diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 9624d615..a29acefe 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -27,7 +27,7 @@ description: | - --service-account-signing-key-file=/run/config/pki/sa.key ``` type: application -version: 0.7.3 +version: 0.8.0 appVersion: "1.5.2" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"] home: https://github.com/philips-labs/helm-charts/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 57916560..913f67e6 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -2,7 +2,7 @@ -![Version: 0.7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.2](https://img.shields.io/badge/AppVersion-1.5.2-informational?style=flat-square) +[7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.2](https://img.shields.io/badge/AppVersion-1.5.2-informational?style=flat-square) A Helm chart for deploying spire-server and spire-agent. @@ -59,6 +59,11 @@ Kubernetes: `>=1.21.0-0` | agent.nodeSelector."kubernetes.io/arch" | string | `"amd64"` | | | agent.resources | object | `{}` | | | agent.service.annotations | object | `{}` | | +| controllerManager.image.pullPolicy | string | `"IfNotPresent"` | | +| controllerManager.image.registry | string | `"ghcr.io"` | | +| controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | | +| controllerManager.image.version | string | `"0.2.1"` | | +| controllerManager.resources | object | `{}` | | | csiDriver.image.pullPolicy | string | `"IfNotPresent"` | | | csiDriver.image.registry | string | `"ghcr.io"` | | | csiDriver.image.repository | string | `"spiffe/spiffe-csi-driver"` | | diff --git a/charts/spire/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/charts/spire/crds/clusterfederatedtrustdomains.yaml similarity index 100% rename from charts/spire/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml rename to charts/spire/crds/clusterfederatedtrustdomains.yaml diff --git a/charts/spire/crds/spire.spiffe.io_clusterspiffeids.yaml b/charts/spire/crds/clusterspiffeids.yaml similarity index 100% rename from charts/spire/crds/spire.spiffe.io_clusterspiffeids.yaml rename to charts/spire/crds/clusterspiffeids.yaml diff --git a/charts/spire/crds/spire.spiffe.io_controllermanagerconfigs.yaml b/charts/spire/crds/controllermanagerconfigs.yaml similarity index 100% rename from charts/spire/crds/spire.spiffe.io_controllermanagerconfigs.yaml rename to charts/spire/crds/controllermanagerconfigs.yaml diff --git a/charts/spire/templates/server-cluster-role.yaml b/charts/spire/templates/server-cluster-role.yaml index db5793c0..927308b9 100644 --- a/charts/spire/templates/server-cluster-role.yaml +++ b/charts/spire/templates/server-cluster-role.yaml @@ -11,12 +11,32 @@ rules: resources: ["tokenreviews"] verbs: ["get", "create"] - apiGroups: [""] - resources: ["pods", "nodes"] + resources: ["pods", "nodes", "namespaces"] verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["create", "update", "delete", "get", "list", "watch"] - + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] --- # Binds above cluster role to spire-server service account kind: ClusterRoleBinding diff --git a/charts/spire/templates/server-role.yaml b/charts/spire/templates/server-role.yaml index 7b3c8d6b..4feec256 100644 --- a/charts/spire/templates/server-role.yaml +++ b/charts/spire/templates/server-role.yaml @@ -18,11 +18,7 @@ rules: verbs: ["get", "patch"] - apiGroups: [""] resources: ["configmaps"] - verbs: ["create"] - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["spire-k8s-registrar-leader-election"] - verbs: ["update", "get"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["events"] verbs: ["create"] diff --git a/charts/spire/templates/server-statefulset.yaml b/charts/spire/templates/server-statefulset.yaml index b7e09c9a..660494a2 100644 --- a/charts/spire/templates/server-statefulset.yaml +++ b/charts/spire/templates/server-statefulset.yaml @@ -75,6 +75,27 @@ spec: periodSeconds: 5 resources: {{- toYaml .Values.server.resources | nindent 12 }} + {{- if .Values.controllerManager.enabled }} + - name: {{ .Chart.Name }}-controller-manager + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: {{ template "spire.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.image) }} + imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }} + args: + - "--config=spire-controller-manager-config.yaml" + ports: + - containerPort: 9443 + volumeMounts: + - name: spire-server-socket + mountPath: /run/spire/server-sockets + readOnly: true + - name: spire-controller-manager-config + mountPath: /spire-controller-manager-config.yaml + subPath: spire-controller-manager-config.yaml + resources: + {{- toYaml .Values.controllerManager.resources | nindent 12 }} + {{- end }} + {{- if .Values.workloadRegistrar.enabled }} - name: {{ .Chart.Name }}-workload-registrar securityContext: {{- toYaml .Values.securityContext | nindent 12 }} @@ -95,6 +116,7 @@ spec: readOnly: true resources: {{- toYaml .Values.workloadRegistrar.resources | nindent 12 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -112,9 +134,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes: - - name: spire-workload-registrar-config + - name: spire-controller-manager-config configMap: - name: {{ include "spire.fullname" . }}-workload-registrar + name: {{ include "spire.fullname" . }}-controller-manager-config - name: spire-config configMap: name: {{ include "spire.fullname" . }}-server diff --git a/charts/spire/templates/spire-controller-manager-configmap.yaml b/charts/spire/templates/spire-controller-manager-configmap.yaml new file mode 100644 index 00000000..3d4f7858 --- /dev/null +++ b/charts/spire/templates/spire-controller-manager-configmap.yaml @@ -0,0 +1,32 @@ +{{- if .Values.controllerManager.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "spire.fullname" . }}-controller-manager-config + namespace: {{ .Release.Namespace }} +data: + spire-controller-manager-config.yaml: | + apiVersion: spire.spiffe.io/v1alpha1 + kind: ControllerManagerConfig + metadata: + name: {{ include "spire.fullname" . }}-controller-manager-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "spire.server.labels" . | nindent 4 }} + metrics: + bindAddress: 127.0.0.1:8082 + healthProbe: + bindAddress: 127.0.0.1:8083 + leaderElection: + leaderElect: true + resourceName: 98c9c988.spiffe.io + resourceNamespace: {{ .Release.Namespace }} + clusterName: {{ .Values.spire.clusterName }} + trustDomain: {{ .Values.spire.trustDomain }} + ignoreNamespaces: + - kube-system + - kube-public + - spire-system + - local-path-storage + spireServerSocketPath: {{ .Values.server.config.socketPath | quote }} +{{- end }} diff --git a/charts/spire/templates/spire-controller-manager-webhook-service.yaml b/charts/spire/templates/spire-controller-manager-webhook-service.yaml new file mode 100644 index 00000000..687e8335 --- /dev/null +++ b/charts/spire/templates/spire-controller-manager-webhook-service.yaml @@ -0,0 +1,19 @@ +{{- if .Values.controllerManager.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "spire.fullname" . }}-controller-manager + namespace: {{ .Release.Namespace }} + labels: + {{- include "spire.server.labels" . | nindent 4 }} +spec: + type: {{ .Values.server.service.type }} + ports: + - name: https + port: 443 + targetPort: 9443 + protocol: TCP + selector: + {{- include "spire.server.selectorLabels" . | nindent 4 }} +{{- end }} + diff --git a/charts/spire/templates/spire-controller-manager-webhook.yaml b/charts/spire/templates/spire-controller-manager-webhook.yaml new file mode 100644 index 00000000..3ffa3a4c --- /dev/null +++ b/charts/spire/templates/spire-controller-manager-webhook.yaml @@ -0,0 +1,35 @@ +{{- if .Values.controllerManager.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: spire-controller-manager-webhook +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire-system + path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain + failurePolicy: Fail + name: vclusterfederatedtrustdomain.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterfederatedtrustdomains"] + sideEffects: None + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire-system + path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid + failurePolicy: Fail + name: vclusterspiffeid.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterspiffeids"] + sideEffects: None +{{- end }} diff --git a/charts/spire/templates/workload-registrar-configmap.yaml b/charts/spire/templates/workload-registrar-configmap.yaml index 72f0ed58..b0aca3b7 100644 --- a/charts/spire/templates/workload-registrar-configmap.yaml +++ b/charts/spire/templates/workload-registrar-configmap.yaml @@ -1,3 +1,4 @@ +{{- if .Values.workloadRegistrar.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -12,3 +13,4 @@ data: server_address = "unix://{{ .Values.server.config.socketPath }}" leader_election = true metrics_addr = "0.0.0.0:18080" +{{- end }} diff --git a/charts/spire/templates/workload-registrar-service.yaml b/charts/spire/templates/workload-registrar-service.yaml index 0588e905..cb5cec1d 100644 --- a/charts/spire/templates/workload-registrar-service.yaml +++ b/charts/spire/templates/workload-registrar-service.yaml @@ -1,3 +1,4 @@ +{{- if .Values.workloadRegistrar.enabled }} apiVersion: v1 kind: Service metadata: @@ -18,3 +19,4 @@ spec: protocol: TCP selector: {{- include "spire.server.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index ca38ff04..50e3eb8e 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -10,6 +10,7 @@ waitForIt: resources: {} workloadRegistrar: + enabled: true image: registry: gcr.io repository: spiffe-io/k8s-workload-registrar @@ -28,10 +29,30 @@ workloadRegistrar: # limits: # cpu: 100m # memory: 64Mi - service: annotations: {} +controllerManager: + enabled: false + image: + registry: ghcr.io + repository: spiffe/spire-controller-manager + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + version: "0.2.1" + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # requests: + # cpu: 50m + # memory: 32Mi + # limits: + # cpu: 100m + # memory: 64Mi + server: replicaCount: 1 image: