From ef22bff1d51abef3c0985c1f0ebf9f5b3e2924e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 12:36:39 -0700 Subject: [PATCH 01/16] attempt 2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Volkan Özçelik --- .../spire-agent-cluster-role-binding.yaml | 23 ++ .../templates/spire-agent-cluster-role.yaml | 19 ++ .../templates/spire-agent-config-map.yaml | 48 +++ ...-agent.yaml => spire-agent-daemonset.yaml} | 79 ----- .../spire-agent-service-account.yaml | 16 + .../spire/templates/spire-server-app.yaml | 101 ++++++ .../spire-server-bundle-config-map.yaml | 19 ++ .../spire-server-bundle-endpoint.yaml | 24 ++ .../spire-server-cluster-role-binding.yaml | 24 ++ .../templates/spire-server-cluster-role.yaml | 24 ++ .../templates/spire-server-config-map.yaml | 70 ++++ ...er-controller-manager-webhook-service.yaml | 23 ++ .../templates/spire-server-role-binding.yaml | 25 ++ .../spire/templates/spire-server-role.yaml | 27 ++ .../spire-server-service-account.yaml | 16 + .../spire/templates/spire-server-service.yaml | 25 ++ .../charts/spire/templates/spire-server.yaml | 310 ------------------ k8s/0.24.5/spire.yaml | 201 ++++++++++-- 18 files changed, 654 insertions(+), 420 deletions(-) create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-agent-cluster-role-binding.yaml create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-agent-cluster-role.yaml create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-agent-config-map.yaml rename helm-charts/0.24.5/charts/spire/templates/{spire-agent.yaml => spire-agent-daemonset.yaml} (77%) create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-agent-service-account.yaml create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-server-bundle-config-map.yaml create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-server-bundle-endpoint.yaml create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-server-cluster-role-binding.yaml create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-server-cluster-role.yaml create mode 100644 
helm-charts/0.24.5/charts/spire/templates/spire-server-config-map.yaml create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-server-role-binding.yaml create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-server-role.yaml create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-server-service-account.yaml create mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml delete mode 100644 helm-charts/0.24.5/charts/spire/templates/spire-server.yaml diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-agent-cluster-role-binding.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-agent-cluster-role-binding.yaml new file mode 100644 index 00000000..1c5e94f7 --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-agent-cluster-role-binding.yaml @@ -0,0 +1,23 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Binds above cluster role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role-binding +subjects: + - kind: ServiceAccount + name: spire-agent + namespace: {{ .Values.global.spire.namespace }} +roleRef: + kind: ClusterRole + name: spire-agent-cluster-role + apiGroup: rbac.authorization.k8s.io diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-agent-cluster-role.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-agent-cluster-role.yaml new file mode 100644 index 00000000..da8ed1ad --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-agent-cluster-role.yaml 
@@ -0,0 +1,19 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Required cluster role to allow spire-agent to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role +rules: + - apiGroups: [""] + resources: ["pods","nodes","nodes/proxy"] + verbs: ["get"] diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-agent-config-map.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-agent-config-map.yaml new file mode 100644 index 00000000..417a9f0e --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-agent-config-map.yaml 
@@ -0,0 +1,48 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# ConfigMap for the SPIRE agent featuring: +# 1) PSAT node attestation +# 2) K8S Workload Attestation over the secure kubelet port +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + namespace: {{ .Values.global.spire.namespace }} +data: + agent.conf: | + agent { + data_dir = "/run/spire" + log_level = {{ .Values.global.spire.logLevel | quote }} + server_address = "spire-server" + server_port = {{ .Values.global.spire.serverPort | quote }} + socket_path = "/run/spire/sockets/agent.sock" + trust_bundle_path = "/run/spire/bundle/bundle.crt" + trust_domain = {{ .Values.global.spire.trustDomain | quote }} + } + + plugins { + NodeAttestor "k8s_psat" { + plugin_data { + cluster = "vsecm-cluster" + } + } + + KeyManager "memory" { + plugin_data { + } + } + + WorkloadAttestor "k8s" { + plugin_data { + skip_kubelet_verification = true + } + } + } diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-agent.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-agent-daemonset.yaml similarity index 77% rename from helm-charts/0.24.5/charts/spire/templates/spire-agent.yaml rename to helm-charts/0.24.5/charts/spire/templates/spire-agent-daemonset.yaml index 426faa4f..5d0d5c02 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-agent.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-agent-daemonset.yaml 
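Review bot: The `WorkloadAttestor "k8s"` block sets `skip_kubelet_verification = true`, so the agent accepts any TLS certificate when it queries the kubelet for pod metadata, even though the header comment advertises "K8S Workload Attestation over the secure kubelet port". Anything that can answer on the kubelet port of that node could then feed the agent fabricated pod, namespace and service-account selectors, which is exactly what registration entries key on. Where the kubelet serving certificates are signed by a CA the agent can read, configure `kubelet_ca_path` instead; if the flag must stay on for this release, add a comment above it such as `# kubelet serving certs are self-signed per node; verification is skipped -- revisit before production use`. Note also that the hard-coded `cluster = "vsecm-cluster"` must match the `clusters` key in the server's `k8s_psat` plugin, which is worth a comment here since the two live in different files now.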
@@ -8,85 +8,6 @@ # >/' SPDX-License-Identifier: BSD-2-Clause # */ -# ServiceAccount for the SPIRE agent -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-agent - namespace: {{ .Values.global.spire.namespace }} - ---- - -# Required cluster role to allow spire-agent to query k8s API server -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent-cluster-role -rules: - - apiGroups: [""] - resources: ["pods","nodes","nodes/proxy"] - verbs: ["get"] - ---- - -# Binds above cluster role to spire-agent service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent-cluster-role-binding -subjects: - - kind: ServiceAccount - name: spire-agent - namespace: {{ .Values.global.spire.namespace }} -roleRef: - kind: ClusterRole - name: spire-agent-cluster-role - apiGroup: rbac.authorization.k8s.io - - ---- - -# ConfigMap for the SPIRE agent featuring: -# 1) PSAT node attestation -# 2) K8S Workload Attestation over the secure kubelet port -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-agent - namespace: {{ .Values.global.spire.namespace }} -data: - agent.conf: | - agent { - data_dir = "/run/spire" - log_level = {{ .Values.global.spire.logLevel | quote }} - server_address = "spire-server" - server_port = {{ .Values.global.spire.serverPort | quote }} - socket_path = "/run/spire/sockets/agent.sock" - trust_bundle_path = "/run/spire/bundle/bundle.crt" - trust_domain = {{ .Values.global.spire.trustDomain | quote }} - } - - plugins { - NodeAttestor "k8s_psat" { - plugin_data { - cluster = "vsecm-cluster" - } - } - - KeyManager "memory" { - plugin_data { - } - } - - WorkloadAttestor "k8s" { - plugin_data { - skip_kubelet_verification = true - } - } - } - ---- - apiVersion: apps/v1 kind: DaemonSet metadata: 
diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-agent-service-account.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-agent-service-account.yaml new file mode 100644 index 00000000..d7c205c8 --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-agent-service-account.yaml @@ -0,0 +1,16 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# ServiceAccount for the SPIRE agent +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + namespace: {{ .Values.global.spire.namespace }} diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml new file mode 100644 index 00000000..5be168ab --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml 
@@ -0,0 +1,101 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +{{- if eq .Values.server.kind "deployment" }} +kind: Deployment +{{- else }} +kind: StatefulSet +{{- end }} +metadata: + name: spire-server + namespace: {{ .Values.global.spire.namespace }} + labels: + app: spire-server + app.kubernetes.io/component: server +spec: + {{- if eq .Values.server.kind "statefulset" }} + serviceName: spire-server + {{- end }} + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: spire-server + template: + metadata: + namespace: {{ .Values.global.spire.namespace }} + labels: + app: spire-server + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: spire-server + shareProcessNamespace: true + containers: + - name: spire-server + image: {{ .Values.global.images.spireServer.repository }}:{{ .Values.global.images.spireServer.tag }} + imagePullPolicy: {{ .Values.global.images.spireServer.pullPolicy }} + args: ["-config", "/run/spire/server/config/server.conf"] + resources: + requests: + memory: {{ .Values.resources.agent.requests.memory }} + cpu: {{ .Values.resources.agent.requests.cpu }} + ports: + - containerPort: 8081 + volumeMounts: +{{- if .Values.data.persistent }} + - name: spire-data + mountPath: /run/spire/server/data + readOnly: false +{{- end }} + - name: spire-config + mountPath: /run/spire/server/config + readOnly: true + - name: spire-server-socket + mountPath: /tmp/spire-server/private + - name: spire-controller-manager + image: {{ .Values.global.images.spireControllerManager.repository }}:{{ .Values.global.images.spireControllerManager.tag }} + imagePullPolicy: {{ 
.Values.global.images.spireControllerManager.pullPolicy }} + ports: + - containerPort: 9443 + args: + - "--config=spire-controller-manager-config.yaml" + volumeMounts: + - name: spire-server-socket + mountPath: /spire-server + readOnly: true + - name: spire-controller-manager-config + mountPath: /spire-controller-manager-config.yaml + subPath: spire-controller-manager-config.yaml + volumes: + - name: spire-config + configMap: + name: spire-server + - name: spire-server-socket + emptyDir: {} + - name: spire-controller-manager-config + configMap: + name: spire-controller-manager-config + {{- if .Values.data.persistent }} + volumeClaimTemplates: + - metadata: + name: spire-data + spec: + accessModes: + - {{ .Values.data.persistentVolumeClaim.accessMode | default "ReadWriteOnce" }} + resources: + requests: + storage: {{ .Values.data.persistentVolumeClaim.size }} + {{- if .Values.data.persistentVolumeClaim.storageClass }} + storageClassName: {{ .Values.data.persistentVolumeClaim }} + {{- end }} + {{- end }} diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-bundle-config-map.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-bundle-config-map.yaml new file mode 100644 index 00000000..05c99cde --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-bundle-config-map.yaml 
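Review bot: The `volumeClaimTemplates` stanza at the end of the hunk renders `storageClassName: {{ .Values.data.persistentVolumeClaim }}`, which emits the whole map rather than the class name; it should be `storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }}`. The stanza is also emitted whenever `.Values.data.persistent` is set regardless of `.Values.server.kind`, yet `volumeClaimTemplates` is only valid on a StatefulSet, so the Deployment variant with persistence enabled would reference a `spire-data` volume that never exists. The server container's `resources.requests` read `.Values.resources.agent.*`, which looks like a copy-paste from the agent DaemonSet; a server-specific value would keep the two independently tunable. Finally, `/run/spire/server/data` (which the server config uses for its datastore and `KeyManager "disk"` keys) is only mounted when `data.persistent` is true, so in the default case the CA material lives on the container's ephemeral filesystem and is regenerated on every restart -- worth stating in a comment next to the conditional mount.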
@@ -0,0 +1,19 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# ConfigMap containing the latest trust bundle for the trust domain. It is +# updated by SPIRE using the k8sbundle notifier plugin. SPIRE agents mount +# this config map and use the certificate to bootstrap trust with the SPIRE +# server during attestation. +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: {{ .Values.global.spire.namespace }} diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-bundle-endpoint.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-bundle-endpoint.yaml new file mode 100644 index 00000000..b2d77b1d --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-bundle-endpoint.yaml @@ -0,0 +1,24 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Service definition for SPIRE server bundle endpoint +apiVersion: v1 +kind: Service +metadata: + name: spire-server-bundle-endpoint + namespace: {{ .Values.global.spire.namespace }} +spec: + type: NodePort + ports: + - name: api + port: 8443 + protocol: TCP + selector: + app: spire-server diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-cluster-role-binding.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-cluster-role-binding.yaml new file mode 100644 index 00000000..bcc3d2d2 --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-cluster-role-binding.yaml 
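Review bot: The bundle-endpoint Service in the second hunk is `type: NodePort`, which publishes port 8443 on the host interface of every node and therefore to whatever can reach the nodes from outside the cluster. The trust bundle itself is public material, but nothing in this chart configures any `federates_with` peer, so the endpoint appears to be exposed cluster-externally without a consumer, which widens the SPIRE server's reachable surface for no benefit. Prefer `type: ClusterIP` (or a value-driven type defaulting to ClusterIP) and switch to NodePort/LoadBalancer only when federation with an external trust domain is actually configured; a comment such as `# Only expose beyond the cluster when federating with another trust domain` would make the intent explicit.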
@@ -0,0 +1,24 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Binds above cluster role to spire-server service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role-binding + namespace: {{ .Values.global.spire.namespace }} +subjects: + - kind: ServiceAccount + name: spire-server + namespace: {{ .Values.global.spire.namespace }} +roleRef: + kind: ClusterRole + name: spire-server-cluster-role + apiGroup: rbac.authorization.k8s.io diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-cluster-role.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-cluster-role.yaml new file mode 100644 index 00000000..bf5eee10 --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-cluster-role.yaml @@ -0,0 +1,24 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Required cluster role to allow spire-server to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + # allow TokenReview requests (to verify service account tokens for PSAT + # attestation) + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["get", "create"] diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-config-map.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-config-map.yaml new file mode 100644 index 00000000..9203f6e2 --- /dev/null 
+++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-config-map.yaml @@ -0,0 +1,70 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# ConfigMap containing the SPIRE server configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + namespace: {{ .Values.global.spire.namespace }} +data: + server.conf: | + server { + bind_address = "0.0.0.0" + bind_port = "8081" + trust_domain = {{ .Values.global.spire.trustDomain | quote }} + data_dir = "/run/spire/server/data" + log_level = "DEBUG" + federation { + bundle_endpoint { + address = "0.0.0.0" + port = 8443 + } + } + } + + plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "/run/spire/server/data/datastore.sqlite3" + } + } + + NodeAttestor "k8s_psat" { + plugin_data { + clusters = { + "vsecm-cluster" = { + service_account_allow_list = ["{{ .Values.global.spire.namespace }}:spire-agent"] + } + } + } + } + + KeyManager "disk" { + plugin_data { + keys_path = "/run/spire/server/data/keys.json" + } + } + + Notifier "k8sbundle" { + plugin_data { + namespace = "{{ .Values.global.spire.namespace }}" + } + } + } + + health_checks { + listener_enabled = true + bind_address = "0.0.0.0" + bind_port = "8080" + live_path = "/live" + ready_path = "/ready" + } diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml new file mode 100644 index 00000000..4e102530 --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml 
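Review bot: `log_level = "DEBUG"` is hard-coded in `server.conf` while the agent ConfigMap in this same patch takes `{{ .Values.global.spire.logLevel | quote }}`; the server should use the same value so production installs are not left on debug logging, which is considerably more verbose about attestation and registration activity. The `KeyManager "disk"` plugin writes the trust domain's CA signing keys to `/run/spire/server/data/keys.json`, which is only a persistent volume when `data.persistent` is enabled in the server template; a comment above the plugin block noting that whoever can read that volume holds the CA key, and that the key is regenerated on restart when the volume is ephemeral, would save operators a surprise. The `k8s_psat` `service_account_allow_list` correctly pins node attestation to the `spire-agent` service account in the chart namespace, which is the right least-privilege shape.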
@@ -0,0 +1,23 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Service definition for SPIRE controller manager webhook +apiVersion: v1 +kind: Service +metadata: + name: spire-controller-manager-webhook-service + namespace: {{ .Values.global.spire.namespace }} +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + app: spire-server diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-role-binding.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-role-binding.yaml new file mode 100644 index 00000000..29726f6d --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-role-binding.yaml @@ -0,0 +1,25 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# RoleBinding granting the spire-server-role to the SPIRE server +# service account. +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-role-binding + namespace: {{ .Values.global.spire.namespace }} +subjects: + - kind: ServiceAccount + name: spire-server + namespace: {{ .Values.global.spire.namespace }} +roleRef: + kind: Role + name: spire-server-role + apiGroup: rbac.authorization.k8s.io diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-role.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-role.yaml new file mode 100644 index 00000000..34a5f490 --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-role.yaml 
@@ -0,0 +1,27 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Role for the SPIRE server +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-role + namespace: {{ .Values.global.spire.namespace }} +rules: + # allow "get" access to pods (to resolve selectors for PSAT attestation) + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE + # agent bootstrapping, see the spire-bundle ConfigMap below) + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["spire-bundle"] + verbs: ["get", "patch"] diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-service-account.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-service-account.yaml new file mode 100644 index 00000000..20280bcc --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-service-account.yaml @@ -0,0 +1,16 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# ServiceAccount used by the SPIRE server. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + namespace: {{ .Values.global.spire.namespace }} \ No newline at end of file diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml new file mode 100644 index 00000000..74a3ef1a --- /dev/null +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml 
@@ -0,0 +1,25 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# ServiceAccount used by the SPIRE server. +apiVersion: v1 +kind: Service +metadata: + name: spire-server + namespace: {{ .Values.global.spire.namespace }} +spec: + type: ClusterIP + ports: + - name: api + port: 8081 + targetPort: 8081 + protocol: TCP + selector: + app: spire-server \ No newline at end of file diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server.yaml deleted file mode 100644 index f8b42d76..00000000 --- a/helm-charts/0.24.5/charts/spire/templates/spire-server.yaml +++ /dev/null 
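Review bot: The Service now hard-codes `port: 8081` / `targetPort: 8081` (the deleted template used `.Values.service.port`), but the agent ConfigMap in this patch dials `server_port = {{ .Values.global.spire.serverPort | quote }}`; any value other than 8081 leaves every agent unable to reach the server. Use the same source of truth, e.g. `port: {{ .Values.global.spire.serverPort }}` with `targetPort: 8081` matching the server's fixed `bind_port`. The leading comment `# ServiceAccount used by the SPIRE server.` was copied from the service-account template and is wrong for this file; replace it with `# ClusterIP Service exposing the SPIRE server gRPC API to agents.` and add the missing trailing newline.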
@@ -1,310 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# ServiceAccount used by the SPIRE server. -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server - namespace: {{ .Values.global.spire.namespace }} - ---- - -# Required cluster role to allow spire-server to query k8s API server -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-cluster-role -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] - # allow TokenReview requests (to verify service account tokens for PSAT - # attestation) - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["get", "create"] - ---- - -# Binds above cluster role to spire-server service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-cluster-role-binding - namespace: {{ .Values.global.spire.namespace }} -subjects: - - kind: ServiceAccount - name: spire-server - namespace: {{ .Values.global.spire.namespace }} -roleRef: - kind: ClusterRole - name: spire-server-cluster-role - apiGroup: rbac.authorization.k8s.io - ---- - -# Role for the SPIRE server -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-role - namespace: {{ .Values.global.spire.namespace }} -rules: - # allow "get" access to pods (to resolve selectors for PSAT attestation) - - apiGroups: [""] - resources: ["pods"] - verbs: ["get"] - # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE - # agent bootstrapping, see the spire-bundle ConfigMap below) - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["spire-bundle"] - verbs: ["get", "patch"] - ---- - -# RoleBinding granting the spire-server-role to the SPIRE 
server -# service account. -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-role-binding - namespace: {{ .Values.global.spire.namespace }} -subjects: - - kind: ServiceAccount - name: spire-server - namespace: {{ .Values.global.spire.namespace }} -roleRef: - kind: Role - name: spire-server-role - apiGroup: rbac.authorization.k8s.io - ---- - -# ConfigMap containing the latest trust bundle for the trust domain. It is -# updated by SPIRE using the k8sbundle notifier plugin. SPIRE agents mount -# this config map and use the certificate to bootstrap trust with the SPIRE -# server during attestation. -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-bundle - namespace: {{ .Values.global.spire.namespace }} - ---- - -# ConfigMap containing the SPIRE server configuration. -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-server - namespace: {{ .Values.global.spire.namespace }} -data: - server.conf: | - server { - bind_address = "0.0.0.0" - bind_port = "8081" - trust_domain = {{ .Values.global.spire.trustDomain | quote }} - data_dir = "/run/spire/server/data" - log_level = "DEBUG" - federation { - bundle_endpoint { - address = "0.0.0.0" - port = 8443 - } - } - } - - plugins { - DataStore "sql" { - plugin_data { - database_type = "sqlite3" - connection_string = "/run/spire/server/data/datastore.sqlite3" - } - } - - NodeAttestor "k8s_psat" { - plugin_data { - clusters = { - "vsecm-cluster" = { - service_account_allow_list = ["{{ .Values.global.spire.namespace }}:spire-agent"] - } - } - } - } - - KeyManager "disk" { - plugin_data { - keys_path = "/run/spire/server/data/keys.json" - } - } - - Notifier "k8sbundle" { - plugin_data { - namespace = "{{ .Values.global.spire.namespace }}" - } - } - } - - health_checks { - listener_enabled = true - bind_address = "0.0.0.0" - bind_port = "8080" - live_path = "/live" - ready_path = "/ready" - } - ---- - -apiVersion: apps/v1 -{{- if eq .Values.server.kind "deployment" }} -kind: 
Deployment -{{- else }} -kind: StatefulSet -{{- end }} -metadata: - name: spire-server - namespace: {{ .Values.global.spire.namespace }} - labels: - app: spire-server - app.kubernetes.io/component: server -spec: - {{- if eq .Values.server.kind "statefulset" }} - serviceName: spire-server - {{- end }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: spire-server - template: - metadata: - namespace: {{ .Values.global.spire.namespace }} - labels: - app: spire-server - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: spire-server - shareProcessNamespace: true - containers: - - name: spire-server - image: {{ .Values.global.images.spireServer.repository }}:{{ .Values.global.images.spireServer.tag }} - imagePullPolicy: {{ .Values.global.images.spireServer.pullPolicy }} - args: ["-config", "/run/spire/server/config/server.conf"] - resources: - requests: - memory: {{ .Values.resources.agent.requests.memory }} - cpu: {{ .Values.resources.agent.requests.cpu }} - ports: - - containerPort: 8081 - volumeMounts: -{{- if .Values.data.persistent }} - - name: spire-data - mountPath: /run/spire/server/data - readOnly: false -{{- end }} - - name: spire-config - mountPath: /run/spire/server/config - readOnly: true - - name: spire-server-socket - mountPath: /tmp/spire-server/private - - name: spire-controller-manager - image: {{ .Values.global.images.spireControllerManager.repository }}:{{ .Values.global.images.spireControllerManager.tag }} - imagePullPolicy: {{ .Values.global.images.spireControllerManager.pullPolicy }} - ports: - - containerPort: 9443 - args: - - "--config=spire-controller-manager-config.yaml" - volumeMounts: - - name: spire-server-socket - mountPath: /spire-server - readOnly: true - - name: spire-controller-manager-config - mountPath: /spire-controller-manager-config.yaml - subPath: spire-controller-manager-config.yaml - volumes: - - name: spire-config - configMap: - 
name: spire-server - - name: spire-server-socket - emptyDir: {} - - name: spire-controller-manager-config - configMap: - name: spire-controller-manager-config - {{- if .Values.data.persistent }} - volumeClaimTemplates: - - metadata: - name: spire-data - spec: - accessModes: - - {{ .Values.data.persistentVolumeClaim.accessMode | default "ReadWriteOnce" }} - resources: - requests: - storage: {{ .Values.data.persistentVolumeClaim.size }} - {{- if .Values.data.persistentVolumeClaim.storageClass }} - storageClassName: {{ .Values.data.persistentVolumeClaim }} - {{- end }} - {{- end }} - ---- - -# Service definition for SPIRE server defining the gRPC port. -apiVersion: v1 -kind: Service -metadata: - name: spire-server - namespace: {{ .Values.global.spire.namespace }} -spec: - type: {{ .Values.service.type }} - ports: - - name: api - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.port }} - protocol: TCP - selector: - app: spire-server - ---- - -# Service definition for SPIRE server bundle endpoint -apiVersion: v1 -kind: Service -metadata: - name: spire-server-bundle-endpoint - namespace: {{ .Values.global.spire.namespace }} -spec: - type: NodePort - ports: - - name: api - port: 8443 - protocol: TCP - selector: - app: spire-server - - ---- -# -# Service definition for SPIRE controller manager webhook -apiVersion: v1 -kind: Service -metadata: - name: spire-controller-manager-webhook-service - namespace: {{ .Values.global.spire.namespace }} -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 9443 - selector: - app: spire-server - diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index f646f4ff..6deb2662 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml 
@@ -15,7 +15,7 @@ kind: Namespace metadata: name: spire-system --- -# Source: vsecm/charts/spire/templates/spire-agent.yaml +# Source: vsecm/charts/spire/templates/spire-agent-service-account.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -33,7 +33,7 @@ metadata: name: spire-agent namespace: spire-system --- -# Source: vsecm/charts/spire/templates/spire-server.yaml +# Source: vsecm/charts/spire/templates/spire-server-service-account.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -51,7 +51,17 @@ metadata: name: spire-server namespace: spire-system --- -# Source: vsecm/charts/spire/templates/spire-agent.yaml +# Source: vsecm/charts/spire/templates/spire-agent-config-map.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + # ConfigMap for the SPIRE agent featuring: # 1) PSAT node attestation # 2) K8S Workload Attestation over the secure kubelet port @@ -132,7 +142,17 @@ data: - kube-public - kubernetes-dashboard --- -# Source: vsecm/charts/spire/templates/spire-server.yaml +# Source: vsecm/charts/spire/templates/spire-server-bundle-config-map.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + # ConfigMap containing the latest trust bundle for the trust domain. It is # updated by SPIRE using the k8sbundle notifier plugin. SPIRE agents mount # this config map and use the certificate to bootstrap trust with the SPIRE 
@@ -143,7 +163,17 @@ metadata: name: spire-bundle namespace: spire-system --- -# Source: vsecm/charts/spire/templates/spire-server.yaml +# Source: vsecm/charts/spire/templates/spire-server-config-map.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + # ConfigMap containing the SPIRE server configuration. apiVersion: v1 kind: ConfigMap @@ -264,7 +294,17 @@ rules: resources: ["clusterstaticentries/status"] verbs: ["get", "patch", "update"] --- -# Source: vsecm/charts/spire/templates/spire-agent.yaml +# Source: vsecm/charts/spire/templates/spire-agent-cluster-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + # Required cluster role to allow spire-agent to query k8s API server kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -275,7 +315,17 @@ rules: resources: ["pods","nodes","nodes/proxy"] verbs: ["get"] --- -# Source: vsecm/charts/spire/templates/spire-server.yaml +# Source: vsecm/charts/spire/templates/spire-server-cluster-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + # Required cluster role to allow spire-server to query k8s API server kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 
@@ -315,7 +365,17 @@ subjects: name: spire-server namespace: spire-system --- -# Source: vsecm/charts/spire/templates/spire-agent.yaml +# Source: vsecm/charts/spire/templates/spire-agent-cluster-role-binding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + # Binds above cluster role to spire-agent service account kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -330,7 +390,17 @@ roleRef: name: spire-agent-cluster-role apiGroup: rbac.authorization.k8s.io --- -# Source: vsecm/charts/spire/templates/spire-server.yaml +# Source: vsecm/charts/spire/templates/spire-server-cluster-role-binding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + # Binds above cluster role to spire-server service account kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -374,7 +444,17 @@ rules: resources: ["events"] verbs: ["create", "patch"] --- -# Source: vsecm/charts/spire/templates/spire-server.yaml +# Source: vsecm/charts/spire/templates/spire-server-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + # Role for the SPIRE server kind: Role apiVersion: rbac.authorization.k8s.io/v1 
@@ -418,7 +498,17 @@ subjects: name: spire-server namespace: spire-system --- -# Source: vsecm/charts/spire/templates/spire-server.yaml +# Source: vsecm/charts/spire/templates/spire-server-role-binding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + # RoleBinding granting the spire-server-role to the SPIRE server # service account. kind: RoleBinding 
@@ -435,56 +525,95 @@ roleRef: name: spire-server-role apiGroup: rbac.authorization.k8s.io --- -# Source: vsecm/charts/spire/templates/spire-server.yaml -# Service definition for SPIRE server defining the gRPC port. +# Source: vsecm/charts/spire/templates/spire-server-bundle-endpoint.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Service definition for SPIRE server bundle endpoint apiVersion: v1 kind: Service metadata: - name: spire-server + name: spire-server-bundle-endpoint namespace: spire-system spec: - type: ClusterIP + type: NodePort ports: - name: api - port: 8081 - targetPort: 8081 + port: 8443 protocol: TCP selector: app: spire-server --- -# Source: vsecm/charts/spire/templates/spire-server.yaml -# Service definition for SPIRE server bundle endpoint +# Source: vsecm/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Service definition for SPIRE controller manager webhook apiVersion: v1 kind: Service metadata: - name: spire-server-bundle-endpoint + name: spire-controller-manager-webhook-service namespace: spire-system spec: - type: NodePort ports: - - name: api - port: 8443 + - port: 443 protocol: TCP + targetPort: 9443 selector: app: spire-server --- -# Source: vsecm/charts/spire/templates/spire-server.yaml -# -# Service definition for SPIRE controller manager webhook +# Source: vsecm/charts/spire/templates/spire-server-service.yaml +# /* +# | Protect your secrets, protect your sensitive data. 
+# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# ServiceAccount used by the SPIRE server. apiVersion: v1 kind: Service metadata: - name: spire-controller-manager-webhook-service + name: spire-server namespace: spire-system spec: + type: ClusterIP ports: - - port: 443 + - name: api + port: 8081 + targetPort: 8081 protocol: TCP - targetPort: 9443 selector: app: spire-server --- -# Source: vsecm/charts/spire/templates/spire-agent.yaml +# Source: vsecm/charts/spire/templates/spire-agent-daemonset.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + apiVersion: apps/v1 kind: DaemonSet metadata: @@ -625,7 +754,17 @@ spec: path: /var/lib/kubelet/plugins_registry type: Directory --- -# Source: vsecm/charts/spire/templates/spire-server.yaml +# Source: vsecm/charts/spire/templates/spire-server-app.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + apiVersion: apps/v1 kind: Deployment metadata: From 3d9f9b52c56cb7dc6f6c4f770dcf6003962cab87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 12:40:59 -0700 Subject: [PATCH 02/16] add priorityclassname MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
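Review bot: The header comment added above the `spire-server` Service reads `# ServiceAccount used by the SPIRE server.`, but the object it introduces is `kind: Service` publishing port 8081, not a ServiceAccount; the old block's wording fits, so it should read `# Service definition for SPIRE server defining the gRPC port.`. Because `k8s/0.24.5/spire.yaml` is rendered from the chart (the `# Source:` line points at `spire-server-service.yaml`), the correction has to land in that template as well or the next render reintroduces the mislabel. The surrounding document boundaries extend outside this hunk.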
Signed-off-by: Volkan Özçelik --- .../0.24.5/charts/keystone/templates/Deployment.yaml | 3 +++ helm-charts/0.24.5/charts/safe/templates/Deployment.yaml | 3 +++ .../0.24.5/charts/sentinel/templates/Deployment.yaml | 3 +++ .../charts/spire/templates/spire-agent-daemonset.yaml | 1 + .../0.24.5/charts/spire/templates/spire-server-app.yaml | 3 +++ helm-charts/0.24.5/charts/spire/values.yaml | 6 ++++++ k8s/0.24.5/eks/vsecm-distroless-fips.yaml | 9 +++++++++ k8s/0.24.5/eks/vsecm-distroless.yaml | 9 +++++++++ k8s/0.24.5/local/vsecm-distroless-fips.yaml | 9 +++++++++ k8s/0.24.5/local/vsecm-distroless.yaml | 9 +++++++++ k8s/0.24.5/remote/vsecm-distroless-fips.yaml | 9 +++++++++ k8s/0.24.5/remote/vsecm-distroless.yaml | 9 +++++++++ k8s/0.24.5/spire.yaml | 4 ++++ 13 files changed, 77 insertions(+) diff --git a/helm-charts/0.24.5/charts/keystone/templates/Deployment.yaml b/helm-charts/0.24.5/charts/keystone/templates/Deployment.yaml index 231678bc..676e6ca3 100644 --- a/helm-charts/0.24.5/charts/keystone/templates/Deployment.yaml +++ b/helm-charts/0.24.5/charts/keystone/templates/Deployment.yaml @@ -38,6 +38,9 @@ spec: serviceAccountName: {{ include "keystone.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} + + priorityClassName: system-cluster-critical + initContainers: - name: init-container image: "{{ .Values.global.registry }}/{{ .Values.global.images.initContainer.repository }}:{{ .Values.global.images.initContainer.tag }}" diff --git a/helm-charts/0.24.5/charts/safe/templates/Deployment.yaml b/helm-charts/0.24.5/charts/safe/templates/Deployment.yaml index 69cb3ba2..25d3beb3 100644 --- a/helm-charts/0.24.5/charts/safe/templates/Deployment.yaml +++ b/helm-charts/0.24.5/charts/safe/templates/Deployment.yaml 
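Review bot: `priorityClassName: system-cluster-critical` is hard-coded into the keystone pod template rather than driven by a chart value, and the same literal is repeated for safe, sentinel and spire-server (and `system-node-critical` for the agent) later in this series. Pods in these two built-in classes can preempt any lower-priority workload on the cluster, and some clusters restrict the `system-*` classes by admission policy, so operators need a way to opt out or substitute their own class. Suggest `{{- with .Values.priorityClassName }}` / `priorityClassName: {{ . }}` / `{{- end }}` with a documented default in values.yaml, plus a template comment stating why the secrets-manager pods are treated as cluster-critical. The enclosing pod spec starts and ends outside this hunk.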
@@ -38,6 +38,9 @@ spec: serviceAccountName: {{ include "safe.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} + + priorityClassName: system-cluster-critical + containers: - name: main image: "{{ .Values.global.registry }}/{{- include "safe.repository" .}}:{{ .Values.global.images.safe.tag }}" diff --git a/helm-charts/0.24.5/charts/sentinel/templates/Deployment.yaml b/helm-charts/0.24.5/charts/sentinel/templates/Deployment.yaml index 5f245f77..bbf69994 100644 --- a/helm-charts/0.24.5/charts/sentinel/templates/Deployment.yaml +++ b/helm-charts/0.24.5/charts/sentinel/templates/Deployment.yaml @@ -38,6 +38,9 @@ spec: serviceAccountName: {{ include "sentinel.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} + + priorityClassName: system-cluster-critical + containers: - name: main image: "{{ .Values.global.registry }}/{{- include "sentinel.repository" .}}:{{ .Values.global.images.sentinel.tag }}" diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-agent-daemonset.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-agent-daemonset.yaml index 5d0d5c02..d7ca45ac 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-agent-daemonset.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-agent-daemonset.yaml @@ -35,6 +35,7 @@ spec: hostNetwork: true dnsPolicy: ClusterFirstWithHostNet serviceAccountName: spire-agent + priorityClassName: system-node-critical containers: - name: spire-agent image: {{ .Values.global.images.spireAgent.repository }}:{{ .Values.global.images.spireAgent.tag }} diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml index 5be168ab..73ea778f 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml 
@@ -40,6 +40,9 @@ spec: {{- end }} serviceAccountName: spire-server shareProcessNamespace: true + + priorityClassName: system-cluster-critical + containers: - name: spire-server image: {{ .Values.global.images.spireServer.repository }}:{{ .Values.global.images.spireServer.tag }} diff --git a/helm-charts/0.24.5/charts/spire/values.yaml b/helm-charts/0.24.5/charts/spire/values.yaml index da1ac142..01218c9f 100644 --- a/helm-charts/0.24.5/charts/spire/values.yaml +++ b/helm-charts/0.24.5/charts/spire/values.yaml @@ -36,6 +36,12 @@ service: port: 8081 annotations: {} +bundleEndpoint: + # ClusterIP, NodePort, LoadBalancer + type: ClusterIP + port: 8081 + annotations: {} + serviceAccount: # Specifies whether a service account should be created create: true diff --git a/k8s/0.24.5/eks/vsecm-distroless-fips.yaml b/k8s/0.24.5/eks/vsecm-distroless-fips.yaml index 3901a125..0a65eb45 100644 --- a/k8s/0.24.5/eks/vsecm-distroless-fips.yaml +++ b/k8s/0.24.5/eks/vsecm-distroless-fips.yaml @@ -321,6 +321,9 @@ spec: serviceAccountName: vsecm-keystone securityContext: {} + + priorityClassName: system-cluster-critical + initContainers: - name: init-container image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.24.5" @@ -434,6 +437,9 @@ spec: serviceAccountName: vsecm-safe securityContext: {} + + priorityClassName: system-cluster-critical + containers: - name: main image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.24.5" @@ -591,6 +597,9 @@ spec: serviceAccountName: vsecm-sentinel securityContext: {} + + priorityClassName: system-cluster-critical + containers: - name: main image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.24.5" diff --git a/k8s/0.24.5/eks/vsecm-distroless.yaml b/k8s/0.24.5/eks/vsecm-distroless.yaml index 64791a3f..59bbd834 100644 --- a/k8s/0.24.5/eks/vsecm-distroless.yaml +++ b/k8s/0.24.5/eks/vsecm-distroless.yaml 
@@ -321,6 +321,9 @@ spec: serviceAccountName: vsecm-keystone securityContext: {} + + priorityClassName: system-cluster-critical + initContainers: - name: init-container image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.24.5" @@ -434,6 +437,9 @@ spec: serviceAccountName: vsecm-safe securityContext: {} + + priorityClassName: system-cluster-critical + containers: - name: main image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.24.5" @@ -591,6 +597,9 @@ spec: serviceAccountName: vsecm-sentinel securityContext: {} + + priorityClassName: system-cluster-critical + containers: - name: main image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.24.5" diff --git a/k8s/0.24.5/local/vsecm-distroless-fips.yaml b/k8s/0.24.5/local/vsecm-distroless-fips.yaml index 9622942a..866ea6bb 100644 --- a/k8s/0.24.5/local/vsecm-distroless-fips.yaml +++ b/k8s/0.24.5/local/vsecm-distroless-fips.yaml @@ -321,6 +321,9 @@ spec: serviceAccountName: vsecm-keystone securityContext: {} + + priorityClassName: system-cluster-critical + initContainers: - name: init-container image: "localhost:5000/vsecm-ist-init-container:0.24.5" @@ -434,6 +437,9 @@ spec: serviceAccountName: vsecm-safe securityContext: {} + + priorityClassName: system-cluster-critical + containers: - name: main image: "localhost:5000/vsecm-ist-fips-safe:0.24.5" @@ -591,6 +597,9 @@ spec: serviceAccountName: vsecm-sentinel securityContext: {} + + priorityClassName: system-cluster-critical + containers: - name: main image: "localhost:5000/vsecm-ist-fips-sentinel:0.24.5" diff --git a/k8s/0.24.5/local/vsecm-distroless.yaml b/k8s/0.24.5/local/vsecm-distroless.yaml index a01406ef..96c38abb 100644 --- a/k8s/0.24.5/local/vsecm-distroless.yaml +++ b/k8s/0.24.5/local/vsecm-distroless.yaml @@ -321,6 +321,9 @@ spec: serviceAccountName: vsecm-keystone securityContext: {} + + priorityClassName: system-cluster-critical + initContainers: - name: init-container image: "localhost:5000/vsecm-ist-init-container:0.24.5" 
@@ -434,6 +437,9 @@ spec: serviceAccountName: vsecm-safe securityContext: {} + + priorityClassName: system-cluster-critical + containers: - name: main image: "localhost:5000/vsecm-ist-safe:0.24.5" @@ -591,6 +597,9 @@ spec: serviceAccountName: vsecm-sentinel securityContext: {} + + priorityClassName: system-cluster-critical + containers: - name: main image: "localhost:5000/vsecm-ist-sentinel:0.24.5" diff --git a/k8s/0.24.5/remote/vsecm-distroless-fips.yaml b/k8s/0.24.5/remote/vsecm-distroless-fips.yaml index a4e36f2a..df0f3c21 100644 --- a/k8s/0.24.5/remote/vsecm-distroless-fips.yaml +++ b/k8s/0.24.5/remote/vsecm-distroless-fips.yaml @@ -321,6 +321,9 @@ spec: serviceAccountName: vsecm-keystone securityContext: {} + + priorityClassName: system-cluster-critical + initContainers: - name: init-container image: "vsecm/vsecm-ist-init-container:0.24.5" @@ -434,6 +437,9 @@ spec: serviceAccountName: vsecm-safe securityContext: {} + + priorityClassName: system-cluster-critical + containers: - name: main image: "vsecm/vsecm-ist-fips-safe:0.24.5" @@ -591,6 +597,9 @@ spec: serviceAccountName: vsecm-sentinel securityContext: {} + + priorityClassName: system-cluster-critical + containers: - name: main image: "vsecm/vsecm-ist-fips-sentinel:0.24.5" diff --git a/k8s/0.24.5/remote/vsecm-distroless.yaml b/k8s/0.24.5/remote/vsecm-distroless.yaml index 35a1965d..8404cce4 100644 --- a/k8s/0.24.5/remote/vsecm-distroless.yaml +++ b/k8s/0.24.5/remote/vsecm-distroless.yaml @@ -321,6 +321,9 @@ spec: serviceAccountName: vsecm-keystone securityContext: {} + + priorityClassName: system-cluster-critical + initContainers: - name: init-container image: "vsecm/vsecm-ist-init-container:0.24.5" @@ -434,6 +437,9 @@ spec: serviceAccountName: vsecm-safe securityContext: {} + + priorityClassName: system-cluster-critical + containers: - name: main image: "vsecm/vsecm-ist-safe:0.24.5" 
@@ -591,6 +597,9 @@ spec: serviceAccountName: vsecm-sentinel securityContext: {} + + priorityClassName: system-cluster-critical + containers: - name: main image: "vsecm/vsecm-ist-sentinel:0.24.5" diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index 6deb2662..d4b8c48d 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml @@ -637,6 +637,7 @@ spec: hostNetwork: true dnsPolicy: ClusterFirstWithHostNet serviceAccountName: spire-agent + priorityClassName: system-node-critical containers: - name: spire-agent image: ghcr.io/spiffe/spire-agent:1.9.1 @@ -786,6 +787,9 @@ spec: spec: serviceAccountName: spire-server shareProcessNamespace: true + + priorityClassName: system-cluster-critical + containers: - name: spire-server image: ghcr.io/spiffe/spire-server:1.9.1 From 64ad283a515e84074911766f36060f2a0f876dbd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 12:51:46 -0700 Subject: [PATCH 03/16] add health check to spire agent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- .../templates/spire-agent-config-map.yaml | 8 ++++++ .../templates/spire-agent-daemonset.yaml | 17 +++++++++++++ k8s/0.24.5/spire.yaml | 25 +++++++++++++++++++ 3 files changed, 50 insertions(+) diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-agent-config-map.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-agent-config-map.yaml index 417a9f0e..5fd6c2d2 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-agent-config-map.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-agent-config-map.yaml @@ -28,6 +28,14 @@ data: trust_domain = {{ .Values.global.spire.trustDomain | quote }} } + health_checks { + bind_address = "0.0.0.0" + bind_port = "9982" + listener_enabled = true + live_path = "/live" + ready_path = "/ready" + } + plugins { NodeAttestor "k8s_psat" { plugin_data { 
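Review bot: The new `health_checks` block binds to `0.0.0.0:9982`, and the agent DaemonSet runs with `hostNetwork: true` (visible in the daemonset hunk earlier in this series), so this listener is opened on every node's interfaces rather than inside a pod network namespace — reachable by anything that can reach the node, and a fixed port that can collide with other host-network processes. The endpoints only report liveness/readiness, so the exposure is low-sensitivity, but it would be tighter to bind to `127.0.0.1` and point the probes at it with `httpGet.host: 127.0.0.1` (kubelet probes a hostNetwork pod via the node IP by default, which is why a loopback bind alone would fail the probes); confirm the agent version accepts that `bind_address`. If the wide bind is kept, add a comment above the block noting it is node-wide because of `hostNetwork`, and account for 9982 in host firewall rules. The config block continues outside this hunk.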
diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-agent-daemonset.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-agent-daemonset.yaml index d7ca45ac..75a2541f 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-agent-daemonset.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-agent-daemonset.yaml @@ -45,6 +45,23 @@ spec: requests: memory: {{ .Values.resources.agent.requests.memory }} cpu: {{ .Values.resources.agent.requests.cpu }} + + ports: + - containerPort: 9982 + name: healthz + livenessProbe: + httpGet: + path: /live + port: healthz + initialDelaySeconds: 15 + periodSeconds: 60 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 10 + periodSeconds: 30 + volumeMounts: - name: spire-config mountPath: /run/spire/config diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index d4b8c48d..9d58df74 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml @@ -82,6 +82,14 @@ data: trust_domain = "vsecm.com" } + health_checks { + bind_address = "0.0.0.0" + bind_port = "9982" + listener_enabled = true + live_path = "/live" + ready_path = "/ready" + } + plugins { NodeAttestor "k8s_psat" { plugin_data { @@ -647,6 +655,23 @@ spec: requests: memory: 512Mi cpu: 50m + + ports: + - containerPort: 9982 + name: healthz + livenessProbe: + httpGet: + path: /live + port: healthz + initialDelaySeconds: 15 + periodSeconds: 60 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 10 + periodSeconds: 30 + volumeMounts: - name: spire-config mountPath: /run/spire/config From 3b40de05883e9b98624464bcea8cee5b4c3a890d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 12:57:45 -0700 Subject: [PATCH 04/16] increase wait timeout MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Volkan Özçelik --- hack/install-vsecm-to-eks.sh | 4 ++-- makefiles/VSecMDeploy.mk | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/hack/install-vsecm-to-eks.sh b/hack/install-vsecm-to-eks.sh index e6848456..d4be7feb 100755 --- a/hack/install-vsecm-to-eks.sh +++ b/hack/install-vsecm-to-eks.sh @@ -20,8 +20,8 @@ helm install vsecm vsecm/vsecm echo "verifying vsecm installation" -kubectl wait --for=condition=Available deployment -n vsecm-system vsecm-sentinel +kubectl wait --timeout=60s --for=condition=Available deployment -n vsecm-system vsecm-sentinel echo "vsecm-sentinel: deployment available" -kubectl wait --for=condition=Available deployment -n vsecm-system vsecm-safe +kubectl wait --timeout=60s --for=condition=Available deployment -n vsecm-system vsecm-safe echo "vsecm-safe: deployment available" echo "vsecm installation successful" diff --git a/makefiles/VSecMDeploy.mk b/makefiles/VSecMDeploy.mk index 2523eec4..c2f18b24 100644 --- a/makefiles/VSecMDeploy.mk +++ b/makefiles/VSecMDeploy.mk @@ -38,7 +38,7 @@ deploy-spire: kubectl apply -f ${MANIFESTS_BASE_PATH}/crds; \ kubectl apply -f ${MANIFESTS_BASE_PATH}/spire.yaml; \ echo "verifying SPIRE installation"; \ - kubectl wait --for=condition=Available deployment -n spire-system spire-server; \ + kubectl wait --timeout=60s --for=condition=Available deployment -n spire-system spire-server; \ echo "spire-server: deployment available"; \ echo "spire installation successful"; \ fi 
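Review bot: Adding `--timeout=60s` makes `kubectl wait` exit non-zero on timeout, but in this recipe the call sits in a `; \` chain inside the `if` block, so a timed-out wait is ignored and the recipe still prints `spire-server: deployment available` and `spire installation successful`. Chain the verification so failure propagates: `kubectl wait --timeout=60s --for=condition=Available deployment -n spire-system spire-server && \`. The same question applies to the shell-script hunk above — whether it runs under `set -e` is not visible here; if it does not, the `echo`s after each wait likewise run unconditionally. 60s may also be short for a first deploy that still pulls images; a variable with that default would let CI raise it. The `deploy-spire` recipe starts outside this hunk.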
@@ -67,9 +67,9 @@ deploy-fips-eks: deploy-spire .PHONY: post-deploy post-deploy: echo "verifying vsecm installation" - kubectl wait --for=condition=Available deployment -n vsecm-system vsecm-sentinel + kubectl wait --timeout=60s --for=condition=Available deployment -n vsecm-system vsecm-sentinel echo "vsecm-sentinel: deployment available" - kubectl wait --for=condition=Available deployment -n vsecm-system vsecm-safe + kubectl wait --timeout=60s --for=condition=Available deployment -n vsecm-system vsecm-safe echo "vsecm-safe: deployment available" echo "vsecm installation successful" From 62bab5ad9cf7d3710eaedd1a59a77644cf1d9d5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 13:05:36 -0700 Subject: [PATCH 05/16] add probes to spire-server MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- .../spire/templates/spire-server-app.yaml | 19 +++++++++++++ .../templates/spire-server-config-map.yaml | 8 ++++++ k8s/0.24.5/spire.yaml | 27 +++++++++++++++++++ 3 files changed, 54 insertions(+) diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml index 73ea778f..a1b6da61 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml @@ -54,6 +54,25 @@ spec: cpu: {{ .Values.resources.agent.requests.cpu }} ports: - containerPort: 8081 + protocol: TCP + - containerPort: 8080 + name: healthz + + livenessProbe: + httpGet: + path: /live + port: healthz + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: {{- if .Values.data.persistent }} - name: spire-data 
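Review bot: The new liveness probe (`failureThreshold: 2`, `periodSeconds: 60`, `initialDelaySeconds: 15`) restarts the server if `/live` is not answered within roughly two minutes of container start, and nothing gates that on startup having completed; a slow first start (e.g. datastore initialisation or volume attach) can therefore put the trust-domain root into a restart loop. A `startupProbe` on the same `healthz` port (`path: /live`, `periodSeconds: 5`, `failureThreshold: 60`) defers liveness until the server is up, after which the tight liveness settings are reasonable. Separately, the context line a few lines above reads `cpu: {{ .Values.resources.agent.requests.cpu }}` inside the server container — pre-existing and not part of this change, but it looks like it should be `.Values.resources.server...`. The container spec continues outside this hunk.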
diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-config-map.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-config-map.yaml index 9203f6e2..a785fb27 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-server-config-map.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-config-map.yaml @@ -30,6 +30,14 @@ data: } } + health_checks { + bind_address = "0.0.0.0" + bind_port = "8080" + listener_enabled = true + live_path = "/live" + ready_path = "/ready" + } + plugins { DataStore "sql" { plugin_data { diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index 9d58df74..2eb2cc80 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml @@ -204,6 +204,14 @@ data: } } + health_checks { + bind_address = "0.0.0.0" + bind_port = "8080" + listener_enabled = true + live_path = "/live" + ready_path = "/ready" + } + plugins { DataStore "sql" { plugin_data { @@ -826,6 +834,25 @@ spec: cpu: 50m ports: - containerPort: 8081 + protocol: TCP + - containerPort: 8080 + name: healthz + + livenessProbe: + httpGet: + path: /live + port: healthz + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: - name: spire-config mountPath: /run/spire/server/config From c2946f0d95ebca60979bc51d2f73c73c6e27eac2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 13:15:27 -0700 Subject: [PATCH 06/16] add controller manager health checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- .../charts/spire/templates/spire-server-app.yaml | 14 ++++++++++++++ k8s/0.24.5/spire.yaml | 12 ++++++++++++ 2 files changed, 26 insertions(+) 
diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml index a1b6da61..de3f780a 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-app.yaml @@ -22,6 +22,7 @@ metadata: app.kubernetes.io/component: server spec: {{- if eq .Values.server.kind "statefulset" }} + # noinspection KubernetesUnknownKeys serviceName: spire-server {{- end }} replicas: {{ .Values.replicaCount }} @@ -89,6 +90,18 @@ spec: imagePullPolicy: {{ .Values.global.images.spireControllerManager.pullPolicy }} ports: - containerPort: 9443 + - containerPort: 8083 + name: healthz + + livenessProbe: + httpGet: + path: /healthz + port: healthz + readinessProbe: + httpGet: + path: /readyz + port: healthz + args: - "--config=spire-controller-manager-config.yaml" volumeMounts: @@ -108,6 +121,7 @@ spec: configMap: name: spire-controller-manager-config {{- if .Values.data.persistent }} + # noinspection KubernetesUnknownKeys volumeClaimTemplates: - metadata: name: spire-data diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index 2eb2cc80..d8fae2ed 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml @@ -864,6 +864,18 @@ spec: imagePullPolicy: IfNotPresent ports: - containerPort: 9443 + - containerPort: 8083 + name: healthz + + livenessProbe: + httpGet: + path: /healthz + port: healthz + readinessProbe: + httpGet: + path: /readyz + port: healthz + args: - "--config=spire-controller-manager-config.yaml" volumeMounts: From 1c3ea8defbc3b67bdcc32c7027813acb09428cbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 13:20:15 -0700 Subject: [PATCH 07/16] attempt 2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Volkan Özçelik --- .../spire/templates/spire-controller-manager-config.yaml | 4 +++- k8s/0.24.5/spire.yaml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-controller-manager-config.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-controller-manager-config.yaml index 0142af66..178a8c83 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-controller-manager-config.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-controller-manager-config.yaml @@ -20,7 +20,9 @@ data: metrics: bindAddress: 127.0.0.1:8082 healthProbe: - bindAddress: 127.0.0.1:8083 + bindAddress: 0.0.0.0:8083 + health: + healthProbeBindAddress: 0.0.0.0:8083 leaderElection: leaderElect: true resourceName: 98c9c988.spiffe.io diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index d8fae2ed..3cdd16af 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml @@ -132,7 +132,9 @@ data: metrics: bindAddress: 127.0.0.1:8082 healthProbe: - bindAddress: 127.0.0.1:8083 + bindAddress: 0.0.0.0:8083 + health: + healthProbeBindAddress: 0.0.0.0:8083 leaderElection: leaderElect: true resourceName: 98c9c988.spiffe.io From 387f61f5a3dc470a608868eef93c2bc36b30f0fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 13:23:39 -0700 Subject: [PATCH 08/16] attemp 3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- .../charts/spire/templates/spire-controller-manager-config.yaml | 2 -- k8s/0.24.5/spire.yaml | 2 -- 2 files changed, 4 deletions(-) diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-controller-manager-config.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-controller-manager-config.yaml index 178a8c83..324d16df 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-controller-manager-config.yaml 
+++ b/helm-charts/0.24.5/charts/spire/templates/spire-controller-manager-config.yaml @@ -19,8 +19,6 @@ data: kind: ControllerManagerConfig metrics: bindAddress: 127.0.0.1:8082 - healthProbe: - bindAddress: 0.0.0.0:8083 health: healthProbeBindAddress: 0.0.0.0:8083 leaderElection: diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index 3cdd16af..a0ea5a7c 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml @@ -131,8 +131,6 @@ data: kind: ControllerManagerConfig metrics: bindAddress: 127.0.0.1:8082 - healthProbe: - bindAddress: 0.0.0.0:8083 health: healthProbeBindAddress: 0.0.0.0:8083 leaderElection: From f3b238efd176dbc8a9aaf637260c19cecc68013f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 13:27:59 -0700 Subject: [PATCH 09/16] BundleEndpoint update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- .../charts/spire/templates/spire-server-bundle-endpoint.yaml | 4 ++-- helm-charts/0.24.5/charts/spire/values.yaml | 2 +- k8s/0.24.5/spire.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-bundle-endpoint.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-bundle-endpoint.yaml index b2d77b1d..27a92e28 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-server-bundle-endpoint.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-bundle-endpoint.yaml @@ -15,10 +15,10 @@ metadata: name: spire-server-bundle-endpoint namespace: {{ .Values.global.spire.namespace }} spec: - type: NodePort + type: {{ .Values.bundleEndpoint.type }} ports: - name: api - port: 8443 + port: {{ .Values.bundleEndpoint.port }} protocol: TCP selector: app: spire-server diff --git a/helm-charts/0.24.5/charts/spire/values.yaml b/helm-charts/0.24.5/charts/spire/values.yaml index 01218c9f..8156c4e1 100644 --- a/helm-charts/0.24.5/charts/spire/values.yaml 
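Review bot: Moving the bundle endpoint Service to `{{ .Values.bundleEndpoint.type }}` with a ClusterIP default is the right direction — it only needs off-cluster reach when federating with another trust domain — but `bundleEndpoint.annotations` declared in values.yaml is never rendered here, so load-balancer or firewall annotations an operator sets are silently dropped. Add `{{- with .Values.bundleEndpoint.annotations }}` / `annotations: {{ toYaml . | nindent 4 }}` / `{{- end }}` under `metadata`. A values.yaml comment on `type` should state that anything other than ClusterIP publishes the bundle endpoint and must be paired with a deliberately configured bundle endpoint on the server, and since no `targetPort` is given, `port` must equal the port the server's bundle endpoint is bound to in the server config map (not visible in this hunk).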
+++ b/helm-charts/0.24.5/charts/spire/values.yaml @@ -39,7 +39,7 @@ service: bundleEndpoint: # ClusterIP, NodePort, LoadBalancer type: ClusterIP - port: 8081 + port: 8443 annotations: {} serviceAccount: diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index a0ea5a7c..83d8eb0f 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml @@ -559,7 +559,7 @@ metadata: name: spire-server-bundle-endpoint namespace: spire-system spec: - type: NodePort + type: ClusterIP ports: - name: api port: 8443 From b8acb039f5bc96152169bcf0282cd710bfccc202 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 13:38:56 -0700 Subject: [PATCH 10/16] add notifier MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- .../charts/spire/templates/spire-server-config-map.yaml | 1 + .../0.24.5/charts/spire/templates/spire-server-service.yaml | 6 +++--- k8s/0.24.5/spire.yaml | 1 + 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-config-map.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-config-map.yaml index a785fb27..d09fb8ba 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-server-config-map.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-config-map.yaml @@ -64,6 +64,7 @@ data: Notifier "k8sbundle" { plugin_data { + config_map = "spire-bundle" namespace = "{{ .Values.global.spire.namespace }}" } } diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml index 74a3ef1a..efb95d71 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml 
@@ -15,11 +15,11 @@ metadata: name: spire-server namespace: {{ .Values.global.spire.namespace }} spec: - type: ClusterIP + type: {{ .Values.service.type }} ports: - name: api - port: 8081 - targetPort: 8081 + port: {{ .Values.service.port }} + targetPort: {{ .Values.service.port }} protocol: TCP selector: app: spire-server \ No newline at end of file diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index 83d8eb0f..0868a6f0 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml @@ -238,6 +238,7 @@ data: Notifier "k8sbundle" { plugin_data { + config_map = "spire-bundle" namespace = "spire-system" } } From c64325197fbd3cc9e8df3d0b85bfc9226f7502e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 13:59:57 -0700 Subject: [PATCH 11/16] whitespace MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- .../charts/spire/templates/spire-server-service-account.yaml | 2 +- .../0.24.5/charts/spire/templates/spire-server-service.yaml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-service-account.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-service-account.yaml index 20280bcc..4318daae 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-server-service-account.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-service-account.yaml @@ -13,4 +13,4 @@ apiVersion: v1 kind: ServiceAccount metadata: name: spire-server - namespace: {{ .Values.global.spire.namespace }} \ No newline at end of file + namespace: {{ .Values.global.spire.namespace }} diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml index efb95d71..e6e12c73 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml 
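Review bot: `targetPort: {{ .Values.service.port }}` ties the container-side port to the Service port, but the port the SPIRE server actually listens on is set by its server config (spire-server-config-map.yaml), which this commit does not derive from the same value as far as the hunk shows; changing `service.port` alone would then route the agent and registration traffic to a port nothing listens on. Keep the container side fixed, `targetPort: 8081`, or template the server's bind port from `.Values.service.port` in the same change so the two cannot diverge. `type: {{ .Values.service.type }}` also makes the server API Service type operator-controlled for the first time; a comment next to `service.type` in values.yaml stating that NodePort or LoadBalancer exposes the SPIRE server API beyond the cluster would make that consequence visible where the value is set.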
+++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml @@ -22,4 +22,5 @@ spec: targetPort: {{ .Values.service.port }} protocol: TCP selector: - app: spire-server \ No newline at end of file + app: spire-server + \ No newline at end of file From 05a7dcecae3c5e3eb16194fd4c17079208563d90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 14:07:00 -0700 Subject: [PATCH 12/16] updated agent and server versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- .../0.24.5/charts/spire/templates/spire-server-service.yaml | 1 - helm-charts/0.24.5/values.yaml | 4 ++-- k8s/0.24.5/spire.yaml | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml b/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml index e6e12c73..5f71a612 100644 --- a/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml +++ b/helm-charts/0.24.5/charts/spire/templates/spire-server-service.yaml @@ -23,4 +23,3 @@ spec: protocol: TCP selector: app: spire-server - \ No newline at end of file diff --git a/helm-charts/0.24.5/values.yaml b/helm-charts/0.24.5/values.yaml index 084912d2..d7f56a84 100644 --- a/helm-charts/0.24.5/values.yaml +++ b/helm-charts/0.24.5/values.yaml @@ -37,7 +37,7 @@ global: tag: 0.24.5 spireAgent: repository: ghcr.io/spiffe/spire-agent - tag: 1.9.1 + tag: 1.9.5 pullPolicy: IfNotPresent spiffeCsiDriver: repository: ghcr.io/spiffe/spiffe-csi-driver @@ -49,7 +49,7 @@ global: pullPolicy: IfNotPresent spireServer: repository: ghcr.io/spiffe/spire-server - tag: 1.9.1 + tag: 1.9.5 pullPolicy: IfNotPresent spireControllerManager: repository: ghcr.io/spiffe/spire-controller-manager diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index 0868a6f0..54b84ec0 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml 
@@ -657,7 +657,7 @@ spec: priorityClassName: system-node-critical containers: - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.9.1 + image: ghcr.io/spiffe/spire-agent:1.9.5 imagePullPolicy: IfNotPresent args: ["-config", "/run/spire/config/agent.conf"] resources: @@ -826,7 +826,7 @@ spec: containers: - name: spire-server - image: ghcr.io/spiffe/spire-server:1.9.1 + image: ghcr.io/spiffe/spire-server:1.9.5 imagePullPolicy: IfNotPresent args: ["-config", "/run/spire/server/config/server.conf"] resources: From f47796d8665760643de20e8b2a9070aae27edf0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 14:49:58 -0700 Subject: [PATCH 13/16] 1.9.4 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- helm-charts/0.24.5/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/helm-charts/0.24.5/values.yaml b/helm-charts/0.24.5/values.yaml index d7f56a84..82ac046e 100644 --- a/helm-charts/0.24.5/values.yaml +++ b/helm-charts/0.24.5/values.yaml @@ -37,7 +37,7 @@ global: tag: 0.24.5 spireAgent: repository: ghcr.io/spiffe/spire-agent - tag: 1.9.5 + tag: 1.9.4 pullPolicy: IfNotPresent spiffeCsiDriver: repository: ghcr.io/spiffe/spiffe-csi-driver @@ -49,7 +49,7 @@ global: pullPolicy: IfNotPresent spireServer: repository: ghcr.io/spiffe/spire-server - tag: 1.9.5 + tag: 1.9.4 pullPolicy: IfNotPresent spireControllerManager: repository: ghcr.io/spiffe/spire-controller-manager From 02cb1996b59a786cf6704c7e64ffbb7a55d84bb6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 14:51:20 -0700 Subject: [PATCH 14/16] version change MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- k8s/0.24.5/spire.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index 54b84ec0..5f5d1490 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml @@ -657,7 +657,7 @@ spec: priorityClassName: system-node-critical containers: - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.9.5 + image: ghcr.io/spiffe/spire-agent:1.9.4 imagePullPolicy: IfNotPresent args: ["-config", "/run/spire/config/agent.conf"] resources: @@ -826,7 +826,7 @@ spec: containers: - name: spire-server - image: ghcr.io/spiffe/spire-server:1.9.5 + image: ghcr.io/spiffe/spire-server:1.9.4 imagePullPolicy: IfNotPresent args: ["-config", "/run/spire/server/config/server.conf"] resources: From f16e73081e7ff91c112abd1dd4031c41968421a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 14:53:45 -0700 Subject: [PATCH 15/16] update spire controller manager MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- helm-charts/0.24.5/values.yaml | 2 +- k8s/0.24.5/spire.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/helm-charts/0.24.5/values.yaml b/helm-charts/0.24.5/values.yaml index 82ac046e..80464172 100644 --- a/helm-charts/0.24.5/values.yaml +++ b/helm-charts/0.24.5/values.yaml @@ -53,7 +53,7 @@ global: pullPolicy: IfNotPresent spireControllerManager: repository: ghcr.io/spiffe/spire-controller-manager - tag: 0.4.3 + tag: 0.5.0 pullPolicy: IfNotPresent vsecm: namespace: vsecm-system diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index 5f5d1490..da9240f9 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml @@ -861,7 +861,7 @@ spec: - name: spire-server-socket mountPath: /tmp/spire-server/private - name: spire-controller-manager - image: ghcr.io/spiffe/spire-controller-manager:0.4.3 + image: ghcr.io/spiffe/spire-controller-manager:0.5.0 imagePullPolicy: IfNotPresent ports: - containerPort: 9443 
From 47d159b51d01b7ed9091a073049003e87588c049 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Wed, 24 Apr 2024 14:57:12 -0700 Subject: [PATCH 16/16] spiffe csi driver update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- helm-charts/0.24.5/values.yaml | 2 +- k8s/0.24.5/spire.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/helm-charts/0.24.5/values.yaml b/helm-charts/0.24.5/values.yaml index 80464172..16ce7f82 100644 --- a/helm-charts/0.24.5/values.yaml +++ b/helm-charts/0.24.5/values.yaml @@ -41,7 +41,7 @@ global: pullPolicy: IfNotPresent spiffeCsiDriver: repository: ghcr.io/spiffe/spiffe-csi-driver - tag: 0.2.5 + tag: 0.2.6 pullPolicy: IfNotPresent nodeDriverRegistrar: repository: registry.k8s.io/sig-storage/csi-node-driver-registrar diff --git a/k8s/0.24.5/spire.yaml b/k8s/0.24.5/spire.yaml index da9240f9..a6b68a6f 100644 --- a/k8s/0.24.5/spire.yaml +++ b/k8s/0.24.5/spire.yaml @@ -694,7 +694,7 @@ spec: mountPath: /run/spire/sockets # This is the container which runs the SPIFFE CSI driver. - name: spiffe-csi-driver - image: ghcr.io/spiffe/spiffe-csi-driver:0.2.5 + image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6 imagePullPolicy: IfNotPresent args: [ "-workload-api-socket-dir", "/spire-agent-socket",