hosts:
- - host: chart-example.local
- paths:
- - path: /
- pathType: ImplementationSpecific
- tls: []
- # - secretName: chart-example-tls
- # hosts:
- # - chart-example.local
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-roles:
- clusterRole:
- name: spire-agent-cluster-role
- rules:
- - apiGroups: [ "" ]
- resources: [ "pods","nodes","nodes/proxy" ]
- verbs: [ "get" ]
- clusterRoleBinding:
- name: spire-agent-cluster-role-binding
- subjects:
- - kind: ServiceAccount
- name: spire-agent
- namespace: spire
- roleRef:
- kind: ClusterRole
- name: spire-agent-cluster-role
- apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/mithrilctl/helm/spire/spire-agent/values.yaml b/mithrilctl/helm/spire/spire-agent/values.yaml
index 90b903ab..f5836a07 100644
--- a/mithrilctl/helm/spire/spire-agent/values.yaml
+++ b/mithrilctl/helm/spire/spire-agent/values.yaml
@@ -18,6 +18,7 @@ configmaps:
 notifier:
 configMap: "trust-bundle"
 trustBundlePath: "/run/spire/bundle/root-cert.pem"
+ logLevel: "DEBUG"
 replicaCount: 1
diff --git a/mithrilctl/helm/spire/spire-server/Chart.yaml b/mithrilctl/helm/spire/spire-server/Chart.yaml
index 7bf628e6..af1e2b72 100644
--- a/mithrilctl/helm/spire/spire-server/Chart.yaml
+++ b/mithrilctl/helm/spire/spire-server/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 appVersion: 1.16.0
-description: A Helm chart for Kubernetes
+description: A Helm chart for a SPIRE Server installation with the controller-manager for automatic workload registration
 name: spire-server
 type: application
 version: 1.1.1
diff --git a/mithrilctl/helm/spire/spire-server/templates/configmaps.yaml b/mithrilctl/helm/spire/spire-server/templates/configmaps.yaml
index 2902fd81..256defb2 100644
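Review bot: The indentation of the added `logLevel: "DEBUG"` is not recoverable from this view, but it is appended directly after `trustBundlePath`, which lives under `configmaps.agentConfig.notifier`; if it sits at that depth it becomes `configmaps.agentConfig.notifier.logLevel` and the template's `.Values.configmaps.agentConfig.logLevel` renders empty. It should be indented to the `agentConfig` level alongside `socketPath`/`trustDomain`, and the same check applies to the spire-server values.yaml hunk, where it follows `configMapKey` under `serverConfig.notifier`. Shipping `"DEBUG"` as the chart default also means every install logs at debug level unless overridden; `"INFO"` is the usual chart default, with DEBUG set per environment.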
--- a/mithrilctl/helm/spire/spire-server/templates/configmaps.yaml
+++ b/mithrilctl/helm/spire/spire-server/templates/configmaps.yaml
@@ -22,7 +22,7 @@ data:
 socket_path = "{{ .Values.configmaps.serverConfig.socketPath }}"
 trust_domain = "{{ .Values.configmaps.serverConfig.trustDomain }}"
 data_dir = "/run/spire/server/data"
- log_level = "DEBUG"
+ log_level = "{{ .Values.configmaps.serverConfig.logLevel }}"
 ca_key_type = "rsa-2048"
 {{ if eq .Values.configmaps.serverConfig.federates true }}
diff --git a/mithrilctl/helm/spire/spire-server/values-test.yaml b/mithrilctl/helm/spire/spire-server/values-test.yaml
deleted file mode 100644
index 21eb6ad0..00000000
--- a/mithrilctl/helm/spire/spire-server/values-test.yaml
+++ /dev/null
@@ -1,164 +0,0 @@
-# Default values for spire-server.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-namespace: spire
-name: spire-server
-trustDomain: "domain.test"
-clusterName: demo-cluster
-tag: spire-server:1.1.1
-
-configmaps:
- notifier:
- bundleName: trust-bundle
- serverConfig:
- socketPath: "/run/spire/sockets/api.sock"
- trustDomain: "domain.test"
- federatesWith: "example.org"
- federatesWithServer: 192.168.0.16:4001
- ttl: "1h"
- notifier:
- configMap: "trust-bundle"
- configMapKey: "root-cert.pem"
-
-replicaCount: 1
-
-image:
- repository: nginx
- pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
- tag: ""
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
-
-podAnnotations: {}
-
-podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-serviceSpire:
- type: NodePort
- ports:
- - name: api
- port: 8081
- targetPort: 8081
- protocol: TCP
-
-serviceBundleEndpoint:
- name: spire-server-bundle-endpoint
- type: NodePort
- ports:
- - name: api
- port: 8443
- protocol: TCP
-
-serviceControllerWebhook:
- name: spire-controller-manager-webhook-service
- type: NodePort
- ports:
- - port: 443
- protocol: TCP
- targetPort: 9443
-
-# selector:
-# app: spire-server
-
-ingress:
- enabled: false
- className: ""
- annotations: {}
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- hosts:
- - host: chart-example.local
- paths:
- - path: /
- pathType: ImplementationSpecific
- tls: []
- # - secretName: chart-example-tls
- # hosts:
- # - chart-example.local
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-roles:
- clusterRole:
- name: spire-server-cluster-role
- rules:
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: [ "get" ]
- - apiGroups: [ "authentication.k8s.io" ]
- resources: [ "tokenreviews" ]
- verbs: [ "get", "create" ]
- clusterRoleBinding:
- name: spire-server-cluster-role-binding
- subjects:
- - kind: ServiceAccount
- name: spire-server
- namespace: spire
- roleRef:
- kind: ClusterRole
- name: spire-server-cluster-role
- apiGroup: rbac.authorization.k8s.io
- role:
- name: spire-server-role
- rules:
- - apiGroups: [ "" ]
- resources: [ "pods" ]
- verbs: [ "get" ]
- - apiGroups: [ "" ]
- resources: [ "configmaps" ]
- resourceNames: [ "trust-bundle" ]
- verbs: [ "get", "patch" ]
- roleBinding:
- name: spire-server-role-binding
- subjects:
- - kind: ServiceAccount
- name: spire-server
- namespace: spire
- roleRef:
- kind: Role
- name: spire-server-role
- apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/mithrilctl/helm/spire/spire-server/values.yaml b/mithrilctl/helm/spire/spire-server/values.yaml
index 11d30e4c..2cdb7271 100644
--- a/mithrilctl/helm/spire/spire-server/values.yaml
+++ b/mithrilctl/helm/spire/spire-server/values.yaml
@@ -28,6 +28,7 @@ configmaps:
 notifier:
 configMap: "trust-bundle"
 configMapKey: "root-cert.pem"
+ logLevel: "DEBUG"
 replicaCount: 1