From e85f07e73c5e2de8395fccabed0aaed0fec3de3a Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 17 Jan 2023 12:38:40 +0100 Subject: [PATCH 1/9] Fix agent connectivity if deployed with different name e.g. if deploying with spire-65de556ac Signed-off-by: Marco Franssen --- charts/spire/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 489c955..4b95d46 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -6,9 +6,9 @@ A Helm chart for deploying spire-server and spire-agent. -> **Warning**: Please note this chart requires Projected Service Account Tokens which has to be enabled on your k8s api server. +> :warning: Please note this chart requires Projected Service Account Tokens which has to be enabled on your k8s api server. -> **Note**: Minimum Spire version is `v1.5.3`. +> :warning: Minimum Spire version is `v1.0.2`. To enable Projected Service Account Tokens on Docker for Mac/Windows run the following command to SSH into the Docker Desktop K8s VM. From 2bb8c19b02379dd808e652b25cebcc90ccb3c52a Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Mon, 16 Jan 2023 13:02:11 +0100 Subject: [PATCH 2/9] Add support for spire-controller-manager 
Signed-off-by: Marco Franssen --- .../spire-controller-manager/values.yaml | 6 + charts/spire/README.md | 1 - charts/spire/charts/spire-server/README.md | 12 +- .../crds/clusterfederatedtrustdomains.yaml | 96 ++++++++ .../spire-server/crds/clusterspiffeids.yaml | 221 ++++++++++++++++++ .../crds/controllermanagerconfigs.yaml | 59 +++++ .../spire-server/templates/_helpers.tpl | 4 + .../controller-manager-configmap.yaml | 32 +++ .../templates/controller-manager-roles.yaml | 80 +++++++ .../templates/controller-manager-service.yaml | 22 ++ .../templates/controller-manager-webhook.yaml | 35 +++ .../spire-server/templates/statefulset.yaml | 37 +++ charts/spire/charts/spire-server/values.yaml | 37 +++ charts/spire/values.yaml | 2 - 14 files changed, 640 insertions(+), 4 deletions(-) create mode 100644 .github/tests/spire-controller-manager/values.yaml create mode 100644 charts/spire/charts/spire-server/crds/clusterfederatedtrustdomains.yaml create mode 100644 charts/spire/charts/spire-server/crds/clusterspiffeids.yaml create mode 100644 charts/spire/charts/spire-server/crds/controllermanagerconfigs.yaml create mode 100644 charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml create mode 100644 charts/spire/charts/spire-server/templates/controller-manager-roles.yaml create mode 100644 charts/spire/charts/spire-server/templates/controller-manager-service.yaml create mode 100644 charts/spire/charts/spire-server/templates/controller-manager-webhook.yaml diff --git a/.github/tests/spire-controller-manager/values.yaml b/.github/tests/spire-controller-manager/values.yaml new file mode 100644 index 0000000..73f1b54 --- /dev/null +++ b/.github/tests/spire-controller-manager/values.yaml @@ -0,0 +1,6 @@ +spire-server: + k8sWorkloadRegistrar: + enabled: false + + controllerManager: + enabled: true diff --git a/charts/spire/README.md b/charts/spire/README.md index 4b95d46..2e05cc3 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -70,5 +70,4 @@ Kubernetes: `>=1.21.0-0` | spire-server.bundleConfigMap | string | `"spire-bundle"` | | | spire-server.clusterName | string | `"example-cluster"` | | | spire-server.nameOverride | string | `"server"` | | -| spire-server.socketPath | string | `"/run/spire/server-sockets/spire-server.sock"` | | | spire-server.trustDomain | string | `"example.org"` | | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index cfab543..849c1cf 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -20,6 +20,16 @@ A Helm chart to install the SPIRE server. | ca_subject.country | string | `"NL"` | | | ca_subject.organization | string | `"Example"` | | | clusterName | string | `"example-cluster"` | | +| controllerManager.enabled | bool | `false` | | +| controllerManager.image.pullPolicy | string | `"IfNotPresent"` | | +| controllerManager.image.registry | string | `"ghcr.io"` | | +| controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | | +| controllerManager.image.version | string | `"0.2.1"` | | +| controllerManager.resources | object | `{}` | | +| controllerManager.securityContext | object | `{}` | | +| controllerManager.service.annotations | object | `{}` | | +| controllerManager.service.port | int | `443` | | +| controllerManager.service.type | string | `"ClusterIP"` | | | dataStorage.accessMode | string | `"ReadWriteOnce"` | | | dataStorage.enabled | bool | `true` | | | dataStorage.size | string | `"1Gi"` | | 
@@ -31,7 +41,7 @@ A Helm chart to install the SPIRE server. | image.version | string | `""` | | | imagePullSecrets | list | `[]` | | | jwtIssuer | string | `"oidc-discovery.example.org"` | | -| k8sWorkloadRegistrar.enabled | bool | `true` | | +| k8sWorkloadRegistrar.enabled | bool | `true` | The `k8s-workload-registrar` is deprecated in favor of the `spire-controller-manager` A next release will switch to use the `spire-controller-manager` by default. | | k8sWorkloadRegistrar.image.pullPolicy | string | `"IfNotPresent"` | | | k8sWorkloadRegistrar.image.registry | string | `"gcr.io"` | | | k8sWorkloadRegistrar.image.repository | string | `"spiffe-io/k8s-workload-registrar"` | | diff --git a/charts/spire/charts/spire-server/crds/clusterfederatedtrustdomains.yaml b/charts/spire/charts/spire-server/crds/clusterfederatedtrustdomains.yaml new file mode 100644 index 0000000..91aae17 --- /dev/null +++ b/charts/spire/charts/spire-server/crds/clusterfederatedtrustdomains.yaml 
@@ -0,0 +1,96 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterfederatedtrustdomains.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterFederatedTrustDomain + listKind: ClusterFederatedTrustDomainList + plural: clusterfederatedtrustdomains + singular: clusterfederatedtrustdomain + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trustDomain + name: Trust Domain + type: string + - jsonPath: .spec.bundleEndpointURL + name: Endpoint URL + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterFederatedTrustDomainSpec defines the desired state + of ClusterFederatedTrustDomain + properties: + bundleEndpointProfile: + description: BundleEndpointProfile is the profile for the bundle endpoint. + properties: + endpointSPIFFEID: + description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. + It is required for the "https_spiffe" profile. + type: string + type: + description: Type is the type of the bundle endpoint profile. 
+ enum: + - https_spiffe + - https_web + type: string + required: + - type + type: object + bundleEndpointURL: + description: BundleEndpointURL is the URL of the bundle endpoint. + It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). + type: string + trustDomain: + description: TrustDomain is the name of the trust domain to federate + with (e.g. example.org) + pattern: '[a-z0-9._-]{1,255}' + type: string + trustDomainBundle: + description: TrustDomainBundle is the contents of the bundle for the + referenced trust domain. This field is optional when the resource + is created. + type: string + required: + - bundleEndpointProfile + - bundleEndpointURL + - trustDomain + type: object + status: + description: ClusterFederatedTrustDomainStatus defines the observed state + of ClusterFederatedTrustDomain + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/spire/charts/spire-server/crds/clusterspiffeids.yaml b/charts/spire/charts/spire-server/crds/clusterspiffeids.yaml new file mode 100644 index 0000000..74758a5 --- /dev/null +++ b/charts/spire/charts/spire-server/crds/clusterspiffeids.yaml 
@@ -0,0 +1,221 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterspiffeids.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterSPIFFEID + listKind: ClusterSPIFFEIDList + plural: clusterspiffeids + singular: clusterspiffeid + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSPIFFEID is the Schema for the clusterspiffeids API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID + properties: + admin: + description: Admin indicates whether or not the SVID can be used to + access the SPIRE administrative APIs. Extra care should be taken + to only apply this SPIFFE ID to admin workloads. + type: boolean + dnsNameTemplates: + description: DNSNameTemplate represents templates for extra DNS names + that are applicable to SVIDs minted for this ClusterSPIFFEID. The + node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. 
+ items: + type: string + type: array + federatesWith: + description: FederatesWith is a list of trust domain names that workloads + that obtain this SPIFFE ID will federate with. + items: + type: string + type: array + namespaceSelector: + description: NamespaceSelector selects the namespaces that are targetted + by this CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + podSelector: + description: PodSelector selects the pods that are targetted by this + CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. 
+ properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + spiffeIDTemplate: + description: SPIFFEID is the SPIFFE ID template. The node and pod + spec are made available to the template under .NodeSpec, .PodSpec + respectively. + type: string + ttl: + description: TTL indicates an upper-bound time-to-live for SVIDs minted + for this ClusterSPIFFEID. If unset, a default will be chosen. + type: string + workloadSelectorTemplates: + description: WorkloadSelectorTemplates are templates to produce arbitrary + workload selectors that apply to a given workload before it will + receive this SPIFFE ID. The rendered value is interpreted by SPIRE + and are of the form type:value, where the value may, and often does, + contain semicolons, .e.g., k8s:container-image:docker/hello-world + The node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. 
+ items: + type: string + type: array + required: + - spiffeIDTemplate + type: object + status: + description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID + properties: + stats: + description: Stats produced by the last entry reconciliation run + properties: + entriesMasked: + description: How many entries were masked by entries for other + ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs + produce an entry for the same pod with the same set of workload + selectors. + type: integer + entriesToSet: + description: How many entries are to be set for this ClusterSPIFFEID. + In nominal conditions, this should reflect the number of pods + selected, but not always if there were problems encountered + rendering an entry for the pod (RenderFailures) or entries are + masked (EntriesMasked). + type: integer + entryFailures: + description: How many entries were unable to be set due to failures + to create or update the entries via the SPIRE Server API. + type: integer + namespacesIgnored: + description: How many (selected) namespaces were ignored (based + on configuration). + type: integer + namespacesSelected: + description: How many namespaces were selected. + type: integer + podEntryRenderFailures: + description: How many failures were encountered rendering an entry + selected pods. This could be due to either a bad template in + the ClusterSPIFFEID or Pod metadata that when applied to the + template did not produce valid entry values. + type: integer + podsSelected: + description: How many pods were selected out of the namespaces. + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/spire/charts/spire-server/crds/controllermanagerconfigs.yaml b/charts/spire/charts/spire-server/crds/controllermanagerconfigs.yaml new file mode 100644 index 0000000..7845a10 
--- /dev/null +++ b/charts/spire/charts/spire-server/crds/controllermanagerconfigs.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: controllermanagerconfigs.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ControllerManagerConfig + listKind: ControllerManagerConfigList + plural: controllermanagerconfigs + singular: controllermanagerconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ControllerManagerConfig is the Schema for the controllermanagerconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControllerManagerConfigSpec defines the desired state of + ControllerManagerConfig + properties: + foo: + description: Foo is an example field of ControllerManagerConfig. Edit + controllermanagerconfig_types.go to remove/update + type: string + type: object + status: + description: ControllerManagerConfigStatus defines the observed state + of ControllerManagerConfig + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index e7124d6..9e68939 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl @@ -85,6 +85,10 @@ Create the name of the service account to use {{- end -}} {{- end }} +{{- define "spire-controller-manager.fullname" -}} +{{ include "spire-server.fullname" . | trimSuffix "-server" }}-controller-manager +{{- end }} + {{- define "spire-k8s-workload-registrar.fullname" -}} {{ include "spire-server.fullname" . | trimSuffix "-server" }}-k8s-workload-registrar {{- end }} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml new file mode 100644 index 0000000..0d40782 --- /dev/null +++ b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml @@ -0,0 +1,32 @@ +{{- if eq (.Values.controllerManager.enabled | toString) "true" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "spire-controller-manager.fullname" . }} + namespace: {{ .Release.Namespace }} +data: + controller-manager-config.yaml: | + apiVersion: spire.spiffe.io/v1alpha1 + kind: ControllerManagerConfig + metadata: + name: {{ include "spire-controller-manager.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "spire-server.labels" . | nindent 8 }} + metrics: + bindAddress: 127.0.0.1:8082 + healthProbe: + bindAddress: 127.0.0.1:8083 + leaderElection: + leaderElect: true + resourceName: {{ .Release.Name | sha256sum | trunc 8 }}.spiffe.io + resourceNamespace: {{ .Release.Namespace }} + clusterName: {{ .Values.clusterName }} + trustDomain: {{ .Values.trustDomain }} + ignoreNamespaces: + - kube-system + - kube-public + - {{ .Release.Namespace }} + - local-path-storage + spireServerSocketPath: {{ .Values.socketPath | quote }} +{{- end }} 
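Review bot: `clusterName: {{ .Values.clusterName }}` and `trustDomain: {{ .Values.trustDomain }}` inside the embedded controller-manager-config.yaml are rendered as plain scalars, so a cluster name that happens to look numeric or boolean is retyped when the controller-manager parses the file; the sibling `spireServerSocketPath` already uses `| quote`, so `clusterName: {{ .Values.clusterName | quote }}` and `trustDomain: {{ .Values.trustDomain | quote }}` would keep the three consistent. This patch also drops `socketPath` from charts/spire/values.yaml and its README row, so `spireServerSocketPath` now relies on a spire-server subchart default that is not visible in this series — if that key is ever absent it renders as `""`, which is worth a comment or a `required` guard. The `metrics` and `healthProbe` listeners are bound to `127.0.0.1`, which keeps them off the pod network; a one-line comment saying that is intentional would stop a later probe from being pointed at them through the pod IP.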
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml b/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml new file mode 100644 index 0000000..795a06f --- /dev/null +++ b/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml 
@@ -0,0 +1,80 @@ +{{- if eq (.Values.controllerManager.enabled | toString) "true" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "spire-controller-manager.fullname" . }}-leader-election + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "spire-controller-manager.fullname" . }}-leader-election + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "spire-controller-manager.fullname" . }}-leader-election +subjects: +- kind: ServiceAccount + name: {{ include "spire-server.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "spire-controller-manager.fullname" . 
}} +rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "spire-controller-manager.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "spire-controller-manager.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "spire-server.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-service.yaml b/charts/spire/charts/spire-server/templates/controller-manager-service.yaml new file mode 100644 index 0000000..c7a33a0 --- /dev/null +++ b/charts/spire/charts/spire-server/templates/controller-manager-service.yaml 
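Review bot: The ClusterRoleBinding and the leader-election RoleBinding both bind to `spire-server.serviceAccountName`, so every new cluster-wide permission here (patch on validatingwebhookconfigurations, full CRUD on ClusterSPIFFEIDs and ClusterFederatedTrustDomains, read on all pods and nodes) is added to the SPIRE server's own identity because the controller-manager runs as a sidecar in the server pod; that trade-off should be recorded above the ClusterRoleBinding, e.g. `# The controller-manager is a sidecar of spire-server and shares its ServiceAccount; these rules extend the server identity.` The leader-election Role grants full CRUD on configmaps in addition to leases; if the controller-manager only takes a Lease-based lock (the config in controller-manager-configmap.yaml sets `resourceName`/`resourceNamespace` but nothing selecting the lock type), the configmaps rule could be dropped — confirm against the upstream spire-controller-manager manifests before doing so. Style: the `subjects:` lists are flush-left (`- kind: ServiceAccount`) while every `rules:` list is indented two spaces; pick one sequence style for the file.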
@@ -0,0 +1,22 @@
+{{- if eq (.Values.controllerManager.enabled | toString) "true" }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "spire-controller-manager.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "spire-server.labels" . | nindent 4 }}
+ {{- with .Values.controllerManager.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+spec:
+ type: {{ .Values.controllerManager.service.type }}
+ ports:
+ - name: https
+ port: {{ .Values.controllerManager.service.port }}
+ targetPort: https
+ protocol: TCP
+ selector:
+ {{- include "spire-server.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-webhook.yaml b/charts/spire/charts/spire-server/templates/controller-manager-webhook.yaml
new file mode 100644
index 0000000..3a9dcf6
--- /dev/null
+++ b/charts/spire/charts/spire-server/templates/controller-manager-webhook.yaml
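Review bot: `labels:` is filled with `nindent 4` while the sibling `annotations:` block uses `nindent 8`; both appear to be children of `metadata:`, so one of the two depths is inconsistent (YAML tolerates the deeper indent, but a reader expects the same depth for siblings). If `annotations:` sits at the same level as `labels:`, `{{- toYaml . | nindent 4 }}` is the matching form — indentation is collapsed in this rendering, so confirm in the file. Since this Service exists only so the API server can reach the admission webhook, a comment such as `# Reaches the controller-manager webhook (container port https) from the API server; ClusterIP is sufficient.` would explain why `service.type` rarely needs to change.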
@@ -0,0 +1,35 @@
+{{- if eq (.Values.controllerManager.enabled | toString) "true" }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ include "spire-controller-manager.fullname" . }}-webhook
+webhooks:
+ - admissionReviewVersions: ["v1"]
+ clientConfig:
+ service:
+ name: {{ include "spire-controller-manager.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace }}
+ path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain
+ failurePolicy: Fail
+ name: vclusterfederatedtrustdomain.kb.io
+ rules:
+ - apiGroups: ["spire.spiffe.io"]
+ apiVersions: ["v1alpha1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["clusterfederatedtrustdomains"]
+ sideEffects: None
+ - admissionReviewVersions: ["v1"]
+ clientConfig:
+ service:
+ name: {{ include "spire-controller-manager.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace }}
+ path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid
+ failurePolicy: Fail
+ name: vclusterspiffeid.kb.io
+ rules:
+ - apiGroups: ["spire.spiffe.io"]
+ apiVersions: ["v1alpha1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["clusterspiffeids"]
+ sideEffects: None
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml
index c9b81f7..dc2b978 100644
--- a/charts/spire/charts/spire-server/templates/statefulset.yaml
+++ b/charts/spire/charts/spire-server/templates/statefulset.yaml
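Review bot: Neither webhook carries a `caBundle`, and with `failurePolicy: Fail` every CREATE/UPDATE of a ClusterSPIFFEID or ClusterFederatedTrustDomain is rejected until something fills it in; nothing in this file says where it comes from. The ClusterRole in controller-manager-roles.yaml grants `patch` on validatingwebhookconfigurations, which suggests the controller-manager injects its own serving CA at runtime — if that is the mechanism, record it: `# caBundle is intentionally empty: spire-controller-manager patches its serving CA into this configuration at startup (hence the validatingwebhookconfigurations rule in its ClusterRole).` Fail-closed is the right default for a validating webhook, but readers should know that the chart's custom resources cannot be admitted before the sidecar is up and has patched the bundle.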
@@ -99,6 +99,38 @@ spec:
 mountPath: /run/spire/k8s-workload-registrar/config
 readOnly: true
 {{- end }}
+ {{- if eq (.Values.controllerManager.enabled | toString) "true" }}
+ - name: spire-controller-manager
+ securityContext:
+ {{- toYaml .Values.controllerManager.securityContext | nindent 12 }}
+ image: {{ template "spire-server.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.image) }}
+ imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }}
+ args:
+ - --config=controller-manager-config.yaml
+ ports:
+ - name: https
+ containerPort: 9443
+ protocol: TCP
+ # TODO: implement probes
+ # livenessProbe:
+ # httpGet:
+ # path: /
+ # port: https
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: https
+ resources:
+ {{- toYaml .Values.controllerManager.resources | nindent 12 }}
+ volumeMounts:
+ - name: spire-server-socket
+ mountPath: /run/spire/server-sockets
+ readOnly: true
+ - name: controller-manager-config
+ mountPath: /controller-manager-config.yaml
+ subPath: controller-manager-config.yaml
+ readOnly: true
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -133,6 +165,11 @@ spec:
 configMap:
 name: {{ include "spire-k8s-workload-registrar.fullname" . }}
 {{- end }}
+ {{- if eq (.Values.controllerManager.enabled | toString) "true" }}
+ - name: controller-manager-config
+ configMap:
+ name: {{ include "spire-controller-manager.fullname" . }}
+ {{- end }}
 volumeClaimTemplates:
 {{- if eq (.Values.dataStorage.enabled | toString) "true" }}
 - metadata:
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index cb1693c..86ec2de 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
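Review bot: The commented probe sketch points `httpGet` at `port: https` (the webhook TLS port), while the controller-manager config in controller-manager-configmap.yaml binds its health server to `127.0.0.1:8083`, which a kubelet probe via the pod IP cannot reach; when the TODO is picked up, either bind `healthProbe.bindAddress` to `:8083` and expose it as a named container port, or give the probe `host: 127.0.0.1`. Until then the sidecar has no readiness probe, so the webhook Service endpoint is advertised as soon as the container starts and, with `failurePolicy: Fail` on the webhook, admission requests during a rollout may be rejected rather than waited for — worth stating in the TODO: `# TODO: implement probes; without a readiness probe the webhook endpoint is advertised before the manager listens`. `--config=controller-manager-config.yaml` is a relative path while the file is mounted at `/controller-manager-config.yaml`, so it only resolves if the image's working directory is `/`; `--config=/controller-manager-config.yaml` removes that dependency. The containers list this sidecar joins begins outside the hunk.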
@@ -107,7 +107,44 @@ upstreamAuthority: key: "" bundle: "" +controllerManager: + enabled: false + + image: + registry: ghcr.io + repository: spiffe/spire-controller-manager + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + version: "0.2.1" + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + type: ClusterIP + port: 443 + annotations: {} + k8sWorkloadRegistrar: + # -- The `k8s-workload-registrar` is deprecated in favor of the `spire-controller-manager` + # A next release will switch to use the `spire-controller-manager` by default. enabled: true image: diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 16cf92c..310fe73 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -9,8 +9,6 @@ spire-server: clusterName: &clusterName "example-cluster" trustDomain: &trustDomain "example.org" - socketPath: &serverSocketPath /run/spire/server-sockets/spire-server.sock - spire-agent: nameOverride: agent bundleConfigMap: *bundleConfigMap From eb55d959101aedfa3b36027bbffe4e52d47bdfd9 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Mon, 16 Jan 2023 16:04:13 +0100 Subject: [PATCH 3/9] Bump spire chart version to 0.11.0 Signed-off-by: Marco Franssen --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) 
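Review bot: The comment `# Overrides the image tag whose default is the chart appVersion.` is misleading on `controllerManager.image.version`: statefulset.yaml renders this image through `spire-server.image` with `$.Chart.AppVersion`, which is the SPIRE server version (`1.5.4` per Chart.yaml in this series), not a spire-controller-manager release, so clearing `version` would most likely yield a tag that does not exist. Reword it to `# Tag of the spire-controller-manager image. Leaving it empty falls back to the chart appVersion, which is a SPIRE release, not a controller-manager release, so keep it set.` `securityContext: {}` leaves the sidecar unrestricted; the commented `capabilities.drop`/`readOnlyRootFilesystem`/`runAsNonRoot` values are what a hardened default would carry, and since the sidecar only needs the server socket and a read-only config file, enabling them by default — or documenting why not — would be reasonable.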
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 8bcbaab..030389c 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -27,7 +27,7 @@ description: | - --service-account-signing-key-file=/run/config/pki/sa.key ``` type: application -version: 0.10.2 +version: 0.11.0 appVersion: "1.5.4" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"] home: https://github.com/philips-labs/helm-charts/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 2e05cc3..42c82be 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -2,13 +2,13 @@ -![Version: 0.10.2](https://img.shields.io/badge/Version-0.10.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.4](https://img.shields.io/badge/AppVersion-1.5.4-informational?style=flat-square) +![Version: 0.11.0](https://img.shields.io/badge/Version-0.11.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.4](https://img.shields.io/badge/AppVersion-1.5.4-informational?style=flat-square) A Helm chart for deploying spire-server and spire-agent. -> :warning: Please note this chart requires Projected Service Account Tokens which has to be enabled on your k8s api server. +> **Warning**: Please note this chart requires Projected Service Account Tokens which has to be enabled on your k8s api server. -> :warning: Minimum Spire version is `v1.0.2`. +> **Note**: Minimum Spire version is `v1.5.3`. To enable Projected Service Account Tokens on Docker for Mac/Windows run the following command to SSH into the Docker Desktop K8s VM. From 47e5264cca16b23714fd79a32c64dc3ed778deb7 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Mon, 16 Jan 2023 16:01:40 +0100 Subject: [PATCH 4/9] Add by default k8s workload registrar compatible SPIFFEIDs to controller-manager setup 
Signed-off-by: Marco Franssen --- charts/spire/charts/spire-server/README.md | 5 +++++ .../controller-manager-cluster-ids.yaml | 19 +++++++++++++++++++ .../controller-manager-configmap.yaml | 3 +++ charts/spire/charts/spire-server/values.yaml | 12 ++++++++++++ 4 files changed, 39 insertions(+) create mode 100644 charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 849c1cf..3c1770e 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -21,6 +21,11 @@ A Helm chart to install the SPIRE server. | ca_subject.organization | string | `"Example"` | | | clusterName | string | `"example-cluster"` | | | controllerManager.enabled | bool | `false` | | +| controllerManager.identities.dnsNameTemplates | list | `[]` | | +| controllerManager.identities.enabled | bool | `true` | | +| controllerManager.identities.podSelector | object | `{}` | | +| controllerManager.identities.spiffeIDTemplate | string | `"spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"` | | +| controllerManager.ignoreNamespaces | list | `[]` | | | controllerManager.image.pullPolicy | string | `"IfNotPresent"` | | | controllerManager.image.registry | string | `"ghcr.io"` | | | controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | | diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml new file mode 100644 index 0000000..2818c1f --- /dev/null +++ b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml 
@@ -0,0 +1,19 @@
+{{- $root := . }}
+{{- with .Values.controllerManager }}
+{{- if and (eq (.enabled | toString) "true") (eq (.identities.enabled | toString) "true") }}
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterSPIFFEID
+metadata:
+ name: {{ include "spire-controller-manager.fullname" $root }}-service-account-based
+spec:
+ spiffeIDTemplate: {{ .identities.spiffeIDTemplate | quote }}
+ {{- with .identities.podSelector }}
+ podSelector:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .identities.dnsNameTemplates }}
+ dnsNameTemplates:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
index 0d40782..5a2edb3 100644
--- a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
@@ -28,5 +28,8 @@ data:
 - kube-public
 - {{ .Release.Namespace }}
 - local-path-storage
+ {{- with .Values.controllerManager.ignoreNamespaces }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
 spireServerSocketPath: {{ .Values.socketPath | quote }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 86ec2de..091cb07 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
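Review bot: The ClusterSPIFFEID rendered here has no namespaceSelector and omits podSelector entirely when the value is empty, so with the chart defaults it matches every pod in every namespace the controller-manager does not ignore; that is the registrar-compatible behaviour the commit wants, but it is the broadest possible issuance policy and an operator cannot narrow it by namespace without editing the template. Exposing `identities.namespaceSelector` and rendering it the same way as podSelector gives a least-privilege knob at no cost, and the default scope deserves a comment in values.yaml, e.g. `# no selectors set: every pod outside ignoreNamespaces receives a registration entry`. Rendering spiffeIDTemplate through `quote` is the right call, since the braces are evaluated by spire-controller-manager rather than by Helm.
```yaml
  {{- end }}
  {{- with .identities.namespaceSelector }}
  namespaceSelector:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  # … unchanged: dnsNameTemplates block …
```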
@@ -142,6 +142,18 @@ controllerManager:
 port: 443
 annotations: {}
+ ignoreNamespaces: []
+
+ identities:
+ enabled: true
+
+ spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+ podSelector: {}
+ # matchLabels:
+ # spiffe.io/spiffe-id: "true"
+ dnsNameTemplates: []
+ # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local'
+
 k8sWorkloadRegistrar:
 # -- The `k8s-workload-registrar` is deprecated in favor of the `spire-controller-manager`
 # A next release will switch to use the `spire-controller-manager` by default.
From d6b23a4bdb31ec94d9a166132789fdc5e207c019 Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Mon, 16 Jan 2023 17:11:06 +0100
Subject: [PATCH 5/9] Include spire namespace to fix oidc-provider
Signed-off-by: Marco Franssen
Co-authored-by: Gert Jan Kamstra
---
 charts/spire/charts/spire-server/README.md | 4 +++-
 .../spire-server/templates/controller-manager-configmap.yaml | 4 ----
 charts/spire/charts/spire-server/values.yaml | 5 ++++-
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index 3c1770e..acbfd01 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
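Review bot: None of the new keys under `controllerManager` carry a helm-docs `# --` description, which is why the README rows this patch adds have an empty description column, while the `k8sWorkloadRegistrar` key directly below shows the convention. Each of `ignoreNamespaces`, `identities.enabled`, `identities.spiffeIDTemplate` and `identities.podSelector` deserves one line, e.g. `# -- Pod selector for the default ClusterSPIFFEID; an empty selector matches every pod in every non-ignored namespace` and `# -- SPIFFE ID template evaluated by spire-controller-manager (not Helm) for each matched pod`. The `spiffeIDTemplate` value parses as a string today only because it starts with `spiffe://`; quoting it, `spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"`, keeps that robust against a later edit that moves a `{{ }}` to the front of the value.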
@@ -25,7 +25,9 @@ A Helm chart to install the SPIRE server.
 | controllerManager.identities.enabled | bool | `true` | |
 | controllerManager.identities.podSelector | object | `{}` | |
 | controllerManager.identities.spiffeIDTemplate | string | `"spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"` | |
-| controllerManager.ignoreNamespaces | list | `[]` | |
+| controllerManager.ignoreNamespaces[0] | string | `"kube-system"` | |
+| controllerManager.ignoreNamespaces[1] | string | `"kube-public"` | |
+| controllerManager.ignoreNamespaces[2] | string | `"local-path-storage"` | |
 | controllerManager.image.pullPolicy | string | `"IfNotPresent"` | |
 | controllerManager.image.registry | string | `"ghcr.io"` | |
 | controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | |
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
index 5a2edb3..b177acc 100644
--- a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
@@ -24,10 +24,6 @@ data:
 clusterName: {{ .Values.clusterName }}
 trustDomain: {{ .Values.trustDomain }}
 ignoreNamespaces:
- - kube-system
- - kube-public
- - {{ .Release.Namespace }}
- - local-path-storage
 {{- with .Values.controllerManager.ignoreNamespaces }}
 {{- toYaml . | nindent 6 }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 091cb07..5b3d429 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -142,7 +142,10 @@ controllerManager:
 port: 443
 annotations: {}
- ignoreNamespaces: []
+ ignoreNamespaces:
+ - kube-system
+ - kube-public
+ - local-path-storage
 identities:
 enabled: true
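Review bot: After the hardcoded entries are removed from the configmap template, `ignoreNamespaces:` is followed by nothing when an operator sets `controllerManager.ignoreNamespaces: []`, because the `with` block is skipped for an empty list, and the key then renders as YAML `null` rather than an empty list; dropping the guard and rendering unconditionally, `ignoreNamespaces:` followed by `{{- toYaml .Values.controllerManager.ignoreNamespaces | nindent 6 }}`, yields `[]` in that case. Separately, removing `{{ .Release.Namespace }}` means the spire-server and spire-agent pods themselves now fall under the default ClusterSPIFFEID, not only the oidc-provider the commit title names; if only the provider needs an entry, a podSelector scoped to it would keep the issuance surface narrower. The enclosing `data:` block starts before this hunk.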
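Review bot: Helm replaces list values wholesale, so an operator who sets `controllerManager.ignoreNamespaces` in the values.yaml hunk to exclude one more namespace silently drops `kube-system`, `kube-public` and `local-path-storage`, and the controller-manager starts issuing identities to system pods; the values file should say so next to the new default, e.g. `# -- Namespaces the controller-manager will not reconcile. Overriding this list replaces the defaults, so restate them.` The third entry appears to be distribution-specific (it looks like the namespace a kind cluster uses for its storage provisioner), which is worth noting in the same comment.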
From 233ceb8171225d73ea287f1653809657615223d9 Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Tue, 17 Jan 2023 09:45:08 +0100
Subject: [PATCH 6/9] Add icon to spire chart
Signed-off-by: Marco Franssen
---
 charts/spire/Chart.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
index 030389c..75f61d7 100644
--- a/charts/spire/Chart.yaml
+++ b/charts/spire/Chart.yaml
@@ -33,6 +33,7 @@ keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
 home: https://github.com/philips-labs/helm-charts/charts/spire
 sources:
 - https://github.com/philips-labs/helm-charts/charts/spire
+icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
 maintainers:
 - name: marcofranssen
 email: marco.franssen@philips.com
From 15486f4db312155e6a985711970f71f60cd4ec3c Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Tue, 17 Jan 2023 11:31:45 +0100
Subject: [PATCH 7/9] Fix spire validating webhook configuration
Signed-off-by: Marco Franssen
---
 .../spire-server/templates/controller-manager-configmap.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
index b177acc..a447676 100644
--- a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
@@ -21,6 +21,7 @@ data:
 leaderElect: true
 resourceName: {{ .Release.Name | sha256sum | trunc 8 }}.spiffe.io
 resourceNamespace: {{ .Release.Namespace }}
+ validatingWebhookConfigurationName: {{ include "spire-controller-manager.fullname" . }}-webhook
 clusterName: {{ .Values.clusterName }}
 trustDomain: {{ .Values.trustDomain }}
 ignoreNamespaces:
From ae3665aad653957140855105c34511f6e459b68c Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Tue, 17 Jan 2023 14:57:24 +0100
Subject: [PATCH 8/9] Fix link to sources
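Review bot: `validatingWebhookConfigurationName` in the PATCH 7 hunk has to equal the `metadata.name` of the ValidatingWebhookConfiguration rendered by controller-manager-webhook.yaml (outside this view); as far as I can tell the controller-manager looks that object up by name to keep its CA bundle current, so a mismatch leaves admission calls failing TLS verification, which is presumably what the commit title refers to. Both sides derive the name from the `spire-controller-manager.fullname` helper plus a `-webhook` suffix, but nothing enforces that, so a comment on the added line, `# must match metadata.name in controller-manager-webhook.yaml`, or a shared named template for the full webhook name would stop them drifting. The enclosing `data:` block starts before this hunk.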
Signed-off-by: Marco Franssen
---
 charts/spire/Chart.yaml | 4 ++--
 charts/spire/README.md | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
index 75f61d7..7f6717b 100644
--- a/charts/spire/Chart.yaml
+++ b/charts/spire/Chart.yaml
@@ -30,9 +30,9 @@ type: application
 version: 0.11.0
 appVersion: "1.5.4"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
-home: https://github.com/philips-labs/helm-charts/charts/spire
+home: https://github.com/philips-labs/helm-charts/tree/main/charts/spire
 sources:
- - https://github.com/philips-labs/helm-charts/charts/spire
+ - https://github.com/philips-labs/helm-charts/tree/main/charts/spire
 icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
 maintainers:
 - name: marcofranssen
diff --git a/charts/spire/README.md b/charts/spire/README.md
index 42c82be..ec492e5 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@@ -30,7 +30,7 @@ spec:
 - --service-account-signing-key-file=/run/config/pki/sa.key
 ```
-**Homepage:**
+**Homepage:**
 ## Maintainers
@@ -40,7 +40,7 @@ spec:
 ## Source Code
-*
+*
 ## Requirements
From bd2100b6a6dfce77dd2aa89bf09914e22383b057 Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Tue, 17 Jan 2023 14:59:19 +0100
Subject: [PATCH 9/9] Add spire-controller-manager keyword to chart
Signed-off-by: Marco Franssen
---
 charts/spire/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
index 7f6717b..5d8a3c5 100644
--- a/charts/spire/Chart.yaml
+++ b/charts/spire/Chart.yaml
@@ -29,7 +29,7 @@ description: |
 type: application
 version: 0.11.0
 appVersion: "1.5.4"
-keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
+keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/philips-labs/helm-charts/tree/main/charts/spire
 sources:
 - https://github.com/philips-labs/helm-charts/tree/main/charts/spire