From df7e26cc429e212a6fd195541dda678019db0694 Mon Sep 17 00:00:00 2001 
From: Lionel Jouin Date: Wed, 17 Apr 2024 15:34:32 +0200 Subject: [PATCH] Update to newer Spire version --- docs/demo/deployments/spire/README.md | 24 - .../demo/deployments/spire/agent-account.yaml | 6 - .../deployments/spire/agent-cluster-role.yaml | 25 - .../deployments/spire/agent-daemonset.yaml | 79 -- docs/demo/deployments/spire/agent.conf | 34 - .../k8s-workload-registrar-cluster-role.yaml | 29 - .../spire/k8s-workload-registrar-crd.yaml | 107 --- .../spire/k8s-workload-registrar-service.yaml | 15 - ...trar-validating-webhook-configuration.yaml | 22 - .../spire/k8s-workload-registrar.conf | 11 - .../demo/deployments/spire/kustomization.yaml | 37 - docs/demo/deployments/spire/readme.md | 12 + .../deployments/spire/server-account.yaml | 6 - .../spire/server-cluster-role.yaml | 35 - .../deployments/spire/server-service.yaml | 19 - .../deployments/spire/server-statefulset.yaml | 86 -- docs/demo/deployments/spire/server.conf | 47 - .../spire/spire-bundle-configmap.yaml | 6 - docs/demo/deployments/spire/spire-crds.yaml | 446 ++++++++++ .../deployments/spire/spire-namespace.yaml | 5 - docs/demo/deployments/spire/spire.yaml | 842 ++++++++++++++++++ docs/demo/deployments/spire/values.yaml | 14 + docs/demo/scripts/kind/Makefile | 7 +- 23 files changed, 1318 insertions(+), 596 deletions(-) delete mode 100644 docs/demo/deployments/spire/README.md delete mode 100644 docs/demo/deployments/spire/agent-account.yaml delete mode 100644 docs/demo/deployments/spire/agent-cluster-role.yaml delete mode 100644 docs/demo/deployments/spire/agent-daemonset.yaml delete mode 100644 docs/demo/deployments/spire/agent.conf delete mode 100644 docs/demo/deployments/spire/k8s-workload-registrar-cluster-role.yaml delete mode 100644 docs/demo/deployments/spire/k8s-workload-registrar-crd.yaml delete mode 100644 docs/demo/deployments/spire/k8s-workload-registrar-service.yaml delete mode 100644 docs/demo/deployments/spire/k8s-workload-registrar-validating-webhook-configuration.yaml delete mode 
100644 docs/demo/deployments/spire/k8s-workload-registrar.conf delete mode 100644 docs/demo/deployments/spire/kustomization.yaml create mode 100644 docs/demo/deployments/spire/readme.md delete mode 100644 docs/demo/deployments/spire/server-account.yaml delete mode 100644 docs/demo/deployments/spire/server-cluster-role.yaml delete mode 100644 docs/demo/deployments/spire/server-service.yaml delete mode 100644 docs/demo/deployments/spire/server-statefulset.yaml delete mode 100644 docs/demo/deployments/spire/server.conf delete mode 100644 docs/demo/deployments/spire/spire-bundle-configmap.yaml create mode 100644 docs/demo/deployments/spire/spire-crds.yaml delete mode 100644 docs/demo/deployments/spire/spire-namespace.yaml create mode 100644 docs/demo/deployments/spire/spire.yaml create mode 100644 docs/demo/deployments/spire/values.yaml diff --git a/docs/demo/deployments/spire/README.md b/docs/demo/deployments/spire/README.md deleted file mode 100644 index d12ae3ce..00000000 --- a/docs/demo/deployments/spire/README.md +++ /dev/null @@ -1,24 +0,0 @@ -# Spire - -## Run - -To apply spire deployments following the next command: -```bash -kubectl apply -k https://github.com/networkservicemesh/deployments-k8s/examples/spire?ref=1e3e6693f062cb1bc212bbe020bb7d20acaf9373 -``` - -Wait for PODs status ready: -```bash -kubectl wait -n spire --timeout=2m --for=condition=ready pod -l app=spire-agent -``` -```bash -kubectl wait -n spire --timeout=1m --for=condition=ready pod -l app=spire-server -``` - -## Cleanup - -Delete ns: -```bash -kubectl delete crd spiffeids.spiffeid.spiffe.io -kubectl delete ns spire -``` diff --git a/docs/demo/deployments/spire/agent-account.yaml b/docs/demo/deployments/spire/agent-account.yaml deleted file mode 100644 index 4e5794c8..00000000 --- a/docs/demo/deployments/spire/agent-account.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-agent - namespace: spire 
diff --git a/docs/demo/deployments/spire/agent-cluster-role.yaml b/docs/demo/deployments/spire/agent-cluster-role.yaml
deleted file mode 100644
index b79564de..00000000
--- a/docs/demo/deployments/spire/agent-cluster-role.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-# Required cluster role to allow spire-agent to query k8s API server
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-agent-cluster-role
-rules:
-- apiGroups: [""]
- resources: ["pods", "nodes", "nodes/proxy"]
- verbs: ["get"]
-
----
-# Binds above cluster role to spire-agent service account
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-agent-cluster-role-binding
-subjects:
-- kind: ServiceAccount
- name: spire-agent
- namespace: spire
-roleRef:
- kind: ClusterRole
- name: spire-agent-cluster-role
- apiGroup: rbac.authorization.k8s.io
diff --git a/docs/demo/deployments/spire/agent-daemonset.yaml b/docs/demo/deployments/spire/agent-daemonset.yaml
deleted file mode 100644
index 7f47d240..00000000
--- a/docs/demo/deployments/spire/agent-daemonset.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: spire-agent - namespace: spire - labels: - app: spire-agent -spec: - selector: - matchLabels: - app: spire-agent - template: - metadata: - namespace: spire - labels: - app: spire-agent - spec: - hostPID: true - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: spire-agent - initContainers: - - name: init - # This is a small image with wait-for-it, choose whatever image - # you prefer that waits for a service to be up. This image is built - # from https://github.com/lqhl/wait-for-it - image: gcr.io/spiffe-io/wait-for-it - imagePullPolicy: IfNotPresent - args: ["-t", "30", "spire-server:8081"] - containers: - - name: spire-agent - image: gcr.io/spiffe-io/spire-agent:1.2.2 - args: ["-config", "/run/spire/config/agent.conf"] - volumeMounts: - - name: spire-config - mountPath: /run/spire/config - readOnly: true - - name: spire-bundle - mountPath: /run/spire/bundle - - name: spire-agent-socket - mountPath: /run/spire/sockets - readOnly: false - - name: spire-token - mountPath: /var/run/secrets/tokens - livenessProbe: - exec: - command: - - /opt/spire/bin/spire-agent - - healthcheck - - -socketPath - - /run/spire/sockets/agent.sock - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 - readinessProbe: - exec: - command: ["/opt/spire/bin/spire-agent", "healthcheck", "-socketPath", "/run/spire/sockets/agent.sock", "--shallow"] - initialDelaySeconds: 5 - periodSeconds: 5 - volumes: - - name: spire-config - configMap: - name: spire-agent - - name: spire-bundle - configMap: - name: spire-bundle - - name: spire-agent-socket - hostPath: - path: /run/spire/sockets - type: DirectoryOrCreate - - name: spire-token - projected: - sources: - - serviceAccountToken: - path: spire-agent - expirationSeconds: 7200 - audience: spire-server 
diff --git a/docs/demo/deployments/spire/agent.conf b/docs/demo/deployments/spire/agent.conf
deleted file mode 100644
index 21b27b09..00000000
--- a/docs/demo/deployments/spire/agent.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-agent {
- data_dir = "/run/spire"
- log_level = "DEBUG"
- server_address = "spire-server"
- server_port = "8081"
- socket_path = "/run/spire/sockets/agent.sock"
- trust_bundle_path = "/run/spire/bundle/bundle.crt"
- trust_domain = "example.org"
-}
-
-plugins {
- NodeAttestor "k8s_psat" {
- plugin_data {
- # NOTE: Change this to your cluster name
- cluster = "nsm-cluster"
- }
- }
-
- KeyManager "memory" {
- plugin_data {}
- }
-
- WorkloadAttestor "k8s" {
- plugin_data {
- # Defaults to the secure kubelet port by default.
- # Minikube does not have a cert in the cluster CA bundle that
- # can authenticate the kubelet cert, so skip validation.
- skip_kubelet_verification = true
- }
- }
- WorkloadAttestor "unix" {
- plugin_data {}
- }
-}
diff --git a/docs/demo/deployments/spire/k8s-workload-registrar-cluster-role.yaml b/docs/demo/deployments/spire/k8s-workload-registrar-cluster-role.yaml
deleted file mode 100644
index c8e09794..00000000
--- a/docs/demo/deployments/spire/k8s-workload-registrar-cluster-role.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: k8s-workload-registrar-role
-rules:
- - apiGroups: [""]
- resources: ["endpoints", "nodes", "pods"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["spiffeid.spiffe.io"]
- resources: ["spiffeids"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["spiffeid.spiffe.io"]
- resources: ["spiffeids/status"]
- verbs: ["get", "patch", "update"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: k8s-workload-registrar-role-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: k8s-workload-registrar-role
-subjects:
- - kind: ServiceAccount
- name: spire-server
- namespace: spire
diff --git a/docs/demo/deployments/spire/k8s-workload-registrar-crd.yaml b/docs/demo/deployments/spire/k8s-workload-registrar-crd.yaml
deleted file mode 100644
index 5dd18a60..00000000
--- a/docs/demo/deployments/spire/k8s-workload-registrar-crd.yaml
+++ /dev/null
@@ -1,107 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.4 - name: spiffeids.spiffeid.spiffe.io -spec: - group: spiffeid.spiffe.io - names: - kind: SpiffeID - listKind: SpiffeIDList - plural: spiffeids - singular: spiffeid - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - description: SpiffeID is the Schema for the spiffeid API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SpiffeIDSpec defines the desired state of SpiffeID - properties: - dnsNames: - items: - type: string - type: array - federatesWith: - items: - type: string - type: array - parentId: - type: string - selector: - properties: - arbitrary: - description: Arbitrary selectors - items: - type: string - type: array - containerImage: - description: Container image to match for this spiffe ID - type: string - containerName: - description: Container name to match for this spiffe ID - type: string - namespace: - description: Namespace to match for this spiffe ID - type: string - nodeName: - description: Node name to match for this spiffe ID - type: string - podLabel: - additionalProperties: - type: string - description: Pod label name/value to match for this spiffe ID - type: object - podName: - description: Pod name to match for this spiffe ID - type: string - podUid: - description: Pod UID to match for this spiffe ID - type: string - serviceAccount: - description: ServiceAccount to match for this spiffe ID - type: string - cluster: - description: The k8s_psat cluster name - type: string - agent_node_uid: - description: UID of the node - type: string - type: object - spiffeId: - type: string - required: - - parentId - - selector - - spiffeId - type: object - status: - description: SpiffeIDStatus defines the observed state of SpiffeID - properties: - entryId: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file' - type: string - type: object - type: object diff --git a/docs/demo/deployments/spire/k8s-workload-registrar-service.yaml b/docs/demo/deployments/spire/k8s-workload-registrar-service.yaml deleted file mode 100644 index e72048fe..00000000 
--- a/docs/demo/deployments/spire/k8s-workload-registrar-service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: k8s-workload-registrar
- namespace: spire
-spec:
- type: ClusterIP
- ports:
- - name: webhook
- protocol: TCP
- port: 443
- targetPort: 9443
- selector:
- app: spire-server
diff --git a/docs/demo/deployments/spire/k8s-workload-registrar-validating-webhook-configuration.yaml b/docs/demo/deployments/spire/k8s-workload-registrar-validating-webhook-configuration.yaml
deleted file mode 100644
index 2653e865..00000000
--- a/docs/demo/deployments/spire/k8s-workload-registrar-validating-webhook-configuration.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: k8s-workload-registrar
- labels:
- spiffe.io/webhook: "true"
-webhooks:
- - name: k8s-workload-registrar.spire.svc
- admissionReviewVersions: ["v1", "v1beta1"]
- clientConfig:
- service:
- name: k8s-workload-registrar
- namespace: spire
- path: "/validate-spiffeid-spiffe-io-v1beta1-spiffeid"
- rules:
- - apiGroups: ["spiffeid.spiffe.io"]
- apiVersions: ["v1beta1"]
- operations: ["CREATE", "UPDATE", "DELETE"]
- resources: ["spiffeids"]
- scope: Namespaced
- sideEffects: None
diff --git a/docs/demo/deployments/spire/k8s-workload-registrar.conf b/docs/demo/deployments/spire/k8s-workload-registrar.conf
deleted file mode 100644
index cb81e060..00000000
--- a/docs/demo/deployments/spire/k8s-workload-registrar.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-log_level = "debug"
-trust_domain = "example.org"
-agent_socket_path = "/run/spire/sockets/agent.sock"
-server_socket_path = "/tmp/spire-server/private/api.sock"
-cluster = "nsm-cluster"
-pod_controller = true
-add_svc_dns_names = true
-mode = "crd"
-webhook_enabled = true
-identity_template = "ns/{{.Pod.Namespace}}/sa/{{.Pod.ServiceAccount}}"
-#identity_template_label = "spiffe.io/spiffe-id"
\ No newline at end of file
diff --git a/docs/demo/deployments/spire/kustomization.yaml b/docs/demo/deployments/spire/kustomization.yaml
deleted file mode 100644
index 7623e480..00000000
--- a/docs/demo/deployments/spire/kustomization.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: spire
-
-generatorOptions:
- disableNameSuffixHash: true
-
-configMapGenerator:
-- name: spire-server
- namespace: spire
- files:
- - server.conf
-- name: spire-agent
- namespace: spire
- files:
- - agent.conf
-- name: k8s-workload-registrar
- namespace: spire
- files:
- - k8s-workload-registrar.conf
-
-resources:
-- k8s-workload-registrar-crd.yaml
-- spire-namespace.yaml
-- agent-account.yaml
-- agent-cluster-role.yaml
-- agent-daemonset.yaml
-- server-account.yaml
-- server-cluster-role.yaml
-- server-service.yaml
-- server-statefulset.yaml
-- spire-bundle-configmap.yaml
-- k8s-workload-registrar-cluster-role.yaml
-- k8s-workload-registrar-service.yaml
-- k8s-workload-registrar-validating-webhook-configuration.yaml
diff --git a/docs/demo/deployments/spire/readme.md b/docs/demo/deployments/spire/readme.md
new file mode 100644
index 00000000..a07d150a
--- /dev/null
+++ b/docs/demo/deployments/spire/readme.md
@@ -0,0 +1,12 @@
+# Spire yaml generation
+
+The yaml files have been generated with these commands:
+```
+helm install -n spire --create-namespace my-spire-crds spiffe/spire-crds --version 0.4.0 --dry-run
+helm install -n spire --create-namespace my-spire spiffe/spire --version 0.20.0 -f docs/demo/deployments/spire/values.yaml --dry-run
+```
+
+`"webhook_label": "spiffe.io/webhook",` has been added to Notifier.k8sbundle.plugin_data in the spire-server configmap.
+This ticket would solve the problem: https://github.com/spiffe/helm-charts-hardened/issues/47
+
+`"mutatingwebhookconfigurations"` next to the validatingwebhookconfigurations resource has been added to the spire-controller-manager ClusterRole.
diff --git a/docs/demo/deployments/spire/server-account.yaml b/docs/demo/deployments/spire/server-account.yaml
deleted file mode 100644
index 98d811ce..00000000
--- a/docs/demo/deployments/spire/server-account.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: spire-server
- namespace: spire
diff --git a/docs/demo/deployments/spire/server-cluster-role.yaml b/docs/demo/deployments/spire/server-cluster-role.yaml
deleted file mode 100644
index 03c59a50..00000000
--- a/docs/demo/deployments/spire/server-cluster-role.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-# ClusterRole to allow spire-server node attestor to query Token Review API
-# and to be able to push certificate bundles to a configmap
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-server-trust-role
-rules:
-- apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
-- apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
- verbs: ["get", "list", "patch", "watch"]
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["patch", "get", "list"]
-- apiGroups: [""]
- resources: ["pods", "nodes"]
- verbs: ["get"]
-
----
-# Binds above cluster role to spire-server service account
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-server-trust-role-binding
-subjects:
-- kind: ServiceAccount
- name: spire-server
- namespace: spire
-roleRef:
- kind: ClusterRole
- name: spire-server-trust-role
- apiGroup: rbac.authorization.k8s.io
diff --git a/docs/demo/deployments/spire/server-service.yaml b/docs/demo/deployments/spire/server-service.yaml
deleted file mode 100644
index ca919d8e..00000000
--- a/docs/demo/deployments/spire/server-service.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: spire-server
- namespace: spire
-spec:
- type: LoadBalancer
- ports:
- - name: spire-server
- port: 8081
- targetPort: 8081
- protocol: TCP
- - name: spire-federation
- port: 8443
- targetPort: 8443
- protocol: TCP
- selector:
- app: spire-server
diff --git a/docs/demo/deployments/spire/server-statefulset.yaml b/docs/demo/deployments/spire/server-statefulset.yaml
deleted file mode 100644
index 4ebf6673..00000000
--- a/docs/demo/deployments/spire/server-statefulset.yaml
+++ /dev/null
@@ -1,86 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: spire-server - namespace: spire - labels: - app: spire-server -spec: - replicas: 1 - selector: - matchLabels: - app: spire-server - serviceName: spire-server - template: - metadata: - namespace: spire - labels: - app: spire-server - spec: - serviceAccountName: spire-server - shareProcessNamespace: true - containers: - - name: spire-server - image: gcr.io/spiffe-io/spire-server:1.2.2 - args: - - -config - - /run/spire/config/server.conf - ports: - - containerPort: 8081 - volumeMounts: - - name: spire-config - mountPath: /run/spire/config - readOnly: true - - name: spire-registration-socket - mountPath: /tmp - readOnly: false - livenessProbe: - exec: - command: - - /opt/spire/bin/spire-server - - healthcheck - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 - readinessProbe: - exec: - command: ["/opt/spire/bin/spire-server", "healthcheck", "--shallow"] - - name: k8s-workload-registrar - image: gcr.io/spiffe-io/k8s-workload-registrar:1.2.2 - args: - - -config - - /run/spire/config/k8s-workload-registrar.conf - env: - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - ports: - - containerPort: 9443 - name: webhook - protocol: TCP - volumeMounts: - - mountPath: /run/spire/config - name: k8s-workload-registrar-config - readOnly: true - - mountPath: /run/spire/sockets - name: spire-agent-socket - readOnly: true - - name: spire-registration-socket - mountPath: /tmp - readOnly: false - volumes: - - name: spire-config - configMap: - name: spire-server - - name: spire-agent-socket - hostPath: - path: /run/spire/sockets - type: DirectoryOrCreate - - name: k8s-workload-registrar-config - configMap: - name: k8s-workload-registrar - - name: spire-registration-socket - emptyDir: {} diff --git a/docs/demo/deployments/spire/server.conf b/docs/demo/deployments/spire/server.conf deleted file mode 100644 index 9b15a4fc..00000000 
--- a/docs/demo/deployments/spire/server.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-server {
- bind_address = "0.0.0.0"
- bind_port = "8081"
- trust_domain = "example.org"
- data_dir = "/run/spire/data"
- log_level = "DEBUG"
- #AWS requires the use of RSA. EC cryptography is not supported
- ca_key_type = "rsa-2048"
- default_svid_ttl = "1h"
- ca_subject = {
- country = ["US"],
- organization = ["SPIFFE"],
- common_name = "",
- }
-}
-
-plugins {
- DataStore "sql" {
- plugin_data {
- database_type = "sqlite3"
- connection_string = "/run/spire/data/datastore.sqlite3"
- }
- }
-
- NodeAttestor "k8s_psat" {
- plugin_data {
- clusters = {
- # NOTE: Change this to your cluster name
- "nsm-cluster" = {
- use_token_review_api_validation = true
- service_account_allow_list = ["spire:spire-agent"]
- }
- }
- }
- }
-
- KeyManager "disk" {
- plugin_data {
- keys_path = "/run/spire/data/keys.json"
- }
- }
- Notifier "k8sbundle" {
- plugin_data {
- webhook_label = "spiffe.io/webhook"
- }
- }
-}
diff --git a/docs/demo/deployments/spire/spire-bundle-configmap.yaml b/docs/demo/deployments/spire/spire-bundle-configmap.yaml
deleted file mode 100644
index 4633e426..00000000
--- a/docs/demo/deployments/spire/spire-bundle-configmap.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: spire-bundle
- namespace: spire
diff --git a/docs/demo/deployments/spire/spire-crds.yaml b/docs/demo/deployments/spire/spire-crds.yaml
new file mode 100644
index 00000000..5ab60efd
--- /dev/null
+++ b/docs/demo/deployments/spire/spire-crds.yaml
@@ -0,0 +1,446 @@ +--- +# Source: spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterfederatedtrustdomains.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterFederatedTrustDomain + listKind: ClusterFederatedTrustDomainList + plural: clusterfederatedtrustdomains + singular: clusterfederatedtrustdomain + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trustDomain + name: Trust Domain + type: string + - jsonPath: .spec.bundleEndpointURL + name: Endpoint URL + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterFederatedTrustDomainSpec defines the desired state + of ClusterFederatedTrustDomain + properties: + bundleEndpointProfile: + description: BundleEndpointProfile is the profile for the bundle endpoint. + properties: + endpointSPIFFEID: + description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. 
+ It is required for the "https_spiffe" profile. + type: string + type: + description: Type is the type of the bundle endpoint profile. + enum: + - https_spiffe + - https_web + type: string + required: + - type + type: object + bundleEndpointURL: + description: BundleEndpointURL is the URL of the bundle endpoint. + It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). + type: string + className: + description: Set the class of controller to handle this object. + type: string + trustDomain: + description: TrustDomain is the name of the trust domain to federate + with (e.g. example.org) + pattern: '[a-z0-9._-]{1,255}' + type: string + trustDomainBundle: + description: TrustDomainBundle is the contents of the bundle for the + referenced trust domain. This field is optional when the resource + is created. + type: string + required: + - bundleEndpointProfile + - bundleEndpointURL + - trustDomain + type: object + status: + description: ClusterFederatedTrustDomainStatus defines the observed state + of ClusterFederatedTrustDomain + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +# Source: spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterspiffeids.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterSPIFFEID + listKind: ClusterSPIFFEIDList + plural: clusterspiffeids + singular: clusterspiffeid + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSPIFFEID is the Schema for the clusterspiffeids API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID + properties: + admin: + description: Admin indicates whether or not the SVID can be used to + access the SPIRE administrative APIs. Extra care should be taken + to only apply this SPIFFE ID to admin workloads. + type: boolean + autoPopulateDNSNames: + description: AutoPopulateDNSNames indicates whether or not to auto + populate service DNS names. + type: boolean + dnsNameTemplates: + description: DNSNameTemplate represents templates for extra DNS names + that are applicable to SVIDs minted for this ClusterSPIFFEID. The + node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + downstream: + description: Downstream indicates that the entry describes a downstream + SPIRE server. + type: boolean + className: + description: Set the class of controller to handle this object. + type: string + federatesWith: + description: FederatesWith is a list of trust domain names that workloads + that obtain this SPIFFE ID will federate with. + items: + type: string + type: array + jwtTtl: + description: JWTTTL indicates an upper-bound time-to-live for JWT + SVIDs minted for this ClusterSPIFFEID. + type: string + namespaceSelector: + description: NamespaceSelector selects the namespaces that are targeted + by this CRD. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: PodSelector selects the pods that are targeted by this + CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + spiffeIDTemplate: + description: SPIFFEID is the SPIFFE ID template. The node and pod + spec are made available to the template under .NodeSpec, .PodSpec + respectively. + type: string + ttl: + description: TTL indicates an upper-bound time-to-live for X509 SVIDs + minted for this ClusterSPIFFEID. If unset, a default will be chosen. + type: string + workloadSelectorTemplates: + description: WorkloadSelectorTemplates are templates to produce arbitrary + workload selectors that apply to a given workload before it will + receive this SPIFFE ID. The rendered value is interpreted by SPIRE + and are of the form type:value, where the value may, and often does, + contain semicolons, .e.g., k8s:container-image:docker/hello-world + The node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + required: + - spiffeIDTemplate + type: object + status: + description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID + properties: + stats: + description: Stats produced by the last entry reconciliation run + properties: + entriesMasked: + description: How many entries were masked by entries for other + ClusterSPIFFEIDs. 
This happens when one or more ClusterSPIFFEIDs + produce an entry for the same pod with the same set of workload + selectors. + type: integer + entriesToSet: + description: How many entries are to be set for this ClusterSPIFFEID. + In nominal conditions, this should reflect the number of pods + selected, but not always if there were problems encountered + rendering an entry for the pod (RenderFailures) or entries are + masked (EntriesMasked). + type: integer + entryFailures: + description: How many entries were unable to be set due to failures + to create or update the entries via the SPIRE Server API. + type: integer + namespacesIgnored: + description: How many (selected) namespaces were ignored (based + on configuration). + type: integer + namespacesSelected: + description: How many namespaces were selected. + type: integer + podEntryRenderFailures: + description: How many failures were encountered rendering an entry + selected pods. This could be due to either a bad template in + the ClusterSPIFFEID or Pod metadata that when applied to the + template did not produce valid entry values. + type: integer + podsSelected: + description: How many pods were selected out of the namespaces. 
+ type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +# Source: spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterstaticentries.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterStaticEntry + listKind: ClusterStaticEntryList + plural: clusterstaticentries + singular: clusterstaticentry + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterStaticEntry is the Schema for the clusterstaticentries + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry + properties: + admin: + type: boolean + className: + description: Set the class of controller to handle this object. 
+ type: string + dnsNames: + items: + type: string + type: array + downstream: + type: boolean + federatesWith: + items: + type: string + type: array + hint: + type: string + jwtSVIDTTL: + type: string + parentID: + type: string + selectors: + items: + type: string + type: array + spiffeID: + type: string + storeSVID: + type: boolean + x509SVIDTTL: + type: string + required: + - parentID + - selectors + - spiffeID + type: object + status: + description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry + properties: + masked: + description: If the static entry was masked by another entry. + type: boolean + rendered: + description: If the static entry rendered properly. + type: boolean + set: + description: If the static entry was successfully created/updated. + type: boolean + required: + - masked + - rendered + - set + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + diff --git a/docs/demo/deployments/spire/spire-namespace.yaml b/docs/demo/deployments/spire/spire-namespace.yaml deleted file mode 100644 index 08c7fd84..00000000 --- a/docs/demo/deployments/spire/spire-namespace.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: spire diff --git a/docs/demo/deployments/spire/spire.yaml b/docs/demo/deployments/spire/spire.yaml new file mode 100644 index 00000000..f6938f36 --- /dev/null +++ b/docs/demo/deployments/spire/spire.yaml 
@@ -0,0 +1,842 @@ +--- +# Source: spire/charts/spire-agent/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: my-spire-agent + namespace: spire + labels: + helm.sh/chart: spire-agent-0.1.0 + app.kubernetes.io/name: agent + app.kubernetes.io/instance: my-spire + app.kubernetes.io/version: "1.9.4" + app.kubernetes.io/managed-by: Helm +--- +# Source: spire/charts/spire-server/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: my-spire-server + namespace: spire + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: my-spire + app.kubernetes.io/version: "1.9.4" + app.kubernetes.io/managed-by: Helm +--- +# Source: spire/charts/spire-agent/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: my-spire-agent + namespace: spire +data: + agent.conf: | + { + "agent": { + "data_dir": "/run/spire", + "log_level": "info", + "retry_bootstrap": true, + "server_address": "my-spire-server.spire", + "server_port": "443", + "socket_path": "/tmp/spire-agent/public/agent.sock", + "trust_bundle_path": "/run/spire/bundle/bundle.crt", + "trust_domain": "example.org" + }, + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "9982", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "KeyManager": [ + { + "memory": { + "plugin_data": null + } + } + ], + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "cluster": "example-cluster" + } + } + } + ], + "WorkloadAttestor": [ + { + "k8s": { + "plugin_data": { + "disable_container_selectors": false, + "skip_kubelet_verification": true + } + } + } + ] + } + } +--- +# Source: spire/charts/spire-server/templates/bundle-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire +--- +# Source: spire/charts/spire-server/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: 
my-spire-server + namespace: spire +data: + server.conf: | + { + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "8080", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "DataStore": [ + { + "sql": { + "plugin_data": { + "connection_string": "/run/spire/data/datastore.sqlite3", + "database_type": "sqlite3" + } + } + } + ], + "KeyManager": [ + { + "disk": { + "plugin_data": { + "keys_path": "/run/spire/data/keys.json" + } + } + } + ], + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "clusters": [ + { + "example-cluster": { + "allowed_node_label_keys": [], + "allowed_pod_label_keys": [], + "audience": [ + "spire-server" + ], + "service_account_allow_list": [ + "spire:my-spire-agent" + ] + } + } + ] + } + } + } + ], + "Notifier": [ + { + "k8sbundle": { + "plugin_data": { + "webhook_label": "spiffe.io/webhook", + "config_map": "spire-bundle", + "namespace": "spire" + } + } + } + ] + }, + "server": { + "audit_log_enabled": false, + "bind_address": "0.0.0.0", + "bind_port": "8081", + "ca_key_type": "rsa-2048", + "ca_subject": [ + { + "common_name": "example.org", + "country": [ + "ARPA" + ], + "organization": [ + "Example" + ] + } + ], + "ca_ttl": "24h", + "data_dir": "/run/spire/data", + "default_jwt_svid_ttl": "1h", + "default_x509_svid_ttl": "4h", + "jwt_issuer": "https://oidc-discovery.example.org", + "log_level": "info", + "trust_domain": "example.org" + } + } +--- +# Source: spire/charts/spire-server/templates/controller-manager-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: my-spire-controller-manager + namespace: spire +data: + controller-manager-config.yaml: | + apiVersion: spire.spiffe.io/v1alpha1 + kind: ControllerManagerConfig + metadata: + name: my-spire-controller-manager + namespace: spire + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: my-spire + app.kubernetes.io/version: "1.9.4" + 
app.kubernetes.io/managed-by: Helm + metrics: + bindAddress: 0.0.0.0:8082 + health: + healthProbeBindAddress: 0.0.0.0:8083 + leaderElection: + leaderElect: true + resourceName: ffa97b5d.spiffe.io + resourceNamespace: spire + validatingWebhookConfigurationName: spire-my-spire-controller-manager-webhook + entryIDPrefixCleanup: "" + entryIDPrefix: example-cluster + clusterName: example-cluster + trustDomain: example.org + ignoreNamespaces: + - kube-system + - kube-public + - local-path-storage + spireServerSocketPath: "/tmp/spire-server/private/api.sock" + className: "spire-my-spire" + watchClassless: false + parentIDTemplate: "spiffe://{{ .TrustDomain }}/spire/agent/k8s_psat/{{ .ClusterName }}/{{ .NodeMeta.UID }}" +--- +# Source: spire/charts/spire-agent/templates/roles.yaml +# Required cluster role to allow spire-agent to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: my-spire-agent +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - nodes/proxy + verbs: ["get"] +--- +# Source: spire/charts/spire-server/templates/controller-manager-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-my-spire-controller-manager +rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: 
["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/status"] + verbs: ["get", "patch", "update"] +--- +# Source: spire/charts/spire-server/templates/roles.yaml +# ClusterRole to allow spire-server node attestor to query Token Review API +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-my-spire-server +rules: + - apiGroups: [authentication.k8s.io] + resources: [tokenreviews] + verbs: + - get + - watch + - list + - create + - apiGroups: [""] + resources: [nodes, pods] + verbs: + - get + - list +--- +# Source: spire/charts/spire-agent/templates/roles.yaml +# Binds above cluster role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: my-spire-agent +subjects: + - kind: ServiceAccount + name: my-spire-agent + namespace: spire +roleRef: + kind: ClusterRole + name: my-spire-agent + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spire-server/templates/controller-manager-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-my-spire-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spire-my-spire-controller-manager 
+subjects: +- kind: ServiceAccount + name: my-spire-server + namespace: spire +--- +# Source: spire/charts/spire-server/templates/roles.yaml +# Binds above cluster role to spire-server service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-my-spire-server +subjects: + - kind: ServiceAccount + name: my-spire-server + namespace: spire +roleRef: + kind: ClusterRole + name: spire-my-spire-server + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spire-server/templates/controller-manager-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: my-spire-controller-manager-leader-election + namespace: spire +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: spire/charts/spire-server/templates/roles.yaml +# Role to be able to push certificate bundles to a configmap +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-bundle + namespace: spire +rules: + - apiGroups: [""] + resources: [configmaps] + resourceNames: [spire-bundle] + verbs: + - get + - patch +--- +# Source: spire/charts/spire-server/templates/controller-manager-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: my-spire-controller-manager-leader-election + namespace: spire +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: my-spire-controller-manager-leader-election +subjects: +- kind: ServiceAccount + name: my-spire-server + namespace: spire +--- +# Source: spire/charts/spire-server/templates/roles.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-bundle + namespace: spire +subjects: + - kind: 
ServiceAccount + name: my-spire-server + namespace: spire +roleRef: + kind: Role + name: spire-bundle + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spire-server/templates/controller-manager-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: my-spire-controller-manager-webhook + namespace: spire + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: my-spire + app.kubernetes.io/version: "1.9.4" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: https + protocol: TCP + selector: + app.kubernetes.io/name: server + app.kubernetes.io/instance: my-spire +--- +# Source: spire/charts/spire-server/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: my-spire-server + namespace: spire + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: my-spire + app.kubernetes.io/version: "1.9.4" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: grpc + port: 443 + targetPort: grpc + protocol: TCP + selector: + app.kubernetes.io/name: server + app.kubernetes.io/instance: my-spire +--- +# Source: spire/charts/spire-agent/templates/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: my-spire-agent + namespace: spire + labels: + helm.sh/chart: spire-agent-0.1.0 + app.kubernetes.io/name: agent + app.kubernetes.io/instance: my-spire + app.kubernetes.io/version: "1.9.4" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: default +spec: + selector: + matchLabels: + app.kubernetes.io/name: agent + app.kubernetes.io/instance: my-spire + app.kubernetes.io/component: default + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: spire-agent + checksum/config: 
189a2074a2638b33e12e48c6b48cd90430194c06c322e61278dbc90af0a6bbb1 + labels: + app.kubernetes.io/name: agent + app.kubernetes.io/instance: my-spire + app.kubernetes.io/component: default + spec: + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: my-spire-agent + securityContext: + {} + + initContainers: + - name: ensure-alternate-names + image: cgr.dev/chainguard/bash:latest@sha256:5921884408efe50b77796675dc109ad2126f54476fe7403c37d8898a5ceb2e76 + imagePullPolicy: Always + command: ["bash", "-xc"] + args: + - | + cd /run/spire/sockets + L=`readlink socket` + [ "x$L" != "xagent.sock" ] && rm -f socket + [ ! -L socket ] && ln -s agent.sock socket + L=`readlink spire-agent.sock` + [ "x$L" != "xagent.sock" ] && rm -f spire-agent.sock + [ ! -L spire-agent.sock ] && ln -s agent.sock spire-agent.sock + L=`readlink api.sock` + [ "x$L" != "xagent.sock" ] && rm -f api.sock + [ ! -L api.sock ] && ln -s agent.sock api.sock + [ -L agent.sock ] && rm -f agent.sock + exit 0 + resources: + {} + volumeMounts: + - name: spire-agent-socket-dir + mountPath: /run/spire/sockets + securityContext: + runAsUser: 0 + runAsGroup: 0 + containers: + - name: spire-agent + image: ghcr.io/spiffe/spire-agent:1.9.4 + imagePullPolicy: IfNotPresent + args: ["-config", "/opt/spire/conf/agent/agent.conf"] + securityContext: + {} + env: + - name: PATH + value: "/opt/spire/bin:/bin" + ports: + - containerPort: 9982 + name: healthz + volumeMounts: + - name: spire-config + mountPath: /opt/spire/conf/agent + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + readOnly: true + - name: spire-agent-socket-dir + mountPath: /tmp/spire-agent/public + readOnly: false + - name: spire-token + mountPath: /var/run/secrets/tokens + livenessProbe: + httpGet: + path: /live + port: healthz + initialDelaySeconds: 15 + periodSeconds: 60 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 10 + periodSeconds: 30 + resources: + {} + 
volumes: + - name: spire-config + configMap: + name: my-spire-agent + - name: spire-agent-admin-socket-dir + emptyDir: {} + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/sockets + type: DirectoryOrCreate +--- +# Source: spire/charts/spire-server/templates/server-resource.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: my-spire-server + namespace: spire + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: my-spire + app.kubernetes.io/version: "1.9.4" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: server +spec: + replicas: 1 + serviceName: my-spire-server + selector: + matchLabels: + app.kubernetes.io/name: server + app.kubernetes.io/instance: my-spire + app.kubernetes.io/component: server + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: spire-server + checksum/config: 256ab3b88bd873772e8324e6a0bb215d439b742efd9aa656d8f9a5abf9d71ea1 + checksum/config2: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/config3: 757409015cd2cf0d5ceffc0f33f088b5dfe465dd5737e73b15dfa7cef23fb915 + checksum/configTornjak: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/name: server + app.kubernetes.io/instance: my-spire + app.kubernetes.io/component: server + component: server + release: my-spire + release-namespace: spire + spec: + serviceAccountName: my-spire-server + shareProcessNamespace: true + securityContext: + {} + + containers: + - name: spire-server + securityContext: + {} + image: ghcr.io/spiffe/spire-server:1.9.4 + imagePullPolicy: IfNotPresent + args: + - -expandEnv + - -config + - /run/spire/config/server.conf + env: + - name: PATH + value: "/opt/spire/bin:/bin" + 
ports: + - name: grpc + containerPort: 8081 + protocol: TCP + - containerPort: 8080 + name: healthz + livenessProbe: + httpGet: + path: /live + port: healthz + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {} + volumeMounts: + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: false + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-data + mountPath: /run/spire/data + readOnly: false + - name: server-tmp + mountPath: /tmp + readOnly: false + - name: spire-controller-manager + securityContext: + {} + image: ghcr.io/spiffe/spire-controller-manager:0.5.0 + imagePullPolicy: IfNotPresent + args: + - --config=controller-manager-config.yaml + env: + - name: ENABLE_WEBHOOKS + value: "true" + ports: + - name: https + containerPort: 9443 + protocol: TCP + - containerPort: 8083 + name: healthz + livenessProbe: + httpGet: + path: /healthz + port: healthz + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + {} + volumeMounts: + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: true + - name: controller-manager-config + mountPath: /controller-manager-config.yaml + subPath: controller-manager-config.yaml + readOnly: true + - name: spire-controller-manager-tmp + mountPath: /tmp + readOnly: false + volumes: + - name: server-tmp + emptyDir: {} + - name: spire-config + configMap: + name: my-spire-server + - name: spire-server-socket + emptyDir: {} + - name: spire-controller-manager-tmp + emptyDir: {} + - name: controller-manager-config + configMap: + name: my-spire-controller-manager + volumeClaimTemplates: + - metadata: + name: spire-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +# Source: spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml 
+apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: spire-my-spire-default +spec: + className: "spire-my-spire" + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - spire + - spire-server + - spire-system + dnsNameTemplates: + - '{{ .PodMeta.Name }}' + autoPopulateDNSNames: true +--- +# Source: spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: spire-my-spire-oidc-discovery-provider +spec: + className: "spire-my-spire" + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + podSelector: + matchLabels: + component: oidc-discovery-provider + release: my-spire + release-namespace: spire + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - spire + - spire-server + - spire-system + dnsNameTemplates: + - oidc-discovery.{{ .TrustDomain }} + autoPopulateDNSNames: true +--- +# Source: spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: spire-my-spire-test-keys +spec: + className: "spire-my-spire" + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + podSelector: + matchLabels: + component: test-keys + release: my-spire + release-namespace: spire + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - spire + - spire-server + - spire-system +--- +# Source: spire/charts/spire-server/templates/controller-manager-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: 
spire-my-spire-controller-manager-webhook + labels: + spiffe.io/webhook: "true" +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: my-spire-controller-manager-webhook + namespace: spire + path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain + failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks + name: vclusterfederatedtrustdomain.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterfederatedtrustdomains"] + sideEffects: None + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: my-spire-controller-manager-webhook + namespace: spire + path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid + failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks + name: vclusterspiffeid.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterspiffeids"] + sideEffects: None \ No newline at end of file diff --git a/docs/demo/deployments/spire/values.yaml b/docs/demo/deployments/spire/values.yaml new file mode 100644 index 00000000..b3412073 --- /dev/null +++ b/docs/demo/deployments/spire/values.yaml @@ -0,0 +1,14 @@ +spiffe-csi-driver: + enabled: false +spiffe-oidc-discovery-provider: + enabled: false +spire-agent: + socketPath: /run/spire/sockets/agent.sock +spire-server: + controllerManager: + identities: + clusterSPIFFEIDs: + default: + autoPopulateDNSNames: true + dnsNameTemplates: + - "{{ .PodMeta.Name }}" \ No newline at end of file diff --git a/docs/demo/scripts/kind/Makefile b/docs/demo/scripts/kind/Makefile index 09c9c47b..585f43ae 100644 --- a/docs/demo/scripts/kind/Makefile +++ b/docs/demo/scripts/kind/Makefile 
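Review bot: Both webhooks in the ValidatingWebhookConfiguration at the end of this hunk keep `failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks`, but this file is rendered output applied with plain `kubectl apply` (see the Makefile change), so nothing in the commit ever flips it and validation of ClusterSPIFFEID/ClusterFederatedTrustDomain objects stays fail-open whenever the controller-manager is unreachable. The caBundle itself does get injected, since the webhook carries `spiffe.io/webhook: "true"` and the server's `k8sbundle` Notifier is configured with that `webhook_label`, so the remaining gap is only the policy; either set `failurePolicy: Fail` in the rendered file or replace the stale hook comment with one stating that this demo deliberately runs the webhook fail-open. The agent side also ships with `"skip_kubelet_verification": true` and a DaemonSet running `hostPID: true`/`hostNetwork: true` with an empty `securityContext`; these are what the k8s workload attestor needs on kind, but a comment such as `# demo-only: kubelet TLS is not verified and the agent runs with host PID/network` above the agent ConfigMap would stop the file being copied into a real cluster unchanged.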
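Review bot: values.yaml records neither the chart version nor the `helm template` invocation that produced spire.yaml, so the two files cannot be regenerated consistently and a later bump of one will silently diverge from the other; the rendered labels (`helm.sh/chart: spire-server-0.1.0`, `app.kubernetes.io/version: "1.9.4"`) are the only trace. A leading comment such as `# Rendered with: helm template my-spire <chart> --version <chart version> -n spire -f values.yaml > spire.yaml` (filling in the values actually used) would make the pair reproducible. The file also lacks the `---` document start and ends without a newline.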
@@ -148,12 +148,13 @@ clean: kind-delete-cluster kind-delete-gateways ## Delete the Kind cluster and t .PHONY: install-spire install-spire: ## Install spire - kubectl apply -k ../../deployments/spire + kubectl create namespace spire ; \ + kubectl apply -f ../../deployments/spire/spire-crds.yaml -n spire ; \ + kubectl apply -f ../../deployments/spire/spire.yaml -n spire .PHONY: wait-spire wait-spire: ## Wait for spire to be ready - kubectl wait -n spire --timeout=$(WAIT_TIMEOUT) --for=condition=ready pod -l app=spire-agent ; \ - kubectl wait -n spire --timeout=$(WAIT_TIMEOUT) --for=condition=ready pod -l app=spire-server + kubectl wait -n spire --timeout=$(WAIT_TIMEOUT) --for=condition=ready pod -l app.kubernetes.io/instance=my-spire ############################################################################# ##@ NSM
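Review bot: The new install-spire recipe applies spire.yaml immediately after spire-crds.yaml, but spire.yaml contains ClusterSPIFFEID objects and the API server only accepts those once the CRDs are Established, so the second apply can fail with "no matches for kind" on a fresh cluster; insert `kubectl wait --for=condition=established --timeout=$(WAIT_TIMEOUT) crd/clusterspiffeids.spire.spiffe.io crd/clusterstaticentries.spire.spiffe.io ; \` between the two applies. `kubectl create namespace spire` also errors on every re-run now that spire-namespace.yaml is deleted, and because the steps are chained with `;` rather than `&&` that error (and any failed apply) is masked; `kubectl create namespace spire --dry-run=client -o yaml | kubectl apply -f -` is idempotent and lets the chain use `&&`. The `-n spire` on the apply lines is redundant since every namespaced object in spire.yaml sets `namespace: spire` explicitly.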