diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile new file mode 100644 index 000000000..adf8dc398 --- /dev/null +++ b/.devcontainer/Dockerfile @@ -0,0 +1,82 @@ +FROM ubuntu:22.04 +RUN \ + apt-get update && \ + apt-get install -y bash ca-certificates gnupg make curl vim sudo jq && \ + curl -sL https://deb.nodesource.com/setup_18.x -o nodesource_setup.sh && \ + mkdir -p /etc/apt/keyrings && \ + curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \ + echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | sudo tee /etc/apt/sources.list.d/nodesource.list && \ + apt-get update && \ + apt-get install -y nodejs && \ + apt-get clean && \ + curl -o /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 && \ + chmod +x /usr/local/bin/yq +RUN \ + curl -q -l -o /tmp/go.tgz "https://dl.google.com/go/go1.21.4.linux-amd64.tar.gz" && \ + cd /usr/local && \ + tar -xvf /tmp/go.tgz && \ + rm -f /tmp/go.tgz && \ + cd / +RUN \ + curl -L -o /usr/local/bin/minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 && \ + chmod +x /usr/local/bin/minikube && \ + curl -L -o /usr/local/bin/kubectl "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \ + chmod +x /usr/local/bin/kubectl + +RUN \ + curl -fsSL -o /tmp/get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \ + chmod +x /tmp/get_helm.sh && \ + /tmp/get_helm.sh && \ + rm /tmp/get_helm.sh + +RUN \ + groupadd -g 10001 dev && \ + useradd --uid 10001 -g 10001 -m dev && \ + echo 'dev ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/dev && \ + chmod 400 /etc/sudoers.d/dev + +ENV PATH /usr/local/go/bin:$PATH + +RUN \ + npm install -g "@bitnami/readme-generator-for-helm@2.6.0" + +RUN \ + go install github.com/onsi/ginkgo/v2/ginkgo@latest + +RUN \ + apt-get install -y git zsh strace lsof graphviz && \ + mv /root/go/bin/ginkgo /usr/local/bin + +RUN \ + curl -L -o /tmp/ct.tar.gz https://github.com/helm/chart-testing/releases/download/v3.8.0/chart-testing_3.8.0_linux_amd64.tar.gz && \ + cd /usr/local/bin && \ + tar -xvf /tmp/ct.tar.gz ct && \ + cd / && \ + tar -xvf /tmp/ct.tar.gz etc && \ + mkdir /etc/ct && \ + mv /etc/chart_schema.yaml /etc/ct/ && \ + mv /etc/lintconf.yaml /etc/ct/ && \ + curl -o /tmp/gh.tar.gz https://github.com/cli/cli/releases/download/v2.40.0/gh_2.40.0_linux_amd64.tar.gz -L && \ + cd && \ + cd /tmp && \ + tar -zxvf gh.tar.gz && \ + mv gh_*_linux_amd64/bin/* /usr/local/bin && \ + mkdir -p /usr/local/share/main/man1/ && \ + mv gh_*_linux_amd64/share/man/man1/* /usr/local/share/main/man1/ && \ + cd + +RUN \ + cd /tmp && \ + git clone https://github.com/devcontainers/features && \ + cd features/src/docker-in-docker && \ + export MOBY=true && \ + export INSTALLDOCKERBUILDX=false && \ + ./install.sh && \ + cd ../../../ && \ + rm -rf features + +RUN \ + usermod -a -G docker dev + +USER dev + diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 000000000..6371257b3 --- /dev/null +++ b/.devcontainer/devcontainer.json @@ -0,0 +1,30 @@ +{ + "name": "spiffe-helm-charts-hardened", + "image": "ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest", + "features": { + "ghcr.io/devcontainers/features/docker-in-docker:2": { + "version": "latest", + "moby": true, + "installDockerBuildx": false + } + }, + "customizations": { + "vscode": { + "extensions": [ + "ms-kubernetes-tools.vscode-kubernetes-tools" + ], + "settings": { + "terminal.integrated.defaultProfile.linux": "bash", + "terminal.integrated.profiles.linux": { + "zsh": { "path": "/bin/zsh" }, + "bash": { "path": "/bin/bash" } + } + } + } + }, + "postStartCommand": "minikube start && helm upgrade --install -n spire-server spire-crds charts/spire-crds --create-namespace && kubectl version", + "hostRequirements": { + "cpus": 1 + }, + "remoteUser": "dev" +} diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 79594ddad..0497334cd 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,26 +2,26 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "54.2.2" + "version": "56.0.1" }, { "name": "cert-manager", "repo": "https://charts.jetstack.io", - "version": "v1.13.2" + "version": "v1.13.3" }, { "name": "ingress-nginx", "repo": "https://kubernetes.github.io/ingress-nginx", - "version": "4.8.3" + "version": "4.9.0" }, { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "9.14.4" + "version": "9.18.0" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "13.2.18" + "version": "13.3.1" } ] diff --git a/.github/tests/common.sh b/.github/tests/common.sh index 3fa18df23..6cb4f6e02 100755 --- a/.github/tests/common.sh +++ b/.github/tests/common.sh @@ -22,6 +22,7 @@ $(kubectl --request-timeout=30s describe pods --namespace "$1") \`\`\`shell $(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done) +$( ([[ -n "$2" ]] && kubectl get pods -o name -n "$2") | while read -r line; do echo logs for "${line}"; kubectl logs -n "$2" "${line}" --all-containers=true --ignore-errors=true; done) \`\`\` EOF @@ -36,7 +37,7 @@ k_rollout_status () { } get_spire_release_name () { - helm ls -A | grep '^spire' | awk '{print $1}' + helm ls -A | grep '^spire' | grep -v spire-crds | awk '{print $1}' } print_spire_workload_status () { diff --git a/.github/tests/dependencies/spire-root-server-values.yaml b/.github/tests/dependencies/spire-root-server-values.yaml index 124c8dd4a..e7bda6298 100644 --- a/.github/tests/dependencies/spire-root-server-values.yaml +++ b/.github/tests/dependencies/spire-root-server-values.yaml @@ -8,13 +8,23 @@ spire-server: identities: clusterSPIFFEIDs: default: + type: raw + spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} namespaceSelector: - kubernetes.io/metadata.name: spire-server + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: In + values: [spire-server] podSelector: - app.kubernetes.io/component: server - app.kubernetes.io/instance: spire - app.kubernetes.io/name: server + matchLabels: + release: spire + release-namespace: spire-server + component: server downstream: true + oidc-discovery-provider: + enabled: false + test-keys: + enabled: false nodeAttestor: k8sPsat: serviceAccountAllowList: @@ -24,6 +34,9 @@ spire-server: k8sbundle: namespace: spire-system +spiffe-oidc-discovery-provider: + enabled: false + spire-agent: enabled: false diff --git a/.github/tests/images.json b/.github/tests/images.json index 7ecacdb74..271dca192 100644 --- a/.github/tests/images.json +++ b/.github/tests/images.json @@ -34,6 +34,10 @@ "query": "telemetry.prometheus.nginxExporter.image", "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$", "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"] + }, { + "query": "tests.step.image", + "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$", + "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"] }, { "query": "tests.bash.image", diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml index 766fe14e9..26f6f3915 100644 --- a/.github/workflows/check-versions.yaml +++ b/.github/workflows/check-versions.yaml @@ -33,7 +33,7 @@ jobs: git diff - name: Setup go - uses: actions/setup-go@v4.1.0 + uses: actions/setup-go@v5.0.0 with: go-version: '1.21' cache: false @@ -41,7 +41,7 @@ jobs: - name: Setup crane uses: imjasonh/setup-crane@v0.3 - - uses: actions/setup-python@v4.6.1 + - uses: actions/setup-python@v5 with: python-version: '3.9' diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml index 07841e4f3..b2aad512b 100644 --- a/.github/workflows/helm-chart-ci-ignore.yaml +++ b/.github/workflows/helm-chart-ci-ignore.yaml @@ -30,9 +30,9 @@ jobs: strategy: matrix: k8s: - - v1.27.2 - - v1.26.4 - - v1.25.9 + - v1.28.0 + - v1.27.3 + - v1.26.6 steps: - run: 'echo "Skipping tests"' @@ -65,9 +65,9 @@ jobs: strategy: matrix: k8s: - - v1.27.2 - - v1.26.4 - - v1.25.9 + - v1.28.0 + - v1.27.3 + - v1.26.6 example: - ${{ fromJson(needs.build-matrix.outputs.examples) }} diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index e2a2abd97..a0d865936 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -73,7 +73,7 @@ jobs: fi - name: Setup Go - uses: actions/setup-go@v4.1.0 + uses: actions/setup-go@v5.0.0 with: go-version-file: tests/go.mod cache-dependency-path: tests/go.sum @@ -104,7 +104,7 @@ jobs: version: ${{ env.HELM_VERSION }} - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ env.PYTHON_VERSION }} @@ -130,9 +130,9 @@ jobs: # Kubernetes, but can go back farther as long as we don't need heroics # to pull it off (i.e. kubectl version juggling). k8s: - - v1.27.2 - - v1.26.4 - - v1.25.9 + - v1.28.0 + - v1.27.3 + - v1.26.6 steps: - name: Checkout @@ -146,7 +146,7 @@ jobs: version: ${{ env.HELM_VERSION }} - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ env.PYTHON_VERSION }} @@ -209,9 +209,9 @@ jobs: fail-fast: false matrix: k8s: - - v1.27.2 - - v1.26.4 - - v1.25.9 + - v1.28.0 + - v1.27.3 + - v1.26.6 example: - ${{ fromJson(needs.build-matrix.outputs.examples) }} @@ -225,7 +225,7 @@ jobs: version: ${{ env.HELM_VERSION }} - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ env.PYTHON_VERSION }} @@ -240,8 +240,13 @@ jobs: - name: Install and test example run: | - kubectl create namespace spire-server - helm install -n spire-server spire-crds charts/spire-crds + if [ "${{ matrix.example }}" = "examples/federation" ]; then + kubectl create namespace spire-mgmt + helm install -n spire-mgmt spire-crds charts/spire-crds + else + kubectl create namespace spire-server + helm install -n spire-server spire-crds charts/spire-crds + fi ${{ matrix.example }}/run-tests.sh upgrade-test: @@ -255,9 +260,9 @@ jobs: fail-fast: false matrix: k8s: - - v1.27.2 - - v1.26.4 - - v1.25.9 + - v1.28.0 + - v1.27.3 + - v1.26.6 steps: - name: Checkout @@ -269,7 +274,7 @@ jobs: version: ${{ env.HELM_VERSION }} - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ env.PYTHON_VERSION }} diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 99b35089a..a5b24c3b7 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -29,9 +29,9 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Setup cosign - uses: sigstore/cosign-installer@v3.2.0 + uses: sigstore/cosign-installer@v3.3.0 with: - cosign-release: v2.2.0 + cosign-release: v2.2.2 - name: Set up Helm uses: azure/setup-helm@v3.5 diff --git a/.github/workflows/update-devcontainer-image.yaml b/.github/workflows/update-devcontainer-image.yaml new file mode 100644 index 000000000..6bd3368f0 --- /dev/null +++ b/.github/workflows/update-devcontainer-image.yaml @@ -0,0 +1,44 @@ +name: Update devcontainer image + +on: + schedule: + - cron: '0 8 * * 1' + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +env: + HELM_VERSION: v3.11.1 + +jobs: + build-and-push-devcontainer-image: + runs-on: ubuntu-20.04 + permissions: + contents: read + id-token: write + packages: write + + env: + COSIGN_EXPERIMENTAL: 1 + + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Install cosign + uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 + with: + cosign-release: v2.2.2 + - name: Install regctl + uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main + - name: Log in to GHCR + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build / Push images + run: | + set -e + cd .devcontainer/ + docker build -t ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest . + docker push ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1d4a7ae5e..b66b87790 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -60,3 +60,7 @@ Any changes to Chart.yaml or values.yaml require an update of the README.md. Thi In contrary to many other Helm repositories we do NOT require contributors to increate the Chart version. We have customized our release pipeline so we can bundle various PRs in a single release. Maintainers of the helm-charts in this repo will take care of the semantic versioning. [readme-generator]: https://github.com/bitnami-labs/readme-generator-for-helm "Auto generate READMEs for Helm Charts." + +## devcontainer support + +We have a usable devcontainer with all the dev tools preinstalled to make contributions easier. You should be able to use it via Codespaces (https://github.com/codespaces/), Visual Studio Code (https://code.visualstudio.com/), DevPod (https://devpod.sh), etc. Please consult the documentation for those tools for how to use them. diff --git a/README.md b/README.md index 8e4903a7f..3b9b2917d 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ A suite of [Helm Charts](https://helm.sh/docs) for standardized installations of ## How to install or upgrade You most likely want to do an integrated setup based on the spire chart. -See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-notes). +See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-instructions). ## Contributing diff --git a/charts/spire-crds/Chart.yaml b/charts/spire-crds/Chart.yaml index 8df8b6f9d..8ac17dcf6 100644 --- a/charts/spire-crds/Chart.yaml +++ b/charts/spire-crds/Chart.yaml @@ -3,12 +3,12 @@ name: spire-crds description: > A Helm chart for deploying the Spire CRDS type: application -version: 0.2.0 +version: 0.3.0 appVersion: "0.0.1" keywords: ["spire-crds"] -home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - - https://github.com/spiffe/helm-charts/tree/main/charts/spire + - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png maintainers: - name: marcofranssen diff --git a/charts/spire-crds/README.md b/charts/spire-crds/README.md index 9f69df414..63134e185 100644 --- a/charts/spire-crds/README.md +++ b/charts/spire-crds/README.md @@ -4,7 +4,7 @@ A Helm chart to install the SPIRE CRDS. -**Homepage:** +**Homepage:** ## Maintainers @@ -17,7 +17,7 @@ A Helm chart to install the SPIRE CRDS. ## Source Code -* +* diff --git a/charts/spire-crds/templates/spire.spiffe.io_controllermanagerconfigs.yaml b/charts/spire-crds/templates/spire.spiffe.io_controllermanagerconfigs.yaml deleted file mode 100644 index 137616a6b..000000000 --- a/charts/spire-crds/templates/spire.spiffe.io_controllermanagerconfigs.yaml +++ /dev/null @@ -1,60 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - {{- .Values.annotations | toYaml | nindent 4 }} - creationTimestamp: null - name: controllermanagerconfigs.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ControllerManagerConfig - listKind: ControllerManagerConfigList - plural: controllermanagerconfigs - singular: controllermanagerconfig - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ControllerManagerConfig is the Schema for the controllermanagerconfigs - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ControllerManagerConfigSpec defines the desired state of - ControllerManagerConfig - properties: - foo: - description: Foo is an example field of ControllerManagerConfig. Edit - controllermanagerconfig_types.go to remove/update - type: string - type: object - status: - description: ControllerManagerConfigStatus defines the observed state - of ControllerManagerConfig - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 98e78959e..8de538319 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,12 +3,12 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.16.0 -appVersion: "1.8.5" +version: 0.17.0 +appVersion: "1.8.7" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] -home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - - https://github.com/spiffe/helm-charts/tree/main/charts/spire + - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png maintainers: - name: marcofranssen diff --git a/charts/spire/README.md b/charts/spire/README.md index b079db7bf..6b0b79554 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -1,39 +1,80 @@ # spire -![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.5](https://img.shields.io/badge/AppVersion-1.8.5-informational?style=flat-square) +![Version: 0.17.0](https://img.shields.io/badge/Version-0.17.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. -**Homepage:** +**Homepage:** -## Install notes +## Install Instructions -To do a quick non production install suitable for quick testing in something like minikube: +### Non Production +To do a quick install suitable for testing in something like minikube: ```shell -helm install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace -helm install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ +helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace +helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ ``` -To customize, start with a base values file and edit as needed: +### Production + +Preparing a production deployment requires a few steps. + +1. Save the following to your-values.yaml, ideally in your git repo. +```yaml +global: + openshift: false # If running on openshift, set to true + spire: + recommendations: + enabled: true + namespaces: + create: true + ingressControllerType: "" # If not openshift, and want to expose services, set to a supported option [ingress-nginx] + # Update these + clusterName: example-cluster + trustDomain: example.org +spire-server: + ca_subject: + # Update these + country: ARPA + organization: Example + common_name: example.org +``` +2. If you need a non default storageClass, append the following to the spire-server section and update: +``` + persistence: + storageClass: your-storage-class +``` + +3. If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting: ```shell -curl -o your-values.yaml https://raw.githubusercontent.com/spiffe/helm-charts-hardened/main/examples/production/example-your-values.yaml +oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//' ``` -Then: +4. Find any additional values you might want to set based on the documentation below or using the [examples](https://github.com/spiffe/helm-charts-hardened/tree/main/examples) + +In particular, consider using an external database. + +5. Deploy ```shell -helm install -n spire-server spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml +helm upgrade --install -n spire-mgmt spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace +helm upgrade --install -n spire-mgmt spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml ``` -For production installs, please see [the production example](https://github.com/spiffe/helm-charts-hardened/tree/spire-0.16.0/examples/production). - ## Upgrade notes We only support upgrading one major version at a time. Version skipping isn't supported. +### 0.17.X + +- The SPIFFE OIDC Discovery Provider now has many new TLS options and defaults to using SPIRE to issue its certificate. +- The `spiffe-oidc-discovery-provider.insecureScheme.enabled` flag was removed. If you previously set that flag, remove the setting from your values.yaml and see if the new default of using a SPIRE issued certificate is suitable for your deployment. If it isn't, please consider one of the other options under `spiffe-oidc-discovery-provider.tls`. If all other options are still unsuitable, you can still enable the previous mode by disabling TLS. (`spiffe-oidc-discovery-provider.spire.enabled=false`) + +- The SPIFFE OIDC Discovery Provider is now enabled by default. If you previously chose to have it off, you can disable it explicitly with `spiffe-oidc-discovery-provider.enabled=false`. + ### 0.16.X The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade. @@ -130,7 +171,7 @@ Now you can interact with the Spire agent socket from your own application. The ## Source Code -* +* ## Requirements @@ -150,19 +191,35 @@ Now you can interact with the Spire agent socket from your own application. The ### Global parameters -| Name | Description | Value | -| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | -| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` | -| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` | -| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` | -| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` | -| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` | -| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` | -| `global.spire.image.registry` | Override all Spire image registries at once | `""` | -| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` | -| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | -| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | +| Name | Description | Value | +| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | +| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` | +| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` | +| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` | +| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` | +| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` | +| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` | +| `global.spire.recommendations.enabled` | Use recommended settings for production deployments. Default is off. | `false` | +| `global.spire.recommendations.namespaceLayout` | Set to true to use recommended values for installing across namespaces | `true` | +| `global.spire.recommendations.namespacePSS` | When chart namespace creation is enabled, label them with preffered Pod Security Standard labels | `true` | +| `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names | `true` | +| `global.spire.recommendations.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `true` | +| `global.spire.recommendations.securityContexts` | Set to true to use recommended values for Pod and Container Security Contexts | `true` | +| `global.spire.recommendations.prometheus` | Enable prometheus exporters for monitoring | `true` | +| `global.spire.image.registry` | Override all Spire image registries at once | `""` | +| `global.spire.namespaces.create` | Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created. | `false` | +| `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` | +| `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` | +| `global.spire.namespaces.system.annotations` | Annotations to apply to the Spire system Namespace. | `{}` | +| `global.spire.namespaces.system.labels` | Labels to apply to the Spire system Namespace. | `{}` | +| `global.spire.namespaces.server.name` | Name of the Spire server Namespace. | `spire-server` | +| `global.spire.namespaces.server.create` | Create a Namespace for Spire server resources. | `false` | +| `global.spire.namespaces.server.annotations` | Annotations to apply to the Spire server Namespace. | `{}` | +| `global.spire.namespaces.server.labels` | Labels to apply to the Spire server Namespace. | `{}` | +| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` | +| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | +| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | +| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | ### Spire server parameters @@ -213,9 +270,9 @@ Now you can interact with the Spire agent socket from your own application. The ### SPIFFE oidc discovery provider parameters -| Name | Description | Value | -| ---------------------------------------- | ------------------------------------------------------------- | ------- | -| `spiffe-oidc-discovery-provider.enabled` | Flag to enable spiffe-oidc-discovery-provider for the cluster | `false` | +| Name | Description | Value | +| ---------------------------------------- | ------------------------------------------------------------- | ------ | +| `spiffe-oidc-discovery-provider.enabled` | Flag to enable spiffe-oidc-discovery-provider for the cluster | `true` | ### Tornjak frontend parameters diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index c1371d688..cfcb62849 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md @@ -25,42 +25,46 @@ A Helm chart to install the SPIFFE CSI driver. ### SPIFFE CSI Driver Chart parameters -| Name | Description | Value | -| ---------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------------- | -| `pluginName` | Set the csi driver name deployed to Kubernetes. | `csi.spiffe.io` | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `resources` | Resource requests and limits for spiffe-csi-driver | `{}` | -| `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | -| `livenessProbe.timeoutSeconds` | Timeout value in seconds for livenessProbe | `5` | -| `imagePullSecrets` | Image pull secret details for spiffe-csi-driver | `[]` | -| `nameOverride` | Name override for spiffe-csi-driver | `""` | -| `namespaceOverride` | Namespace to install spiffe-csi-driver | `""` | -| `fullnameOverride` | Full name override for spiffe-csi-driver | `""` | -| `csiDriverLabels` | Labels to apply to the CSIDriver | `{}` | -| `initContainers` | Init Containers to apply to the CSI Driver DaemonSet | `[]` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | -| `podAnnotations` | Pod annotations for spiffe-csi-driver | `{}` | -| `podSecurityContext` | Security context for CSI driver pods | `{}` | -| `securityContext.readOnlyRootFilesystem` | Flag for read only root filesystem | `true` | -| `securityContext.privileged` | Flag for specifying privileged mode | `true` | -| `nodeSelector` | Node selector for CSI driver pods | `{}` | -| `tolerations` | Tolerations for CSI driver pods | `[]` | -| `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` | -| `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | -| `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.1` | -| `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | -| `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | -| `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | -| `priorityClassName` | Priority class assigned to daemonset pods | `""` | -| `restrictedScc.enabled` | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support | `false` | -| `restrictedScc.name` | Set the name of the restricted SCC with CSI support | `""` | -| `restrictedScc.version` | Version of the restricted SCC | `2` | +| Name | Description | Value | +| ---------------------------------------- | --------------------------------------------------------------------------------------------------------- | ------------------------------------------- | +| `pluginName` | Set the csi driver name deployed to Kubernetes. | `csi.spiffe.io` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `resources` | Resource requests and limits for spiffe-csi-driver | `{}` | +| `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `livenessProbe.timeoutSeconds` | Timeout value in seconds for livenessProbe | `5` | +| `imagePullSecrets` | Image pull secret details for spiffe-csi-driver | `[]` | +| `nameOverride` | Name override for spiffe-csi-driver | `""` | +| `namespaceOverride` | Namespace to install spiffe-csi-driver | `""` | +| `fullnameOverride` | Full name override for spiffe-csi-driver | `""` | +| `csiDriverLabels` | Labels to apply to the CSIDriver | `{}` | +| `initContainers` | Init Containers to apply to the CSI Driver DaemonSet | `[]` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | +| `podAnnotations` | Pod annotations for spiffe-csi-driver | `{}` | +| `podSecurityContext` | Security context for CSI driver pods | `{}` | +| `securityContext.readOnlyRootFilesystem` | Flag for read only root filesystem | `true` | +| `securityContext.privileged` | Flag for specifying privileged mode | `true` | +| `nodeSelector` | Node selector for CSI driver pods | `{}` | +| `tolerations` | Tolerations for CSI driver pods | `[]` | +| `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` | +| `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | +| `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.3` | +| `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | +| `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | +| `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | +| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | +| `restrictedScc.enabled` | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support | `false` | +| `restrictedScc.name` | Set the name of the restricted SCC with CSI support | `""` | +| `restrictedScc.version` | Version of the restricted SCC | `2` | +| `selinux.enabled` | Enable selinux support | `false` | +| `selinux.context` | Which selinux context to use | `container_file_t` | +| `selinux.image.registry` | The OCI registry to pull the image from | `registry.access.redhat.com` | +| `selinux.image.repository` | The repository within the registry | `ubi9` | +| `selinux.image.pullPolicy` | The image pull policy | `Always` | +| `selinux.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest` | diff --git a/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl b/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl index 3df9f55ba..4fd5fcd04 100644 --- a/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl +++ b/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl @@ -29,6 +29,12 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- define "spiffe-csi-driver.namespace" -}} {{- if .Values.namespaceOverride -}} {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.system.name }} + {{- else }} + {{- printf "spire-system" }} + {{- end }} {{- else -}} {{- .Release.Namespace -}} {{- end -}} diff --git a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml index 7d5339ed0..f81804057 100644 --- a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml +++ b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml @@ -33,12 +33,32 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - {{- with .Values.initContainers }} + {{- include "spire-lib.default_node_priority_class_name" . | nindent 6 }} + {{- if or (gt (len .Values.initContainers) 0) (dig "openshift" false .Values.global) (dig "selinux" false .Values.global) .Values.selinux.enabled }} initContainers: - {{- toYaml . | nindent 8 }} + {{- if or (dig "openshift" false .Values.global) (dig "selinux" false .Values.global) .Values.selinux.enabled }} + - name: set-context + command: + - chcon + - '-Rvt' + - {{ .Values.selinux.context }} + - spire-agent-socket/ + image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.selinux.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.selinux.image.pullPolicy }} + securityContext: + capabilities: + drop: + - all + privileged: true + volumeMounts: + - name: spire-agent-socket-dir + mountPath: /spire-agent-socket + terminationMessagePolicy: File + terminationMessagePath: /dev/termination-log + {{- end }} + {{- if gt (len .Values.initContainers) 0 }} + {{- toYaml .Values.initContainers | nindent 8 }} + {{- end }} {{- end }} containers: # This is the container which runs the SPIFFE CSI driver. diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index 12eeb7b94..8eebf6f80 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml @@ -12,14 +12,12 @@ pluginName: csi.spiffe.io ## @param image.registry The OCI registry to pull the image from ## @param image.repository The repository within the registry ## @param image.pullPolicy The image pull policy -## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: ghcr.io repository: spiffe/spiffe-csi-driver pullPolicy: IfNotPresent - version: "" tag: "" ## @param resources [object] Resource requests and limits for spiffe-csi-driver @@ -102,15 +100,13 @@ nodeDriverRegistrar: ## @param nodeDriverRegistrar.image.registry The OCI registry to pull the image from ## @param nodeDriverRegistrar.image.repository The repository within the registry ## @param nodeDriverRegistrar.image.pullPolicy The image pull policy - ## @param nodeDriverRegistrar.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param nodeDriverRegistrar.image.tag Overrides the image tag ## image: registry: registry.k8s.io repository: sig-storage/csi-node-driver-registrar pullPolicy: IfNotPresent - version: "" - tag: v2.9.1 + tag: v2.9.3 ## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -130,7 +126,7 @@ agentSocketPath: /run/spire/agent-sockets/spire-agent.sock ## @param kubeletPath Path to kubelet file kubeletPath: /var/lib/kubelet -## @param priorityClassName Priority class assigned to daemonset pods +## @param priorityClassName Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. priorityClassName: "" restrictedScc: @@ -141,3 +137,18 @@ restrictedScc: name: "" ## @param restrictedScc.version Version of the restricted SCC version: 2 + +selinux: + ## @param selinux.enabled Enable selinux support + enabled: false + ## @param selinux.context Which selinux context to use + context: container_file_t + ## @param selinux.image.registry The OCI registry to pull the image from + ## @param selinux.image.repository The repository within the registry + ## @param selinux.image.pullPolicy The image pull policy + ## @param selinux.image.tag Overrides the image tag whose default is the chart appVersion + image: + registry: registry.access.redhat.com + repository: ubi9 + pullPolicy: Always + tag: latest diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index 5109dfab1..3f29481c0 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml @@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider description: A Helm chart to install the SPIFFE OIDC discovery provider. type: application version: 0.1.0 -appVersion: "1.8.5" +appVersion: "1.8.7" keywords: ["spiffe", "oidc"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 788f69493..91a89bc5f 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -25,104 +25,114 @@ A Helm chart to install the SPIFFE OIDC discovery provider. ### Chart parameters -| Name | Description | Value | -| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | -| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` | -| `replicaCount` | Replica count | `1` | -| `namespaceOverride` | Namespace override | `""` | -| `annotations` | Annotations for the deployment | `{}` | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/oidc-discovery-provider` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `resources` | Resource requests and limits | `{}` | -| `service.type` | Service type | `ClusterIP` | -| `service.port` | Service port | `80` | -| `service.annotations` | Annotations for service resource | `{}` | -| `configMap.annotations` | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap | `{}` | -| `podSecurityContext` | Pod security context for OIDC discovery provider pods | `{}` | -| `securityContext` | Security context for OIDC discovery provider deployment | `{}` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | -| `podAnnotations` | Pod annotations for Spire OIDC discovery provider | `{}` | -| `insecureScheme.enabled` | Flag to enable insecure schema | `false` | -| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `insecureScheme.nginx.image.repository` | The repository within the registry | `nginxinc/nginx-unprivileged` | -| `insecureScheme.nginx.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `insecureScheme.nginx.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.25.3-alpine` | -| `insecureScheme.nginx.resources` | Resource requests and limits | `{}` | -| `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` | -| `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | -| `config.additionalDomains` | Add additional domains that can be used for oidc discovery | `[]` | -| `config.acme.tosAccepted` | Flag for Terms of Service acceptance | `false` | -| `config.acme.cacheDir` | Path for cache directory | `/run/spire` | -| `config.acme.directoryUrl` | URL for acme directory | `https://acme-v02.api.letsencrypt.org/directory` | -| `config.acme.emailAddress` | Email address for registration | `letsencrypt@example.org` | -| `imagePullSecrets` | Image pull secret names | `[]` | -| `nameOverride` | Name override | `""` | -| `fullnameOverride` | Full name override | `""` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | -| `deleteHook.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | -| `autoscaling.enabled` | Flag to enable autoscaling | `false` | -| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | -| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `5` | -| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | -| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utlization that triggers autoscaling | `80` | -| `nodeSelector` | Node selector | `{}` | -| `tolerations` | iist of tolerations | `[]` | -| `affinity` | Node affinity | `{}` | -| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | -| `clusterDomain` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `cluster.local` | -| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | -| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | -| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | -| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the helm release | `""` | -| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | -| `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` | -| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `telemetry.prometheus.nginxExporter.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.11.0` | -| `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` | -| `ingress.enabled` | Flag to enable ingress | `false` | -| `ingress.className` | Ingress class name | `""` | -| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `ingress.annotations` | Annotations for ingress object | `{}` | -| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `oidc-discovery` | -| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | -| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | -| `tests.hostAliases` | List of host aliases for testing | `[]` | -| `tests.tls.enabled` | Flag for enabling tls for tests | `false` | -| `tests.tls.customCA` | Custom CA value for tests | `""` | -| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | -| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | -| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` | -| `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | -| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | -| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79` | -| `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | -| `tests.busybox.image.repository` | The repository within the registry | `busybox` | -| `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.busybox.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.36.1-uclibc` | -| `tests.agent.image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` | -| `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.agent.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | -| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tools.kubectl.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- | +| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` | +| `csiDriverName` | The csi driver to use | `csi.spiffe.io` | +| `replicaCount` | Replica count | `1` | +| `namespaceOverride` | Namespace override | `""` | +| `annotations` | Annotations for the deployment | `{}` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/oidc-discovery-provider` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `spiffeHelper.image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `spiffeHelper.image.repository` | The repository within the registry | `spiffe/spiffe-helper` | +| `spiffeHelper.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `spiffeHelper.image.tag` | Overrides the image tag whose default is the chart appVersion | `nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6` | +| `spiffeHelper.resources` | Resource requests and limits | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `service.type` | Service type | `ClusterIP` | +| `service.ports.http` | Insecure port for the service | `80` | +| `service.ports.https` | Secure port for the service | `443` | +| `service.annotations` | Annotations for service resource | `{}` | +| `configMap.annotations` | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap | `{}` | +| `podSecurityContext` | Pod security context for OIDC discovery provider pods | `{}` | +| `securityContext` | Security context for OIDC discovery provider deployment | `{}` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `podAnnotations` | Pod annotations for Spire OIDC discovery provider | `{}` | +| `tls.spire.enabled` | Use spire to secure the oidc-discovery-provider | `true` | +| `tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` | +| `tls.externalSecret.secretName` | Specify which Secret to use | `""` | +| `tls.certManager.enabled` | Use certificateManager to create the certificate | `false` | +| `tls.certManager.issuer.create` | Create an issuer to use to issue the certificate | `true` | +| `tls.certManager.issuer.acme.email` | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service | `""` | +| `tls.certManager.issuer.acme.server` | Server to use to get certificate. Defaults to LetsEncrypt | `https://acme-v02.api.letsencrypt.org/directory` | +| `tls.certManager.issuer.acme.solvers` | Configure the issuer solvers. Defaults to http01 via ingress. | `{}` | +| `tls.certManager.certificate.dnsNames` | Override the dnsNames on the certificate request. Defaults to the same settings as Ingress | `[]` | +| `tls.certManager.certificate.issuerRef.group` | If you are using an external plugin, specify the group for it here | `""` | +| `tls.certManager.certificate.issuerRef.kind` | Kind of the issuer reference. Override if you want to use a ClusterIssuer | `Issuer` | +| `tls.certManager.certificate.issuerRef.name` | Name of the issuer to use. If unset, it will use the name of the built in issuer | `""` | +| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` | +| `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` | +| `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. | `IfNotPresent` | +| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.25.3-alpine` | +| `insecureScheme.nginx.resources` | Resource requests and limits | `{}` | +| `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` | +| `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `config.additionalDomains` | Add additional domains that can be used for oidc discovery | `[]` | +| `imagePullSecrets` | Image pull secret names | `[]` | +| `nameOverride` | Name override | `""` | +| `fullnameOverride` | Full name override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | +| `deleteHook.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | +| `autoscaling.enabled` | Flag to enable autoscaling | `false` | +| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | +| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `5` | +| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | +| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utlization that triggers autoscaling | `80` | +| `nodeSelector` | Node selector | `{}` | +| `tolerations` | iist of tolerations | `[]` | +| `affinity` | Node affinity | `{}` | +| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | +| `clusterDomain` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `cluster.local` | +| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | +| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | +| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | +| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the helm release | `""` | +| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | +| `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` | +| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.1.0` | +| `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` | +| `ingress.enabled` | Flag to enable ingress | `false` | +| `ingress.className` | Ingress class name | `""` | +| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | +| `ingress.annotations` | Annotations for ingress object | `{}` | +| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `oidc-discovery` | +| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | +| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | +| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | +| `tests.hostAliases` | List of host aliases for testing | `[]` | +| `tests.tls.enabled` | Flag for enabling tls for tests | `false` | +| `tests.tls.customCA` | Custom CA value for tests | `""` | +| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | +| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` | +| `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | +| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:55cbdb5d87d89ab2c02efcb3bbc06f88bc70828e09294fb8a39be0cbc5c0a3b6` | +| `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | +| `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.25.2` | +| `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | +| `tests.busybox.image.repository` | The repository within the registry | `busybox` | +| `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.36.1-uclibc` | +| `tests.agent.image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` | +| `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | +| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl index 70d6de2f7..7780aa725 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl @@ -29,6 +29,12 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- define "spiffe-oidc-discovery-provider.namespace" -}} {{- if .Values.namespaceOverride -}} {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.server.name }} + {{- else }} + {{- printf "spire-server" }} + {{- end }} {{- else -}} {{- .Release.Namespace -}} {{- end -}} @@ -85,3 +91,11 @@ Create the name of the service account to use {{- define "spiffe-oidc-discovery-provider.workload-api-socket-path" -}} {{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }} {{- end }} + +{{- define "spiffe-oidc-discovery-provider.tls-enabled" -}} +{{- if and .Values.enabled (or .Values.tls.spire.enabled .Values.tls.externalSecret.enabled .Values.tls.certManager.enabled) }} +{{- true }} +{{- else }} +{{- false }} +{{- end }} +{{- end }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/certificate.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/certificate.yaml new file mode 100644 index 000000000..3dce910ae --- /dev/null +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/certificate.yaml @@ -0,0 +1,26 @@ +{{- define "spiffe-oidc-discovery-provider.cert-manager-default-cert" }} +{{- $fullName := include "spiffe-oidc-discovery-provider.fullname" . }} +dnsNames: + {{- if ne (len .Values.tls.certManager.certificate.dnsNames) 0 }} + {{- toYaml .Values.tls.certManager.certificate.dnsNames | nindent 4 }} + {{- else }} + - {{ include "spire-lib.ingress-calculated-name" (dict "ingress" .Values.ingress "Values" .Values) }} + {{- end }} +issuerRef: + {{- with .Values.tls.certManager.certificate.issuerRef.group }} + group: {{ . }} + {{- end }} + kind: {{ default "Issuer" .Values.tls.certManager.certificate.issuerRef.kind }} + name: {{ default $fullName .Values.tls.certManager.certificate.issuerRef.name }} +secretName: {{ $fullName }}-cert +{{- end }} +{{- if .Values.tls.certManager.enabled }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "spiffe-oidc-discovery-provider.fullname" . }} + namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }} +spec: + {{ merge (include "spiffe-oidc-discovery-provider.cert-manager-default-cert" . | fromYaml) .Values.tls.certManager.certificate | toYaml | nindent 2 }} +{{- end }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml index ed554059b..cb3ca39ad 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml @@ -1,3 +1,16 @@ +{{- $tlsCount := 0 }} +{{- if and .Values.enabled .Values.tls.spire.enabled }} +{{- $tlsCount = add $tlsCount 1 }} +{{- end }} +{{- if and .Values.enabled .Values.tls.externalSecret.enabled }} +{{- $tlsCount = add $tlsCount 1 }} +{{- end }} +{{- if and .Values.enabled .Values.tls.certManager.enabled }} +{{- $tlsCount = add $tlsCount 1 }} +{{- end }} +{{- if gt $tlsCount 1 }} +{{- fail "You can only have one TLS configuration enabled" }} +{{- end }} {{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}} {{- include "spire-lib.check-strict-mode" (list . "jwtIssuer must be set" (eq (include "spire-lib.jwt-issuer" .) "https://oidc-discovery.example.org"))}} {{- $oidcSocket := "/run/spire/oidc-sockets/spire-oidc-server.sock" }} @@ -14,15 +27,14 @@ domains: {{- $jwtIssuer := (default $uri.path $uri.host) }} {{- uniq (concat (list $jwtIssuer) .Values.config.additionalDomains) | toYaml | nindent 2 }} -{{- if .Values.insecureScheme.enabled }} -allow_insecure_scheme: {{ .Values.insecureScheme.enabled }} +{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }} +allow_insecure_scheme: true listen_socket_path: {{ $oidcSocket | quote }} {{- else }} -acme: - directory_url: {{ .Values.config.acme.directoryUrl | quote }} - cache_dir: {{ .Values.config.acme.cacheDir | quote }} - tos_accepted: {{ .Values.config.acme.tosAccepted }} - email: {{ .Values.config.acme.emailAddress | quote }} +serving_cert_file: + cert_file_path: /certs/tls.crt + key_file_path: /certs/tls.key + addr: ':8443' {{- end }} workload_api: @@ -47,7 +59,7 @@ metadata: data: oidc-discovery-provider.conf: | {{- include "spiffe-oidc-discovery-provider.yaml-config" (dict "oidcSocket" $oidcSocket "root" .) | fromYaml | toPrettyJson | nindent 4 }} - {{- if .Values.insecureScheme.enabled }} + {{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }} default.conf: | upstream oidc { server unix:{{ $oidcSocket }}; @@ -69,3 +81,9 @@ data: } } {{- end }} + spiffe-helper.conf: | + agent_address = {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | quote }} + cert_dir = "/certs" + svid_file_name = "tls.crt" + svid_key_file_name = "tls.key" + svid_bundle_file_name = "ca.pem" diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml index c34f3a23f..407e39b3d 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml @@ -1,3 +1,4 @@ +{{- $tlsEnabled := eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "true" }} {{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }} apiVersion: apps/v1 kind: Deployment @@ -26,6 +27,9 @@ spec: {{- end }} labels: {{- include "spiffe-oidc-discovery-provider.selectorLabels" . | nindent 8 }} + release: {{ .Release.Name }} + release-namespace: {{ .Release.Namespace }} + component: oidc-discovery-provider spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -33,11 +37,35 @@ spec: {{- end }} serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} + initContainers: + {{- if .Values.tls.spire.enabled }} + - name: init + securityContext: + {{- include "spire-lib.securitycontext" . | nindent 12 }} + resources: + {{- toYaml .Values.spiffeHelper.resources | nindent 12 }} + image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }} + args: + - -config + - /etc/spiffe-helper.conf + - -exitWhenReady + volumeMounts: + - name: spiffe-workload-api + mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }} + readOnly: true + - name: spire-oidc-config + mountPath: /etc/spiffe-helper.conf + subPath: spiffe-helper.conf + readOnly: true + - name: certdir + mountPath: /certs + {{- end }} containers: - name: {{ .Chart.Name }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext" . | nindent 12 }} image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: @@ -46,8 +74,8 @@ spec: ports: - containerPort: 8008 name: healthz - {{- if not .Values.insecureScheme.enabled }} - - containerPort: 443 + {{- if $tlsEnabled }} + - containerPort: 8443 name: https {{- end }} volumeMounts: @@ -61,6 +89,9 @@ spec: mountPath: /run/spire/oidc/config/oidc-discovery-provider.conf subPath: oidc-discovery-provider.conf readOnly: true + - name: certdir + mountPath: /certs + readOnly: true readinessProbe: httpGet: path: /ready @@ -73,10 +104,32 @@ spec: {{- toYaml .Values.livenessProbe | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if .Values.insecureScheme.enabled }} + {{- if .Values.tls.spire.enabled }} + - name: spiffe-helper + resources: + {{- toYaml .Values.spiffeHelper.resources | nindent 12 }} + securityContext: + {{- include "spire-lib.securitycontext" . | nindent 12 }} + image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }} + args: + - -config + - /etc/spiffe-helper.conf + volumeMounts: + - name: spiffe-workload-api + mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }} + readOnly: true + - name: spire-oidc-config + mountPath: /etc/spiffe-helper.conf + subPath: spiffe-helper.conf + readOnly: true + - name: certdir + mountPath: /certs + {{- end }} + {{- if not $tlsEnabled }} - name: nginx securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext" . | nindent 12 }} image: {{ template "spire-lib.image" (dict "image" .Values.insecureScheme.nginx.image "global" .Values.global) }} imagePullPolicy: {{ .Values.insecureScheme.nginx.image.pullPolicy }} ports: @@ -95,10 +148,10 @@ spec: readOnly: false resources: {{- toYaml .Values.insecureScheme.nginx.resources | nindent 12 }} - {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + {{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} - name: nginx-exporter securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext" . | nindent 12 }} image: {{ template "spire-lib.image" (dict "image" .Values.telemetry.prometheus.nginxExporter.image "global" .Values.global) }} imagePullPolicy: {{ .Values.telemetry.prometheus.nginxExporter.image.pullPolicy }} args: @@ -113,7 +166,7 @@ spec: volumes: - name: spiffe-workload-api csi: - driver: "csi.spiffe.io" + driver: "{{ .Values.csiDriverName }}" readOnly: true - name: spire-oidc-sockets emptyDir: {} @@ -122,6 +175,16 @@ spec: name: {{ include "spiffe-oidc-discovery-provider.fullname" . }} - name: nginx-tmp emptyDir: {} + - name: certdir + {{- if .Values.tls.externalSecret.enabled }} + secret: + secretName: {{ .Values.tls.externalSecret.secretName }} + {{- else if .Values.tls.certManager.enabled }} + secret: + secretName: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-cert + {{- else }} + emptyDir: {} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/hpa.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/hpa.yaml index fcacb3f22..0a6dfa310 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/hpa.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: {{ include "spire-lib.autoscalingVersion" . }} kind: HorizontalPodAutoscaler metadata: name: {{ include "spiffe-oidc-discovery-provider.fullname" . }} @@ -14,16 +14,20 @@ spec: minReplicas: {{ .Values.autoscaling.minReplicas }} maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Resource resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- end }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml index 6f5913efc..53c3813a9 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml @@ -1,13 +1,36 @@ {{- if .Values.ingress.enabled -}} +{{- $tlsEnabled := eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "true" }} +{{- $port := .Values.service.ports.https }} +{{- if not $tlsEnabled }} +{{- $port = .Values.service.ports.http }} +{{- end }} {{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }} {{- $fullName := include "spiffe-oidc-discovery-provider.fullname" . }} +{{- $path := "/" }} +{{- $pathType := "Prefix" }} {{- $tlsSection := true }} {{- $annotations := deepCopy .Values.ingress.annotations }} {{- if eq $ingressControllerType "ingress-nginx" }} {{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }} {{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }} +{{- if $tlsEnabled }} +{{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }} +{{- if not (and .Values.ingress.enabled .Values.ingress.tlsSecret) }} +{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }} +{{- end }} +{{- end }} {{- else if eq $ingressControllerType "openshift" }} -{{- $_ := set $annotations "route.openshift.io/termination" "edge" }} +{{- if not $tlsEnabled }} +{{- $_ := set $annotations "route.openshift.io/termination" "edge" }} +{{- else }} +{{- if and .Values.ingress.enabled .Values.ingress.tlsSecret }} +{{- $_ := set $annotations "route.openshift.io/termination" "reencrypt" }} +{{- else }} +{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }} +{{- end }} +{{- end }} +{{- $path = "" }} +{{- $pathType = "ImplementationSpecific" }} {{- $tlsSection = false }} {{- end }} apiVersion: networking.k8s.io/v1 @@ -22,5 +45,5 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" .Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" .Values) | nindent 2 }} + {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" $port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }} {{- end }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/issuer.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/issuer.yaml new file mode 100644 index 000000000..e12755c00 --- /dev/null +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/issuer.yaml @@ -0,0 +1,22 @@ +{{- define "spiffe-oidc-discovery-provider.cert-manager-default-issuer" }} +{{- if not .Values.tls.certManager.issuer.acme.email }} +{{- fail "You must specify an email address via certManager.issuer.acme.email" }} +{{- end }} +email: {{ .Values.tls.certManager.issuer.acme.email | quote}} +server: {{ .Values.tls.certManager.issuer.acme.server | quote}} +privateKeySecretRef: + name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-issuer +solvers: +- http01: + ingress: {} +{{- end }} +{{- if and .Values.tls.certManager.enabled .Values.tls.certManager.issuer.create }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "spiffe-oidc-discovery-provider.fullname" . }} + namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }} +spec: + acme: + {{ mergeOverwrite (include "spiffe-oidc-discovery-provider.cert-manager-default-issuer" . | fromYaml) .Values.tls.certManager.issuer.acme | toYaml | nindent 4 }} +{{- end }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/podmonitor.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/podmonitor.yaml index dec060f91..b0457dcbc 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/podmonitor.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/podmonitor.yaml @@ -1,4 +1,4 @@ -{{- if .Values.insecureScheme.enabled }} +{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }} {{- if (dig "telemetry" "prometheus" "podMonitor" "enabled" .Values.telemetry.prometheus.podMonitor.enabled .Values.global) }} {{- $namespace := include "spiffe-oidc-discovery-provider.podMonitor.namespace" . }} {{- $podNamespace := ( include "spiffe-oidc-discovery-provider.namespace" . ) }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml index 452fea0ab..a2ad605a0 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml @@ -59,11 +59,11 @@ spec: restartPolicy: Never serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: pre-delete-job securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- include "spire-lib.securitycontext" . | nindent 10 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - delete diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/service.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/service.yaml index e39821634..fb8de108f 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/service.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/service.yaml @@ -10,14 +10,14 @@ metadata: spec: type: {{ .Values.service.type }} ports: - {{- if .Values.insecureScheme.enabled }} + {{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }} - name: http - port: {{ .Values.service.port }} + port: {{ .Values.service.ports.http }} targetPort: http protocol: TCP {{- else }} - name: https - port: 443 + port: {{ .Values.service.ports.https }} targetPort: https protocol: TCP {{- end }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml index 73a8b3535..99c7c2743 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml @@ -1,5 +1,11 @@ {{- $values := merge .Values }} {{- $host := include "spire-lib.ingress-calculated-name" (dict "Values" .Values "ingress" .Values.ingress) }} +{{- $protocol := "https" }} +{{- $port := .Values.service.ports.https }} +{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }} +{{- $protocol = "http" }} +{{- $port = .Values.service.ports.http }} +{{- end }} {{- if gt (len .Values.ingress.hosts) 0 }} {{- $host = (index .Values.ingress.hosts 0).host }} {{- end }} @@ -14,26 +20,26 @@ metadata: "helm.sh/hook": test spec: securityContext: - {{- toYaml .Values.podSecurityContext | nindent 4 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 4 }} containers: - name: curl-service-name image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] - args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}:{{ .Values.service.port }}/.well-known/openid-configuration'] + args: ['-s', '-f', '-k', '{{ $protocol }}://{{ include "spiffe-oidc-discovery-provider.fullname" . }}:{{ $port }}/.well-known/openid-configuration'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} - name: curl-service-name-namespace image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] - args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ .Values.service.port }}/.well-known/openid-configuration'] + args: ['-s', '-f', '-k', '{{ $protocol }}://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ $port }}/.well-known/openid-configuration'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} - name: curl-service-name-namespace-svc-cluster-local image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] - args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/.well-known/openid-configuration'] + args: ['-s', '-f', '-k', '{{ $protocol }}://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ $port }}/.well-known/openid-configuration'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} {{- if .Values.ingress.enabled }} - name: curl-ingress image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} @@ -53,7 +59,7 @@ spec: args: ['-s', '-f', 'http://{{ $host }}/.well-known/openid-configuration'] {{- end }} securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} {{- end }} {{- if ne (len (dig "tests" "hostAliases" "" $values)) 0 }} hostAliases: diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml index e2bbc4350..8157e498d 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml @@ -1,3 +1,9 @@ +{{- $protocol := "https" }} +{{- $port := .Values.service.ports.https }} +{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }} +{{- $protocol = "http" }} +{{- $port = .Values.service.ports.http }} +{{- end }} apiVersion: v1 kind: Pod metadata: @@ -5,13 +11,14 @@ metadata: namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }} labels: {{- include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }} + release: {{ .Release.Name }} + release-namespace: {{ .Release.Namespace }} + component: test-keys annotations: "helm.sh/hook": test spec: - {{- with .Values.podSecurityContext }} securityContext: - {{- toYaml . | nindent 4 }} - {{- end }} + {{- include "spire-lib.podsecuritycontext" . | nindent 4 }} serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }} initContainers: - name: static-busybox @@ -22,10 +29,21 @@ spec: - | cp /bin/busybox /data/busybox chmod +x /data/busybox - {{- with .Values.securityContext }} securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} + volumeMounts: + - name: data-volume + mountPath: /data + - name: install-step + image: {{ template "spire-lib.image" (dict "image" .Values.tests.step.image "global" .Values.global) }} + workingDir: /data + command: + - sh + - -c + - | + cp /usr/local/bin/step /data/step + securityContext: + {{- include "spire-lib.securitycontext" . | nindent 8 }} volumeMounts: - name: data-volume mountPath: /data @@ -41,10 +59,8 @@ spec: [ $? -eq 0 ] && break sleep 1 done - {{- with .Values.securityContext }} securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} volumeMounts: - name: data-volume mountPath: /data @@ -56,23 +72,24 @@ spec: image: {{ template "spire-lib.image" (dict "image" .Values.tests.toolkit.image "global" .Values.global) }} command: - bash + workingDir: /data env: - name: TMPDIR value: /data args: - - -c + - -cx - | - URL=http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }} - curl -k -s -f "${URL}"/keys - JWT=$(cat /data/token.svid | jq -r '.[].svids[0].svid' | xargs) - cat <<'EOF' >> /data/jwt-decode.sh - {{- (.Files.Get "files/test/jwt-decode.sh") | nindent 10 }} - EOF - bash /data/jwt-decode.sh "${URL}"/keys "${JWT}" - {{- with .Values.securityContext }} + URL={{ $protocol }}://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ $port }} + + cat /data/token.svid + JWT=$(cat /data/token.svid | jq -r '.[] | select(.svids) | .svids[0].svid' | xargs) + KID=$(echo $JWT | base64 -d 2>/dev/null | jq -r '.kid') + # Retrieve public key from JWK set, match kid from JWT to locate the correct one + curl -k -s --fail-with-body "${URL}"/keys | jq '.keys[] | select(.kid == "'${KID}'")' > public.pem + # Verify JWT with public pem + echo $JWT | /data/step crypto jwt verify --key=public.pem --alg=RS256 --subtle securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} volumeMounts: - mountPath: /data name: data-volume diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 405f96ed0..27fa7bd73 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -8,6 +8,8 @@ global: {} ## ## @param agentSocketName The name of the spire-agent unix socket agentSocketName: spire-agent.sock +## @param csiDriverName The csi driver to use +csiDriverName: csi.spiffe.io ## @param replicaCount Replica count replicaCount: 1 @@ -22,15 +24,27 @@ image: ## @param image.registry The OCI registry to pull the image from ## @param image.repository The repository within the registry ## @param image.pullPolicy The image pull policy - ## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param image.tag Overrides the image tag whose default is the chart appVersion ## registry: ghcr.io repository: spiffe/oidc-discovery-provider pullPolicy: IfNotPresent - version: "" tag: "" +spiffeHelper: + image: + ## @param spiffeHelper.image.registry The OCI registry to pull the image from + ## @param spiffeHelper.image.repository The repository within the registry + ## @param spiffeHelper.image.pullPolicy The image pull policy + ## @param spiffeHelper.image.tag Overrides the image tag whose default is the chart appVersion + ## + registry: ghcr.io + repository: spiffe/spiffe-helper + pullPolicy: IfNotPresent + tag: nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6 + ## @param spiffeHelper.resources [object] Resource requests and limits + resources: {} + ## @param resources [object] Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -45,12 +59,15 @@ resources: {} # memory: 64Mi ## @param service.type Service type -## @param service.port Service port +## @param service.ports.http Insecure port for the service +## @param service.ports.https Secure port for the service ## @param service.annotations Annotations for service resource ## service: type: ClusterIP - port: 80 + ports: + http: 80 + https: 443 annotations: {} # external-dns.alpha.kubernetes.io/hostname: oidc-discovery.example.org @@ -88,16 +105,53 @@ livenessProbe: ## @param podAnnotations [object] Pod annotations for Spire OIDC discovery provider podAnnotations: {} -insecureScheme: - ## @param insecureScheme.enabled Flag to enable insecure schema - enabled: false +# Select from one of the options below to be the source of certificates for OIDC Discovery Provider. +# If none are enabled, connections won't be TLS encrypted. +tls: + spire: + ## @param tls.spire.enabled Use spire to secure the oidc-discovery-provider + enabled: true + externalSecret: + ## @param tls.externalSecret.enabled Provide your own certificate/key via tls style Kubernetes Secret + enabled: false + ## @param tls.externalSecret.secretName Specify which Secret to use + secretName: "" + + certManager: + ## @param tls.certManager.enabled Use certificateManager to create the certificate + enabled: false + issuer: + ## @param tls.certManager.issuer.create Create an issuer to use to issue the certificate + create: true + acme: + ## @param tls.certManager.issuer.acme.email Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service + email: "" + ## @param tls.certManager.issuer.acme.server Server to use to get certificate. Defaults to LetsEncrypt + server: https://acme-v02.api.letsencrypt.org/directory + # Testing server: https://acme-staging-v02.api.letsencrypt.org/directory + ## @param tls.certManager.issuer.acme.solvers [object] Configure the issuer solvers. Defaults to http01 via ingress. + solvers: {} + # - http01: + # ingress: + # ingressClassName: nginx + certificate: + ## @param tls.certManager.certificate.dnsNames Override the dnsNames on the certificate request. Defaults to the same settings as Ingress + dnsNames: [] + ## @param tls.certManager.certificate.issuerRef.group If you are using an external plugin, specify the group for it here + ## @param tls.certManager.certificate.issuerRef.kind Kind of the issuer reference. Override if you want to use a ClusterIssuer + ## @param tls.certManager.certificate.issuerRef.name Name of the issuer to use. If unset, it will use the name of the built in issuer + issuerRef: + group: "" + kind: Issuer + name: "" + +insecureScheme: nginx: - ## @param insecureScheme.nginx.image.registry The OCI registry to pull the image from - ## @param insecureScheme.nginx.image.repository The repository within the registry - ## @param insecureScheme.nginx.image.pullPolicy The image pull policy - ## @param insecureScheme.nginx.image.version This value is deprecated in favor of tag. (Will be removed in a future release) - ## @param insecureScheme.nginx.image.tag Overrides the image tag whose default is the chart appVersion + ## @param insecureScheme.nginx.image.registry The OCI registry to pull the image from. Only used when TLS is disabled. + ## @param insecureScheme.nginx.image.repository The repository within the registry. Only used when TLS is disabled. + ## @param insecureScheme.nginx.image.pullPolicy The image pull policy. Only used when TLS is disabled. + ## @param insecureScheme.nginx.image.tag Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. ## Example: ## chainguard image does not support the templates feature ## https://github.com/chainguard-images/nginx/issues/43 @@ -110,7 +164,6 @@ insecureScheme: registry: docker.io repository: nginxinc/nginx-unprivileged pullPolicy: IfNotPresent - version: "" tag: 1.25.3-alpine ## @param insecureScheme.nginx.resources Resource requests and limits resources: {} @@ -132,18 +185,8 @@ config: ## @param config.logLevel The log level, valid values are "debug", "info", "warn", and "error" logLevel: info ## @param config.additionalDomains [array] Add additional domains that can be used for oidc discovery - additionalDomains: - - localhost - - acme: - ## @param config.acme.tosAccepted Flag for Terms of Service acceptance - tosAccepted: false - ## @param config.acme.cacheDir Path for cache directory - cacheDir: /run/spire - ## @param config.acme.directoryUrl URL for acme directory - directoryUrl: https://acme-v02.api.letsencrypt.org/directory - ## @param config.acme.emailAddress Email address for registration - emailAddress: letsencrypt@example.org + additionalDomains: [] + # - localhost ## @param imagePullSecrets [array] Image pull secret names imagePullSecrets: [] @@ -213,15 +256,13 @@ telemetry: ## @param telemetry.prometheus.nginxExporter.image.registry The OCI registry to pull the image from ## @param telemetry.prometheus.nginxExporter.image.repository The repository within the registry ## @param telemetry.prometheus.nginxExporter.image.pullPolicy The image pull policy - ## @param telemetry.prometheus.nginxExporter.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param telemetry.prometheus.nginxExporter.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: docker.io repository: nginx/nginx-prometheus-exporter pullPolicy: IfNotPresent - version: "" - tag: "0.11.0" + tag: "1.1.0" ## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits resources: {} @@ -281,56 +322,60 @@ tests: ## @param tests.bash.image.registry The OCI registry to pull the image from ## @param tests.bash.image.repository The repository within the registry ## @param tests.bash.image.pullPolicy The image pull policy - ## @param tests.bash.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tests.bash.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - version: "" - tag: latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e + tag: latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from ## @param tests.toolkit.image.repository The repository within the registry ## @param tests.toolkit.image.pullPolicy The image pull policy - ## @param tests.toolkit.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tests.toolkit.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: cgr.dev repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent - version: "" - tag: latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79 + tag: latest@sha256:55cbdb5d87d89ab2c02efcb3bbc06f88bc70828e09294fb8a39be0cbc5c0a3b6 + + step: + ## @param tests.step.image.registry The OCI registry to pull the image from + ## @param tests.step.image.repository The repository within the registry + ## @param tests.step.image.pullPolicy The image pull policy + ## @param tests.step.image.tag Overrides the image tag whose default is the chart appVersion + ## + image: + registry: "docker.io" + repository: smallstep/step-cli + pullPolicy: IfNotPresent + tag: 0.25.2 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from ## @param tests.busybox.image.repository The repository within the registry ## @param tests.busybox.image.pullPolicy The image pull policy - ## @param tests.busybox.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tests.busybox.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: "" repository: busybox pullPolicy: IfNotPresent - version: "" tag: 1.36.1-uclibc agent: ## @param tests.agent.image.registry The OCI registry to pull the image from ## @param tests.agent.image.repository The repository within the registry ## @param tests.agent.image.pullPolicy The image pull policy - ## @param tests.agent.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tests.agent.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: ghcr.io repository: spiffe/spire-agent pullPolicy: IfNotPresent - version: "" tag: "" tools: @@ -338,12 +383,10 @@ tools: ## @param tools.kubectl.image.registry The OCI registry to pull the image from ## @param tools.kubectl.image.repository The repository within the registry ## @param tools.kubectl.image.pullPolicy The image pull policy - ## @param tools.kubectl.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: docker.io repository: rancher/kubectl pullPolicy: IfNotPresent - version: "" tag: "" diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index 24c25e30b..1fc821abe 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml @@ -3,7 +3,7 @@ name: spire-agent description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 -appVersion: "1.8.5" +appVersion: "1.8.7" keywords: ["spiffe", "spire-agent"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index a4e9c0b73..d8835056a 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -25,80 +25,78 @@ A Helm chart to install the SPIRE agent. ### Chart parameters -| Name | Description | Value | -| ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/spire-agent` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `imagePullSecrets` | Pull secrets for images | `[]` | -| `nameOverride` | Name override | `""` | -| `namespaceOverride` | Namespace override | `""` | -| `fullnameOverride` | Fullname override | `""` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. | `""` | -| `configMap.annotations` | Annotations to add to the SPIRE Agent ConfigMap | `{}` | -| `podAnnotations` | Annotations to add to pods | `{}` | -| `podSecurityContext` | Pod security context | `{}` | -| `securityContext` | Security context | `{}` | -| `resources` | Resource requests and limits | `{}` | -| `nodeSelector` | Node selector | `{}` | -| `tolerations` | List of tolerations | `[]` | -| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | -| `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` | -| `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` | -| `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` | -| `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` | -| `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` | -| `server.address` | Address for Spire server | `""` | -| `server.port` | Port number for Spire server | `8081` | -| `server.namespaceOverride` | Override the namespace for Spire server | `""` | -| `healthChecks.port` | override the host port used for health checking | `9982` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` | -| `livenessProbe.periodSeconds` | Period seconds for probe | `60` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` | -| `readinessProbe.periodSeconds` | Period seconds for probe | `60` | -| `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` | -| `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | -| `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `waitForIt.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:ffab5a8d7b7da2d04f433d0321cc5c34d8aa53bd15dd54eb2e4cd9c0d3d3cf5e` | -| `waitForIt.resources` | Resource requests and limits | `{}` | -| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | -| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | -| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` | -| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | -| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | -| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | -| `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` | -| `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio | `false` | -| `sds.enabled` | Enables Envoy SDS configuration | `false` | -| `sds.defaultSvidName` | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS | `default` | -| `sds.defaultBundleName` | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS | `ROOTCA` | -| `sds.defaultAllBundlesName` | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS | `ALL` | -| `sds.disableSpiffeCertValidation` | Disable Envoy SDS custom validation | `false` | -| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | -| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | -| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | -| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | -| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | -| `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. | `""` | -| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | -| `priorityClassName` | Priority class assigned to daemonset pods | `""` | -| `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | -| `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` | -| `extraVolumeMounts` | Extra volume mounts for Spire Agent pods | `[]` | -| `extraContainers` | Additional containers to create with Spire Agent pods | `[]` | -| `initContainers` | Additional init containers to create with Spire Agent pods | `[]` | -| `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` | -| `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | -| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | -| `customPlugins.svidStore` | Custom plugins of type SVIDStore are configured here | `{}` | -| `customPlugins.workloadAttestor` | Custom plugins of type WorkloadAttestor are configured here | `{}` | -| `experimental.enabled` | Allow configuration of experimental features | `false` | -| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | -| `experimental.featureFlags` | List of developer feature flags | `[]` | +| Name | Description | Value | +| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spire-agent` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. | `""` | +| `configMap.annotations` | Annotations to add to the SPIRE Agent ConfigMap | `{}` | +| `podAnnotations` | Annotations to add to pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `nodeSelector` | Node selector | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` | +| `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` | +| `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` | +| `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` | +| `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` | +| `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` | +| `server.address` | Address for Spire server | `""` | +| `server.port` | Port number for Spire server | `8081` | +| `server.namespaceOverride` | Override the namespace for Spire server | `""` | +| `healthChecks.port` | override the host port used for health checking | `9982` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` | +| `livenessProbe.periodSeconds` | Period seconds for probe | `60` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` | +| `readinessProbe.periodSeconds` | Period seconds for probe | `60` | +| `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | +| `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:84be7f9205d88f368097c3712a867c5d35d1d024633de4b5675b3f17f63f27cf` | +| `waitForIt.resources` | Resource requests and limits | `{}` | +| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | +| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` | +| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | +| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | +| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | +| `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` | +| `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio | `false` | +| `sds.enabled` | Enables Envoy SDS configuration | `false` | +| `sds.defaultSvidName` | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS | `default` | +| `sds.defaultBundleName` | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS | `ROOTCA` | +| `sds.defaultAllBundlesName` | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS | `ALL` | +| `sds.disableSpiffeCertValidation` | Disable Envoy SDS custom validation | `false` | +| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | +| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | +| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | +| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | +| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | +| `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. | `""` | +| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | +| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | +| `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | +| `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` | +| `extraVolumeMounts` | Extra volume mounts for Spire Agent pods | `[]` | +| `extraContainers` | Additional containers to create with Spire Agent pods | `[]` | +| `initContainers` | Additional init containers to create with Spire Agent pods | `[]` | +| `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` | +| `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | +| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | +| `customPlugins.svidStore` | Custom plugins of type SVIDStore are configured here | `{}` | +| `customPlugins.workloadAttestor` | Custom plugins of type WorkloadAttestor are configured here | `{}` | +| `experimental.enabled` | Allow configuration of experimental features | `false` | +| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | +| `experimental.featureFlags` | List of developer feature flags | `[]` | diff --git a/charts/spire/charts/spire-agent/templates/_helpers.tpl b/charts/spire/charts/spire-agent/templates/_helpers.tpl index 69642052c..89d5624d9 100644 --- a/charts/spire/charts/spire-agent/templates/_helpers.tpl +++ b/charts/spire/charts/spire-agent/templates/_helpers.tpl @@ -29,6 +29,12 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- define "spire-agent.namespace" -}} {{- if .Values.namespaceOverride -}} {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.system.name }} + {{- else }} + {{- printf "spire-system" }} + {{- end }} {{- else -}} {{- .Release.Namespace -}} {{- end -}} @@ -37,6 +43,12 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- define "spire-agent.server.namespace" -}} {{- if .Values.server.namespaceOverride -}} {{- .Values.server.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.server.name }} + {{- else }} + {{- printf "spire-server" }} + {{- end }} {{- else -}} {{- .Release.Namespace -}} {{- end -}} @@ -83,11 +95,7 @@ app.kubernetes.io/instance: {{ .Release.Name }} Create the name of the service account to use */}} {{- define "spire-agent.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "spire-agent.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} +{{- default (printf "%s-agent" .Release.Name) .Values.serviceAccount.name }} {{- end }} {{- define "spire-agent.server-address" }} diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 0bfd9d935..347ffcaf9 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -32,6 +32,9 @@ agent: trust_bundle_path: "/run/spire/bundle/bundle.crt" {{- end }} trust_domain: {{ include "spire-lib.trust-domain" . | quote }} + {{- with .Values.availabilityTarget }} + availability_target: {{ . | quote }} + {{- end }} {{- if .Values.sds.enabled }} sds: default_svid_name: {{ .Values.sds.defaultSvidName | quote }} @@ -86,7 +89,7 @@ health_checks: live_path: "/live" ready_path: "/ready" -{{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} +{{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} telemetry: - Prometheus: - host: "0.0.0.0" diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 071534ab1..0ac2ad8dd 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -1,4 +1,5 @@ {{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }} +{{- $podSecurityContext := fromYaml (include "spire-lib.podsecuritycontext" .) }} {{- $cbh := eq (include "spire-agent.connect-by-hostname" .) "true" }} apiVersion: apps/v1 kind: DaemonSet @@ -30,10 +31,8 @@ spec: dnsPolicy: ClusterFirstWithHostNet serviceAccountName: {{ include "spire-agent.serviceAccountName" . }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} + {{- toYaml $podSecurityContext | nindent 8 }} + {{- include "spire-lib.default_node_priority_class_name" . | nindent 6 }} {{- if ne (len .Values.hostAliases) 0 }} hostAliases: {{- toYaml .Values.hostAliases | nindent 8 }} @@ -48,13 +47,13 @@ spec: args: ["-t", "30", "-h", "{{ include "spire-agent.server-address" . | trim }}", "-p", {{ .Values.server.port | quote }}] resources: {{- toYaml .Values.waitForIt.resources | nindent 12 }} - {{- if gt (int (dig "fsGroup" 0 .Values.podSecurityContext)) 0 }} + {{- if gt (int (dig "fsGroup" 0 $podSecurityContext)) 0 }} - name: fsgroupfix image: {{ template "spire-lib.image" (dict "image" .Values.fsGroupFix.image "global" .Values.global) }} imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }} command: ["bash", "-c"] args: - - "chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }}" + - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }}" resources: {{- toYaml .Values.fsGroupFix.resources | nindent 12 }} volumeMounts: @@ -72,8 +71,9 @@ spec: image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: ["-config", "/run/spire/config/agent.conf"] - {{- if or (gt (len .Values.extraEnvVars) 0) $cbh }} env: + - name: PATH + value: "/opt/spire/bin:/bin" {{- if $cbh }} - name: MY_NODE_NAME valueFrom: @@ -83,11 +83,10 @@ spec: {{- with .Values.extraEnvVars }} {{- toYaml . | nindent 12 }} {{- end }} - {{- end }} ports: - containerPort: {{ .Values.healthChecks.port }} name: healthz - {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + {{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} - containerPort: {{ .Values.telemetry.prometheus.port }} name: prom {{- end }} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 80e3fb412..a8b4dc820 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -9,14 +9,12 @@ global: {} ## @param image.registry The OCI registry to pull the image from ## @param image.repository The repository within the registry ## @param image.pullPolicy The image pull policy -## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: ghcr.io repository: spiffe/spire-agent pullPolicy: IfNotPresent - version: "" tag: "" ## @param imagePullSecrets [array] Pull secrets for images @@ -91,6 +89,8 @@ trustBundleURL: "" trustBundleFormat: pem ## @param bundleConfigMap Configmap name for Spire bundle bundleConfigMap: spire-bundle +## @param availabilityTarget The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. +availabilityTarget: "" ## @skip upstream upstream: false @@ -126,15 +126,13 @@ waitForIt: ## @param waitForIt.image.registry The OCI registry to pull the image from ## @param waitForIt.image.repository The repository within the registry ## @param waitForIt.image.pullPolicy The image pull policy - ## @param waitForIt.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param waitForIt.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: cgr.dev repository: chainguard/wait-for-it pullPolicy: IfNotPresent - version: "" - tag: latest@sha256:ffab5a8d7b7da2d04f433d0321cc5c34d8aa53bd15dd54eb2e4cd9c0d3d3cf5e + tag: latest@sha256:84be7f9205d88f368097c3712a867c5d35d1d024633de4b5675b3f17f63f27cf ## @param waitForIt.resources [object] Resource requests and limits resources: {} @@ -145,15 +143,13 @@ fsGroupFix: ## @param fsGroupFix.image.registry The OCI registry to pull the image from ## @param fsGroupFix.image.repository The repository within the registry ## @param fsGroupFix.image.pullPolicy The image pull policy - ## @param fsGroupFix.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param fsGroupFix.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - version: "" - tag: latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e + tag: latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -204,7 +200,7 @@ kubeletConnectByHostname: "" ## @param socketPath The unix socket path to the spire-agent socketPath: /run/spire/agent-sockets/spire-agent.sock -## @param priorityClassName Priority class assigned to daemonset pods +## @param priorityClassName Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. priorityClassName: "" ## @param extraEnvVars [array] Extra environment variables to be added to the Spire Agent container diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index 7d13241a4..21181447c 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml @@ -3,7 +3,7 @@ name: spire-server description: A Helm chart to install the SPIRE server. type: application version: 0.1.0 -appVersion: "1.8.5" +appVersion: "1.8.7" keywords: ["spiffe", "spire-server", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 0c219892c..1f8f7e9ec 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -79,194 +79,215 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr ### Chart parameters -| Name | Description | Value | -| --------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | -| `replicaCount` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. | `1` | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/spire-server` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `imagePullSecrets` | Pull secrets for images | `[]` | -| `nameOverride` | Name override | `""` | -| `namespaceOverride` | Namespace override | `""` | -| `fullnameOverride` | Fullname override | `""` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | -| `podAnnotations` | Annotations to add to pods | `{}` | -| `podSecurityContext` | Pod security context | `{}` | -| `securityContext` | Security context | `{}` | -| `priorityClassName` | Priority class assigned to statefulset pods | `""` | -| `service.type` | Type of the Spire server service created | `ClusterIP` | -| `service.port` | Port for the created service | `8081` | -| `service.annotations` | Annotations to add to the service object | `{}` | -| `configMap.annotations` | Annotations to add to the SPIRE Server ConfigMap | `{}` | -| `resources` | Resource requests and limits | `{}` | -| `autoscaling.enabled` | Flag to enable autoscaling | `false` | -| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | -| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `100` | -| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | -| `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | `{}` | -| `tolerations` | List of tolerations | `[]` | -| `affinity` | List of node affinities | `{}` | -| `topologySpreadConstraints` | Topology spread constraints for resilience | `[]` | -| `livenessProbe.failureThreshold` | Failure threshold count for livenessProbe | `2` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `60` | -| `livenessProbe.timeoutSeconds` | Timeout in seconds for livenessProbe | `3` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` | -| `persistence.size` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `1Gi` | -| `persistence.accessMode` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `ReadWriteOnce` | -| `persistence.storageClass` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `nil` | -| `persistence.hostPath` | Which path to use on the host when type = hostPath | `""` | -| `dataStore.sql.databaseType` | Other supported databases are "postgres" and "mysql" | `sqlite3` | -| `dataStore.sql.databaseName` | Only used by "postgres" or "mysql" | `spire` | -| `dataStore.sql.host` | Only used by "postgres" or "mysql" | `""` | -| `dataStore.sql.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. | `0` | -| `dataStore.sql.username` | Only used by "postgres" or "mysql" | `spire` | -| `dataStore.sql.password` | Only used by "postgres" or "mysql" | `""` | -| `dataStore.sql.options` | Only used by "postgres" or "mysql" | `[]` | -| `dataStore.sql.plugin_data` | Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section | `{}` | -| `dataStore.sql.externalSecret.enabled` | Enable external secret for datastore creds | `false` | -| `dataStore.sql.externalSecret.name` | The name of the secret object | `""` | -| `dataStore.sql.externalSecret.key` | The key of the secret object whose value is the dataStore.sql password | `""` | -| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | -| `jwtIssuer` | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset | `""` | -| `clusterName` | Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`) | `example-cluster` | -| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | -| `bundleConfigMap` | Set the trust domain to be used for the SPIFFE identifiers | `spire-bundle` | -| `clusterDomain` | This is the value of your clusters `kubeadm init --service-dns-domain` flag | `cluster.local` | -| `federation.enabled` | Flag to enable federation | `false` | -| `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` | -| `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` | -| `federation.ingress.enabled` | Flag to enable ingress for federation | `false` | -| `federation.ingress.className` | Ingress class name for federation | `""` | -| `federation.ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `federation.ingress.annotations` | Annotations for the ingress object | `{}` | -| `federation.ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server-federation` | -| `federation.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `federation.ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | -| `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | -| `ca_subject.country` | Country for Spire server CA | `ARPA` | -| `ca_subject.organization` | Organization for Spire server CA | `Example` | -| `ca_subject.common_name` | Common Name for Spire server CA | `example.org` | -| `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` | -| `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` | -| `keyManager.awsKMS.enabled` | Flag to enable keyManager in memory | `false` | -| `keyManager.awsKMS.region` | Specify the region for AWS KMS | `""` | -| `keyManager.awsKMS.keyPolicy` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | | -| `keyManager.awsKMS.keyPolicy.policy` | Key policy in JSON format. | `""` | -| `keyManager.awsKMS.keyPolicy.existingConfigMap` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | `""` | -| `keyManager.awsKMS.accessKeyID` | Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. | `""` | -| `keyManager.awsKMS.secretAccessKey` | Secret access key for the AWS account. | `""` | -| `upstreamAuthority.disk.enabled` | Flag to enable upstream authority plugin on disk | `false` | -| `upstreamAuthority.disk.secret.create` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | `true` | -| `upstreamAuthority.disk.secret.name` | If secret creation is disabled, the secret with this name will be used. | `spiffe-upstream-ca` | -| `upstreamAuthority.disk.secret.data` | If secret creation is enabled, will create a secret with following certificate info | | -| `upstreamAuthority.disk.secret.data.certificate` | Certificate to store within disk upstreamAuthority. | `""` | -| `upstreamAuthority.disk.secret.data.key` | Key corresponding to the upstreamAuthority. | `""` | -| `upstreamAuthority.disk.secret.data.bundle` | Trust bundle for upstreamAuthority. | `""` | -| `upstreamAuthority.awsPCA.enabled` | Flag to enable upstream authority plugin with AWS PCA | `false` | -| `upstreamAuthority.awsPCA.region` | AWS Region to use | `""` | -| `upstreamAuthority.awsPCA.certificateAuthorityARN` | ARN of the "upstream" CA certificate | `""` | -| `upstreamAuthority.awsPCA.assumeRoleARN` | (Optional) ARN of an IAM role to assume | `""` | -| `upstreamAuthority.awsPCA.caSigningTemplateARN` | (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. | `""` | -| `upstreamAuthority.awsPCA.signingAlgorithm` | (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. | `""` | -| `upstreamAuthority.awsPCA.endpoint` | (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. | `""` | -| `upstreamAuthority.awsPCA.supplementalBundlePath` | (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. | `""` | -| `upstreamAuthority.certManager.enabled` | Flag to enable upstream authority plugin with cert manager | `false` | -| `upstreamAuthority.certManager.rbac.create` | Flag to create RBAC roles | `true` | -| `upstreamAuthority.certManager.issuer_name` | Defaults to the release name, override if CA is provided outside of the chart | `""` | -| `upstreamAuthority.certManager.issuer_kind` | Defaults to "Issuer", override if CA is provided outside of the chart | `Issuer` | -| `upstreamAuthority.certManager.issuer_group` | Defaults to "cert-manager.io", override if CA is provided outside of the chart | `cert-manager.io` | -| `upstreamAuthority.certManager.namespace` | Specify to use a namespace other then the one the chart is installed into | `""` | -| `upstreamAuthority.certManager.kube_config_file` | Path to kube_config_file on node to setup cert manager | `""` | -| `upstreamAuthority.certManager.ca.create` | Creates a Cert-Manager CA | `false` | -| `upstreamAuthority.certManager.ca.duration` | Duration of the CA. Defaults to 10 years | `87600h` | -| `upstreamAuthority.certManager.ca.privateKey.algorithm` | Algorithm to generate private key for CA | `ECDSA` | -| `upstreamAuthority.certManager.ca.privateKey.size` | Size of generated private key for CA | `256` | -| `upstreamAuthority.certManager.ca.privateKey.rotationPolicy` | Rotation policy for generated private key | `""` | -| `upstreamAuthority.certManager.ca.renewBefore` | How long to wait before renewing the CA | `""` | -| `upstreamAuthority.spire.enabled` | Flag to use another Spire install as upstream CA | `false` | -| `upstreamAuthority.spire.upstreamDriver` | Driver for Spire as upstream CA | `""` | -| `upstreamAuthority.spire.server` | Server details for the Spire instance use as upstream CA | | -| `upstreamAuthority.spire.server.address` | Address for upstream Spire server | `""` | -| `upstreamAuthority.spire.server.port` | Port for upstream Spire server | `8081` | -| `upstreamAuthority.vault.enabled` | Enable Hashicorp Vault as upstream CA | `false` | -| `upstreamAuthority.vault.vaultAddr` | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `""` | -| `upstreamAuthority.vault.namespace` | Name of the Vault namespace. This is only available in the Vault Enterprise. | `""` | -| `upstreamAuthority.vault.pkiMountPoint` | Name of the mount point where PKI secret engine is mounted | `pki` | -| `upstreamAuthority.vault.insecureSkipVerify` | If true, caCert options are ignored and Spire accepts any server certificates claiming to be Vault | `false` | -| `upstreamAuthority.vault.caCert.type` | Type of resource representing the Vault server certificate, options are 'Secret' or 'Configmap', the item must be named `ca.crt` | `Secret` | -| `upstreamAuthority.vault.caCert.name` | Name of the Kubernetes resource containing the Vault server certificate | `vault-ca` | -| `upstreamAuthority.vault.k8sAuth.enabled` | Enable k8s authentication to Hashicorp Vault | `false` | -| `upstreamAuthority.vault.k8sAuth.k8sAuthMountPoint` | Name of the mount point where the Kubernetes auth method is mounted | `kubernetes` | -| `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` | -| `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault` | -| `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` | -| `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` | -| `controllerManager.enabled` | Flag to enable controller manager | `false` | -| `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. | `""` | -| `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` | -| `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | -| `controllerManager.deleteHook.enabled` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) | `true` | -| `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | -| `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `controllerManager.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.4.0` | -| `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | -| `controllerManager.securityContext` | Security context | `{}` | -| `controllerManager.service.type` | Service type for controller manager | `ClusterIP` | -| `controllerManager.service.port` | Service port for controller manager | `443` | -| `controllerManager.service.annotations` | Annotations for service resource | `{}` | -| `controllerManager.configMap.annotations` | Annotations to add to the Controller Manager ConfigMap | `{}` | -| `controllerManager.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` | -| `controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable this identity for controller manager | `true` | -| `controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate` | Spiffe ID template for identities | `spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}` | -| `controllerManager.identities.clusterSPIFFEIDs.default.podSelector` | Selector for pods to issue identity | `{}` | -| `controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector` | Selector for namespacs to issue identity | `{}` | -| `controllerManager.identities.clusterSPIFFEIDs.default.dnsNameTemplates` | DNS name template for issued identities | `[]` | -| `controllerManager.identities.clusterSPIFFEIDs.default.federatesWith` | Other Spire server URLs for identity federation | `[]` | -| `controllerManager.identities.clusterSPIFFEIDs.default.workloadSelectorTemplates` | Templates to produce selectors that apply to a given workload before it will receive an ID | `[]` | -| `controllerManager.identities.clusterSPIFFEIDs.default.ttl` | Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen. | `""` | -| `controllerManager.identities.clusterSPIFFEIDs.default.jwtTTL` | Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen. | `""` | -| `controllerManager.identities.clusterSPIFFEIDs.default.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` | -| `controllerManager.identities.clusterSPIFFEIDs.default.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` | -| `controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` | -| `controllerManager.identities.clusterStaticEntries` | Specify ClusterStaticEntry objects. | `{}` | -| `controllerManager.identities.clusterFederatedTrustDomains` | Specify ClusterFederatedTrustDomain objects. | `{}` | -| `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` | -| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | -| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tools.kubectl.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | -| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | -| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | -| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | -| `ingress.enabled` | Flag to enable ingress | `false` | -| `ingress.className` | Ingress class name | `""` | -| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `ingress.annotations` | Annotations for the ingress object | `{}` | -| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server` | -| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | -| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | -| `extraVolumes` | Extra volumes to be mounted | `[]` | -| `extraVolumeMounts` | Extra volume mounts | `[]` | -| `extraContainers` | Additional containers to create | `[]` | -| `initContainers` | Additional init containers to create | `[]` | -| `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) | `rsa-2048` | -| `caTTL` | TTL for CA | `24h` | -| `defaultX509SvidTTL` | TTL for X509 Svids | `4h` | -| `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` | -| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` | -| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| Name | Description | Value | +| -------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | +| `replicaCount` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. | `1` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spire-server` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `crNameOverride` | Name override for any custom resources | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | +| `podAnnotations` | Annotations to add to pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `priorityClassName` | Priority class assigned to statefulset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | +| `service.type` | Type of the Spire server service created | `ClusterIP` | +| `service.port` | Port for the created service | `8081` | +| `service.annotations` | Annotations to add to the service object | `{}` | +| `configMap.annotations` | Annotations to add to the SPIRE Server ConfigMap | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `autoscaling.enabled` | Flag to enable autoscaling | `false` | +| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | +| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `100` | +| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | +| `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `affinity` | List of node affinities | `{}` | +| `topologySpreadConstraints` | Topology spread constraints for resilience | `[]` | +| `livenessProbe.failureThreshold` | Failure threshold count for livenessProbe | `2` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `60` | +| `livenessProbe.timeoutSeconds` | Timeout in seconds for livenessProbe | `3` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` | +| `persistence.size` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `1Gi` | +| `persistence.accessMode` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `ReadWriteOnce` | +| `persistence.storageClass` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `nil` | +| `persistence.hostPath` | Which path to use on the host when type = hostPath | `""` | +| `dataStore.sql.databaseType` | Other supported databases are "postgres" and "mysql" | `sqlite3` | +| `dataStore.sql.databaseName` | Only used by "postgres" or "mysql" | `spire` | +| `dataStore.sql.host` | Only used by "postgres" or "mysql" | `""` | +| `dataStore.sql.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. | `0` | +| `dataStore.sql.username` | Only used by "postgres" or "mysql" | `spire` | +| `dataStore.sql.password` | Only used by "postgres" or "mysql" | `""` | +| `dataStore.sql.options` | Only used by "postgres" or "mysql" | `[]` | +| `dataStore.sql.plugin_data` | Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section | `{}` | +| `dataStore.sql.externalSecret.enabled` | Enable external secret for datastore creds | `false` | +| `dataStore.sql.externalSecret.name` | The name of the secret object | `""` | +| `dataStore.sql.externalSecret.key` | The key of the secret object whose value is the dataStore.sql password | `""` | +| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `jwtIssuer` | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset | `""` | +| `clusterName` | Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`) | `example-cluster` | +| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | +| `bundleConfigMap` | Set the trust domain to be used for the SPIFFE identifiers | `spire-bundle` | +| `clusterDomain` | This is the value of your clusters `kubeadm init --service-dns-domain` flag | `cluster.local` | +| `federation.enabled` | Flag to enable federation | `false` | +| `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` | +| `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` | +| `federation.tls.spire.enabled` | Use spire to secure the federation bundle endpoint | `true` | +| `federation.tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` | +| `federation.tls.externalSecret.secretName` | Specify which Secret to use | `""` | +| `federation.tls.certManager.enabled` | Use certificateManager to create the certificate | `false` | +| `federation.tls.certManager.issuer.create` | Create an issuer to use to issue the certificate | `true` | +| `federation.tls.certManager.issuer.acme.email` | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service | `""` | +| `federation.tls.certManager.issuer.acme.server` | Server to use to get certificate. Defaults to LetsEncrypt | `https://acme-v02.api.letsencrypt.org/directory` | +| `federation.tls.certManager.issuer.acme.solvers` | Configure the issuer solvers. Defaults to http01 via ingress. | `{}` | +| `federation.tls.certManager.certificate.dnsNames` | Override the dnsNames on the certificate request. Defaults to the same settings as Ingress | `[]` | +| `federation.tls.certManager.certificate.issuerRef.group` | If you are using an external plugin, specify the group for it here | `""` | +| `federation.tls.certManager.certificate.issuerRef.kind` | Kind of the issuer reference. Override if you want to use a ClusterIssuer | `Issuer` | +| `federation.tls.certManager.certificate.issuerRef.name` | Name of the issuer to use. If unset, it will use the name of the built in issuer | `""` | +| `federation.ingress.enabled` | Flag to enable ingress for federation | `false` | +| `federation.ingress.className` | Ingress class name for federation | `""` | +| `federation.ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | +| `federation.ingress.annotations` | Annotations for the ingress object | `{}` | +| `federation.ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server-federation` | +| `federation.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | +| `federation.ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | +| `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | +| `ca_subject.country` | Country for Spire server CA | `ARPA` | +| `ca_subject.organization` | Organization for Spire server CA | `Example` | +| `ca_subject.common_name` | Common Name for Spire server CA | `example.org` | +| `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` | +| `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` | +| `keyManager.awsKMS.enabled` | Flag to enable keyManager in memory | `false` | +| `keyManager.awsKMS.region` | Specify the region for AWS KMS | `""` | +| `keyManager.awsKMS.keyPolicy` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | | +| `keyManager.awsKMS.keyPolicy.policy` | Key policy in JSON format. | `""` | +| `keyManager.awsKMS.keyPolicy.existingConfigMap` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | `""` | +| `keyManager.awsKMS.accessKeyID` | Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. | `""` | +| `keyManager.awsKMS.secretAccessKey` | Secret access key for the AWS account. | `""` | +| `upstreamAuthority.disk.enabled` | Flag to enable upstream authority plugin on disk | `false` | +| `upstreamAuthority.disk.secret.create` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | `true` | +| `upstreamAuthority.disk.secret.name` | If secret creation is disabled, the secret with this name will be used. | `spiffe-upstream-ca` | +| `upstreamAuthority.disk.secret.data` | If secret creation is enabled, will create a secret with following certificate info | | +| `upstreamAuthority.disk.secret.data.certificate` | Certificate to store within disk upstreamAuthority. | `""` | +| `upstreamAuthority.disk.secret.data.key` | Key corresponding to the upstreamAuthority. | `""` | +| `upstreamAuthority.disk.secret.data.bundle` | Trust bundle for upstreamAuthority. | `""` | +| `upstreamAuthority.awsPCA.enabled` | Flag to enable upstream authority plugin with AWS PCA | `false` | +| `upstreamAuthority.awsPCA.region` | AWS Region to use | `""` | +| `upstreamAuthority.awsPCA.certificateAuthorityARN` | ARN of the "upstream" CA certificate | `""` | +| `upstreamAuthority.awsPCA.assumeRoleARN` | (Optional) ARN of an IAM role to assume | `""` | +| `upstreamAuthority.awsPCA.caSigningTemplateARN` | (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. | `""` | +| `upstreamAuthority.awsPCA.signingAlgorithm` | (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. | `""` | +| `upstreamAuthority.awsPCA.endpoint` | (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. | `""` | +| `upstreamAuthority.awsPCA.supplementalBundlePath` | (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. | `""` | +| `upstreamAuthority.certManager.enabled` | Flag to enable upstream authority plugin with cert manager | `false` | +| `upstreamAuthority.certManager.rbac.create` | Flag to create RBAC roles | `true` | +| `upstreamAuthority.certManager.issuer_name` | Defaults to the release name, override if CA is provided outside of the chart | `""` | +| `upstreamAuthority.certManager.issuer_kind` | Defaults to "Issuer", override if CA is provided outside of the chart | `Issuer` | +| `upstreamAuthority.certManager.issuer_group` | Defaults to "cert-manager.io", override if CA is provided outside of the chart | `cert-manager.io` | +| `upstreamAuthority.certManager.namespace` | Specify to use a namespace other then the one the chart is installed into | `""` | +| `upstreamAuthority.certManager.kube_config_file` | Path to kube_config_file on node to setup cert manager | `""` | +| `upstreamAuthority.certManager.ca.create` | Creates a Cert-Manager CA | `false` | +| `upstreamAuthority.certManager.ca.duration` | Duration of the CA. Defaults to 10 years | `87600h` | +| `upstreamAuthority.certManager.ca.privateKey.algorithm` | Algorithm to generate private key for CA | `ECDSA` | +| `upstreamAuthority.certManager.ca.privateKey.size` | Size of generated private key for CA | `256` | +| `upstreamAuthority.certManager.ca.privateKey.rotationPolicy` | Rotation policy for generated private key | `""` | +| `upstreamAuthority.certManager.ca.renewBefore` | How long to wait before renewing the CA | `""` | +| `upstreamAuthority.spire.enabled` | Flag to use another Spire install as upstream CA | `false` | +| `upstreamAuthority.spire.upstreamDriver` | Driver for Spire as upstream CA | `""` | +| `upstreamAuthority.spire.server` | Server details for the Spire instance use as upstream CA | | +| `upstreamAuthority.spire.server.address` | Address for upstream Spire server | `""` | +| `upstreamAuthority.spire.server.port` | Port for upstream Spire server | `8081` | +| `upstreamAuthority.vault.enabled` | Enable Hashicorp Vault as upstream CA | `false` | +| `upstreamAuthority.vault.vaultAddr` | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `""` | +| `upstreamAuthority.vault.namespace` | Name of the Vault namespace. This is only available in the Vault Enterprise. | `""` | +| `upstreamAuthority.vault.pkiMountPoint` | Name of the mount point where PKI secret engine is mounted | `pki` | +| `upstreamAuthority.vault.insecureSkipVerify` | If true, caCert options are ignored and Spire accepts any server certificates claiming to be Vault | `false` | +| `upstreamAuthority.vault.caCert.type` | Type of resource representing the Vault server certificate, options are 'Secret' or 'Configmap', the item must be named `ca.crt` | `Secret` | +| `upstreamAuthority.vault.caCert.name` | Name of the Kubernetes resource containing the Vault server certificate | `vault-ca` | +| `upstreamAuthority.vault.k8sAuth.enabled` | Enable k8s authentication to Hashicorp Vault | `false` | +| `upstreamAuthority.vault.k8sAuth.k8sAuthMountPoint` | Name of the mount point where the Kubernetes auth method is mounted | `kubernetes` | +| `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` | +| `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault` | +| `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` | +| `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` | +| `controllerManager.enabled` | Flag to enable controller manager | `false` | +| `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. | `""` | +| `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` | +| `controllerManager.expandEnv` | Set to true to enable environment variable substitution of config file options | `false` | +| `controllerManager.extraEnv` | Extra environment variables to add to the controller manager | `[]` | +| `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | +| `controllerManager.deleteHook.enabled` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) | `true` | +| `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | +| `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.4.1` | +| `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | +| `controllerManager.securityContext` | Security context | `{}` | +| `controllerManager.service.type` | Service type for controller manager | `ClusterIP` | +| `controllerManager.service.port` | Service port for controller manager | `443` | +| `controllerManager.service.annotations` | Annotations for service resource | `{}` | +| `controllerManager.configMap.annotations` | Annotations to add to the Controller Manager ConfigMap | `{}` | +| `controllerManager.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable this identity for controller manager | `true` | +| `controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate` | Spiffe ID template for identities | `spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}` | +| `controllerManager.identities.clusterSPIFFEIDs.default.podSelector` | Selector for pods to issue identity | `{}` | +| `controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector` | Selector for namespacs to issue identity | `{}` | +| `controllerManager.identities.clusterSPIFFEIDs.default.dnsNameTemplates` | DNS name template for issued identities | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.default.federatesWith` | Other Spire server URLs for identity federation | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.default.workloadSelectorTemplates` | Templates to produce selectors that apply to a given workload before it will receive an ID | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.default.ttl` | Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen. | `""` | +| `controllerManager.identities.clusterSPIFFEIDs.default.jwtTTL` | Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen. | `""` | +| `controllerManager.identities.clusterSPIFFEIDs.default.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` | +| `controllerManager.identities.clusterSPIFFEIDs.default.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` | +| `controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` | +| `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable this identity for controller manager | `true` | +| `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.type` | The type of rule this is. | `oidc-discovery-provider` | +| `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames` | Auto populate DNS names to the discovery provider | `true` | +| `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.dnsNameTemplates` | DNS name template for issued identities | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable this identity for controller manager | `true` | +| `controllerManager.identities.clusterSPIFFEIDs.test-keys.type` | The type of rule this is. | `test-keys` | +| `controllerManager.identities.clusterStaticEntries` | Specify ClusterStaticEntry objects. | `{}` | +| `controllerManager.identities.clusterFederatedTrustDomains` | Specify ClusterFederatedTrustDomain objects. | `{}` | +| `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` | +| `controllerManager.cacheNamespaces` | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. | `{}` | +| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | +| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | +| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | +| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | +| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | +| `ingress.enabled` | Flag to enable ingress | `false` | +| `ingress.className` | Ingress class name | `""` | +| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | +| `ingress.annotations` | Annotations for the ingress object | `{}` | +| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server` | +| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | +| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | +| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | +| `extraEnv` | Extra environment variables to add to the spire server | `[]` | +| `extraVolumes` | Extra volumes to be mounted | `[]` | +| `extraVolumeMounts` | Extra volume mounts | `[]` | +| `extraContainers` | Additional containers to create | `[]` | +| `initContainers` | Additional init containers to create | `[]` | +| `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) | `rsa-2048` | +| `caTTL` | TTL for CA | `24h` | +| `defaultX509SvidTTL` | TTL for X509 Svids | `4h` | +| `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` | +| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` | +| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| `nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `false` | ### Tornjak @@ -276,8 +297,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `tornjak.image.repository` | The repository within the registry | `spiffe/tornjak-backend` | | `tornjak.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tornjak.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tornjak.image.tag` | Overrides the image tag whose default is the chart appVersion | `v1.4.0` | +| `tornjak.image.tag` | Overrides the image tag to be whatever you need it to be. It will always be the flag you set without modifications | `""` | +| `tornjak.image.defaultTag` | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. | `v1.4.2` | | `tornjak.service.type` | Type of service resource | `ClusterIP` | | `tornjak.service.ports.http` | Insecure port for tornjak service | `10000` | | `tornjak.service.ports.https` | Secure port for tornjak service | `10443` | @@ -302,6 +323,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.config.clientCA.type` | Type of delivery for the user CA for TLS client verification. Options are `Secret` or `ConfigMap` (required for `mtls` connectionType) | `Secret` | | `tornjak.config.clientCA.name` | Name of the resource secret or configMap with user CA for TLS | `tornjak-client-ca` | | `tornjak.resources` | Resource requests and limits | `{}` | +| `tornjak.securityContext` | Security Context to use | `{}` | +| `customPlugins.bundlePublisher` | Custom plugins of type BundlePublisher are configured here | `{}` | | `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | | `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | | `customPlugins.upstreamAuthority` | Custom plugins of type upstreamAuthority are configured here | `{}` | @@ -315,5 +338,4 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` | diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index 3652f5407..d2ecb3967 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl @@ -29,6 +29,42 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- define "spire-server.namespace" -}} {{- if .Values.namespaceOverride -}} {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.server.name }} + {{- else }} + {{- printf "spire-server" }} + {{- end }} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{- define "spire-server.agent-namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.system.name }} + {{- else }} + {{- printf "spire-system" }} + {{- end }} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{- define "spire-server.bundle-namespace" -}} + {{- if .Values.notifier.k8sbundle.namespace }} + {{- .Values.notifier.k8sbundle.namespace }} + {{- else if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.system.name }} + {{- else }} + {{- printf "spire-system" }} + {{- end }} {{- else -}} {{- .Release.Namespace -}} {{- end -}} @@ -101,7 +137,7 @@ Create the name of the service account to use {{- if ne (len .Values.nodeAttestor.k8sPsat.serviceAccountAllowList) 0 }} {{- .Values.nodeAttestor.k8sPsat.serviceAccountAllowList | toJson }} {{- else }} -[{{ printf "%s:%s-agent" .Release.Namespace .Release.Name | quote }}] +[{{ printf "%s:%s-agent" (include "spire-server.agent-namespace" .) .Release.Name | quote }}] {{- end }} {{- end }} @@ -225,6 +261,6 @@ The code below determines what connection type should be used. {{- if .Values.controllerManager.className }} {{- .Values.controllerManager.className }} {{- else }} -{{- .Release.Namespace }}-{{ .Release.Name }} +{{- .Release.Namespace }}-{{ default .Release.Name .Values.crNameOverride }} {{- end -}} {{- end -}} diff --git a/charts/spire/charts/spire-server/templates/bundle-configmap.yaml b/charts/spire/charts/spire-server/templates/bundle-configmap.yaml index 95b7dd230..4217322b5 100644 --- a/charts/spire/charts/spire-server/templates/bundle-configmap.yaml +++ b/charts/spire/charts/spire-server/templates/bundle-configmap.yaml @@ -1,9 +1,9 @@ -{{- $namespace := include "spire-server.namespace" . }} +{{- $namespace := include "spire-server.bundle-namespace" . }} apiVersion: v1 kind: ConfigMap metadata: name: {{ include "spire-lib.bundle-configmap" . }} - namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }} + namespace: {{ $namespace }} {{- with .Values.configMap.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index a6778101a..37e369ba2 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -5,7 +5,7 @@ {{- include "spire-lib.check-strict-mode" (list . "ca_subject.organization must be set" (eq .Values.ca_subject.organization "Example"))}} {{- include "spire-lib.check-strict-mode" (list . "ca_subject.common_name must be set" (eq .Values.ca_subject.common_name "example.org"))}} {{- range $type, $tvals := .Values.customPlugins }} -{{- if not (has $type (list "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }} +{{- if not (has $type (list "bundlePublisher" "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }} {{- fail (printf "Unknown plugin type specified: %s" $type) }} {{- end }} {{- range $name, $nval := $tvals }} @@ -22,6 +22,19 @@ {{- end }} {{- end }} {{- end }} +{{- $tlsFederationCount := 0 }} +{{- if .Values.federation.tls.spire.enabled }} +{{- $tlsFederationCount = add $tlsFederationCount 1 }} +{{- end }} +{{- if .Values.federation.tls.externalSecret.enabled }} +{{- $tlsFederationCount = add $tlsFederationCount 1 }} +{{- end }} +{{- if .Values.federation.tls.certManager.enabled }} +{{- $tlsFederationCount = add $tlsFederationCount 1 }} +{{- end }} +{{- if ne $tlsFederationCount 1 }} +{{- fail "You must enable one and only one federation TLS configuration" }} +{{- end }} {{- define "spire-server.yaml-config" -}} {{- $upstreamAuthorityUsed := 0 }} {{- $keyManagerUsed := 0 }} @@ -74,9 +87,10 @@ plugins: plugin_data: {{ include "spire-server.datastore-config" . | nindent 10 }} + {{- if or .Values.nodeAttestor.k8sPsat.enabled .Values.nodeAttestor.joinToken.enabled }} + NodeAttestor: {{- with .Values.nodeAttestor.k8sPsat }} {{- if eq (.enabled | toString) "true" }} - NodeAttestor: k8s_psat: plugin_data: clusters: @@ -84,6 +98,13 @@ plugins: service_account_allow_list: {{ include "spire-server.serviceAccountAllowedList" $root | trim }} {{- end }} {{- end }} + {{- with .Values.nodeAttestor.joinToken }} + {{- if eq (.enabled | toString) "true" }} + join_token: + plugin_data: {} + {{- end }} + {{- end }} + {{- end }} {{- with .Values.keyManager.disk }} {{- if eq (.enabled | toString) "true" }} @@ -131,7 +152,7 @@ plugins: Notifier: k8sbundle: plugin_data: - namespace: {{ .Values.notifier.k8sbundle.namespace | default (include "spire-server.namespace" .) | quote }} + namespace: {{ include "spire-server.bundle-namespace" . | quote }} config_map: {{ include "spire-lib.bundle-configmap" . | quote }} {{- with .Values.upstreamAuthority.disk }} @@ -242,7 +263,7 @@ health_checks: live_path: "/live" ready_path: "/ready" -{{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} +{{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} telemetry: - Prometheus: - host: "0.0.0.0" diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml index 8670f7332..cbd5400c5 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml @@ -1,22 +1,55 @@ +{{- define "spire-controller-manager-identity-nsselector" }} +key: "kubernetes.io/metadata.name" +{{- if eq .type "base" }} +operator: NotIn +{{- else }} +operator: In +{{- end }} +values: + {{ .namespaces | toYaml | nindent 2 }} +{{- end }} +{{- define "spire-controller-manager-identity-podselector" }} +{{- if eq .type "oidc-discovery-provider" }} +matchLabels: + release: {{ .Release.Name }} + release-namespace: {{ .Release.Namespace }} + component: oidc-discovery-provider +{{- else if eq .type "test-keys" }} +matchLabels: + release: {{ .Release.Name }} + release-namespace: {{ .Release.Namespace }} + component: test-keys +{{- else }} +{} +{{- end }} +{{- end }} {{- $root := . }} +{{ $namespaces := list .Release.Namespace .Values.namespaceOverride (dig "spire" "namespaces" "server" "name" "" .Values.global) (dig "spire" "namespaces" "system" "name" "" .Values.global) | compact | uniq }} {{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }} {{- range $skey, $svalue := $value }} -{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames")) }} +{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames")) }} {{- fail (printf "Unsupported property specified: %s" $skey) }} {{- end }} {{- end }} -{{- range $rprop := list "spiffeIDTemplate" }} -{{- if not (hasKey $value $rprop) }} -{{- fail (printf "Required property %s was not specified" $rprop) }} -{{- end }} -{{- end }} {{- if eq ($root.Values.controllerManager.enabled | toString) "true" }} {{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }} +{{- $type := dig "type" "base" $value }} +{{- if not (has $type (list "base" "raw" "oidc-discovery-provider" "test-keys")) }} +{{- fail (printf "Type given: %s, must be one of [base, raw, oidc-discovery-provider, test-keys]" $type) }} +{{- end }} +{{- $namespaceSelector := deepCopy (dig "namespaceSelector" (dict) $value) }} +{{- if ne $type "raw" }} +{{- $namespaceSelector := merge $namespaceSelector (dict "matchExpressions" (list)) }} +{{- $namespaceSelectorToAdd := include "spire-controller-manager-identity-nsselector" (dict "type" $type "namespaces" $namespaces) | fromYaml }} +{{- $_ := set $namespaceSelector "matchExpressions" (append $namespaceSelector.matchExpressions $namespaceSelectorToAdd) }} +{{- end }} +{{- $podSelector := deepCopy (dig "podSelector" (dict) $value) }} +{{- $podSelector := merge $podSelector (include "spire-controller-manager-identity-podselector" (dict "type" $type "Release" $root.Release) | fromYaml ) }} --- apiVersion: spire.spiffe.io/v1alpha1 kind: ClusterSPIFFEID metadata: - name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }} + name: {{ $root.Release.Namespace }}-{{ default $root.Release.Name $root.Values.crNameOverride }}-{{ $key }} {{- with $value.annotations }} annotations: {{- toYaml . | nindent 4 }} @@ -27,16 +60,20 @@ metadata: {{- end }} spec: className: {{ include "spire-server.controller-manager-class-name" $root | quote }} + {{- if and (hasKey $value "spiffeIDTemplate") (ne (len $value.spiffeIDTemplate) 0) }} spiffeIDTemplate: {{ $value.spiffeIDTemplate | quote }} + {{- else }} + spiffeIDTemplate: {{ $root.Values.controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate | quote }} + {{- end }} {{- with $value.federatesWith }} federatesWith: {{- toYaml . | nindent 4 }} {{- end }} - {{- with $value.podSelector }} + {{- with $podSelector }} podSelector: {{- toYaml . | nindent 4 }} {{- end }} - {{- with $value.namespaceSelector }} + {{- with $namespaceSelector }} namespaceSelector: {{- toYaml . | nindent 4 }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml index 60f728ab0..f11982f0d 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml @@ -23,8 +23,12 @@ data: healthProbeBindAddress: 0.0.0.0:8083 leaderElection: leaderElect: true - resourceName: {{ .Release.Name | sha256sum | trunc 8 }}.spiffe.io + resourceName: {{ printf "%s-%s" .Release.Namespace (default .Release.Name .Values.crNameOverride) | sha256sum | trunc 8 }}.spiffe.io resourceNamespace: {{ include "spire-server.namespace" . }} + {{- with .Values.controllerManager.cacheNamespaces }} + cacheNamespaces: + {{- toYaml . | nindent 6 }} + {{- end }} validatingWebhookConfigurationName: {{ .Release.Namespace }}-{{ include "spire-controller-manager.fullname" . }}-webhook clusterName: {{ include "spire-lib.cluster-name" . }} trustDomain: {{ include "spire-lib.trust-domain" . }} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml b/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml index 1c2b659a0..d41c0b7b4 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml @@ -16,7 +16,7 @@ apiVersion: spire.spiffe.io/v1alpha1 kind: ClusterFederatedTrustDomain metadata: - name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }} + name: {{ $root.Release.Namespace }}-{{ default $root.Release.Name $root.Values.crNameOverride }}-{{ $key }} {{- with $value.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml b/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml index 47629c4a4..df76208c7 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml @@ -16,7 +16,7 @@ apiVersion: spire.spiffe.io/v1alpha1 kind: ClusterStaticEntry metadata: - name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }} + name: {{ $root.Release.Namespace }}-{{ default $root.Release.Name $root.Values.crNameOverride }}-{{ $key }} {{- with $value.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/spire/charts/spire-server/templates/federation-certificate.yaml b/charts/spire/charts/spire-server/templates/federation-certificate.yaml new file mode 100644 index 000000000..013d3026f --- /dev/null +++ b/charts/spire/charts/spire-server/templates/federation-certificate.yaml @@ -0,0 +1,27 @@ +{{- define "spire-server.federation-cert-manager-default-cert" }} +{{- $fullName := include "spire-server.fullname" . }} +{{- $issuerFullName := printf "%s-federation" $fullName }} +dnsNames: + {{- if ne (len .Values.federation.tls.certManager.certificate.dnsNames) 0 }} + {{- toYaml .Values.federation.tls.certManager.certificate.dnsNames | nindent 4 }} + {{- else }} + - {{ include "spire-lib.ingress-calculated-name" (dict "ingress" .Values.federation.ingress "Values" .Values) }} + {{- end }} +issuerRef: + {{- with .Values.federation.tls.certManager.certificate.issuerRef.group }} + group: {{ . }} + {{- end }} + kind: {{ default "Issuer" .Values.federation.tls.certManager.certificate.issuerRef.kind }} + name: {{ default $issuerFullName .Values.federation.tls.certManager.certificate.issuerRef.name }} +secretName: {{ $issuerFullName }}-cert +{{- end }} +{{- if .Values.federation.tls.certManager.enabled }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "spire-server.fullname" . }} + namespace: {{ include "spire-server.namespace" . }} +spec: + {{ merge (include "spire-server.federation-cert-manager-default-cert" . | fromYaml) .Values.federation.tls.certManager.certificate | toYaml | nindent 2 }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/federation-ingress.yaml b/charts/spire/charts/spire-server/templates/federation-ingress.yaml index 009deaaf1..c61bb88f3 100644 --- a/charts/spire/charts/spire-server/templates/federation-ingress.yaml +++ b/charts/spire/charts/spire-server/templates/federation-ingress.yaml @@ -1,16 +1,34 @@ {{- if .Values.federation.enabled }} {{- if .Values.federation.ingress.enabled -}} -{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.federation.ingress) }} {{- $svcName := include "spire-server.fullname" . }} +{{/* Until https://github.com/spiffe/spire/issues/2202 is resolved, use ingress to implement cert-manager and externalSecret support. */}} +{{- $federationIngress := deepCopy .Values.federation.ingress }} +{{- if .Values.federation.tls.certManager.enabled }} +{{- $secret := printf "%s-federation-cert" $svcName }} +{{- $_ := set $federationIngress "tlsSecret" $secret }} +{{- end }} +{{- if .Values.federation.tls.externalSecret.enabled }} +{{- $_ := set $federationIngress "tlsSecret" .Values.federation.tls.externalSecret.secretName }} +{{- end }} +{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.federation.ingress) }} {{- $tlsSection := true }} {{- $annotations := deepCopy .Values.federation.ingress.annotations }} {{- if eq $ingressControllerType "ingress-nginx" }} {{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }} {{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }} {{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }} +{{- if not .Values.federation.ingress.tlsSecret }} +{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }} +{{- end }} {{- else if eq $ingressControllerType "openshift" }} -{{- $_ := set $annotations "route.openshift.io/termination" "edge" }} +{{- if $federationIngress.tlsSecret }} +{{- $_ := set $annotations "route.openshift.io/termination" "reencrypt" }} +{{- else }} +{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }} +{{- $path = "" }} +{{- $pathType = "ImplementationSpecific" }} {{- $tlsSection = false }} +{{- end }} {{- end }} apiVersion: networking.k8s.io/v1 kind: Ingress @@ -24,6 +42,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.federation.ingress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" .Values) | nindent 2 }} + {{ include "spire-lib.ingress-spec" (dict "ingress" $federationIngress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" .Values) | nindent 2 }} {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/federation-issuer.yaml b/charts/spire/charts/spire-server/templates/federation-issuer.yaml new file mode 100644 index 000000000..2a159f537 --- /dev/null +++ b/charts/spire/charts/spire-server/templates/federation-issuer.yaml @@ -0,0 +1,22 @@ +{{- define "spire-server.federation-cert-manager-default-issuer" }} +{{- if not .Values.federation.tls.certManager.issuer.acme.email }} +{{- fail "You must specify an email address via certManager.issuer.acme.email" }} +{{- end }} +email: {{ .Values.federation.tls.certManager.issuer.acme.email | quote}} +server: {{ .Values.federation.tls.certManager.issuer.acme.server | quote}} +privateKeySecretRef: + name: {{ include "spire-server.fullname" . }}-federation-issuer +solvers: +- http01: + ingress: {} +{{- end }} +{{- if and .Values.federation.tls.certManager.enabled .Values.federation.tls.certManager.issuer.create }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "spire-server.fullname" . }}-federation + namespace: {{ include "spire-server.namespace" . }} +spec: + acme: + {{ mergeOverwrite (include "spire-server.federation-cert-manager-default-issuer" . | fromYaml) .Values.federation.tls.certManager.issuer.acme | toYaml | nindent 4 }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/hpa.yaml b/charts/spire/charts/spire-server/templates/hpa.yaml index 921abf632..4c1c41c83 100644 --- a/charts/spire/charts/spire-server/templates/hpa.yaml +++ b/charts/spire/charts/spire-server/templates/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: {{ include "spire-lib.autoscalingVersion" . }} kind: HorizontalPodAutoscaler metadata: name: {{ include "spire-server.fullname" . }} @@ -9,7 +9,7 @@ metadata: spec: scaleTargetRef: apiVersion: apps/v1 - kind: Deployment + kind: StatefulSet name: {{ include "spire-server.fullname" . }} minReplicas: {{ .Values.autoscaling.minReplicas }} {{- if and (eq .Values.dataStore.sql.databaseType "sqlite3") .Values.autoscaling.enabled (gt (int .Values.autoscaling.maxReplicas) 1) }} @@ -17,16 +17,20 @@ spec: {{- end }} maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Resource resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/post-install-hook.yaml b/charts/spire/charts/spire-server/templates/post-install-hook.yaml index 77b647075..457f46ba4 100644 --- a/charts/spire/charts/spire-server/templates/post-install-hook.yaml +++ b/charts/spire/charts/spire-server/templates/post-install-hook.yaml @@ -59,11 +59,11 @@ spec: restartPolicy: Never serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-post-install securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: post-install-job securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- include "spire-lib.securitycontext" . | nindent 10 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - patch diff --git a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml index d1b255fd8..4d4d5179d 100644 --- a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml @@ -59,11 +59,11 @@ spec: restartPolicy: Never serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-post-upgrade securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: post-upgrade-job securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- include "spire-lib.securitycontext" . | nindent 10 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - patch diff --git a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml index 1416a828d..86226a1a7 100644 --- a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml +++ b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml @@ -63,11 +63,11 @@ spec: restartPolicy: Never serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-pre-delete securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: pre-delete-job securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- include "spire-lib.securitycontext" . | nindent 10 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - delete @@ -78,7 +78,7 @@ spec: - --wait - name: pre-delete-check securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- include "spire-lib.securitycontext" . | nindent 10 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - wait diff --git a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml index a72e0437f..1d462bca1 100644 --- a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml @@ -1,9 +1,4 @@ {{- if eq ((dig "installAndUpgradeHooks" "enabled" .Values.controllerManager.installAndUpgradeHook.enabled .Values.global) | toString) "true" }} -{{- $webhookname := printf "%s-%s-webhook" .Release.Namespace (include "spire-controller-manager.fullname" .) }} -{{- $oldwebhookname := printf "%s-webhook" (include "spire-controller-manager.fullname" .) }} -{{- if not (lookup "admissionregistration.k8s.io/v1" "ValidatingWebhookConfiguration" "" $webhookname) }} -{{- $webhookname = $oldwebhookname }} -{{- end }} {{- if eq (.Values.controllerManager.enabled | toString) "true" }} {{- if eq .Values.controllerManager.validatingWebhookConfiguration.failurePolicy "Fail" }} apiVersion: v1 @@ -27,7 +22,7 @@ metadata: rules: - apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations"] - resourceNames: [{{ $webhookname | quote }}] + resourceNames: [{{ printf "%s-%s-webhook" .Release.Namespace (include "spire-controller-manager.fullname" .) | quote }}] verbs: ["get", "patch"] --- kind: ClusterRoleBinding @@ -64,16 +59,16 @@ spec: restartPolicy: Never serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-pre-upgrade securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: post-install-job securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- include "spire-lib.securitycontext" . | nindent 10 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - patch - validatingwebhookconfiguration - - {{ $webhookname }} + - {{ printf "%s-%s-webhook" .Release.Namespace (include "spire-controller-manager.fullname" .) }} - --type=strategic - -p - | diff --git a/charts/spire/charts/spire-server/templates/roles.yaml b/charts/spire/charts/spire-server/templates/roles.yaml index 6c667e723..c09bedecd 100644 --- a/charts/spire/charts/spire-server/templates/roles.yaml +++ b/charts/spire/charts/spire-server/templates/roles.yaml @@ -1,10 +1,11 @@ {{- $namespace := include "spire-server.namespace" . }} +{{- $bundleNamespace := include "spire-server.bundle-namespace" . }} # Role to be able to push certificate bundles to a configmap kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "spire-lib.bundle-configmap" . }} - namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }} + namespace: {{ $bundleNamespace }} rules: - apiGroups: [""] resources: [configmaps] @@ -52,7 +53,7 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "spire-lib.bundle-configmap" . }} - namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }} + namespace: {{ $bundleNamespace }} subjects: - kind: ServiceAccount name: {{ include "spire-server.serviceAccountName" . }} diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index ca26abb52..45fe21df1 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -29,6 +29,7 @@ spec: template: metadata: annotations: + kubectl.kubernetes.io/default-container: spire-server checksum/config: {{ $configSum }} checksum/config2: {{ $configSum2 }} checksum/config3: {{ $configSum3 }} @@ -39,6 +40,9 @@ spec: labels: {{- include "spire-server.selectorLabels" . | nindent 8 }} app.kubernetes.io/component: server + component: server + release: {{ .Release.Name }} + release-namespace: {{ .Release.Namespace }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -47,16 +51,14 @@ spec: serviceAccountName: {{ include "spire-server.serviceAccountName" . }} shareProcessNamespace: true securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} + {{- include "spire-lib.default_cluster_priority_class_name" . | nindent 6 }} {{- if or (gt (len .Values.initContainers) 0) (and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create) }} initContainers: {{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create }} - name: wait securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext" . | nindent 12 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - wait @@ -75,7 +77,7 @@ spec: containers: - name: {{ .Chart.Name }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext" . | nindent 12 }} image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: @@ -85,6 +87,9 @@ spec: env: - name: PATH value: "/opt/spire/bin:/bin" + {{- with .Values.extraEnv }} + {{- . | toYaml | nindent 10 }} + {{- end }} {{- if ne .Values.dataStore.sql.databaseType "sqlite3" }} {{- if .Values.dataStore.sql.externalSecret.enabled }} - name: DBPW @@ -127,7 +132,7 @@ spec: protocol: TCP {{- end }} {{- end }} - {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + {{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} - containerPort: 9988 name: prom {{- end }} @@ -189,18 +194,25 @@ spec: {{- if eq (.Values.controllerManager.enabled | toString) "true" }} - name: spire-controller-manager securityContext: - {{- toYaml .Values.controllerManager.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext-extended" (dict "root" . "securityContext" .Values.controllerManager.securityContext) | nindent 12 }} image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.image "global" .Values.global) }} imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }} args: - --config=controller-manager-config.yaml + {{- if .Values.controllerManager.expandEnv }} + - --expand-env + {{- end }} + {{- if gt (len .Values.controllerManager.extraEnv) 0 }} + env: + {{- .Values.controllerManager.extraEnv | toYaml | nindent 12 }} + {{- end }} ports: - name: https containerPort: 9443 protocol: TCP - containerPort: 8083 name: healthz - {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + {{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} - containerPort: 8082 name: prom2 {{- end }} @@ -225,13 +237,16 @@ spec: - name: spire-controller-manager-tmp mountPath: /tmp readOnly: false + {{- if gt (len .Values.extraVolumeMounts) 0 }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} {{- end }} {{- if eq (.Values.tornjak.enabled | toString) "true" }} - name: tornjak securityContext: - {{- toYaml .Values.controllerManager.securityContext | nindent 12 }} - image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tornjak.image "global" .Values.global) }} + {{- include "spire-lib.securitycontext-extended" (dict "root" . "securityContext" .Values.tornjak.securityContext) | nindent 12 }} + image: {{ template "spire-lib.image" (dict "appVersion" .Values.tornjak.image.defaultTag "image" .Values.tornjak.image "global" .Values.global "ubi" true) }} imagePullPolicy: {{ .Values.tornjak.image.pullPolicy }} {{- if eq (include "spire-tornjak.connectionType" .) "http" }} startupProbe: diff --git a/charts/spire/charts/spire-server/templates/tests/test-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-connection.yaml index 12850e935..9c48b620e 100644 --- a/charts/spire/charts/spire-server/templates/tests/test-connection.yaml +++ b/charts/spire/charts/spire-server/templates/tests/test-connection.yaml @@ -11,7 +11,7 @@ metadata: "helm.sh/hook": test spec: securityContext: - {{- toYaml .Values.podSecurityContext | nindent 4 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 4 }} containers: - name: curl image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} @@ -30,14 +30,14 @@ spec: fi exit 1 securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} {{- if eq (.Values.federation.enabled | toString) "true" }} - name: curl-federation-bundle-endpoint image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-k', '-s', '-f', 'https://{{ include "spire-server.fullname" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.federation.bundleEndpoint.port }}'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} {{- end }} {{- if .Values.federation.ingress.enabled }} - name: federation-ingress @@ -51,7 +51,7 @@ spec: mountPath: /ca {{- end }} securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} {{- end }} {{- if ne (len (dig "tests" "hostAliases" "" $values)) 0 }} hostAliases: diff --git a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml index cacc94de3..c259f12f5 100644 --- a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml +++ b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml @@ -12,20 +12,20 @@ metadata: "helm.sh/hook": test spec: securityContext: - {{- toYaml .Values.podSecurityContext | nindent 4 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 4 }} containers: - name: curl-tornjak-backend image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.servicename" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.ports.http }}/api/tornjak/serverinfo'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} - name: curl-tornjak-backend-and-spire image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.servicename" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.ports.http }}/api/healthcheck'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} restartPolicy: Never {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 170d46e68..e89b097eb 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -12,14 +12,12 @@ replicaCount: 1 ## @param image.registry The OCI registry to pull the image from ## @param image.repository The repository within the registry ## @param image.pullPolicy The image pull policy -## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: ghcr.io repository: spiffe/spire-server pullPolicy: IfNotPresent - version: "" tag: "" ## @param imagePullSecrets [array] Pull secrets for images @@ -28,6 +26,9 @@ imagePullSecrets: [] ## @param nameOverride Name override nameOverride: "" +## @param crNameOverride Name override for any custom resources +crNameOverride: "" + ## @param namespaceOverride Namespace override namespaceOverride: "" @@ -59,7 +60,7 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 -## @param priorityClassName Priority class assigned to statefulset pods +## @param priorityClassName Priority class assigned to statefulset pods. Can be auto set with global.recommendations.priorityClassName. priorityClassName: "" ## @param service.type Type of the Spire server service created @@ -197,6 +198,45 @@ federation: ## @param federation.bundleEndpoint.address Address for trust bundle federation address: "0.0.0.0" + tls: + spire: + ## @param federation.tls.spire.enabled Use spire to secure the federation bundle endpoint + enabled: true + + externalSecret: + ## @param federation.tls.externalSecret.enabled Provide your own certificate/key via tls style Kubernetes Secret + enabled: false + ## @param federation.tls.externalSecret.secretName Specify which Secret to use + secretName: "" + + certManager: + ## @param federation.tls.certManager.enabled Use certificateManager to create the certificate + enabled: false + issuer: + ## @param federation.tls.certManager.issuer.create Create an issuer to use to issue the certificate + create: true + acme: + ## @param federation.tls.certManager.issuer.acme.email Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service + email: "" + ## @param federation.tls.certManager.issuer.acme.server Server to use to get certificate. Defaults to LetsEncrypt + server: https://acme-v02.api.letsencrypt.org/directory + # Testing server: https://acme-staging-v02.api.letsencrypt.org/directory + ## @param federation.tls.certManager.issuer.acme.solvers [object] Configure the issuer solvers. Defaults to http01 via ingress. + solvers: {} + # - http01: + # ingress: + # ingressClassName: nginx + certificate: + ## @param federation.tls.certManager.certificate.dnsNames Override the dnsNames on the certificate request. Defaults to the same settings as Ingress + dnsNames: [] + ## @param federation.tls.certManager.certificate.issuerRef.group If you are using an external plugin, specify the group for it here + ## @param federation.tls.certManager.certificate.issuerRef.kind Kind of the issuer reference. Override if you want to use a ClusterIssuer + ## @param federation.tls.certManager.certificate.issuerRef.name Name of the issuer to use. If unset, it will use the name of the built in issuer + issuerRef: + group: "" + kind: Issuer + name: "" + ingress: ## @param federation.ingress.enabled Flag to enable ingress for federation enabled: false @@ -383,6 +423,12 @@ controllerManager: ## @param controllerManager.watchClassless specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. watchClassless: false + ## @param controllerManager.expandEnv Set to true to enable environment variable substitution of config file options + expandEnv: false + + ## @param controllerManager.extraEnv [array] Extra environment variables to add to the controller manager + extraEnv: [] + installAndUpgradeHook: ## @param controllerManager.installAndUpgradeHook.enabled Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) enabled: true @@ -393,15 +439,13 @@ controllerManager: ## @param controllerManager.image.registry The OCI registry to pull the image from ## @param controllerManager.image.repository The repository within the registry ## @param controllerManager.image.pullPolicy The image pull policy - ## @param controllerManager.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param controllerManager.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: ghcr.io repository: spiffe/spire-controller-manager pullPolicy: IfNotPresent - version: "" - tag: "0.4.0" + tag: "0.4.1" ## @param controllerManager.resources [object] Resource requests and limits for controller manager resources: {} @@ -479,7 +523,24 @@ controllerManager: downstream: false ## @param controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames Auto populate DNS names from services attached to pods autoPopulateDNSNames: false - + + oidc-discovery-provider: + ## @param controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable this identity for controller manager + enabled: true + ## @param controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.type The type of rule this is. + type: oidc-discovery-provider + ## @param controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames Auto populate DNS names to the discovery provider + autoPopulateDNSNames: true + ## @param controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.dnsNameTemplates [array] DNS name template for issued identities + dnsNameTemplates: + - oidc-discovery.{{ .TrustDomain }} + + test-keys: + ## @param controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable this identity for controller manager + enabled: true + ## @param controllerManager.identities.clusterSPIFFEIDs.test-keys.type The type of rule this is. + type: test-keys + # You can specify additional ClusterSPIFFEIDs following this example: # foo: # labels: @@ -488,7 +549,6 @@ controllerManager: # namespaceSelector: # matchLabels: # foo: bar - ## @param controllerManager.identities.clusterStaticEntries Specify ClusterStaticEntry objects. clusterStaticEntries: {} # foo: @@ -498,7 +558,6 @@ controllerManager: # spiffeID: spiffe://example.com/foo # selectors: # - k8s:pod-label:app.kubernetes.io/name:server - ## @param controllerManager.identities.clusterFederatedTrustDomains Specify ClusterFederatedTrustDomain objects. clusterFederatedTrustDomains: {} # foo: @@ -514,19 +573,32 @@ controllerManager: ## @param controllerManager.validatingWebhookConfiguration.failurePolicy Action when identity is not issued failurePolicy: Fail + ## @param controllerManager.cacheNamespaces If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. + cacheNamespaces: {} + # default: + # nsWithLabel: + # labelSelectors: + # lName: l1 + # nsWithField: + # fieldSelectors: + # fName: f1 + # nsWithBoth: + # labelSelectors: + # lName: l1 + # fieldSelectors: + # fName: f1 + tools: kubectl: ## @param tools.kubectl.image.registry The OCI registry to pull the image from ## @param tools.kubectl.image.repository The repository within the registry ## @param tools.kubectl.image.pullPolicy The image pull policy - ## @param tools.kubectl.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: docker.io repository: rancher/kubectl pullPolicy: IfNotPresent - version: "" tag: "" telemetry: @@ -574,6 +646,9 @@ ingress: # hosts: # - spire-server.example.org +## @param extraEnv [array] Extra environment variables to add to the spire server +extraEnv: [] + ## @param extraVolumes [array] Extra volumes to be mounted extraVolumes: [] @@ -601,6 +676,9 @@ nodeAttestor: enabled: true ## @param nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor serviceAccountAllowList: [] + joinToken: + ## @param nodeAttestor.joinToken.enabled Enable the join_token nodeattestor + enabled: false ## @section Tornjak tornjak: @@ -609,15 +687,15 @@ tornjak: ## @param tornjak.image.registry The OCI registry to pull the image from ## @param tornjak.image.repository The repository within the registry ## @param tornjak.image.pullPolicy The image pull policy - ## @param tornjak.image.version This value is deprecated in favor of tag. (Will be removed in a future release) - ## @param tornjak.image.tag Overrides the image tag whose default is the chart appVersion + ## @param tornjak.image.tag Overrides the image tag to be whatever you need it to be. It will always be the flag you set without modifications + ## @param tornjak.image.defaultTag Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. ## image: registry: ghcr.io repository: spiffe/tornjak-backend pullPolicy: IfNotPresent - version: "" - tag: "v1.4.0" + tag: "" + defaultTag: "v1.4.2" service: ## @param tornjak.service.type Type of service resource @@ -708,21 +786,27 @@ tornjak: # cpu: 100m # memory: 128Mi + ## @param tornjak.securityContext [object] Security Context to use + securityContext: {} + # NOTE: This is unsupported and only to configure currently supported spire built in plugins but plugins unsupported by the chart. # Upgrades wont be tested for anything under this config. If you need this, please let the chart developers know your needs so we # can prioritize proper support. ## @skip unsupportedBuiltInPlugins unsupportedBuiltInPlugins: + bundlePublisher: {} keyManager: {} nodeAttestor: {} upstreamAuthority: {} notifier: {} +## @param customPlugins.bundlePublisher Custom plugins of type BundlePublisher are configured here ## @param customPlugins.keyManager Custom plugins of type KeyManager are configured here ## @param customPlugins.nodeAttestor Custom plugins of type NodeAttestor are configured here ## @param customPlugins.upstreamAuthority Custom plugins of type upstreamAuthority are configured here ## @param customPlugins.notifier Custom plugins of type notifier are configured here customPlugins: + bundlePublisher: {} keyManager: {} nodeAttestor: {} upstreamAuthority: {} @@ -748,12 +832,10 @@ tests: ## @param tests.bash.image.registry The OCI registry to pull the image from ## @param tests.bash.image.repository The repository within the registry ## @param tests.bash.image.pullPolicy The image pull policy - ## @param tests.bash.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tests.bash.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - version: "" - tag: latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e + tag: latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml index 1e72c8e0e..d8f94c80d 100644 --- a/charts/spire/charts/tornjak-frontend/Chart.yaml +++ b/charts/spire/charts/tornjak-frontend/Chart.yaml @@ -3,7 +3,7 @@ name: tornjak-frontend description: A Helm chart to deploy Tornjak frontend type: application version: 0.1.0 -appVersion: "v1.4.0" +appVersion: "v1.4.2" home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - https://github.com/spiffe/tornjak diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index fc1ec957f..6431c8594 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -60,7 +60,6 @@ port forwarding. See the chart NOTES output for more details. | `image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `image.repository` | The repository within the registry | `spiffe/tornjak-frontend` | | `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `imagePullSecrets` | Pull secrets for images | `[]` | | `nameOverride` | Name override | `""` | @@ -87,7 +86,7 @@ port forwarding. See the chart NOTES output for more details. | `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | | `startupProbe.failureThreshold` | Failure threshold count for startupProbe | `6` | | `startupProbe.successThreshold` | Success threshold count for startupProbe | `1` | -| `workingDir` | Path containing the Tornjak frontend within the image | `/usr/src/app` | +| `workingDir` | Set to override the default path containing the Tornjak frontend within the image | `""` | | `ingress.enabled` | Flag to enable ingress for Tornjak frontend service | `false` | | `ingress.className` | Ingress class name for Tornjak frontend service | `""` | | `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | @@ -99,5 +98,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` | diff --git a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl index fd7a92bc9..c810f0f0a 100644 --- a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl +++ b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl @@ -29,6 +29,12 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- define "tornjak-frontend.namespace" -}} {{- if .Values.namespaceOverride -}} {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.server.name }} + {{- else }} + {{- printf "spire-server" }} + {{- end }} {{- else -}} {{- .Release.Namespace -}} {{- end -}} @@ -84,3 +90,13 @@ Create URL for accessing Tornjak APIs {{- print "http://localhost:" .Values.service.port }} {{- end }} {{- end }} + +{{- define "tornjak-frontend.workingDir" }} +{{- if .Values.workingDir }} +{{- .Values.workingDir }} +{{- else if (dig "openshift" false .Values.global) }} +{{- printf "/opt/app-root/src" }} +{{- else }} +{{- printf "/usr/src/app" }} +{{- end }} +{{- end }} diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index 8fbf2105f..84e152ba4 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -21,13 +21,13 @@ spec: {{- end }} serviceAccountName: {{ include "tornjak-frontend.serviceAccountName" . }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: {{ include "tornjak-frontend.fullname" . }} - image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} + image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }} imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext" . | nindent 12 }} ports: - name: http containerPort: 3000 @@ -53,9 +53,9 @@ spec: {{- end }} volumeMounts: - name: cache - mountPath: {{ .Values.workingDir }}/node_modules/.cache + mountPath: {{ include "tornjak-frontend.workingDir" . }}/node_modules/.cache - name: env - mountPath: {{ .Values.workingDir }}/build/tmp + mountPath: {{ include "tornjak-frontend.workingDir" . }}/build/tmp - name: logs mountPath: /opt/app-root/src/.npm/ {{- with .Values.nodeSelector }} diff --git a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml index 7f5bdc4c5..a528ae385 100644 --- a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml @@ -9,13 +9,13 @@ metadata: "helm.sh/hook": test spec: securityContext: - {{- toYaml .Values.podSecurityContext | nindent 4 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 4 }} containers: - name: curl-tornjak-frontend image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-k', '-s', '-f', 'http://{{ include "tornjak-frontend.fullname" . }}.{{ include "tornjak-frontend.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/tornjak/serverinfo'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} restartPolicy: Never diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 78a06899e..07d544784 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -9,14 +9,12 @@ global: {} ## @param image.registry The OCI registry to pull the image from ## @param image.repository The repository within the registry ## @param image.pullPolicy The image pull policy -## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: ghcr.io repository: spiffe/tornjak-frontend pullPolicy: IfNotPresent - version: "" tag: "" ## @param imagePullSecrets [array] Pull secrets for images @@ -113,8 +111,8 @@ startupProbe: failureThreshold: 6 successThreshold: 1 -## @param workingDir Path containing the Tornjak frontend within the image -workingDir: /usr/src/app +## @param workingDir Set to override the default path containing the Tornjak frontend within the image +workingDir: "" ## @param ingress.enabled Flag to enable ingress for Tornjak frontend service ## @param ingress.className Ingress class name for Tornjak frontend service @@ -150,12 +148,10 @@ tests: ## @param tests.bash.image.registry The OCI registry to pull the image from ## @param tests.bash.image.repository The repository within the registry ## @param tests.bash.image.pullPolicy The image pull policy - ## @param tests.bash.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tests.bash.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - version: "" - tag: latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e + tag: latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d diff --git a/charts/spire/ci/namespace-override-values-skip.yaml b/charts/spire/ci/namespace-override-values-skip.yaml index fdff671c0..b91f0c325 100644 --- a/charts/spire/ci/namespace-override-values-skip.yaml +++ b/charts/spire/ci/namespace-override-values-skip.yaml @@ -1,8 +1,9 @@ spiffe-oidc-discovery-provider: enabled: true namespaceOverride: spire-server - insecureScheme: - enabled: true + tls: + spire: + enabled: false spire-server: namespaceOverride: spire-server diff --git a/charts/spire/ci/no-spire-controller-manager-values.yaml b/charts/spire/ci/no-spire-controller-manager-values.yaml index 772eaf3a5..1e885e74c 100644 --- a/charts/spire/ci/no-spire-controller-manager-values.yaml +++ b/charts/spire/ci/no-spire-controller-manager-values.yaml @@ -1,3 +1,5 @@ spire-server: controllerManager: enabled: false +spiffe-oidc-discovery-provider: + enabled: false diff --git a/charts/spire/ci/oidc-values.yaml b/charts/spire/ci/oidc-values.yaml index 8164ef2b1..2b519deb4 100644 --- a/charts/spire/ci/oidc-values.yaml +++ b/charts/spire/ci/oidc-values.yaml @@ -21,8 +21,9 @@ spire-agent: spiffe-oidc-discovery-provider: enabled: true - insecureScheme: - enabled: true + tls: + spire: + enabled: false config: additionalDomains: diff --git a/charts/spire/ci/prometheus-values.yaml b/charts/spire/ci/prometheus-values.yaml index a0886e435..a38435b43 100644 --- a/charts/spire/ci/prometheus-values.yaml +++ b/charts/spire/ci/prometheus-values.yaml @@ -9,5 +9,6 @@ global: spiffe-oidc-discovery-provider: enabled: true - insecureScheme: - enabled: true + tls: + spire: + enabled: false diff --git a/charts/spire/templates/NOTES.txt b/charts/spire/templates/NOTES.txt index 6da26815c..0b8a7296f 100644 --- a/charts/spire/templates/NOTES.txt +++ b/charts/spire/templates/NOTES.txt @@ -21,13 +21,15 @@ Warning: You're using an unsupported plugin. Functionality of this release and f Warning: You're using an experimental config. Functionality of this release and future upgrades aren't guaranteed to work smoothly. {{- end }} -{{- $className := include "spire-server.controller-manager-class-name" (dict "Values" (index .Values "spire-server") "Release" .Release) }} -{{- if (index .Values "spire-server").controllerManager.enabled }} -{{- if (index .Values "spire-server").controllerManager.watchClassless }} +{{- if (index .Values "spire-server").enabled }} +{{- $className := include "spire-server.controller-manager-class-name" (dict "Values" (index .Values "spire-server") "Release" .Release) }} +{{- if (index .Values "spire-server").controllerManager.enabled }} +{{- if (index .Values "spire-server").controllerManager.watchClassless }} Spire CR's will be handled if no className is specified or if className is set to "{{ $className }}" -{{- else }} +{{- else }} Spire CR's will be handled only if className is set to "{{ $className }}" +{{- end }} {{- end }} {{- end }} diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index 8536e22bc..99a2e079c 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl @@ -51,11 +51,15 @@ {{- define "spire-lib.image" -}} {{- $registry := include "spire-lib.registry" . }} {{- $repo := .image.repository }} -{{- $tag := (default .image.tag .image.version) | toString }} +{{- $tag := .image.tag | toString }} {{- if eq (substr 0 7 $tag) "sha256:" }} {{- printf "%s/%s@%s" $registry $repo $tag }} {{- else if .appVersion }} -{{- printf "%s%s:%s" $registry $repo (default .appVersion $tag) }} +{{- $appVersion := .appVersion }} +{{- if and (hasKey . "ubi") (dig "openshift" false .global) }} +{{- $appVersion = printf "ubi-%s" $appVersion }} +{{- end }} +{{- printf "%s%s:%s" $registry $repo (default $appVersion $tag) }} {{- else if $tag }} {{- printf "%s%s:%s" $registry $repo $tag }} {{- else }} @@ -165,7 +169,7 @@ rules: {{- define "spire-lib.kubectl-image" }} {{- $root := deepCopy . }} -{{- $tag := (default $root.image.tag $root.image.version) | toString }} +{{- $tag := $root.image.tag | toString }} {{- if eq (len $tag) 0 }} {{- $_ := set $root.image "tag" (regexReplaceAll "^(v?\\d+\\.\\d+\\.\\d+).*" $root.KubeVersion "${1}") }} {{- end }} @@ -180,7 +184,7 @@ if strictMode is enabled and the boolean is true {{ $root := index . 0 }} {{ $message := index . 1 }} {{ $condition := index . 2 }} -{{- if (dig "spire" "strictMode" false $root.Values.global) }} +{{- if or (dig "spire" "strictMode" false $root.Values.global) (and (dig "spire" "recommendations" "enabled" false $root.Values.global) (dig "spire" "recommendations" "strictMode" true $root.Values.global)) }} {{- if $condition }} {{- fail $message }} {{- end }} @@ -243,3 +247,88 @@ to merge in values, but spire needs arrays. {{- $_ := set $config "plugins" $plugins }} {{- $config | toPrettyJson }} {{- end }} + +{{- define "spire-lib.default_securitycontext_values" }} +allowPrivilegeEscalation: false +runAsNonRoot: true +readOnlyRootFilesystem: true +capabilities: + drop: [ALL] +seccompProfile: + type: RuntimeDefault +{{- end }} + +{{- define "spire-lib.default_k8s_podsecuritycontext_values" }} +fsGroupChangePolicy: OnRootMismatch +runAsUser: 1000 +runAsGroup: 1000 +fsGroup: 1000 +{{- end }} + +{{/* +Note: runAsUser, runAsGroup, fsGroup, are not needed due to it autoassigning restricted users feature of openshift +*/}} +{{- define "spire-lib.default_openshift_podsecuritycontext_values" }} +fsGroupChangePolicy: OnRootMismatch +{{- end }} + +{{- define "spire-lib.securitycontext" }} +{{ include "spire-lib.securitycontext-extended" (dict "root" . "securityContext" .Values.securityContext) }} +{{- end }} + +{{/* Same as securitycontext but takes in: +root - global . context for the chart +securityContext - the subbranch of values that contains the securityContext to merge +*/}} +{{- define "spire-lib.securitycontext-extended" }} +{{- if and (dig "spire" "recommendations" "enabled" false .root.Values.global) (dig "spire" "recommendations" "securityContexts" true .root.Values.global) }} +{{- $vals := deepCopy (include "spire-lib.default_securitycontext_values" .root | fromYaml) }} +{{- $vals = mergeOverwrite $vals .securityContext }} +{{- toYaml $vals }} +{{- else }} +{{- toYaml .securityContext }} +{{- end }} +{{- end }} + +{{- define "spire-lib.podsecuritycontext" }} +{{- $vals := dict }} +{{- if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "securityContexts" true .Values.global) }} +{{- if (dig "openshift" false .Values.global) }} +{{- $vals = mergeOverwrite $vals (include "spire-lib.default_openshift_podsecuritycontext_values" . | fromYaml) }} +{{- else }} +{{- $vals = mergeOverwrite $vals (include "spire-lib.default_k8s_podsecuritycontext_values" . | fromYaml) }} +{{- end }} +{{- end }} +{{- $vals = mergeOverwrite $vals .Values.podSecurityContext }} +{{- toYaml $vals }} +{{- end }} + +{{- define "spire-lib.default_node_priority_class_name" }} +{{- if .Values.priorityClassName }} +priorityClassName: {{ .Values.priorityClassName }} +{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "priorityClassName" true .Values.global) }} +priorityClassName: system-node-critical +{{- end }} +{{- end }} + +{{- define "spire-lib.default_cluster_priority_class_name" }} +{{- if .Values.priorityClassName }} +priorityClassName: {{ .Values.priorityClassName }} +{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "priorityClassName" true .Values.global) }} +priorityClassName: system-cluster-critical +{{- end }} +{{- end }} + +{{/* +Use autoscaling/v2 (Kubernetes 1.23 and newer) or autoscaling/v2beta2 (Kubernetes 1.12-1.25) based on cluster capabilities. +Anything lower has an incompatible API. +*/}} +{{- define "spire-lib.autoscalingVersion" -}} +{{- if (.Capabilities.APIVersions.Has "autoscaling/v2") }} +{{- print "autoscaling/v2" }} +{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") }} +{{- print "autoscaling/v2beta2" }} +{{- else }} +{{- fail "Unsupported autoscaling API version" }} +{{- end }} +{{- end }} diff --git a/charts/spire/templates/spire-server-namespace.yaml b/charts/spire/templates/spire-server-namespace.yaml new file mode 100644 index 000000000..a0ac41b91 --- /dev/null +++ b/charts/spire/templates/spire-server-namespace.yaml @@ -0,0 +1,30 @@ +{{- define "spire.namespace.default_server_labels" }} +"pod-security.kubernetes.io/warn": restricted +"pod-security.kubernetes.io/audit": restricted +"pod-security.kubernetes.io/enforce": restricted +{{- end }} +{{- if or .Values.global.spire.namespaces.create .Values.global.spire.namespaces.server.create }} +{{- $labels := dict }} +{{- if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespacePSS" true .Values.global) }} +{{- $labels = mergeOverwrite $labels (include "spire.namespace.default_server_labels" . | fromYaml) }} +{{- if (dig "openshift" false .Values.global) }} +{{- $_ := set $labels "security.openshift.io/scc.podSecurityLabelSync" "false" }} +{{- if (index .Values "spiffe-oidc-discovery-provider").enabled }} +{{- $_ := set $labels "pod-security.kubernetes.io/enforce" "privileged" }} +{{- end }} +{{- end }} +{{- end }} +{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.server.labels }} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.global.spire.namespaces.server.name }} + {{- with $labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.global.spire.namespaces.server.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/spire/templates/spire-system-namespace.yaml b/charts/spire/templates/spire-system-namespace.yaml new file mode 100644 index 000000000..3ddf3c150 --- /dev/null +++ b/charts/spire/templates/spire-system-namespace.yaml @@ -0,0 +1,27 @@ +{{- define "spire.namespace.default_system_labels" }} +"pod-security.kubernetes.io/warn": privileged +"pod-security.kubernetes.io/audit": privileged +"pod-security.kubernetes.io/enforce": privileged +{{- end }} +{{- if or .Values.global.spire.namespaces.create .Values.global.spire.namespaces.system.create }} +{{- $labels := dict }} +{{- if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespacePSS" true .Values.global) }} +{{- $labels = mergeOverwrite $labels (include "spire.namespace.default_system_labels" . | fromYaml) }} +{{- if (dig "openshift" false .Values.global) }} +{{- $_ := set $labels "security.openshift.io/scc.podSecurityLabelSync" "false" }} +{{- end }} +{{- end }} +{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.server.labels }} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.global.spire.namespaces.system.name }} + {{- with $labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.global.spire.namespaces.system.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 77e769c0b..125588427 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -8,6 +8,7 @@ global: k8s: ## @param global.k8s.clusterDomain Cluster domain name configured for Spire install clusterDomain: cluster.local + spire: ## @param global.spire.bundleConfigMap A configmap containing the Spire bundle bundleConfigMap: "" @@ -20,10 +21,48 @@ global: ## @param global.spire.upstreamServerAddress Set what address to use for the upstream server when using nested spire upstreamServerAddress: "" + ## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off. + ## @param global.spire.recommendations.namespaceLayout Set to true to use recommended values for installing across namespaces + ## @param global.spire.recommendations.namespacePSS When chart namespace creation is enabled, label them with preffered Pod Security Standard labels + ## @param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names + ## @param global.spire.recommendations.strictMode Check values, such as trustDomain, are overridden with a suitable value for production. + ## @param global.spire.recommendations.securityContexts Set to true to use recommended values for Pod and Container Security Contexts + ## @param global.spire.recommendations.prometheus Enable prometheus exporters for monitoring + recommendations: + enabled: false + namespaceLayout: true + namespacePSS: true + priorityClassName: true + strictMode: true + securityContexts: true + prometheus: true + image: ## @param global.spire.image.registry Override all Spire image registries at once registry: "" + namespaces: + ## @param global.spire.namespaces.create Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created. + create: false + system: + ## @param global.spire.namespaces.system.name Name of the Spire system Namespace. + name: "spire-system" + ## @param global.spire.namespaces.system.create Create a Namespace for Spire system resources. + create: false + ## @param global.spire.namespaces.system.annotations [object] Annotations to apply to the Spire system Namespace. + annotations: {} + ## @param global.spire.namespaces.system.labels [object] Labels to apply to the Spire system Namespace. + labels: {} + server: + ## @param global.spire.namespaces.server.name Name of the Spire server Namespace. + name: "spire-server" + ## @param global.spire.namespaces.server.create Create a Namespace for Spire server resources. + create: false + ## @param global.spire.namespaces.server.annotations [object] Annotations to apply to the Spire server Namespace. + annotations: {} + ## @param global.spire.namespaces.server.labels [object] Labels to apply to the Spire server Namespace. + labels: {} + ## @param global.spire.strictMode Check values, such as trustDomain, are overridden with a suitable value for production. strictMode: false @@ -123,7 +162,7 @@ upstream-spiffe-csi-driver: ## spiffe-oidc-discovery-provider: ## @param spiffe-oidc-discovery-provider.enabled Flag to enable spiffe-oidc-discovery-provider for the cluster - enabled: false + enabled: true ## @section Tornjak frontend parameters ## Parameter values for Tornjak frontend diff --git a/examples/external-mysql/run-tests.sh b/examples/external-mysql/run-tests.sh index aeaf62731..0f41ea87c 100755 --- a/examples/external-mysql/run-tests.sh +++ b/examples/external-mysql/run-tests.sh @@ -24,6 +24,15 @@ for i in "$@"; do done teardown() { + print_helm_releases + print_spire_workload_status spire-server + print_spire_workload_status spire-system + + if [[ "$1" -ne 0 ]]; then + get_namespace_details spire-server + get_namespace_details spire-system + fi + if [ "${CLEANUP}" -eq 1 ]; then helm uninstall --namespace "spire-server" spire 2>/dev/null || true helm uninstall --namespace mysql mysql 2>/dev/null || true @@ -32,7 +41,7 @@ teardown() { fi } -trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT kubectl create namespace spire-system --dry-run=client -o yaml | kubectl apply -f - kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged || true @@ -48,12 +57,3 @@ helm upgrade --install --namespace "spire-server" \ --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \ --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire helm test --namespace "spire-server" spire - -print_helm_releases -print_spire_workload_status spire-server -print_spire_workload_status spire-system - -if [[ "$1" -ne 0 ]]; then - get_namespace_details spire-server - get_namespace_details spire-system -fi diff --git a/examples/external-postgresql/run-tests.sh b/examples/external-postgresql/run-tests.sh index 8cfe700e6..3a93f68ef 100755 --- a/examples/external-postgresql/run-tests.sh +++ b/examples/external-postgresql/run-tests.sh @@ -24,6 +24,15 @@ for i in "$@"; do done teardown() { + print_helm_releases + print_spire_workload_status spire-server + print_spire_workload_status spire-system + + if [[ "$1" -ne 0 ]]; then + get_namespace_details spire-server + get_namespace_details spire-system + fi + if [ "${CLEANUP}" -eq 1 ]; then helm uninstall --namespace "spire-server" spire 2>/dev/null || true helm uninstall --namespace "spire-server" postgresql 2>/dev/null || true @@ -32,7 +41,7 @@ teardown() { fi } -trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT kubectl create namespace spire-system --dry-run=client -o yaml | kubectl apply -f - kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged || true @@ -48,12 +57,3 @@ helm upgrade --install --namespace "spire-server" \ --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \ --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire helm test --namespace "spire-server" spire - -print_helm_releases -print_spire_workload_status spire-server -print_spire_workload_status spire-system - -if [[ "$1" -ne 0 ]]; then - get_namespace_details spire-server - get_namespace_details spire-system -fi diff --git a/examples/federation/a-values.yaml b/examples/federation/a-values.yaml new file mode 100644 index 000000000..6ca171f10 --- /dev/null +++ b/examples/federation/a-values.yaml @@ -0,0 +1,51 @@ +global: + openshift: false + spire: + recommendations: + enabled: true + namespaces: + create: true + ingressControllerType: ingress-nginx + clusterName: a + trustDomain: a-org.local + bundleConfigMap: spire-bundle-a + +spire-server: + ca_subject: + country: US + organization: A + common_name: a.local + federation: + enabled: true + ingress: + enabled: true + controllerManager: + identities: + clusterSPIFFEIDs: + default: + federatesWith: + - b-org.local + clusterFederatedTrustDomains: + b: + bundleEndpointProfile: + endpointSPIFFEID: spiffe://b-org.local/spire/server + type: https_spiffe + bundleEndpointURL: https://spire-server-federation.b-org.local + trustDomain: b-org.local + +spiffe-oidc-discovery-provider: + enabled: true + tls: + spire: + enabled: false + csiDriverName: a.csi.spiffe.io + ingress: + enabled: true + +spire-agent: + socketPath: /run/spire/agent-sockets-a/spire-agent.sock + +spiffe-csi-driver: + pluginName: a.csi.spiffe.io + agentSocketPath: /run/spire/agent-sockets-a/spire-agent.sock + diff --git a/examples/federation/b-values.yaml b/examples/federation/b-values.yaml new file mode 100644 index 000000000..b76ec6b0d --- /dev/null +++ b/examples/federation/b-values.yaml @@ -0,0 +1,58 @@ +global: + openshift: false + spire: + recommendations: + enabled: true + namespaces: + create: false + ingressControllerType: ingress-nginx + clusterName: b + trustDomain: b-org.local + bundleConfigMap: spire-bundle-b + +spire-server: + ca_subject: + country: US + organization: B + common_name: b.local + federation: + enabled: true + ingress: + enabled: true + controllerManager: + identities: + clusterSPIFFEIDs: + default: + federatesWith: + - a-org.local + clusterFederatedTrustDomains: + a: + bundleEndpointProfile: + endpointSPIFFEID: spiffe://a-org.local/spire/server + type: https_spiffe + bundleEndpointURL: https://spire-server-federation.a-org.local + trustDomain: a-org.local + +spiffe-oidc-discovery-provider: + enabled: true + tls: + spire: + enabled: false + csiDriverName: b.csi.spiffe.io + ingress: + enabled: true + +spire-agent: + healthChecks: + port: 9983 + telemetry: + prometheus: + port: 9990 + socketPath: /run/spire/agent-sockets-b/spire-agent.sock + +spiffe-csi-driver: + healthChecks: + port: 9811 + pluginName: b.csi.spiffe.io + agentSocketPath: /run/spire/agent-sockets-b/spire-agent.sock + diff --git a/examples/federation/client-pod.yaml b/examples/federation/client-pod.yaml new file mode 100644 index 000000000..dc003f80b --- /dev/null +++ b/examples/federation/client-pod.yaml @@ -0,0 +1,44 @@ +apiVersion: v1 +kind: Pod +metadata: + name: client +spec: + terminationGracePeriodSeconds: 1 + containers: + - name: busybox + image: busybox + command: + - /bin/sh + - -c + - 'while true; do wget -q -O - localhost:8080 && touch /tmp/healthy; sleep 1; done' + readinessProbe: + exec: + command: + - cat + - /tmp/healthy + initialDelaySeconds: 5 + periodSeconds: 5 + - name: ghostunnel + image: ghostunnel/ghostunnel:v1.7.2 + command: + - ghostunnel + - client + - --use-workload-api-addr + - unix:/spire-workload-api/spire-agent.sock + - --listen + - localhost:8080 + - --target + - server:8443 + - --verify-uri + - spiffe://b-org.local/ns/default/sa/default + volumeMounts: + - name: agent + mountPath: /spire-workload-api + readOnly: true + ports: + - containerPort: 8443 + volumes: + - name: agent + csi: + driver: a.csi.spiffe.io + readOnly: true diff --git a/examples/federation/run-tests.sh b/examples/federation/run-tests.sh new file mode 100755 index 000000000..f320e4c3c --- /dev/null +++ b/examples/federation/run-tests.sh @@ -0,0 +1,75 @@ +#!/usr/bin/env bash + +set -xe + +SCRIPT="$(readlink -f "$0")" +SCRIPTPATH="$(dirname "${SCRIPT}")" +TESTDIR="${SCRIPTPATH}/../../.github/tests" + +# shellcheck source=/dev/null +source "${SCRIPTPATH}/../../.github/scripts/parse-versions.sh" +# shellcheck source=/dev/null +source "${TESTDIR}/common.sh" + +CLEANUP=1 + +for i in "$@"; do + case $i in + -c) + CLEANUP=0 + shift # past argument=value + ;; + esac +done + +teardown() { + print_helm_releases + print_spire_workload_status spire-server spire-system + + if [[ "$1" -ne 0 ]]; then + get_namespace_details spire-server spire-system + fi + + if [ "${CLEANUP}" -eq 1 ]; then + helm uninstall --namespace spire-mgmt spire-b 2>/dev/null || true + helm uninstall --namespace spire-mgmt spire-a 2>/dev/null || true + kubectl delete ns spire-mgmt 2>/dev/null || true + fi +} + +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT + +helm upgrade --install ingress-nginx ingress-nginx --version "$VERSION_INGRESS_NGINX" --repo "$HELM_REPO_INGRESS_NGINX" \ + --namespace ingress-nginx \ + --create-namespace \ + --set controller.extraArgs.enable-ssl-passthrough=,controller.admissionWebhooks.enabled=false,controller.service.type=ClusterIP \ + --set controller.ingressClassResource.default=true \ + --wait + +IP=$(kubectl get svc -n ingress-nginx ingress-nginx-controller -o yaml | yq e .spec.clusterIPs[0] -) +kubectl get configmap -n kube-system coredns -o yaml | grep hosts || kubectl get configmap -n kube-system coredns -o yaml | sed "/ready/a\ hosts {\n fallthrough\n }" | kubectl apply -f - +kubectl get configmap -n kube-system coredns -o yaml | grep a-org || kubectl get configmap -n kube-system coredns -o yaml | sed "/hosts/a\ $IP spire-server-federation.a-org.local\n $IP spire-server-federation.b-org.local\n" | kubectl apply -f - + +kubectl rollout restart -n kube-system deployment/coredns +kubectl rollout status -w --timeout=1m deploy/coredns -n kube-system + +kubectl create namespace spire-mgmt --dry-run=client -o yaml | kubectl apply -f - +kubectl label namespace spire-mgmt pod-security.kubernetes.io/enforce=restricted || true + +helm upgrade --install --namespace spire-mgmt --values "${SCRIPTPATH}/a-values.yaml" \ + --wait spire-a charts/spire + +helm upgrade --install --namespace spire-mgmt --values "${SCRIPTPATH}/b-values.yaml" \ + --wait spire-b charts/spire + +kubectl exec -it -n spire-server spire-a-server-0 -c spire-server -- spire-server bundle show -format spiffe | kubectl exec -i -n spire-server spire-b-server-0 -c spire-server -- spire-server bundle set -format spiffe -id spiffe://a-org.local +kubectl exec -it -n spire-server spire-b-server-0 -c spire-server -- spire-server bundle show -format spiffe | kubectl exec -i -n spire-server spire-a-server-0 -c spire-server -- spire-server bundle set -format spiffe -id spiffe://b-org.local + +kubectl exec -it -n spire-server spire-b-server-0 -c spire-server -- spire-server bundle list +kubectl exec -it -n spire-server spire-a-server-0 -c spire-server -- spire-server bundle list + +kubectl apply -f "${SCRIPTPATH}/server-svc.yaml" +kubectl apply -f "${SCRIPTPATH}/server-pod.yaml" +kubectl apply -f "${SCRIPTPATH}/client-pod.yaml" + +kubectl wait --for=condition=Ready pod/client --timeout 5m diff --git a/examples/federation/server-pod.yaml b/examples/federation/server-pod.yaml new file mode 100644 index 000000000..db992f46d --- /dev/null +++ b/examples/federation/server-pod.yaml @@ -0,0 +1,50 @@ +apiVersion: v1 +kind: Pod +metadata: + name: server + labels: + app.kubernetes.io/name: server +spec: + containers: + - name: nginx + image: nginx + command: + - /bin/sh + - -c + - | + cat > /etc/nginx/conf.d/default.conf < /usr/share/nginx/html/index.html + exec nginx -g "daemon off;" + - name: ghostunnel + image: ghostunnel/ghostunnel:v1.7.2 + command: + - ghostunnel + - server + - --use-workload-api-addr + - unix:/spire-workload-api/spire-agent.sock + - --listen + - 0.0.0.0:8443 + - --target + - localhost:8080 + - --allow-uri + - spiffe://a-org.local/ns/default/sa/default + volumeMounts: + - name: agent + mountPath: /spire-workload-api + readOnly: true + ports: + - containerPort: 8443 + volumes: + - name: agent + csi: + driver: b.csi.spiffe.io + readOnly: true diff --git a/examples/federation/server-svc.yaml b/examples/federation/server-svc.yaml new file mode 100644 index 000000000..caef658ac --- /dev/null +++ b/examples/federation/server-svc.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: server +spec: + selector: + app.kubernetes.io/name: server + ports: + - protocol: TCP + port: 8443 + targetPort: 8443 diff --git a/examples/nested/run-tests.sh b/examples/nested/run-tests.sh index 407715e1d..8fd5fe43e 100755 --- a/examples/nested/run-tests.sh +++ b/examples/nested/run-tests.sh @@ -24,6 +24,15 @@ for i in "$@"; do done teardown() { + print_helm_releases + print_spire_workload_status spire-root-server + print_spire_workload_status spire-server spire-system + + if [[ "$1" -ne 0 ]]; then + get_namespace_details spire-root-server + get_namespace_details spire-server spire-system + fi + if [ "${CLEANUP}" -eq 1 ]; then helm uninstall --namespace spire-server spire 2>/dev/null || true kubectl delete ns spire-server 2>/dev/null || true @@ -34,7 +43,7 @@ teardown() { fi } -trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT kubectl create namespace spire-system --dry-run=client -o yaml | kubectl apply -f - kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged || true @@ -50,13 +59,3 @@ helm upgrade --install --create-namespace --namespace spire-server --values "${S --wait spire charts/spire helm test --namespace spire-server spire -print_helm_releases -print_spire_workload_status spire-root-server -print_spire_workload_status spire-server -print_spire_workload_status spire-system - -if [[ "$1" -ne 0 ]]; then - get_namespace_details spire-root-server - get_namespace_details spire-server - get_namespace_details spire-system -fi diff --git a/examples/nested/values.yaml b/examples/nested/values.yaml index 0a26f7334..f06b140c6 100644 --- a/examples/nested/values.yaml +++ b/examples/nested/values.yaml @@ -3,22 +3,17 @@ global: upstreamSpireAddress: spire-server.spire-root-server spire-server: - enabled: true upstreamAuthority: spire: enabled: true upstreamDriver: upstream.csi.spiffe.io controllerManager: - enabled: true identities: clusterSPIFFEIDs: default: spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} - -spiffe-oidc-discovery-provider: - enabled: true - insecureScheme: - enabled: true + oidc-discovery-provider: + autoPopulateDNSNames: false upstream: enabled: true diff --git a/examples/openshift/README.md b/examples/openshift/README.md deleted file mode 100644 index 1e5181586..000000000 --- a/examples/openshift/README.md +++ /dev/null @@ -1,80 +0,0 @@ -# Recommended setup for installing Spire on Openshift - -> [!Note] -> This functionality is under development. It works but has no automated testing and will have security tightened in the future. - -This deployment works only with Openshift version 4.13 or higher. Get the Openshift platform here: [try.openshift.com](try.openshift.com) - -To be consistent with the rest of the Spire helm-charts, -we deploy Spire across 2 namespaces. - -```shell -kubectl create namespace "spire-system" -kubectl create namespace "spire-server" - -#Note, the first install requires privilege due to helm ordering issue. After install it can be safely tightened back up. -kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=privileged - -kubectl label namespace "spire-system" security.openshift.io/scc.podSecurityLabelSync=false -kubectl label namespace "spire-system" pod-security.kubernetes.io/enforce=privileged -kubectl label namespace "spire-system" pod-security.kubernetes.io/warn=privileged --overwrite -kubectl label namespace "spire-system" pod-security.kubernetes.io/audit=privileged --overwrite - -helm upgrade --install --namespace spire-server spire-crds charts/spire-crds -``` - -Obtain you ingress subdomain: - -```shell -appdomain=$(oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//') -echo "$appdomain" -``` - -Update the `example-your-values.yaml` file with your subdomain. - -> [!Note] -> The location of the apps subdomain may be different in certain environments_ - -## Standard Deployment - -```shell -helm upgrade --install --namespace spire-server spire charts/spire \ ---values examples/production/values.yaml \ ---values examples/openshift/openshift-values.yaml \ ---values examples/production/example-your-values.yaml \ ---render-subchart-notes -``` - -## IBM Cloud Deployment - -Openshift on IBM Cloud requires additional configuration: - -```shell -helm upgrade --install --namespace spire-server spire charts/spire \ ---values examples/production/values.yaml \ ---values examples/openshift/openshift-values.yaml \ ---set spiffe-csi-driver.kubeletPath=/var/data/kubelet \ ---set spiffe-csi-driver.restrictedScc.enabled=true \ ---values examples/production/example-your-values.yaml \ ---render-subchart-notes -``` - -## Feature Customization - -Additional features such as tornjak can be enabled by including their example values files before --values examples/production/example-your-values.yaml - -For example: - -```shell ---values examples/openshift/openshift-values.yaml \ ---values examples/tornjak/values.yaml \ ---values examples/production/example-your-values.yaml \ -``` - -## Finish install - -Once installed, the namespace security can be tightened back up. - -```shell -kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=restricted --overwrite -``` diff --git a/examples/openshift/openshift-values.yaml b/examples/openshift/openshift-values.yaml deleted file mode 100644 index 6f5dad69a..000000000 --- a/examples/openshift/openshift-values.yaml +++ /dev/null @@ -1,73 +0,0 @@ -global: - openshift: true - telemetry: - prometheus: - enabled: true - -spire-server: - tornjak: - image: - registry: ghcr.io - repository: spiffe/tornjak-backend - tag: ubi-v1.4.1 - nodeAttestor: - k8sPsat: - serviceAccountAllowList: ["spire-system:spire-agent"] - notifier: - k8sbundle: - namespace: spire-system - podSecurityContext: - # These are unset so that openshift can automatically assign its own restricted uids to the pods - runAsUser: null - runAsGroup: null - fsGroup: null - -spire-agent: - podSecurityContext: - runAsUser: null - runAsGroup: null - fsGroup: null - -upstream-spire-agent: - podSecurityContext: - runAsUser: null - runAsGroup: null - fsGroup: null - -spiffe-oidc-discovery-provider: - podSecurityContext: - runAsUser: null - runAsGroup: null - fsGroup: null - -tornjak-frontend: - workingDir: /opt/app-root/src - image: - registry: ghcr.io - repository: spiffe/tornjak-frontend - tag: ubi-v1.4.1 - podSecurityContext: - runAsUser: null - runAsGroup: null - fsGroup: null - -spiffe-csi-driver: - initContainers: - - terminationMessagePath: /dev/termination-log - name: set-context - command: - - chcon - - '-Rvt' - - container_file_t - - spire-agent-socket/ - securityContext: - capabilities: - drop: - - all - privileged: true - imagePullPolicy: Always - volumeMounts: - - name: spire-agent-socket-dir - mountPath: /spire-agent-socket - terminationMessagePolicy: File - image: 'registry.access.redhat.com/ubi9:latest' diff --git a/examples/openshift/values-ibm-cloud.yaml b/examples/openshift/values-ibm-cloud.yaml new file mode 100644 index 000000000..b83ce678a --- /dev/null +++ b/examples/openshift/values-ibm-cloud.yaml @@ -0,0 +1,5 @@ +spiffe-csi-driver: + kubeletPath: /var/data/kubelet + restrictedScc: + enabled: true + diff --git a/examples/production/run-tests.sh b/examples/production/run-tests.sh index a60342a05..595b96b4b 100755 --- a/examples/production/run-tests.sh +++ b/examples/production/run-tests.sh @@ -35,6 +35,13 @@ for i in "$@"; do done teardown() { + print_helm_releases + print_spire_workload_status spire-server spire-system + + if [[ "$1" -ne 0 ]]; then + get_namespace_details spire-server spire-system + fi + if [ "${CLEANUP}" -eq 1 ]; then helm uninstall --namespace "${ns}" spire 2>/dev/null || true kubectl delete ns "${ns}" 2>/dev/null || true @@ -46,7 +53,7 @@ teardown() { fi } -trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT if [[ -n "$UPGRADE_ARGS" ]]; then pushd "${SCRIPTPATH}" @@ -132,10 +139,3 @@ if helm get manifest -n spire-server spire | grep -i example; then echo Global settings did not work. Please fix. exit 1 fi - -print_helm_releases -print_spire_workload_status "${ns}" - -if [[ "$1" -ne 0 ]]; then - get_namespace_details "${ns}" -fi diff --git a/examples/production/values.yaml b/examples/production/values.yaml index dd6fb4eb5..c5ce8bd45 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml @@ -1,131 +1,4 @@ global: - telemetry: - prometheus: - enabled: true spire: - strictMode: true - -spire-server: - nodeAttestor: - k8sPsat: - serviceAccountAllowList: ["spire-system:spire-agent"] - notifier: - k8sbundle: - namespace: spire-system - podSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - readOnlyRootFilesystem: true - capabilities: - drop: [ALL] - seccompProfile: - type: RuntimeDefault - priorityClassName: system-cluster-critical - - logLevel: info - - controllerManager: - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - readOnlyRootFilesystem: true - capabilities: - drop: [ALL] - seccompProfile: - type: RuntimeDefault - - ignoreNamespaces: - - kube-system - - kube-public - - local-path-storage - -spiffe-csi-driver: - enabled: true - namespaceOverride: spire-system - priorityClassName: system-node-critical - - -upstream-spiffe-csi-driver: - namespaceOverride: spire-system - priorityClassName: system-node-critical - -spire-agent: - enabled: true - namespaceOverride: spire-system - serviceAccount: - name: spire-agent - server: - namespaceOverride: spire-server - priorityClassName: system-node-critical - podSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - readOnlyRootFilesystem: true - capabilities: - drop: [ALL] - seccompProfile: - type: RuntimeDefault - - logLevel: info - -upstream-spire-agent: - namespaceOverride: spire-system - priorityClassName: system-node-critical - podSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - readOnlyRootFilesystem: true - capabilities: - drop: [ALL] - seccompProfile: - type: RuntimeDefault - - logLevel: info - -spiffe-oidc-discovery-provider: - enabled: true - config: - additionalDomains: [] - insecureScheme: - enabled: true - podSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - readOnlyRootFilesystem: true - capabilities: - drop: [ALL] - seccompProfile: - type: RuntimeDefault - -tornjak-frontend: - podSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - readOnlyRootFilesystem: true - capabilities: - drop: [ALL] - seccompProfile: - type: RuntimeDefault + recommendations: + enabled: true diff --git a/examples/tornjak/run-tests.sh b/examples/tornjak/run-tests.sh index f911ee08d..f91ed826a 100755 --- a/examples/tornjak/run-tests.sh +++ b/examples/tornjak/run-tests.sh @@ -24,20 +24,20 @@ for i in "$@"; do done teardown() { + print_helm_releases + print_spire_workload_status "${ns}" + + if [[ "$1" -ne 0 ]]; then + get_namespace_details "${ns}" + fi + if [ "${CLEANUP}" -eq 1 ]; then helm uninstall --namespace "${ns}" spire 2>/dev/null || true kubectl delete ns "${ns}" 2>/dev/null || true fi } -trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT "${helm_install[@]}" --namespace "${ns}" --values "${SCRIPTPATH}/values.yaml" --wait spire charts/spire helm test --namespace "${ns}" spire - -print_helm_releases -print_spire_workload_status "${ns}" - -if [[ "$1" -ne 0 ]]; then - get_namespace_details "${ns}" -fi diff --git a/tests/go.mod b/tests/go.mod index 44a6a0810..883753d8d 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -3,9 +3,9 @@ module github.com/spiffe/helm-charts/tests go 1.20 require ( - github.com/onsi/ginkgo/v2 v2.13.2 - github.com/onsi/gomega v1.30.0 - helm.sh/helm/v3 v3.13.2 + github.com/onsi/ginkgo/v2 v2.15.0 + github.com/onsi/gomega v1.31.1 + helm.sh/helm/v3 v3.14.0 ) require ( @@ -15,7 +15,7 @@ require ( github.com/Masterminds/sprig/v3 v3.2.3 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/emicklei/go-restful/v3 v3.10.1 // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/go-logr/logr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect @@ -45,27 +45,27 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect - golang.org/x/crypto v0.14.0 // indirect - golang.org/x/net v0.17.0 // indirect - golang.org/x/oauth2 v0.8.0 // indirect - golang.org/x/sys v0.14.0 // indirect - golang.org/x/term v0.13.0 // indirect - golang.org/x/text v0.13.0 // indirect + golang.org/x/crypto v0.17.0 // indirect + golang.org/x/net v0.19.0 // indirect + golang.org/x/oauth2 v0.10.0 // indirect + golang.org/x/sys v0.15.0 // indirect + golang.org/x/term v0.15.0 // indirect + golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.14.0 // indirect + golang.org/x/tools v0.16.1 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.30.0 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.28.2 // indirect - k8s.io/apiextensions-apiserver v0.28.2 // indirect - k8s.io/apimachinery v0.28.2 // indirect - k8s.io/client-go v0.28.2 // indirect - k8s.io/klog/v2 v2.100.1 // indirect - k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect - k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect + k8s.io/api v0.29.0 // indirect + k8s.io/apiextensions-apiserver v0.29.0 // indirect + k8s.io/apimachinery v0.29.0 // indirect + k8s.io/client-go v0.29.0 // indirect + k8s.io/klog/v2 v2.110.1 // indirect + k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect + k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) diff --git a/tests/go.sum b/tests/go.sum index 0140bd971..e697dae38 100644 --- a/tests/go.sum +++ b/tests/go.sum @@ -16,10 +16,10 @@ github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxG github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ= -github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= @@ -41,6 +41,7 @@ github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -85,10 +86,10 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.13.2 h1:Bi2gGVkfn6gQcjNjZJVO8Gf0FHzMPf2phUei9tejVMs= -github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM= -github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= -github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY= +github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM= +github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo= +github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= @@ -127,12 +128,11 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -141,10 +141,10 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= +golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= +golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -158,20 +158,20 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= -golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= +golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -179,8 +179,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= -golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= +golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -189,8 +189,8 @@ google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= @@ -205,25 +205,25 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -helm.sh/helm/v3 v3.13.2 h1:IcO9NgmmpetJODLZhR3f3q+6zzyXVKlRizKFwbi7K8w= -helm.sh/helm/v3 v3.13.2/go.mod h1:GIHDwZggaTGbedevTlrQ6DB++LBN6yuQdeGj0HNaDx0= -k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw= -k8s.io/api v0.28.2/go.mod h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg= -k8s.io/apiextensions-apiserver v0.28.2 h1:J6/QRWIKV2/HwBhHRVITMLYoypCoPY1ftigDM0Kn+QU= -k8s.io/apiextensions-apiserver v0.28.2/go.mod h1:5tnkxLGa9nefefYzWuAlWZ7RZYuN/765Au8cWLA6SRg= -k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ= -k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU= -k8s.io/client-go v0.28.2 h1:DNoYI1vGq0slMBN/SWKMZMw0Rq+0EQW6/AK4v9+3VeY= -k8s.io/client-go v0.28.2/go.mod h1:sMkApowspLuc7omj1FOSUxSoqjr+d5Q0Yc0LOFnYFJY= -k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= -k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= -k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +helm.sh/helm/v3 v3.14.0 h1:TaZIH6uOchn7L27ptwnnuHJiFrT/BsD4dFdp/HLT2nM= +helm.sh/helm/v3 v3.14.0/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424= +k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A= +k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA= +k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0= +k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc= +k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o= +k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis= +k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8= +k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38= +k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= +k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/tests/unit/spire_test.go b/tests/unit/spire_test.go index 891771b8e..0c849ca0a 100644 --- a/tests/unit/spire_test.go +++ b/tests/unit/spire_test.go @@ -133,4 +133,15 @@ spire-agent: Expect(notes).Should(ContainSubstring("join_token")) }) }) + Describe("spire-server.disabled", func() { + It("spire server off", func() { + objs, err := ValueStringRender(chart, ` +spire-server: + enabled: false +`) + Expect(err).Should(Succeed()) + notes := objs["spire/templates/NOTES.txt"] + Expect(notes).Should(ContainSubstring("Installed")) + }) + }) })