Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for the spire-controller-manager #71

Closed
wants to merge 1 commit into from
Closed

Add support for the spire-controller-manager #71

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion charts/spire/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ description: |
- --service-account-signing-key-file=/run/config/pki/sa.key
```
type: application
version: 0.7.6
version: 0.8.0
appVersion: "1.5.3"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
home: https://github.com/philips-labs/helm-charts/charts/spire
Expand Down
16 changes: 15 additions & 1 deletion charts/spire/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

<!-- This README.md is generated. -->

![Version: 0.7.6](https://img.shields.io/badge/Version-0.7.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.3](https://img.shields.io/badge/AppVersion-1.5.3-informational?style=flat-square)
![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.3](https://img.shields.io/badge/AppVersion-1.5.3-informational?style=flat-square)

A Helm chart for deploying spire-server and spire-agent.

Expand Down Expand Up @@ -59,6 +59,19 @@ Kubernetes: `>=1.21.0-0`
| agent.nodeSelector."kubernetes.io/arch" | string | `"amd64"` | |
| agent.resources | object | `{}` | |
| agent.service.annotations | object | `{}` | |
| controllerManager.affinity | object | `{}` | |
| controllerManager.enabled | bool | `false` | |
| controllerManager.image.pullPolicy | string | `"IfNotPresent"` | |
| controllerManager.image.registry | string | `"ghcr.io"` | |
| controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | |
| controllerManager.image.version | string | `"0.2.1"` | |
| controllerManager.nodeSelector."kubernetes.io/arch" | string | `"amd64"` | |
| controllerManager.podAnnotations | object | `{}` | |
| controllerManager.podSecurityContext | object | `{}` | |
| controllerManager.replicaCount | int | `1` | |
| controllerManager.resources | object | `{}` | |
| controllerManager.securityContext | object | `{}` | |
| controllerManager.tolerations | list | `[]` | |
| csiDriver.image.pullPolicy | string | `"IfNotPresent"` | |
| csiDriver.image.registry | string | `"ghcr.io"` | |
| csiDriver.image.repository | string | `"spiffe/spiffe-csi-driver"` | |
Expand Down Expand Up @@ -135,6 +148,7 @@ Kubernetes: `>=1.21.0-0`
| waitForIt.image.repository | string | `"chainguard/wait-for-it"` | |
| waitForIt.image.version | string | `"latest-20221215"` | |
| waitForIt.resources | object | `{}` | |
| workloadRegistrar.enabled | bool | `true` | |
| workloadRegistrar.image.pullPolicy | string | `"IfNotPresent"` | |
developer-guy marked this conversation as resolved.
Show resolved Hide resolved
| workloadRegistrar.image.registry | string | `"gcr.io"` | |
| workloadRegistrar.image.repository | string | `"spiffe-io/k8s-workload-registrar"` | |
Expand Down
96 changes: 96 additions & 0 deletions charts/spire/crds/clusterfederatedtrustdomains.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: clusterfederatedtrustdomains.spire.spiffe.io
spec:
group: spire.spiffe.io
names:
kind: ClusterFederatedTrustDomain
listKind: ClusterFederatedTrustDomainList
plural: clusterfederatedtrustdomains
singular: clusterfederatedtrustdomain
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.trustDomain
name: Trust Domain
type: string
- jsonPath: .spec.bundleEndpointURL
name: Endpoint URL
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ClusterFederatedTrustDomainSpec defines the desired state
of ClusterFederatedTrustDomain
properties:
bundleEndpointProfile:
description: BundleEndpointProfile is the profile for the bundle endpoint.
properties:
endpointSPIFFEID:
description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint.
It is required for the "https_spiffe" profile.
type: string
type:
description: Type is the type of the bundle endpoint profile.
enum:
- https_spiffe
- https_web
type: string
required:
- type
type: object
bundleEndpointURL:
description: BundleEndpointURL is the URL of the bundle endpoint.
It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
type: string
trustDomain:
description: TrustDomain is the name of the trust domain to federate
with (e.g. example.org)
pattern: '[a-z0-9._-]{1,255}'
type: string
trustDomainBundle:
description: TrustDomainBundle is the contents of the bundle for the
referenced trust domain. This field is optional when the resource
is created.
type: string
required:
- bundleEndpointProfile
- bundleEndpointURL
- trustDomain
type: object
status:
description: ClusterFederatedTrustDomainStatus defines the observed state
of ClusterFederatedTrustDomain
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
221 changes: 221 additions & 0 deletions charts/spire/crds/clusterspiffeids.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,221 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: clusterspiffeids.spire.spiffe.io
spec:
group: spire.spiffe.io
names:
kind: ClusterSPIFFEID
listKind: ClusterSPIFFEIDList
plural: clusterspiffeids
singular: clusterspiffeid
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
properties:
admin:
description: Admin indicates whether or not the SVID can be used to
access the SPIRE administrative APIs. Extra care should be taken
to only apply this SPIFFE ID to admin workloads.
type: boolean
dnsNameTemplates:
description: DNSNameTemplate represents templates for extra DNS names
that are applicable to SVIDs minted for this ClusterSPIFFEID. The
node and pod spec are made available to the template under .NodeSpec,
.PodSpec respectively.
items:
type: string
type: array
federatesWith:
description: FederatesWith is a list of trust domain names that workloads
that obtain this SPIFFE ID will federate with.
items:
type: string
type: array
namespaceSelector:
description: NamespaceSelector selects the namespaces that are targetted
by this CRD.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
podSelector:
description: PodSelector selects the pods that are targetted by this
CRD.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
spiffeIDTemplate:
description: SPIFFEID is the SPIFFE ID template. The node and pod
spec are made available to the template under .NodeSpec, .PodSpec
respectively.
type: string
ttl:
description: TTL indicates an upper-bound time-to-live for SVIDs minted
for this ClusterSPIFFEID. If unset, a default will be chosen.
type: string
workloadSelectorTemplates:
description: WorkloadSelectorTemplates are templates to produce arbitrary
workload selectors that apply to a given workload before it will
receive this SPIFFE ID. The rendered value is interpreted by SPIRE
and are of the form type:value, where the value may, and often does,
contain semicolons, .e.g., k8s:container-image:docker/hello-world
The node and pod spec are made available to the template under .NodeSpec,
.PodSpec respectively.
items:
type: string
type: array
required:
- spiffeIDTemplate
type: object
status:
description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID
properties:
stats:
description: Stats produced by the last entry reconciliation run
properties:
entriesMasked:
description: How many entries were masked by entries for other
ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
produce an entry for the same pod with the same set of workload
selectors.
type: integer
entriesToSet:
description: How many entries are to be set for this ClusterSPIFFEID.
In nominal conditions, this should reflect the number of pods
selected, but not always if there were problems encountered
rendering an entry for the pod (RenderFailures) or entries are
masked (EntriesMasked).
type: integer
entryFailures:
description: How many entries were unable to be set due to failures
to create or update the entries via the SPIRE Server API.
type: integer
namespacesIgnored:
description: How many (selected) namespaces were ignored (based
on configuration).
type: integer
namespacesSelected:
description: How many namespaces were selected.
type: integer
podEntryRenderFailures:
description: How many failures were encountered rendering an entry
selected pods. This could be due to either a bad template in
the ClusterSPIFFEID or Pod metadata that when applied to the
template did not produce valid entry values.
type: integer
podsSelected:
description: How many pods were selected out of the namespaces.
type: integer
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
Loading