From f97a164198d3b3b5c03f1b9b8f96c903bd7adbc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Fri, 17 May 2024 15:21:58 -0700 Subject: [PATCH 1/2] manifest updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Volkan Özçelik --- Makefile | 2 +- dockerfiles/example/init-container.Dockerfile | 2 +- .../example/multiple-secrets.Dockerfile | 2 +- dockerfiles/example/sdk-go.Dockerfile | 2 +- dockerfiles/example/sidecar.Dockerfile | 2 +- dockerfiles/util/inspector.Dockerfile | 2 +- dockerfiles/util/keygen.Dockerfile | 2 +- .../vsecm-ist-fips/init-container.Dockerfile | 2 +- .../vsecm-ist-fips/keystone.Dockerfile | 2 +- dockerfiles/vsecm-ist-fips/safe.Dockerfile | 2 +- .../vsecm-ist-fips/sentinel.Dockerfile | 2 +- dockerfiles/vsecm-ist-fips/sidecar.Dockerfile | 2 +- .../vsecm-ist/init-container.Dockerfile | 2 +- dockerfiles/vsecm-ist/keystone.Dockerfile | 2 +- dockerfiles/vsecm-ist/safe.Dockerfile | 2 +- dockerfiles/vsecm-ist/sentinel.Dockerfile | 2 +- dockerfiles/vsecm-ist/sidecar.Dockerfile | 2 +- .../multiple_secrets/k8s-eks/Deployment.yaml | 2 +- .../k8s-eks/image-override.yaml | 2 +- examples/multiple_secrets/k8s/Deployment.yaml | 2 +- .../multiple_secrets/k8s/image-override.yaml | 2 +- examples/operator_decrpyt_secrets/reveal.sh | 2 +- .../k8s-eks/Deployment.yaml | 4 +- .../k8s-eks/image-override.yaml | 4 +- .../using_init_container/k8s/Deployment.yaml | 4 +- .../k8s/image-override.yaml | 4 +- examples/using_sdk_go/k8s-eks/Deployment.yaml | 2 +- .../using_sdk_go/k8s-eks/image-override.yaml | 2 +- examples/using_sdk_go/k8s/Deployment.yaml | 2 +- examples/using_sdk_go/k8s/image-override.yaml | 2 +- .../using_sidecar/k8s-eks/Deployment.yaml | 4 +- .../using_sidecar/k8s-eks/image-override.yaml | 4 +- examples/using_sidecar/k8s/Deployment.yaml | 4 +- .../using_sidecar/k8s/image-override.yaml | 4 +- .../using_vsecm_inspector/Deployment.yaml | 2 +- .../init-container/Deployment.yaml | 4 +- .../init-container/image-override.yaml | 4 +- .../workshop_aegis/inspector/Deployment.yaml | 2 +- .../inspector/image-override.yaml | 2 +- examples/workshop_aegis/sdk/Deployment.yaml | 2 +- .../workshop_aegis/sdk/image-override.yaml | 2 +- 
.../workshop_aegis/sidecar/Deployment.yaml | 4 +- .../sidecar/image-override.yaml | 4 +- .../cluster-1/inspector/Deployment.yaml | 2 +- .../cluster-1/sentinel/Deployment.yaml | 2 +- .../cluster-2/safe/Deployment.yaml | 2 +- .../k8s/Deployment.yaml | 2 +- .../workshop_vsecm/hack/015-reveal-secrets.sh | 2 +- .../example-init-container/Deployment.yaml | 4 +- .../workloads/inspector/Deployment.yaml | 2 +- .../workloads/keycloak/Deployment.yaml | 2 +- hack/tag-docker.sh | 2 +- helm-charts/0.25.3/Chart.yaml | 69 -- helm-charts/0.25.3/README.md | 76 -- .../0.25.3/charts/keystone/.helmignore | 23 - helm-charts/0.25.3/charts/keystone/Chart.yaml | 34 - .../charts/keystone/templates/Deployment.yaml | 164 --- .../charts/keystone/templates/Identity.yaml | 27 - .../keystone/templates/ServiceAccount.yaml | 24 - .../charts/keystone/templates/_helpers.tpl | 86 -- .../0.25.3/charts/keystone/values.yaml | 84 -- helm-charts/0.25.3/charts/safe/.helmignore | 23 - helm-charts/0.25.3/charts/safe/Chart.yaml | 34 - .../charts/safe/templates/Identity.yaml | 27 - .../charts/safe/templates/RoleBinding.yaml | 44 - .../0.25.3/charts/safe/templates/Secret.yaml | 20 - .../0.25.3/charts/safe/templates/Service.yaml | 26 - .../charts/safe/templates/ServiceAccount.yaml | 24 - .../charts/safe/templates/StatefulSet.yaml | 171 --- .../0.25.3/charts/safe/templates/_helpers.tpl | 86 -- .../templates/hook-preinstall-namespace.yaml | 14 - .../safe/templates/hook-preinstall-role.yaml | 72 -- helm-charts/0.25.3/charts/safe/values.yaml | 133 --- .../0.25.3/charts/sentinel/.helmignore | 23 - helm-charts/0.25.3/charts/sentinel/Chart.yaml | 34 - .../charts/sentinel/templates/Deployment.yaml | 133 --- .../charts/sentinel/templates/Identity.yaml | 27 - .../charts/sentinel/templates/Secret.yaml | 20 - .../sentinel/templates/ServiceAccount.yaml | 24 - .../charts/sentinel/templates/_helpers.tpl | 86 -- .../0.25.3/charts/sentinel/values.yaml | 112 -- helm-charts/0.25.3/charts/spire/.helmignore | 23 - 
helm-charts/0.25.3/charts/spire/Chart.yaml | 34 - .../charts/spire/templates/_helpers.tpl | 72 -- .../hook-preinstall_leader_election_role.yaml | 26 - .../crd-rbac/hook-preinstall_role.yaml | 57 - .../leader_election_role_binding.yaml | 23 - .../templates/crd-rbac/role_binding.yaml | 22 - .../hook-preinstall_spiffe-csi-driver.yaml | 32 - .../hook-preinstall_spire-namespace.yaml | 14 - .../spire-agent-cluster-role-binding.yaml | 23 - .../templates/spire-agent-cluster-role.yaml | 19 - .../templates/spire-agent-config-map.yaml | 56 - .../templates/spire-agent-daemonset.yaml | 172 --- .../spire-agent-service-account.yaml | 16 - .../spire-controller-manager-config.yaml | 39 - .../spire-controller-manager-webhook.yaml | 57 - .../spire-server-bundle-config-map.yaml | 19 - .../spire-server-bundle-endpoint.yaml | 24 - .../spire-server-cluster-role-binding.yaml | 24 - .../templates/spire-server-cluster-role.yaml | 24 - .../templates/spire-server-config-map.yaml | 86 -- ...er-controller-manager-webhook-service.yaml | 23 - .../templates/spire-server-role-binding.yaml | 25 - .../spire/templates/spire-server-role.yaml | 27 - .../spire-server-service-account.yaml | 16 - .../spire/templates/spire-server-service.yaml | 25 - .../templates/spire-server-stateful-set.yaml | 130 --- helm-charts/0.25.3/charts/spire/values.yaml | 105 -- ...piffe.io_clusterfederatedtrustdomains.yaml | 99 -- .../spire.spiffe.io_clusterspiffeids.yaml | 234 ---- .../spire.spiffe.io_clusterstaticentries.yaml | 100 -- ...re.spiffe.io_controllermanagerconfigs.yaml | 68 -- helm-charts/0.25.3/values.yaml | 84 -- helm-charts/0.25.4/charts/keystone/Chart.yaml | 4 +- helm-charts/0.25.4/values.yaml | 8 +- ...piffe.io_clusterfederatedtrustdomains.yaml | 99 -- .../spire.spiffe.io_clusterspiffeids.yaml | 234 ---- .../spire.spiffe.io_clusterstaticentries.yaml | 100 -- ...re.spiffe.io_controllermanagerconfigs.yaml | 68 -- k8s/0.25.3/eks/vsecm-distroless-fips.yaml | 853 --------------- k8s/0.25.3/eks/vsecm-distroless.yaml | 
853 --------------- k8s/0.25.3/local/vsecm-distroless-fips.yaml | 853 --------------- k8s/0.25.3/local/vsecm-distroless.yaml | 853 --------------- k8s/0.25.3/remote/vsecm-distroless-fips.yaml | 853 --------------- k8s/0.25.3/remote/vsecm-distroless.yaml | 853 --------------- k8s/0.25.3/spire.yaml | 995 ------------------ k8s/0.25.4/eks/vsecm-distroless-fips.yaml | 16 +- k8s/0.25.4/eks/vsecm-distroless.yaml | 16 +- k8s/0.25.4/local/vsecm-distroless-fips.yaml | 16 +- k8s/0.25.4/local/vsecm-distroless.yaml | 16 +- k8s/0.25.4/remote/vsecm-distroless-fips.yaml | 16 +- k8s/0.25.4/remote/vsecm-distroless.yaml | 16 +- 133 files changed, 119 insertions(+), 10251 deletions(-) delete mode 100644 helm-charts/0.25.3/Chart.yaml delete mode 100644 helm-charts/0.25.3/README.md delete mode 100644 helm-charts/0.25.3/charts/keystone/.helmignore delete mode 100644 helm-charts/0.25.3/charts/keystone/Chart.yaml delete mode 100644 helm-charts/0.25.3/charts/keystone/templates/Deployment.yaml delete mode 100644 helm-charts/0.25.3/charts/keystone/templates/Identity.yaml delete mode 100644 helm-charts/0.25.3/charts/keystone/templates/ServiceAccount.yaml delete mode 100644 helm-charts/0.25.3/charts/keystone/templates/_helpers.tpl delete mode 100644 helm-charts/0.25.3/charts/keystone/values.yaml delete mode 100644 helm-charts/0.25.3/charts/safe/.helmignore delete mode 100644 helm-charts/0.25.3/charts/safe/Chart.yaml delete mode 100644 helm-charts/0.25.3/charts/safe/templates/Identity.yaml delete mode 100644 helm-charts/0.25.3/charts/safe/templates/RoleBinding.yaml delete mode 100644 helm-charts/0.25.3/charts/safe/templates/Secret.yaml delete mode 100644 helm-charts/0.25.3/charts/safe/templates/Service.yaml delete mode 100644 helm-charts/0.25.3/charts/safe/templates/ServiceAccount.yaml delete mode 100644 helm-charts/0.25.3/charts/safe/templates/StatefulSet.yaml delete mode 100644 helm-charts/0.25.3/charts/safe/templates/_helpers.tpl delete mode 100644 
helm-charts/0.25.3/charts/safe/templates/hook-preinstall-namespace.yaml delete mode 100644 helm-charts/0.25.3/charts/safe/templates/hook-preinstall-role.yaml delete mode 100644 helm-charts/0.25.3/charts/safe/values.yaml delete mode 100644 helm-charts/0.25.3/charts/sentinel/.helmignore delete mode 100644 helm-charts/0.25.3/charts/sentinel/Chart.yaml delete mode 100644 helm-charts/0.25.3/charts/sentinel/templates/Deployment.yaml delete mode 100644 helm-charts/0.25.3/charts/sentinel/templates/Identity.yaml delete mode 100644 helm-charts/0.25.3/charts/sentinel/templates/Secret.yaml delete mode 100644 helm-charts/0.25.3/charts/sentinel/templates/ServiceAccount.yaml delete mode 100644 helm-charts/0.25.3/charts/sentinel/templates/_helpers.tpl delete mode 100644 helm-charts/0.25.3/charts/sentinel/values.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/.helmignore delete mode 100644 helm-charts/0.25.3/charts/spire/Chart.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/_helpers.tpl delete mode 100644 helm-charts/0.25.3/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/crd-rbac/hook-preinstall_role.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/crd-rbac/role_binding.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/hook-preinstall_spire-namespace.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-agent-cluster-role-binding.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-agent-cluster-role.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-agent-config-map.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-agent-daemonset.yaml delete mode 100644 
helm-charts/0.25.3/charts/spire/templates/spire-agent-service-account.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-controller-manager-config.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-controller-manager-webhook.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-server-bundle-config-map.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-server-bundle-endpoint.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-server-cluster-role-binding.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-server-cluster-role.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-server-config-map.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-server-role-binding.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-server-role.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-server-service-account.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-server-service.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/templates/spire-server-stateful-set.yaml delete mode 100644 helm-charts/0.25.3/charts/spire/values.yaml delete mode 100644 helm-charts/0.25.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml delete mode 100644 helm-charts/0.25.3/crds/spire.spiffe.io_clusterspiffeids.yaml delete mode 100644 helm-charts/0.25.3/crds/spire.spiffe.io_clusterstaticentries.yaml delete mode 100644 helm-charts/0.25.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml delete mode 100644 helm-charts/0.25.3/values.yaml delete mode 100644 k8s/0.25.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml delete mode 100644 k8s/0.25.3/crds/spire.spiffe.io_clusterspiffeids.yaml delete mode 100644 
k8s/0.25.3/crds/spire.spiffe.io_clusterstaticentries.yaml delete mode 100644 k8s/0.25.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml delete mode 100644 k8s/0.25.3/eks/vsecm-distroless-fips.yaml delete mode 100644 k8s/0.25.3/eks/vsecm-distroless.yaml delete mode 100644 k8s/0.25.3/local/vsecm-distroless-fips.yaml delete mode 100644 k8s/0.25.3/local/vsecm-distroless.yaml delete mode 100644 k8s/0.25.3/remote/vsecm-distroless-fips.yaml delete mode 100644 k8s/0.25.3/remote/vsecm-distroless.yaml delete mode 100644 k8s/0.25.3/spire.yaml
diff --git a/Makefile b/Makefile
index 19950160..caf6c3ce 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ ifdef VSECM_VERSION
 VERSION := $(VSECM_VERSION)
 else
- VERSION := 0.25.3
+ VERSION := 0.25.4
 endif
 # Set deploySpire to false, if you want to use existing spire deployment
diff --git a/dockerfiles/example/init-container.Dockerfile b/dockerfiles/example/init-container.Dockerfile
index 5a82b6c9..0aac7ede 100644
--- a/dockerfiles/example/init-container.Dockerfile
+++ b/dockerfiles/example/init-container.Dockerfile
@@ -22,7 +22,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o example \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/example/multiple-secrets.Dockerfile b/dockerfiles/example/multiple-secrets.Dockerfile
index fb326041..235ebcbb 100644
--- a/dockerfiles/example/multiple-secrets.Dockerfile
+++ b/dockerfiles/example/multiple-secrets.Dockerfile
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/example/sdk-go.Dockerfile b/dockerfiles/example/sdk-go.Dockerfile
index 3986080d..e45a30c0 100644
--- a/dockerfiles/example/sdk-go.Dockerfile
+++ b/dockerfiles/example/sdk-go.Dockerfile
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o env \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/example/sidecar.Dockerfile b/dockerfiles/example/sidecar.Dockerfile
index 624e5361..d970390b 100644
--- a/dockerfiles/example/sidecar.Dockerfile
+++ b/dockerfiles/example/sidecar.Dockerfile
@@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o env \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/util/inspector.Dockerfile b/dockerfiles/util/inspector.Dockerfile
index 03e623a0..a3b5b77f 100644
--- a/dockerfiles/util/inspector.Dockerfile
+++ b/dockerfiles/util/inspector.Dockerfile
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/util/keygen.Dockerfile b/dockerfiles/util/keygen.Dockerfile
index a115f9e9..774e2eff 100644
--- a/dockerfiles/util/keygen.Dockerfile
+++ b/dockerfiles/util/keygen.Dockerfile
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-keygen \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/init-container.Dockerfile b/dockerfiles/vsecm-ist-fips/init-container.Dockerfile
index 75eb4617..bbdb440b 100644
--- a/dockerfiles/vsecm-ist-fips/init-container.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/init-container.Dockerfile
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/keystone.Dockerfile b/dockerfiles/vsecm-ist-fips/keystone.Dockerfile
index fe1e455b..2b6c2275 100644
--- a/dockerfiles/vsecm-ist-fips/keystone.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/keystone.Dockerfile
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/safe.Dockerfile b/dockerfiles/vsecm-ist-fips/safe.Dockerfile
index 753dc598..c31ded85 100644
--- a/dockerfiles/vsecm-ist-fips/safe.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/safe.Dockerfile
@@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile b/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile
index f449f551..27238daf 100644
--- a/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile b/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile
index e7c1eda2..77bf5b47 100644
--- a/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/init-container.Dockerfile b/dockerfiles/vsecm-ist/init-container.Dockerfile
index a262831a..5403ddf3 100644
--- a/dockerfiles/vsecm-ist/init-container.Dockerfile
+++ b/dockerfiles/vsecm-ist/init-container.Dockerfile
@@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-init-container \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/keystone.Dockerfile b/dockerfiles/vsecm-ist/keystone.Dockerfile
index 14c760bf..022624cd 100644
--- a/dockerfiles/vsecm-ist/keystone.Dockerfile
+++ b/dockerfiles/vsecm-ist/keystone.Dockerfile
@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-keystone \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/safe.Dockerfile b/dockerfiles/vsecm-ist/safe.Dockerfile
index 50358e3f..0605b1ca 100644
--- a/dockerfiles/vsecm-ist/safe.Dockerfile
+++ b/dockerfiles/vsecm-ist/safe.Dockerfile
@@ -22,7 +22,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-safe ./app/safe/cm
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/sentinel.Dockerfile b/dockerfiles/vsecm-ist/sentinel.Dockerfile
index 2ef5597f..1ded20c2 100644
--- a/dockerfiles/vsecm-ist/sentinel.Dockerfile
+++ b/dockerfiles/vsecm-ist/sentinel.Dockerfile
@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth ./app/sentinel/bac
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/sidecar.Dockerfile b/dockerfiles/vsecm-ist/sidecar.Dockerfile
index a1888301..3674f8dc 100644
--- a/dockerfiles/vsecm-ist/sidecar.Dockerfile
+++ b/dockerfiles/vsecm-ist/sidecar.Dockerfile
@@ -22,7 +22,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-sidecar ./app/side
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.25.3"
+ENV APP_VERSION="0.25.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/examples/multiple_secrets/k8s-eks/Deployment.yaml b/examples/multiple_secrets/k8s-eks/Deployment.yaml
index d79253b3..ff6e8f13 100644
--- a/examples/multiple_secrets/k8s-eks/Deployment.yaml
+++ b/examples/multiple_secrets/k8s-eks/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-multiple-secrets:0.25.3
+ image: vsecm/example-multiple-secrets:0.25.4
 volumeMounts:
 # Volume mount for SPIRE unix domain socket.
 - name: spire-agent-socket
diff --git a/examples/multiple_secrets/k8s-eks/image-override.yaml b/examples/multiple_secrets/k8s-eks/image-override.yaml
index c83689f3..35275797 100644
--- a/examples/multiple_secrets/k8s-eks/image-override.yaml
+++ b/examples/multiple_secrets/k8s-eks/image-override.yaml
@@ -18,7 +18,7 @@ spec:
 spec:
 containers:
 - name: main
- image: public.ecr.aws/h8y1n7y7/example-multiple-secrets:0.25.3
+ image: public.ecr.aws/h8y1n7y7/example-multiple-secrets:0.25.4
 env:
 - name: VSECM_LOG_LEVEL
 value: "7"
\ No newline at end of file
diff --git a/examples/multiple_secrets/k8s/Deployment.yaml b/examples/multiple_secrets/k8s/Deployment.yaml
index d79253b3..ff6e8f13 100644
--- a/examples/multiple_secrets/k8s/Deployment.yaml
+++ b/examples/multiple_secrets/k8s/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-multiple-secrets:0.25.3
+ image: vsecm/example-multiple-secrets:0.25.4
 volumeMounts:
 # Volume mount for SPIRE unix domain socket.
 - name: spire-agent-socket
diff --git a/examples/multiple_secrets/k8s/image-override.yaml b/examples/multiple_secrets/k8s/image-override.yaml
index d9191be9..6ffdb46f 100644
--- a/examples/multiple_secrets/k8s/image-override.yaml
+++ b/examples/multiple_secrets/k8s/image-override.yaml
@@ -18,7 +18,7 @@ spec:
 spec:
 containers:
 - name: main
- image: localhost:5000/example-multiple-secrets:0.25.3
+ image: localhost:5000/example-multiple-secrets:0.25.4
 env:
 - name: VSECM_LOG_LEVEL
 value: "7"
\ No newline at end of file
diff --git a/examples/operator_decrpyt_secrets/reveal.sh b/examples/operator_decrpyt_secrets/reveal.sh
index 5de12f0c..1c680917 100644
--- a/examples/operator_decrpyt_secrets/reveal.sh
+++ b/examples/operator_decrpyt_secrets/reveal.sh
@@ -9,7 +9,7 @@
 # <>/' Copyright 2023-present VMware Secrets Manager contributors.
 # >/' SPDX-License-Identifier: BSD-2-Clause
 # */
-VERSION="0.25.3"
+VERSION="0.25.4"
 docker run --rm \
 -v "$(pwd)":/vsecm \
diff --git a/examples/using_init_container/k8s-eks/Deployment.yaml b/examples/using_init_container/k8s-eks/Deployment.yaml
index 61302455..bed5c333 100644
--- a/examples/using_init_container/k8s-eks/Deployment.yaml
+++ b/examples/using_init_container/k8s-eks/Deployment.yaml
@@ -28,13 +28,13 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-using-init-container:0.25.3
+ image: vsecm/example-using-init-container:0.25.4
 initContainers:
 # See `./register.sh` to register the workload and finalize
 # this init container.
 - name: init-container
- image: vsecm/vsecm-ist-init-container:0.25.3
+ image: vsecm/vsecm-ist-init-container:0.25.4
 volumeMounts:
 # Volume mount for SPIRE unix domain socket.
 - name: spire-agent-socket
diff --git a/examples/using_init_container/k8s-eks/image-override.yaml b/examples/using_init_container/k8s-eks/image-override.yaml
index 21a3687a..d8a1faf9 100644
--- a/examples/using_init_container/k8s-eks/image-override.yaml
+++ b/examples/using_init_container/k8s-eks/image-override.yaml
@@ -18,7 +18,7 @@ spec:
 spec:
 containers:
 - name: main
- image: public.ecr.aws/h8y1n7y7/example-using-init-container:0.25.3
+ image: public.ecr.aws/h8y1n7y7/example-using-init-container:0.25.4
 initContainers:
 - name: init-container
- image: public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.25.3
+ image: public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.25.4
diff --git a/examples/using_init_container/k8s/Deployment.yaml b/examples/using_init_container/k8s/Deployment.yaml
index 61302455..bed5c333 100644
--- a/examples/using_init_container/k8s/Deployment.yaml
+++ b/examples/using_init_container/k8s/Deployment.yaml
@@ -28,13 +28,13 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-using-init-container:0.25.3
+ image: vsecm/example-using-init-container:0.25.4
 initContainers:
 # See `./register.sh` to register the workload and finalize
 # this init container.
 - name: init-container
- image: vsecm/vsecm-ist-init-container:0.25.3
+ image: vsecm/vsecm-ist-init-container:0.25.4
 volumeMounts:
 # Volume mount for SPIRE unix domain socket.
 - name: spire-agent-socket
diff --git a/examples/using_init_container/k8s/image-override.yaml b/examples/using_init_container/k8s/image-override.yaml
index 30d2513a..780143ef 100644
--- a/examples/using_init_container/k8s/image-override.yaml
+++ b/examples/using_init_container/k8s/image-override.yaml
@@ -18,7 +18,7 @@ spec:
 spec:
 containers:
 - name: main
- image: localhost:5000/example-using-init-container:0.25.3
+ image: localhost:5000/example-using-init-container:0.25.4
 initContainers:
 - name: init-container
- image: localhost:5000/vsecm-ist-init-container:0.25.3
+ image: localhost:5000/vsecm-ist-init-container:0.25.4
diff --git a/examples/using_sdk_go/k8s-eks/Deployment.yaml b/examples/using_sdk_go/k8s-eks/Deployment.yaml
index f20c96aa..d520b479 100644
--- a/examples/using_sdk_go/k8s-eks/Deployment.yaml
+++ b/examples/using_sdk_go/k8s-eks/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-using-sdk-go:0.25.3
+ image: vsecm/example-using-sdk-go:0.25.4
 volumeMounts:
 # Volume mount for SPIRE unix domain socket.
 - name: spire-agent-socket
diff --git a/examples/using_sdk_go/k8s-eks/image-override.yaml b/examples/using_sdk_go/k8s-eks/image-override.yaml
index 07bce28a..261dd313 100644
--- a/examples/using_sdk_go/k8s-eks/image-override.yaml
+++ b/examples/using_sdk_go/k8s-eks/image-override.yaml
@@ -18,4 +18,4 @@ spec:
 spec:
 containers:
 - name: main
- image: public.ecr.aws/h8y1n7y7/example-using-sdk-go:0.25.3
+ image: public.ecr.aws/h8y1n7y7/example-using-sdk-go:0.25.4
diff --git a/examples/using_sdk_go/k8s/Deployment.yaml b/examples/using_sdk_go/k8s/Deployment.yaml
index f20c96aa..d520b479 100644
--- a/examples/using_sdk_go/k8s/Deployment.yaml
+++ b/examples/using_sdk_go/k8s/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-using-sdk-go:0.25.3
+ image: vsecm/example-using-sdk-go:0.25.4
 volumeMounts:
 # Volume mount for SPIRE unix domain socket.
 - name: spire-agent-socket
diff --git a/examples/using_sdk_go/k8s/image-override.yaml b/examples/using_sdk_go/k8s/image-override.yaml
index ab32cf36..b44b1e5b 100644
--- a/examples/using_sdk_go/k8s/image-override.yaml
+++ b/examples/using_sdk_go/k8s/image-override.yaml
@@ -18,4 +18,4 @@ spec:
 spec:
 containers:
 - name: main
- image: localhost:5000/example-using-sdk-go:0.25.3
+ image: localhost:5000/example-using-sdk-go:0.25.4
diff --git a/examples/using_sidecar/k8s-eks/Deployment.yaml b/examples/using_sidecar/k8s-eks/Deployment.yaml
index 8c567dbd..55bec969 100644
--- a/examples/using_sidecar/k8s-eks/Deployment.yaml
+++ b/examples/using_sidecar/k8s-eks/Deployment.yaml
@@ -28,13 +28,13 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-using-sidecar:0.25.3
+ image: vsecm/example-using-sidecar:0.25.4
 volumeMounts:
 # `main` shares this volume with `sidecar`.
 - mountPath: /opt/vsecm
 name: vsecm-secrets-volume
 - name: sidecar
- image: vsecm/vsecm-ist-sidecar:0.25.3
+ image: vsecm/vsecm-ist-sidecar:0.25.4
 volumeMounts:
 # /opt/vsecm/secrets.json is the place the secrets will be at.
 - mountPath: /opt/vsecm
diff --git a/examples/using_sidecar/k8s-eks/image-override.yaml b/examples/using_sidecar/k8s-eks/image-override.yaml
index 33e92afe..2e59f2f0 100644
--- a/examples/using_sidecar/k8s-eks/image-override.yaml
+++ b/examples/using_sidecar/k8s-eks/image-override.yaml
@@ -18,6 +18,6 @@ spec:
 spec:
 containers:
 - name: main
- image: public.ecr.aws/h8y1n7y7/example-using-sidecar:0.25.3
+ image: public.ecr.aws/h8y1n7y7/example-using-sidecar:0.25.4
 - name: sidecar
- image: public.ecr.aws/h8y1n7y7/vsecm-ist-sidecar:0.25.3
+ image: public.ecr.aws/h8y1n7y7/vsecm-ist-sidecar:0.25.4
diff --git a/examples/using_sidecar/k8s/Deployment.yaml b/examples/using_sidecar/k8s/Deployment.yaml
index 8c567dbd..55bec969 100644
--- a/examples/using_sidecar/k8s/Deployment.yaml
+++ b/examples/using_sidecar/k8s/Deployment.yaml
@@ -28,13 +28,13 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-using-sidecar:0.25.3
+ image: vsecm/example-using-sidecar:0.25.4
 volumeMounts:
 # `main` shares this volume with `sidecar`.
 - mountPath: /opt/vsecm
 name: vsecm-secrets-volume
 - name: sidecar
- image: vsecm/vsecm-ist-sidecar:0.25.3
+ image: vsecm/vsecm-ist-sidecar:0.25.4
 volumeMounts:
 # /opt/vsecm/secrets.json is the place the secrets will be at.
 - mountPath: /opt/vsecm
diff --git a/examples/using_sidecar/k8s/image-override.yaml b/examples/using_sidecar/k8s/image-override.yaml
index 8243e17c..6420755f 100644
--- a/examples/using_sidecar/k8s/image-override.yaml
+++ b/examples/using_sidecar/k8s/image-override.yaml
@@ -18,6 +18,6 @@ spec:
 spec:
 containers:
 - name: main
- image: localhost:5000/example-using-sidecar:0.25.3
+ image: localhost:5000/example-using-sidecar:0.25.4
 - name: sidecar
- image: localhost:5000/vsecm-ist-sidecar:0.25.3
+ image: localhost:5000/vsecm-ist-sidecar:0.25.4
diff --git a/examples/using_vsecm_inspector/Deployment.yaml b/examples/using_vsecm_inspector/Deployment.yaml
index ccfad48e..443e3c4d 100644
--- a/examples/using_vsecm_inspector/Deployment.yaml
+++ b/examples/using_vsecm_inspector/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: vsecm-inspector
 containers:
 - name: main
- image: localhost:5000/vsecm-inspector:0.25.3
+ image: localhost:5000/vsecm-inspector:0.25.4
 volumeMounts:
 - name: spire-agent-socket
 mountPath: /spire-agent-socket
diff --git a/examples/workshop_aegis/init-container/Deployment.yaml b/examples/workshop_aegis/init-container/Deployment.yaml
index 870ac049..e9bd0903 100644
--- a/examples/workshop_aegis/init-container/Deployment.yaml
+++ b/examples/workshop_aegis/init-container/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-using-init-container:0.25.3
+ image: vsecm/example-using-init-container:0.25.4
 env:
 - name: SECRET
 valueFrom:
@@ -50,7 +50,7 @@ spec:
 # See `./register.sh` to register the workload and finalize
 # this init container.
 - name: init-container
- image: vsecm/vsecm-ist-init-container:0.25.3
+ image: vsecm/vsecm-ist-init-container:0.25.4
 volumeMounts:
 # Volume mount for SPIRE unix domain socket.
 - name: spire-agent-socket
diff --git a/examples/workshop_aegis/init-container/image-override.yaml b/examples/workshop_aegis/init-container/image-override.yaml
index 30d2513a..780143ef 100644
--- a/examples/workshop_aegis/init-container/image-override.yaml
+++ b/examples/workshop_aegis/init-container/image-override.yaml
@@ -18,7 +18,7 @@ spec:
 spec:
 containers:
 - name: main
- image: localhost:5000/example-using-init-container:0.25.3
+ image: localhost:5000/example-using-init-container:0.25.4
 initContainers:
 - name: init-container
- image: localhost:5000/vsecm-ist-init-container:0.25.3
+ image: localhost:5000/vsecm-ist-init-container:0.25.4
diff --git a/examples/workshop_aegis/inspector/Deployment.yaml b/examples/workshop_aegis/inspector/Deployment.yaml
index cfb97380..7f1650fa 100644
--- a/examples/workshop_aegis/inspector/Deployment.yaml
+++ b/examples/workshop_aegis/inspector/Deployment.yaml
@@ -28,7 +28,7 @@ spec: serviceAccountName: vsecm-inspector containers: - name: main - image: vsecm/example-multiple-secrets:0.25.3 + image: vsecm/example-multiple-secrets:0.25.4 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket diff --git a/examples/workshop_aegis/inspector/image-override.yaml b/examples/workshop_aegis/inspector/image-override.yaml index 1334f2d7..9e39caaa 100644 --- a/examples/workshop_aegis/inspector/image-override.yaml +++ b/examples/workshop_aegis/inspector/image-override.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: main - image: localhost:5000/example-multiple-secrets:0.25.3 + image: localhost:5000/example-multiple-secrets:0.25.4 env: - name: VSECM_LOG_LEVEL value: "7" \ No newline at end of file diff --git a/examples/workshop_aegis/sdk/Deployment.yaml b/examples/workshop_aegis/sdk/Deployment.yaml index f20c96aa..d520b479 100644 --- a/examples/workshop_aegis/sdk/Deployment.yaml +++ b/examples/workshop_aegis/sdk/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-sdk-go:0.25.3 + image: vsecm/example-using-sdk-go:0.25.4 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket diff --git a/examples/workshop_aegis/sdk/image-override.yaml b/examples/workshop_aegis/sdk/image-override.yaml index f544cef2..e24f5162 100644 --- a/examples/workshop_aegis/sdk/image-override.yaml +++ b/examples/workshop_aegis/sdk/image-override.yaml @@ -18,4 +18,4 @@ spec: spec: containers: - name: main - image: localhost:5000/example-using-sdk:0.25.3 + image: localhost:5000/example-using-sdk:0.25.4 diff --git a/examples/workshop_aegis/sidecar/Deployment.yaml b/examples/workshop_aegis/sidecar/Deployment.yaml index 89aebe9c..f954c59d 100644 --- a/examples/workshop_aegis/sidecar/Deployment.yaml +++ b/examples/workshop_aegis/sidecar/Deployment.yaml 
@@ -28,13 +28,13 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-sidecar:0.25.3 + image: vsecm/example-using-sidecar:0.25.4 volumeMounts: # `main` shares this volume with `sidecar`. - mountPath: /opt/vsecm name: vsecm-secrets-volume - name: sidecar - image: vsecm/vsecm-ist-sidecar:0.25.3 + image: vsecm/vsecm-ist-sidecar:0.25.4 volumeMounts: # /opt/vsecm/secrets.json is the place the secrets will be at. - mountPath: /opt/vsecm diff --git a/examples/workshop_aegis/sidecar/image-override.yaml b/examples/workshop_aegis/sidecar/image-override.yaml index 8243e17c..6420755f 100644 --- a/examples/workshop_aegis/sidecar/image-override.yaml +++ b/examples/workshop_aegis/sidecar/image-override.yaml @@ -18,6 +18,6 @@ spec: spec: containers: - name: main - image: localhost:5000/example-using-sidecar:0.25.3 + image: localhost:5000/example-using-sidecar:0.25.4 - name: sidecar - image: localhost:5000/vsecm-ist-sidecar:0.25.3 + image: localhost:5000/vsecm-ist-sidecar:0.25.4 diff --git a/examples/workshop_federation/cluster-1/inspector/Deployment.yaml b/examples/workshop_federation/cluster-1/inspector/Deployment.yaml index 58494306..9930316a 100644 --- a/examples/workshop_federation/cluster-1/inspector/Deployment.yaml +++ b/examples/workshop_federation/cluster-1/inspector/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: vsecm-inspector containers: - name: main - image: localhost:32000/example-multiple-secrets:0.25.3 + image: localhost:32000/example-multiple-secrets:0.25.4 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml b/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml index 099a3596..cd75ec28 100644 --- a/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml +++ b/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml 
@@ -31,7 +31,7 @@ spec: serviceAccountName: vsecm-sentinel containers: - name: main - image: localhost:32000/vsecm-ist-sentinel:0.25.3 + image: localhost:32000/vsecm-ist-sentinel:0.25.4 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/examples/workshop_federation/cluster-2/safe/Deployment.yaml b/examples/workshop_federation/cluster-2/safe/Deployment.yaml index beb01853..e2216ca2 100644 --- a/examples/workshop_federation/cluster-2/safe/Deployment.yaml +++ b/examples/workshop_federation/cluster-2/safe/Deployment.yaml @@ -31,7 +31,7 @@ spec: serviceAccountName: vsecm-safe containers: - name: main - image: localhost:32000/vsecm-ist-safe:0.25.3 + image: localhost:32000/vsecm-ist-safe:0.25.4 ports: - containerPort: 8443 volumeMounts: diff --git a/examples/workshop_istanbul_gophers/k8s/Deployment.yaml b/examples/workshop_istanbul_gophers/k8s/Deployment.yaml index ccfad48e..443e3c4d 100644 --- a/examples/workshop_istanbul_gophers/k8s/Deployment.yaml +++ b/examples/workshop_istanbul_gophers/k8s/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: vsecm-inspector containers: - name: main - image: localhost:5000/vsecm-inspector:0.25.3 + image: localhost:5000/vsecm-inspector:0.25.4 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/examples/workshop_vsecm/hack/015-reveal-secrets.sh b/examples/workshop_vsecm/hack/015-reveal-secrets.sh index 9d16e30f..e06bda03 100644 --- a/examples/workshop_vsecm/hack/015-reveal-secrets.sh +++ b/examples/workshop_vsecm/hack/015-reveal-secrets.sh @@ -10,7 +10,7 @@ # >/' SPDX-License-Identifier: BSD-2-Clause # */ -VERSION="0.25.3" +VERSION="0.25.4" eval "$(minikube docker-env -u)" diff --git a/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml b/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml index f99c2b74..9fad291c 100644 --- a/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml 
+++ b/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-init-container:0.25.3 + image: vsecm/example-using-init-container:0.25.4 env: - name: SECRET valueFrom: @@ -53,7 +53,7 @@ spec: initContainers: - name: init-container - image: vsecm/vsecm-ist-init-container:0.25.3 + image: vsecm/vsecm-ist-init-container:0.25.4 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/examples/workshop_vsecm/workloads/inspector/Deployment.yaml b/examples/workshop_vsecm/workloads/inspector/Deployment.yaml index 37548151..2c959233 100644 --- a/examples/workshop_vsecm/workloads/inspector/Deployment.yaml +++ b/examples/workshop_vsecm/workloads/inspector/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: vsecm-inspector containers: - name: main - image: vsecm/example-multiple-secrets:0.25.3 + image: vsecm/example-multiple-secrets:0.25.4 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml b/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml index 869d06e2..ff237654 100644 --- a/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml +++ b/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml @@ -21,7 +21,7 @@ spec: spec: initContainers: - name: init-container - image: vsecm/vsecm-ist-init-container:0.25.3 + image: vsecm/vsecm-ist-init-container:0.25.4 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/hack/tag-docker.sh b/hack/tag-docker.sh index 6c7739f6..94ff724f 100755 --- a/hack/tag-docker.sh +++ b/hack/tag-docker.sh @@ -15,7 +15,7 @@ # and we should not need to pull the images and sign them again. # So we'd rarely (if ever) need to use this script. -VERSION="0.25.3" +VERSION="0.25.4" export DOCKER_CONTENT_TRUST=0 
diff --git a/helm-charts/0.25.3/Chart.yaml b/helm-charts/0.25.3/Chart.yaml
deleted file mode 100644
index e11a7126..00000000
--- a/helm-charts/0.25.3/Chart.yaml
+++ /dev/null
@@ -1,69 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v2 -name: vsecm -description: Helm chart for VMware Secrets Manager - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application -sources: -- https://github.com/vmware-tanzu/secrets-manager - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.25.3 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. 
