add spire-controller-manager resources, update spire-server statefulset
Signed-off-by: Batuhan Apaydın <[email protected]>
developer-guy committed Dec 15, 2022
1 parent ab3e9fc commit 6a22094
Showing 14 changed files with 166 additions and 12 deletions.
2 changes: 1 addition & 1 deletion charts/spire/Chart.yaml
Expand Up @@ -27,7 +27,7 @@ description: |
- --service-account-signing-key-file=/run/config/pki/sa.key
```
type: application
version: 0.7.3
version: 0.8.0
appVersion: "1.5.2"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
home: https://github.com/philips-labs/helm-charts/charts/spire
7 changes: 6 additions & 1 deletion charts/spire/README.md
Expand Up @@ -2,7 +2,7 @@

<!-- This README.md is generated. -->

![Version: 0.7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.2](https://img.shields.io/badge/AppVersion-1.5.2-informational?style=flat-square)
[7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.2](https://img.shields.io/badge/AppVersion-1.5.2-informational?style=flat-square)

A Helm chart for deploying spire-server and spire-agent.

Expand Down Expand Up @@ -59,6 +59,11 @@ Kubernetes: `>=1.21.0-0`
| agent.nodeSelector."kubernetes.io/arch" | string | `"amd64"` | |
| agent.resources | object | `{}` | |
| agent.service.annotations | object | `{}` | |
| controllerManager.image.pullPolicy | string | `"IfNotPresent"` | |
| controllerManager.image.registry | string | `"ghcr.io"` | |
| controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | |
| controllerManager.image.version | string | `"0.2.1"` | |
| controllerManager.resources | object | `{}` | |
| csiDriver.image.pullPolicy | string | `"IfNotPresent"` | |
| csiDriver.image.registry | string | `"ghcr.io"` | |
| csiDriver.image.repository | string | `"spiffe/spiffe-csi-driver"` | |
File renamed without changes.
24 changes: 22 additions & 2 deletions charts/spire/templates/server-cluster-role.yaml
Expand Up @@ -11,12 +11,32 @@ rules:
resources: ["tokenreviews"]
verbs: ["get", "create"]
- apiGroups: [""]
resources: ["pods", "nodes"]
resources: ["pods", "nodes", "namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "patch", "watch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create", "update", "delete", "get", "list", "watch"]

- apiGroups: ["spire.spiffe.io"]
resources: ["clusterfederatedtrustdomains"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterfederatedtrustdomains/finalizers"]
verbs: ["update"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterfederatedtrustdomains/status"]
verbs: ["get", "patch", "update"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids/finalizers"]
verbs: ["update"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids/status"]
verbs: ["get", "patch", "update"]
---
# Binds above cluster role to spire-server service account
kind: ClusterRoleBinding
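Review bot: The new `spire.spiffe.io` CRD rules and the `coordination.k8s.io/leases` rule are bound to the spire-server service account unconditionally, while the controller-manager container that uses them is gated on `.Values.controllerManager.enabled` (default `false` in values.yaml), so a default install carries cluster-scoped create/update/delete rights on ClusterSPIFFEIDs and ClusterFederatedTrustDomains that nothing in the pod uses. Wrapping those rules in `{{- if .Values.controllerManager.enabled }}` … `{{- end }}` keeps the ClusterRole at least-privilege for the default configuration. The lease is taken in `.Release.Namespace` (the ControllerManagerConfig sets `leaderElection.resourceNamespace` to it), so the `leases` verbs belong in the namespaced Role rather than in a ClusterRole. If the `validatingwebhookconfigurations` rule with `patch` is also new in this commit, it should carry `resourceNames: ["spire-controller-manager-webhook"]` so the server can only update its own webhook's CA bundle and not any admission webhook in the cluster. The `rules:` list begins before this hunk.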
6 changes: 1 addition & 5 deletions charts/spire/templates/server-role.yaml
Expand Up @@ -18,11 +18,7 @@ rules:
verbs: ["get", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["spire-k8s-registrar-leader-election"]
verbs: ["update", "get"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create"]
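Review bot: The `configmaps` rule now grants `get/list/watch/create/update/patch/delete` on every ConfigMap in the namespace, replacing the previous `create` plus a `resourceNames`-scoped `get`/`update` on the leader-election ConfigMap. That lets the spire-server service account rewrite its own server configuration and the controller-manager config, which is far more than a leader-election lock needs, and the controller manager's leader election appears to use Leases (per the ClusterRole change in this commit) rather than ConfigMaps at all. Consider keeping the narrow form — `verbs: ["create"]` plus `resourceNames: ["spire-k8s-registrar-leader-election"]` with `verbs: ["get", "update"]` — under the workload-registrar condition, and if the broad rule is intentional, add a comment naming which component still needs ConfigMap writes. The `rules:` list begins before this hunk.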
26 changes: 24 additions & 2 deletions charts/spire/templates/server-statefulset.yaml
Expand Up @@ -75,6 +75,27 @@ spec:
periodSeconds: 5
resources:
{{- toYaml .Values.server.resources | nindent 12 }}
{{- if .Values.controllerManager.enabled }}
- name: {{ .Chart.Name }}-controller-manager
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: {{ template "spire.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.image) }}
imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }}
args:
- "--config=spire-controller-manager-config.yaml"
ports:
- containerPort: 9443
volumeMounts:
- name: spire-server-socket
mountPath: /run/spire/server-sockets
readOnly: true
- name: spire-controller-manager-config
mountPath: /spire-controller-manager-config.yaml
subPath: spire-controller-manager-config.yaml
resources:
{{- toYaml .Values.controllerManager.resources | nindent 12 }}
{{- end }}
{{- if .Values.workloadRegistrar.enabled }}
- name: {{ .Chart.Name }}-workload-registrar
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
Expand All @@ -95,6 +116,7 @@ spec:
readOnly: true
resources:
{{- toYaml .Values.workloadRegistrar.resources | nindent 12 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
Expand All @@ -112,9 +134,9 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: spire-workload-registrar-config
- name: spire-controller-manager-config
configMap:
name: {{ include "spire.fullname" . }}-workload-registrar
name: {{ include "spire.fullname" . }}-controller-manager-config
- name: spire-config
configMap:
name: {{ include "spire.fullname" . }}-server
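Review bot: The `volumes` list now always defines `spire-controller-manager-config` backed by the `-controller-manager-config` ConfigMap, but that ConfigMap is only rendered when `controllerManager.enabled` is true (default `false`), so a default install references a ConfigMap that does not exist and the pod stays in ContainerCreating. Conversely the `spire-workload-registrar-config` volume was dropped while the workload-registrar container (enabled by default) is still rendered; if its volumeMounts, which are outside this hunk, still name that volume, the StatefulSet fails validation. Both volumes should be gated on the same flags as the containers that mount them, as below. The pod spec starts before this hunk.
```yaml
      volumes:
        {{- if .Values.controllerManager.enabled }}
        - name: spire-controller-manager-config
          configMap:
            name: {{ include "spire.fullname" . }}-controller-manager-config
        {{- end }}
        {{- if .Values.workloadRegistrar.enabled }}
        - name: spire-workload-registrar-config
          configMap:
            name: {{ include "spire.fullname" . }}-workload-registrar
        {{- end }}
        # … unchanged: spire-config and the remaining volumes …
```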
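--- a/charts/spire/templates/spire-controller-manager-configmap.yaml
+++ b/charts/spire/templates/spire-controller-manager-configmap.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.controllerManager.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spire.fullname" . }}-controller-manager-config
+  namespace: {{ .Release.Namespace }}
+data:
+  spire-controller-manager-config.yaml: |
+    apiVersion: spire.spiffe.io/v1alpha1
+    kind: ControllerManagerConfig
+    metadata:
+      name: {{ include "spire.fullname" . }}-controller-manager-config
+      namespace: {{ .Release.Namespace }}
+      labels:
+        {{- include "spire.server.labels" . | nindent 4 }}
+    metrics:
+      bindAddress: 127.0.0.1:8082
+    healthProbe:
+      bindAddress: 127.0.0.1:8083
+    leaderElection:
+      leaderElect: true
+      resourceName: 98c9c988.spiffe.io
+      resourceNamespace: {{ .Release.Namespace }}
+    clusterName: {{ .Values.spire.clusterName }}
+    trustDomain: {{ .Values.spire.trustDomain }}
+    ignoreNamespaces:
+      - kube-system
+      - kube-public
+      - spire-system
+      - local-path-storage
+    spireServerSocketPath: {{ .Values.server.config.socketPath | quote }}
+{{- end }}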
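Review bot: `ignoreNamespaces` hard-codes `spire-system` and `local-path-storage`, so when the chart is installed into any other namespace the SPIRE pods themselves are not excluded from registration, while a kind-specific namespace is baked into every deployment; use `- {{ .Release.Namespace }}` and move the rest of the list into values (e.g. `controllerManager.ignoreNamespaces`). The `labels:` block inside the embedded ControllerManagerConfig uses `nindent 4`, which indents relative to the rendered file rather than to the enclosing `|` block scalar, so unless the indentation happens to line up the label lines will parse as top-level keys of the embedded document — check `helm template` output; the embedded config does not need labels and those two lines can simply be dropped. `clusterName` and `trustDomain` are templated unquoted, so an empty or boolean-looking value is mis-typed by the YAML parser; quote them as `clusterName: {{ .Values.spire.clusterName | quote }}` and `trustDomain: {{ .Values.spire.trustDomain | quote }}`, as is already done for `spireServerSocketPath`.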
@@ -0,0 +1,19 @@
{{- if .Values.controllerManager.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "spire.fullname" . }}-controller-manager
namespace: {{ .Release.Namespace }}
labels:
{{- include "spire.server.labels" . | nindent 4 }}
spec:
type: {{ .Values.server.service.type }}
ports:
- name: https
port: 443
targetPort: 9443
protocol: TCP
selector:
{{- include "spire.server.selectorLabels" . | nindent 4 }}
{{- end }}
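Review bot: The webhook Service inherits `type: {{ .Values.server.service.type }}`, but its only client is the API server calling the admission webhook in-cluster; if `server.service.type` is `NodePort` or `LoadBalancer`, port 9443 of the controller manager is exposed outside the cluster for no reason. Pin it with `type: ClusterIP`. The Service name `{{ include "spire.fullname" . }}-controller-manager` also has to match what the ValidatingWebhookConfiguration's `clientConfig.service.name` references, which in this commit is the literal `spire-controller-manager-webhook-service`; one of the two must change or the webhook is unreachable.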

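--- a/charts/spire/templates/spire-controller-manager-webhook.yaml
+++ b/charts/spire/templates/spire-controller-manager-webhook.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.controllerManager.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: spire-controller-manager-webhook
+webhooks:
+  - admissionReviewVersions: ["v1"]
+    clientConfig:
+      service:
+        name: spire-controller-manager-webhook-service
+        namespace: spire-system
+        path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain
+    failurePolicy: Fail
+    name: vclusterfederatedtrustdomain.kb.io
+    rules:
+      - apiGroups: ["spire.spiffe.io"]
+        apiVersions: ["v1alpha1"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["clusterfederatedtrustdomains"]
+    sideEffects: None
+  - admissionReviewVersions: ["v1"]
+    clientConfig:
+      service:
+        name: spire-controller-manager-webhook-service
+        namespace: spire-system
+        path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid
+    failurePolicy: Fail
+    name: vclusterspiffeid.kb.io
+    rules:
+      - apiGroups: ["spire.spiffe.io"]
+        apiVersions: ["v1alpha1"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["clusterspiffeids"]
+    sideEffects: None
+{{- end }}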
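Review bot: Both `clientConfig.service` entries point at `spire-controller-manager-webhook-service` in the hard-coded `spire-system` namespace, but the Service this commit creates is named `{{ include "spire.fullname" . }}-controller-manager` in `{{ .Release.Namespace }}`; with `failurePolicy: Fail` the API server cannot reach the webhook, so every CREATE/UPDATE of a ClusterSPIFFEID or ClusterFederatedTrustDomain is rejected in any install where the two names and namespaces do not happen to coincide. Template both fields from the same helpers: `name: {{ include "spire.fullname" . }}-controller-manager` and `namespace: {{ .Release.Namespace }}`. No `caBundle` is set, which presumably relies on the controller manager patching its own configuration at startup (hence the `patch` verb on validatingwebhookconfigurations in the ClusterRole); a comment such as `# caBundle is injected by spire-controller-manager at startup; metadata.name must match its configured webhook name` would make that dependency explicit for the next reader.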
2 changes: 2 additions & 0 deletions charts/spire/templates/workload-registrar-configmap.yaml
@@ -1,3 +1,4 @@
{{- if .Values.workloadRegistrar.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
Expand All @@ -12,3 +13,4 @@ data:
server_address = "unix://{{ .Values.server.config.socketPath }}"
leader_election = true
metrics_addr = "0.0.0.0:18080"
{{- end }}
2 changes: 2 additions & 0 deletions charts/spire/templates/workload-registrar-service.yaml
@@ -1,3 +1,4 @@
{{- if .Values.workloadRegistrar.enabled }}
apiVersion: v1
kind: Service
metadata:
Expand All @@ -18,3 +19,4 @@ spec:
protocol: TCP
selector:
{{- include "spire.server.selectorLabels" . | nindent 4 }}
{{- end }}
23 changes: 22 additions & 1 deletion charts/spire/values.yaml
Expand Up @@ -10,6 +10,7 @@ waitForIt:
resources: {}

workloadRegistrar:
enabled: true
image:
registry: gcr.io
repository: spiffe-io/k8s-workload-registrar
Expand All @@ -28,10 +29,30 @@ workloadRegistrar:
# limits:
# cpu: 100m
# memory: 64Mi

service:
annotations: {}

controllerManager:
enabled: false
image:
registry: ghcr.io
repository: spiffe/spire-controller-manager
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
version: "0.2.1"

resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# requests:
# cpu: 50m
# memory: 32Mi
# limits:
# cpu: 100m
# memory: 64Mi

server:
replicaCount: 1
image:
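Review bot: The comment `# Overrides the image tag whose default is the chart appVersion.` under `controllerManager.image` is misleading here: the chart's appVersion is the spire-server version (`1.5.2`), which is not a spire-controller-manager tag, so leaving `version` unset would render a non-existent image; reword it to `# spire-controller-manager image tag; must be set, the chart appVersion tracks spire-server.` or guard it with `required` in the template. `workloadRegistrar.enabled` now defaults to `true` and `controllerManager.enabled` to `false`, and nothing stops a user from enabling both, in which case two registrars manage entries against the same server socket; a `{{- if and .Values.workloadRegistrar.enabled .Values.controllerManager.enabled }}{{ fail "enable only one of workloadRegistrar or controllerManager" }}{{- end }}` guard in the StatefulSet template, or at least a values comment, would make the intended mutual exclusivity explicit. Since the controller manager is an admission webhook, pinning it by mutable tag alone means a re-pushed `0.2.1` changes it silently; if the `spire.image` helper supports it, document an optional digest alongside `version`.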
