diff --git a/README.md b/README.md index 8e4903a7f..3b9b2917d 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ A suite of [Helm Charts](https://helm.sh/docs) for standardized installations of ## How to install or upgrade You most likely want to do an integrated setup based on the spire chart. -See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-notes). +See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-instructions). ## Contributing diff --git a/charts/spire/README.md b/charts/spire/README.md index 4dbfbd014..9d2d63516 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -7,33 +7,74 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spi **Homepage:** -## Install notes +## Install Instructions -To do a quick non production install suitable for quick testing in something like minikube: +### Non Production +To do a quick install suitable for testing in something like minikube: ```shell -helm install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace -helm install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ +helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace +helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ ``` -To customize, start with a base values file and edit as needed: +### Production + +Preparing a production deployment requires a few steps. + +1. Save the following to your-values.yaml, ideally in your git repo. +```yaml +global: + openshift: false # If running on openshift, set to true + spire: + recommendations: + enabled: true + namespaces: + create: true + ingressControllerType: "" # If not openshift, and want to expose services, set to a supported option [ingress-nginx] + # Update these + clusterName: example-cluster + trustDomain: example.org +spire-server: + ca_subject: + # Update these + country: ARPA + organization: Example + common_name: example.org +``` +2. If you need a non default storageClass, append the following to the spire-server section and update: +``` + persistence: + storageClass: your-storage-class +``` + +3. 
If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting: ```shell -curl -o your-values.yaml https://raw.githubusercontent.com/spiffe/helm-charts-hardened/main/examples/production/example-your-values.yaml +oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//' ``` -Then: +4. Find any additional values you might want to set based on the documentation below or using the [examples](https://github.com/spiffe/helm-charts-hardened/tree/main/examples) + +In particular, consider using an external database. + +5. Deploy ```shell -helm install -n spire-server spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml +helm upgrade --install -n spire-mgmt spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace +helm upgrade --install -n spire-mgmt spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml ``` -For production installs, please see [the production example](https://github.com/spiffe/helm-charts-hardened/tree/spire-0.16.0/examples/production). - ## Upgrade notes We only support upgrading one major version at a time. Version skipping isn't supported. +### 0.17.X + +- The SPIFFE OIDC Discovery Provider now has many new TLS options and defaults to using SPIRE to issue its certificate. +- The `spiffe-oidc-discovery-provider.insecureScheme.enabled` flag was removed. If you previously set that flag, remove the setting from your values.yaml and see if the new default of using a SPIRE issued certificate is suitable for your deployment. If it isn't, please consider one of the other options under `spiffe-oidc-discovery-provider.tls`. If all other options are still unsuitable, you can still enable the previous mode by disabling TLS. (`spiffe-oidc-discovery-provider.spire.enabled=false`) + +- The SPIFFE OIDC Discovery Provider is now enabled by default. 
If you previously chose to have it off, you can disable it explicitly with `spiffe-oidc-discovery-provider.enabled=false`. + ### 0.16.X The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade. diff --git a/examples/nested/values.yaml b/examples/nested/values.yaml index b2722b079..f06b140c6 100644 --- a/examples/nested/values.yaml +++ b/examples/nested/values.yaml @@ -3,13 +3,11 @@ global: upstreamSpireAddress: spire-server.spire-root-server spire-server: - enabled: true upstreamAuthority: spire: enabled: true upstreamDriver: upstream.csi.spiffe.io controllerManager: - enabled: true identities: clusterSPIFFEIDs: default: diff --git a/examples/openshift/README.md b/examples/openshift/README.md deleted file mode 100644 index 1e5181586..000000000 --- a/examples/openshift/README.md +++ /dev/null 
@@ -1,80 +0,0 @@ -# Recommended setup for installing Spire on Openshift - -> [!Note] -> This functionality is under development. It works but has no automated testing and will have security tightened in the future. - -This deployment works only with Openshift version 4.13 or higher. Get the Openshift platform here: [try.openshift.com](try.openshift.com) - -To be consistent with the rest of the Spire helm-charts, -we deploy Spire across 2 namespaces. - -```shell -kubectl create namespace "spire-system" -kubectl create namespace "spire-server" - -#Note, the first install requires privilege due to helm ordering issue. After install it can be safely tightened back up. -kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=privileged - -kubectl label namespace "spire-system" security.openshift.io/scc.podSecurityLabelSync=false -kubectl label namespace "spire-system" pod-security.kubernetes.io/enforce=privileged -kubectl label namespace "spire-system" pod-security.kubernetes.io/warn=privileged --overwrite -kubectl label namespace "spire-system" pod-security.kubernetes.io/audit=privileged --overwrite - -helm upgrade --install --namespace spire-server spire-crds charts/spire-crds -``` - -Obtain you ingress subdomain: - -```shell -appdomain=$(oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//') -echo "$appdomain" -``` - -Update the `example-your-values.yaml` file with your subdomain. 
- -> [!Note] -> The location of the apps subdomain may be different in certain environments_ - -## Standard Deployment - -```shell -helm upgrade --install --namespace spire-server spire charts/spire \ ---values examples/production/values.yaml \ ---values examples/openshift/openshift-values.yaml \ ---values examples/production/example-your-values.yaml \ ---render-subchart-notes -``` - -## IBM Cloud Deployment - -Openshift on IBM Cloud requires additional configuration: - -```shell -helm upgrade --install --namespace spire-server spire charts/spire \ ---values examples/production/values.yaml \ ---values examples/openshift/openshift-values.yaml \ ---set spiffe-csi-driver.kubeletPath=/var/data/kubelet \ ---set spiffe-csi-driver.restrictedScc.enabled=true \ ---values examples/production/example-your-values.yaml \ ---render-subchart-notes -``` - -## Feature Customization - -Additional features such as tornjak can be enabled by including their example values files before --values examples/production/example-your-values.yaml - -For example: - -```shell ---values examples/openshift/openshift-values.yaml \ ---values examples/tornjak/values.yaml \ ---values examples/production/example-your-values.yaml \ -``` - -## Finish install - -Once installed, the namespace security can be tightened back up. - -```shell -kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=restricted --overwrite -``` diff --git a/examples/openshift/openshift-values.yaml b/examples/openshift/openshift-values.yaml deleted file mode 100644 index 87ea5a320..000000000 --- a/examples/openshift/openshift-values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -global: - openshift: true diff --git a/examples/openshift/values-ibm-cloud.yaml b/examples/openshift/values-ibm-cloud.yaml new file mode 100644 index 000000000..b83ce678a --- /dev/null +++ b/examples/openshift/values-ibm-cloud.yaml @@ -0,0 +1,5 @@ +spiffe-csi-driver: + kubeletPath: /var/data/kubelet + restrictedScc: + enabled: true +
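Review bot: In the charts/spire/README.md install hunk, the Production commands install into `-n spire-mgmt` while the Non Production ones a few lines above use `-n spire-server`, and nothing says why; with `recommendations.enabled: true` and `namespaces.create: true` in step 1 the chart presumably creates the workload namespaces itself, so state that next to step 5, otherwise readers will assume one of the two namespaces is a typo. Other points in the same hunk: the step-2 fence has no language tag while the neighbouring blocks use ```yaml and ```shell; step 3 tells OpenShift users to put the `oc get cm -n openshift-config-managed console-public ...` output into `trustDomain`, but the deleted examples/openshift/README.md described that same command as obtaining the ingress (apps) subdomain, so explain why the trust domain should equal the apps subdomain and remind the reader to flip `openshift: false` to `true` in the step-1 values; step 4's "consider using an external database" should name the values key or link the example rather than leave it to the reader; `country: ARPA` under `ca_subject` is not a two-letter ISO 3166 code as X.509 `C` expects, and although it is marked "Update these", a realistic placeholder is less likely to be copied verbatim; and for a production deployment the `helm upgrade --install` lines should carry `--version` so the CRDs and chart move only when the operator decides, not whenever the repo index changes.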
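Review bot: In the 0.17.X upgrade-notes hunk, the last values path in the second bullet, `spiffe-oidc-discovery-provider.spire.enabled=false`, is not under the `spiffe-oidc-discovery-provider.tls` tree that the same bullet tells readers to look at; confirm whether it should be `spiffe-oidc-discovery-provider.tls.spire.enabled=false`, because Helm ignores an unknown key silently and the user ends up keeping the default they tried to change. Since that setting recreates the removed `insecureScheme` mode, say outright that the discovery document and JWKS are then served over plain HTTP and that this is only acceptable behind a TLS-terminating proxy. The third bullet says the provider is now enabled by default; add whether that also creates an ingress when `global.spire.ingressControllerType` is set, since that is the difference between an in-cluster service and an externally reachable endpoint. Minor: there is a blank line between the second and third bullets but not between the first and second.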
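Review bot: In the examples/nested/values.yaml hunk, dropping `enabled: true` for `spire-server` and for `spire-server.controllerManager` only keeps the nested example working if the chart default for both is already `true`; confirm that, ideally with a one-line comment, otherwise the example stops deploying the server and the controller manager without any error from Helm.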
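Review bot: The deleted examples/openshift/README.md carried security-relevant procedure that the new chart README does not pick up: creating the namespaces with `pod-security.kubernetes.io/enforce=privileged` and `security.openshift.io/scc.podSecurityLabelSync=false` for the first install, and the "Finish install" step that tightens `spire-server` back to `enforce=restricted`. If `recommendations.enabled` and `namespaces.create` now apply the right labels and the privileged-first-install workaround is obsolete, say so in the upgrade notes; if not, the workaround and especially the tighten-back step should move into the new Production section rather than disappear, since a reader following the old page and the new one will be left with a privileged namespace. The "Feature Customization" pointer to the tornjak values file is also gone with nothing replacing it. Removing examples/openshift/openshift-values.yaml itself is fine now that `global.openshift` is part of the step-1 values.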
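Review bot: Nothing in the new examples/openshift/values-ibm-cloud.yaml or in the README says when this file applies; the deleted README explained that OpenShift on IBM Cloud needs `spiffe-csi-driver.kubeletPath=/var/data/kubelet` and `spiffe-csi-driver.restrictedScc.enabled=true`. Add a header comment in the file (for example `# Additional values for OpenShift on IBM Cloud; pass with -f examples/openshift/values-ibm-cloud.yaml`) or a sentence in step 4 of the Production instructions, and drop the trailing empty `+` line at the end of the file.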