-appVersion: "0.25.3" -home: https://vsecm.com/ - -icon: https://vsecm.com/assets/vsecm-256.png - -keywords: - - secrets - - kubernetes - - secrets-manager - - spire - - spiffe - - zero-trust - - cloud-native - - edge - - secret-management - - security - -dependencies: - - name: keystone - repository: file://charts/keystone - version: 0.25.3 - condition: global.deployKeystone - - name: spire - repository: file://charts/spire - version: 0.25.3 - condition: global.deploySpire - - name: safe - repository: file://charts/safe - version: 0.25.3 - condition: global.deploySafe - - name: sentinel - repository: file://charts/sentinel - version: 0.25.3 - condition: global.deploySentinel diff --git a/helm-charts/0.25.3/README.md b/helm-charts/0.25.3/README.md deleted file mode 100644 index adb57d42..00000000 --- a/helm-charts/0.25.3/README.md +++ /dev/null 
@@ -1,76 +0,0 @@ -# VMware Secrets Manager (VSecM) Helm Chart -[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/vsecm)](https://artifacthub.io/packages/helm/vsecm/vsecm) - -VMware Secrets Manager keeps your secrets secret. With VSecM, you can rest assured -that your sensitive data is always secure and protected. VSecM is perfect for -securely storing arbitrary configuration information at a central location and -securely dispatching it to workloads. - -## Installation - -To use VMware Secrets Manager, follow the steps below: - -1. Add VMware Secrets Manager Helm repository: - - ```bash - helm repo add vsecm https://vmware-tanzu.github.io/secrets-manager/ - ``` - -2. Update helm repository: - - ```bash - helm repo update - ``` - -3. Install VMware Secrets Manager using Helm: - - ```bash - helm install vsecm vsecm/vsecm --version 0.22.4 - ``` - -## Options - -The following options can be passed to the `helm install` command to set global -variables: - -*`--set global.deploySpire=`: - This flag can be passed to install or skip SPIRE. -*`--set global.baseImage=`: - This flag can be passed to install VSecM with the given baseImage Docker image. - -Default values are `true` and `distroless` for `global.deploySpire` -and `global.baseImage` respectively. - -Here's an example command with the above options: - -```bash -helm install vsecm vsecm/helm-charts --version 0.22.4 \ - --set global.deploySpire=true --set global.baseImage=distroless -``` - -Make sure to replace `` and -`` with the desired values. - -## Environment Configuration - -**VMware Secrets Manager** can be tweaked further using environment variables. - -[Check out **Configuring VSecM** on the official documentation][configuring-vsecm] -for details. - -These environment variable configurations are expose through subcharts. 
-You can modify them as follows: - -```bash -helm install vsecm vsecm/helm-charts --version 0.22.0 \ ---set safe.environments.VSECM_LOG_LEVEL="6" ---set sentinel.environments.VSECM_LOGL_LEVEL="5" -# You can update other environment variables too. -# Most of the time VSecM assumes sane defaults if you don't set them. -``` - -[configuring-vsecm]: https://vsecm.com/docs/configuration/ - -## License - -This project is licensed under the [BSD 2-Clause License](https://github.com/vmware-tanzu/secrets-manager/blob/main/LICENSE). diff --git a/helm-charts/0.25.3/charts/keystone/.helmignore b/helm-charts/0.25.3/charts/keystone/.helmignore deleted file mode 100644 index 0e8a0eb3..00000000 --- a/helm-charts/0.25.3/charts/keystone/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/helm-charts/0.25.3/charts/keystone/Chart.yaml b/helm-charts/0.25.3/charts/keystone/Chart.yaml deleted file mode 100644 index 8391bff7..00000000 --- a/helm-charts/0.25.3/charts/keystone/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v2 -name: keystone -description: Helm chart for keystone - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.25.3 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.25.3" diff --git a/helm-charts/0.25.3/charts/keystone/templates/Deployment.yaml b/helm-charts/0.25.3/charts/keystone/templates/Deployment.yaml deleted file mode 100644 index 8c2c9b5e..00000000 --- a/helm-charts/0.25.3/charts/keystone/templates/Deployment.yaml +++ /dev/null 
@@ -1,164 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "keystone.fullname" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "keystone.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "keystone.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "keystone.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "keystone.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "{{ .Values.global.registry }}/{{ .Values.global.images.initContainer.repository }}:{{ .Values.global.images.initContainer.tag }}" - imagePullPolicy: {{ .Values.global.images.keystone.pullPolicy }} - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - {{- $safeInitEndpointUrlSet := false }} - {{- $safeInitSpiffeIdPrefixSet := false }} - {{- $vsecmInitNamespaceSet := false }} - {{- $spireInitNamespaceSet := false }} - {{- range .Values.initEnvironments }} - {{- if eq .name "VSECM_SAFE_ENDPOINT_URL" }} - {{- $safeInitEndpointUrlSet = true }} - {{- end }} - {{- if eq .name "VSECM_SAFE_SPIFFEID_PREFIX" }} - {{- $safeInitSpiffeIdPrefixSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SYSTEM" }} - {{- $vsecmInitNamespaceSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SPIRE" }} - {{- $spireInitNamespaceSet = true }} - {{- end }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - {{- if not $safeInitEndpointUrlSet }} - - name: VSECM_SAFE_ENDPOINT_URL - value: {{ .Values.global.vsecm.safeEndpointUrl | quote }} - {{- end }} - {{- if not $safeInitSpiffeIdPrefixSet }} - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: {{ .Values.global.vsecm.safeSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $vsecmInitNamespaceSet }} - - name: VSECM_NAMESPACE_SYSTEM - value: {{ .Values.global.vsecm.namespace | quote }} - {{- end }} - {{- if not $spireInitNamespaceSet }} - - name: VSECM_NAMESPACE_SPIRE - value: {{ .Values.global.spire.namespace | quote }} - {{- end }} - containers: - - name: main - image: "{{ .Values.global.registry }}/{{- include "keystone.repository" .}}:{{ .Values.global.images.keystone.tag }}" - imagePullPolicy: {{ .Values.global.images.keystone.pullPolicy }} - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - {{- $safeEndpointUrlSet := false }} - {{- $safeSpiffeIdPrefixSet := false }} - {{- $vsecmNamespaceSet := false }} - {{- $spireNamespaceSet := false }} - {{- range .Values.environments }} - {{- if eq .name "VSECM_SAFE_ENDPOINT_URL" }} - {{- $safeEndpointUrlSet = true }} - {{- end }} - {{- if eq .name "VSECM_SAFE_SPIFFEID_PREFIX" }} - {{- $safeSpiffeIdPrefixSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SYSTEM" }} - {{- $vsecmNamespaceSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SPIRE" }} - {{- $spireNamespaceSet = true }} - {{- end }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - {{- if not $safeEndpointUrlSet }} - - name: VSECM_SAFE_ENDPOINT_URL - value: {{ .Values.global.vsecm.safeEndpointUrl | quote }} - {{- end }} - {{- if not $safeSpiffeIdPrefixSet }} - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: {{ .Values.global.vsecm.safeSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $vsecmNamespaceSet }} - - name: VSECM_NAMESPACE_SYSTEM - value: {{ .Values.global.vsecm.namespace | quote }} - {{- end }} - {{- if not $spireNamespaceSet }} - - name: VSECM_NAMESPACE_SPIRE - value: {{ .Values.global.spire.namespace | quote }} - {{- end }} - resources: - requests: - memory: {{ .Values.resources.requests.memory }} - cpu: {{ .Values.resources.requests.cpu }} - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true diff --git a/helm-charts/0.25.3/charts/keystone/templates/Identity.yaml b/helm-charts/0.25.3/charts/keystone/templates/Identity.yaml deleted file mode 100644 index 657b4ad5..00000000 --- a/helm-charts/0.25.3/charts/keystone/templates/Identity.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: {{ include "keystone.fullname" . }} -spec: - spiffeIDTemplate: "spiffe://{{ .Values.global.spire.trustDomain }}\ - /workload/{{ include "keystone.fullname" . }}\ - /ns/{{`{{ .PodMeta.Namespace }}`}}\ - /sa/{{`{{ .PodSpec.ServiceAccountName }}`}}\ - /n/{{`{{ .PodMeta.Name }}`}}" - podSelector: - matchLabels: - app.kubernetes.io/name: {{ include "keystone.fullname" . }} - app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} - workloadSelectorTemplates: - - "k8s:ns:{{ .Values.global.vsecm.namespace }}" - - "k8s:sa:{{ include "keystone.serviceAccountName" . }}" diff --git a/helm-charts/0.25.3/charts/keystone/templates/ServiceAccount.yaml b/helm-charts/0.25.3/charts/keystone/templates/ServiceAccount.yaml deleted file mode 100644 index 1cf52fe8..00000000 --- a/helm-charts/0.25.3/charts/keystone/templates/ServiceAccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "keystone.serviceAccountName" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "keystone.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -automountServiceAccountToken: false -{{- end }} 
diff --git a/helm-charts/0.25.3/charts/keystone/templates/_helpers.tpl b/helm-charts/0.25.3/charts/keystone/templates/_helpers.tpl
deleted file mode 100644
index aa8b4a55..00000000
--- a/helm-charts/0.25.3/charts/keystone/templates/_helpers.tpl
+++ /dev/null
@@ -1,86 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{/* -Expand the name of the chart. -*/}} -{{- define "keystone.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "keystone.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "keystone.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "keystone.labels" -}} -helm.sh/chart: {{ include "keystone.chart" . }} -{{ include "keystone.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "keystone.selectorLabels" -}} -app.kubernetes.io/name: {{ include "keystone.fullname" . 
}} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "keystone.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "keystone.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Define image for VSecM Keystone -*/}} -{{- define "keystone.repository" -}} -{{- if eq (lower $.Values.global.baseImage) "distroless" }} -{{- .Values.global.images.keystone.distrolessRepository }} -{{- else if eq (lower $.Values.global.baseImage) "distroless-fips" }} -{{- .Values.global.images.keystone.distrolessFipsRepository }} -{{- else }} -{{- .Values.global.images.keystone.distrolessRepository }} -{{- end }} -{{- end }} diff --git a/helm-charts/0.25.3/charts/keystone/values.yaml b/helm-charts/0.25.3/charts/keystone/values.yaml deleted file mode 100644 index dfadfc82..00000000 --- a/helm-charts/0.25.3/charts/keystone/values.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Default values for keystone. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -replicaCount: 1 - -livenessPort: 8081 - -# See https://vsecm.com/configuration for more information -# about these environment variables. - -environments: - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - name: VSECM_LOG_LEVEL - value: "7" - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - -initEnvironments: - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - name: VSECM_LOG_LEVEL - value: "7" - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - -# Override it with an image pull secret that you need as follows: -# imagePullSecrets: -# - name: my-registry-secret -imagePullSecrets: [] - -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "vsecm-keystone" - -podAnnotations: {} - -podSecurityContext: {} -# fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true -# runAsNonRoot: true -# runAsUser: 1000 - -resources: - # These are default requests that can be used as a starting point. - # Of course, benchmark your production system to determine the actual - # requests you need. 
- requests: - memory: "20Mi" - cpu: "5m" - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 diff --git a/helm-charts/0.25.3/charts/safe/.helmignore b/helm-charts/0.25.3/charts/safe/.helmignore deleted file mode 100644 index 0e8a0eb3..00000000 --- a/helm-charts/0.25.3/charts/safe/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/helm-charts/0.25.3/charts/safe/Chart.yaml b/helm-charts/0.25.3/charts/safe/Chart.yaml deleted file mode 100644 index ef1fdaa1..00000000 --- a/helm-charts/0.25.3/charts/safe/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v2 -name: safe -description: Helm chart for VMware Secrets Manager (VSecM) Safe - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.25.3 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.25.3" diff --git a/helm-charts/0.25.3/charts/safe/templates/Identity.yaml b/helm-charts/0.25.3/charts/safe/templates/Identity.yaml deleted file mode 100644 index 8db4608f..00000000 --- a/helm-charts/0.25.3/charts/safe/templates/Identity.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: {{ include "safe.fullname" . }} -spec: - spiffeIDTemplate: "spiffe://{{ .Values.global.spire.trustDomain }}\ - /workload/{{ include "safe.fullname" . }}\ - /ns/{{`{{ .PodMeta.Namespace }}`}}\ - /sa/{{`{{ .PodSpec.ServiceAccountName }}`}}\ - /n/{{`{{ .PodMeta.Name }}`}}" - podSelector: - matchLabels: - app.kubernetes.io/name: {{ include "safe.fullname" . }} - app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} - workloadSelectorTemplates: - - "k8s:ns:{{ .Values.global.vsecm.namespace }}" - - "k8s:sa:{{ include "safe.serviceAccountName" . }}" diff --git a/helm-charts/0.25.3/charts/safe/templates/RoleBinding.yaml b/helm-charts/0.25.3/charts/safe/templates/RoleBinding.yaml deleted file mode 100644 index 4b70be7e..00000000 --- a/helm-charts/0.25.3/charts/safe/templates/RoleBinding.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: {{ .Values.global.vsecm.namespace }} -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. -# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: {{ .Values.global.vsecm.namespace }} -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: {{ .Values.global.vsecm.namespace }} -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## diff --git a/helm-charts/0.25.3/charts/safe/templates/Secret.yaml b/helm-charts/0.25.3/charts/safe/templates/Secret.yaml deleted file mode 100644 index ba3fed72..00000000 --- a/helm-charts/0.25.3/charts/safe/templates/Secret.yaml +++ /dev/null 
@@ -1,20 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.rootKeySecretName }}
- namespace: {{ .Values.global.vsecm.namespace }}
-type: Opaque
-data:
- # '{}' (e30=) is a special placeholder to tell Safe that the Secret
- # is not initialized. DO NOT remove or change it.
- KEY_TXT: "e30="
diff --git a/helm-charts/0.25.3/charts/safe/templates/Service.yaml b/helm-charts/0.25.3/charts/safe/templates/Service.yaml
deleted file mode 100644
index a4b6311d..00000000
--- a/helm-charts/0.25.3/charts/safe/templates/Service.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "safe.fullname" . }}
- namespace: {{ .Values.global.vsecm.namespace }}
- labels:
- {{- include "safe.labels" . | nindent 4 }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.port }}
- targetPort: {{ .Values.service.targetPort }}
- protocol: TCP
- name: http
- selector:
- {{- include "safe.selectorLabels" . | nindent 4 }}
diff --git a/helm-charts/0.25.3/charts/safe/templates/ServiceAccount.yaml b/helm-charts/0.25.3/charts/safe/templates/ServiceAccount.yaml
deleted file mode 100644
index 7ebdb4ea..00000000
--- a/helm-charts/0.25.3/charts/safe/templates/ServiceAccount.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "safe.serviceAccountName" . }}
- namespace: {{ .Values.global.vsecm.namespace }}
- labels:
- {{- include "safe.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-automountServiceAccountToken: true
-{{- end }}
diff --git a/helm-charts/0.25.3/charts/safe/templates/StatefulSet.yaml b/helm-charts/0.25.3/charts/safe/templates/StatefulSet.yaml
deleted file mode 100644
index 070b5fcb..00000000
--- a/helm-charts/0.25.3/charts/safe/templates/StatefulSet.yaml
+++ /dev/null
@@ -1,171 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "safe.fullname" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "safe.labels" . | nindent 4 }} -spec: - serviceName: {{ include "safe.fullname" . }} - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "safe.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "safe.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "safe.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "{{ .Values.global.registry }}/{{- include "safe.repository" .}}:{{ .Values.global.images.safe.tag }}" - imagePullPolicy: {{ .Values.global.images.safe.pullPolicy }} - ports: - - containerPort: {{ .Values.service.port }} - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: {{ .Values.data.hostPath.path }} - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: /key - readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. 
- # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. - # - env: - {{- $vsecmNamespaceSet := false }} - {{- $spireNamespaceSet := false }} - {{- $safeEndpointUrlSet := false }} - {{- $safeSpiffeIdPrefixSet := false }} - {{- $sentinelSpiffeIdPrefixSet := false }} - {{- range .Values.environments }} - {{- if eq .name "VSECM_SAFE_ENDPOINT_URL" }} - {{- $safeEndpointUrlSet = true }} - {{- end }} - {{- if eq .name "VSECM_SAFE_SPIFFEID_PREFIX" }} - {{- $safeSpiffeIdPrefixSet = true }} - {{- end }} - {{- if eq .name "VSECM_SENTINEL_SPIFFEID_PREFIX" }} - {{- $sentinelSpiffeIdPrefixSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SYSTEM" }} - {{- $vsecmNamespaceSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SPIRE" }} - {{- $spireNamespaceSet = true }} - {{- end }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - - {{- if not $safeEndpointUrlSet }} - - name: VSECM_SAFE_ENDPOINT_URL - value: {{ .Values.global.vsecm.safeEndpointUrl | quote }} - {{- end }} - {{- if not $safeSpiffeIdPrefixSet }} - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: {{ .Values.global.vsecm.safeSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $sentinelSpiffeIdPrefixSet }} - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: {{ .Values.global.vsecm.sentinelSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $vsecmNamespaceSet }} - - name: VSECM_NAMESPACE_SYSTEM - value: {{ .Values.global.vsecm.namespace | quote }} - {{- end }} - {{- if not $spireNamespaceSet }} - - name: VSECM_NAMESPACE_SPIRE - value: {{ .Values.global.spire.namespace | quote }} - {{- end }} - livenessProbe: - httpGet: - path: / - port: {{ .Values.livenessPort }} - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: {{ .Values.readinessPort }} - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: {{ .Values.resources.requests.memory }} - cpu: {{ 
.Values.resources.requests.cpu }} - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - -{{- if not .Values.data.persistent }} - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: {{ .Values.data.hostPath.path }} - type: DirectoryOrCreate -{{- end}} - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: {{ .Values.rootKeySecretName }} - items: - - key: KEY_TXT - path: key.txt - -{{- if .Values.data.persistent }} - volumeClaimTemplates: - - metadata: - name: vsecm-data - spec: - accessModes: - - {{ .Values.data.persistentVolumeClaim.accessMode | default "ReadWriteOnce" }} - resources: - requests: - storage: {{ .Values.data.persistentVolumeClaim.size }} - {{- if .Values.data.persistentVolumeClaim.storageClass }} - storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/helm-charts/0.25.3/charts/safe/templates/_helpers.tpl b/helm-charts/0.25.3/charts/safe/templates/_helpers.tpl deleted file mode 100644 index f7dd4480..00000000 --- a/helm-charts/0.25.3/charts/safe/templates/_helpers.tpl +++ /dev/null 
@@ -1,86 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{/* -Expand the name of the chart. -*/}} -{{- define "safe.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "safe.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "safe.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "safe.labels" -}} -helm.sh/chart: {{ include "safe.chart" . }} -{{ include "safe.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "safe.selectorLabels" -}} -app.kubernetes.io/name: {{ include "safe.fullname" . 
}} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "safe.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "safe.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Define image for vsecm safe -*/}} -{{- define "safe.repository" -}} -{{- if eq (lower $.Values.global.baseImage) "distroless" }} -{{- .Values.global.images.safe.distrolessRepository }} -{{- else if eq (lower $.Values.global.baseImage) "distroless-fips" }} -{{- .Values.global.images.safe.distrolessFipsRepository }} -{{- else }} -{{- .Values.global.images.safe.distrolessRepository }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/helm-charts/0.25.3/charts/safe/templates/hook-preinstall-namespace.yaml b/helm-charts/0.25.3/charts/safe/templates/hook-preinstall-namespace.yaml deleted file mode 100644 index df206801..00000000 --- a/helm-charts/0.25.3/charts/safe/templates/hook-preinstall-namespace.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Namespace -metadata: - name: {{ .Values.global.vsecm.namespace }} diff --git a/helm-charts/0.25.3/charts/safe/templates/hook-preinstall-role.yaml b/helm-charts/0.25.3/charts/safe/templates/hook-preinstall-role.yaml deleted file mode 100644 index 1250298a..00000000 --- a/helm-charts/0.25.3/charts/safe/templates/hook-preinstall-role.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: {{ .Values.global.vsecm.namespace }} -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. 
-# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: [{{ .Values.rootKeySecretName | quote }}] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: [{{ .Values.rootKeySecretName | quote }}] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - "helm.sh/hook-weight": "2" - {{- end }} diff --git a/helm-charts/0.25.3/charts/safe/values.yaml b/helm-charts/0.25.3/charts/safe/values.yaml deleted file mode 100644 index 2bafc7b6..00000000 --- a/helm-charts/0.25.3/charts/safe/values.yaml +++ /dev/null 
@@ -1,133 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# Default values for safe.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-livenessPort: 8081
-readinessPort: 8082
-rootKeySecretName: &rootKeyName vsecm-root-key
-
-data:
- persistent: false
- # Define the PVC if `persistent` is true.
- persistentVolumeClaim:
- storageClass: ""
- accessMode: ReadWriteOnce
- size: 1Gi
-
- # Define the hostPath if `persistent` is false.
- hostPath:
- path: "/var/local/vsecm/data"
-
-# See https://vsecm.com/configuration for more information
-# about these environment variables.
-environments:
- - name: SPIFFE_ENDPOINT_SOCKET
- value: "unix:///spire-agent-socket/agent.sock"
- - name: VSECM_LOG_LEVEL
- value: "7"
- - name: VSECM_PROBE_LIVENESS_PORT
- value: ":8081"
- - name: VSECM_PROBE_READINESS_PORT
- value: ":8082"
- - name: VSECM_SAFE_BACKING_STORE
- value: "file"
- - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT
- value: "300000"
- - name: VSECM_ROOT_KEY_NAME
- value: *rootKeyName
- - name: VSECM_ROOT_KEY_PATH
- value: "/key/key.txt"
- - name: VSECM_SAFE_DATA_PATH
- value: "/var/local/vsecm/data"
- - name: VSECM_SAFE_FIPS_COMPLIANT
- value: "false"
- - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL
- value: "50"
- - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE
- value: "10"
- - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE
- value: "10"
- - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL
- value: "false"
- - name: VSECM_SAFE_SECRET_BACKUP_COUNT
- value: "3"
- - name: VSECM_SAFE_SECRET_BUFFER_SIZE
- value: "10"
- - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE
- value: "10"
- - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT
- value: "10000"
- - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX
- value: "k8s:"
- - name: VSECM_SAFE_TLS_PORT
- value: ":8443"
- - name: VSECM_WORKLOAD_SPIFFEID_PREFIX
- value: "spiffe://vsecm.com/workload/"
- - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL
- value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect"
- - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER
- value: "false"
-
-# Override it with an image pull secret that you need as follows:
-# imagePullSecrets:
-# - name: my-registry-secret
-imagePullSecrets: []
-
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: "vsecm-safe"
-
-podAnnotations: {}
-
-podSecurityContext:
- {}
- # fsGroup: 2000
-
-securityContext:
- {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-service:
- type: ClusterIP
- port: 8443
- targetPort: 8443
-
-resources:
- # These are default requests that can be used as a starting point.
- # Of course, benchmark your production system to determine the actual
- # requests you need.
- requests:
- memory: "20Mi"
- cpu: "5m"
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
diff --git a/helm-charts/0.25.3/charts/sentinel/.helmignore b/helm-charts/0.25.3/charts/sentinel/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/helm-charts/0.25.3/charts/sentinel/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/helm-charts/0.25.3/charts/sentinel/Chart.yaml b/helm-charts/0.25.3/charts/sentinel/Chart.yaml
deleted file mode 100644
index 19465104..00000000
--- a/helm-charts/0.25.3/charts/sentinel/Chart.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v2
-name: sentinel
-description: Helm chart for sentinel
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.25.3
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "0.25.3"
diff --git a/helm-charts/0.25.3/charts/sentinel/templates/Deployment.yaml b/helm-charts/0.25.3/charts/sentinel/templates/Deployment.yaml
deleted file mode 100644
index 3b056a2a..00000000
--- a/helm-charts/0.25.3/charts/sentinel/templates/Deployment.yaml
+++ /dev/null
@@ -1,133 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "sentinel.fullname" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "sentinel.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "sentinel.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "sentinel.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "sentinel.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "{{ .Values.global.registry }}/{{- include "sentinel.repository" .}}:{{ .Values.global.images.sentinel.tag }}" - imagePullPolicy: {{ .Values.global.images.sentinel.pullPolicy }} - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - {{- if .Values.initCommand.enabled }} - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - {{- end }} - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. 
- # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. - # - env: - {{- $safeEndpointUrlSet := false }} - {{- $safeSpiffeIdPrefixSet := false }} - {{- $sentinelSpiffeIdPrefixSet := false }} - {{- $vsecmNamespaceSet := false }} - {{- $spireNamespaceSet := false }} - {{- range .Values.environments }} - {{- if eq .name "VSECM_SAFE_ENDPOINT_URL" }} - {{- $safeEndpointUrlSet = true }} - {{- end }} - {{- if eq .name "VSECM_SAFE_SPIFFEID_PREFIX" }} - {{- $safeSpiffeIdPrefixSet = true }} - {{- end }} - {{- if eq .name "VSECM_SENTINEL_SPIFFEID_PREFIX" }} - {{- $sentinelSpiffeIdPrefixSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SYSTEM" }} - {{- $vsecmNamespaceSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SPIRE" }} - {{- $spireNamespaceSet = true }} - {{- end }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - {{- if not $safeEndpointUrlSet }} - - name: VSECM_SAFE_ENDPOINT_URL - value: {{ .Values.global.vsecm.safeEndpointUrl | quote }} - {{- end }} - {{- if not $safeSpiffeIdPrefixSet }} - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: {{ .Values.global.vsecm.safeSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $sentinelSpiffeIdPrefixSet }} - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: {{ .Values.global.vsecm.sentinelSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $vsecmNamespaceSet }} - - name: VSECM_NAMESPACE_SYSTEM - value: {{ .Values.global.vsecm.namespace | quote }} - {{- end }} - {{- if not $spireNamespaceSet }} - - name: VSECM_NAMESPACE_SPIRE - value: {{ .Values.global.spire.namespace | quote }} - {{- end }} - livenessProbe: - httpGet: - path: / - port: {{ .Values.livenessPort }} - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: {{ .Values.resources.requests.memory }} - cpu: {{ .Values.resources.requests.cpu }} - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket 
- # ref: https://github.com/spiffe/spiffe-csi
- - name: spire-agent-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
- {{- if .Values.initCommand.enabled }}
- - name: init-command-volume
- secret:
- secretName: vsecm-sentinel-init-secret
- {{- end }}
diff --git a/helm-charts/0.25.3/charts/sentinel/templates/Identity.yaml b/helm-charts/0.25.3/charts/sentinel/templates/Identity.yaml
deleted file mode 100644
index df45f8ed..00000000
--- a/helm-charts/0.25.3/charts/sentinel/templates/Identity.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: spire.spiffe.io/v1alpha1
-kind: ClusterSPIFFEID
-metadata:
- name: {{ include "sentinel.fullname" . }}
-spec:
- spiffeIDTemplate: "spiffe://{{ .Values.global.spire.trustDomain }}\
- /workload/{{ include "sentinel.fullname" . }}\
- /ns/{{`{{ .PodMeta.Namespace }}`}}\
- /sa/{{`{{ .PodSpec.ServiceAccountName }}`}}\
- /n/{{`{{ .PodMeta.Name }}`}}"
- podSelector:
- matchLabels:
- app.kubernetes.io/name: {{ include "sentinel.fullname" . }}
- app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }}
- workloadSelectorTemplates:
- - "k8s:ns:{{ .Values.global.vsecm.namespace }}"
- - "k8s:sa:{{ include "sentinel.serviceAccountName" . }}"
diff --git a/helm-charts/0.25.3/charts/sentinel/templates/Secret.yaml b/helm-charts/0.25.3/charts/sentinel/templates/Secret.yaml
deleted file mode 100644
index b5f331fa..00000000
--- a/helm-charts/0.25.3/charts/sentinel/templates/Secret.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-{{- if .Values.initCommand.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: vsecm-sentinel-init-secret
- namespace: {{ .Values.global.vsecm.namespace }}
-type: Opaque
-stringData:
- data: {{ .Values.initCommand.command | quote }}
-{{- end }}
diff --git a/helm-charts/0.25.3/charts/sentinel/templates/ServiceAccount.yaml b/helm-charts/0.25.3/charts/sentinel/templates/ServiceAccount.yaml
deleted file mode 100644
index e34d3c71..00000000
--- a/helm-charts/0.25.3/charts/sentinel/templates/ServiceAccount.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "sentinel.serviceAccountName" . }}
- namespace: {{ .Values.global.vsecm.namespace }}
- labels:
- {{- include "sentinel.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-automountServiceAccountToken: false
-{{- end }}
diff --git a/helm-charts/0.25.3/charts/sentinel/templates/_helpers.tpl b/helm-charts/0.25.3/charts/sentinel/templates/_helpers.tpl
deleted file mode 100644
index 914b1544..00000000
--- a/helm-charts/0.25.3/charts/sentinel/templates/_helpers.tpl
+++ /dev/null
@@ -1,86 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{/* -Expand the name of the chart. -*/}} -{{- define "sentinel.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "sentinel.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "sentinel.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "sentinel.labels" -}} -helm.sh/chart: {{ include "sentinel.chart" . }} -{{ include "sentinel.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "sentinel.selectorLabels" -}} -app.kubernetes.io/name: {{ include "sentinel.fullname" . 
}} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "sentinel.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "sentinel.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Define image for VSecM Sentinel -*/}} -{{- define "sentinel.repository" -}} -{{- if eq (lower $.Values.global.baseImage) "distroless" }} -{{- .Values.global.images.sentinel.distrolessRepository }} -{{- else if eq (lower $.Values.global.baseImage) "distroless-fips" }} -{{- .Values.global.images.sentinel.distrolessFipsRepository }} -{{- else }} -{{- .Values.global.images.sentinel.distrolessRepository }} -{{- end }} -{{- end }} diff --git a/helm-charts/0.25.3/charts/sentinel/values.yaml b/helm-charts/0.25.3/charts/sentinel/values.yaml deleted file mode 100644 index 1967861f..00000000 --- a/helm-charts/0.25.3/charts/sentinel/values.yaml +++ /dev/null 
@@ -1,112 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# Default values for sentinel.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-replicaCount: 1
-
-livenessPort: 8081
-
-environments:
- - name: SPIFFE_ENDPOINT_SOCKET
- value: "unix:///spire-agent-socket/agent.sock"
- - name: VSECM_LOG_LEVEL
- value: "7"
- - name: VSECM_PROBE_LIVENESS_PORT
- value: ":8081"
- - name: VSECM_SAFE_TLS_PORT
- value: ":8443"
- - name: VSECM_SENTINEL_INIT_COMMAND_PATH
- value: "/opt/vsecm-sentinel/init/data"
- - name: VSECM_SENTINEL_LOGGER_URL
- value: "localhost:50051"
- - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX
- value: "gen:"
- - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL
- value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect"
- - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER
- value: "false"
-
-# Override it with an image pull secret that you need as follows:
-# imagePullSecrets:
-# - name: my-registry-secret
-imagePullSecrets: []
-
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: "vsecm-sentinel"
-
-podAnnotations: {}
-
-podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-resources:
- # These are default requests that can be used as a starting point.
- # Of course, benchmark your production system to determine the actual
- # requests you need.
- requests:
- memory: "20Mi"
- cpu: "5m"
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-initCommand:
- enabled: true
-
- # Add any initialization command here, separated by a line with only "--"
- # The command stanza MUST end with a "--".
- command: |
- exit:true
- --
-
- # Example:
- # --------
- #
- # sleep:30001
- # --
- # w:keycloak-admin-secret,keycloak-db-secret
- # n:smo-app,web-app
- # s:gen:{"username":"admin-[a-z0-9]{6}","password":"[a-zA-Z0-9]{12}"}
- # t:{"KEYCLOAK_ADMIN_USER":"{{.username}}","KEYCLOAK_ADMIN_PASSWORD":"{{.password}}"}
- # --
- # w:k8s:keycloak-db-secret
- # n:smo-app
- # s:gen:{"username":"admin-[a-z0-9]{6}","password":"[a-zA-Z0-9]{12}"}
- # t:{"KEYCLOAK_DB_USER":"{{.username}}","KEYCLOAK_DB_PASSWORD":"{{.password}}"}
- # --
- # sleep:5000
- # --
- # w:keycloak
- # n:default
- # s:trigger-init
- # --
diff --git a/helm-charts/0.25.3/charts/spire/.helmignore b/helm-charts/0.25.3/charts/spire/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/helm-charts/0.25.3/charts/spire/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/helm-charts/0.25.3/charts/spire/Chart.yaml b/helm-charts/0.25.3/charts/spire/Chart.yaml
deleted file mode 100644
index 7a7f568e..00000000
--- a/helm-charts/0.25.3/charts/spire/Chart.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v2
-name: spire
-description: Helm chart for spire
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.25.3
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "0.25.3"
diff --git a/helm-charts/0.25.3/charts/spire/templates/_helpers.tpl b/helm-charts/0.25.3/charts/spire/templates/_helpers.tpl
deleted file mode 100644
index 2493264f..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/_helpers.tpl
+++ /dev/null
@@ -1,72 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "spire.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "spire.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "spire.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "spire.labels" -}}
-helm.sh/chart: {{ include "spire.chart" . }}
-{{ include "spire.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "spire.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "spire.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "spire.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "spire.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/helm-charts/0.25.3/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml b/helm-charts/0.25.3/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml
deleted file mode 100644
index 787891cd..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# permissions to do leader election.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: leader-election-role
- namespace: {{ .Values.global.spire.namespace }}
-rules:
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
diff --git a/helm-charts/0.25.3/charts/spire/templates/crd-rbac/hook-preinstall_role.yaml b/helm-charts/0.25.3/charts/spire/templates/crd-rbac/hook-preinstall_role.yaml
deleted file mode 100644
index a5b74e1c..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/crd-rbac/hook-preinstall_role.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: manager-role
-rules:
- - apiGroups: [ "" ]
- resources: [ "endpoints" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["get", "list", "patch", "watch"]
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterfederatedtrustdomains"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterfederatedtrustdomains/finalizers"]
- verbs: ["update"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterfederatedtrustdomains/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterspiffeids"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterspiffeids/finalizers"]
- verbs: ["update"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterspiffeids/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterstaticentries"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterstaticentries/finalizers"]
- verbs: ["update"]
- - apiGroups: ["spire.spiffe.io"]
- resources: ["clusterstaticentries/status"]
- verbs: ["get", "patch", "update"]
diff --git a/helm-charts/0.25.3/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml b/helm-charts/0.25.3/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml
deleted file mode 100644
index 397140fa..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: leader-election-rolebinding
- namespace: {{ .Values.global.spire.namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: leader-election-role
-subjects:
- - kind: ServiceAccount
- name: spire-server
- namespace: {{ .Values.global.spire.namespace }}
diff --git a/helm-charts/0.25.3/charts/spire/templates/crd-rbac/role_binding.yaml b/helm-charts/0.25.3/charts/spire/templates/crd-rbac/role_binding.yaml
deleted file mode 100644
index 5608f7fd..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/crd-rbac/role_binding.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: manager-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: manager-role
-subjects:
- - kind: ServiceAccount
- name: spire-server
- namespace: {{ .Values.global.spire.namespace }}
diff --git a/helm-charts/0.25.3/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml b/helm-charts/0.25.3/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml
deleted file mode 100644
index d8047e59..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: storage.k8s.io/v1
-kind: CSIDriver
-metadata:
- name: "csi.spiffe.io"
-spec:
- # We only support ephemeral, inline volumes. We don't need a controller to
- # provision and attach volumes.
- attachRequired: false
-
- # We want the pod information so that the CSI driver can verify that an
- # ephemeral mount was requested.
- podInfoOnMount: true
-
- # We don't want (or need) K8s to change ownership on the contents of the mount
- # when it is mounted into the pod, since the Workload API is completely open
- # (i.e. 0777).
- # Note, this was added in Kubernetes 1.19, so omit
- fsGroupPolicy: None
-
- # We only support ephemeral volumes. Note that this requires Kubernetes 1.16
- volumeLifecycleModes: # added in Kubernetes 1.16, this field is beta
- - Ephemeral
diff --git a/helm-charts/0.25.3/charts/spire/templates/hook-preinstall_spire-namespace.yaml b/helm-charts/0.25.3/charts/spire/templates/hook-preinstall_spire-namespace.yaml
deleted file mode 100644
index 10d2824a..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/hook-preinstall_spire-namespace.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: Namespace
-metadata:
- name: {{ .Values.global.spire.namespace }}
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-agent-cluster-role-binding.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-agent-cluster-role-binding.yaml
deleted file mode 100644
index 1c5e94f7..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-agent-cluster-role-binding.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# Binds above cluster role to spire-agent service account
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-agent-cluster-role-binding
-subjects:
- - kind: ServiceAccount
- name: spire-agent
- namespace: {{ .Values.global.spire.namespace }}
-roleRef:
- kind: ClusterRole
- name: spire-agent-cluster-role
- apiGroup: rbac.authorization.k8s.io
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-agent-cluster-role.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-agent-cluster-role.yaml
deleted file mode 100644
index da8ed1ad..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-agent-cluster-role.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# Required cluster role to allow spire-agent to query k8s API server
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-agent-cluster-role
-rules:
- - apiGroups: [""]
- resources: ["pods","nodes","nodes/proxy"]
- verbs: ["get"]
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-agent-config-map.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-agent-config-map.yaml
deleted file mode 100644
index 5fd6c2d2..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-agent-config-map.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# ConfigMap for the SPIRE agent featuring:
-# 1) PSAT node attestation
-# 2) K8S Workload Attestation over the secure kubelet port
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: spire-agent
- namespace: {{ .Values.global.spire.namespace }}
-data:
- agent.conf: |
- agent {
- data_dir = "/run/spire"
- log_level = {{ .Values.global.spire.logLevel | quote }}
- server_address = "spire-server"
- server_port = {{ .Values.global.spire.serverPort | quote }}
- socket_path = "/run/spire/sockets/agent.sock"
- trust_bundle_path = "/run/spire/bundle/bundle.crt"
- trust_domain = {{ .Values.global.spire.trustDomain | quote }}
- }
-
- health_checks {
- bind_address = "0.0.0.0"
- bind_port = "9982"
- listener_enabled = true
- live_path = "/live"
- ready_path = "/ready"
- }
-
- plugins {
- NodeAttestor "k8s_psat" {
- plugin_data {
- cluster = "vsecm-cluster"
- }
- }
-
- KeyManager "memory" {
- plugin_data {
- }
- }
-
- WorkloadAttestor "k8s" {
- plugin_data {
- skip_kubelet_verification = true
- }
- }
- }
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-agent-daemonset.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-agent-daemonset.yaml
deleted file mode 100644
index 39221a0c..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-agent-daemonset.yaml
+++ /dev/null
@@ -1,172 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: spire-agent
- namespace: {{ .Values.global.spire.namespace }}
- labels:
- app: spire-agent
- annotations: {{ .Values.spireAgent.annotations | toYaml | nindent 4 }}
-spec:
- selector:
- matchLabels:
- app: spire-agent
- updateStrategy:
- type: RollingUpdate
- template:
- metadata:
- namespace: {{ .Values.global.spire.namespace }}
- labels:
- app: spire-agent
- spec:
-{{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
-{{- end }}
- hostPID: true
- hostNetwork: true
- dnsPolicy: ClusterFirstWithHostNet
- serviceAccountName: spire-agent
- priorityClassName: system-node-critical
- containers:
- - name: spire-agent
- image: {{ .Values.global.images.spireAgent.repository }}:{{ .Values.global.images.spireAgent.tag }}
- imagePullPolicy: {{ .Values.global.images.spireAgent.pullPolicy }}
- args: ["-config", "/run/spire/config/agent.conf"]
- resources:
- requests:
- memory: {{ .Values.resources.agent.requests.memory }}
- cpu: {{ .Values.resources.agent.requests.cpu }}
-
- ports:
- - containerPort: 9982
- name: healthz
- livenessProbe:
- httpGet:
- path: /live
- port: healthz
- initialDelaySeconds: 15
- periodSeconds: 60
- readinessProbe:
- httpGet:
- path: /ready
- port: healthz
- initialDelaySeconds: 10
- periodSeconds: 30
-
- volumeMounts:
- - name: spire-config
- mountPath: /run/spire/config
- readOnly: true
- - name: spire-bundle
- mountPath: /run/spire/bundle
- readOnly: true
- - name: spire-token
- mountPath: /var/run/secrets/tokens
- - name: spire-agent-socket-dir
- mountPath: /run/spire/sockets
- # This is the container which runs the SPIFFE CSI driver.
- - name: spiffe-csi-driver
- image: {{ .Values.global.images.spiffeCsiDriver.repository }}:{{ .Values.global.images.spiffeCsiDriver.tag }}
- imagePullPolicy: {{ .Values.global.images.spiffeCsiDriver.pullPolicy }}
- args: [
- "-workload-api-socket-dir", "/spire-agent-socket",
- "-csi-socket-path", "/spiffe-csi/csi.sock",
- ]
- resources:
- requests:
- memory: {{ .Values.resources.spiffeCsiDriver.requests.memory }}
- cpu: {{ .Values.resources.spiffeCsiDriver.requests.cpu }}
- env:
- # The CSI driver needs a unique node ID. The node name can be
- # used for this purpose.
- - name: MY_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- volumeMounts:
- # The volume containing the SPIRE agent socket. The SPIFFE CSI
- # driver will mount this directory into containers.
- - mountPath: /spire-agent-socket
- name: spire-agent-socket-dir
- readOnly: true
- # The volume that will contain the CSI driver socket shared
- # with the kubelet and the driver registrar.
- - mountPath: /spiffe-csi
- name: spiffe-csi-socket-dir
- # The volume containing mount points for containers.
- - mountPath: /var/lib/kubelet/pods
- mountPropagation: Bidirectional
- name: mountpoint-dir
- securityContext:
- privileged: true
- # This container runs the CSI Node Driver Registrar which takes care
- # of all the little details required to register a CSI driver with
- # the kubelet.
- - name: node-driver-registrar
- image: {{ .Values.global.images.nodeDriverRegistrar.repository }}:{{ .Values.global.images.nodeDriverRegistrar.tag }}
- imagePullPolicy: {{ .Values.global.images.nodeDriverRegistrar.pullPolicy }}
- args: [
- "-csi-address", "/spiffe-csi/csi.sock",
- "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock",
- ]
- volumeMounts:
- # The registrar needs access to the SPIFFE CSI driver socket
- - mountPath: /spiffe-csi
- name: spiffe-csi-socket-dir
- # The registrar needs access to the Kubelet plugin registration
- # directory
- - name: kubelet-plugin-registration-dir
- mountPath: /registration
- volumes:
- - name: spire-config
- configMap:
- name: spire-agent
- - name: spire-bundle
- configMap:
- name: spire-bundle
- - name: spire-token
- projected:
- sources:
- - serviceAccountToken:
- path: spire-agent
- expirationSeconds: 7200
- audience: spire-server
-
- # This volume is used to share the Workload API socket between the CSI
- # driver and SPIRE agent. Note, an emptyDir volume could also be used,
- # however, this can lead to broken bind mounts in the workload
- # containers if the agent pod is restarted (since the emptyDir
- # directory on the node that was mounted into workload containers by
- # the CSI driver belongs to the old pod instance and is no longer
- # valid).
- - name: spire-agent-socket-dir
- hostPath:
- path: /run/spire/sockets
- type: DirectoryOrCreate
-
- # This volume is where the socket for kubelet->driver communication lives
- - name: spiffe-csi-socket-dir
- hostPath:
- path: /var/lib/kubelet/plugins/csi.spiffe.io
- type: DirectoryOrCreate
- # This volume is where the SPIFFE CSI driver mounts volumes
- - name: mountpoint-dir
- hostPath:
- path: /var/lib/kubelet/pods
- type: Directory
- # This volume is where the node-driver-registrar registers the plugin
- # with kubelet
- - name: kubelet-plugin-registration-dir
- hostPath:
- path: /var/lib/kubelet/plugins_registry
- type: Directory
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-agent-service-account.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-agent-service-account.yaml
deleted file mode 100644
index d7c205c8..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-agent-service-account.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# ServiceAccount for the SPIRE agent
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: spire-agent
- namespace: {{ .Values.global.spire.namespace }}
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-controller-manager-config.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-controller-manager-config.yaml
deleted file mode 100644
index 9203e373..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-controller-manager-config.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: spire-controller-manager-config
- namespace: {{ .Values.global.spire.namespace }}
-data:
- spire-controller-manager-config.yaml: |
- apiVersion: spire.spiffe.io/v1alpha1
- kind: ControllerManagerConfig
- metrics:
- bindAddress: 127.0.0.1:8082
- health:
- healthProbeBindAddress: 0.0.0.0:8083
- leaderElection:
- leaderElect: true
- resourceName: 98c9c988.spiffe.io
- resourceNamespace: {{ .Values.global.spire.namespace }}
- clusterName: vsecm-cluster
- trustDomain: vsecm.com
- ignoreNamespaces:
- - kube-system
- - kube-public
- - {{ .Values.global.spire.namespace }}
- - local-path-storage
- # - do not ignore {{ .Values.global.vsecm.namespace }}!
- # - {{ .Values.global.vsecm.namespace }}
- - kube-node-lease
- - kube-public
- - kubernetes-dashboard
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-controller-manager-webhook.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-controller-manager-webhook.yaml
deleted file mode 100644
index 7da831fa..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-controller-manager-webhook.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: spire-controller-manager-webhook
-webhooks:
- - admissionReviewVersions: ["v1"]
- clientConfig:
- service:
- name: spire-controller-manager-webhook-service
- namespace: {{ .Values.global.spire.namespace }}
- path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain
- failurePolicy: Fail
- name: vclusterfederatedtrustdomain.kb.io
- rules:
- - apiGroups: ["spire.spiffe.io"]
- apiVersions: ["v1alpha1"]
- operations: ["CREATE", "UPDATE"]
- resources: ["clusterfederatedtrustdomains"]
- sideEffects: None
- - admissionReviewVersions: ["v1"]
- clientConfig:
- service:
- name: spire-controller-manager-webhook-service
- namespace: {{ .Values.global.spire.namespace }}
- path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid
- failurePolicy: Fail
- name: vclusterspiffeid.kb.io
- rules:
- - apiGroups: ["spire.spiffe.io"]
- apiVersions: ["v1alpha1"]
- operations: ["CREATE", "UPDATE"]
- resources: ["clusterspiffeids"]
- sideEffects: None
- - admissionReviewVersions: ["v1"]
- clientConfig:
- service:
- name: spire-controller-manager-webhook-service
- namespace: {{ .Values.global.spire.namespace }}
- path: /validate-spire-spiffe-io-v1alpha1-clusterstaticentry
- failurePolicy: Fail
- name: clusterstaticentry.kb.io
- rules:
- - apiGroups: ["spire.spiffe.io"]
- apiVersions: ["v1alpha1"]
- operations: ["CREATE", "UPDATE"]
- resources: ["clusterstaticentries"]
- sideEffects: None
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-server-bundle-config-map.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-server-bundle-config-map.yaml
deleted file mode 100644
index 05c99cde..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-server-bundle-config-map.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# ConfigMap containing the latest trust bundle for the trust domain. It is
-# updated by SPIRE using the k8sbundle notifier plugin. SPIRE agents mount
-# this config map and use the certificate to bootstrap trust with the SPIRE
-# server during attestation.
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: spire-bundle
- namespace: {{ .Values.global.spire.namespace }}
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-server-bundle-endpoint.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-server-bundle-endpoint.yaml
deleted file mode 100644
index 27a92e28..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-server-bundle-endpoint.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# Service definition for SPIRE server bundle endpoint
-apiVersion: v1
-kind: Service
-metadata:
- name: spire-server-bundle-endpoint
- namespace: {{ .Values.global.spire.namespace }}
-spec:
- type: {{ .Values.bundleEndpoint.type }}
- ports:
- - name: api
- port: {{ .Values.bundleEndpoint.port }}
- protocol: TCP
- selector:
- app: spire-server
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-server-cluster-role-binding.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-server-cluster-role-binding.yaml
deleted file mode 100644
index bcc3d2d2..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-server-cluster-role-binding.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# Binds above cluster role to spire-server service account
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-server-cluster-role-binding
- namespace: {{ .Values.global.spire.namespace }}
-subjects:
- - kind: ServiceAccount
- name: spire-server
- namespace: {{ .Values.global.spire.namespace }}
-roleRef:
- kind: ClusterRole
- name: spire-server-cluster-role
- apiGroup: rbac.authorization.k8s.io
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-server-cluster-role.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-server-cluster-role.yaml
deleted file mode 100644
index bf5eee10..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-server-cluster-role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# Required cluster role to allow spire-server to query k8s API server
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-server-cluster-role
-rules:
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get"]
- # allow TokenReview requests (to verify service account tokens for PSAT
- # attestation)
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["get", "create"]
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-server-config-map.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-server-config-map.yaml
deleted file mode 100644
index c122e809..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-server-config-map.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# ConfigMap containing the SPIRE server configuration.
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: spire-server
- namespace: {{ .Values.global.spire.namespace }}
-data:
- server.conf: |
- server {
- bind_address = "0.0.0.0"
- bind_port = "8081"
- trust_domain = {{ .Values.global.spire.trustDomain | quote }}
- data_dir = "/run/spire/server/data"
- log_level = "DEBUG"
- federation {
- bundle_endpoint {
- address = "0.0.0.0"
- port = 8443
- }
- }
-
-{{- if .Values.experimental.eventsBasedCache }}
- experimental {
- events_based_cache = true
- }
-{{- end }}
-
- }
-
- health_checks {
- bind_address = "0.0.0.0"
- bind_port = "8080"
- listener_enabled = true
- live_path = "/live"
- ready_path = "/ready"
- }
-
- plugins {
- DataStore "sql" {
- plugin_data {
- database_type = "sqlite3"
- connection_string = "/run/spire/server/data/datastore.sqlite3"
- }
- }
-
- NodeAttestor "k8s_psat" {
- plugin_data {
- clusters = {
- "vsecm-cluster" = {
- service_account_allow_list = ["{{ .Values.global.spire.namespace }}:spire-agent"]
- }
- }
- }
- }
-
- KeyManager "disk" {
- plugin_data {
- keys_path = "/run/spire/server/data/keys.json"
- }
- }
-
- Notifier "k8sbundle" {
- plugin_data {
- config_map = "spire-bundle"
- namespace = "{{ .Values.global.spire.namespace }}"
- }
- }
- }
-
- health_checks {
- listener_enabled = true
- bind_address = "0.0.0.0"
- bind_port = "8080"
- live_path = "/live"
- ready_path = "/ready"
- }
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml
deleted file mode 100644
index 4e102530..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# Service definition for SPIRE controller manager webhook
-apiVersion: v1
-kind: Service
-metadata:
- name: spire-controller-manager-webhook-service
- namespace: {{ .Values.global.spire.namespace }}
-spec:
- ports:
- - port: 443
- protocol: TCP
- targetPort: 9443
- selector:
- app: spire-server
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-server-role-binding.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-server-role-binding.yaml
deleted file mode 100644
index 29726f6d..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-server-role-binding.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# RoleBinding granting the spire-server-role to the SPIRE server
-# service account.
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-server-role-binding
- namespace: {{ .Values.global.spire.namespace }}
-subjects:
- - kind: ServiceAccount
- name: spire-server
- namespace: {{ .Values.global.spire.namespace }}
-roleRef:
- kind: Role
- name: spire-server-role
- apiGroup: rbac.authorization.k8s.io
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-server-role.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-server-role.yaml
deleted file mode 100644
index 34a5f490..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-server-role.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# Role for the SPIRE server
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: spire-server-role
- namespace: {{ .Values.global.spire.namespace }}
-rules:
- # allow "get" access to pods (to resolve selectors for PSAT attestation)
- - apiGroups: [""]
- resources: ["pods"]
- verbs: ["get"]
- # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE
- # agent bootstrapping, see the spire-bundle ConfigMap below)
- - apiGroups: [""]
- resources: ["configmaps"]
- resourceNames: ["spire-bundle"]
- verbs: ["get", "patch"]
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-server-service-account.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-server-service-account.yaml
deleted file mode 100644
index 4318daae..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-server-service-account.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# ServiceAccount used by the SPIRE server.
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: spire-server
- namespace: {{ .Values.global.spire.namespace }}
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-server-service.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-server-service.yaml
deleted file mode 100644
index 5f71a612..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-server-service.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# ServiceAccount used by the SPIRE server.
-apiVersion: v1
-kind: Service
-metadata:
- name: spire-server
- namespace: {{ .Values.global.spire.namespace }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - name: api
- port: {{ .Values.service.port }}
- targetPort: {{ .Values.service.port }}
- protocol: TCP
- selector:
- app: spire-server
diff --git a/helm-charts/0.25.3/charts/spire/templates/spire-server-stateful-set.yaml b/helm-charts/0.25.3/charts/spire/templates/spire-server-stateful-set.yaml
deleted file mode 100644
index 2538c64b..00000000
--- a/helm-charts/0.25.3/charts/spire/templates/spire-server-stateful-set.yaml
+++ /dev/null
@@ -1,130 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: spire-server
- namespace: {{ .Values.global.spire.namespace }}
- labels:
- app: spire-server
- app.kubernetes.io/component: server
-spec:
- serviceName: spire-server
- replicas: {{ .Values.replicaCount }}
- selector:
- matchLabels:
- app: spire-server
- template:
- metadata:
- namespace: {{ .Values.global.spire.namespace }}
- labels:
- app: spire-server
- spec:
-{{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
-{{- end }}
- serviceAccountName: spire-server
- shareProcessNamespace: true
-
- priorityClassName: system-cluster-critical
-
- containers:
- - name: spire-server
- image: {{ .Values.global.images.spireServer.repository }}:{{ .Values.global.images.spireServer.tag }}
- imagePullPolicy: {{ .Values.global.images.spireServer.pullPolicy }}
- args: ["-config", "/run/spire/server/config/server.conf"]
- resources:
- requests:
- memory: {{ .Values.resources.agent.requests.memory }}
- cpu: {{ .Values.resources.agent.requests.cpu }}
- ports:
- - containerPort: 8081
- protocol: TCP
- - containerPort: 8080
- name: healthz
-
- livenessProbe:
- httpGet:
- path: /live
- port: healthz
- failureThreshold: 2
- initialDelaySeconds: 15
- periodSeconds: 60
- timeoutSeconds: 3
- readinessProbe:
- httpGet:
- path: /ready
- port: healthz
- initialDelaySeconds: 5
- periodSeconds: 5
-
- volumeMounts:
-{{- if .Values.data.persistent }}
- - name: spire-data
- mountPath: /run/spire/server/data
- readOnly: false
-{{- end }}
- - name: spire-config
- mountPath: /run/spire/server/config
- readOnly: true
- - name: spire-server-socket
- mountPath: /tmp/spire-server/private
- - name: spire-controller-manager
- image: {{ .Values.global.images.spireControllerManager.repository }}:{{ .Values.global.images.spireControllerManager.tag }}
- imagePullPolicy: {{ .Values.global.images.spireControllerManager.pullPolicy }}
- ports:
- - containerPort: 9443
- - containerPort: 8083
- name: healthz
-
- livenessProbe:
- httpGet:
- path: /healthz
- port: healthz
- readinessProbe:
- httpGet:
- path: /readyz
- port: healthz
-
- args:
- - "--config=spire-controller-manager-config.yaml"
- volumeMounts:
- - name: spire-server-socket
- mountPath: /spire-server
- readOnly: true
- - name: spire-controller-manager-config
- mountPath: /spire-controller-manager-config.yaml
- subPath: spire-controller-manager-config.yaml
- volumes:
- - name: spire-config
- configMap:
- name: spire-server
- - name: spire-server-socket
- emptyDir: {}
- - name: spire-controller-manager-config
- configMap:
- name: spire-controller-manager-config
- {{- if .Values.data.persistent }}
- # noinspection KubernetesUnknownKeys
- volumeClaimTemplates:
- - metadata:
- name: spire-data
- spec:
- accessModes:
- - {{ .Values.data.persistentVolumeClaim.accessMode | default "ReadWriteOnce" }}
- resources:
- requests:
- storage: {{ .Values.data.persistentVolumeClaim.size }}
- {{- if .Values.data.persistentVolumeClaim.storageClass }}
- storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }}
- {{- end }}
- {{- end }}
diff --git a/helm-charts/0.25.3/charts/spire/values.yaml b/helm-charts/0.25.3/charts/spire/values.yaml
deleted file mode 100644
index 1aa45b33..00000000
--- a/helm-charts/0.25.3/charts/spire/values.yaml
+++ /dev/null
@@ -1,105 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# Default values for spire.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-## @section Chart parameters
-##
-## @param replicaCount SPIRE server currently runs with a sqlite database.
-## Scaling to multiple instances will not work until we use an external database.
-replicaCount: 1
-
-# Override it with an image pull secret that you need as follows:
-# imagePullSecrets:
-# - name: my-registry-secret
-imagePullSecrets: []
-
-nameOverride: ""
-fullnameOverride: ""
-
-experimental:
- eventsBasedCache: false
-
-service:
- # ClusterIP, NodePort, LoadBalancer
- type: ClusterIP
- port: 8081
- annotations: {}
-
-bundleEndpoint:
- # ClusterIP, NodePort, LoadBalancer
- type: ClusterIP
- port: 8443
- annotations: {}
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
-
-podAnnotations: {}
-
-spireAgent:
- annotations:
- # Define a helm hook to make spire-agent daemonSet deploy after spire-server statefulSet
- "helm.sh/hook": post-install
- "helm.sh/hook-delete-policy": hook-succeeded
-
-podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-resources:
- # These are the default resources suitable for a moderate SPIRE usage.
- # Of course, it's best to do your own benchmarks and update these
- # requests and limits to your production needs accordingly.
- # That being said, as a rule of thumb, do not limit the CPU request
- # on SPIRE Agent and SPIRE server. It's best to let them leverage
- # the available excess CPU, if available.
- server:
- requests:
- memory: "1Gi"
- cpu: "100m"
- agent:
- requests:
- memory: "512Mi"
- cpu: "50m"
- spiffeCsiDriver:
- requests:
- memory: "128Mi"
- cpu: "50m"
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-data:
- persistent: false
- # Define the PVC if `persistent` is true.
- persistentVolumeClaim:
- storageClass: ""
- accessMode: ReadWriteOnce
- size: 1Gi
diff --git a/helm-charts/0.25.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/helm-charts/0.25.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml
deleted file mode 100644
index e547e8a9..00000000
--- a/helm-charts/0.25.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml
+++ /dev/null
@@ -1,99 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: clusterfederatedtrustdomains.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterFederatedTrustDomain - listKind: ClusterFederatedTrustDomainList - plural: clusterfederatedtrustdomains - singular: clusterfederatedtrustdomain - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.trustDomain - name: Trust Domain - type: string - - jsonPath: .spec.bundleEndpointURL - name: Endpoint URL - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterFederatedTrustDomainSpec defines the desired state - of ClusterFederatedTrustDomain - properties: - bundleEndpointProfile: - description: BundleEndpointProfile is the profile for the bundle endpoint. - properties: - endpointSPIFFEID: - description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. - It is required for the "https_spiffe" profile. - type: string - type: - description: Type is the type of the bundle endpoint profile. - enum: - - https_spiffe - - https_web - type: string - required: - - type - type: object - bundleEndpointURL: - description: BundleEndpointURL is the URL of the bundle endpoint. - It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). - type: string - trustDomain: - description: TrustDomain is the name of the trust domain to federate - with (e.g. example.org) - pattern: '[a-z0-9._-]{1,255}' - type: string - trustDomainBundle: - description: TrustDomainBundle is the contents of the bundle for the - referenced trust domain. This field is optional when the resource - is created. - type: string - required: - - bundleEndpointProfile - - bundleEndpointURL - - trustDomain - type: object - status: - description: ClusterFederatedTrustDomainStatus defines the observed state - of ClusterFederatedTrustDomain - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/helm-charts/0.25.3/crds/spire.spiffe.io_clusterspiffeids.yaml b/helm-charts/0.25.3/crds/spire.spiffe.io_clusterspiffeids.yaml deleted file mode 100644 index b02ef2e7..00000000 --- a/helm-charts/0.25.3/crds/spire.spiffe.io_clusterspiffeids.yaml +++ /dev/null 
@@ -1,234 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: clusterspiffeids.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterSPIFFEID - listKind: ClusterSPIFFEIDList - plural: clusterspiffeids - singular: clusterspiffeid - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSPIFFEID is the Schema for the clusterspiffeids API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID - properties: - admin: - description: Admin indicates whether or not the SVID can be used to - access the SPIRE administrative APIs. Extra care should be taken - to only apply this SPIFFE ID to admin workloads. 
- type: boolean - dnsNameTemplates: - description: DNSNameTemplate represents templates for extra DNS names - that are applicable to SVIDs minted for this ClusterSPIFFEID. The - node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. - items: - type: string - type: array - downstream: - description: Downstream indicates that the entry describes a downstream - SPIRE server. - type: boolean - federatesWith: - description: FederatesWith is a list of trust domain names that workloads - that obtain this SPIFFE ID will federate with. - items: - type: string - type: array - jwtTtl: - description: JWTTTL indicates an upper-bound time-to-live for JWT - SVIDs minted for this ClusterSPIFFEID. - type: string - namespaceSelector: - description: NamespaceSelector selects the namespaces that are targeted - by this CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. 
A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: PodSelector selects the pods that are targeted by this - CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - spiffeIDTemplate: - description: SPIFFEID is the SPIFFE ID template. The node and pod - spec are made available to the template under .NodeSpec, .PodSpec - respectively. - type: string - ttl: - description: TTL indicates an upper-bound time-to-live for X509 SVIDs - minted for this ClusterSPIFFEID. 
If unset, a default will be chosen. - type: string - workloadSelectorTemplates: - description: WorkloadSelectorTemplates are templates to produce arbitrary - workload selectors that apply to a given workload before it will - receive this SPIFFE ID. The rendered value is interpreted by SPIRE - and are of the form type:value, where the value may, and often does, - contain semicolons, .e.g., k8s:container-image:docker/hello-world - The node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. - items: - type: string - type: array - required: - - spiffeIDTemplate - type: object - status: - description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID - properties: - stats: - description: Stats produced by the last entry reconciliation run - properties: - entriesMasked: - description: How many entries were masked by entries for other - ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs - produce an entry for the same pod with the same set of workload - selectors. - type: integer - entriesToSet: - description: How many entries are to be set for this ClusterSPIFFEID. - In nominal conditions, this should reflect the number of pods - selected, but not always if there were problems encountered - rendering an entry for the pod (RenderFailures) or entries are - masked (EntriesMasked). - type: integer - entryFailures: - description: How many entries were unable to be set due to failures - to create or update the entries via the SPIRE Server API. - type: integer - namespacesIgnored: - description: How many (selected) namespaces were ignored (based - on configuration). - type: integer - namespacesSelected: - description: How many namespaces were selected. - type: integer - podEntryRenderFailures: - description: How many failures were encountered rendering an entry - selected pods. 
This could be due to either a bad template in - the ClusterSPIFFEID or Pod metadata that when applied to the - template did not produce valid entry values. - type: integer - podsSelected: - description: How many pods were selected out of the namespaces. - type: integer - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/helm-charts/0.25.3/crds/spire.spiffe.io_clusterstaticentries.yaml b/helm-charts/0.25.3/crds/spire.spiffe.io_clusterstaticentries.yaml deleted file mode 100644 index 6fc92d5f..00000000 --- a/helm-charts/0.25.3/crds/spire.spiffe.io_clusterstaticentries.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: clusterstaticentries.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterStaticEntry - listKind: ClusterStaticEntryList - plural: clusterstaticentries - singular: clusterstaticentry - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterStaticEntry is the Schema for the clusterstaticentries - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry - properties: - admin: - type: boolean - dnsNames: - items: - type: string - type: array - downstream: - type: boolean - federatesWith: - items: - type: string - type: array - hint: - type: string - jwtSVIDTTL: - type: string - parentID: - type: string - selectors: - items: - type: string - type: array - spiffeID: - type: string - x509SVIDTTL: - type: string - required: - - parentID - - selectors - - spiffeID - type: object - status: - description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry - properties: - masked: - description: If the static entry was masked by another entry. - type: boolean - rendered: - description: If the static entry rendered properly. - type: boolean - set: - description: If the static entry was successfully created/updated. - type: boolean - required: - - masked - - rendered - - set - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/helm-charts/0.25.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml b/helm-charts/0.25.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml deleted file mode 100644 index 538ac974..00000000 --- a/helm-charts/0.25.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: controllermanagerconfigs.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ControllerManagerConfig - listKind: ControllerManagerConfigList - plural: controllermanagerconfigs - singular: controllermanagerconfig - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ControllerManagerConfig is the Schema for the controllermanagerconfigs - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ControllerManagerConfigSpec defines the desired state of - ControllerManagerConfig - properties: - foo: - description: Foo is an example field of ControllerManagerConfig. 
Edit
- controllermanagerconfig_types.go to deletion/update
- type: string
- type: object
- status:
- description: ControllerManagerConfigStatus defines the observed state
- of ControllerManagerConfig
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff --git a/helm-charts/0.25.3/values.yaml b/helm-charts/0.25.3/values.yaml
deleted file mode 100644
index ad11e802..00000000
--- a/helm-charts/0.25.3/values.yaml
+++ /dev/null
@@ -1,84 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-global:
- deploySpire: true
- deployKeystone: true
-
- # possible options for baseImage (distroless, distroless-fips)
- baseImage: distroless
- registry: vsecm
- logLevel: "7"
- images:
- keystone:
- distrolessRepository: vsecm-ist-keystone
- distrolessFipsRepository: vsecm-ist-fips-keystone
- tag: 0.25.3
- pullPolicy: IfNotPresent
- safe:
- distrolessRepository: vsecm-ist-safe
- distrolessFipsRepository: vsecm-ist-fips-safe
- tag: 0.25.3
- pullPolicy: IfNotPresent
- sentinel:
- distrolessRepository: vsecm-ist-sentinel
- distrolessFipsRepository: vsecm-ist-fips-sentinel
- tag: 0.25.3
- pullPolicy: IfNotPresent
- initContainer:
- repository: vsecm-ist-init-container
- tag: 0.25.3
- spireAgent:
- repository: ghcr.io/spiffe/spire-agent
- tag: 1.9.4
- pullPolicy: IfNotPresent
- spiffeCsiDriver:
- repository: ghcr.io/spiffe/spiffe-csi-driver
- tag: 0.2.6
- pullPolicy: IfNotPresent
- nodeDriverRegistrar:
- repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
- tag: v2.10.0
- pullPolicy: IfNotPresent
- spireServer:
- repository: ghcr.io/spiffe/spire-server
- tag: 1.9.4
- pullPolicy: IfNotPresent
- spireControllerManager:
- repository: ghcr.io/spiffe/spire-controller-manager
- tag: 0.5.0
- pullPolicy: IfNotPresent
- vsecm:
- namespace: vsecm-system
- safeEndpointUrl: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/"
- safeSpiffeIdPrefix: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"
- sentinelSpiffeIdPrefix: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/"
- spire:
- # The trust domain is the root of the SPIFFE ID hierarchy. It is used to
- # identify the trust domain of a workload. If you use anything other than
- # the default `vsecm.com`, you must also update the relevant environment
- # variables that does SPIFFE ID validation.
- #
- # To prevent accidental collisions (two trust domains select identical names),
- # operators are advised to select trust domain names which are highly likely
- # to be globally unique. Even though a trust domain name is not a DNS name,
- # using a registered domain name as a suffix of a trust domain name, when
- # available, will reduce chances of an accidental collision; for example,
- # if a trust domain operator owns the domain name `example.com`,
- # then using a trust domain name such as `apps.example.com` would likely
- # not produce a collision. When trust domain names are automatically generated
- # without operator input, randomly generating a unique name (such as a UUID)
- # is strongly advised.
- trustDomain: "vsecm.com"
- namespace: spire-system
- logLevel: DEBUG
- serverPort: 8081
-
-podAnnotations: {}
\ No newline at end of file
diff --git a/helm-charts/0.25.4/charts/keystone/Chart.yaml b/helm-charts/0.25.4/charts/keystone/Chart.yaml
index 8391bff7..2a5b4c0c 100644
--- a/helm-charts/0.25.4/charts/keystone/Chart.yaml
+++ b/helm-charts/0.25.4/charts/keystone/Chart.yaml
@@ -25,10 +25,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.25.3
+version: 0.25.4
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.25.3"
+appVersion: "0.25.4"
diff --git a/helm-charts/0.25.4/values.yaml b/helm-charts/0.25.4/values.yaml
index ad11e802..2fcff278 100644
--- a/helm-charts/0.25.4/values.yaml
+++ b/helm-charts/0.25.4/values.yaml
@@ -20,21 +20,21 @@ global:
 keystone:
 distrolessRepository: vsecm-ist-keystone
 distrolessFipsRepository: vsecm-ist-fips-keystone
- tag: 0.25.3
+ tag: 0.25.4
 pullPolicy: IfNotPresent
 safe:
 distrolessRepository: vsecm-ist-safe
 distrolessFipsRepository: vsecm-ist-fips-safe
- tag: 0.25.3
+ tag: 0.25.4
 pullPolicy: IfNotPresent
 sentinel:
 distrolessRepository: vsecm-ist-sentinel
 distrolessFipsRepository: vsecm-ist-fips-sentinel
- tag: 0.25.3
+ tag: 0.25.4
 pullPolicy: IfNotPresent
 initContainer:
 repository: vsecm-ist-init-container
- tag: 0.25.3
+ tag: 0.25.4
 spireAgent:
 repository: ghcr.io/spiffe/spire-agent
 tag: 1.9.4
diff --git a/k8s/0.25.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/k8s/0.25.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml
deleted file mode 100644
index e547e8a9..00000000
--- a/k8s/0.25.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml
+++ /dev/null
@@ -1,99 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: clusterfederatedtrustdomains.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterFederatedTrustDomain - listKind: ClusterFederatedTrustDomainList - plural: clusterfederatedtrustdomains - singular: clusterfederatedtrustdomain - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.trustDomain - name: Trust Domain - type: string - - jsonPath: .spec.bundleEndpointURL - name: Endpoint URL - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterFederatedTrustDomainSpec defines the desired state - of ClusterFederatedTrustDomain - properties: - bundleEndpointProfile: - description: BundleEndpointProfile is the profile for the bundle endpoint. - properties: - endpointSPIFFEID: - description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. - It is required for the "https_spiffe" profile. - type: string - type: - description: Type is the type of the bundle endpoint profile. - enum: - - https_spiffe - - https_web - type: string - required: - - type - type: object - bundleEndpointURL: - description: BundleEndpointURL is the URL of the bundle endpoint. - It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). - type: string - trustDomain: - description: TrustDomain is the name of the trust domain to federate - with (e.g. example.org) - pattern: '[a-z0-9._-]{1,255}' - type: string - trustDomainBundle: - description: TrustDomainBundle is the contents of the bundle for the - referenced trust domain. This field is optional when the resource - is created. - type: string - required: - - bundleEndpointProfile - - bundleEndpointURL - - trustDomain - type: object - status: - description: ClusterFederatedTrustDomainStatus defines the observed state - of ClusterFederatedTrustDomain - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/k8s/0.25.3/crds/spire.spiffe.io_clusterspiffeids.yaml b/k8s/0.25.3/crds/spire.spiffe.io_clusterspiffeids.yaml deleted file mode 100644 index b02ef2e7..00000000 --- a/k8s/0.25.3/crds/spire.spiffe.io_clusterspiffeids.yaml +++ /dev/null 
@@ -1,234 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: clusterspiffeids.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterSPIFFEID - listKind: ClusterSPIFFEIDList - plural: clusterspiffeids - singular: clusterspiffeid - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSPIFFEID is the Schema for the clusterspiffeids API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID - properties: - admin: - description: Admin indicates whether or not the SVID can be used to - access the SPIRE administrative APIs. Extra care should be taken - to only apply this SPIFFE ID to admin workloads. 
- type: boolean - dnsNameTemplates: - description: DNSNameTemplate represents templates for extra DNS names - that are applicable to SVIDs minted for this ClusterSPIFFEID. The - node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. - items: - type: string - type: array - downstream: - description: Downstream indicates that the entry describes a downstream - SPIRE server. - type: boolean - federatesWith: - description: FederatesWith is a list of trust domain names that workloads - that obtain this SPIFFE ID will federate with. - items: - type: string - type: array - jwtTtl: - description: JWTTTL indicates an upper-bound time-to-live for JWT - SVIDs minted for this ClusterSPIFFEID. - type: string - namespaceSelector: - description: NamespaceSelector selects the namespaces that are targeted - by this CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. 
A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: PodSelector selects the pods that are targeted by this - CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - spiffeIDTemplate: - description: SPIFFEID is the SPIFFE ID template. The node and pod - spec are made available to the template under .NodeSpec, .PodSpec - respectively. - type: string - ttl: - description: TTL indicates an upper-bound time-to-live for X509 SVIDs - minted for this ClusterSPIFFEID. 
If unset, a default will be chosen. - type: string - workloadSelectorTemplates: - description: WorkloadSelectorTemplates are templates to produce arbitrary - workload selectors that apply to a given workload before it will - receive this SPIFFE ID. The rendered value is interpreted by SPIRE - and are of the form type:value, where the value may, and often does, - contain semicolons, .e.g., k8s:container-image:docker/hello-world - The node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. - items: - type: string - type: array - required: - - spiffeIDTemplate - type: object - status: - description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID - properties: - stats: - description: Stats produced by the last entry reconciliation run - properties: - entriesMasked: - description: How many entries were masked by entries for other - ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs - produce an entry for the same pod with the same set of workload - selectors. - type: integer - entriesToSet: - description: How many entries are to be set for this ClusterSPIFFEID. - In nominal conditions, this should reflect the number of pods - selected, but not always if there were problems encountered - rendering an entry for the pod (RenderFailures) or entries are - masked (EntriesMasked). - type: integer - entryFailures: - description: How many entries were unable to be set due to failures - to create or update the entries via the SPIRE Server API. - type: integer - namespacesIgnored: - description: How many (selected) namespaces were ignored (based - on configuration). - type: integer - namespacesSelected: - description: How many namespaces were selected. - type: integer - podEntryRenderFailures: - description: How many failures were encountered rendering an entry - selected pods. 
This could be due to either a bad template in - the ClusterSPIFFEID or Pod metadata that when applied to the - template did not produce valid entry values. - type: integer - podsSelected: - description: How many pods were selected out of the namespaces. - type: integer - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/k8s/0.25.3/crds/spire.spiffe.io_clusterstaticentries.yaml b/k8s/0.25.3/crds/spire.spiffe.io_clusterstaticentries.yaml deleted file mode 100644 index 6fc92d5f..00000000 --- a/k8s/0.25.3/crds/spire.spiffe.io_clusterstaticentries.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: clusterstaticentries.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterStaticEntry - listKind: ClusterStaticEntryList - plural: clusterstaticentries - singular: clusterstaticentry - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterStaticEntry is the Schema for the clusterstaticentries - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry - properties: - admin: - type: boolean - dnsNames: - items: - type: string - type: array - downstream: - type: boolean - federatesWith: - items: - type: string - type: array - hint: - type: string - jwtSVIDTTL: - type: string - parentID: - type: string - selectors: - items: - type: string - type: array - spiffeID: - type: string - x509SVIDTTL: - type: string - required: - - parentID - - selectors - - spiffeID - type: object - status: - description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry - properties: - masked: - description: If the static entry was masked by another entry. - type: boolean - rendered: - description: If the static entry rendered properly. - type: boolean - set: - description: If the static entry was successfully created/updated. - type: boolean - required: - - masked - - rendered - - set - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/k8s/0.25.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml b/k8s/0.25.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml deleted file mode 100644 index 538ac974..00000000 --- a/k8s/0.25.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: controllermanagerconfigs.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ControllerManagerConfig - listKind: ControllerManagerConfigList - plural: controllermanagerconfigs - singular: controllermanagerconfig - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ControllerManagerConfig is the Schema for the controllermanagerconfigs - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ControllerManagerConfigSpec defines the desired state of - ControllerManagerConfig - properties: - foo: - description: Foo is an example field of ControllerManagerConfig. 
Edit - controllermanagerconfig_types.go to deletion/update - type: string - type: object - status: - description: ControllerManagerConfigStatus defines the observed state - of ControllerManagerConfig - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/k8s/0.25.3/eks/vsecm-distroless-fips.yaml b/k8s/0.25.3/eks/vsecm-distroless-fips.yaml deleted file mode 100644 index 8458b429..00000000 --- a/k8s/0.25.3/eks/vsecm-distroless-fips.yaml +++ /dev/null 
@@ -1,853 +0,0 @@ ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Namespace -metadata: - name: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.25.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: true ---- -# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.25.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-root-key - namespace: vsecm-system -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" ---- -# Source: vsecm/charts/sentinel/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: vsecm-system -type: Opaque -stringData: - data: "exit:true\n--\n" ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: vsecm-system -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. 
-# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## ---- -# Source: vsecm/charts/safe/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: vsecm-system -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. 
-# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: vsecm-system -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: vsecm-system -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## ---- -# Source: vsecm/charts/safe/templates/Service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.25.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-keystone - securityContext: - {} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - containers: - - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-keystone:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true ---- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.25.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-sentinel - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER - value: "false" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/StatefulSet.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vsecm-safe - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-safe - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.25.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: /var/local/vsecm/data - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: /key - readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - - - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - - - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER - value: "false" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: 
VSECM_NAMESPACE_SPIRE - value: "spire-system" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt ---- -# Source: vsecm/charts/keystone/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-keystone -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-keystone\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-keystone" ---- -# Source: vsecm/charts/safe/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-safe -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-safe\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-safe" ---- -# Source: vsecm/charts/sentinel/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-sentinel -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-sentinel\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.25.3/eks/vsecm-distroless.yaml b/k8s/0.25.3/eks/vsecm-distroless.yaml deleted file mode 100644 index ebe2963b..00000000 --- a/k8s/0.25.3/eks/vsecm-distroless.yaml +++ /dev/null 
@@ -1,853 +0,0 @@ ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Namespace -metadata: - name: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.25.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: true ---- -# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.25.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-root-key - namespace: vsecm-system -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" ---- -# Source: vsecm/charts/sentinel/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: vsecm-system -type: Opaque -stringData: - data: "exit:true\n--\n" ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: vsecm-system -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. 
-# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## ---- -# Source: vsecm/charts/safe/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: vsecm-system -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. 
-# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: vsecm-system -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: vsecm-system -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## ---- -# Source: vsecm/charts/safe/templates/Service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.25.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-keystone - securityContext: - {} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - containers: - - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-keystone:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true ---- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.25.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-sentinel - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER - value: "false" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/StatefulSet.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vsecm-safe - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-safe - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.25.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: /var/local/vsecm/data - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: /key - readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - - - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - - - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER - value: "false" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: 
VSECM_NAMESPACE_SPIRE - value: "spire-system" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt ---- -# Source: vsecm/charts/keystone/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-keystone -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-keystone\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-keystone" ---- -# Source: vsecm/charts/safe/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-safe -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-safe\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-safe" ---- -# Source: vsecm/charts/sentinel/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-sentinel -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-sentinel\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.25.3/local/vsecm-distroless-fips.yaml b/k8s/0.25.3/local/vsecm-distroless-fips.yaml deleted file mode 100644 index 55e2d454..00000000 --- a/k8s/0.25.3/local/vsecm-distroless-fips.yaml +++ /dev/null 
@@ -1,853 +0,0 @@ ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Namespace -metadata: - name: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.25.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: true ---- -# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.25.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-root-key - namespace: vsecm-system -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" ---- -# Source: vsecm/charts/sentinel/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: vsecm-system -type: Opaque -stringData: - data: "exit:true\n--\n" ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: vsecm-system -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. 
-# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## ---- -# Source: vsecm/charts/safe/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: vsecm-system -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. 
-# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: vsecm-system -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: vsecm-system -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## ---- -# Source: vsecm/charts/safe/templates/Service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.25.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-keystone - securityContext: - {} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "localhost:5000/vsecm-ist-init-container:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - containers: - - name: main - image: "localhost:5000/vsecm-ist-fips-keystone:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true ---- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.25.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-sentinel - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "localhost:5000/vsecm-ist-fips-sentinel:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER - value: "false" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/StatefulSet.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vsecm-safe - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-safe - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "localhost:5000/vsecm-ist-fips-safe:0.25.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: /var/local/vsecm/data - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: /key - readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - - - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - - - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER - value: "false" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: 
VSECM_NAMESPACE_SPIRE - value: "spire-system" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt ---- -# Source: vsecm/charts/keystone/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-keystone -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-keystone\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-keystone" ---- -# Source: vsecm/charts/safe/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-safe -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-safe\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-safe" ---- -# Source: vsecm/charts/sentinel/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-sentinel -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-sentinel\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.25.3/local/vsecm-distroless.yaml b/k8s/0.25.3/local/vsecm-distroless.yaml deleted file mode 100644 index 052967f1..00000000 --- a/k8s/0.25.3/local/vsecm-distroless.yaml +++ /dev/null 
@@ -1,853 +0,0 @@ ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Namespace -metadata: - name: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.25.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: true ---- -# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.25.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-root-key - namespace: vsecm-system -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" ---- -# Source: vsecm/charts/sentinel/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: vsecm-system -type: Opaque -stringData: - data: "exit:true\n--\n" ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: vsecm-system -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. 
-# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## ---- -# Source: vsecm/charts/safe/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: vsecm-system -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. 
-# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: vsecm-system -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: vsecm-system -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## ---- -# Source: vsecm/charts/safe/templates/Service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.25.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-keystone - securityContext: - {} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "localhost:5000/vsecm-ist-init-container:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - containers: - - name: main - image: "localhost:5000/vsecm-ist-keystone:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true ---- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.25.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-sentinel - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "localhost:5000/vsecm-ist-sentinel:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER - value: "false" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/StatefulSet.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vsecm-safe - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-safe - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "localhost:5000/vsecm-ist-safe:0.25.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: /var/local/vsecm/data - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: /key - readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - - - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - - - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER - value: "false" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: 
VSECM_NAMESPACE_SPIRE - value: "spire-system" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt ---- -# Source: vsecm/charts/keystone/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-keystone -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-keystone\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-keystone" ---- -# Source: vsecm/charts/safe/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-safe -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-safe\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-safe" ---- -# Source: vsecm/charts/sentinel/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-sentinel -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-sentinel\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.25.3/remote/vsecm-distroless-fips.yaml b/k8s/0.25.3/remote/vsecm-distroless-fips.yaml deleted file mode 100644 index 39a456b2..00000000 --- a/k8s/0.25.3/remote/vsecm-distroless-fips.yaml +++ /dev/null 
@@ -1,853 +0,0 @@ ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Namespace -metadata: - name: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.25.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: true ---- -# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.25.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-root-key - namespace: vsecm-system -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" ---- -# Source: vsecm/charts/sentinel/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: vsecm-system -type: Opaque -stringData: - data: "exit:true\n--\n" ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: vsecm-system -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. 
-# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## ---- -# Source: vsecm/charts/safe/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: vsecm-system -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. 
-# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: vsecm-system -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: vsecm-system -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## ---- -# Source: vsecm/charts/safe/templates/Service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.25.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-keystone - securityContext: - {} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "vsecm/vsecm-ist-init-container:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - containers: - - name: main - image: "vsecm/vsecm-ist-fips-keystone:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true ---- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.25.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-sentinel - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "vsecm/vsecm-ist-fips-sentinel:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER - value: "false" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/StatefulSet.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vsecm-safe - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-safe - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "vsecm/vsecm-ist-fips-safe:0.25.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: /var/local/vsecm/data - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: /key - readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - - - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - - - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER - value: "false" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: 
VSECM_NAMESPACE_SPIRE - value: "spire-system" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt ---- -# Source: vsecm/charts/keystone/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-keystone -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-keystone\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-keystone" ---- -# Source: vsecm/charts/safe/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-safe -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-safe\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-safe" ---- -# Source: vsecm/charts/sentinel/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-sentinel -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-sentinel\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.25.3/remote/vsecm-distroless.yaml b/k8s/0.25.3/remote/vsecm-distroless.yaml deleted file mode 100644 index 7ea46ee8..00000000 --- a/k8s/0.25.3/remote/vsecm-distroless.yaml +++ /dev/null 
@@ -1,853 +0,0 @@ ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Namespace -metadata: - name: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.25.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: true ---- -# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.25.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-root-key - namespace: vsecm-system -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" ---- -# Source: vsecm/charts/sentinel/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: vsecm-system -type: Opaque -stringData: - data: "exit:true\n--\n" ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: vsecm-system -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. 
-# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## ---- -# Source: vsecm/charts/safe/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: vsecm-system -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. 
-# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: vsecm-system -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: vsecm-system -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## ---- -# Source: vsecm/charts/safe/templates/Service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.25.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-keystone - securityContext: - {} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "vsecm/vsecm-ist-init-container:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - containers: - - name: main - image: "vsecm/vsecm-ist-keystone:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true ---- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.25.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-sentinel - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "vsecm/vsecm-ist-sentinel:0.25.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER - value: "false" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/StatefulSet.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.25.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vsecm-safe - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-safe - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "vsecm/vsecm-ist-safe:0.25.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: /var/local/vsecm/data - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: /key - readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. 
- # - env: - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/agent.sock" - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - - - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - - - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER - value: "false" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: 
VSECM_NAMESPACE_SPIRE - value: "spire-system" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt ---- -# Source: vsecm/charts/keystone/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-keystone -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-keystone\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-keystone" ---- -# Source: vsecm/charts/safe/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-safe -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-safe\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-safe" ---- -# Source: vsecm/charts/sentinel/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-sentinel -spec: - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/vsecm-sentinel\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.25.3/spire.yaml b/k8s/0.25.3/spire.yaml deleted file mode 100644 index 9c4317eb..00000000 --- a/k8s/0.25.3/spire.yaml +++ /dev/null 
@@ -1,995 +0,0 @@ ---- -# Source: vsecm/charts/spire/templates/hook-preinstall_spire-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Namespace -metadata: - name: spire-system ---- -# Source: vsecm/charts/spire/templates/spire-agent-service-account.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# ServiceAccount for the SPIRE agent -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-agent - namespace: spire-system ---- -# Source: vsecm/charts/spire/templates/spire-server-service-account.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# ServiceAccount used by the SPIRE server. -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server - namespace: spire-system ---- -# Source: vsecm/charts/spire/templates/spire-agent-config-map.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# ConfigMap for the SPIRE agent featuring: -# 1) PSAT node attestation -# 2) K8S Workload Attestation over the secure kubelet port -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-agent - namespace: spire-system -data: - agent.conf: | - agent { - data_dir = "/run/spire" - log_level = "DEBUG" - server_address = "spire-server" - server_port = "8081" - socket_path = "/run/spire/sockets/agent.sock" - trust_bundle_path = "/run/spire/bundle/bundle.crt" - trust_domain = "vsecm.com" - } - - health_checks { - bind_address = "0.0.0.0" - bind_port = "9982" - listener_enabled = true - live_path = "/live" - ready_path = "/ready" - } - - plugins { - NodeAttestor "k8s_psat" { - plugin_data { - cluster = "vsecm-cluster" - } - } - - KeyManager "memory" { - plugin_data { - } - } - - WorkloadAttestor "k8s" { - plugin_data { - skip_kubelet_verification = true - } - } - } ---- -# Source: vsecm/charts/spire/templates/spire-controller-manager-config.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-controller-manager-config - namespace: spire-system -data: - spire-controller-manager-config.yaml: | - apiVersion: spire.spiffe.io/v1alpha1 - kind: ControllerManagerConfig - metrics: - bindAddress: 127.0.0.1:8082 - health: - healthProbeBindAddress: 0.0.0.0:8083 - leaderElection: - leaderElect: true - resourceName: 98c9c988.spiffe.io - resourceNamespace: spire-system - clusterName: vsecm-cluster - trustDomain: vsecm.com - ignoreNamespaces: - - kube-system - - kube-public - - spire-system - - local-path-storage - # - do not ignore vsecm-system! 
- # - vsecm-system - - kube-node-lease - - kube-public - - kubernetes-dashboard ---- -# Source: vsecm/charts/spire/templates/spire-server-bundle-config-map.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# ConfigMap containing the latest trust bundle for the trust domain. It is -# updated by SPIRE using the k8sbundle notifier plugin. SPIRE agents mount -# this config map and use the certificate to bootstrap trust with the SPIRE -# server during attestation. -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-bundle - namespace: spire-system ---- -# Source: vsecm/charts/spire/templates/spire-server-config-map.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# ConfigMap containing the SPIRE server configuration. 
-apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-server - namespace: spire-system -data: - server.conf: | - server { - bind_address = "0.0.0.0" - bind_port = "8081" - trust_domain = "vsecm.com" - data_dir = "/run/spire/server/data" - log_level = "DEBUG" - federation { - bundle_endpoint { - address = "0.0.0.0" - port = 8443 - } - } - - } - - health_checks { - bind_address = "0.0.0.0" - bind_port = "8080" - listener_enabled = true - live_path = "/live" - ready_path = "/ready" - } - - plugins { - DataStore "sql" { - plugin_data { - database_type = "sqlite3" - connection_string = "/run/spire/server/data/datastore.sqlite3" - } - } - - NodeAttestor "k8s_psat" { - plugin_data { - clusters = { - "vsecm-cluster" = { - service_account_allow_list = ["spire-system:spire-agent"] - } - } - } - } - - KeyManager "disk" { - plugin_data { - keys_path = "/run/spire/server/data/keys.json" - } - } - - Notifier "k8sbundle" { - plugin_data { - config_map = "spire-bundle" - namespace = "spire-system" - } - } - } - - health_checks { - listener_enabled = true - bind_address = "0.0.0.0" - bind_port = "8080" - live_path = "/live" - ready_path = "/ready" - } ---- -# Source: vsecm/charts/spire/templates/crd-rbac/hook-preinstall_role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: manager-role -rules: - - apiGroups: [ "" ] - resources: [ "endpoints" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "patch", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/status"] - verbs: ["get", "patch", "update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids/status"] - verbs: ["get", "patch", "update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterstaticentries"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterstaticentries/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterstaticentries/status"] - verbs: ["get", "patch", "update"] ---- -# Source: vsecm/charts/spire/templates/spire-agent-cluster-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Required cluster role to allow spire-agent to query k8s API server -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent-cluster-role -rules: - - apiGroups: [""] - resources: ["pods","nodes","nodes/proxy"] - verbs: ["get"] ---- -# Source: vsecm/charts/spire/templates/spire-server-cluster-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Required cluster role to allow spire-server to query k8s API server -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-cluster-role -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] - # allow TokenReview requests (to verify service account tokens for PSAT - # attestation) - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["get", "create"] ---- -# Source: vsecm/charts/spire/templates/crd-rbac/role_binding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: manager-role -subjects: - - kind: ServiceAccount - name: spire-server - namespace: spire-system ---- -# Source: vsecm/charts/spire/templates/spire-agent-cluster-role-binding.yaml -# /* -# | Protect your secrets, protect your sensitive data. 
-# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Binds above cluster role to spire-agent service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent-cluster-role-binding -subjects: - - kind: ServiceAccount - name: spire-agent - namespace: spire-system -roleRef: - kind: ClusterRole - name: spire-agent-cluster-role - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/spire/templates/spire-server-cluster-role-binding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Binds above cluster role to spire-server service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-cluster-role-binding - namespace: spire-system -subjects: - - kind: ServiceAccount - name: spire-server - namespace: spire-system -roleRef: - kind: ClusterRole - name: spire-server-cluster-role - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# permissions to do leader election. 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: leader-election-role - namespace: spire-system -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: vsecm/charts/spire/templates/spire-server-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Role for the SPIRE server -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-role - namespace: spire-system -rules: - # allow "get" access to pods (to resolve selectors for PSAT attestation) - - apiGroups: [""] - resources: ["pods"] - verbs: ["get"] - # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE - # agent bootstrapping, see the spire-bundle ConfigMap below) - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["spire-bundle"] - verbs: ["get", "patch"] ---- -# Source: vsecm/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: leader-election-rolebinding - namespace: spire-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: leader-election-role -subjects: - - kind: ServiceAccount - name: spire-server - namespace: spire-system ---- -# Source: vsecm/charts/spire/templates/spire-server-role-binding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# RoleBinding granting the spire-server-role to the SPIRE server -# service account. -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-role-binding - namespace: spire-system -subjects: - - kind: ServiceAccount - name: spire-server - namespace: spire-system -roleRef: - kind: Role - name: spire-server-role - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/spire/templates/spire-server-bundle-endpoint.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Service definition for SPIRE server bundle endpoint -apiVersion: v1 -kind: Service -metadata: - name: spire-server-bundle-endpoint - namespace: spire-system -spec: - type: ClusterIP - ports: - - name: api - port: 8443 - protocol: TCP - selector: - app: spire-server ---- -# Source: vsecm/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Service definition for SPIRE controller manager webhook -apiVersion: v1 -kind: Service -metadata: - name: spire-controller-manager-webhook-service - namespace: spire-system -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 9443 - selector: - app: spire-server ---- -# Source: vsecm/charts/spire/templates/spire-server-service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# ServiceAccount used by the SPIRE server. -apiVersion: v1 -kind: Service -metadata: - name: spire-server - namespace: spire-system -spec: - type: ClusterIP - ports: - - name: api - port: 8081 - targetPort: 8081 - protocol: TCP - selector: - app: spire-server ---- -# Source: vsecm/charts/spire/templates/spire-server-stateful-set.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: spire-server - namespace: spire-system - labels: - app: spire-server - app.kubernetes.io/component: server -spec: - serviceName: spire-server - replicas: 1 - selector: - matchLabels: - app: spire-server - template: - metadata: - namespace: spire-system - labels: - app: spire-server - spec: - serviceAccountName: spire-server - shareProcessNamespace: true - - priorityClassName: system-cluster-critical - - containers: - - name: spire-server - image: ghcr.io/spiffe/spire-server:1.9.4 - imagePullPolicy: IfNotPresent - args: ["-config", "/run/spire/server/config/server.conf"] - resources: - requests: - memory: 512Mi - cpu: 50m - ports: - - containerPort: 8081 - protocol: TCP - - containerPort: 8080 - name: healthz - - livenessProbe: - httpGet: - path: /live - port: healthz - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: /ready - port: healthz - initialDelaySeconds: 5 - periodSeconds: 5 - - volumeMounts: - - name: spire-config - mountPath: /run/spire/server/config - readOnly: true - - name: spire-server-socket - mountPath: /tmp/spire-server/private - - name: spire-controller-manager - image: ghcr.io/spiffe/spire-controller-manager:0.5.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9443 - - containerPort: 8083 - name: healthz - - livenessProbe: - httpGet: - path: /healthz - port: healthz - readinessProbe: - httpGet: - path: /readyz - port: healthz - - args: - - "--config=spire-controller-manager-config.yaml" - volumeMounts: - - name: spire-server-socket - mountPath: /spire-server - readOnly: true - - name: spire-controller-manager-config - mountPath: /spire-controller-manager-config.yaml - subPath: spire-controller-manager-config.yaml - volumes: - - name: spire-config - configMap: - name: spire-server - - name: spire-server-socket - emptyDir: {} - - name: 
spire-controller-manager-config - configMap: - name: spire-controller-manager-config ---- -# Source: vsecm/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - name: "csi.spiffe.io" -spec: - # We only support ephemeral, inline volumes. We don't need a controller to - # provision and attach volumes. - attachRequired: false - - # We want the pod information so that the CSI driver can verify that an - # ephemeral mount was requested. - podInfoOnMount: true - - # We don't want (or need) K8s to change ownership on the contents of the mount - # when it is mounted into the pod, since the Workload API is completely open - # (i.e. 0777). - # Note, this was added in Kubernetes 1.19, so omit - fsGroupPolicy: None - - # We only support ephemeral volumes. Note that this requires Kubernetes 1.16 - volumeLifecycleModes: # added in Kubernetes 1.16, this field is beta - - Ephemeral ---- -# Source: vsecm/charts/spire/templates/spire-controller-manager-webhook.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: spire-controller-manager-webhook -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook-service - namespace: spire-system - path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain - failurePolicy: Fail - name: vclusterfederatedtrustdomain.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterfederatedtrustdomains"] - sideEffects: None - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook-service - namespace: spire-system - path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid - failurePolicy: Fail - name: vclusterspiffeid.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterspiffeids"] - sideEffects: None - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook-service - namespace: spire-system - path: /validate-spire-spiffe-io-v1alpha1-clusterstaticentry - failurePolicy: Fail - name: clusterstaticentry.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterstaticentries"] - sideEffects: None ---- -# Source: vsecm/charts/spire/templates/spire-agent-daemonset.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: spire-agent - namespace: spire-system - labels: - app: spire-agent - annotations: - helm.sh/hook: post-install - helm.sh/hook-delete-policy: hook-succeeded -spec: - selector: - matchLabels: - app: spire-agent - updateStrategy: - type: RollingUpdate - template: - metadata: - namespace: spire-system - labels: - app: spire-agent - spec: - hostPID: true - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: spire-agent - priorityClassName: system-node-critical - containers: - - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.9.4 - imagePullPolicy: IfNotPresent - args: ["-config", "/run/spire/config/agent.conf"] - resources: - requests: - memory: 512Mi - cpu: 50m - - ports: - - containerPort: 9982 - name: healthz - livenessProbe: - httpGet: - path: /live - port: healthz - initialDelaySeconds: 15 - periodSeconds: 60 - readinessProbe: - httpGet: - path: /ready - port: healthz - initialDelaySeconds: 10 - periodSeconds: 30 - - volumeMounts: - - name: spire-config - mountPath: /run/spire/config - readOnly: true - - name: spire-bundle - mountPath: /run/spire/bundle - readOnly: true - - name: spire-token - mountPath: /var/run/secrets/tokens - - name: spire-agent-socket-dir - mountPath: /run/spire/sockets - # This is the container which runs the SPIFFE CSI driver. - - name: spiffe-csi-driver - image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6 - imagePullPolicy: IfNotPresent - args: [ - "-workload-api-socket-dir", "/spire-agent-socket", - "-csi-socket-path", "/spiffe-csi/csi.sock", - ] - resources: - requests: - memory: 128Mi - cpu: 50m - env: - # The CSI driver needs a unique node ID. The node name can be - # used for this purpose. - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - # The volume containing the SPIRE agent socket. The SPIFFE CSI - # driver will mount this directory into containers. 
- - mountPath: /spire-agent-socket - name: spire-agent-socket-dir - readOnly: true - # The volume that will contain the CSI driver socket shared - # with the kubelet and the driver registrar. - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The volume containing mount points for containers. - - mountPath: /var/lib/kubelet/pods - mountPropagation: Bidirectional - name: mountpoint-dir - securityContext: - privileged: true - # This container runs the CSI Node Driver Registrar which takes care - # of all the little details required to register a CSI driver with - # the kubelet. - - name: node-driver-registrar - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - imagePullPolicy: IfNotPresent - args: [ - "-csi-address", "/spiffe-csi/csi.sock", - "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", - ] - volumeMounts: - # The registrar needs access to the SPIFFE CSI driver socket - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The registrar needs access to the Kubelet plugin registration - # directory - - name: kubelet-plugin-registration-dir - mountPath: /registration - volumes: - - name: spire-config - configMap: - name: spire-agent - - name: spire-bundle - configMap: - name: spire-bundle - - name: spire-token - projected: - sources: - - serviceAccountToken: - path: spire-agent - expirationSeconds: 7200 - audience: spire-server - - # This volume is used to share the Workload API socket between the CSI - # driver and SPIRE agent. Note, an emptyDir volume could also be used, - # however, this can lead to broken bind mounts in the workload - # containers if the agent pod is restarted (since the emptyDir - # directory on the node that was mounted into workload containers by - # the CSI driver belongs to the old pod instance and is no longer - # valid). 
- - name: spire-agent-socket-dir - hostPath: - path: /run/spire/sockets - type: DirectoryOrCreate - - # This volume is where the socket for kubelet->driver communication lives - - name: spiffe-csi-socket-dir - hostPath: - path: /var/lib/kubelet/plugins/csi.spiffe.io - type: DirectoryOrCreate - # This volume is where the SPIFFE CSI driver mounts volumes - - name: mountpoint-dir - hostPath: - path: /var/lib/kubelet/pods - type: Directory - # This volume is where the node-driver-registrar registers the plugin - # with kubelet - - name: kubelet-plugin-registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry - type: Directory diff --git a/k8s/0.25.4/eks/vsecm-distroless-fips.yaml b/k8s/0.25.4/eks/vsecm-distroless-fips.yaml index c7397cde..81db8d9e 100644 --- a/k8s/0.25.4/eks/vsecm-distroless-fips.yaml +++ b/k8s/0.25.4/eks/vsecm-distroless-fips.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.25.3 + helm.sh/chart: keystone-0.25.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" + app.kubernetes.io/version: "0.25.4" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -298,11 +298,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.25.3 + helm.sh/chart: keystone-0.25.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" + app.kubernetes.io/version: "0.25.4" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -326,7 +326,7 @@ spec: initContainers: - name: init-container - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.25.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket 
@@ -369,7 +369,7 @@ spec: value: "spire-system" containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-keystone:0.25.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-keystone:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -467,7 +467,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.25.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -600,7 +600,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.25.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.25.4" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 diff --git a/k8s/0.25.4/eks/vsecm-distroless.yaml b/k8s/0.25.4/eks/vsecm-distroless.yaml index f7011cbe..b4034d63 100644 --- a/k8s/0.25.4/eks/vsecm-distroless.yaml +++ b/k8s/0.25.4/eks/vsecm-distroless.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.25.3 + helm.sh/chart: keystone-0.25.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" + app.kubernetes.io/version: "0.25.4" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -298,11 +298,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.25.3 + helm.sh/chart: keystone-0.25.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" + app.kubernetes.io/version: "0.25.4" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -326,7 +326,7 @@ spec: initContainers: - name: init-container - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.25.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -369,7 +369,7 @@ spec: value: "spire-system" containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-keystone:0.25.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-keystone:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -467,7 +467,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.25.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -600,7 +600,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.25.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.25.4" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 diff --git a/k8s/0.25.4/local/vsecm-distroless-fips.yaml b/k8s/0.25.4/local/vsecm-distroless-fips.yaml index c14b84cd..9b6a6a39 100644 --- a/k8s/0.25.4/local/vsecm-distroless-fips.yaml +++ b/k8s/0.25.4/local/vsecm-distroless-fips.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.25.3 + helm.sh/chart: keystone-0.25.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" + app.kubernetes.io/version: "0.25.4" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- 
@@ -298,11 +298,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.25.3 + helm.sh/chart: keystone-0.25.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" + app.kubernetes.io/version: "0.25.4" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -326,7 +326,7 @@ spec: initContainers: - name: init-container - image: "localhost:5000/vsecm-ist-init-container:0.25.3" + image: "localhost:5000/vsecm-ist-init-container:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -369,7 +369,7 @@ spec: value: "spire-system" containers: - name: main - image: "localhost:5000/vsecm-ist-fips-keystone:0.25.3" + image: "localhost:5000/vsecm-ist-fips-keystone:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -467,7 +467,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-fips-sentinel:0.25.3" + image: "localhost:5000/vsecm-ist-fips-sentinel:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -600,7 +600,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-fips-safe:0.25.3" + image: "localhost:5000/vsecm-ist-fips-safe:0.25.4" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 diff --git a/k8s/0.25.4/local/vsecm-distroless.yaml b/k8s/0.25.4/local/vsecm-distroless.yaml index 130c6e22..4d75b9d1 100644 --- a/k8s/0.25.4/local/vsecm-distroless.yaml +++ b/k8s/0.25.4/local/vsecm-distroless.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.25.3 + helm.sh/chart: keystone-0.25.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" + app.kubernetes.io/version: "0.25.4" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- 
@@ -298,11 +298,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.25.3 + helm.sh/chart: keystone-0.25.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" + app.kubernetes.io/version: "0.25.4" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -326,7 +326,7 @@ spec: initContainers: - name: init-container - image: "localhost:5000/vsecm-ist-init-container:0.25.3" + image: "localhost:5000/vsecm-ist-init-container:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -369,7 +369,7 @@ spec: value: "spire-system" containers: - name: main - image: "localhost:5000/vsecm-ist-keystone:0.25.3" + image: "localhost:5000/vsecm-ist-keystone:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -467,7 +467,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-sentinel:0.25.3" + image: "localhost:5000/vsecm-ist-sentinel:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -600,7 +600,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-safe:0.25.3" + image: "localhost:5000/vsecm-ist-safe:0.25.4" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 diff --git a/k8s/0.25.4/remote/vsecm-distroless-fips.yaml b/k8s/0.25.4/remote/vsecm-distroless-fips.yaml index 3f903ca5..06e75e32 100644 --- a/k8s/0.25.4/remote/vsecm-distroless-fips.yaml +++ b/k8s/0.25.4/remote/vsecm-distroless-fips.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.25.3 + helm.sh/chart: keystone-0.25.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" + app.kubernetes.io/version: "0.25.4" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- 
@@ -298,11 +298,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.25.3 + helm.sh/chart: keystone-0.25.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" + app.kubernetes.io/version: "0.25.4" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -326,7 +326,7 @@ spec: initContainers: - name: init-container - image: "vsecm/vsecm-ist-init-container:0.25.3" + image: "vsecm/vsecm-ist-init-container:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -369,7 +369,7 @@ spec: value: "spire-system" containers: - name: main - image: "vsecm/vsecm-ist-fips-keystone:0.25.3" + image: "vsecm/vsecm-ist-fips-keystone:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -467,7 +467,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-fips-sentinel:0.25.3" + image: "vsecm/vsecm-ist-fips-sentinel:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -600,7 +600,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-fips-safe:0.25.3" + image: "vsecm/vsecm-ist-fips-safe:0.25.4" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 diff --git a/k8s/0.25.4/remote/vsecm-distroless.yaml b/k8s/0.25.4/remote/vsecm-distroless.yaml index cacf37e7..ae4657b1 100644 --- a/k8s/0.25.4/remote/vsecm-distroless.yaml +++ b/k8s/0.25.4/remote/vsecm-distroless.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.25.3 + helm.sh/chart: keystone-0.25.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" + app.kubernetes.io/version: "0.25.4" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- 
@@ -298,11 +298,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.25.3 + helm.sh/chart: keystone-0.25.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.25.3" + app.kubernetes.io/version: "0.25.4" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -326,7 +326,7 @@ spec: initContainers: - name: init-container - image: "vsecm/vsecm-ist-init-container:0.25.3" + image: "vsecm/vsecm-ist-init-container:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -369,7 +369,7 @@ spec: value: "spire-system" containers: - name: main - image: "vsecm/vsecm-ist-keystone:0.25.3" + image: "vsecm/vsecm-ist-keystone:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -467,7 +467,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-sentinel:0.25.3" + image: "vsecm/vsecm-ist-sentinel:0.25.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -600,7 +600,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-safe:0.25.3" + image: "vsecm/vsecm-ist-safe:0.25.4" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 From 003effba9e19b1c172cbe50d5a0185b2eb246ac2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?= Date: Fri, 17 May 2024 15:30:50 -0700 Subject: [PATCH 2/2] release notes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- docs/content/timeline/changelog.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/content/timeline/changelog.md b/docs/content/timeline/changelog.md index 9ef615b5..0772eb24 100644 --- a/docs/content/timeline/changelog.md +++ b/docs/content/timeline/changelog.md 
@@ -15,6 +15,10 @@ weight = 11 ## Recent Updates +TBD + +## [0.25.3] - 2024-05-17 + * Removed some configuration options including ` VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET` because how the root key will be updated will be depending on backing store implementation. And it does @@ -28,7 +32,19 @@ weight = 11 * Removed Kubernetes secrets deletion queue because we do not link Kubernetes secrets to workloads anymore. Deletion of ad-hoc VSecM-generated Kubernetes `Secret`s will be handled by upcoming configuration options. Right now, - VSecM Safe can only create and update, but not delete Kubernetes `Secret`s + VSecM Safe can only create and update, but not delete Kubernetes `Secret`s. +* Stability improvements, including adding "exponential backoff"s to places + where requests can be retried before giving up; also letting the apps + crash (*and be re-crated by the scheduler*) if certain critical requests fail + even after a fair amount exponentially-backed-off of retries (*10 by default*). +* An entire overhaul of the documentation website: It is now faster, more + accessible, more usable, easier to navigate and follow. +* Added an experimental Java SDK. The keyword here is: **experimental**; we + do know that it does not work out-of-the box, so we are not providing any + documentation yet: Feel free to join our Slack channel to learn more about + how best you can use it. +* Refactorings and improvements across the entire codebase. +* Introduced [Architectural Decision Records](https://vsecm.com/documentation/architecture/adr-intro/) ## [0.25.2] - 2024-05-06