spiffe
/
helm-charts-hardened
mirror of https://github.com/spiffe/helm-charts-hardened.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: spiffe:main
Branches Tags
spiffe:main
spiffe:gh-pages
spiffe:release
spiffe:spire-ha-agent
spiffe:helper-csi
spiffe:rancher-ver
spiffe:nested-tags-single
spiffe:spire-lib-nested
spiffe:dummy-change
spiffe:fix-security-recommendation-spire-agent-init
spiffe:recommendations-strict-mode
spiffe:dp-ssl-test
spiffe:dummy
spiffe:openshift-doc
spiffe:recommendations-namespaces
spiffe:recommendations
spiffe:note
spiffe:release-patch-0-13-2
spiffe:release-workflow
spiffe:update-maintainers
spiffe:spire-0.26.1
spiffe:spire-nested-0.26.1
spiffe:spiffe-step-ssh-0.1.1
spiffe:spire-nested-0.26.0
spiffe:spire-0.26.0
spiffe:spire-0.25.0
spiffe:spire-nested-0.25.0
spiffe:spire-0.24.5
spiffe:spire-nested-0.24.5
spiffe:spire-nested-0.24.4
spiffe:spire-0.24.4
spiffe:spire-0.24.3
spiffe:spire-nested-0.24.3
spiffe:spire-nested-0.24.2
spiffe:spire-0.24.2
spiffe:spire-0.24.1
spiffe:spiffe-step-ssh-0.1.0
spiffe:spire-nested-0.24.1
spiffe:spire-0.24.0
spiffe:spire-nested-0.24.0
spiffe:spire-crds-0.5.0
spiffe:spire-0.23.0
spiffe:spire-nested-0.23.0
spiffe:spire-0.22.0
spiffe:spire-nested-0.22.0
spiffe:spire-nested-0.21.1
spiffe:spire-0.21.1
spiffe:spire-nested-0.21.0
spiffe:spire-nested-0.20.0
spiffe:spire-0.21.0
spiffe:spire-crds-0.4.0
spiffe:spire-0.20.0
spiffe:spire-0.19.2
spiffe:spire-0.19.1
spiffe:spire-0.19.0
spiffe:spire-0.18.2
spiffe:spire-0.18.1
spiffe:spire-0.18.0
spiffe:spire-0.17.2
spiffe:spire-0.17.1
spiffe:spire-crds-0.3.0
spiffe:spire-0.17.0
spiffe:spire-0.16.0
spiffe:spire-0.15.1
spiffe:spire-crds-0.2.0
spiffe:spire-0.15.0
spiffe:spire-0.14.0
spiffe:spire-crds-0.0.1
spiffe:spire-0.13.2
spiffe:spire-0.13.1
spiffe:spire-0.13.0
spiffe:spire-0.12.0
spiffe:spire-0.11.1
spiffe:spire-0.11.0
spiffe:spire-0.10.1
spiffe:spire-0.10.0
spiffe:spire-0.9.1
spiffe:spire-0.9.0
spiffe:spire-0.8.1
spiffe:spire-0.8.0
spiffe:spire-0.7.0
spiffe:spire-0.6.3
spiffe:spire-0.6.2
spiffe:spire-0.6.1
spiffe:spire-0.6.0
spiffe:spire-0.5.1
spiffe:spire-0.5.0
spiffe:spire-0.4.0
spiffe:spire-0.3.0
spiffe:spire-0.2.0
spiffe:spire-0.1.0
..
compare: spiffe:spire-0.15.1
Branches Tags
spiffe:main
spiffe:gh-pages
spiffe:release
spiffe:spire-ha-agent
spiffe:helper-csi
spiffe:rancher-ver
spiffe:nested-tags-single
spiffe:spire-lib-nested
spiffe:dummy-change
spiffe:fix-security-recommendation-spire-agent-init
spiffe:recommendations-strict-mode
spiffe:dp-ssl-test
spiffe:dummy
spiffe:openshift-doc
spiffe:recommendations-namespaces
spiffe:recommendations
spiffe:note
spiffe:release-patch-0-13-2
spiffe:release-workflow
spiffe:update-maintainers
spiffe:spire-0.26.1
spiffe:spire-nested-0.26.1
spiffe:spiffe-step-ssh-0.1.1
spiffe:spire-nested-0.26.0
spiffe:spire-0.26.0
spiffe:spire-0.25.0
spiffe:spire-nested-0.25.0
spiffe:spire-0.24.5
spiffe:spire-nested-0.24.5
spiffe:spire-nested-0.24.4
spiffe:spire-0.24.4
spiffe:spire-0.24.3
spiffe:spire-nested-0.24.3
spiffe:spire-nested-0.24.2
spiffe:spire-0.24.2
spiffe:spire-0.24.1
spiffe:spiffe-step-ssh-0.1.0
spiffe:spire-nested-0.24.1
spiffe:spire-0.24.0
spiffe:spire-nested-0.24.0
spiffe:spire-crds-0.5.0
spiffe:spire-0.23.0
spiffe:spire-nested-0.23.0
spiffe:spire-0.22.0
spiffe:spire-nested-0.22.0
spiffe:spire-nested-0.21.1
spiffe:spire-0.21.1
spiffe:spire-nested-0.21.0
spiffe:spire-nested-0.20.0
spiffe:spire-0.21.0
spiffe:spire-crds-0.4.0
spiffe:spire-0.20.0
spiffe:spire-0.19.2
spiffe:spire-0.19.1
spiffe:spire-0.19.0
spiffe:spire-0.18.2
spiffe:spire-0.18.1
spiffe:spire-0.18.0
spiffe:spire-0.17.2
spiffe:spire-0.17.1
spiffe:spire-crds-0.3.0
spiffe:spire-0.17.0
spiffe:spire-0.16.0
spiffe:spire-0.15.1
spiffe:spire-crds-0.2.0
spiffe:spire-0.15.0
spiffe:spire-0.14.0
spiffe:spire-crds-0.0.1
spiffe:spire-0.13.2
spiffe:spire-0.13.1
spiffe:spire-0.13.0
spiffe:spire-0.12.0
spiffe:spire-0.11.1
spiffe:spire-0.11.0
spiffe:spire-0.10.1
spiffe:spire-0.10.0
spiffe:spire-0.9.1
spiffe:spire-0.9.0
spiffe:spire-0.8.1
spiffe:spire-0.8.0
spiffe:spire-0.7.0
spiffe:spire-0.6.3
spiffe:spire-0.6.2
spiffe:spire-0.6.1
spiffe:spire-0.6.0
spiffe:spire-0.5.1
spiffe:spire-0.5.0
spiffe:spire-0.4.0
spiffe:spire-0.3.0
spiffe:spire-0.2.0
spiffe:spire-0.1.0

38 Commits
main ... spire-0.15

Author SHA1 Message Date
Marco Franssen b469b62f1a
Merge branch 'main' into release 2023-11-10 14:15:42 +01:00
Faisal Memon c07ca2597d Merge branch 'main' into release 2023-11-09 16:53:37 -08:00
Faisal Memon 2108f80f48 Merge branch 'main' into release 2023-11-09 14:22:14 -08:00
Faisal Memon e458ca371f Merge branch 'main' into release 2023-10-18 13:52:42 -07:00
unufr33 1c98c618b1 Fix spire-server configmap UpstreamAuthority/aws_pca and KeyManager/a… (#489) 
Current configmap template renders to a wrong KeyManager and
UpstreamAuthority configurarion when aws_kms and aws_pca are enabled and
container is crashing. The proposed changes will fix the issue.

---------

Signed-off-by: unufree <geno.velkov@gmail.com>
Signed-off-by: unufr33 <129618334+unufr33@users.noreply.github.com>
Co-authored-by: Faisal Memon <fymemon@yahoo.com>
 2023-10-12 15:21:59 -07:00
Faisal Memon ff0b0683e3 Bump spire Helm Chart version from 0.13.1 to 0.13.2 
* dd87bc0 Bump spire versions to 1.7.4 (#35)
* fdba5d0 Bump spire Helm Chart version from 0.13.0 to 0.13.1
* 0e41a7d Fix failing Tornjak ingress port (#28)
* df1abf6 Bump to spire 1.7.3 (#31)
* 69a20e3 Merge pull request #29 from spiffe/tornjak-version
* 3036a41 Switch to version v1.4.0
* da49059 Update Tornjak image version
* 0fa43a5 Add plugin support to the spire agent (#22)
* c5c5320 Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 in /tests (#27)
* afba33f Add spire agent experimental flags (#26)
* 1107278 Bump test chart dependencies
* 03ff618 Add Tornjak ingress (#16)
* 8f1bfc1 Merge pull request #23 from spiffe/examples-doc
* cd386eb Merge branch 'main' into examples-doc
* 12937db Update Example README
* 06d6690 Bump test chart dependencies (#20)
* 8aca48f Push the changes that update-tags creates (#19)
* a6cb397 Exit code from diff indicating changes should not block commit. (#17)
* ebfa518 Update FAQ from repo switch (#15)
* c23e6cb Fix issue with version checker not running
* 51c20b1 Bump actions/checkout from 4.0.0 to 4.1.0 (#9)
* 21db1e4 Add a test to ensure upgrades work (#6)
* f86648f Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 in /tests
* babd677 Bump helm.sh/helm/v3 from 3.12.3 to 3.13.0 in /tests
* 45187fe Add back CODE-OF-CONDUCT
* 50825d9 Deny production runs of example.org trust domains (#229)
* 712a0f6 Bump actions/checkout from 4.0.0 to 4.1.0
* f04bdc3 Add support for experimental flags (#492)
* 7cdae92 Bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 in /tests (#490)
* d3091a8 Fix spire-server configmap UpstreamAuthority/aws_pca and KeyManager/a… (#489)
* 7a96175 Remove developer-guy as a CODEOWNER

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
 2023-10-12 15:18:03 -07:00
kfox1111 af842bec0a Bump spire versions to 1.7.4 (#35) 
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
 2023-10-12 15:17:46 -07:00
Faisal Memon fdffbea7aa Bump spire Helm Chart version from 0.13.0 to 0.13.1 
* 0e41a7d Fix failing Tornjak ingress port (#28)
* df1abf6 Bump to spire 1.7.3 (#31)
* 69a20e3 Merge pull request #29 from spiffe/tornjak-version
* 3036a41 Switch to version v1.4.0
* da49059 Update Tornjak image version
* 0fa43a5 Add plugin support to the spire agent (#22)
* c5c5320 Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 in /tests (#27)
* afba33f Add spire agent experimental flags (#26)
* 1107278 Bump test chart dependencies
* 03ff618 Add Tornjak ingress (#16)
* 8f1bfc1 Merge pull request #23 from spiffe/examples-doc
* cd386eb Merge branch 'main' into examples-doc
* 12937db Update Example README
* 06d6690 Bump test chart dependencies (#20)
* 8aca48f Push the changes that update-tags creates (#19)
* a6cb397 Exit code from diff indicating changes should not block commit. (#17)
* ebfa518 Update FAQ from repo switch (#15)
* c23e6cb Fix issue with version checker not running
* 51c20b1 Bump actions/checkout from 4.0.0 to 4.1.0 (#9)
* 21db1e4 Add a test to ensure upgrades work (#6)
* f86648f Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 in /tests
* babd677 Bump helm.sh/helm/v3 from 3.12.3 to 3.13.0 in /tests
* 45187fe Add back CODE-OF-CONDUCT
* 50825d9 Deny production runs of example.org trust domains (#229)
* 712a0f6 Bump actions/checkout from 4.0.0 to 4.1.0
* f04bdc3 Add support for experimental flags (#492)
* 7cdae92 Bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 in /tests (#490)
* d3091a8 Fix spire-server configmap UpstreamAuthority/aws_pca and KeyManager/a… (#489)
* 7a96175 Remove developer-guy as a CODEOWNER

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
 2023-10-11 11:28:12 -07:00
kfox1111 d13a68c5ce Bump to spire 1.7.3 (#31) 
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
 2023-10-11 11:27:53 -07:00
Marco Franssen b2f04230cc
Merge branch 'main' into release 2023-09-15 19:30:20 +02:00
Faisal Memon 2675f130f4 Merge branch 'main' into release 2023-08-21 10:54:05 -07:00
Faisal Memon 7af7e1d6de
Merge pull request #420 from spiffe/release-patch-0-11-1 
Cut patch release 0.11.1
 2023-08-03 09:56:54 -07:00
Faisal Memon 431d77f40b Bump spire Helm Chart version from 0.11.0 to 0.11.1 (#419) 
Please review the below changelog to ensure this matches up with the
semantic version being applied.

**Note**: As this is a patch release we will make a cherry-picked
release using a followup PR targetering the release branch. Will
cherrypick the following commits into this patch release + the commit
bumping this version number.

**Changes in this release**

* d2e1606 issuer naming should respect issuer_name override (#378)
* a09e054 support annotations so oidc can be annotated (#391)
* 7d94b10 Update spire to 1.7.1 (#412)
* 9a6768b Add support for disabling container selectors (#399)
* 624ca9c Remove misadded lockfile (#400)

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
 2023-08-03 09:22:24 -07:00
Faisal Memon cfd6aa7985 Add support for disabling container selectors (#399) 2023-08-02 15:00:49 -07:00
kfox1111 b3d04ae162 Remove misadded lockfile (#400) 2023-08-02 14:56:55 -07:00
kfox1111 604743d0bf Update spire to 1.7.1 (#412) 
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
 2023-08-02 14:56:41 -07:00
Drew Wells 99c0f148ac support annotations so oidc can be annotated (#391) 
Signed-off-by: Drew Wells <dwells@infoblox.com>
Signed-off-by: Drew Wells <drew.wells00@gmail.com>
Co-authored-by: Faisal Memon <fymemon@yahoo.com>
 2023-08-02 14:55:15 -07:00
Drew Wells b0d9a736fe issuer naming should respect issuer_name override (#378) 
align the spire-server configmap and issuer CR naming

---------

Signed-off-by: Drew Wells <dwells@infoblox.com>
Signed-off-by: Faisal Memon <fymemon@yahoo.com>
Co-authored-by: Faisal Memon <fymemon@yahoo.com>
 2023-08-02 14:53:13 -07:00
Marco Franssen ca418613a2
Merge branch 'main' into release 2023-07-20 10:51:10 +02:00
Marco Franssen cc9565be5d
Merge branch 'main' into release 2023-06-30 22:18:45 +02:00
Marco Franssen 8b5f9703ff
Merge branch 'main' into release 2023-06-28 22:54:51 +02:00
Marco Franssen 8f7c9ba6a4
Bump spire Helm Chart version from 0.9.0 to 0.9.1 (#365) 2023-06-22 19:01:05 +02:00
kfox1111 622d5c9caf
Fix the init container flags of the statefulset (#366) 2023-06-22 19:00:57 +02:00
Drew Wells 2620c8357a
fixes missing template (#362) 2023-06-22 18:59:32 +02:00
Faisal Memon 49025cd3db
Always add parseTime=true for mysql query string (#352) 2023-06-22 18:59:22 +02:00
github-actions[bot] ee0a16bdc8
Bump test chart dependencies (#358) 
Co-authored-by: marcofranssen <marcofranssen@users.noreply.github.com>
Co-authored-by: Faisal Memon <fymemon@yahoo.com>
 2023-06-22 18:59:13 +02:00
Marco Franssen 0e5d2817fa
Merge branch 'main' into release 2023-06-20 08:33:33 +02:00
Marco Franssen b628b08e16
Merge branch 'main' into release 2023-05-30 19:30:17 +02:00
Marco Franssen 191d1f05d8
Merge branch 'main' into release 2023-05-25 14:22:51 +02:00
Faisal Memon f7403f45cb Merge branch 'main' into release 2023-05-12 11:20:47 -07:00
Marco Franssen 7a67caca5c
Merge branch 'main' into release 2023-04-14 09:53:32 +02:00
Marco Franssen e9de49e93b
Merge branch 'main' into release 2023-04-12 11:09:48 +02:00
Marco Franssen 949d34828e
Merge branch 'main' into release 2023-04-06 09:46:22 +02:00
Marco Franssen 3f044af7b9
Merge branch 'main' into release 2023-04-04 14:27:34 +02:00
kfox1111 545059c316
Merge pull request #176 from spiffe/release-patch 
Cut patch release for 0.5.0
 2023-03-28 09:02:20 -07:00
Marco Franssen a1b19dd215
Bump spire Helm Chart version from 0.5.0 to 0.5.1 
* 64585ba Fix formatting issues introduced with #152
* 0dac0db Improve Spire Chart documentation
* f709ed9 Bump actions/checkout from 3.4.0 to 3.5.0
* faef439 Bump helm/chart-testing-action from 2.3.1 to 2.4.0
* ae62dd1 Bump spire version to 1.6.1
* 02fda80 Add Artifact Hub badge to README.md
* 901e670 Disable default Tornjak deployment (#153)
* 05d0f47 Introduction of Tornjak to SPIRE Server helm charts (#144)
* b25dc77 Test fixing the tests (#148)
* b4be9ed Add maturity tag (#138)
* d4fd2ce Extract the namespace override test out of the old lockdown test. (#145)
* 4f85802 Update lockdown test to test the production example
* 04a1305 Fork the lockdown test to two tests as it is doing the work of 2 (#134)
* 64d0107 Resolve issue in prod example on volume mount (#143)
* 5b6708b Remove @dennisgove from CODEOWNERS (#140)
* a516caa Remove k8s 1.21 from test matrix + small syntax error fix (#133)
* 811a2f6 Add option to enable federation on spire-server (#97)

Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
 2023-03-28 15:16:48 +02:00
Marco Franssen 088f4f3676
Improve Spire Chart documentation 
Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
 2023-03-28 15:16:48 +02:00
Marco Franssen 37e469c725
Bump spire version to 1.6.1 
Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
 2023-03-28 15:16:48 +02:00
243 changed files with 2029 additions and 11190 deletions
Show Stats Expand all files Collapse all files

82
.devcontainer/Dockerfile
View File

@ -1,82 +0,0 @@
FROM ubuntu:22.04
RUN \
apt-get update && \
apt-get install -y bash ca-certificates gnupg make curl vim sudo jq && \
curl -sL https://deb.nodesource.com/setup_18.x -o nodesource_setup.sh && \
mkdir -p /etc/apt/keyrings && \
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | sudo tee /etc/apt/sources.list.d/nodesource.list && \
apt-get update && \
apt-get install -y nodejs && \
apt-get clean && \
curl -o /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 && \
chmod +x /usr/local/bin/yq
RUN \
curl -q -l -o /tmp/go.tgz "https://dl.google.com/go/go1.21.4.linux-amd64.tar.gz" && \
cd /usr/local && \
tar -xvf /tmp/go.tgz && \
rm -f /tmp/go.tgz && \
cd /
RUN \
curl -L -o /usr/local/bin/minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 && \
chmod +x /usr/local/bin/minikube && \
curl -L -o /usr/local/bin/kubectl "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
chmod +x /usr/local/bin/kubectl
RUN \
curl -fsSL -o /tmp/get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \
chmod +x /tmp/get_helm.sh && \
/tmp/get_helm.sh && \
rm /tmp/get_helm.sh
RUN \
groupadd -g 10001 dev && \
useradd --uid 10001 -g 10001 -m dev && \
echo 'dev ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/dev && \
chmod 400 /etc/sudoers.d/dev
ENV PATH /usr/local/go/bin:$PATH
RUN \
npm install -g "@bitnami/readme-generator-for-helm@2.6.0"
RUN \
go install github.com/onsi/ginkgo/v2/ginkgo@latest
RUN \
apt-get install -y git zsh strace lsof graphviz && \
mv /root/go/bin/ginkgo /usr/local/bin
RUN \
curl -L -o /tmp/ct.tar.gz https://github.com/helm/chart-testing/releases/download/v3.8.0/chart-testing_3.8.0_linux_amd64.tar.gz && \
cd /usr/local/bin && \
tar -xvf /tmp/ct.tar.gz ct && \
cd / && \
tar -xvf /tmp/ct.tar.gz etc && \
mkdir /etc/ct && \
mv /etc/chart_schema.yaml /etc/ct/ && \
mv /etc/lintconf.yaml /etc/ct/ && \
curl -o /tmp/gh.tar.gz https://github.com/cli/cli/releases/download/v2.40.0/gh_2.40.0_linux_amd64.tar.gz -L && \
cd && \
cd /tmp && \
tar -zxvf gh.tar.gz && \
mv gh_*_linux_amd64/bin/* /usr/local/bin && \
mkdir -p /usr/local/share/main/man1/ && \
mv gh_*_linux_amd64/share/man/man1/* /usr/local/share/main/man1/ && \
cd
RUN \
cd /tmp && \
git clone https://github.com/devcontainers/features && \
cd features/src/docker-in-docker && \
export MOBY=true && \
export INSTALLDOCKERBUILDX=false && \
./install.sh && \
cd ../../../ && \
rm -rf features
RUN \
usermod -a -G docker dev
USER dev

30
.devcontainer/devcontainer.json
View File

@ -1,30 +0,0 @@
{
"name": "spiffe-helm-charts-hardened",
"image": "ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest",
"features": {
"ghcr.io/devcontainers/features/docker-in-docker:2": {
"version": "latest",
"moby": true,
"installDockerBuildx": false
}
},
"customizations": {
"vscode": {
"extensions": [
"ms-kubernetes-tools.vscode-kubernetes-tools"
],
"settings": {
"terminal.integrated.defaultProfile.linux": "bash",
"terminal.integrated.profiles.linux": {
"zsh": { "path": "/bin/zsh" },
"bash": { "path": "/bin/bash" }
}
}
}
},
"postStartCommand": "minikube start && helm upgrade --install -n spire-server spire-crds charts/spire-crds --create-namespace && kubectl version",
"hostRequirements": {
"cpus": 1
},
"remoteUser": "dev"
}

5
.github/scripts/parse-versions.sh vendored
View File

@ -7,8 +7,3 @@ REPOS=$(jq -r '.[] | "export " + ("HELM_REPO_" + .name | ascii_upcase | gsub("-"
VERSIONS=$(jq -r '.[] | "export " + ("VERSION_" + .name | ascii_upcase | gsub("-";"_")) + "=" + .version' "${TESTS_PATH}/charts.json")
eval "$REPOS"
eval "$VERSIONS"
REGISTRIES=$(jq -r '.[] | "export " + ("HELM_REGISTRY_" + .name | ascii_upcase | gsub("-";"_")) + "=oci://" + .registry' "${TESTS_PATH}/oci-charts.json")
VERSIONS=$(jq -r '.[] | "export " + ("VERSION_" + .name | ascii_upcase | gsub("-";"_")) + "=" + .version' "${TESTS_PATH}/oci-charts.json")
eval "$REGISTRIES"
eval "$VERSIONS"

18
.github/scripts/update-versions.sh vendored
View File

@ -22,21 +22,3 @@ jq -r ".[].name" "${CHARTJSON}" | while read -r CHART; do
mv /tmp/$$ "${CHARTJSON}"
fi
done
CHARTJSON="${SCRIPTPATH}/../tests/oci-charts.json"
jq -r ".[].name" "${CHARTJSON}" | while read -r NAME; do
ENTRYQUERY='.[] | select(.name == "'$NAME'")'
REGISTRY="$(jq -r "$ENTRYQUERY | .registry" "${CHARTJSON}")"
VERSION="$(jq -r "$ENTRYQUERY | .version" "${CHARTJSON}")"
echo Processing: "${NAME}"
echo " chart: ${REGISTRY}"
echo " current version: ${VERSION}"
LATEST_VERSION=$(crane ls "$REGISTRY" | grep 'v\?[0-9]*\.[0-9]*\.[0-9]\.*$' | sort -V -r | head -n 1)
echo " latest version: ${LATEST_VERSION}"
if [ "x${VERSION}" != "x${LATEST_VERSION}" ]; then
echo " New version found!"
jq "(${ENTRYQUERY}).version |= \"${LATEST_VERSION}\"" "${CHARTJSON}" > /tmp/$$
mv /tmp/$$ "${CHARTJSON}"
fi
done

16
.github/tests/charts.json vendored
View File

@ -2,16 +2,26 @@
{
"name": "kube-prometheus-stack",
"repo": "https://prometheus-community.github.io/helm-charts",
"version": "75.15.1"
"version": "52.1.0"
},
{
"name": "cert-manager",
"repo": "https://charts.jetstack.io",
"version": "v1.18.2"
"version": "v1.13.2"
},
{
"name": "ingress-nginx",
"repo": "https://kubernetes.github.io/ingress-nginx",
"version": "4.13.0"
"version": "4.8.3"
},
{
"name": "mysql",
"repo": "https://charts.bitnami.com/bitnami",
"version": "9.14.1"
},
{
"name": "postgresql",
"repo": "https://charts.bitnami.com/bitnami",
"version": "13.2.1"
}
]

46
.github/tests/common.sh vendored
View File

@ -21,8 +21,7 @@ $(kubectl --request-timeout=30s describe pods --namespace "$1")
#### Logs
\`\`\`shell
$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --prefix --all-containers=true --ignore-errors=true; done)
$( ([[ -n "$2" ]] && kubectl get pods -o name -n "$2") | while read -r line; do echo logs for "${line}"; kubectl logs -n "$2" "${line}" --all-containers=true --ignore-errors=true; done)
$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done)
\`\`\`
EOF
@ -37,7 +36,7 @@ k_rollout_status () {
}
get_spire_release_name () {
helm ls -A | grep '^spire' | grep -v spire-crds | awk '{print $1}'
helm ls -A | grep '^spire' | awk '{print $1}'
}
print_spire_workload_status () {
@ -55,7 +54,6 @@ print_spire_workload_status () {
| Namespace | Workload | Status |
| --------- | ---------------------------------------------- | ------ |
| ${ns1} | ${release_name}-server | <pre>$(k_rollout_status "${ns1}" statefulset "${release_name}-server")</pre> |
| ${ns1} | ${release_name}-server | <pre>$(k_rollout_status "${ns1}" deployments.apps "${release_name}-server")</pre> |
| ${ns2} | ${release_name}-spiffe-csi-driver | <pre>$(k_rollout_status "${ns2}" daemonset "${release_name}-spiffe-csi-driver")</pre> |
| ${ns2} | ${release_name}-agent | <pre>$(k_rollout_status "${ns2}" daemonset "${release_name}-agent")</pre> |
| ${ns1} | ${release_name}-spiffe-oidc-discovery-provider | <pre>$(k_rollout_status "${ns1}" deployments.apps "${release_name}-spiffe-oidc-discovery-provider")</pre> |
@ -71,43 +69,3 @@ $(helm ls -A | sed 's/\t/ | /g' | sed 's/^/| /' | sed 's/$/ |/' | sed '/^| NAME.
EOF
}
common_test_url () (
count=10
while true; do
if curl "$1"; then exit 0; fi
sleep 2
count=$((count-1))
[ $count -le 0 ] && exit 1
done
)
common_test_file_exists () (
count=20
while true; do
if [ -f "$1" ]; then exit 0; fi
sleep 2
count=$((count-1))
[ $count -le 0 ] && exit 1
done
)
# Used just for testing. You should provide your own values as described in the install instructions.
common_test_your_values () {
cat > /tmp/$$.example-your-values.yaml <<EOF
global:
spire:
recommendations:
enabled: true
clusterName: production
trustDomain: production.other
caSubject:
country: US
organization: Production
commonName: production.other
EOF
echo "/tmp/$$.example-your-values.yaml"
}
COMMON_TEST_YOUR_VALUES="$(common_test_your_values)"
export COMMON_TEST_YOUR_VALUES

30
.github/tests/dependencies/spire-root-server-values.yaml vendored Normal file
View File

@ -0,0 +1,30 @@
global:
spire:
clusterName: production
trustDomain: production.other
spire-server:
controllerManager:
identities:
namespaceSelector:
kubernetes.io/metadata.name: spire-server
podSelector:
app.kubernetes.io/component: server
app.kubernetes.io/instance: spire
app.kubernetes.io/name: server
downstream: true
nodeAttestor:
k8sPsat:
serviceAccountAllowList:
- spire-system:spire-agent-upstream
bundleConfigMap: spire-bundle-upstream
notifier:
k8sbundle:
namespace: spire-system
spire-agent:
enabled: false
spiffe-csi-driver:
enabled: false

26
.github/tests/images.json vendored
View File

@ -4,26 +4,11 @@
"query": "tests.bash.image",
"filter": "LATESTSHA",
"sort-flags": []
},
{
"query": "chown.image",
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
},
{
"query": "tools.busybox.image",
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
}
],
"spire-agent/values.yaml": [
{
"query": "socketAlternate.image",
"filter": "LATESTSHA",
"sort-flags": []
},
{
"query": "hostCert.image",
"query": "waitForIt.image",
"filter": "LATESTSHA",
"sort-flags": []
},
@ -49,10 +34,6 @@
"query": "telemetry.prometheus.nginxExporter.image",
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
}, {
"query": "tests.step.image",
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
},
{
"query": "tests.bash.image",
@ -68,11 +49,6 @@
"query": "tests.busybox.image",
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
},
{
"query": "spiffeHelper.image",
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
}
],
"tornjak-frontend/values.yaml": [

17
.github/tests/oci-charts.json vendored
View File

@ -1,17 +0,0 @@
[
{
"name": "mysql",
"registry": "docker.io/bitnamicharts/mysql",
"version": "14.0.0"
},
{
"name": "postgresql",
"registry": "docker.io/bitnamicharts/postgresql",
"version": "16.7.9"
},
{
"name": "envoy-gateway",
"registry": "docker.io/envoyproxy/gateway-helm",
"version": "v1.4.2"
}
]

4
.github/tests/pre-install.sh vendored
View File

@ -37,13 +37,13 @@ kubectl wait --namespace ingress-nginx --for=condition=ready --timeout 60s pod -
# external database
# mysql
"${helm_install[@]}" mysql "${HELM_REGISTRY_MYSQL}" --version "$VERSION_MYSQL" \
"${helm_install[@]}" mysql mysql --version "$VERSION_MYSQL" --repo "$HELM_REPO_MYSQL" \
--namespace mysql \
--values "${DEPS}/mysql.yaml" \
--wait
# postgres
"${helm_install[@]}" postgresql "${HELM_REGISTRY_POSTGRESQL}" --version "$VERSION_POSTGRESQL" \
"${helm_install[@]}" postgresql postgresql --version "$VERSION_POSTGRESQL" --repo "$HELM_REPO_POSTGRESQL" \
--namespace postgresql \
--values "${DEPS}/postgresql.yaml" \
--wait

21
.github/workflows/check-versions.yaml vendored
View File

@ -27,21 +27,21 @@ jobs:
with:
version: ${{ env.HELM_VERSION }}
- name: Setup crane
uses: imjasonh/setup-crane@v0.3
- name: Update test chart versions
run: |
./.github/scripts/update-versions.sh
git diff
- name: Setup go
uses: actions/setup-go@v5.0.0
uses: actions/setup-go@v4.1.0
with:
go-version: '1.21'
cache: false
- uses: actions/setup-python@v5
- name: Setup crane
uses: imjasonh/setup-crane@v0.3
- uses: actions/setup-python@v4.6.1
with:
python-version: '3.9'
@ -59,18 +59,11 @@ jobs:
./.github/scripts/update-tags.sh
git diff
- name: Generate Token
uses: tibdex/github-app-token@v2.1.0
id: generate-token
with:
app_id: ${{ vars.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Create Pull Request
id: cpr
uses: peter-evans/create-pull-request@v6.0.2
uses: peter-evans/create-pull-request@v5.0.2
with:
token: ${{ steps.generate-token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
title: Bump test chart dependencies
branch: bump-test-chart-deps
commit-message: Bump test chart dependencies

59
.github/workflows/helm-chart-ci-ignore.yaml vendored
View File

@ -30,9 +30,9 @@ jobs:
strategy:
matrix:
k8s:
- v1.31.1
- v1.30.4
- v1.29.8
- v1.27.2
- v1.26.4
- v1.25.9
steps:
- run: 'echo "Skipping tests"'
@ -45,7 +45,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v4.1.1
- id: set-matrix-example
- id: set-matrix
name: Collect all examples
run: |
examples="$(find examples -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
@ -53,17 +53,8 @@ jobs:
echo "${examples_json}"
echo "examples=$examples_json" >>"$GITHUB_OUTPUT"
- id: set-matrix-integration
name: Collect all integration tests
run: |
integrationtests="$(find tests/integration -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
integrationtests_json="$(echo "$integrationtests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
echo "${integrationtests_json}"
echo "integrationtests=$integrationtests_json" >>"$GITHUB_OUTPUT"
outputs:
examples: ${{ steps.set-matrix-example.outputs.examples }}
integrationtests: ${{ steps.set-matrix-integration.outputs.integrationtests }}
examples: ${{ steps.set-matrix.outputs.examples }}
example-test:
runs-on: ubuntu-22.04
@ -74,45 +65,11 @@ jobs:
strategy:
matrix:
k8s:
- v1.31.1
- v1.30.4
- v1.29.8
- v1.27.2
- v1.26.4
- v1.25.9
example:
- ${{ fromJson(needs.build-matrix.outputs.examples) }}
steps:
- run: 'echo "Skipping example-test"'
integration-test:
runs-on: ubuntu-22.04
needs:
- build-matrix
strategy:
matrix:
k8s:
- v1.31.1
- v1.30.4
- v1.29.8
example:
- ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
steps:
- run: 'echo "Skipping integration-test"'
upgrade-test:
runs-on: ubuntu-22.04
needs:
- build-matrix
strategy:
matrix:
k8s:
- v1.31.1
- v1.30.4
- v1.29.8
steps:
- run: 'echo "Skipping upgrade-test"'

114
.github/workflows/helm-chart-ci.yaml vendored
View File

@ -21,9 +21,9 @@ concurrency:
cancel-in-progress: true
env:
HELM_VERSION: v3.16.2
HELM_VERSION: v3.12.0
PYTHON_VERSION: 3.11.3
KIND_VERSION: v0.24.0
KIND_VERSION: v0.19.0
CHART_TESTING_VERSION: v3.8.0
jobs:
@ -73,7 +73,7 @@ jobs:
fi
- name: Setup Go
uses: actions/setup-go@v5.0.0
uses: actions/setup-go@v4.1.0
with:
go-version-file: tests/go.mod
cache-dependency-path: tests/go.sum
@ -104,7 +104,7 @@ jobs:
version: ${{ env.HELM_VERSION }}
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
@ -130,9 +130,9 @@ jobs:
# Kubernetes, but can go back farther as long as we don't need heroics
# to pull it off (i.e. kubectl version juggling).
k8s:
- v1.31.1
- v1.30.4
- v1.29.8
- v1.27.2
- v1.26.4
- v1.25.9
steps:
- name: Checkout
@ -146,7 +146,7 @@ jobs:
version: ${{ env.HELM_VERSION }}
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
@ -156,7 +156,7 @@ jobs:
version: ${{ env.CHART_TESTING_VERSION }}
- name: Create kind ${{ matrix.k8s }} cluster
uses: helm/kind-action@v1.9.0
uses: helm/kind-action@v1.8.0
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
@ -171,7 +171,7 @@ jobs:
- name: Run chart-testing (install)
run: |
helm install -n spire-server spire-crds charts/spire-crds
ct install --config ct.yaml --excluded-charts spire-crds,spiffe-step-ssh \
ct install --config ct.yaml --excluded-charts spire-crds \
--target-branch ${{ github.base_ref }}
- name: Test summary
@ -187,7 +187,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v4.1.1
- id: set-matrix-example
- id: set-matrix
name: Collect all examples
run: |
examples="$(find examples -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
@ -195,17 +195,8 @@ jobs:
echo "${examples_json}"
echo "examples=$examples_json" >>"$GITHUB_OUTPUT"
- id: set-matrix-integration
name: Collect all integration tests
run: |
integrationtests="$(find tests/integration -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
integrationtests_json="$(echo "$integrationtests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
echo "${integrationtests_json}"
echo "integrationtests=$integrationtests_json" >>"$GITHUB_OUTPUT"
outputs:
examples: ${{ steps.set-matrix-example.outputs.examples }}
integrationtests: ${{ steps.set-matrix-integration.outputs.integrationtests }}
examples: ${{ steps.set-matrix.outputs.examples }}
example-test:
runs-on: ubuntu-22.04
@ -218,9 +209,9 @@ jobs:
fail-fast: false
matrix:
k8s:
- v1.31.1
- v1.30.4
- v1.29.8
- v1.27.2
- v1.26.4
- v1.25.9
example:
- ${{ fromJson(needs.build-matrix.outputs.examples) }}
@ -234,76 +225,25 @@ jobs:
version: ${{ env.HELM_VERSION }}
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Create kind cluster
uses: helm/kind-action@v1.9.0
uses: helm/kind-action@v1.8.0
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
node_image: kindest/node:${{ matrix.k8s }}
node_image: kindest/node:v1.26.4
config: .github/kind/conf/kind-config.yaml
verbosity: 1
- name: Install and test example
run: |
if [ "${{ matrix.example }}" = "examples/federation" -o "${{ matrix.example }}" = "examples/nested-full" -o "${{ matrix.example }}" = "examples/nested-security" ]; then
kubectl create namespace spire-mgmt
helm install -n spire-mgmt spire-crds charts/spire-crds
else
kubectl create namespace spire-server
helm install -n spire-server spire-crds charts/spire-crds
fi
export K8S="${{ matrix.k8s }}"
kubectl create namespace spire-server
helm install -n spire-server spire-crds charts/spire-crds
${{ matrix.example }}/run-tests.sh
integration-test:
runs-on: ubuntu-22.04
needs:
- lint-chart
- build-matrix
strategy:
fail-fast: false
matrix:
k8s:
- v1.31.1
- v1.30.4
- v1.29.8
integrationtest:
- ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
steps:
- name: Checkout
uses: actions/checkout@v4.1.1
- name: Set up Helm
uses: azure/setup-helm@v3.5
with:
version: ${{ env.HELM_VERSION }}
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Create kind cluster
uses: helm/kind-action@v1.9.0
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
node_image: kindest/node:${{ matrix.k8s }}
config: .github/kind/conf/kind-config.yaml
verbosity: 1
- name: Install and test integration
run: |
helm install --create-namespace -n spire-mgmt spire-crds charts/spire-crds
${{ matrix.integrationtest }}/run-tests.sh
upgrade-test:
runs-on: ubuntu-22.04
@ -315,9 +255,9 @@ jobs:
fail-fast: false
matrix:
k8s:
- v1.31.1
- v1.30.4
- v1.29.8
- v1.27.2
- v1.26.4
- v1.25.9
steps:
- name: Checkout
@ -329,18 +269,18 @@ jobs:
version: ${{ env.HELM_VERSION }}
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Create kind cluster
uses: helm/kind-action@v1.9.0
uses: helm/kind-action@v1.8.0
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
node_image: kindest/node:${{ matrix.k8s }}
node_image: kindest/node:v1.26.4
config: .github/kind/conf/kind-config.yaml
verbosity: 1
- name: Install and test example
run: tests/integration/production/run-tests.sh -u
run: examples/production/run-tests.sh -u

6
.github/workflows/helm-release.yaml vendored
View File

@ -29,9 +29,9 @@ jobs:
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Setup cosign
uses: sigstore/cosign-installer@v3.4.0
uses: sigstore/cosign-installer@v3.2.0
with:
cosign-release: v2.2.3
cosign-release: v2.2.0
- name: Set up Helm
uses: azure/setup-helm@v3.5
@ -44,7 +44,7 @@ jobs:
CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
- name: Login to GitHub Container Registry
uses: docker/login-action@v3.1.0
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}

44
.github/workflows/update-devcontainer-image.yaml vendored
View File

@ -1,44 +0,0 @@
name: Update devcontainer image
on:
schedule:
- cron: '0 8 * * 1'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
env:
HELM_VERSION: v3.11.1
jobs:
build-and-push-devcontainer-image:
runs-on: ubuntu-20.04
permissions:
contents: read
id-token: write
packages: write
env:
COSIGN_EXPERIMENTAL: 1
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
with:
cosign-release: v2.2.3
- name: Install regctl
uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
- name: Log in to GHCR
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build / Push images
run: |
set -e
cd .devcontainer/
docker build -t ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest .
docker push ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest

4
CONTRIBUTING.md
View File

@ -60,7 +60,3 @@ Any changes to Chart.yaml or values.yaml require an update of the README.md. Thi
In contrary to many other Helm repositories we do NOT require contributors to increate the Chart version. We have customized our release pipeline so we can bundle various PRs in a single release. Maintainers of the helm-charts in this repo will take care of the semantic versioning.
[readme-generator]: https://github.com/bitnami-labs/readme-generator-for-helm "Auto generate READMEs for Helm Charts."
## devcontainer support
We have a usable devcontainer with all the dev tools preinstalled to make contributions easier. You should be able to use it via Codespaces (https://github.com/codespaces/), Visual Studio Code (https://code.visualstudio.com/), DevPod (https://devpod.sh), etc. Please consult the documentation for those tools for how to use them.

5
Makefile
View File

@ -63,8 +63,3 @@ test-example-%:
.PHONY: test-examples
test-examples: $(patsubst examples/%/values.yaml,test-example-%,$(wildcard examples/*/values.yaml)) ## Run `helm install` and `helm test` for all the examples containing `run-tests.sh`
.PHONY: diagrams
diagrams: ## Builds diagrams
@dot -Tpng examples/nested/singlehardened.dot > examples/nested/singlehardened.png
@dot -Tpng examples/nested/multicluster.dot > examples/nested/multicluster.png

4
README.md
View File

@ -1,4 +1,4 @@
> **Note**
> [!Note]
> Things to consider:
> 1. We do not support running out of the git main branch. This is where development happens. Please use released versions via the published repo or git tags.
> 2. All the helm charts in this repo are beta. We encourage you to try them out and contribute. The API may change as we move towards a production ready release.
@ -14,7 +14,7 @@ A suite of [Helm Charts](https://helm.sh/docs) for standardized installations of
## How to install or upgrade
You most likely want to do an integrated setup based on the spire chart.
See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-instructions).
See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire).
## Contributing

42
charts/spiffe-step-ssh/Chart.yaml
View File

@ -1,42 +0,0 @@
apiVersion: v2
name: spiffe-step-ssh
description: sshd signed host certificates using SPIFFE for trust and step CA
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"
keywords: ["spiffe", "step", "step-ca", "ssh"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
sources:
- https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
maintainers:
- name: kfox1111
email: Kevin.Fox@pnnl.gov
dependencies:
- name: spire-lib
repository: file://../spire/charts/spire-lib
version: 0.1.0
- name: step-certificates
alias: step
repository: https://smallstep.github.io/helm-charts/
version: 1.27.4

65
charts/spiffe-step-ssh/README.md
View File

@ -1,65 +0,0 @@
spire-values.yaml
```
spire-server:
nodeAttestor:
httpChallenge:
enabled: true
controllerManager:
identities:
clusterSPIFFEIDs:
spiffe-step-ssh-config:
type: raw
namespaceSelector:
matchLabels:
"kubernetes.io/metadata.name": default
podSelector:
matchLabels:
app: spiffe-step-ssh
component: config
spiffe-step-ssh-fetchca:
type: raw
namespaceSelector:
matchLabels:
"kubernetes.io/metadata.name": default
podSelector:
matchLabels:
app: spiffe-step-ssh
component: fetchca
dnsNameTemplates:
- "spiffe-step-ssh-fetchca.{{ .TrustDomain }}"
```
```shell
helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f spire-values.yaml --set global.spire.ingressControllerType=ingress-nginx,spire-server.ingress.enabled=true
```
```shell
helm upgrade --install ingress-nginx ingress-nginx -n ingress-nginx --create-namespace --repo https://kubernetes.github.io/ingress-nginx --set controller.service.type=ClusterIP,controller.service.externalIPs[0]=$(minikube ip) --set controller.watchIngressWithoutClass=true --set controller.extraArgs.enable-ssl-passthrough=
```
```shell
PASSWORD=$(openssl rand -base64 48)
echo "$PASSWORD" > spiffe-step-ssh-password.txt
step ca init --helm --deployment-type=Standalone --name='My CA' --dns spiffe-step-ssh.example.org --ssh --address :8443 --provisioner default --password-file spiffe-step-ssh-password.txt > spiffe-step-ssh-values.yaml
```
ingress-values.yaml
```yaml
global:
spiffe:
ingressControllerType: ingress-nginx
stepIngress:
enabled: true
fetchCA:
ingress:
enabled: true
```
```shell
helm upgrade --install spiffe-step-ssh . --set caPassword=`cat spiffe-step-ssh-password.txt` -f spiffe-step-ssh-values.yaml -f ingress-values.yaml --set trustDomain=example.org
```
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
## Parameters

1
charts/spiffe-step-ssh/ci/default-values.yaml
View File

@ -1 +0,0 @@
trustDomain: example.org

13
charts/spiffe-step-ssh/files/ssh_x5c.tpl
View File

@ -1,13 +0,0 @@
{{- if eq (len .AuthorizationCrt.URIs) 1 }}
{{- $san := printf "%s" (index .AuthorizationCrt.URIs 0) }}
{{- if hasPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
{{- $name := trimPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
{
"type": {{ toJson .Type }},
"keyId": {{ toJson $name }},
"principals": [{{ toJson $name }}],
"extensions": {{ toJson .Extensions }},
"criticalOptions": {{ toJson .CriticalOptions }}
}
{{- end }}
{{- end }}

5
charts/spiffe-step-ssh/templates/NOTES.txt
View File

@ -1,5 +0,0 @@
Installed {{ .Chart.Name }}…
Configure your ssh clients with known_hosts file with:
@cert-authority *.{{ .Values.trustDomain }} {{ .Values.inject.certificates.ssh_host_ca }}

83
charts/spiffe-step-ssh/templates/_helpers.tpl
View File

@ -1,83 +0,0 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "spiffe-step-ssh.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "spiffe-step-ssh.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "spiffe-step-ssh.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "spiffe-step-ssh.labels" -}}
helm.sh/chart: {{ include "spiffe-step-ssh.chart" . }}
{{ include "spiffe-step-ssh.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "spiffe-step-ssh.selectorLabels" -}}
app.kubernetes.io/name: {{ include "spiffe-step-ssh.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "spiffe-step-ssh.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "spiffe-step-ssh.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/* Takes in a dictionary with keys:
* global - the standard global object
* ingress - a standard format ingress config object
*/}}
{{- define "spiffe-step-ssh.ingress-controller-type" }}
{{- $type := "" }}
{{- if ne (len (dig "spiffe" "ingressControllerType" "" .global)) 0 }}
{{- $type = .global.spiffe.ingressControllerType }}
{{- else if ne .ingress.controllerType "" }}
{{- $type = .ingress.controllerType }}
{{- else if (dig "openshift" false .global) }}
{{- $type = "openshift" }}
{{- else }}
{{- $type = "other" }}
{{- end }}
{{- if not (has $type (list "ingress-nginx" "openshift" "other")) }}
{{- fail "Unsupported ingress controller type specified. Must be one of [ingress-nginx, openshift, other]" }}
{{- end }}
{{- $type }}
{{- end }}

25
charts/spiffe-step-ssh/templates/config-configmap.yaml
View File

@ -1,25 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
data:
spiffe-helper.conf: |
agent_address = "/spiffe-workload-api/spire-agent.sock"
cmd = "sh"
cmd_args = "/config-deployment/update.sh"
cert_dir = "/certs"
svid_file_name = "tls.crt"
svid_key_file_name = "tls.key"
svid_bundle_file_name = "ca.pem"
add_intermediates_to_bundle = false
update.sh: |
#!/bin/sh
export ROOTS=$(base64 /certs/ca.pem | tr '\n' ' ' | sed 's/ //g')
echo Updating Roots to "$ROOTS"
cat /config/ca.json > /work/ca.json
yq e -i -ojson '.authority.provisioners |= map(select(.name == "x5c@spiffe").roots = env(ROOTS))' /work/ca.json
/helper/kubectl create configmap {{ include "spiffe-step-ssh.fullname" . }}-config -n "{{ .Release.Namespace }}" --from-file=/work/ca.json --from-file=/config/defaults.json --from-file=/config/ssh_x5c.tpl --dry-run=client -o yaml | /helper/kubectl apply -f -
/helper/kubectl rollout restart statefulset {{ include "spiffe-step-ssh.fullname" . }} -n "{{ .Release.Namespace }}"
echo $?

143
charts/spiffe-step-ssh/templates/config-deployment.yaml
View File

@ -1,143 +0,0 @@
{{- $configSum := (include (print $.Template.BasePath "/config-configmap.yaml") . | sha256sum) }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-config
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
app: spiffe-step-ssh
component: config
spec:
replicas: 1
selector:
matchLabels:
{{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }}
app: spiffe-step-ssh
component: config
template:
metadata:
annotations:
checksum/config: {{ $configSum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app: spiffe-step-ssh
component: config
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
initContainers:
- name: setup-volume-p1
image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
command:
- sh
- -c
- 'cp -a /bin/busybox /helper'
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
volumeMounts:
- name: spiffe-helper
mountPath: /helper
resources:
{{- toYaml .Values.config.resources | nindent 12 }}
- name: setup-volume-p2
image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
imagePullPolicy: {{ .Values.kubectl.image.pullPolicy }}
command:
- /helper/busybox
- sh
- -c
- '/helper/busybox cp -a /bin/kubectl /helper'
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
volumeMounts:
- name: spiffe-helper
mountPath: /helper
resources:
{{- toYaml .Values.config.resources | nindent 12 }}
- name: setup-volume-p3
image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
command:
- /helper/busybox
- sh
- -c
- '/helper/busybox cp -a /spiffe-helper /helper && /helper/busybox rm -f /helper/busybox'
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
volumeMounts:
- name: spiffe-helper
mountPath: /helper
resources:
{{- toYaml .Values.config.resources | nindent 12 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: {{ template "spire-lib.image" (dict "image" .Values.yq.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.yq.image.pullPolicy }}
command:
- /helper/spiffe-helper
- -config
- /config-deployment/spiffe-helper.conf
resources:
{{- toYaml .Values.config.resources | nindent 12 }}
volumeMounts:
- name: spiffe-helper
mountPath: /helper
readOnly: true
- name: config
mountPath: /config
readOnly: true
- name: config-deployment
mountPath: /config-deployment
readOnly: true
- name: certdir
mountPath: /certs
- name: spiffe-workload-api
mountPath: /spiffe-workload-api
readOnly: true
- name: workdir
mountPath: /work
volumes:
- name: spiffe-workload-api
csi:
driver: {{ .Values.csiDriver | quote }}
readOnly: true
- name: config-deployment
configMap:
name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
- name: config
configMap:
name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw
- name: certdir
emptyDir: {}
- name: spiffe-helper-config
emptyDir: {}
- name: spiffe-helper
emptyDir: {}
- name: workdir
emptyDir: {}
{{- with .Values.config.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.config.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.config.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

41
charts/spiffe-step-ssh/templates/config-role.yaml
View File

@ -1,41 +0,0 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
rules:
- apiGroups: [""]
resources: [configmaps]
verbs:
- create
- apiGroups: [""]
resources: [configmaps]
resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-config]
verbs:
- get
- update
- patch
- apiGroups: ["apps"]
resources: [statefulsets]
resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}]
verbs:
- get
- patch
- apiGroups: ["apps"]
resources: [deployments]
resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-fetchca]
verbs:
- get
- patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
subjects:
- kind: ServiceAccount
name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
apiGroup: rbac.authorization.k8s.io

13
charts/spiffe-step-ssh/templates/config-serviceaccount.yaml
View File

@ -1,13 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
component: config
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

28
charts/spiffe-step-ssh/templates/fetchca-configmap.yaml
View File

@ -1,28 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
data:
spiffe-helper-init.conf: |
agent_address = "/spiffe-workload-api/spire-agent.sock"
cmd = ""
cmd_args = ""
cert_dir = "/certs"
svid_file_name = "tls.crt"
svid_key_file_name = "tls.key"
svid_bundle_file_name = "ca.pem"
add_intermediates_to_bundle = false
spiffe-helper-sidecar.conf: |
agent_address = "/spiffe-workload-api/spire-agent.sock"
cmd = "/busybox/busybox"
cmd_args = "sh /update.sh"
cert_dir = "/certs"
svid_file_name = "tls.crt"
svid_key_file_name = "tls.key"
svid_bundle_file_name = "ca.pem"
add_intermediates_to_bundle = false
update.sh: |
#!/bin/sh
/busybox/busybox kill -HUP `/busybox/busybox busybox cat /pid/pid`

182
charts/spiffe-step-ssh/templates/fetchca-deployment.yaml
View File

@ -1,182 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
app: spiffe-step-ssh
component: fetchca
spec:
{{- if not .Values.fetchCA.autoscaling.enabled }}
replicas: {{ .Values.fetchCA.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }}
app: spiffe-step-ssh
component: fetchca
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app: spiffe-step-ssh
component: fetchca
spec:
shareProcessNamespace: true
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . }}-fetchca
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
initContainers:
- name: busybox-volume
image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
command:
- sh
- -c
- 'cp -a /bin/busybox /busybox'
volumeMounts:
- name: busybox
mountPath: /busybox
resources:
{{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
- name: init-tls
image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
command:
- /spiffe-helper
- -config
- /etc/spiffe-helper.conf
- -daemon-mode=false
volumeMounts:
- name: spiffe-workload-api
mountPath: /spiffe-workload-api
readOnly: true
- name: config
mountPath: /etc/spiffe-helper.conf
subPath: spiffe-helper-init.conf
readOnly: true
- name: certs
mountPath: /certs
resources:
{{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
containers:
- name: {{ .Chart.Name }}-fetchca
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: {{ template "spire-lib.image" (dict "image" .Values.nginx.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.nginx.image.pullPolicy }}
command:
- /bin/sh
- -c
- |
echo $$$$ > /pid/pid
cat > /etc/nginx/conf.d/ssl.conf <<EOF
server {
listen 8443 ssl;
server_name localhost;
ssl_certificate /certs/tls.crt;
ssl_certificate_key /certs/tls.key;
location / {
root /usr/share/nginx/html;
index root_ca.crt index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
EOF
exec nginx -g "daemon off;"
ports:
- name: http
containerPort: 8443
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
scheme: HTTPS
readinessProbe:
httpGet:
path: /
port: http
scheme: HTTPS
resources:
{{- toYaml .Values.fetchCA.resources | nindent 12 }}
volumeMounts:
- name: certs
mountPath: /certs
readOnly: true
- name: pid
mountPath: /pid
- name: share
mountPath: /usr/share/nginx/html
- name: update-tls
image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
command:
- /spiffe-helper
- -config
- /etc/spiffe-helper.conf
volumeMounts:
- name: certs
mountPath: /certs
- name: spiffe-workload-api
mountPath: /spiffe-workload-api
readOnly: true
- name: config
mountPath: /etc/spiffe-helper.conf
subPath: spiffe-helper-sidecar.conf
readOnly: true
- name: config
mountPath: /update.sh
subPath: update.sh
readOnly: true
- name: pid
mountPath: /pid
readOnly: true
- name: busybox
mountPath: /busybox
readOnly: true
resources:
{{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
volumes:
- name: certs
emptyDir: {}
- name: pid
emptyDir: {}
- name: busybox
emptyDir: {}
- name: config
configMap:
name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
- name: spiffe-workload-api
csi:
driver: {{ .Values.csiDriver | quote }}
readOnly: true
- name: share
configMap:
name: {{ include "spiffe-step-ssh.fullname" . }}-certs
{{- with .Values.fetchCA.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.fetchCA.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.fetchCA.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

32
charts/spiffe-step-ssh/templates/fetchca-hpa.yaml
View File

@ -1,32 +0,0 @@
{{- if .Values.fetchCA.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-fetchCA
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
minReplicas: {{ .Values.fetchCA.autoscaling.minReplicas }}
maxReplicas: {{ .Values.fetchCA.autoscaling.maxReplicas }}
metrics:
{{- if .Values.fetchCA.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.fetchCA.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.fetchCA.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.fetchCA.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

31
charts/spiffe-step-ssh/templates/fetchca-ingress.yaml
View File

@ -1,31 +0,0 @@
{{- if .Values.fetchCA.ingress.enabled -}}
{{- $ingressControllerType := include "spiffe-step-ssh.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.fetchCA.ingress) }}
{{- $fullName := printf "%s-fetchca" (include "spiffe-step-ssh.fullname" .) -}}
{{- $path := "/" }}
{{- $pathType := "Prefix" }}
{{- $tlsSection := true }}
{{- $annotations := deepCopy .Values.fetchCA.ingress.annotations }}
{{- if eq $ingressControllerType "ingress-nginx" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
{{- else if eq $ingressControllerType "openshift" }}
{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
{{- $path = "" }}
{{- $pathType = "ImplementationSpecific" }}
{{- $tlsSection = false }}
{{- end }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{ include "spiffe-step-ssh.labels" . | nindent 4}}
{{- with $annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{ include "spire-lib.ingress-spec" (dict "ingress" .Values.fetchCA.ingress "svcName" $fullName "port" .Values.fetchCA.service.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
{{- end }}

17
charts/spiffe-step-ssh/templates/fetchca-service.yaml
View File

@ -1,17 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
app: spiffe-step-ssh
component: fetchca
spec:
type: {{ .Values.fetchCA.service.type }}
ports:
- port: {{ .Values.fetchCA.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "spiffe-step-ssh.selectorLabels" . | nindent 4 }}

12
charts/spiffe-step-ssh/templates/fetchca-serviceaccount.yaml
View File

@ -1,12 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-fetchca
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

8
charts/spiffe-step-ssh/templates/ssh-certificate-issuer-password-secret.yaml
View File

@ -1,8 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-certificate-issuer-password
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
data:
password: {{ .Values.caPassword | b64enc }}

8
charts/spiffe-step-ssh/templates/step-ca-password-secret.yaml
View File

@ -1,8 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-ca-password
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
data:
password: {{ .Values.caPassword | b64enc }}

15
charts/spiffe-step-ssh/templates/step-certs-configmap.yaml
View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-certs
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
data:
"root_ca.crt": |
{{- .Values.inject.certificates.root_ca | nindent 4}}
"intermediate_ca.crt": |
{{ .Values.inject.certificates.intermediate_ca | nindent 4}}
"ssh_host_ca_key.pub": |
{{ .Values.inject.certificates.ssh_host_ca | nindent 4 }}
"ssh_user_ca_key.pub": |
{{ .Values.inject.certificates.ssh_user_ca | nindent 4 }}

32
charts/spiffe-step-ssh/templates/step-config.yaml
View File

@ -1,32 +0,0 @@
{{- define "spiffe-step-ssh.config-provisioners" }}
type: X5C
name: "x5c@spiffe"
roots: ""
claims:
maxTLSCertDuration: {{ .Values.maxTLSCertDuration | quote }}
defaultTLSCertDuration: {{ .Values.defaultTLSCertDuration | quote }}
disableRenewal: true
enableSSHCA: true
disableCustomSANs: true
options:
ssh:
templateFile: /home/step/config/ssh_x5c.tpl
{{- end }}
{{ $ca := deepCopy (index .Values.inject.config.files "ca.json") }}
{{ $_ := set $ca.authority "provisioners" (list (include "spiffe-step-ssh.config-provisioners" . | fromYaml )) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
data:
"ca.json": |
{{- $ca | toPrettyJson | nindent 4 }}
"defaults.json": |
{{- index .Values.inject.config.files "defaults.json" | toPrettyJson | nindent 4 }}
{{- if eq .Values.trustDomain "" }}
{{- fail "You must set trustDomain" }}
{{- end }}
"ssh_x5c.tpl": |
{{- .Files.Get "files/ssh_x5c.tpl" | replace "@TRUST_DOMAIN@" .Values.trustDomain | replace "@PREFIX@" .Values.prefix | nindent 4}}

31
charts/spiffe-step-ssh/templates/step-ingress.yaml
View File

@ -1,31 +0,0 @@
{{- if .Values.stepIngress.enabled -}}
{{- $ingressControllerType := include "spiffe-step-ssh.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.stepIngress) }}
{{- $fullName := printf "%s" (include "spiffe-step-ssh.fullname" .) -}}
{{- $path := "/" }}
{{- $pathType := "Prefix" }}
{{- $tlsSection := true }}
{{- $annotations := deepCopy .Values.stepIngress.annotations }}
{{- if eq $ingressControllerType "ingress-nginx" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
{{- else if eq $ingressControllerType "openshift" }}
{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
{{- $path = "" }}
{{- $pathType = "ImplementationSpecific" }}
{{- $tlsSection = false }}
{{- end }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{ include "spiffe-step-ssh.labels" . | nindent 4}}
{{- with $annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{ include "spire-lib.ingress-spec" (dict "ingress" .Values.stepIngress "svcName" $fullName "port" .Values.step.service.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
{{- end }}

11
charts/spiffe-step-ssh/templates/step-secret.yaml
View File

@ -1,11 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-secrets
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
data:
root_ca_key: {{ .Values.inject.secrets.x509.root_ca_key | b64enc }}
intermediate_ca_key: {{ .Values.inject.secrets.x509.intermediate_ca_key | b64enc }}
ssh_host_ca_key: {{ .Values.inject.secrets.ssh.host_ca_key | b64enc }}
ssh_user_ca_key: {{ .Values.inject.secrets.ssh.user_ca_key | b64enc }}

8
charts/spiffe-step-ssh/templates/step-ssh-host-ca-password-secret.yaml
View File

@ -1,8 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-ssh-host-ca-password
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
data:
password: {{ .Values.caPassword | b64enc }}

8
charts/spiffe-step-ssh/templates/step-ssh-user-ca-password-secret.yaml
View File

@ -1,8 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "spiffe-step-ssh.fullname" . }}-ssh-user-ca-password
labels:
{{- include "spiffe-step-ssh.labels" . | nindent 4 }}
data:
password: {{ .Values.caPassword | b64enc }}

292
charts/spiffe-step-ssh/values.yaml
View File

@ -1,292 +0,0 @@
# Default values for spiffe-step-ssh.
# SPDX-License-Identifier: APACHE-2.0
global:
spiffe:
## @param global.spiffe.ingressControllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
ingressControllerType: ""
## @param trustDomain The trust domain for SPIRE
trustDomain: ""
## @param caPassword Password securing the SSH CA
caPassword: ""
## @param maxTLSCertDuration The maximum duration the X5C traded cert is valid for.
maxTLSCertDuration: 24h
## @param defaultTLSCertDuration The default duration the X5C traded cert is valid for.
defaultTLSCertDuration: 1h
## @param prefix Prefix where hosts show up that are allowed to get ssh host certs
prefix: sshd
## @param csiDriver The csi driver to use
csiDriver: csi.spiffe.io
## @skip inject
## These will be generated by the step-ca tool
inject:
secrets:
x509:
root_ca_key: ""
intermediate_ca_key: ""
ssh:
host_ca_key: ""
user_ca_key: ""
config:
files:
ca.json:
authority: {}
certificates:
root_ca: ""
intermediate_ca: ""
ssh_host_ca: ""
ssh_user_ca: ""
stepIngress:
## @param stepIngress.enabled Flag to enable ingress
enabled: false
## @param stepIngress.className Ingress class name
className: ""
## @param stepIngress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
controllerType: ""
## @param stepIngress.annotations [object] Annotations for the ingress object
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# If Profile Type == https_spiffe:
# nginx.ingress.kubernetes.io/ssl-passthrough: "true"
## @param stepIngress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
host: "spiffe-step-ssh"
## @param stepIngress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
tlsSecret: ""
## @param stepIngress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
hosts: []
# - host: spiffe-step-ssh.example.org
# paths:
# - path: /
# pathType: Prefix
## @param stepIngress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
tls: []
# - hosts:
# - spiffe-step-ssh.example.org
## @skip step
step:
service:
port: 443
targetPort: 8443
inject:
enabled: false
bootstrap:
enabled: false
configmaps: false
secrets: false
existingSecrets:
enabled: true
ca: true
issuer: true
certsAsSecret: false
configAsSecret: false
sshHostCa: true
sshUserCa: true
spiffeHelper:
## @param spiffeHelper.image.registry The OCI registry to pull the image from
## @param spiffeHelper.image.repository The repository within the registry
## @param spiffeHelper.image.pullPolicy The image pull policy
## @param spiffeHelper.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: ghcr.io
repository: spiffe/spiffe-helper
pullPolicy: IfNotPresent
tag: 0.8.0
nginx:
## @param nginx.image.registry The OCI registry to pull the image from
## @param nginx.image.repository The repository within the registry
## @param nginx.image.pullPolicy The image pull policy
## @param nginx.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: docker.io
repository: nginxinc/nginx-unprivileged
pullPolicy: IfNotPresent
tag: 1.25.3-alpine
kubectl:
## @param kubectl.image.registry The OCI registry to pull the image from
## @param kubectl.image.repository The repository within the registry
## @param kubectl.image.pullPolicy The image pull policy
## @param kubectl.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: registry.k8s.io
repository: kubectl
pullPolicy: IfNotPresent
tag: ""
yq:
## @param yq.image.registry The OCI registry to pull the image from
## @param yq.image.repository The repository within the registry
## @param yq.image.pullPolicy The image pull policy
## @param yq.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: docker.io
repository: mikefarah/yq
pullPolicy: IfNotPresent
tag: "4.40.5"
busybox:
## @param busybox.image.registry The OCI registry to pull the image from
## @param busybox.image.repository The repository within the registry
## @param busybox.image.pullPolicy The image pull policy
## @param busybox.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: docker.io
repository: busybox
pullPolicy: IfNotPresent
tag: "1.36.1-uclibc"
## @param imagePullSecrets [array] Pull secrets for images
imagePullSecrets: []
## @param nameOverride Name override
nameOverride: ""
## @param fullnameOverride Fullname override
fullnameOverride: ""
## @param serviceAccount.create Specifies whether a service account should be created
## @param serviceAccount.annotations [object] Annotations to add to the service account
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
##
serviceAccount:
create: true
annotations: {}
name: ""
## @param podAnnotations [object] Additional pod annotations to add
podAnnotations: {}
## @param podLabels [object] Additional pod labels to add
podLabels: {}
## @param podSecurityContext [object} Specify pod security context settings
podSecurityContext: {}
# fsGroup: 2000
## @param securityContext [object] Specify container security context settings
securityContext:
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
# FIXME
runAsUser: 0
fetchCA:
## @param fetchCA.replicaCount Number of replicas to launch
replicaCount: 1
## @param fetchCA.service.type The type of service to deploy
## @param fetchCA.service.port The port number of the service port
service:
type: ClusterIP
port: 443
ingress:
## @param fetchCA.ingress.enabled Flag to enable ingress
enabled: false
## @param fetchCA.ingress.className Ingress class name
className: ""
## @param fetchCA.ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
controllerType: ""
## @param fetchCA.ingress.annotations [object] Annotations for the ingress object
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# If Profile Type == https_spiffe:
# nginx.ingress.kubernetes.io/ssl-passthrough: "true"
## @param fetchCA.ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
host: "spiffe-step-ssh-fetchca"
## @param fetchCA.ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
tlsSecret: ""
## @param fetchCA.ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
hosts: []
# - host: spiffe-step-ssh-fetchca.example.org
# paths:
# - path: /
# pathType: Prefix
## @param fetchCA.ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
tls: []
# - hosts:
# - spiffe-step-ssh-fetchca.example.org
## @param fetchCA.autoscaling.enabled Enable autoscaling
## @param fetchCA.autoscaling.minReplicas Minimum number of replicas to deploy
## @param fetchCA.autoscaling.maxReplicas Maximum number of replicas to deploy
## @param fetchCA.autoscaling.targetCPUUtilizationPercentage Target CPU utilization to use for autoscaling
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
## @param fetchCA.resources [object] Specify resources
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
spiffeHelper:
## @param fetchCA.spiffeHelper.resources [object] Specify resources for the SPIFFE helper
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## @param fetchCA.nodeSelector [object] Specify node selector
nodeSelector: {}
## @param fetchCA.tolerations [array] Specify tolerations
tolerations: []
## @param fetchCA.affinity [object] Specify affinity
affinity: {}
config:
## @param config.resources [object] Specify resources
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## @param config.nodeSelector [object] Specify node selector
nodeSelector: {}
## @param config.tolerations [array] Specify tolerations
tolerations: []
## @param config.affinity [object] Specify affinity
affinity: {}

6
charts/spire-crds/Chart.yaml
View File

@ -3,12 +3,12 @@ name: spire-crds
description: >
A Helm chart for deploying the Spire CRDS
type: application
version: 0.5.0
version: 0.2.0
appVersion: "0.0.1"
keywords: ["spire-crds"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
sources:
- https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
- https://github.com/spiffe/helm-charts/tree/main/charts/spire
icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
maintainers:
- name: marcofranssen

4
charts/spire-crds/README.md
View File

@ -4,7 +4,7 @@
A Helm chart to install the SPIRE CRDS.
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
**Homepage:** <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
## Maintainers
@ -17,7 +17,7 @@ A Helm chart to install the SPIRE CRDS.
## Source Code
* <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire-crds>
* <https://github.com/spiffe/helm-charts/tree/main/charts/spire-crds>
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->

8
charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
View File

@ -45,11 +45,6 @@ spec:
description: AutoPopulateDNSNames indicates whether or not to auto
populate service DNS names.
type: boolean
fallback:
description: |-
Apply this ID only if there are no other matching non fallback
ClusterSPIFFEIDs
type: boolean
dnsNameTemplates:
description: DNSNameTemplate represents templates for extra DNS names
that are applicable to SVIDs minted for this ClusterSPIFFEID. The
@ -71,9 +66,6 @@ spec:
items:
type: string
type: array
hint:
description: Set the entry hint
type: string
jwtTtl:
description: JWTTTL indicates an upper-bound time-to-live for JWT
SVIDs minted for this ClusterSPIFFEID.

2
charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml
View File

@ -64,8 +64,6 @@ spec:
type: array
spiffeID:
type: string
storeSVID:
type: boolean
x509SVIDTTL:
type: string
required:

60
charts/spire-crds/templates/spire.spiffe.io_controllermanagerconfigs.yaml Normal file
View File

@ -0,0 +1,60 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
{{- .Values.annotations | toYaml | nindent 4 }}
creationTimestamp: null
name: controllermanagerconfigs.spire.spiffe.io
spec:
group: spire.spiffe.io
names:
kind: ControllerManagerConfig
listKind: ControllerManagerConfigList
plural: controllermanagerconfigs
singular: controllermanagerconfig
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ControllerManagerConfig is the Schema for the controllermanagerconfigs
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ControllerManagerConfigSpec defines the desired state of
ControllerManagerConfig
properties:
foo:
description: Foo is an example field of ControllerManagerConfig. Edit
controllermanagerconfig_types.go to remove/update
type: string
type: object
status:
description: ControllerManagerConfigStatus defines the observed state
of ControllerManagerConfig
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

24
charts/spire-nested/.helmignore
View File

@ -1,24 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
ci/

116
charts/spire-nested/Chart.yaml
View File

@ -1,116 +0,0 @@
apiVersion: v2
name: spire-nested
description: >
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
type: application
version: 0.26.1
appVersion: "1.12.4"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
- https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
maintainers:
- name: marcofranssen
email: marco.franssen@gmail.com
url: https://marcofranssen.nl
- name: kfox1111
email: Kevin.Fox@pnnl.gov
- name: faisal-memon
email: fymemon@yahoo.com
kubeVersion: ">=1.21.0-0"
dependencies:
- name: spire-lib
repository: file://../spire/charts/spire-lib
version: 0.1.0
- name: spire-server
alias: root-spire-server
condition: root-spire-server.enabled
tags:
- nestedRoot
repository: file://../spire/charts/spire-server
version: 0.1.0
- name: spire-server
alias: external-root-spire-server-full
condition: external-root-spire-server-full.enabled
tags:
- nestedChildFull
repository: file://../spire/charts/spire-server
version: 0.1.0
- name: spire-server
alias: external-root-spire-server-security
condition: external-root-spire-server-security.enabled
tags:
- nestedChildSecurity
repository: file://../spire/charts/spire-server
version: 0.1.0
- name: spire-server
alias: internal-spire-server
condition: internal-spire-server.enabled
tags:
- nestedRoot
- nestedChildFull
repository: file://../spire/charts/spire-server
version: 0.1.0
- name: spire-server
alias: external-spire-server
condition: external-spire-server.enabled
tags:
- nestedRoot
repository: file://../spire/charts/spire-server
version: 0.1.0
- name: spire-agent
alias: downstream-spire-agent-full
condition: downstream-spire-agent-full.enabled
tags:
- nestedRoot
- nestedChildFull
repository: file://../spire/charts/spire-agent
version: 0.1.0
- name: spire-agent
alias: downstream-spire-agent-security
condition: downstream-spire-agent-security.enabled
tags:
- nestedChildSecurity
repository: file://../spire/charts/spire-agent
version: 0.1.0
- name: spire-agent
alias: upstream-spire-agent
condition: upstream-spire-agent.enabled
tags:
- nestedRoot
- nestedChildFull
repository: file://../spire/charts/spire-agent
version: 0.1.0
- name: spiffe-csi-driver
alias: downstream-spiffe-csi-driver
condition: downstream-spiffe-csi-driver.enabled
tags:
- nestedRoot
- nestedChildFull
- nestedChildSecurity
repository: file://../spire/charts/spiffe-csi-driver
version: 0.1.0
- name: spiffe-csi-driver
alias: upstream-spiffe-csi-driver
condition: upstream-spiffe-csi-driver.enabled
tags:
- nestedRoot
- nestedChildFull
repository: file://../spire/charts/spiffe-csi-driver
version: 0.1.0
- name: spiffe-oidc-discovery-provider
condition: spiffe-oidc-discovery-provider.enabled
tags:
- nestedRoot
- nestedChildFull
- nestedChildSecurity
repository: file://../spire/charts/spiffe-oidc-discovery-provider
version: 0.1.0
- name: tornjak-frontend
condition: tornjak-frontend.enabled
repository: file://../spire/charts/tornjak-frontend
version: 0.1.0
annotations:
artifacthub.io/category: security
artifacthub.io/license: Apache-2.0

201
charts/spire-nested/LICENSE
View File

@ -1,201 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

355
charts/spire-nested/README.md
View File

@ -1,355 +0,0 @@
# spire
![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.4](https://img.shields.io/badge/AppVersion-1.12.4-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
## Install Instructions
### Non Production
To do a quick install suitable for testing in something like minikube:
```shell
helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
helm upgrade --install -n spire-server spire spire-nested --repo https://spiffe.github.io/helm-charts-hardened/
```
### Production
Preparing a production deployment requires a few steps.
1. Save the following to your-values.yaml, ideally in your git repo.
```yaml
global:
openshift: false # If running on openshift, set to true
spire:
recommendations:
enabled: true
namespaces:
create: true
ingressControllerType: "" # If not openshift, and want to expose services, set to a supported option [ingress-nginx]
# Update these
clusterName: example-cluster
trustDomain: example.org
caSubject:
country: ARPA
organization: Example
commonName: example.org
```
2. If you need a non default storageClass, append the following to the spire-server section and update:
```
persistence:
storageClass: your-storage-class
```
3. If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting:
```shell
oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//'
```
4. Find any additional values you might want to set based on the documentation below or using the [examples](https://github.com/spiffe/helm-charts-hardened/tree/main/examples)
In particular, consider using an external database.
5. Deploy
```shell
helm upgrade --install -n spire-mgmt spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
helm upgrade --install -n spire-mgmt spire spire-nested --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml
```
## Clean up
```shell
helm -n spire-mgmt uninstall spire-crds
helm -n spire-mgmt uninstall spire
kubectl -n spire-server delete pvc -l app.kubernetes.io/instance=spire
kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeids.spire.spiffe.io clusterstaticentries.spire.spiffe.io
```
## Upgrade notes
We only support upgrading one major version at a time. Version skipping isn't supported.
### 0.17.X
- If you set spire-server.replicaCount > 1, update it to 1 before upgrading and after upgrade you can set it back to its previous value.
- The SPIFFE OIDC Discovery Provider now has many new TLS options and defaults to using SPIRE to issue its certificate.
- The `spiffe-oidc-discovery-provider.insecureScheme.enabled` flag was removed. If you previously set that flag, remove the setting from your values.yaml and see if the new default of using a SPIRE issued certificate is suitable for your deployment. If it isn't, please consider one of the other options under `spiffe-oidc-discovery-provider.tls`. If all other options are still unsuitable, you can still enable the previous mode by disabling TLS. (`spiffe-oidc-discovery-provider.tls.spire.enabled=false`)
- The SPIFFE OIDC Discovery Provider is now enabled by default. If you previously chose to have it off, you can disable it explicitly with `spiffe-oidc-discovery-provider.enabled=false`.
### 0.16.X
The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade.
### 0.15.X
The spire-crds chart has been updated. Please ensure you have upgraded spire-crds before upgrading the spire chart.
The chart now supports multiple parallel installs of spire-controller-manager. Each install will handle all custom resources with a matching `className` field. By default this is set to `Release.Namespace-Release.Name` and the controller manager will only pick up custom resources with this `className`.
If you have not loaded any SPIRE custom resources yourself, the upgrade process will be transparent. If you have loaded your own SPIRE custom resources, set `spire-server.controllerManager.watchClassless=true` until you can update your SPIRE custom resources to have the `className` for the instance specified.
### 0.14.X
If coming from a chart version before 0.14.0, you must relabel your crds to switch to using the new spire-crds chart. To migrate to the spire-crds chart
run the following:
Replace the spire-server namespace in the commands below with the namespace you want to install the spire-crds chart in.
```shell
kubectl label crd "clusterfederatedtrustdomains.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
kubectl label crd "clusterspiffeids.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
kubectl label crd "controllermanagerconfigs.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
helm install -n spire-server spire-crds charts/spire-crds
```
## Version support
> [!Warning]
> This Chart is still in development and still subject to change the API (`values.yaml`).
> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
> we do aim for as much stability as possible.
| Dependency | Supported Versions |
|:-----------|:-------------------|
| Helm | `3.x` |
| Kubernetes | `1.22+` |
> [!Note]
> For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden.
## FAQ
For any issues see our [FAQ](../../FAQ.md)…
## Usage
To utilize Spire in your own workloads you should add the following to your workload:
```diff
apiVersion: v1
kind: Pod
metadata:
name: my-app
spec:
containers:
- name: my-app
image: "my-app:latest"
imagePullPolicy: Always
+ volumeMounts:
+ - name: spiffe-workload-api
+ mountPath: /spiffe-workload-api
+ readOnly: true
resources:
requests:
cpu: 200m
memory: 32Mi
limits:
cpu: 500m
memory: 64Mi
+ volumes:
+ - name: spiffe-workload-api
+ csi:
+ driver: "csi.spiffe.io"
+ readOnly: true
```
Now you can interact with the Spire agent socket from your own application. The socket is mounted on `/spiffe-workload-api/spire-agent.sock`.
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| marcofranssen | <marco.franssen@gmail.com> | <https://marcofranssen.nl> |
| kfox1111 | <Kevin.Fox@pnnl.gov> | |
| faisal-memon | <fymemon@yahoo.com> | |
| edwbuck | <edwbuck@gmail.com> | |
## Source Code
* <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
## Requirements
| Repository | Name | Version |
|------------|------|---------|
| file://./charts/spiffe-csi-driver | spiffe-csi-driver | 0.1.0 |
| file://./charts/spiffe-csi-driver | upstream-spiffe-csi-driver(spiffe-csi-driver) | 0.1.0 |
| file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 |
| file://./charts/spire-agent | spire-agent | 0.1.0 |
| file://./charts/spire-agent | upstream-spire-agent(spire-agent) | 0.1.0 |
| file://./charts/spire-server | spire-server | 0.1.0 |
| file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 |
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
## Parameters
### Global parameters
| Name | Description | Value |
| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` |
| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` |
| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` |
| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` |
| `global.spire.caSubject.country` | Country for Spire server CA | `""` |
| `global.spire.caSubject.organization` | Organization for Spire server CA | `""` |
| `global.spire.caSubject.commonName` | Common Name for Spire server CA | `""` |
| `global.spire.recommendations.enabled` | Use recommended settings for production deployments. Default is off. | `false` |
| `global.spire.recommendations.namespaceLayout` | Set to true to use recommended values for installing across namespaces | `true` |
| `global.spire.recommendations.namespacePSS` | When chart namespace creation is enabled, label them with preffered Pod Security Standard labels | `true` |
| `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names | `true` |
| `global.spire.recommendations.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `true` |
| `global.spire.recommendations.securityContexts` | Set to true to use recommended values for Pod and Container Security Contexts | `true` |
| `global.spire.recommendations.prometheus` | Enable prometheus exporters for monitoring | `true` |
| `global.spire.image.registry` | Override all Spire image registries at once | `""` |
| `global.spire.namespaces.create` | Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created. | `false` |
| `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` |
| `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` |
| `global.spire.namespaces.system.annotations` | Annotations to apply to the Spire system Namespace. | `{}` |
| `global.spire.namespaces.system.labels` | Labels to apply to the Spire system Namespace. | `{}` |
| `global.spire.namespaces.server.name` | Name of the Spire server Namespace. | `spire-server` |
| `global.spire.namespaces.server.create` | Create a Namespace for Spire server resources. | `false` |
| `global.spire.namespaces.server.annotations` | Annotations to apply to the Spire server Namespace. | `{}` |
| `global.spire.namespaces.server.labels` | Labels to apply to the Spire server Namespace. | `{}` |
| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` |
| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
| `global.spire.tools.kubectl.tag` | Set to force the tag to use for all kubectl instances | `""` |
| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |
| `tags.nestedRoot` | Set the chart architecture to root nested | `false` |
| `tags.nestedChildFull` | Set the chart mode to a child cluster with its own nested server | `false` |
| `tags.nestedChildSecurity` | Set the chart mode to a child cluster for use with a security cluster | `false` |
### Spire agent parameters
| Name | Description | Value |
| -------------------------------------------------- | -------------------------------------------------------------- | ------------------------------------- |
| `downstream-spire-agent-full.nameOverride` | Overrides the name of Spire agent pods | `agent-downstream` |
| `downstream-spire-agent-full.server.nameOverride` | The name override setting of the internal SPIRE server | `internal-server` |
| `downstream-spire-agent-full.bundleConfigMap` | The name of the configmap that contains the downstream bundle | `spire-bundle-downstream` |
| `downstream-spire-agent-full.persistence.hostPath` | Which path to use on the host when persistence.type = hostPath | `/var/lib/spire/k8s/downstream-agent` |
### Spire agent parameters
| Name | Description | Value |
| ------------------------------------------------------ | -------------------------------------------------------------- | ------------------------------------- |
| `downstream-spire-agent-security.nameOverride` | Overrides the name of Spire agent pods | `agent-downstream` |
| `downstream-spire-agent-security.bundleConfigMap` | The name of the configmap that contains the downstream bundle | `spire-bundle-upstream` |
| `downstream-spire-agent-security.serviceAccount.name` | The name of the service account to use | `spire-agent-upstream` |
| `downstream-spire-agent-security.persistence.hostPath` | Which path to use on the host when persistence.type = hostPath | `/var/lib/spire/k8s/downstream-agent` |
### Upstream Spire agent parameters
| Name | Description | Value |
| ------------------------------------------------ | -------------------------------------------------------------- | ---------------------------------------------------- |
| `upstream-spire-agent.upstream` | Flag for enabling upstream Spire agent | `true` |
| `upstream-spire-agent.nameOverride` | Name override for upstream Spire agent | `agent-upstream` |
| `upstream-spire-agent.bundleConfigMap` | The configmap name for upstream Spire agent bundle | `spire-bundle-upstream` |
| `upstream-spire-agent.socketPath` | Socket path where Spire agent socket is mounted | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
| `upstream-spire-agent.serviceAccount.name` | Service account name for upstream Spire agent | `spire-agent-upstream` |
| `upstream-spire-agent.healthChecks.port` | Health check port number for upstream Spire agent | `9981` |
| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available | `9989` |
| `upstream-spire-agent.server.nameOverride` | The name override setting of the root SPIRE server | `root-server` |
| `upstream-spire-agent.persistence.hostPath` | Which path to use on the host when persistence.type = hostPath | `/var/lib/spire/k8s/upstream-agent` |
### SPIFFE CSI Driver parameters
| Name | Description | Value |
| ----------------------------------------------- | ----------------- | ------------------------------ |
| `downstream-spiffe-csi-driver.fullnameOverride` | Fullname override | `spiffe-csi-driver-downstream` |
### Upstream SPIFFE CSI Driver parameters
| Name | Description | Value |
| ---------------------------------------------- | ----------------------------------------------------------- | ---------------------------------------------------- |
| `upstream-spiffe-csi-driver.fullnameOverride` | Fullname override | `spiffe-csi-driver-upstream` |
| `upstream-spiffe-csi-driver.pluginName` | The plugin name for configuring upstream Spiffe CSI driver | `upstream.csi.spiffe.io` |
| `upstream-spiffe-csi-driver.agentSocketPath` | The socket path where Spiffe CSI driver mounts agent socket | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
| `upstream-spiffe-csi-driver.healthChecks.port` | The port where Spiffe CSI driver health checks are exposed | `9810` |
### SPIFFE oidc discovery provider parameters
| Name | Description | Value |
| ------------------------------------------------- | ----------------- | -------------------------------- |
| `spiffe-oidc-discovery-provider.fullnameOverride` | Fullname override | `spiffe-oidc-discovery-provider` |
### Tornjak frontend parameters
| Name | Description | Value |
| --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
| `tornjak-frontend.enabled` | Enables deployment of Tornjak frontend/UI (Not for production) | `false` |
| `root-spire-server.nameOverride` | Name override | `root-server` |
| `root-spire-server.crNameOverride` | Custom Resource name override | `root` |
| `root-spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` |
| `root-spire-server.controllerManager.externalControllerManagers.enabled` | Flag to enable external controller managers | `true` |
| `root-spire-server.controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another instance on the k8s cluster with webhooks enabled. | `false` |
| `root-spire-server.controllerManager.className` | specify to use an explicit class name. | `spire-mgmt-root-server` |
| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled` | Enable child servers | `true` |
| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable the default cluster spiffe id | `false` |
| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the test-keys identity | `false` |
| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable the test-keys identity | `false` |
| `root-spire-server.externalControllerManagers.enabled` | Flag to enable external controller managers | `true` |
| `root-spire-server.nodeAttestor.k8sPSAT.serviceAccountAllowList` | Allowed service accounts for PSAT nodeattestor | `[]` |
| `root-spire-server.bundleConfigMap` | The name of the configmap to store the upstream bundle | `spire-bundle-upstream` |
| `external-root-spire-server-full.externalServer` | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true` |
| `external-root-spire-server-full.nameOverride` | Name override | `root-server` |
| `external-root-spire-server-full.crNameOverride` | Custom Resource name override | `root` |
| `external-root-spire-server-full.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` |
| `external-root-spire-server-full.controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another instance on the k8s cluster with webhooks enabled. | `false` |
| `external-root-spire-server-full.controllerManager.className` | specify to use an explicit class name. | `spire-mgmt-external-server` |
| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled` | Enable child servers | `true` |
| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable the default cluster spiffe id | `false` |
| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the test-keys identity | `false` |
| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable the test-keys identity | `false` |
| `external-root-spire-server-full.nodeAttestor.k8sPSAT.serviceAccountAllowList` | Allowed service accounts for PSAT nodeattestor | `[]` |
| `external-root-spire-server-full.bundleConfigMap` | The name of the configmap to store the upstream bundle | `spire-bundle-upstream` |
| `external-root-spire-server-security.externalServer` | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true` |
| `external-root-spire-server-security.nameOverride` | Name override | `root-server` |
| `external-root-spire-server-security.crNameOverride` | Custom Resource name override | `root` |
| `external-root-spire-server-security.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` |
| `external-root-spire-server-security.controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another instance on the k8s cluster with webhooks enabled. | `false` |
| `external-root-spire-server-security.controllerManager.className` | specify to use an explicit class name. | `spire-mgmt-external-server` |
| `external-root-spire-server-security.nodeAttestor.k8sPSAT.serviceAccountAllowList` | Allowed service accounts for PSAT nodeattestor | `[]` |
| `external-root-spire-server-security.bundleConfigMap` | The name of the configmap to store the upstream bundle | `spire-bundle-upstream` |
### Spire server parameters
| Name | Description | Value |
| ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------- | ---------------------------- |
| `internal-spire-server.nameOverride` | Overrides the name of Spire server pods | `internal-server` |
| `internal-spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` |
| `internal-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames` | Auto populate dns entries | `false` |
| `internal-spire-server.externalControllerManagers.enabled` | Flag to enable external controller managers | `true` |
| `internal-spire-server.upstreamAuthority.spire.enabled` | Enable upstream SPIRE server | `true` |
| `internal-spire-server.upstreamAuthority.spire.upstreamDriver` | Use an upstream driver for authentication | `upstream.csi.spiffe.io` |
| `internal-spire-server.upstreamAuthority.spire.server.nameOverride` | The name override setting of the root SPIRE server | `root-server` |
| `internal-spire-server.bundleConfigMap` | The name of the configmap to store the downstream bundle | `spire-bundle-downstream` |
| `external-spire-server.nameOverride` | Overrides the name of Spire server pods | `external-server` |
| `external-spire-server.crNameOverride` | Custom Resource name override | `external` |
| `external-spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` |
| `external-spire-server.controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another instance on the k8s cluster with webhooks enabled. | `false` |
| `external-spire-server.controllerManager.className` | specify to use an explicit class name. | `spire-mgmt-external-server` |
| `external-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable the default identity | `false` |
| `external-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the oidc-discovery-provider identity | `false` |
| `external-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable the test-keys identity | `false` |
| `external-spire-server.externalControllerManagers.enabled` | Flag to enable external controller managers | `true` |
| `external-spire-server.upstreamAuthority.spire.enabled` | Enable upstream SPIRE server | `true` |
| `external-spire-server.upstreamAuthority.spire.upstreamDriver` | Use an upstream driver for authentication | `upstream.csi.spiffe.io` |
| `external-spire-server.upstreamAuthority.spire.server.nameOverride` | The name override setting of the root SPIRE server | `root-server` |
| `external-spire-server.bundlePublisher.k8sConfigMap.enabled` | Enable local k8s bundle uploader | `false` |
| `external-spire-server.nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s nodeattestor | `false` |
| `external-spire-server.nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `true` |

3
charts/spire-nested/templates/namespaces.yaml
View File

@ -1,3 +0,0 @@
{{- include "spire-lib.namespace.system" . }}
---
{{- include "spire-lib.namespace.server" . }}

397
charts/spire-nested/values.yaml
View File

@ -1,397 +0,0 @@
# Default configuration for Spire chart
# SPDX-License-Identifier: APACHE-2.0
## @section Global parameters
## Note: the parameter values specified here will override the chart level values for these parameters.
##
global:
k8s:
## @param global.k8s.clusterDomain Cluster domain name configured for Spire install
clusterDomain: cluster.local
spire:
## @param global.spire.clusterName The name of the k8s cluster for Spire install
clusterName: example-cluster
## @param global.spire.jwtIssuer The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset
jwtIssuer: ""
## @param global.spire.trustDomain The trust domain for Spire install
trustDomain: example.org
## @param global.spire.caSubject.country Country for Spire server CA
## @param global.spire.caSubject.organization Organization for Spire server CA
## @param global.spire.caSubject.commonName Common Name for Spire server CA
caSubject:
country: ""
organization: ""
commonName: ""
## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off.
## @param global.spire.recommendations.namespaceLayout Set to true to use recommended values for installing across namespaces
## @param global.spire.recommendations.namespacePSS When chart namespace creation is enabled, label them with preffered Pod Security Standard labels
## @param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names
## @param global.spire.recommendations.strictMode Check values, such as trustDomain, are overridden with a suitable value for production.
## @param global.spire.recommendations.securityContexts Set to true to use recommended values for Pod and Container Security Contexts
## @param global.spire.recommendations.prometheus Enable prometheus exporters for monitoring
recommendations:
enabled: false
namespaceLayout: true
namespacePSS: true
priorityClassName: true
strictMode: true
securityContexts: true
prometheus: true
image:
## @param global.spire.image.registry Override all Spire image registries at once
registry: ""
namespaces:
## @param global.spire.namespaces.create Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created.
create: false
system:
## @param global.spire.namespaces.system.name Name of the Spire system Namespace.
name: "spire-system"
## @param global.spire.namespaces.system.create Create a Namespace for Spire system resources.
create: false
## @param global.spire.namespaces.system.annotations [object] Annotations to apply to the Spire system Namespace.
annotations: {}
## @param global.spire.namespaces.system.labels [object] Labels to apply to the Spire system Namespace.
labels: {}
server:
## @param global.spire.namespaces.server.name Name of the Spire server Namespace.
name: "spire-server"
## @param global.spire.namespaces.server.create Create a Namespace for Spire server resources.
create: false
## @param global.spire.namespaces.server.annotations [object] Annotations to apply to the Spire server Namespace.
annotations: {}
## @param global.spire.namespaces.server.labels [object] Labels to apply to the Spire server Namespace.
labels: {}
## @param global.spire.strictMode Check values, such as trustDomain, are overridden with a suitable value for production.
strictMode: false
## @param global.spire.ingressControllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
ingressControllerType: ""
tools:
kubectl:
## @param global.spire.tools.kubectl.tag Set to force the tag to use for all kubectl instances
tag: ""
installAndUpgradeHooks:
## @param global.installAndUpgradeHooks.enabled Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`)
enabled: true
deleteHooks:
## @param global.deleteHooks.enabled Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)
enabled: true
# telemetry:
# prometheus:
# enabled: true
# podMonitor:
# enabled: true
# # -- Allows to install the PodMonitor in another namespace then the spire components are installed into.
# namespace: "kube-prometheus-system"
# labels: {}
tags:
## @param tags.nestedRoot Set the chart architecture to root nested
nestedRoot: false
## @param tags.nestedChildFull Set the chart mode to a child cluster with its own nested server
nestedChildFull: false
## @param tags.nestedChildSecurity Set the chart mode to a child cluster for use with a security cluster
nestedChildSecurity: false
## subcharts
## @section Spire agent parameters
## Parameter values for Spire agent
##
# Used with tags [nestedRoot, nestedChildFull]
downstream-spire-agent-full:
# enabled: true
## @param downstream-spire-agent-full.nameOverride Overrides the name of Spire agent pods
nameOverride: agent-downstream
server:
## @param downstream-spire-agent-full.server.nameOverride The name override setting of the internal SPIRE server
nameOverride: internal-server
## @param downstream-spire-agent-full.bundleConfigMap The name of the configmap that contains the downstream bundle
bundleConfigMap: spire-bundle-downstream
## @param downstream-spire-agent-full.persistence.hostPath Which path to use on the host when persistence.type = hostPath
persistence:
hostPath: /var/lib/spire/k8s/downstream-agent
## @section Spire agent parameters
## Parameter values for Spire agent
##
# Used with tags [nestedChildSecurity]
downstream-spire-agent-security:
# enabled: true
## @param downstream-spire-agent-security.nameOverride Overrides the name of Spire agent pods
nameOverride: agent-downstream
## @param downstream-spire-agent-security.bundleConfigMap The name of the configmap that contains the downstream bundle
bundleConfigMap: spire-bundle-upstream
serviceAccount:
## @param downstream-spire-agent-security.serviceAccount.name The name of the service account to use
name: spire-agent-upstream
## @param downstream-spire-agent-security.persistence.hostPath Which path to use on the host when persistence.type = hostPath
persistence:
hostPath: /var/lib/spire/k8s/downstream-agent
## @section Upstream Spire agent parameters
## Parameter values for upstream Spire agent
##
# Used with tags [nestedRoot, nestedChildFull]
upstream-spire-agent:
# enabled: true
## @param upstream-spire-agent.upstream Flag for enabling upstream Spire agent
upstream: true
## @param upstream-spire-agent.nameOverride Name override for upstream Spire agent
nameOverride: agent-upstream
## @param upstream-spire-agent.bundleConfigMap The configmap name for upstream Spire agent bundle
bundleConfigMap: spire-bundle-upstream
## @param upstream-spire-agent.socketPath Socket path where Spire agent socket is mounted
socketPath: /run/spire/agent-sockets-upstream/spire-agent.sock
serviceAccount:
## @param upstream-spire-agent.serviceAccount.name Service account name for upstream Spire agent
name: spire-agent-upstream
healthChecks:
## @param upstream-spire-agent.healthChecks.port Health check port number for upstream Spire agent
port: 9981
telemetry:
prometheus:
## @param upstream-spire-agent.telemetry.prometheus.port The port where prometheus metrics are available
port: 9989
server:
## @param upstream-spire-agent.server.nameOverride The name override setting of the root SPIRE server
nameOverride: root-server
## @param upstream-spire-agent.persistence.hostPath Which path to use on the host when persistence.type = hostPath
persistence:
hostPath: /var/lib/spire/k8s/upstream-agent
## @section SPIFFE CSI Driver parameters
## Parameter values for spiffe-csi-driver
##
# Used with tags [nestedRoot, nestedChildFull, nestedChildSecurity]
downstream-spiffe-csi-driver:
# enabled: true
## @param downstream-spiffe-csi-driver.fullnameOverride Fullname override
fullnameOverride: spiffe-csi-driver-downstream
## @section Upstream SPIFFE CSI Driver parameters
## Parameter values for upstream spiffe-csi-driver
##
# Used with tags [nestedRoot, nestedChildFull]
upstream-spiffe-csi-driver:
# enabled: true
## @param upstream-spiffe-csi-driver.fullnameOverride Fullname override
fullnameOverride: spiffe-csi-driver-upstream
## @param upstream-spiffe-csi-driver.pluginName The plugin name for configuring upstream Spiffe CSI driver
pluginName: upstream.csi.spiffe.io
## @param upstream-spiffe-csi-driver.agentSocketPath The socket path where Spiffe CSI driver mounts agent socket
agentSocketPath: /run/spire/agent-sockets-upstream/spire-agent.sock
healthChecks:
## @param upstream-spiffe-csi-driver.healthChecks.port The port where Spiffe CSI driver health checks are exposed
port: 9810
## @section SPIFFE oidc discovery provider parameters
## Parameter values for spiffe-oidc-discovery-provider
##
# Used with tags [nestedRoot, nestedChildFull, nestedChildSecurity]
spiffe-oidc-discovery-provider:
# enabled: true
## @param spiffe-oidc-discovery-provider.fullnameOverride Fullname override
fullnameOverride: spiffe-oidc-discovery-provider
## @section Tornjak frontend parameters
## Parameter values for Tornjak frontend
##
tornjak-frontend:
## @param tornjak-frontend.enabled Enables deployment of Tornjak frontend/UI (Not for production)
enabled: false
# Used with tags [nestedRoot]
root-spire-server:
# enabled: true
## @param root-spire-server.nameOverride Name override
nameOverride: root-server
## @param root-spire-server.crNameOverride Custom Resource name override
crNameOverride: root
controllerManager:
## @param root-spire-server.controllerManager.enabled Enable controller manager and provision CRD's
enabled: true
externalControllerManagers:
## @param root-spire-server.controllerManager.externalControllerManagers.enabled Flag to enable external controller managers
enabled: true
validatingWebhookConfiguration:
## @param root-spire-server.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
enabled: false
## @param root-spire-server.controllerManager.className specify to use an explicit class name.
className: spire-mgmt-root-server
identities:
clusterSPIFFEIDs:
child-servers:
## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable child servers
enabled: true
default:
## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable the default cluster spiffe id
enabled: false
oidc-discovery-provider:
## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable the test-keys identity
enabled: false
test-keys:
## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
enabled: false
externalControllerManagers:
## @param root-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
enabled: true
nodeAttestor:
k8sPSAT:
## @param root-spire-server.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
serviceAccountAllowList:
- spire-agent-upstream
## @param root-spire-server.bundleConfigMap The name of the configmap to store the upstream bundle
bundleConfigMap: spire-bundle-upstream
# Used with tags [nestedChildFull]
external-root-spire-server-full:
## @param external-root-spire-server-full.externalServer Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers.
externalServer: true
## @param external-root-spire-server-full.nameOverride Name override
nameOverride: root-server
## @param external-root-spire-server-full.crNameOverride Custom Resource name override
crNameOverride: root
controllerManager:
## @param external-root-spire-server-full.controllerManager.enabled Enable controller manager and provision CRD's
enabled: true
validatingWebhookConfiguration:
## @param external-root-spire-server-full.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
enabled: false
## @param external-root-spire-server-full.controllerManager.className specify to use an explicit class name.
className: spire-mgmt-external-server
identities:
clusterSPIFFEIDs:
child-servers:
## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable child servers
enabled: true
default:
## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable the default cluster spiffe id
enabled: false
oidc-discovery-provider:
## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable the test-keys identity
enabled: false
test-keys:
## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
enabled: false
nodeAttestor:
k8sPSAT:
## @param external-root-spire-server-full.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
serviceAccountAllowList:
- spire-agent-upstream
## @param external-root-spire-server-full.bundleConfigMap The name of the configmap to store the upstream bundle
bundleConfigMap: spire-bundle-upstream
# Used with tags [nestedChildSecurity]
external-root-spire-server-security:
## @param external-root-spire-server-security.externalServer Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers.
externalServer: true
## @param external-root-spire-server-security.nameOverride Name override
nameOverride: root-server
## @param external-root-spire-server-security.crNameOverride Custom Resource name override
crNameOverride: root
controllerManager:
## @param external-root-spire-server-security.controllerManager.enabled Enable controller manager and provision CRD's
enabled: true
validatingWebhookConfiguration:
## @param external-root-spire-server-security.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
enabled: false
## @param external-root-spire-server-security.controllerManager.className specify to use an explicit class name.
className: spire-mgmt-external-server
nodeAttestor:
k8sPSAT:
## @param external-root-spire-server-security.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
serviceAccountAllowList:
- spire-agent-upstream
## @param external-root-spire-server-security.bundleConfigMap The name of the configmap to store the upstream bundle
bundleConfigMap: spire-bundle-upstream
## @section Spire server parameters
## Parameter values for Spire server
##
# Used with tags [nestedRoot, nestedChildFull]
internal-spire-server:
# enabled: true
## @param internal-spire-server.nameOverride Overrides the name of Spire server pods
nameOverride: internal-server
controllerManager:
## @param internal-spire-server.controllerManager.enabled Enable controller manager and provision CRD's
enabled: true
identities:
clusterSPIFFEIDs:
oidc-discovery-provider:
## @param internal-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames Auto populate dns entries
autoPopulateDNSNames: false
externalControllerManagers:
## @param internal-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
enabled: true
upstreamAuthority:
spire:
## @param internal-spire-server.upstreamAuthority.spire.enabled Enable upstream SPIRE server
enabled: true
## @param internal-spire-server.upstreamAuthority.spire.upstreamDriver Use an upstream driver for authentication
upstreamDriver: upstream.csi.spiffe.io
server:
## @param internal-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server
nameOverride: root-server
## @param internal-spire-server.bundleConfigMap The name of the configmap to store the downstream bundle
bundleConfigMap: spire-bundle-downstream
# Used with tags [nestedRoot]
external-spire-server:
# enabled: true
## @param external-spire-server.nameOverride Overrides the name of Spire server pods
nameOverride: external-server
## @param external-spire-server.crNameOverride Custom Resource name override
crNameOverride: external
controllerManager:
## @param external-spire-server.controllerManager.enabled Enable controller manager and provision CRD's
enabled: true
validatingWebhookConfiguration:
## @param external-spire-server.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
enabled: false
## @param external-spire-server.controllerManager.className specify to use an explicit class name.
className: spire-mgmt-external-server
identities:
clusterSPIFFEIDs:
default:
## @param external-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable the default identity
enabled: false
oidc-discovery-provider:
## @param external-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable the oidc-discovery-provider identity
enabled: false
test-keys:
## @param external-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
enabled: false
externalControllerManagers:
## @param external-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
enabled: true
upstreamAuthority:
spire:
## @param external-spire-server.upstreamAuthority.spire.enabled Enable upstream SPIRE server
enabled: true
## @param external-spire-server.upstreamAuthority.spire.upstreamDriver Use an upstream driver for authentication
upstreamDriver: upstream.csi.spiffe.io
server:
## @param external-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server
nameOverride: root-server
bundlePublisher:
k8sConfigMap:
## @param external-spire-server.bundlePublisher.k8sConfigMap.enabled Enable local k8s bundle uploader
enabled: false
nodeAttestor:
k8sPSAT:
## @param external-spire-server.nodeAttestor.k8sPSAT.enabled Enable PSAT k8s nodeattestor
enabled: false
joinToken:
## @param external-spire-server.nodeAttestor.joinToken.enabled Enable the join_token nodeattestor
enabled: true

23
charts/spire/Chart.yaml
View File

@ -3,12 +3,12 @@ name: spire
description: >
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
type: application
version: 0.26.1
appVersion: "1.12.4"
version: 0.15.1
appVersion: "1.8.4"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
sources:
- https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
- https://github.com/spiffe/helm-charts/tree/main/charts/spire
icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
maintainers:
- name: marcofranssen
@ -22,9 +22,6 @@ maintainers:
email: edwbuck@gmail.com
kubeVersion: ">=1.21.0-0"
dependencies:
- name: spire-lib
repository: file://./charts/spire-lib
version: 0.1.0
- name: spire-server
condition: spire-server.enabled
repository: file://./charts/spire-server
@ -55,18 +52,6 @@ dependencies:
condition: tornjak-frontend.enabled
repository: file://./charts/tornjak-frontend
version: 0.1.0
- name: spike-keeper
condition: spike-keeper.enabled
repository: file://./charts/spike-keeper
version: 0.1.0
- name: spike-nexus
condition: spike-nexus.enabled
repository: file://./charts/spike-nexus
version: 0.1.0
- name: spike-pilot
condition: spike-pilot.enabled
repository: file://./charts/spike-pilot
version: 0.1.0
annotations:
artifacthub.io/category: security
artifacthub.io/license: Apache-2.0

255
charts/spire/README.md
View File

@ -1,164 +1,37 @@
# spire
![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.4](https://img.shields.io/badge/AppVersion-1.12.4-informational?style=flat-square)
![Version: 0.15.1](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
**Homepage:** <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
## Install Instructions
## Install notes
### Non Production
To do a quick install suitable for testing in something like minikube:
To do a quick non production install suitable for quick testing in something like minikube:
```shell
helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/
helm install -n spire-server spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
helm install -n spire-server spire --repo https://spiffe.github.io/helm-charts-hardened/
```
### Production
Preparing a production deployment requires a few steps.
1. Save the following to your-values.yaml, ideally in your git repo.
```yaml
global:
openshift: false # If running on openshift, set to true
spire:
recommendations:
enabled: true
namespaces:
create: true
ingressControllerType: "" # If not openshift, and want to expose services, set to a supported option [ingress-nginx]
# Update these
clusterName: example-cluster
trustDomain: example.org
caSubject:
country: ARPA
organization: Example
commonName: example.org
```
2. If you need a non default storageClass, append the following to the global.spire section and update:
```
persistence:
storageClass: your-storage-class
```
3. If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting:
To customize, start with a base values file and edit as needed:
```shell
oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//'
curl -o your-values.yaml https://raw.githubusercontent.com/spiffe/helm-charts-hardened/main/examples/production/example-your-values.yaml
```
4. Find any additional values you might want to set based on the documentation below or using the [examples](https://github.com/spiffe/helm-charts-hardened/tree/main/examples)
In particular, consider using an external database.
5. Deploy
Then:
```shell
helm upgrade --install -n spire-mgmt spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
helm upgrade --install -n spire-mgmt spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml
helm install -n spire-server spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml
```
## Clean up
```shell
helm -n spire-mgmt uninstall spire-crds
helm -n spire-mgmt uninstall spire
kubectl -n spire-server delete pvc -l app.kubernetes.io/instance=spire
kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeids.spire.spiffe.io clusterstaticentries.spire.spiffe.io
```
For production installs, please see [the production example](https://github.com/spiffe/helm-charts-hardened/tree/main/examples/production).
## Upgrade notes
We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see <https://spiffe.io/docs/latest/spire-helm-charts-hardened-about/upgrading/> for details.
### 0.26.X
- The notifier.k8sBundle plugin has been deprecated in favor of bundlePublisher.k8sConfigMap. The only features it does not provide are the settings `apiServiceLabel` and `webhookLabel`. If you are using either of these two features, set the chart to use the notifier.k8sBundle plugin again, and let us know. We don't think anyone is using these features.
- The default trust bundle format has been changed to `spiffe`. This switch should be transparent unless you ware fetching the bundle from the configmap manually, or have a nested setup and dont upgrade the root, then child clusters in short order.
### 0.24.X
- You must upgrade [spire-crds](https://artifacthub.io/packages/helm/spiffe/spire-crds) to 0.5.0+ before performing this upgrade.
- SPIRE changed the default in 1.11.0 from `spire-agent.workloadAttestors.k8s.useNewContainerLocator=false` to `spire-agent.workloadAttestors.k8s.useNewContainerLocator=true`
- In order to make it easier to target specific SPIFFE IDs to workloads, a fallback feature was added to ClusterSPIFFEIDs so that a default ID will only apply when no others do. To change back to the previous behavior, use `spire-server.controllerManager.identities.clusterSPIFFEIDs.default.fallback=false`. The new default is unlikely to need changes.
- We now set a hint of the ClusterSPIFFEID name on each entry created by default. This can be undone by setting the `hint=""` property on the ClusterSPIFFEID. The new default is unlikely to need changes.
- We have added the remaining options needed for the SPIRE Server SQL data store plugin as native values. We have removed `spire-server.dataStore.sql.plugin_data` section as it is no longer needed. If you are using it, please migrate your settings to the ones under `spire-server.dataStore.sql`.
- For users of `spire-server.upstreamAuthority.certManager`, a bug was discovered with templates not honoring `global.spire.caSubject.*`. It has been fixed, but may change values if you are not careful. Please double check the new settings are what you need them to be before completing the upgrade.
- Lastly, as we approach 1.0.0, we would like to ensure all the values follow the same convention. We have made a bunch of minor changes to the values in this version to make sure they are all camel cased and properly capitalized. If you are upgrading from a previous version, please look though this list carefully to see if a value you are using is impacted:
- `spire-server.federation.bundleEndpoint.refresh_hint` -> `spire-server.federation.bundleEndpoint.refreshHint`
- `spire-server.nodeAttestor.k8sPsat` -> `spire-server.nodeAttestor.k8sPSAT`
- `spire-server.nodeAttestor.externalK8sPsat` -> `spire-server.nodeAttestor.ExternalK8sPSAT`
- `spire-server.notifier.k8sbundle` -> `spire-server.notifier.k8sBundle`
- `spire-server.ca_subject` -> `spire-server.caSubject`
- `spire-server.ca_subject.common_name -> `spire-server.caSubject.commonName`
- `spire-server.upstreamAuthority.certManager.issuer_name` -> `spire-server.upstreamAuthority.certManager.issuerName`
- `spire-server.upstreamAuthority.certManager.issuer_kind` -> `spire-server.upstreamAuthority.certManager.issuerKind`
- `spire-server.upstreamAuthority.certManager.issuer_group` -> `spire-server.upstreamAuthority.certManager.issuerGroup`
- `spire-server.upstreamAuthority.certManager.kube_config_file` -> `spire-server.upstreamAuthority.certManager.kubeConfigFile`
- `spire-agent.sds.defaultSvidName` -> `spire-agent.sds.defaultSVIDName`
- `spire-agent.sds.disableSpiffeCertValidation` -> `spire-agent.sds.disableSPIFFECertValidation`
- `spire-agent.sds.defaultSvidName` -> `spire-agent.sds.defaultSVIDName`
- `spire-agent.nodeAttestor.k8sPsat` -> `spire-agent.nodeAttestor.k8sPSAT`
### 0.23.X
In previous versions, the setting spire-agent.workloadAttestors.k8s.skipKubeletVerification was set to true by default. Starting in 0.23.x, we removed that setting and replaced it with
spire-agent.workloadAttestors.k8s.verification.type. It defaults to "skip" which will have the same behavior as before. In a future version, it will be set to "auto". Please try
setting it to this with your deployment and let us know if you run into any problems so we can fix it before we change the default for everyone.
### 0.21.X
- In previous versions, spire-server.upstreamAuthority.certManager.issuer_name would incorrectly have '-ca' appended. Starting with this version, that is no longer the case. If you previously set this
value, you likely want to update your value to include the '-ca' suffix in the value to have your deployment continue to function properly.
- The default value of spire-server.controllerManager.entryIDPrefixCleanup changed from "" to false. Prior to this release upgrades cleaned up old entries in the database. After upgrading to 0.21.X, manual entries will not be overridden by the spire-controller-manager. Skipping over chart releases (unsupported), requires manual setting of this value to "" to trigger the cleanup.
### 0.20.X
- The default service port for the spire-server was changed to be port 443 to allow easier switching between internal access and external access through an ingress controller. For most users, this will be a transparent
change.
- This release configures the entries managed by the spire-controller-manager to move into their own managed space within SPIRE. This should be transparent. In a future release, we will
disable cleanup by default of the old space. This release lays the groundwork for future support for manually created entries in the SPIRE database without the spire-controller-manager
destroying them. It is supported in this release by manually setting spire-server.controllerManager.entryIDPrefixCleanup=false after successfully upgrading to the chart without the
setting and waiting for a spire-controller-manager sync.
### 0.19.X
- The spire-agent daemonset gained a new label. For those disabling the upgrade hooks, you need to delete the spire-agent daemonset before issuing the helm upgrade.
### 0.18.X
- SPIRE no longer emits x509UniqueIdentifiers in x509-SVIDS by default. The old behavior can be reenabled with spire-server.credentialComposer.uniqueID.enabled=true. See <https://github.com/spiffe/spire/pull/4862> for details.
- SPIRE agents will now automatically reattest when they can. The old behavior can be reenabled with spire-agent.disableReattestToRenew=true. See <https://github.com/spiffe/spire/pull/4791> for details.
### 0.17.X
- If you set spire-server.replicaCount > 1, update it to 1 before upgrading and after upgrade you can set it back to its previous value.
- The SPIFFE OIDC Discovery Provider now has many new TLS options and defaults to using SPIRE to issue its certificate.
- The `spiffe-oidc-discovery-provider.insecureScheme.enabled` flag was removed. If you previously set that flag, remove the setting from your values.yaml and see if the new default of using a SPIRE issued certificate is suitable for your deployment. If it isn't, please consider one of the other options under `spiffe-oidc-discovery-provider.tls`. If all other options are still unsuitable, you can still enable the previous mode by disabling TLS. (`spiffe-oidc-discovery-provider.tls.spire.enabled=false`)
- The SPIFFE OIDC Discovery Provider is now enabled by default. If you previously chose to have it off, you can disable it explicitly with `spiffe-oidc-discovery-provider.enabled=false`.
### 0.16.X
The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade.
### 0.15.X
The spire-crds chart has been updated. Please ensure you have upgraded spire-crds before upgrading the spire chart.
@ -251,7 +124,7 @@ Now you can interact with the Spire agent socket from your own application. The
## Source Code
* <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
* <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
## Requirements
@ -271,52 +144,27 @@ Now you can interact with the Spire agent socket from your own application. The
### Global parameters
| Name | Description | Value |
| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` |
| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` |
| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` |
| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` |
| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` |
| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` |
| `global.spire.caSubject.country` | Country for Spire server CA | `""` |
| `global.spire.caSubject.organization` | Organization for Spire server CA | `""` |
| `global.spire.caSubject.commonName` | Common Name for Spire server CA | `""` |
| `global.spire.persistence.storageClass` | What storage class to use for persistence | `nil` |
| `global.spire.recommendations.enabled` | Use recommended settings for production deployments. Default is off. | `false` |
| `global.spire.recommendations.namespaceLayout` | Set to true to use recommended values for installing across namespaces | `true` |
| `global.spire.recommendations.namespacePSS` | When chart namespace creation is enabled, label them with preffered Pod Security Standard labels | `true` |
| `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names | `true` |
| `global.spire.recommendations.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `true` |
| `global.spire.recommendations.securityContexts` | Set to true to use recommended values for Pod and Container Security Contexts | `true` |
| `global.spire.recommendations.prometheus` | Enable prometheus exporters for monitoring | `true` |
| `global.spire.image.registry` | Override all Spire image registries at once | `""` |
| `global.spire.namespaces.create` | Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created. | `false` |
| `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` |
| `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` |
| `global.spire.namespaces.system.annotations` | Annotations to apply to the Spire system Namespace. | `{}` |
| `global.spire.namespaces.system.labels` | Labels to apply to the Spire system Namespace. | `{}` |
| `global.spire.namespaces.server.name` | Name of the Spire server Namespace. | `spire-server` |
| `global.spire.namespaces.server.create` | Create a Namespace for Spire server resources. | `false` |
| `global.spire.namespaces.server.annotations` | Annotations to apply to the Spire server Namespace. | `{}` |
| `global.spire.namespaces.server.labels` | Labels to apply to the Spire server Namespace. | `{}` |
| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` |
| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
| `global.spire.tools.kubectl.tag` | Set to force the tag to use for all kubectl instances | `""` |
| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
| `global.installAndUpgradeHooks.resources` | Resource requests and limits for installAndUpgradeHooks | `{}` |
| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |
| `global.deleteHooks.resources` | Resource requests and limits for deleteHooks | `{}` |
| Name | Description | Value |
| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` |
| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` |
| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` |
| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` |
| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` |
| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` |
| `global.spire.image.registry` | Override all Spire image registries at once | `""` |
| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` |
| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |
### Spire server parameters
| Name | Description | Value |
| ------------------------------------------------- | ------------------------------------------------------------------------- | ------------- |
| `spire-server.enabled` | Flag to enable Spire server | `true` |
| `spire-server.nameOverride` | Overrides the name of Spire server pods | `server` |
| `spire-server.kind` | Run spire server as deployment/statefulset. This feature is experimental. | `statefulset` |
| `spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` |
| `spire-server.externalControllerManagers.enabled` | Enable external controller manager support | `true` |
| Name | Description | Value |
| ---------------------------------------- | --------------------------------------------- | -------- |
| `spire-server.enabled` | Flag to enable Spire server | `true` |
| `spire-server.nameOverride` | Overrides the name of Spire server pods | `server` |
| `spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` |
### Spire agent parameters
@ -333,16 +181,15 @@ Now you can interact with the Spire agent socket from your own application. The
### Upstream Spire agent parameters
| Name | Description | Value |
| ------------------------------------------------ | -------------------------------------------------------------- | ---------------------------------------------------- |
| `upstream-spire-agent.upstream` | Flag for enabling upstream Spire agent | `true` |
| `upstream-spire-agent.nameOverride` | Name override for upstream Spire agent | `agent-upstream` |
| `upstream-spire-agent.bundleConfigMap` | The configmap name for upstream Spire agent bundle | `spire-bundle-upstream` |
| `upstream-spire-agent.socketPath` | Socket path where Spire agent socket is mounted | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
| `upstream-spire-agent.serviceAccount.name` | Service account name for upstream Spire agent | `spire-agent-upstream` |
| `upstream-spire-agent.healthChecks.port` | Health check port number for upstream Spire agent | `9981` |
| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available | `9989` |
| `upstream-spire-agent.persistence.hostPath` | Which path to use on the host when persistence.type = hostPath | `/var/lib/spire/k8s/upstream-agent` |
| Name | Description | Value |
| ------------------------------------------------ | -------------------------------------------------- | ---------------------------------------------------- |
| `upstream-spire-agent.upstream` | Flag for enabling upstream Spire agent | `true` |
| `upstream-spire-agent.nameOverride` | Name override for upstream Spire agent | `agent-upstream` |
| `upstream-spire-agent.bundleConfigMap` | The configmap name for upstream Spire agent bundle | `spire-bundle-upstream` |
| `upstream-spire-agent.socketPath` | Socket path where Spire agent socket is mounted | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
| `upstream-spire-agent.serviceAccount.name` | Service account name for upstream Spire agent | `spire-agent-upstream` |
| `upstream-spire-agent.healthChecks.port` | Health check port number for upstream Spire agent | `9981` |
| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available | `9989` |
### SPIFFE CSI Driver parameters
@ -360,30 +207,12 @@ Now you can interact with the Spire agent socket from your own application. The
### SPIFFE oidc discovery provider parameters
| Name | Description | Value |
| ---------------------------------------- | ------------------------------------------------------------- | ------ |
| `spiffe-oidc-discovery-provider.enabled` | Flag to enable spiffe-oidc-discovery-provider for the cluster | `true` |
| Name | Description | Value |
| ---------------------------------------- | ------------------------------------------------------------- | ------- |
| `spiffe-oidc-discovery-provider.enabled` | Flag to enable spiffe-oidc-discovery-provider for the cluster | `false` |
### Tornjak frontend parameters
| Name | Description | Value |
| -------------------------- | -------------------------------------------------------------- | ------- |
| `tornjak-frontend.enabled` | Enables deployment of Tornjak frontend/UI (Not for production) | `false` |
### SPIKE Keeper parameters
| Name | Description | Value |
| ---------------------- | ------------------------------------------------------- | ------- |
| `spike-keeper.enabled` | Enables deployment of SPIKE Keeper (Not for production) | `false` |
### SPIKE Nexus parameters
| Name | Description | Value |
| --------------------- | ------------------------------------------------------ | ------- |
| `spike-nexus.enabled` | Enables deployment of SPIKE Nexus (Not for production) | `false` |
### SPIKE Pilot parameters
| Name | Description | Value |
| --------------------- | ------------------------------------------------------ | ------- |
| `spike-pilot.enabled` | Enables deployment of SPIKE Pilot (Not for production) | `false` |

6
charts/spire/charts/spiffe-csi-driver/Chart.yaml
View File

@ -3,11 +3,11 @@ name: spiffe-csi-driver
description: A Helm chart to install the SPIFFE CSI driver.
type: application
version: 0.1.0
appVersion: "0.2.7"
appVersion: "0.2.3"
keywords: ["spiffe", "csi-driver"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
sources:
- https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
- https://github.com/spiffe/helm-charts/tree/main/charts/spire
icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
maintainers:
- name: marcofranssen

100
charts/spire/charts/spiffe-csi-driver/README.md
View File

@ -1,10 +1,14 @@
# spiffe-csi-driver
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.7](https://img.shields.io/badge/AppVersion-0.2.7-informational?style=flat-square)
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square)
A Helm chart to install the SPIFFE CSI driver.
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
**Homepage:** <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
> [!Note]
> The recommended version is `0.2.3` to support arm64 nodes. If running with any
> prior version to `0.2.3` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`.
## Maintainers
@ -17,7 +21,7 @@ A Helm chart to install the SPIFFE CSI driver.
## Source Code
* <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
* <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
@ -25,54 +29,42 @@ A Helm chart to install the SPIFFE CSI driver.
### SPIFFE CSI Driver Chart parameters
| Name | Description | Value |
| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------- |
| `pluginName` | Set the csi driver name deployed to Kubernetes. | `csi.spiffe.io` |
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `resources` | Resource requests and limits for spiffe-csi-driver | `{}` |
| `extraEnvVars` | Extra environment variables to be added to the spiffe-csi-driver container | `[]` |
| `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` |
| `updateStrategy.type` | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete. | `RollingUpdate` |
| `updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable pods during update. Can be a number or a percentage. | `1` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
| `livenessProbe.timeoutSeconds` | Timeout value in seconds for livenessProbe | `5` |
| `imagePullSecrets` | Image pull secret details for spiffe-csi-driver | `[]` |
| `nameOverride` | Name override for spiffe-csi-driver | `""` |
| `namespaceOverride` | Namespace to install spiffe-csi-driver | `""` |
| `serverNamespaceOverride` | Override the namespace that the spire-server is installed into | `""` |
| `validatingAdmissionPolicy.enabled` | When set to auto, the validatingAdmissionPolicy will be enabled when the pluginName == "upstream.csi.spiffe.io" and k8s >= 1.30.0. Valid options are [auto, true, false] | `auto` |
| `fullnameOverride` | Full name override for spiffe-csi-driver | `""` |
| `csiDriverLabels` | Labels to apply to the CSIDriver | `{}` |
| `initContainers` | Init Containers to apply to the CSI Driver DaemonSet | `[]` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
| `podAnnotations` | Pod annotations for spiffe-csi-driver | `{}` |
| `podSecurityContext` | Security context for CSI driver pods | `{}` |
| `securityContext.readOnlyRootFilesystem` | Flag for read only root filesystem | `true` |
| `securityContext.privileged` | Flag for specifying privileged mode | `true` |
| `nodeSelector` | Node selector for CSI driver pods | `{}` |
| `tolerations` | Tolerations for CSI driver pods | `[]` |
| `affinity` | Node affinity | `{}` |
| `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
| `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` |
| `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.4` |
| `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` |
| `nodeDriverRegistrar.extraEnvVars` | Extra environment variables to be added to the nodeDriverRegistrar container | `[]` |
| `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` |
| `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` |
| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` |
| `restrictedScc.enabled` | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support | `false` |
| `restrictedScc.name` | Set the name of the restricted SCC with CSI support | `""` |
| `restrictedScc.version` | Version of the restricted SCC | `2` |
| `selinux.enabled` | Enable selinux support | `false` |
| `selinux.context` | Which selinux context to use | `container_file_t` |
| `selinux.image.registry` | The OCI registry to pull the image from | `registry.access.redhat.com` |
| `selinux.image.repository` | The repository within the registry | `ubi9` |
| `selinux.image.pullPolicy` | The image pull policy | `Always` |
| `selinux.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest` |
| Name | Description | Value |
| ---------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------------- |
| `pluginName` | Set the csi driver name deployed to Kubernetes. | `csi.spiffe.io` |
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `resources` | Resource requests and limits for spiffe-csi-driver | `{}` |
| `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
| `livenessProbe.timeoutSeconds` | Timeout value in seconds for livenessProbe | `5` |
| `imagePullSecrets` | Image pull secret details for spiffe-csi-driver | `[]` |
| `nameOverride` | Name override for spiffe-csi-driver | `""` |
| `namespaceOverride` | Namespace to install spiffe-csi-driver | `""` |
| `fullnameOverride` | Full name override for spiffe-csi-driver | `""` |
| `csiDriverLabels` | Labels to apply to the CSIDriver | `{}` |
| `initContainers` | Init Containers to apply to the CSI Driver DaemonSet | `[]` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
| `podAnnotations` | Pod annotations for spiffe-csi-driver | `{}` |
| `podSecurityContext` | Security context for CSI driver pods | `{}` |
| `securityContext.readOnlyRootFilesystem` | Flag for read only root filesystem | `true` |
| `securityContext.privileged` | Flag for specifying privileged mode | `true` |
| `nodeSelector` | Node selector for CSI driver pods | `{}` |
| `tolerations` | Tolerations for CSI driver pods | `[]` |
| `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
| `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` |
| `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.0` |
| `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` |
| `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` |
| `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` |
| `priorityClassName` | Priority class assigned to daemonset pods | `""` |
| `restrictedScc.enabled` | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support | `false` |
| `restrictedScc.name` | Set the name of the restricted SCC with CSI support | `""` |
| `restrictedScc.version` | Version of the restricted SCC | `2` |

23
charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl
View File

@ -29,29 +29,6 @@ Allow the release namespace to be overridden for multi-namespace deployments in
{{- define "spiffe-csi-driver.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
{{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }}
{{- .Values.global.spire.namespaces.system.name }}
{{- else }}
{{- printf "spire-system" }}
{{- end }}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
*/}}
{{- define "spiffe-csi-driver.server-namespace" -}}
{{- if .Values.serverNamespaceOverride -}}
{{- .Values.serverNamespaceOverride -}}
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
{{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
{{- .Values.global.spire.namespaces.server.name }}
{{- else }}
{{- printf "spire-server" }}
{{- end }}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}

52
charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml
View File

@ -9,17 +9,8 @@ spec:
selector:
matchLabels:
{{- include "spiffe-csi-driver.selectorLabels" . | nindent 6 }}
{{- with .Values.updateStrategy }}
updateStrategy:
{{- if not (has .type (list "RollingUpdate" "OnDelete")) }}
{{- fail "updateStrategy.type can only be RollingUpdate or OnDelete"}}
{{- end }}
type: {{ .type }}
{{- if eq .type "RollingUpdate" }}
rollingUpdate:
maxUnavailable: {{ .rollingUpdate.maxUnavailable }}
{{- end }}
{{- end }}
type: RollingUpdate
template:
metadata:
{{- with .Values.podAnnotations }}
@ -38,40 +29,16 @@ spec:
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- include "spire-lib.default_node_priority_class_name" . | nindent 6 }}
{{- if or (gt (len .Values.initContainers) 0) (dig "openshift" false .Values.global) (dig "selinux" false .Values.global) .Values.selinux.enabled }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- with .Values.initContainers }}
initContainers:
{{- if or (dig "openshift" false .Values.global) (dig "selinux" false .Values.global) .Values.selinux.enabled }}
- name: set-context
command:
- chcon
- '-Rvt'
- {{ .Values.selinux.context }}
- spire-agent-socket/
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.selinux.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.selinux.image.pullPolicy }}
securityContext:
capabilities:
drop:
- all
privileged: true
volumeMounts:
- name: spire-agent-socket-dir
mountPath: /spire-agent-socket
terminationMessagePolicy: File
terminationMessagePath: /dev/termination-log
{{- end }}
{{- if gt (len .Values.initContainers) 0 }}
{{- toYaml .Values.initContainers | nindent 8 }}
{{- end }}
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
# This is the container which runs the SPIFFE CSI driver.
@ -90,9 +57,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- with .Values.extraEnvVars }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
# The volume containing the SPIRE agent socket. The SPIFFE CSI
# driver will mount this directory into containers.
@ -126,10 +90,6 @@ spec:
"-kubelet-registration-path", "{{ .Values.kubeletPath }}/plugins/{{ .Values.pluginName }}/csi.sock",
"-health-port", "{{ .Values.healthChecks.port }}"
]
env:
{{- with .Values.nodeDriverRegistrar.extraEnvVars }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
# The registrar needs access to the SPIFFE CSI driver socket
- mountPath: /spiffe-csi

37
charts/spire/charts/spiffe-csi-driver/templates/policy.yaml
View File

@ -1,37 +0,0 @@
{{- $upstream := eq .Values.pluginName "upstream.csi.spiffe.io" }}
{{- $detectedValidation := semverCompare ">=1.30-0" .Capabilities.KubeVersion.GitVersion -}}
{{- $policyEnabled := .Values.validatingAdmissionPolicy.enabled | toString }}
{{- $auto := eq $policyEnabled "auto" }}
{{- if or (eq $policyEnabled "true") (and $auto $upstream $detectedValidation) }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: {{ .Values.pluginName | quote }}
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: [""]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["pods"]
validations:
- expression: |
!object.spec.volumes.exists(c, has(c.csi) && has(c.csi.driver) && c.csi.driver == {{ .Values.pluginName | quote }})
message: 'you may not use the upstream.csi.spiffe.io csi driver'
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: {{ .Values.pluginName | quote }}
spec:
policyName: {{ .Values.pluginName | quote }}
validationActions: ["Deny"]
matchResources:
namespaceSelector:
matchExpressions:
- key: "kubernetes.io/metadata.name"
operator: NotIn
values:
- {{ include "spiffe-csi-driver.server-namespace" . | quote }}
{{- end }}

4
charts/spire/charts/spiffe-csi-driver/templates/scc-spiffe-csi-driver.yaml
View File

@ -16,7 +16,6 @@ volumes:
- configmap
- hostPath
- secret
allowedCapabilities: null
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
@ -24,11 +23,8 @@ allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups: []
priority: null
requiredDropCapabilities: null
{{ end }}

7
charts/spire/charts/spiffe-csi-driver/templates/spiffe-csi-driver.yaml
View File

@ -1,13 +1,8 @@
{{- $labels := dict }}
{{- if (dig "openshift" false .Values.global) }}
{{- $_ := set $labels "security.openshift.io/csi-ephemeral-volume-profile" "restricted" }}
{{- end }}
{{- $labels = mergeOverwrite $labels .Values.csiDriverLabels }}
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: {{ .Values.pluginName | quote }}
{{- with $labels }}
{{- with .Values.csiDriverLabels }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}

45
charts/spire/charts/spiffe-csi-driver/values.yaml
View File

@ -12,12 +12,14 @@ pluginName: csi.spiffe.io
## @param image.registry The OCI registry to pull the image from
## @param image.repository The repository within the registry
## @param image.pullPolicy The image pull policy
## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release)
## @param image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: ghcr.io
repository: spiffe/spiffe-csi-driver
pullPolicy: IfNotPresent
version: ""
tag: ""
## @param resources [object] Resource requests and limits for spiffe-csi-driver
@ -33,20 +35,10 @@ resources: {}
# cpu: 100m
# memory: 64Mi
## @param extraEnvVars [array] Extra environment variables to be added to the spiffe-csi-driver container
extraEnvVars: []
healthChecks:
## @param healthChecks.port The healthcheck port for spiffe-csi-driver
port: 9809
## @param updateStrategy.type The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete.
## @param updateStrategy.rollingUpdate.maxUnavailable Max unavailable pods during update. Can be a number or a percentage.
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout value in seconds for livenessProbe
##
@ -63,13 +55,6 @@ nameOverride: ""
## @param namespaceOverride Namespace to install spiffe-csi-driver
namespaceOverride: ""
## @param serverNamespaceOverride Override the namespace that the spire-server is installed into
serverNamespaceOverride: ""
validatingAdmissionPolicy:
## @param validatingAdmissionPolicy.enabled When set to auto, the validatingAdmissionPolicy will be enabled when the pluginName == "upstream.csi.spiffe.io" and k8s >= 1.30.0. Valid options are [auto, true, false]
enabled: auto
## @param fullnameOverride Full name override for spiffe-csi-driver
fullnameOverride: ""
@ -113,20 +98,19 @@ nodeSelector: {}
## @param tolerations [array] Tolerations for CSI driver pods
tolerations: []
## @param affinity [object] Node affinity
affinity: {}
nodeDriverRegistrar:
## @param nodeDriverRegistrar.image.registry The OCI registry to pull the image from
## @param nodeDriverRegistrar.image.repository The repository within the registry
## @param nodeDriverRegistrar.image.pullPolicy The image pull policy
## @param nodeDriverRegistrar.image.version This value is deprecated in favor of tag. (Will be removed in a future release)
## @param nodeDriverRegistrar.image.tag Overrides the image tag
##
image:
registry: registry.k8s.io
repository: sig-storage/csi-node-driver-registrar
pullPolicy: IfNotPresent
tag: v2.9.4
version: ""
tag: v2.9.0
## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
@ -139,8 +123,6 @@ nodeDriverRegistrar:
# limits:
# cpu: 100m
# memory: 64Mi
## @param nodeDriverRegistrar.extraEnvVars [array] Extra environment variables to be added to the nodeDriverRegistrar container
extraEnvVars: []
## @param agentSocketPath The unix socket path to the spire-agent
agentSocketPath: /run/spire/agent-sockets/spire-agent.sock
@ -148,7 +130,7 @@ agentSocketPath: /run/spire/agent-sockets/spire-agent.sock
## @param kubeletPath Path to kubelet file
kubeletPath: /var/lib/kubelet
## @param priorityClassName Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName.
## @param priorityClassName Priority class assigned to daemonset pods
priorityClassName: ""
restrictedScc:
@ -159,18 +141,3 @@ restrictedScc:
name: ""
## @param restrictedScc.version Version of the restricted SCC
version: 2
selinux:
## @param selinux.enabled Enable selinux support
enabled: false
## @param selinux.context Which selinux context to use
context: container_file_t
## @param selinux.image.registry The OCI registry to pull the image from
## @param selinux.image.repository The repository within the registry
## @param selinux.image.pullPolicy The image pull policy
## @param selinux.image.tag Overrides the image tag whose default is the chart appVersion
image:
registry: registry.access.redhat.com
repository: ubi9
pullPolicy: Always
tag: latest

6
charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
View File

@ -3,11 +3,11 @@ name: spiffe-oidc-discovery-provider
description: A Helm chart to install the SPIFFE OIDC discovery provider.
type: application
version: 0.1.0
appVersion: "1.12.4"
appVersion: "1.8.4"
keywords: ["spiffe", "oidc"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
sources:
- https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
- https://github.com/spiffe/helm-charts/tree/main/charts/spire
icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
maintainers:
- name: marcofranssen

76
charts/spire/charts/spiffe-oidc-discovery-provider/README.md
View File

@ -4,7 +4,12 @@
A Helm chart to install the SPIFFE OIDC discovery provider.
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
**Homepage:** <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
> [!Note]
> Minimum Spire version is `1.5.3`.
> The recommended version is `1.6.0` to support arm64 nodes. If running with any
> prior version to `1.6.0` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`.
## Maintainers
@ -17,7 +22,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
## Source Code
* <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
* <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
@ -28,27 +33,17 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| Name | Description | Value |
| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` |
| `csiDriverName` | The csi driver to use | `csi.spiffe.io` |
| `bundleSource` | Configure where to fetch the trust bundle from. Must be CSI or ConfigMap. | `CSI` |
| `bundleConfigMap` | ConfigMap name for SPIRE bundle when bundleSource is ConfigMap | `spire-bundle` |
| `replicaCount` | Replica count | `1` |
| `namespaceOverride` | Namespace override | `""` |
| `annotations` | Annotations for the deployment | `{}` |
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `image.repository` | The repository within the registry | `spiffe/oidc-discovery-provider` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `expandEnv` | Set to true to enable environment variable substitution of config file options | `false` |
| `extraEnv` | Extra environment variables to add to the spiffe oidc discovery provider | `[]` |
| `spiffeHelper.image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `spiffeHelper.image.repository` | The repository within the registry | `spiffe/spiffe-helper` |
| `spiffeHelper.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `spiffeHelper.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.10.1` |
| `spiffeHelper.resources` | Resource requests and limits | `{}` |
| `resources` | Resource requests and limits | `{}` |
| `service.type` | Service type | `ClusterIP` |
| `service.ports.http` | Insecure port for the service | `80` |
| `service.ports.https` | Secure port for the service | `443` |
| `service.port` | Service port | `80` |
| `service.annotations` | Annotations for service resource | `{}` |
| `configMap.annotations` | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap | `{}` |
| `podSecurityContext` | Pod security context for OIDC discovery provider pods | `{}` |
@ -58,29 +53,20 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
| `podAnnotations` | Pod annotations for Spire OIDC discovery provider | `{}` |
| `tls.spire.enabled` | Use spire to secure the oidc-discovery-provider | `true` |
| `tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` |
| `tls.externalSecret.secretName` | Specify which Secret to use | `""` |
| `tls.certManager.enabled` | Use certificateManager to create the certificate | `false` |
| `tls.certManager.issuer.create` | Create an issuer to use to issue the certificate | `true` |
| `tls.certManager.issuer.acme.email` | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service | `""` |
| `tls.certManager.issuer.acme.server` | Server to use to get certificate. Defaults to LetsEncrypt | `https://acme-v02.api.letsencrypt.org/directory` |
| `tls.certManager.issuer.acme.solvers` | Configure the issuer solvers. Defaults to http01 via ingress. | `{}` |
| `tls.certManager.certificate.dnsNames` | Override the dnsNames on the certificate request. Defaults to the same settings as Ingress | `[]` |
| `tls.certManager.certificate.issuerRef.group` | If you are using an external plugin, specify the group for it here | `""` |
| `tls.certManager.certificate.issuerRef.kind` | Kind of the issuer reference. Override if you want to use a ClusterIssuer | `Issuer` |
| `tls.certManager.certificate.issuerRef.name` | Name of the issuer to use. If unset, it will use the name of the built in issuer | `""` |
| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` |
| `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` |
| `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. | `IfNotPresent` |
| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.29.0-alpine` |
| `insecureScheme.nginx.ipMode` | IP modes supported by the cluster. Must be one of [ipv4, ipv6, both] | `both` |
| `insecureScheme.enabled` | Flag to enable insecure schema | `false` |
| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `insecureScheme.nginx.image.repository` | The repository within the registry | `nginxinc/nginx-unprivileged` |
| `insecureScheme.nginx.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `insecureScheme.nginx.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.25.2-alpine` |
| `insecureScheme.nginx.resources` | Resource requests and limits | `{}` |
| `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` |
| `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` |
| `config.jwtDomain` | The JWT domain. Defaults to oidc-discovery.$jwtIssuer URL-parsed host if unset | `""` |
| `config.jwksUri` | The JWKS URI | `""` |
| `config.additionalDomains` | Add additional domains that can be used for oidc discovery | `[]` |
| `config.acme.tosAccepted` | Flag for Terms of Service acceptance | `false` |
| `config.acme.cacheDir` | Path for cache directory | `/run/spire` |
| `config.acme.directoryUrl` | URL for acme directory | `https://acme-v02.api.letsencrypt.org/directory` |
| `config.acme.emailAddress` | Email address for registration | `letsencrypt@example.org` |
| `imagePullSecrets` | Image pull secret names | `[]` |
| `nameOverride` | Name override | `""` |
| `fullnameOverride` | Full name override | `""` |
@ -106,7 +92,8 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` |
| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.4.2` |
| `telemetry.prometheus.nginxExporter.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.11.0` |
| `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` |
| `ingress.enabled` | Flag to enable ingress | `false` |
| `ingress.className` | Ingress class name | `""` |
@ -122,24 +109,25 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
| `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3d077aae77eb552abd85a015d087047a7a7353d974e5f7fc6a402180c1501214` |
| `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` |
| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` |
| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53` |
| `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` |
| `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.28.7` |
| `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d1fc4d296994f28d7e0264c933a12ba75c9a80478ff1eb4b6f692bb91a073a4c` |
| `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` |
| `tests.busybox.image.repository` | The repository within the registry | `busybox` |
| `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.37.0-uclibc` |
| `tests.busybox.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `tests.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.36.1-uclibc` |
| `tests.agent.image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` |
| `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.agent.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
| `tools.kubectl.image.repository` | The repository within the registry | `kubectl` |
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tools.kubectl.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |

28
charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl
View File

@ -29,12 +29,6 @@ Allow the release namespace to be overridden for multi-namespace deployments in
{{- define "spiffe-oidc-discovery-provider.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
{{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
{{- .Values.global.spire.namespaces.server.name }}
{{- else }}
{{- printf "spire-server" }}
{{- end }}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
@ -91,25 +85,3 @@ Create the name of the service account to use
{{- define "spiffe-oidc-discovery-provider.workload-api-socket-path" -}}
{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
{{- end }}
{{- define "spiffe-oidc-discovery-provider.tls-enabled" -}}
{{- if or .Values.tls.spire.enabled .Values.tls.externalSecret.enabled .Values.tls.certManager.enabled }}
{{- true }}
{{- else }}
{{- false }}
{{- end }}
{{- end }}
{{- define "spiffe-oidc-discovery-provider.podSecurityContext" -}}
{{- $podSecurityContext := include "spire-lib.podsecuritycontext" . | fromYaml }}
{{- $openshift := ((.Values).global).openshift | default false }}
{{- if and .Values.tls.spire.enabled (not $openshift) }}
{{- if not (hasKey $podSecurityContext "runAsUser") }}
{{- $_ := set $podSecurityContext "runAsUser" 1000 }}
{{- end }}
{{- if not (hasKey $podSecurityContext "runAsGroup") }}
{{- $_ := set $podSecurityContext "runAsGroup" 1000 }}
{{- end }}
{{- end }}
{{- toYaml $podSecurityContext }}
{{- end }}

26
charts/spire/charts/spiffe-oidc-discovery-provider/templates/certificate.yaml
View File

@ -1,26 +0,0 @@
{{- define "spiffe-oidc-discovery-provider.cert-manager-default-cert" }}
{{- $fullName := include "spiffe-oidc-discovery-provider.fullname" . }}
dnsNames:
{{- if ne (len .Values.tls.certManager.certificate.dnsNames) 0 }}
{{- toYaml .Values.tls.certManager.certificate.dnsNames | nindent 4 }}
{{- else }}
- {{ include "spire-lib.ingress-calculated-name" (dict "ingress" .Values.ingress "Values" .Values) }}
{{- end }}
issuerRef:
{{- with .Values.tls.certManager.certificate.issuerRef.group }}
group: {{ . }}
{{- end }}
kind: {{ default "Issuer" .Values.tls.certManager.certificate.issuerRef.kind }}
name: {{ default $fullName .Values.tls.certManager.certificate.issuerRef.name }}
secretName: {{ $fullName }}-cert
{{- end }}
{{- if .Values.tls.certManager.enabled }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
spec:
{{ merge (include "spiffe-oidc-discovery-provider.cert-manager-default-cert" . | fromYaml) .Values.tls.certManager.certificate | toYaml | nindent 2 }}
{{- end }}

59
charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
View File

@ -1,19 +1,3 @@
{{- if and (ne .Values.bundleSource "ConfigMap") (ne .Values.bundleSource "CSI") }}
{{- fail "Bundle source must be CSI or ConfigmMap" }}
{{- end }}
{{- $tlsCount := 0 }}
{{- if and .Values.enabled .Values.tls.spire.enabled }}
{{- $tlsCount = add $tlsCount 1 }}
{{- end }}
{{- if and .Values.enabled .Values.tls.externalSecret.enabled }}
{{- $tlsCount = add $tlsCount 1 }}
{{- end }}
{{- if and .Values.enabled .Values.tls.certManager.enabled }}
{{- $tlsCount = add $tlsCount 1 }}
{{- end }}
{{- if gt $tlsCount 1 }}
{{- fail "You can only have one TLS configuration enabled" }}
{{- end }}
{{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
{{- include "spire-lib.check-strict-mode" (list . "jwtIssuer must be set" (eq (include "spire-lib.jwt-issuer" .) "https://oidc-discovery.example.org"))}}
{{- $oidcSocket := "/run/spire/oidc-sockets/spire-oidc-server.sock" }}
@ -26,35 +10,24 @@ domains:
- "{{ include "spiffe-oidc-discovery-provider.fullname" . }}"
- "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}"
- "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}"
{{- $jwtDomain := .Values.config.jwtDomain }}
{{- if not $jwtDomain }}
{{- $uri := urlParse (include "spire-lib.jwt-issuer" .) }}
{{- $jwtDomain = (default $uri.path $uri.host) }}
{{- end }}
{{- uniq (concat (list $jwtDomain) .Values.config.additionalDomains) | toYaml | nindent 2 }}
{{- $uri := urlParse (include "spire-lib.jwt-issuer" .) }}
{{- $jwtIssuer := (default $uri.path $uri.host) }}
{{- uniq (concat (list $jwtIssuer) .Values.config.additionalDomains) | toYaml | nindent 2 }}
{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }}
allow_insecure_scheme: true
{{- if .Values.insecureScheme.enabled }}
allow_insecure_scheme: {{ .Values.insecureScheme.enabled }}
listen_socket_path: {{ $oidcSocket | quote }}
{{- else }}
serving_cert_file:
cert_file_path: /certs/tls.crt
key_file_path: /certs/tls.key
addr: ':8443'
acme:
directory_url: {{ .Values.config.acme.directoryUrl | quote }}
cache_dir: {{ .Values.config.acme.cacheDir | quote }}
tos_accepted: {{ .Values.config.acme.tosAccepted }}
email: {{ .Values.config.acme.emailAddress | quote }}
{{- end }}
{{- if .Values.config.jwksUri}}
jwks_uri: {{ .Values.config.jwksUri | quote }}
{{- end }}
{{- if eq .Values.bundleSource "ConfigMap" }}
file:
path: /bundle/bundle.spiffe
{{- else }}
workload_api:
socket_path: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | quote }}
trust_domain: {{ include "spire-lib.trust-domain" . | quote }}
{{- end }}
health_checks:
bind_port: "8008"
@ -74,19 +47,15 @@ metadata:
data:
oidc-discovery-provider.conf: |
{{- include "spiffe-oidc-discovery-provider.yaml-config" (dict "oidcSocket" $oidcSocket "root" .) | fromYaml | toPrettyJson | nindent 4 }}
{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }}
{{- if .Values.insecureScheme.enabled }}
default.conf: |
upstream oidc {
server unix:{{ $oidcSocket }};
}
server {
{{- if or (eq .Values.insecureScheme.nginx.ipMode "ipv4") (eq .Values.insecureScheme.nginx.ipMode "both") }}
listen 8080;
{{- end }}
{{- if or (eq .Values.insecureScheme.nginx.ipMode "ipv6") (eq .Values.insecureScheme.nginx.ipMode "both") }}
listen [::]:8080;
{{- end }}
location / {
proxy_pass http://oidc;
@ -100,9 +69,3 @@ data:
}
}
{{- end }}
spiffe-helper.conf: |
agent_address = {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | quote }}
cert_dir = "/certs"
svid_file_name = "tls.crt"
svid_key_file_name = "tls.key"
svid_bundle_file_name = "ca.pem"

101
charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
View File

@ -1,4 +1,3 @@
{{- $tlsEnabled := eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "true" }}
{{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }}
apiVersion: apps/v1
kind: Deployment
@ -27,9 +26,6 @@ spec:
{{- end }}
labels:
{{- include "spiffe-oidc-discovery-provider.selectorLabels" . | nindent 8 }}
release: {{ .Release.Name }}
release-namespace: {{ .Release.Namespace }}
component: oidc-discovery-provider
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
@ -37,64 +33,27 @@ spec:
{{- end }}
serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}
securityContext:
{{- include "spiffe-oidc-discovery-provider.podSecurityContext" . | nindent 8 }}
initContainers:
{{- if .Values.tls.spire.enabled }}
- name: init
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
resources:
{{- toYaml .Values.spiffeHelper.resources | nindent 12 }}
image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
args:
- -config
- /etc/spiffe-helper.conf
- -daemon-mode=false
volumeMounts:
- name: spiffe-workload-api
mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
readOnly: true
- name: spire-oidc-config
mountPath: /etc/spiffe-helper.conf
subPath: spiffe-helper.conf
readOnly: true
- name: certdir
mountPath: /certs
{{- end }}
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
{{- toYaml .Values.securityContext | nindent 12 }}
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- -config
- /run/spire/oidc/config/oidc-discovery-provider.conf
{{- if .Values.expandEnv }}
- -expandEnv
{{- end }}
{{- with .Values.extraEnv }}
env:
{{- . | toYaml | nindent 12 }}
{{- end }}
ports:
- containerPort: 8008
name: healthz
{{- if $tlsEnabled }}
- containerPort: 8443
{{- if not .Values.insecureScheme.enabled }}
- containerPort: 443
name: https
{{- end }}
volumeMounts:
{{- if eq .Values.bundleSource "ConfigMap" }}
- name: spiffe-bundle
mountPath: /bundle
readOnly: true
{{- else }}
- name: spiffe-workload-api
mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
readOnly: true
{{- end }}
- name: spire-oidc-sockets
mountPath: /run/spire/oidc-sockets
readOnly: false
@ -102,9 +61,6 @@ spec:
mountPath: /run/spire/oidc/config/oidc-discovery-provider.conf
subPath: oidc-discovery-provider.conf
readOnly: true
- name: certdir
mountPath: /certs
readOnly: true
readinessProbe:
httpGet:
path: /ready
@ -117,32 +73,10 @@ spec:
{{- toYaml .Values.livenessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.tls.spire.enabled }}
- name: spiffe-helper
resources:
{{- toYaml .Values.spiffeHelper.resources | nindent 12 }}
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
args:
- -config
- /etc/spiffe-helper.conf
volumeMounts:
- name: spiffe-workload-api
mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
readOnly: true
- name: spire-oidc-config
mountPath: /etc/spiffe-helper.conf
subPath: spiffe-helper.conf
readOnly: true
- name: certdir
mountPath: /certs
{{- end }}
{{- if not $tlsEnabled }}
{{- if .Values.insecureScheme.enabled }}
- name: nginx
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
{{- toYaml .Values.securityContext | nindent 12 }}
image: {{ template "spire-lib.image" (dict "image" .Values.insecureScheme.nginx.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.insecureScheme.nginx.image.pullPolicy }}
ports:
@ -161,10 +95,10 @@ spec:
readOnly: false
resources:
{{- toYaml .Values.insecureScheme.nginx.resources | nindent 12 }}
{{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }}
{{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }}
- name: nginx-exporter
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
{{- toYaml .Values.securityContext | nindent 12 }}
image: {{ template "spire-lib.image" (dict "image" .Values.telemetry.prometheus.nginxExporter.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.telemetry.prometheus.nginxExporter.image.pullPolicy }}
args:
@ -177,17 +111,10 @@ spec:
{{- end }}
{{- end }}
volumes:
{{- if or .Values.tls.spire.enabled (eq .Values.bundleSource "CSI") }}
- name: spiffe-workload-api
csi:
driver: "{{ .Values.csiDriverName }}"
driver: "csi.spiffe.io"
readOnly: true
{{- end }}
{{- if eq .Values.bundleSource "ConfigMap" }}
- name: spiffe-bundle
configMap:
name: {{ include "spire-lib.bundle-configmap" . }}
{{- end }}
- name: spire-oidc-sockets
emptyDir: {}
- name: spire-oidc-config
@ -195,16 +122,6 @@ spec:
name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
- name: nginx-tmp
emptyDir: {}
- name: certdir
{{- if .Values.tls.externalSecret.enabled }}
secret:
secretName: {{ .Values.tls.externalSecret.secretName }}
{{- else if .Values.tls.certManager.enabled }}
secret:
secretName: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-cert
{{- else }}
emptyDir: {}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}

20
charts/spire/charts/spiffe-oidc-discovery-provider/templates/hpa.yaml
View File

@ -1,5 +1,5 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: {{ include "spire-lib.autoscalingVersion" . }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
@ -14,20 +14,16 @@ spec:
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

27
charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml
View File

@ -1,36 +1,13 @@
{{- if .Values.ingress.enabled -}}
{{- $tlsEnabled := eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "true" }}
{{- $port := .Values.service.ports.https }}
{{- if not $tlsEnabled }}
{{- $port = .Values.service.ports.http }}
{{- end }}
{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }}
{{- $fullName := include "spiffe-oidc-discovery-provider.fullname" . }}
{{- $path := "/" }}
{{- $pathType := "Prefix" }}
{{- $tlsSection := true }}
{{- $annotations := deepCopy .Values.ingress.annotations }}
{{- if eq $ingressControllerType "ingress-nginx" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
{{- if $tlsEnabled }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
{{- if not (and .Values.ingress.enabled .Values.ingress.tlsSecret) }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
{{- end }}
{{- end }}
{{- else if eq $ingressControllerType "openshift" }}
{{- if not $tlsEnabled }}
{{- $_ := set $annotations "route.openshift.io/termination" "edge" }}
{{- else }}
{{- if and .Values.ingress.enabled .Values.ingress.tlsSecret }}
{{- $_ := set $annotations "route.openshift.io/termination" "reencrypt" }}
{{- else }}
{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
{{- end }}
{{- end }}
{{- $path = "" }}
{{- $pathType = "ImplementationSpecific" }}
{{- $_ := set $annotations "route.openshift.io/termination" "edge" }}
{{- $tlsSection = false }}
{{- end }}
apiVersion: networking.k8s.io/v1
@ -45,5 +22,5 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" $port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
{{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" .Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
{{- end }}

22
charts/spire/charts/spiffe-oidc-discovery-provider/templates/issuer.yaml
View File

@ -1,22 +0,0 @@
{{- define "spiffe-oidc-discovery-provider.cert-manager-default-issuer" }}
{{- if not .Values.tls.certManager.issuer.acme.email }}
{{- fail "You must specify an email address via certManager.issuer.acme.email" }}
{{- end }}
email: {{ .Values.tls.certManager.issuer.acme.email | quote}}
server: {{ .Values.tls.certManager.issuer.acme.server | quote}}
privateKeySecretRef:
name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-issuer
solvers:
- http01:
ingress: {}
{{- end }}
{{- if and .Values.tls.certManager.enabled .Values.tls.certManager.issuer.create }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
spec:
acme:
{{ mergeOverwrite (include "spiffe-oidc-discovery-provider.cert-manager-default-issuer" . | fromYaml) .Values.tls.certManager.issuer.acme | toYaml | nindent 4 }}
{{- end }}

2
charts/spire/charts/spiffe-oidc-discovery-provider/templates/podmonitor.yaml
View File

@ -1,4 +1,4 @@
{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }}
{{- if .Values.insecureScheme.enabled }}
{{- if (dig "telemetry" "prometheus" "podMonitor" "enabled" .Values.telemetry.prometheus.podMonitor.enabled .Values.global) }}
{{- $namespace := include "spiffe-oidc-discovery-provider.podMonitor.namespace" . }}
{{- $podNamespace := ( include "spiffe-oidc-discovery-provider.namespace" . ) }}

8
charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml
View File

@ -59,11 +59,11 @@ spec:
restartPolicy: Never
serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete
securityContext:
{{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: pre-delete-job
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 10 }}
{{- toYaml .Values.securityContext | nindent 10 }}
image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
args:
- delete
@ -72,8 +72,4 @@ spec:
- deployment
- {{ include "spiffe-oidc-discovery-provider.fullname" . }}
- --wait
{{- with (((.Values).global).deleteHooks).resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}

12
charts/spire/charts/spiffe-oidc-discovery-provider/templates/scc-spire-oidc-discovery-provider.yaml
View File

@ -15,14 +15,13 @@ users:
- system:serviceaccount:{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- hostPath
- projected
- secret
allowedCapabilities: null
- ephemeral
- downwardAPI
- csi
- emptyDir
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
@ -30,12 +29,9 @@ allowHostPID: true
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups: []
priority: null
requiredDropCapabilities: null
seccompProfiles:
- '*'

6
charts/spire/charts/spiffe-oidc-discovery-provider/templates/service.yaml
View File

@ -10,14 +10,14 @@ metadata:
spec:
type: {{ .Values.service.type }}
ports:
{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }}
{{- if .Values.insecureScheme.enabled }}
- name: http
port: {{ .Values.service.ports.http }}
port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
{{- else }}
- name: https
port: {{ .Values.service.ports.https }}
port: 443
targetPort: https
protocol: TCP
{{- end }}

22
charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml
View File

@ -1,11 +1,5 @@
{{- $values := merge .Values }}
{{- $host := include "spire-lib.ingress-calculated-name" (dict "Values" .Values "ingress" .Values.ingress) }}
{{- $protocol := "https" }}
{{- $port := .Values.service.ports.https }}
{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }}
{{- $protocol = "http" }}
{{- $port = .Values.service.ports.http }}
{{- end }}
{{- if gt (len .Values.ingress.hosts) 0 }}
{{- $host = (index .Values.ingress.hosts 0).host }}
{{- end }}
@ -20,26 +14,26 @@ metadata:
"helm.sh/hook": test
spec:
securityContext:
{{- include "spire-lib.podsecuritycontext" . | nindent 4 }}
{{- toYaml .Values.podSecurityContext | nindent 4 }}
containers:
- name: curl-service-name
image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
command: ['curl']
args: ['-s', '-f', '-k', '{{ $protocol }}://{{ include "spiffe-oidc-discovery-provider.fullname" . }}:{{ $port }}/.well-known/openid-configuration']
args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}:{{ .Values.service.port }}/.well-known/openid-configuration']
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 8 }}
{{- toYaml .Values.securityContext | nindent 8 }}
- name: curl-service-name-namespace
image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
command: ['curl']
args: ['-s', '-f', '-k', '{{ $protocol }}://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ $port }}/.well-known/openid-configuration']
args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ .Values.service.port }}/.well-known/openid-configuration']
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 8 }}
{{- toYaml .Values.securityContext | nindent 8 }}
- name: curl-service-name-namespace-svc-cluster-local
image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
command: ['curl']
args: ['-s', '-f', '-k', '{{ $protocol }}://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ $port }}/.well-known/openid-configuration']
args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/.well-known/openid-configuration']
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 8 }}
{{- toYaml .Values.securityContext | nindent 8 }}
{{- if .Values.ingress.enabled }}
- name: curl-ingress
image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
@ -59,7 +53,7 @@ spec:
args: ['-s', '-f', 'http://{{ $host }}/.well-known/openid-configuration']
{{- end }}
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 8 }}
{{- toYaml .Values.securityContext | nindent 8 }}
{{- end }}
{{- if ne (len (dig "tests" "hostAliases" "" $values)) 0 }}
hostAliases:

57
charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml
View File

@ -1,9 +1,3 @@
{{- $protocol := "https" }}
{{- $port := .Values.service.ports.https }}
{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }}
{{- $protocol = "http" }}
{{- $port = .Values.service.ports.http }}
{{- end }}
apiVersion: v1
kind: Pod
metadata:
@ -11,14 +5,13 @@ metadata:
namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
labels:
{{- include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }}
release: {{ .Release.Name }}
release-namespace: {{ .Release.Namespace }}
component: test-keys
annotations:
"helm.sh/hook": test
spec:
{{- with .Values.podSecurityContext }}
securityContext:
{{- include "spire-lib.podsecuritycontext" . | nindent 4 }}
{{- toYaml . | nindent 4 }}
{{- end }}
serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}
initContainers:
- name: static-busybox
@ -29,21 +22,10 @@ spec:
- |
cp /bin/busybox /data/busybox
chmod +x /data/busybox
{{- with .Values.securityContext }}
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 8 }}
volumeMounts:
- name: data-volume
mountPath: /data
- name: install-step
image: {{ template "spire-lib.image" (dict "image" .Values.tests.step.image "global" .Values.global) }}
workingDir: /data
command:
- sh
- -c
- |
cp /usr/local/bin/step /data/step
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 8 }}
{{- toYaml . | nindent 8 }}
{{- end }}
volumeMounts:
- name: data-volume
mountPath: /data
@ -59,8 +41,10 @@ spec:
[ $? -eq 0 ] && break
sleep 1
done
{{- with .Values.securityContext }}
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 8 }}
{{- toYaml . | nindent 8 }}
{{- end }}
volumeMounts:
- name: data-volume
mountPath: /data
@ -72,24 +56,23 @@ spec:
image: {{ template "spire-lib.image" (dict "image" .Values.tests.toolkit.image "global" .Values.global) }}
command:
- bash
workingDir: /data
env:
- name: TMPDIR
value: /data
args:
- -cx
- -c
- |
URL={{ $protocol }}://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ $port }}
cat /data/token.svid
JWT=$(cat /data/token.svid | jq -r '.[] | select(.svids) | .svids[0].svid' | xargs)
KID=$(echo $JWT | base64 -d 2>/dev/null | jq -r '.kid')
# Retrieve public key from JWK set, match kid from JWT to locate the correct one
curl -k -s --fail-with-body "${URL}"/keys | jq '.keys[] | select(.kid == "'${KID}'")' > public.pem
# Verify JWT with public pem
echo $JWT | /data/step crypto jwt verify --key=public.pem --alg=RS256 --subtle
URL=http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}
curl -k -s -f "${URL}"/keys
JWT=$(cat /data/token.svid | jq -r '.[].svids[0].svid' | xargs)
cat <<'EOF' >> /data/jwt-decode.sh
{{- (.Files.Get "files/test/jwt-decode.sh") | nindent 10 }}
EOF
bash /data/jwt-decode.sh "${URL}"/keys "${JWT}"
{{- with .Values.securityContext }}
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 8 }}
{{- toYaml . | nindent 8 }}
{{- end }}
volumeMounts:
- mountPath: /data
name: data-volume

151
charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
View File

@ -8,14 +8,6 @@ global: {}
##
## @param agentSocketName The name of the spire-agent unix socket
agentSocketName: spire-agent.sock
## @param csiDriverName The csi driver to use
csiDriverName: csi.spiffe.io
## @param bundleSource Configure where to fetch the trust bundle from. Must be CSI or ConfigMap.
bundleSource: CSI
## @param bundleConfigMap ConfigMap name for SPIRE bundle when bundleSource is ConfigMap
bundleConfigMap: spire-bundle
## @param replicaCount Replica count
replicaCount: 1
@ -30,33 +22,15 @@ image:
## @param image.registry The OCI registry to pull the image from
## @param image.repository The repository within the registry
## @param image.pullPolicy The image pull policy
## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release)
## @param image.tag Overrides the image tag whose default is the chart appVersion
##
registry: ghcr.io
repository: spiffe/oidc-discovery-provider
pullPolicy: IfNotPresent
version: ""
tag: ""
## @param expandEnv Set to true to enable environment variable substitution of config file options
expandEnv: false
## @param extraEnv [array] Extra environment variables to add to the spiffe oidc discovery provider
extraEnv: []
spiffeHelper:
image:
## @param spiffeHelper.image.registry The OCI registry to pull the image from
## @param spiffeHelper.image.repository The repository within the registry
## @param spiffeHelper.image.pullPolicy The image pull policy
## @param spiffeHelper.image.tag Overrides the image tag whose default is the chart appVersion
##
registry: ghcr.io
repository: spiffe/spiffe-helper
pullPolicy: IfNotPresent
tag: 0.10.1
## @param spiffeHelper.resources [object] Resource requests and limits
resources: {}
## @param resources [object] Resource requests and limits
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
@ -71,15 +45,12 @@ resources: {}
# memory: 64Mi
## @param service.type Service type
## @param service.ports.http Insecure port for the service
## @param service.ports.https Secure port for the service
## @param service.port Service port
## @param service.annotations Annotations for service resource
##
service:
type: ClusterIP
ports:
http: 80
https: 443
port: 80
annotations: {}
# external-dns.alpha.kubernetes.io/hostname: oidc-discovery.example.org
@ -117,53 +88,16 @@ livenessProbe:
## @param podAnnotations [object] Pod annotations for Spire OIDC discovery provider
podAnnotations: {}
# Select from one of the options below to be the source of certificates for OIDC Discovery Provider.
# If none are enabled, connections won't be TLS encrypted.
tls:
spire:
## @param tls.spire.enabled Use spire to secure the oidc-discovery-provider
enabled: true
externalSecret:
## @param tls.externalSecret.enabled Provide your own certificate/key via tls style Kubernetes Secret
enabled: false
## @param tls.externalSecret.secretName Specify which Secret to use
secretName: ""
certManager:
## @param tls.certManager.enabled Use certificateManager to create the certificate
enabled: false
issuer:
## @param tls.certManager.issuer.create Create an issuer to use to issue the certificate
create: true
acme:
## @param tls.certManager.issuer.acme.email Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service
email: ""
## @param tls.certManager.issuer.acme.server Server to use to get certificate. Defaults to LetsEncrypt
server: https://acme-v02.api.letsencrypt.org/directory
# Testing server: https://acme-staging-v02.api.letsencrypt.org/directory
## @param tls.certManager.issuer.acme.solvers [object] Configure the issuer solvers. Defaults to http01 via ingress.
solvers: {}
# - http01:
# ingress:
# ingressClassName: nginx
certificate:
## @param tls.certManager.certificate.dnsNames Override the dnsNames on the certificate request. Defaults to the same settings as Ingress
dnsNames: []
## @param tls.certManager.certificate.issuerRef.group If you are using an external plugin, specify the group for it here
## @param tls.certManager.certificate.issuerRef.kind Kind of the issuer reference. Override if you want to use a ClusterIssuer
## @param tls.certManager.certificate.issuerRef.name Name of the issuer to use. If unset, it will use the name of the built in issuer
issuerRef:
group: ""
kind: Issuer
name: ""
insecureScheme:
## @param insecureScheme.enabled Flag to enable insecure schema
enabled: false
nginx:
## @param insecureScheme.nginx.image.registry The OCI registry to pull the image from. Only used when TLS is disabled.
## @param insecureScheme.nginx.image.repository The repository within the registry. Only used when TLS is disabled.
## @param insecureScheme.nginx.image.pullPolicy The image pull policy. Only used when TLS is disabled.
## @param insecureScheme.nginx.image.tag Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled.
## @param insecureScheme.nginx.image.registry The OCI registry to pull the image from
## @param insecureScheme.nginx.image.repository The repository within the registry
## @param insecureScheme.nginx.image.pullPolicy The image pull policy
## @param insecureScheme.nginx.image.version This value is deprecated in favor of tag. (Will be removed in a future release)
## @param insecureScheme.nginx.image.tag Overrides the image tag whose default is the chart appVersion
## Example:
## chainguard image does not support the templates feature
## https://github.com/chainguard-images/nginx/issues/43
@ -176,9 +110,8 @@ insecureScheme:
registry: docker.io
repository: nginxinc/nginx-unprivileged
pullPolicy: IfNotPresent
tag: 1.29.0-alpine
## @param insecureScheme.nginx.ipMode IP modes supported by the cluster. Must be one of [ipv4, ipv6, both]
ipMode: both
version: ""
tag: 1.25.2-alpine
## @param insecureScheme.nginx.resources Resource requests and limits
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
@ -198,13 +131,19 @@ jwtIssuer: ""
config:
## @param config.logLevel The log level, valid values are "debug", "info", "warn", and "error"
logLevel: info
## @param config.jwtDomain [string] The JWT domain. Defaults to oidc-discovery.$jwtIssuer URL-parsed host if unset
jwtDomain: ""
## @param config.jwksUri [string] The JWKS URI
jwksUri: ""
## @param config.additionalDomains [array] Add additional domains that can be used for oidc discovery
additionalDomains: []
# - localhost
additionalDomains:
- localhost
acme:
## @param config.acme.tosAccepted Flag for Terms of Service acceptance
tosAccepted: false
## @param config.acme.cacheDir Path for cache directory
cacheDir: /run/spire
## @param config.acme.directoryUrl URL for acme directory
directoryUrl: https://acme-v02.api.letsencrypt.org/directory
## @param config.acme.emailAddress Email address for registration
emailAddress: letsencrypt@example.org
## @param imagePullSecrets [array] Image pull secret names
imagePullSecrets: []
@ -274,13 +213,15 @@ telemetry:
## @param telemetry.prometheus.nginxExporter.image.registry The OCI registry to pull the image from
## @param telemetry.prometheus.nginxExporter.image.repository The repository within the registry
## @param telemetry.prometheus.nginxExporter.image.pullPolicy The image pull policy
## @param telemetry.prometheus.nginxExporter.image.version This value is deprecated in favor of tag. (Will be removed in a future release)
## @param telemetry.prometheus.nginxExporter.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: docker.io
repository: nginx/nginx-prometheus-exporter
pullPolicy: IfNotPresent
tag: "1.4.2"
version: ""
tag: "0.11.0"
## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits
resources: {}
@ -340,60 +281,56 @@ tests:
## @param tests.bash.image.registry The OCI registry to pull the image from
## @param tests.bash.image.repository The repository within the registry
## @param tests.bash.image.pullPolicy The image pull policy
## @param tests.bash.image.version This value is deprecated in favor of tag. (Will be removed in a future release)
## @param tests.bash.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: cgr.dev
repository: chainguard/bash
pullPolicy: IfNotPresent
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
version: ""
tag: latest@sha256:3d077aae77eb552abd85a015d087047a7a7353d974e5f7fc6a402180c1501214
toolkit:
## @param tests.toolkit.image.registry The OCI registry to pull the image from
## @param tests.toolkit.image.repository The repository within the registry
## @param tests.toolkit.image.pullPolicy The image pull policy
## @param tests.toolkit.image.version This value is deprecated in favor of tag. (Will be removed in a future release)
## @param tests.toolkit.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: cgr.dev
repository: chainguard/min-toolkit-debug
repository: chainguard/slim-toolkit-debug
pullPolicy: IfNotPresent
tag: latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53
step:
## @param tests.step.image.registry The OCI registry to pull the image from
## @param tests.step.image.repository The repository within the registry
## @param tests.step.image.pullPolicy The image pull policy
## @param tests.step.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: "docker.io"
repository: smallstep/step-cli
pullPolicy: IfNotPresent
tag: 0.28.7
version: ""
tag: latest@sha256:d1fc4d296994f28d7e0264c933a12ba75c9a80478ff1eb4b6f692bb91a073a4c
busybox:
## @param tests.busybox.image.registry The OCI registry to pull the image from
## @param tests.busybox.image.repository The repository within the registry
## @param tests.busybox.image.pullPolicy The image pull policy
## @param tests.busybox.image.version This value is deprecated in favor of tag. (Will be removed in a future release)
## @param tests.busybox.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: ""
repository: busybox
pullPolicy: IfNotPresent
tag: 1.37.0-uclibc
version: ""
tag: 1.36.1-uclibc
agent:
## @param tests.agent.image.registry The OCI registry to pull the image from
## @param tests.agent.image.repository The repository within the registry
## @param tests.agent.image.pullPolicy The image pull policy
## @param tests.agent.image.version This value is deprecated in favor of tag. (Will be removed in a future release)
## @param tests.agent.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: ghcr.io
repository: spiffe/spire-agent
pullPolicy: IfNotPresent
version: ""
tag: ""
tools:
@ -401,10 +338,12 @@ tools:
## @param tools.kubectl.image.registry The OCI registry to pull the image from
## @param tools.kubectl.image.repository The repository within the registry
## @param tools.kubectl.image.pullPolicy The image pull policy
## @param tools.kubectl.image.version This value is deprecated in favor of tag. (Will be removed in a future release)
## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: registry.k8s.io
repository: kubectl
registry: docker.io
repository: rancher/kubectl
pullPolicy: IfNotPresent
version: ""
tag: ""

13
charts/spire/charts/spike-keeper/Chart.yaml
View File

@ -1,13 +0,0 @@
apiVersion: v2
name: spike-keeper
description: A Helm chart to deploy SPIKE Keeper
type: application
version: 0.1.0
appVersion: "0.4.2"
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
- https://github.com/spiffe/spike
icon: https://spike.ist/assets/spike-banner.png
maintainers:
- name: kfox1111
email: Kevin.Fox@pnnl.gov

72
charts/spire/charts/spike-keeper/README.md
View File

@ -1,72 +0,0 @@
# spike-keeper
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
A Helm chart to deploy spike keepers
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
## Version support
> [!Note]
> This Chart is still in development and still subject to change the API (`values.yaml`).
> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
> we do aim for as much stability as possible.
| Dependency | Supported Versions |
|:-----------|:-------------------|
| Helm | `3.x` |
## Source Code
* <https://github.com/spiffe/spike>
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
## Parameters
### Chart parameters
| Name | Description | Value |
| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `image.repository` | The repository within the registry | `spiffe/spike-keeper` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `replicas` | The number of keepers to launch | `3` |
| `trustRoot.nexus` | Override which trustRoot Nexus is in | `""` |
| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `debug` |
| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` |
| `csiDriverName` | The csi driver to use | `csi.spiffe.io` |
| `imagePullSecrets` | Pull secrets for images | `[]` |
| `nameOverride` | Name override | `""` |
| `namespaceOverride` | Namespace override | `""` |
| `fullnameOverride` | Fullname override | `""` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
| `labels` | Labels for pods | `{}` |
| `podSecurityContext` | Pod security context | `{}` |
| `securityContext` | Security context | `{}` |
| `service.type` | Service type | `ClusterIP` |
| `service.port` | Service port | `443` |
| `service.annotations` | Annotations for service resource | `{}` |
| `nodeSelector` | (Optional) Select specific nodes to run on. | `{}` |
| `affinity` | Affinity rules | `{}` |
| `tolerations` | List of tolerations | `[]` |
| `topologySpreadConstraints` | List of topology spread constraints for resilience | `[]` |
| `startupProbe.enabled` | Enable startupProbe | `true` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `startupProbe.failureThreshold` | Failure threshold count for startupProbe | `6` |
| `startupProbe.successThreshold` | Success threshold count for startupProbe | `1` |
| `ingress.enabled` | Flag to enable ingress | `false` |
| `ingress.className` | Ingress class name | `""` |
| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
| `ingress.annotations` | Annotations | `{}` |
| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `keeper` |
| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
| `ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` |
| `ingress.tls` | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. | `[]` |

1
charts/spire/charts/spike-keeper/templates/NOTES.txt
View File

@ -1 +0,0 @@
Installed {{ .Chart.Name }}…

83
charts/spire/charts/spike-keeper/templates/_helpers.tpl
View File

@ -1,83 +0,0 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "spike-keeper.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "spike-keeper.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
*/}}
{{- define "spike-keeper.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
{{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
{{- .Values.global.spire.namespaces.server.name }}
{{- else }}
{{- printf "spire-server" }}
{{- end }}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "spike-keeper.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "spike-keeper.labels" -}}
helm.sh/chart: {{ include "spike-keeper.chart" . }}
{{ include "spike-keeper.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "spike-keeper.selectorLabels" -}}
app.kubernetes.io/name: {{ include "spike-keeper.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "spike-keeper.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "spike-keeper.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "spike-keeper.workload-api-socket-path" -}}
{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
{{- end }}

44
charts/spire/charts/spike-keeper/templates/ingress.yaml
View File

@ -1,44 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{ $root := . }}
{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }}
{{- $fullName := include "spike-keeper.fullname" . -}}
{{- $tlsSection := true }}
{{- $annotations := deepCopy .Values.ingress.annotations }}
{{- if eq $ingressControllerType "ingress-nginx" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
{{- else if eq $ingressControllerType "openshift" }}
{{- $path = "" }}
{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
{{- $tlsSection = false }}
{{- end }}
{{ $last := sub (.Values.replicas | int) 1 | int }}
{{ range (seq 0 ($last) | toString | split " ") }}
{{ $i := . }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}-{{ $i }}
namespace: {{ include "spike-keeper.namespace" $root }}
labels:
{{ include "spike-keeper.labels" $root | nindent 4}}
{{- with $annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- $host := $root.Values.ingress.host }}
{{- if contains "." $host }}
{{- $hostParts := regexSplit "[.]" $host 2 }}
{{- $host = printf "%s-%s.%s" (index $hostParts 0) $i (index $hostParts 1) }}
{{- else }}
{{- $host = printf "%s-%s" $host $i }}
{{- end }}
{{ $ingress := deepCopy $root.Values.ingress }}
{{ $_ := set $ingress "host" $host }}
{{ include "spire-lib.ingress-spec" (dict "ingress" $ingress "svcName" (printf "%s-%s" $fullName $i) "port" $root.Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" $root.Values) | nindent 2 }}
{{- end }}
{{- end }}

48
charts/spire/charts/spike-keeper/templates/service.yaml
View File

@ -1,48 +0,0 @@
{{ $root := . }}
{{ $last := sub (.Values.replicas | int) 1 | int }}
{{ range (seq 0 ($last) | toString | split " ") }}
{{ $i := . }}
---
apiVersion: v1
kind: Service
metadata:
namespace: {{ include "spike-keeper.namespace" $root }}
name: {{ include "spike-keeper.fullname" $root }}-{{ $i }}
{{- with $root.Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
apps.kubernetes.io/pod-index: {{ $i | quote }}
{{- include "spike-keeper.labels" $root | nindent 4 }}
spec:
type: {{ $root.Values.service.type }}
selector:
apps.kubernetes.io/pod-index: {{ $i | quote }}
{{- include "spike-keeper.selectorLabels" $root | nindent 4 }}
ports:
- name: {{ include "spike-keeper.fullname" $root }}
port: {{ $root.Values.service.port }}
targetPort: http
{{ end }}
---
apiVersion: v1
kind: Service
metadata:
namespace: {{ include "spike-keeper.namespace" $root }}
name: {{ include "spike-keeper.fullname" $root }}-headless
{{- with $root.Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "spike-keeper.labels" $root | nindent 4 }}
spec:
type: {{ $root.Values.service.type }}
clusterIP: None
selector:
{{- include "spike-keeper.selectorLabels" $root | nindent 4 }}
ports:
- name: {{ include "spike-keeper.fullname" $root }}
port: {{ $root.Values.service.port }}
targetPort: http

13
charts/spire/charts/spike-keeper/templates/serviceaccount.yaml
View File

@ -1,13 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "spike-keeper.serviceAccountName" . }}
namespace: {{ include "spike-keeper.namespace" . }}
labels:
{{- include "spike-keeper.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

84
charts/spire/charts/spike-keeper/templates/statefulset.yaml
View File

@ -1,84 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "spike-keeper.fullname" . }}
namespace: {{ include "spike-keeper.namespace" . }}
labels:
{{- include "spike-keeper.labels" . | nindent 4 }}
spec:
serviceName: {{ include "spike-keeper.fullname" . }}-headless
replicas: {{ .Values.replicas }}
selector:
matchLabels:
{{- include "spike-keeper.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "spike-keeper.selectorLabels" . | nindent 8 }}
release: {{ .Release.Name }}
release-namespace: {{ .Release.Namespace }}
component: spike-keeper
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "spike-keeper.serviceAccountName" . }}
securityContext:
{{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
containers:
- name: {{ include "spike-keeper.fullname" . }}
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
ports:
- name: http
containerPort: 8443
protocol: TCP
env:
- name: SPIFFE_ENDPOINT_SOCKET
value: unix://{{ include "spike-keeper.workload-api-socket-path" . }}
- name: SPIKE_SYSTEM_LOG_LEVEL
value: {{ .Values.logLevel | upper }}
- name: SPIKE_TRUST_ROOT
value: {{ include "spire-lib.trust-domain" . }}
- name: SPIKE_TRUST_ROOT_NEXUS
value: {{if eq .Values.trustRoot.nexus "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.nexus }}{{ end }}
- name: SPIKE_KEEPER_TLS_PORT
value: ":8443"
{{- if .Values.startupProbe.enabled }}
startupProbe:
tcpSocket:
port: 8443
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
successThreshold: {{ .Values.startupProbe.successThreshold }}
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
{{- end }}
volumeMounts:
- name: spiffe-workload-api
mountPath: {{ include "spike-keeper.workload-api-socket-path" . | dir }}
readOnly: true
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: spiffe-workload-api
csi:
driver: "{{ .Values.csiDriverName }}"
readOnly: true

139
charts/spire/charts/spike-keeper/values.yaml
View File

@ -1,139 +0,0 @@
# Default configuration for SPIKE Keeper
# SPDX-License-Identifier: APACHE-2.0
## @skip global
global: {}
## @section Chart parameters
##
## @param image.registry The OCI registry to pull the image from
## @param image.repository The repository within the registry
## @param image.pullPolicy The image pull policy
## @param image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: ghcr.io
repository: spiffe/spike-keeper
pullPolicy: IfNotPresent
tag: ""
## @param replicas The number of keepers to launch
replicas: 3
trustRoot:
## @param trustRoot.nexus Override which trustRoot Nexus is in
nexus: ""
## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
logLevel: debug
## @param agentSocketName The name of the spire-agent unix socket
agentSocketName: spire-agent.sock
## @param csiDriverName The csi driver to use
csiDriverName: csi.spiffe.io
## @param imagePullSecrets [array] Pull secrets for images
imagePullSecrets: []
## @param nameOverride Name override
nameOverride: ""
## @param namespaceOverride Namespace override
namespaceOverride: ""
## @param fullnameOverride Fullname override
fullnameOverride: ""
## @param serviceAccount.create Specifies whether a service account should be created
## @param serviceAccount.annotations [object] Annotations to add to the service account
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
##
serviceAccount:
create: true
annotations: {}
name: ""
## @param labels [object] Labels for pods
labels: {}
## @param podSecurityContext [object] Pod security context
podSecurityContext: {}
# fsGroup: 2000
## @param securityContext [object] Security context
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
## @param service.type Service type
## @param service.port Service port
## @param service.annotations Annotations for service resource
##
service:
type: ClusterIP
port: 443
annotations: {}
## @param nodeSelector (Optional) Select specific nodes to run on.
nodeSelector: {}
## @param affinity [object] Affinity rules
affinity: {}
## @param tolerations [array] List of tolerations
tolerations: []
## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
topologySpreadConstraints: []
## Provide minimal resources to prevent accidental crashes due to resource exhaustion
# resources:
# requests:
# cpu: 50m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 512Mi
## Configure extra options for startup probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
## @param startupProbe.enabled Enable startupProbe
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold count for startupProbe
## @param startupProbe.successThreshold Success threshold count for startupProbe
##
startupProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
## @param ingress.enabled Flag to enable ingress
## @param ingress.className Ingress class name
## @param ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
## @param ingress.annotations [object] Annotations
ingress:
enabled: false
className: ""
controllerType: ""
annotations: {}
## @param ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
host: "keeper"
## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
tlsSecret: ""
## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
hosts: []
## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
tls: []

13
charts/spire/charts/spike-nexus/Chart.yaml
View File

@ -1,13 +0,0 @@
apiVersion: v2
name: spike-nexus
description: A Helm chart to deploy SPIKE Nexus
type: application
version: 0.1.0
appVersion: "0.4.2"
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
- https://github.com/spiffe/spike
icon: https://spike.ist/assets/spike-banner.png
maintainers:
- name: kfox1111
email: Kevin.Fox@pnnl.gov

83
charts/spire/charts/spike-nexus/README.md
View File

@ -1,83 +0,0 @@
# spike-nexus
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
A Helm chart to deploy spike nexus
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
## Version support
> [!Note]
> This Chart is still in development and still subject to change the API (`values.yaml`).
> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
> we do aim for as much stability as possible.
| Dependency | Supported Versions |
|:-----------|:-------------------|
| Helm | `3.x` |
## Source Code
* <https://github.com/spiffe/spike>
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
## Parameters
### Chart parameters
| Name | Description | Value |
| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- |
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `image.repository` | The repository within the registry | `spiffe/spike-nexus` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `backendStore` | The backend store to use. Must be one of [sqlite, memory, lite] | `sqlite` |
| `replicas` | The number of keepers to launch | `1` |
| `shamir.shares` | How many shares to configure for shamir secrets | `3` |
| `shamir.threshold` | How many shares needed to recover | `2` |
| `keeperPeers` | Keeper peer configuration. If blank, it will be autodetected | `[]` |
| `trustRoot.nexus` | Override which trustRoot Nexus is in | `""` |
| `trustRoot.keepers` | Override which trustRoot Keepers are in | `[]` |
| `trustRoot.pilot` | Override which trustRoot Pilot is in | `""` |
| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `debug` |
| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` |
| `csiDriverName` | The csi driver to use | `csi.spiffe.io` |
| `imagePullSecrets` | Pull secrets for images | `[]` |
| `nameOverride` | Name override | `""` |
| `namespaceOverride` | Namespace override | `""` |
| `fullnameOverride` | Fullname override | `""` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
| `labels` | Labels for pods | `{}` |
| `podSecurityContext` | Pod security context | `{}` |
| `securityContext` | Security context | `{}` |
| `service.type` | Service type | `ClusterIP` |
| `service.port` | Service port | `443` |
| `service.annotations` | Annotations for service resource | `{}` |
| `nodeSelector` | (Optional) Select specific nodes to run on. | `{}` |
| `affinity` | Affinity rules | `{}` |
| `tolerations` | List of tolerations | `[]` |
| `topologySpreadConstraints` | List of topology spread constraints for resilience | `[]` |
| `startupProbe.enabled` | Enable startupProbe | `true` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `startupProbe.failureThreshold` | Failure threshold count for startupProbe | `6` |
| `startupProbe.successThreshold` | Success threshold count for startupProbe | `1` |
| `ingress.enabled` | Flag to enable ingress | `false` |
| `ingress.className` | Ingress class name | `""` |
| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
| `ingress.annotations` | Annotations | `{}` |
| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `nexus` |
| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
| `ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` |
| `ingress.tls` | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. | `[]` |
| `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` |
| `persistence.size` | What size volume to use for persistence | `1Gi` |
| `persistence.accessMode` | What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended) | `ReadWriteOnce` |
| `persistence.storageClass` | What storage class to use for persistence | `nil` |
| `persistence.hostPath` | Which path to use on the host when persistence.type = hostPath | `""` |

1
charts/spire/charts/spike-nexus/templates/NOTES.txt
View File

@ -1 +0,0 @@
Installed {{ .Chart.Name }}…

83
charts/spire/charts/spike-nexus/templates/_helpers.tpl
View File

@ -1,83 +0,0 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "spike-nexus.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "spike-nexus.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
*/}}
{{- define "spike-nexus.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
{{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
{{- .Values.global.spire.namespaces.server.name }}
{{- else }}
{{- printf "spire-server" }}
{{- end }}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "spike-nexus.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "spike-nexus.labels" -}}
helm.sh/chart: {{ include "spike-nexus.chart" . }}
{{ include "spike-nexus.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "spike-nexus.selectorLabels" -}}
app.kubernetes.io/name: {{ include "spike-nexus.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "spike-nexus.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "spike-nexus.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "spike-nexus.workload-api-socket-path" -}}
{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
{{- end }}

31
charts/spire/charts/spike-nexus/templates/ingress.yaml
View File

@ -1,31 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{ $root := . }}
{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }}
{{- $fullName := include "spike-nexus.fullname" . -}}
{{- $tlsSection := true }}
{{- $annotations := deepCopy .Values.ingress.annotations }}
{{- if eq $ingressControllerType "ingress-nginx" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
{{- else if eq $ingressControllerType "openshift" }}
{{- $path = "" }}
{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
{{- $tlsSection = false }}
{{- end }}
{{ $last := sub (.Values.replicas | int) 1 | int }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "spike-nexus.namespace" $root }}
labels:
{{ include "spike-nexus.labels" $root | nindent 4}}
{{- with $annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" $root.Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" $root.Values) | nindent 2 }}
{{- end }}

20
charts/spire/charts/spike-nexus/templates/service.yaml
View File

@ -1,20 +0,0 @@
{{ $root := . }}
apiVersion: v1
kind: Service
metadata:
namespace: {{ include "spike-nexus.namespace" $root }}
name: {{ include "spike-nexus.fullname" $root }}
{{- with $root.Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "spike-nexus.labels" $root | nindent 4 }}
spec:
type: {{ $root.Values.service.type }}
selector:
{{- include "spike-nexus.selectorLabels" $root | nindent 4 }}
ports:
- name: {{ include "spike-nexus.fullname" $root }}
port: {{ $root.Values.service.port }}
targetPort: http

13
charts/spire/charts/spike-nexus/templates/serviceaccount.yaml
View File

@ -1,13 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "spike-nexus.serviceAccountName" . }}
namespace: {{ include "spike-nexus.namespace" . }}
labels:
{{- include "spike-nexus.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

114
charts/spire/charts/spike-nexus/templates/statefulset.yaml
View File

@ -1,114 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "spike-nexus.fullname" . }}
namespace: {{ include "spike-nexus.namespace" . }}
labels:
{{- include "spike-nexus.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
{{- include "spike-nexus.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "spike-nexus.selectorLabels" . | nindent 8 }}
release: {{ .Release.Name }}
release-namespace: {{ .Release.Namespace }}
component: spike-nexus
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "spike-nexus.serviceAccountName" . }}
securityContext:
{{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
containers:
- name: {{ include "spike-nexus.fullname" . }}
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
ports:
- name: http
containerPort: 8443
protocol: TCP
env:
- name: SPIKE_NEXUS_BACKEND_STORE
value: {{ .Values.backendStore | quote }}
- name: SPIKE_NEXUS_SHAMIR_SHARES
value: {{ .Values.shamir.shares | quote }}
- name: SPIKE_NEXUS_SHAMIR_THRESHOLD
value: {{ .Values.shamir.threshold | quote }}
# Note: IP will depend on the testbed.
- name: SPIKE_NEXUS_KEEPER_PEERS
{{- if gt (len .Values.keeperPeers) 0 }}
value: {{ .Values.keeperPeers | join "," | quote }}
{{- else }}
value: https://{{ .Release.Name }}-spike-keeper-0.{{ .Release.Name }}-spike-keeper-headless:8443,https://{{ .Release.Name }}-spike-keeper-1.{{ .Release.Name }}-spike-keeper-headless:8443,https://{{ .Release.Name }}-spike-keeper-2.{{ .Release.Name }}-spike-keeper-headless:8443
{{- end }}
- name: SPIFFE_ENDPOINT_SOCKET
value: unix://{{ include "spike-nexus.workload-api-socket-path" . }}
- name: SPIKE_SYSTEM_LOG_LEVEL
value: {{ .Values.logLevel | upper }}
- name: SPIKE_TRUST_ROOT
value: {{ include "spire-lib.trust-domain" . }}
- name: SPIKE_TRUST_ROOT_KEEPER
value: {{ if gt (len .Values.trustRoot.keepers) 0 }}{{ .Values.trustRoot.keepers | join "," | quote}}{{ else }}{{ include "spire-lib.trust-domain" . }}{{ end }}
- name: SPIKE_TRUST_ROOT_PILOT
value: {{if eq .Values.trustRoot.pilot "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.pilot }}{{ end }}
- name: SPIKE_NEXUS_TLS_PORT
value: ":8443"
{{- if .Values.startupProbe.enabled }}
startupProbe:
tcpSocket:
port: 8443
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
successThreshold: {{ .Values.startupProbe.successThreshold }}
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
{{- end }}
volumeMounts:
- name: spiffe-workload-api
mountPath: {{ include "spike-nexus.workload-api-socket-path" . | dir }}
readOnly: true
- name: nexus-data
mountPath: /.spike
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: spiffe-workload-api
csi:
driver: "{{ .Values.csiDriverName }}"
readOnly: true
volumeClaimTemplates:
- metadata:
name: nexus-data
spec:
accessModes:
- {{ .Values.persistence.accessMode | default "ReadWriteOnce" }}
resources:
requests:
storage: {{ .Values.persistence.size }}
{{- $storageClass := (dig "spire" "persistence" "storageClass" nil .Values.global) | default .Values.persistence.storageClass }}
{{- if $storageClass }}
storageClassName: {{ $storageClass }}
{{- end }}

175
charts/spire/charts/spike-nexus/values.yaml
View File

@ -1,175 +0,0 @@
# Default configuration for SPIKE Keeper
# SPDX-License-Identifier: APACHE-2.0
## @skip global
global: {}
## @section Chart parameters
##
## @param image.registry The OCI registry to pull the image from
## @param image.repository The repository within the registry
## @param image.pullPolicy The image pull policy
## @param image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: ghcr.io
repository: spiffe/spike-nexus
pullPolicy: IfNotPresent
tag: ""
## @param backendStore The backend store to use. Must be one of [sqlite, memory, lite]
backendStore: sqlite
## @param replicas The number of keepers to launch
replicas: 1
shamir:
## @param shamir.shares How many shares to configure for shamir secrets
shares: 3
## @param shamir.threshold How many shares needed to recover
threshold: 2
## @param keeperPeers Keeper peer configuration. If blank, it will be autodetected
keeperPeers: []
trustRoot:
## @param trustRoot.nexus Override which trustRoot Nexus is in
nexus: ""
## @param trustRoot.keepers Override which trustRoot Keepers are in
keepers: []
## @param trustRoot.pilot Override which trustRoot Pilot is in
pilot: ""
## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
logLevel: debug
## @param agentSocketName The name of the spire-agent unix socket
agentSocketName: spire-agent.sock
## @param csiDriverName The csi driver to use
csiDriverName: csi.spiffe.io
## @param imagePullSecrets [array] Pull secrets for images
imagePullSecrets: []
## @param nameOverride Name override
nameOverride: ""
## @param namespaceOverride Namespace override
namespaceOverride: ""
## @param fullnameOverride Fullname override
fullnameOverride: ""
## @param serviceAccount.create Specifies whether a service account should be created
## @param serviceAccount.annotations [object] Annotations to add to the service account
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
##
serviceAccount:
create: true
annotations: {}
name: ""
## @param labels [object] Labels for pods
labels: {}
## @param podSecurityContext [object] Pod security context
podSecurityContext: {}
# fsGroup: 2000
## @param securityContext [object] Security context
securityContext:
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
## @param service.type Service type
## @param service.port Service port
## @param service.annotations Annotations for service resource
##
service:
type: ClusterIP
port: 443
annotations: {}
## @param nodeSelector (Optional) Select specific nodes to run on.
nodeSelector: {}
## @param affinity [object] Affinity rules
affinity: {}
## @param tolerations [array] List of tolerations
tolerations: []
## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
topologySpreadConstraints: []
## Provide minimal resources to prevent accidental crashes due to resource exhaustion
# resources:
# requests:
# cpu: 50m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 512Mi
## Configure extra options for startup probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
## @param startupProbe.enabled Enable startupProbe
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold count for startupProbe
## @param startupProbe.successThreshold Success threshold count for startupProbe
##
startupProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
## @param ingress.enabled Flag to enable ingress
## @param ingress.className Ingress class name
## @param ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
## @param ingress.annotations [object] Annotations
ingress:
enabled: false
className: ""
controllerType: ""
annotations: {}
## @param ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
host: "nexus"
## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
tlsSecret: ""
## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
hosts: []
# - host: nexus.example.org
# paths:
# - path: /
# pathType: Prefix
## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
tls: []
# - secretName: chart-example-tls
# hosts:
# - nexus.example.org
## @param persistence.type What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only)
## @param persistence.size What size volume to use for persistence
## @param persistence.accessMode What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended)
## @param persistence.storageClass What storage class to use for persistence
## @param persistence.hostPath Which path to use on the host when persistence.type = hostPath
##
persistence:
type: pvc
size: 1Gi
accessMode: ReadWriteOnce
storageClass: null
hostPath: ""

13
charts/spire/charts/spike-pilot/Chart.yaml
View File

@ -1,13 +0,0 @@
apiVersion: v2
name: spike-pilot
description: A Helm chart to deploy SPIKE Pilot
type: application
version: 0.1.0
appVersion: "0.4.2"
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
- https://github.com/spiffe/spike
icon: https://spike.ist/assets/spike-banner.png
maintainers:
- name: kfox1111
email: Kevin.Fox@pnnl.gov

63
charts/spire/charts/spike-pilot/README.md
View File

@ -1,63 +0,0 @@
# spike-pilot
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
A Helm chart to deploy spike pilot
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
## Version support
> [!Note]
> This Chart is still in development and still subject to change the API (`values.yaml`).
> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
> we do aim for as much stability as possible.
| Dependency | Supported Versions |
|:-----------|:-------------------|
| Helm | `3.x` |
## Source Code
* <https://github.com/spiffe/spike>
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
## Parameters
### Chart parameters
| Name | Description | Value |
| -------------------------------- | ------------------------------------------------------------------------------------------- | -------------------- |
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `image.repository` | The repository within the registry | `spiffe/spike-pilot` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `shell.image.registry` | The OCI registry to pull the image from | `""` |
| `shell.image.repository` | The repository within the registry | `busybox` |
| `shell.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `shell.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.37.0-uclibc` |
| `tools.busybox.image.registry` | The OCI registry to pull the image from | `""` |
| `tools.busybox.image.repository` | The repository within the registry | `busybox` |
| `tools.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tools.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.37.0-uclibc` |
| `replicas` | The number of keepers to launch | `1` |
| `trustRoot.nexus` | Override which trustRoot Nexus is in | `""` |
| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `debug` |
| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` |
| `csiDriverName` | The csi driver to use | `csi.spiffe.io` |
| `imagePullSecrets` | Pull secrets for images | `[]` |
| `nameOverride` | Name override | `""` |
| `namespaceOverride` | Namespace override | `""` |
| `fullnameOverride` | Fullname override | `""` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
| `labels` | Labels for pods | `{}` |
| `podSecurityContext` | Pod security context | `{}` |
| `securityContext` | Security context | `{}` |
| `nodeSelector` | (Optional) Select specific nodes to run on. | `{}` |
| `affinity` | Affinity rules | `{}` |
| `tolerations` | List of tolerations | `[]` |
| `topologySpreadConstraints` | List of topology spread constraints for resilience | `[]` |

Some files were not shown because too many files have changed in this diff Show More