This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

Add support for Vault UpstreamAuthority plugin - K8s Auth #415

Merged (24 commits) on Sep 15, 2023
Changes from 21 commits
Commits
24 commits
c17546a
Add Vault UpstreamAuthority scaffolding
LaithLite Jul 31, 2023
af42437
Add volume, volume mount and token template
LaithLite Aug 3, 2023
8f6e0bc
Update default value for k8s token path
LaithLite Aug 3, 2023
de9d229
Edit tokenPath to token
LaithLite Sep 1, 2023
8ae1119
Add token expiry, token audience
LaithLite Sep 1, 2023
0d91e3a
Fix missing camelCase, remove old scaffolding
LaithLite Sep 1, 2023
412a3a7
Edit vault namespace to be conditionally added
LaithLite Sep 1, 2023
fd5cc78
Edit token audience default value
LaithLite Sep 1, 2023
639b887
Edit token path to fit spire directory
LaithLite Sep 1, 2023
e07e19d
Add vault server cert templating & options
LaithLite Sep 1, 2023
5470493
Add documentation
LaithLite Sep 1, 2023
2ed722c
Add missing if statement to fix volume template
LaithLite Sep 1, 2023
13b5ecd
Fix volumemount template
LaithLite Sep 1, 2023
5d73734
Edit PSAT to use default value of API server
LaithLite Sep 3, 2023
f5594c1
Fix bad configmap formatting
LaithLite Sep 4, 2023
601af1c
Remove token path option, change psat path to work
LaithLite Sep 4, 2023
a4892f9
Fix documentation whitespacing issues
marcofranssen Sep 4, 2023
628d87e
Edit certificate to be ca.crt, update docs
LaithLite Sep 4, 2023
1750e76
Edit PSAT path to standardise with Spire Agent
LaithLite Sep 5, 2023
a364be2
Merge branch 'main' into vault-upstream
marcofranssen Sep 8, 2023
29ef04c
Update default to Secret for Vault Ca Cert
LaithLite Sep 11, 2023
f75eabb
Edit default PSAT audience to 'vault'
LaithLite Sep 13, 2023
453a1ce
Merge branch 'main' of https://github.com/spiffe/helm-charts into vau…
LaithLite Sep 14, 2023
aa4c1fc
Fix docs
LaithLite Sep 14, 2023
13 changes: 13 additions & 0 deletions charts/spire/README.md
Expand Up @@ -540,6 +540,19 @@ Now you can interact with the Spire agent socket from your own application. The
| spire-server.upstreamAuthority.spire.server.address | string | `""` | |
| spire-server.upstreamAuthority.spire.server.port | int | `8081` | |
| spire-server.upstreamAuthority.spire.upstreamDriver | string | `""` | |
| spire-server.upstreamAuthority.vault.caCert | object | `{"name":"vault-ca","type":"ConfigMap"}` | The CA Certificate file used to verify the Vault server certificate. Only PEM format is supported |
| spire-server.upstreamAuthority.vault.caCert.name | string | `"vault-ca"` | Name of the Kubernetes resource containing the Vault server certificate |
| spire-server.upstreamAuthority.vault.caCert.type | string | `"ConfigMap"` | Type of resource representing the Vault server certificate, options are 'Secret' or 'Configmap', the item must be named `ca.crt` |
| spire-server.upstreamAuthority.vault.enabled | bool | `false` | |
| spire-server.upstreamAuthority.vault.insecureSkipVerify | bool | `false` | If true, caCert options are ignored and Spire accepts any server certificates claiming to be Vault |
| spire-server.upstreamAuthority.vault.k8sAuth.enabled | bool | `false` | |
| spire-server.upstreamAuthority.vault.k8sAuth.k8sAuthMountPoint | string | `"kubernetes"` | Name of the mount point where the Kubernetes auth method is mounted |
| spire-server.upstreamAuthority.vault.k8sAuth.k8sAuthRoleName | string | `""` | Required - Name of the Vault role. The plugin authenticates against the named role |
| spire-server.upstreamAuthority.vault.k8sAuth.token.audience | string | `""` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Configure Service Accounts'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) and ['Service Account Token'](https://kubernetes.io/docs/concepts/storage/projected-volumes/#serviceaccounttoken) for more info on 'Audience'. |
| spire-server.upstreamAuthority.vault.k8sAuth.token.expiry | int | `7200` | Expiry time in seconds for the token |
| spire-server.upstreamAuthority.vault.namespace | string | `""` | Name of the Vault namespace. This is only available in the Vault Enterprise. |
| spire-server.upstreamAuthority.vault.pkiMountPoint | string | `"pki"` | Name of the mount point where PKI secret engine is mounted |
| spire-server.upstreamAuthority.vault.vaultAddr | string | `""` | The URL of the Vault server. (e.g., https://vault.example.com:8443/) |
| tornjak-frontend.affinity | object | `{}` | |
| tornjak-frontend.apiServerURL | string | `"http://localhost:10000/"` | URL of the Tornjak APIs (backend) Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. |
| tornjak-frontend.fullnameOverride | string | `""` | |
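Review bot: the default shown here for `spire-server.upstreamAuthority.vault.caCert.type` is `"ConfigMap"` (and the `caCert` object row lists `"type":"ConfigMap"`), but the sub-chart README and values.yaml in this same change default it to `Secret`; this table appears not to have been regenerated after the default was switched, so rerun the docs generator so both READMEs agree. The same row spells the option 'Configmap' while the default is spelled 'ConfigMap'; the template lowercases the value before comparing, so both work, but the description should settle on one spelling.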
14 changes: 13 additions & 1 deletion charts/spire/charts/spire-server/README.md
Expand Up @@ -81,7 +81,7 @@ curl --cacert CA/rootCA.crt --key client.key --cert client.crt https://localhos

In order to run Tornjak with simple HTTP Connection only, make sure you don't create any `Secrets` or `ConfigMaps` listed above.

## Parameters
## Parameters

### Chart parameters

Expand Down Expand Up @@ -197,6 +197,18 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `upstreamAuthority.spire.server` | Server details for the Spire instance use as upstream CA | |
| `upstreamAuthority.spire.server.address` | Address for upstream Spire server | `""` |
| `upstreamAuthority.spire.server.port` | Port for upstream Spire server | `8081` |
| `upstreamAuthority.vault.enabled` | Enable Hashicorp Vault as upstream CA | `false` |
| `upstreamAuthority.vault.vaultAddr` | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `""` |
| `upstreamAuthority.vault.namespace` | Name of the Vault namespace. This is only available in the Vault Enterprise. | `""` |
| `upstreamAuthority.vault.pkiMountPoint` | Name of the mount point where PKI secret engine is mounted | `pki` |
| `upstreamAuthority.vault.insecureSkipVerify` | If true, caCert options are ignored and Spire accepts any server certificates claiming to be Vault | `false` |
| `upstreamAuthority.vault.caCert.type` | Type of resource representing the Vault server certificate, options are 'Secret' or 'Configmap', the item must be named `ca.crt` | `Secret` |
| `upstreamAuthority.vault.caCert.name` | Name of the Kubernetes resource containing the Vault server certificate | `vault-ca` |
| `upstreamAuthority.vault.k8sAuth.enabled` | Enable k8s authentication to Hashicorp Vault | `false` |
| `upstreamAuthority.vault.k8sAuth.k8sAuthMountPoint` | Name of the mount point where the Kubernetes auth method is mounted | `kubernetes` |
| `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` |
| `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. | `""` |
| `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` |
| `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` |
| `controllerManager.enabled` | Flag to enable controller manager | `false` |
| `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
32 changes: 32 additions & 0 deletions charts/spire/charts/spire-server/templates/configmap.yaml
Expand Up @@ -157,6 +157,38 @@ plugins:
{{- end }}
{{- end }}

{{- with .Values.upstreamAuthority.vault }}
{{- if eq (.enabled | toString) "true" }}
{{- $upstreamAuthorityUsed = add1 $upstreamAuthorityUsed }}
UpstreamAuthority:
vault:
plugin_data:
vault_addr: {{ .vaultAddr | quote }}
pki_mount_point: {{ .pkiMountPoint | quote }}
insecure_skip_verify: {{ .insecureSkipVerify }}
{{- if ne (.insecureSkipVerify | toString) "true" }}
ca_cert_path: "/run/spire/vault-upstream/ca.crt"
{{- end }}
{{- if ne .namespace "" }}
namespace: {{ .namespace | quote }}
{{- end }}

{{- $vaultAuthMethodUsed := 0 }}
{{- with .k8sAuth }}
{{- if eq (.enabled | toString) "true" }}
{{- $vaultAuthMethodUsed = add1 $vaultAuthMethodUsed }}
k8s_auth:
k8s_auth_mount_point: {{ .k8sAuthMountPoint | quote }}
k8s_auth_role_name: {{ .k8sAuthRoleName | quote }}
token_path: "/var/run/secrets/tokens/spire-server"
{{- end }}
{{- end }}
{{- if gt $vaultAuthMethodUsed 1 }}
{{- fail "You can only enable a single authentication mechanism to an upstream Vault." }}
{{- end }}
{{- end }}
{{- end }}

{{- with .Values.upstreamAuthority.awsPCA }}
{{- if eq (.enabled | toString) "true" }}
{{- $upstreamAuthorityUsed = add1 $upstreamAuthorityUsed }}
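Review bot: `k8sAuthRoleName` is documented as 'Required', but this template silently renders `k8s_auth_role_name: ""` when the value is left at its default, which only surfaces later as a Vault login failure; add a guard inside the `k8sAuth` block, e.g. `{{- if eq .k8sAuthRoleName "" }}{{- fail "upstreamAuthority.vault.k8sAuth.k8sAuthRoleName is required" }}{{- end }}`. Along the same lines, `$vaultAuthMethodUsed` can only ever reach 1 here because k8sAuth is the single method wired up, so the `gt $vaultAuthMethodUsed 1` check cannot trigger yet; the check that helps today is `eq $vaultAuthMethodUsed 0`, failing with a message that Vault is enabled without an authentication mechanism instead of emitting a plugin block with no authentication configured.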
41 changes: 40 additions & 1 deletion charts/spire/charts/spire-server/templates/statefulset.yaml
Expand Up @@ -167,7 +167,19 @@ spec:
subPath: policy.json
readOnly: true
{{ end }}
{{ end }}
{{- end }}
{{- with .Values.upstreamAuthority.vault }}
{{- if eq (.enabled | toString) "true" }}
{{- if eq (.k8sAuth.enabled | toString) "true" }}
- name: spire-psat
mountPath: /var/run/secrets/tokens
{{- end }}
{{- if ne (.insecureSkipVerify | toString) "true" }}
- name: vault-ca
mountPath: /run/spire/vault-upstream
{{- end }}
{{- end }}
{{- end }}
{{- if gt (len .Values.extraVolumeMounts) 0 }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
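Review bot: the new `vault-ca` and `spire-psat` volumeMounts should carry `readOnly: true`, matching the `readOnly: true` on the policy.json mount in the surrounding context; the server only reads the CA bundle and the projected token, and a read-only mount keeps a misbehaving process in the container from altering the trust anchor used to verify the Vault server.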
Expand Down Expand Up @@ -354,6 +366,33 @@ spec:
path: {{ .Values.persistence.hostPath }}
type: Directory
{{- end }}
{{- with .Values.upstreamAuthority.vault }}
{{- if eq (.enabled | toString) "true" }}
{{- if ne (.insecureSkipVerify | toString) "true" }}
{{- if eq (.caCert.type | lower) "configmap" }}
- name: vault-ca
configMap:
name: {{ .caCert.name }}
{{- else if eq (.caCert.type | lower) "secret" }}
- name: vault-ca
secret:
secretName: {{ .caCert.name }}
optional: false
{{- end }}
{{- end -}}
{{- if eq (.k8sAuth.enabled | toString) "true" }}
- name: spire-psat
projected:
sources:
- serviceAccountToken:
path: spire-server
expirationSeconds: {{ .k8sAuth.token.expiry }}
{{- if ne .k8sAuth.token.audience "" }}
audience: {{ .k8sAuth.token.audience }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}
{{- if eq .Values.persistence.type "pvc" }}
volumeClaimTemplates:
- metadata:
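Review bot: when `insecureSkipVerify` is false and `caCert.type` is neither `configmap` nor `secret`, this block emits no `vault-ca` volume while the volumeMounts section still references one, so the pod fails to create with a volume-not-found error rather than a clear message; add an `{{- else }}` branch that calls `fail` naming the accepted values. The trailing-trim `{{- end -}}` on the closing actions here also differs from the `{{- end }}` form used elsewhere in this file; it is harmless because the following template action trims as well, but one consistent style is easier to maintain.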
37 changes: 34 additions & 3 deletions charts/spire/charts/spire-server/values.yaml
Expand Up @@ -25,13 +25,13 @@ image:
## @param imagePullSecrets [array] Pull secrets for images
imagePullSecrets: []

## @param nameOverride Name override
## @param nameOverride Name override
nameOverride: ""

## @param namespaceOverride Namespace override
## @param namespaceOverride Namespace override
namespaceOverride: ""

## @param fullnameOverride Fullname override
## @param fullnameOverride Fullname override
fullnameOverride: ""

## @param serviceAccount.create Specifies whether a service account should be created
Expand Down Expand Up @@ -327,6 +327,37 @@ upstreamAuthority:
address: ""
## @param upstreamAuthority.spire.server.port Port for upstream Spire server
port: 8081
vault:
## @param upstreamAuthority.vault.enabled Enable Hashicorp Vault as upstream CA
enabled: false
## @param upstreamAuthority.vault.vaultAddr The URL of the Vault server. (e.g., https://vault.example.com:8443/)
vaultAddr: ""
## @param upstreamAuthority.vault.namespace Name of the Vault namespace. This is only available in the Vault Enterprise.
namespace: ""
## @param upstreamAuthority.vault.pkiMountPoint Name of the mount point where PKI secret engine is mounted
pkiMountPoint: "pki"
## @param upstreamAuthority.vault.insecureSkipVerify If true, caCert options are ignored and Spire accepts any server certificates claiming to be Vault
insecureSkipVerify: false
caCert:
## @param upstreamAuthority.vault.caCert.type Type of resource representing the Vault server certificate, options are 'Secret' or 'Configmap', the item must be named `ca.crt`
type: Secret
## @param upstreamAuthority.vault.caCert.name Name of the Kubernetes resource containing the Vault server certificate
name: vault-ca

k8sAuth:
## @param upstreamAuthority.vault.k8sAuth.enabled Enable k8s authentication to Hashicorp Vault
enabled: false
## @param upstreamAuthority.vault.k8sAuth.k8sAuthMountPoint Name of the mount point where the Kubernetes auth method is mounted
k8sAuthMountPoint: "kubernetes"
## @param upstreamAuthority.vault.k8sAuth.k8sAuthRoleName Required - Name of the Vault role. The plugin authenticates against the named role
k8sAuthRoleName: ""
token:
## @param upstreamAuthority.vault.k8sAuth.token.audience Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server.
# See ['Configure Service Accounts'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection)
# and ['Service Account Token'](https://kubernetes.io/docs/concepts/storage/projected-volumes/#serviceaccounttoken) for more info on 'Audience'.
audience: ""
## @param upstreamAuthority.vault.k8sAuth.token.expiry Expiry time in seconds for the token
expiry: 7200

notifier:
k8sbundle: