From 8ae020aaaecdb53123767711cad54ffd74938899 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Mon, 14 Nov 2022 22:10:14 +0300 Subject: [PATCH] add spire-controller-manager resources, update spire-server statefulset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 7 +- ...yaml => clusterfederatedtrustdomains.yaml} | 0 ...erspiffeids.yaml => clusterspiffeids.yaml} | 0 ...igs.yaml => controllermanagerconfigs.yaml} | 0 charts/spire/templates/_helpers.tpl | 22 ++++++ .../spire/templates/server-cluster-role.yaml | 24 ++++++- charts/spire/templates/server-role.yaml | 6 +- .../spire/templates/server-statefulset.yaml | 4 ++ .../spire-controller-manager-configmap.yaml | 32 +++++++++ .../spire-controller-manager-deployment.yaml | 71 +++++++++++++++++++ ...re-controller-manager-webhook-service.yaml | 19 +++++ .../spire-controller-manager-webhook.yaml | 35 +++++++++ .../workload-registrar-configmap.yaml | 2 + .../templates/workload-registrar-service.yaml | 2 + charts/spire/values.yaml | 44 +++++++++++- 16 files changed, 260 insertions(+), 10 deletions(-) rename charts/spire/crds/{spire.spiffe.io_clusterfederatedtrustdomains.yaml => clusterfederatedtrustdomains.yaml} (100%) rename charts/spire/crds/{spire.spiffe.io_clusterspiffeids.yaml => clusterspiffeids.yaml} (100%) rename charts/spire/crds/{spire.spiffe.io_controllermanagerconfigs.yaml => controllermanagerconfigs.yaml} (100%) create mode 100644 charts/spire/templates/spire-controller-manager-configmap.yaml create mode 100644 charts/spire/templates/spire-controller-manager-deployment.yaml create mode 100644 charts/spire/templates/spire-controller-manager-webhook-service.yaml create mode 100644 charts/spire/templates/spire-controller-manager-webhook.yaml diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 9624d615..a29acefe 100644 
--- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -27,7 +27,7 @@ description: | - --service-account-signing-key-file=/run/config/pki/sa.key ``` type: application -version: 0.7.3 +version: 0.8.0 appVersion: "1.5.2" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"] home: https://github.com/philips-labs/helm-charts/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 57916560..913f67e6 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -2,7 +2,7 @@ -![Version: 0.7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.2](https://img.shields.io/badge/AppVersion-1.5.2-informational?style=flat-square) +[7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.2](https://img.shields.io/badge/AppVersion-1.5.2-informational?style=flat-square) A Helm chart for deploying spire-server and spire-agent. @@ -59,6 +59,11 @@ Kubernetes: `>=1.21.0-0` | agent.nodeSelector."kubernetes.io/arch" | string | `"amd64"` | | | agent.resources | object | `{}` | | | agent.service.annotations | object | `{}` | | +| controllerManager.image.pullPolicy | string | `"IfNotPresent"` | | +| controllerManager.image.registry | string | `"ghcr.io"` | | +| controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | | +| controllerManager.image.version | string | `"0.2.1"` | | +| controllerManager.resources | object | `{}` | | | csiDriver.image.pullPolicy | string | `"IfNotPresent"` | | | csiDriver.image.registry | string | `"ghcr.io"` | | | csiDriver.image.repository | string | `"spiffe/spiffe-csi-driver"` | | 
diff --git a/charts/spire/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/charts/spire/crds/clusterfederatedtrustdomains.yaml similarity index 100% rename from charts/spire/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml rename to charts/spire/crds/clusterfederatedtrustdomains.yaml diff --git a/charts/spire/crds/spire.spiffe.io_clusterspiffeids.yaml b/charts/spire/crds/clusterspiffeids.yaml similarity index 100% rename from charts/spire/crds/spire.spiffe.io_clusterspiffeids.yaml rename to charts/spire/crds/clusterspiffeids.yaml diff --git a/charts/spire/crds/spire.spiffe.io_controllermanagerconfigs.yaml b/charts/spire/crds/controllermanagerconfigs.yaml similarity index 100% rename from charts/spire/crds/spire.spiffe.io_controllermanagerconfigs.yaml rename to charts/spire/crds/controllermanagerconfigs.yaml diff --git a/charts/spire/templates/_helpers.tpl b/charts/spire/templates/_helpers.tpl index ee4073eb..f4d8ed22 100644 --- a/charts/spire/templates/_helpers.tpl +++ b/charts/spire/templates/_helpers.tpl @@ -110,6 +110,28 @@ app.kubernetes.io/name: {{ include "spire.name" . }}-oidc app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} + +{{/* +Common controllerManager labels +*/}} +{{- define "spire.controllerManager.labels" -}} +helm.sh/chart: {{ include "spire.chart" . }} +{{ include "spire.controllerManager.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector controller-manager labels +*/}} +{{- define "spire.controllerManager.selectorLabels" -}} +app.kubernetes.io/name: {{ include "spire.name" . }}-controller-manager +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + + {{/* Create the name of the service account to use */}} diff --git a/charts/spire/templates/server-cluster-role.yaml b/charts/spire/templates/server-cluster-role.yaml index db5793c0..927308b9 100644 
--- a/charts/spire/templates/server-cluster-role.yaml +++ b/charts/spire/templates/server-cluster-role.yaml @@ -11,12 +11,32 @@ rules: resources: ["tokenreviews"] verbs: ["get", "create"] - apiGroups: [""] - resources: ["pods", "nodes"] + resources: ["pods", "nodes", "namespaces"] verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["create", "update", "delete", "get", "list", "watch"] - + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] --- # Binds above cluster role to spire-server service account kind: ClusterRoleBinding diff --git a/charts/spire/templates/server-role.yaml b/charts/spire/templates/server-role.yaml index 7b3c8d6b..4feec256 100644 --- a/charts/spire/templates/server-role.yaml +++ b/charts/spire/templates/server-role.yaml 
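Review bot: The rules added here (cluster-wide get/list/patch/watch on validatingwebhookconfigurations and full CRUD on the spire.spiffe.io resources) land on the ClusterRole bound to the spire-server service account, yet the controller-manager Deployment in this patch runs as `{{ include "spire.serviceAccountName" . }}-agent`, so the new permissions reach neither the pod that needs them nor stay off the server identity. A dedicated controller-manager ServiceAccount with its own ClusterRole and binding keeps the two identities separate. The `patch` verb on every ValidatingWebhookConfiguration in the cluster should also be narrowed to the one object the controller manager presumably manages, e.g. `resourceNames: ["spire-controller-manager-webhook"]` on a rule holding only `get` and `patch` (the name is the one created in spire-controller-manager-webhook.yaml), with `list`/`watch` kept in a separate unscoped rule since resourceNames does not apply to them. The rules list begins before this hunk.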
@@ -18,11 +18,7 @@ rules: verbs: ["get", "patch"] - apiGroups: [""] resources: ["configmaps"] - verbs: ["create"] - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["spire-k8s-registrar-leader-election"] - verbs: ["update", "get"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["events"] verbs: ["create"] diff --git a/charts/spire/templates/server-statefulset.yaml b/charts/spire/templates/server-statefulset.yaml index b7e09c9a..2b887bb6 100644 --- a/charts/spire/templates/server-statefulset.yaml +++ b/charts/spire/templates/server-statefulset.yaml @@ -75,6 +75,7 @@ spec: periodSeconds: 5 resources: {{- toYaml .Values.server.resources | nindent 12 }} + {{- if .Values.workloadRegistrar.enabled }} - name: {{ .Chart.Name }}-workload-registrar securityContext: {{- toYaml .Values.securityContext | nindent 12 }} @@ -95,6 +96,7 @@ spec: readOnly: true resources: {{- toYaml .Values.workloadRegistrar.resources | nindent 12 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -112,9 +114,11 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes: + {{- if .Values.workloadRegistrar.enabled }} - name: spire-workload-registrar-config configMap: name: {{ include "spire.fullname" . }}-workload-registrar + {{- end }} - name: spire-config configMap: name: {{ include "spire.fullname" . }}-server diff --git a/charts/spire/templates/spire-controller-manager-configmap.yaml b/charts/spire/templates/spire-controller-manager-configmap.yaml new file mode 100644 index 00000000..3d4f7858 --- /dev/null +++ b/charts/spire/templates/spire-controller-manager-configmap.yaml 
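Review bot: Replacing the two narrow configmap rules with `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]` on all ConfigMaps in the namespace drops the `resourceNames: ["spire-k8s-registrar-leader-election"]` restriction, so the server role can now modify or delete every ConfigMap there, including the server and workload-registrar config it mounts from this same chart. If the wider verbs are only needed for leader election, keep the original `create` rule and the resourceNames-scoped `update`/`get` rule; leases are already granted in the ClusterRole, and the controller-manager config added in this patch relies on `leaderElect: true` rather than a ConfigMap lock. The rules list starts before this hunk.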
@@ -0,0 +1,32 @@ +{{- if .Values.controllerManager.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "spire.fullname" . }}-controller-manager-config + namespace: {{ .Release.Namespace }} +data: + spire-controller-manager-config.yaml: | + apiVersion: spire.spiffe.io/v1alpha1 + kind: ControllerManagerConfig + metadata: + name: {{ include "spire.fullname" . }}-controller-manager-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "spire.server.labels" . | nindent 4 }} + metrics: + bindAddress: 127.0.0.1:8082 + healthProbe: + bindAddress: 127.0.0.1:8083 + leaderElection: + leaderElect: true + resourceName: 98c9c988.spiffe.io + resourceNamespace: {{ .Release.Namespace }} + clusterName: {{ .Values.spire.clusterName }} + trustDomain: {{ .Values.spire.trustDomain }} + ignoreNamespaces: + - kube-system + - kube-public + - spire-system + - local-path-storage + spireServerSocketPath: {{ .Values.server.config.socketPath | quote }} +{{- end }} diff --git a/charts/spire/templates/spire-controller-manager-deployment.yaml b/charts/spire/templates/spire-controller-manager-deployment.yaml new file mode 100644 index 00000000..75b4c0a4 --- /dev/null +++ b/charts/spire/templates/spire-controller-manager-deployment.yaml 
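Review bot: The `labels:` entry inside the embedded ControllerManagerConfig uses `nindent 4`, which puts the rendered labels at column 4 of the block scalar, the same level as `apiVersion` and `kind`, so `labels` becomes null and each label turns into an unknown top-level field of the config document. It should be `{{- include "spire.server.labels" . | nindent 8 }}`, and arguably the `spire.controllerManager.labels` helper added in _helpers.tpl rather than the server's. `clusterName` and `trustDomain` are emitted unquoted; `clusterName: {{ .Values.spire.clusterName | quote }}` and `trustDomain: {{ .Values.spire.trustDomain | quote }}` avoid a value being retyped by the YAML parser, matching how `spireServerSocketPath` is already written. `ignoreNamespaces` also hard-codes `spire-system` where the rest of the file uses `{{ .Release.Namespace }}`.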
@@ -0,0 +1,71 @@ +{{- if eq (.Values.controllerManager.enabled | toString) "true" }} +{{- $fullname := include "spire.fullname" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ printf "%s-controller-manager" $fullname }} + labels: + {{- include "spire.controllerManager.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.controllerManager.replicaCount }} + selector: + matchLabels: + {{- include "spire.controllerManager.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.controllerManager.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "spire.controllerManager.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- range . }} + - name: {{ printf "%s-%s" $fullname .name }} + {{- end }} + {{- end }} + serviceAccountName: {{ include "spire.serviceAccountName" . }}-agent + securityContext: + {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }}-controller-manager + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: {{ template "spire.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.image) }} + imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }} + args: + - "--config=spire-controller-manager-config.yaml" + ports: + - containerPort: 9443 + volumeMounts: + - name: spire-server-socket + mountPath: /run/spire/server-sockets + readOnly: true + - name: spire-controller-manager-config + mountPath: /spire-controller-manager-config.yaml + subPath: spire-controller-manager-config.yaml + resources: + {{- toYaml .Values.controllerManager.resources | nindent 12 }} + volumes: + - name: spire-server-socket + hostPath: + path: /run/spire/server-sockets + type: DirectoryOrCreate + - name: spire-controller-manager-config + configMap: + name: {{ include "spire.fullname" . 
}}-controller-manager-config + {{- with .Values.controllerManager.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controllerManager.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controllerManager.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{ end }} \ No newline at end of file diff --git a/charts/spire/templates/spire-controller-manager-webhook-service.yaml b/charts/spire/templates/spire-controller-manager-webhook-service.yaml new file mode 100644 index 00000000..687e8335 --- /dev/null +++ b/charts/spire/templates/spire-controller-manager-webhook-service.yaml @@ -0,0 +1,19 @@ +{{- if .Values.controllerManager.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "spire.fullname" . }}-controller-manager + namespace: {{ .Release.Namespace }} + labels: + {{- include "spire.server.labels" . | nindent 4 }} +spec: + type: {{ .Values.server.service.type }} + ports: + - name: https + port: 443 + targetPort: 9443 + protocol: TCP + selector: + {{- include "spire.server.selectorLabels" . | nindent 4 }} +{{- end }} + diff --git a/charts/spire/templates/spire-controller-manager-webhook.yaml b/charts/spire/templates/spire-controller-manager-webhook.yaml new file mode 100644 index 00000000..3ffa3a4c --- /dev/null +++ b/charts/spire/templates/spire-controller-manager-webhook.yaml 
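Review bot: The controller-manager pod runs with `serviceAccountName: {{ include "spire.serviceAccountName" . }}-agent`, i.e. the agent identity, while the RBAC this patch adds for webhooks and spire.spiffe.io resources is attached to the spire-server ClusterRole; the controller will be denied those calls unless the agent is granted them, which would hand every agent node cluster-wide write access to SPIFFE ID registrations. A dedicated ServiceAccount and binding for the controller manager is the fix. The container's `securityContext:` also reads the global `.Values.securityContext` instead of the `controllerManager.securityContext` value this patch adds in values.yaml, leaving that new setting unused; change it to `{{- toYaml .Values.controllerManager.securityContext | nindent 12 }}`. The `hostPath` volume for `/run/spire/server-sockets` with `type: DirectoryOrCreate` presumes the pod lands on the node running spire-server, yet nothing in the spec pins it there; on any other node an empty directory is created and the socket is silently absent.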
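Review bot: The Service's `selector:` uses `spire.server.selectorLabels`, which matches the spire-server StatefulSet pods rather than the controller-manager Deployment pods that carry `spire.controllerManager.selectorLabels`, so webhook traffic on port 443 is routed to pods that do not listen on 9443. Change it to `{{- include "spire.controllerManager.selectorLabels" . | nindent 4 }}` and use the controllerManager labels helper for `metadata.labels` as well. `type: {{ .Values.server.service.type }}` ties the admission endpoint to the server's service type; if that is set to LoadBalancer or NodePort the webhook is exposed outside the cluster for no reason, so a fixed `type: ClusterIP` is the safer choice.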
@@ -0,0 +1,35 @@ +{{- if .Values.controllerManager.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: spire-controller-manager-webhook +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire-system + path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain + failurePolicy: Fail + name: vclusterfederatedtrustdomain.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterfederatedtrustdomains"] + sideEffects: None + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire-system + path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid + failurePolicy: Fail + name: vclusterspiffeid.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterspiffeids"] + sideEffects: None +{{- end }} diff --git a/charts/spire/templates/workload-registrar-configmap.yaml b/charts/spire/templates/workload-registrar-configmap.yaml index 72f0ed58..b0aca3b7 100644 --- a/charts/spire/templates/workload-registrar-configmap.yaml +++ b/charts/spire/templates/workload-registrar-configmap.yaml @@ -1,3 +1,4 @@ +{{- if .Values.workloadRegistrar.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -12,3 +13,4 @@ data: server_address = "unix://{{ .Values.server.config.socketPath }}" leader_election = true metrics_addr = "0.0.0.0:18080" +{{- end }} diff --git a/charts/spire/templates/workload-registrar-service.yaml b/charts/spire/templates/workload-registrar-service.yaml index 0588e905..cb5cec1d 100644 --- a/charts/spire/templates/workload-registrar-service.yaml +++ b/charts/spire/templates/workload-registrar-service.yaml 
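Review bot: Both webhooks point `clientConfig.service` at `name: spire-controller-manager-webhook-service` in `namespace: spire-system`, but the Service this patch creates is named `{{ include "spire.fullname" . }}-controller-manager` in `{{ .Release.Namespace }}`; with `failurePolicy: Fail` the API server will reject every CREATE and UPDATE of clusterspiffeids and clusterfederatedtrustdomains while the webhook is unreachable. Use `name: {{ include "spire.fullname" . }}-controller-manager` and `namespace: {{ .Release.Namespace }}` in both entries. The object name `spire-controller-manager-webhook` is a fixed value that presumably must match what the controller manager looks up to patch; a comment such as `# name must match the webhook configuration the controller manager manages` above `metadata:` would record that coupling for the next reader.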
@@ -1,3 +1,4 @@ +{{- if .Values.workloadRegistrar.enabled }} apiVersion: v1 kind: Service metadata: @@ -18,3 +19,4 @@ spec: protocol: TCP selector: {{- include "spire.server.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index ca38ff04..4102cddb 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -10,6 +10,7 @@ waitForIt: resources: {} workloadRegistrar: + enabled: true image: registry: gcr.io repository: spiffe-io/k8s-workload-registrar @@ -28,10 +29,51 @@ workloadRegistrar: # limits: # cpu: 100m # memory: 64Mi - service: annotations: {} +controllerManager: + enabled: false + replicaCount: 1 + + image: + registry: ghcr.io + repository: spiffe/spire-controller-manager + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + version: "0.2.1" + + nodeSelector: + kubernetes.io/arch: amd64 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # requests: + # cpu: 50m + # memory: 32Mi + # limits: + # cpu: 100m + # memory: 64Mi + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + tolerations: [] + + affinity: {} + podAnnotations: {} + server: replicaCount: 1 image: