Compare commits
34 Commits
spire-0.25
...
main
| Author | SHA1 | Date |
|---|---|---|
spire-helm-version-checker[bot]
|
86f0aecc57 | |
Eric Cavalcanti
|
3ef5fe6c49 | |
Faisal Memon
|
8443881250 | |
|
Faisal Memon
|
28c65d3458 | |
|
Faisal Memon
|
acfcc9d0a4 | |
|
spire-helm-version-checker[bot]
|
64b9c400cc | |
dependabot[bot]
|
0404934d37 | |
kfox1111
|
d516de01bd | |
|
spire-helm-version-checker[bot]
|
8904b96be8 | |
|
Eric Cavalcanti
|
6581b117a0 | |
|
Eric Cavalcanti
|
d2913ffca0 | |
|
spire-helm-version-checker[bot]
|
3218db7bbb | |
|
Eric Cavalcanti
|
57a61438be | |
|
Eric Cavalcanti
|
9a8e5a8398 | |
|
dependabot[bot]
|
b1f95b2c6b | |
Marco Franssen
|
093c593ff6 | |
|
Marco Franssen
|
a7d536c025 | |
|
spire-helm-version-checker[bot]
|
fc1791f2eb | |
|
Faisal Memon
|
d1f5c7e93d | |
|
Faisal Memon
|
88f0108e10 | |
Alan Cha
|
255106da84 | |
|
kfox1111
|
f37d681bc2 | |
|
kfox1111
|
892051c466 | |
|
spire-helm-version-checker[bot]
|
b74b10a0f6 | |
|
kfox1111
|
e78400ebcd | |
|
spire-helm-version-checker[bot]
|
38314ed6de | |
|
dependabot[bot]
|
fccc154b22 | |
|
spire-helm-version-checker[bot]
|
bfd08bcfd1 | |
|
spire-helm-version-checker[bot]
|
971e4be7d3 | |
|
dependabot[bot]
|
c19c7d51d9 | |
|
kfox1111
|
858eb2e4f6 | |
|
Faisal Memon
|
ce9b3737ff | |
|
dependabot[bot]
|
c8bb71bef7 | |
Pratik Lotia
|
ffe4390136 |
|
|
@ -2,16 +2,16 @@
|
|||
{
|
||||
"name": "kube-prometheus-stack",
|
||||
"repo": "https://prometheus-community.github.io/helm-charts",
|
||||
"version": "72.5.0"
|
||||
"version": "75.15.1"
|
||||
},
|
||||
{
|
||||
"name": "cert-manager",
|
||||
"repo": "https://charts.jetstack.io",
|
||||
"version": "v1.17.2"
|
||||
"version": "v1.18.2"
|
||||
},
|
||||
{
|
||||
"name": "ingress-nginx",
|
||||
"repo": "https://kubernetes.github.io/ingress-nginx",
|
||||
"version": "4.12.2"
|
||||
"version": "4.13.0"
|
||||
}
|
||||
]
|
||||
|
|
|
|||
|
|
@ -7,13 +7,13 @@
|
|||
},
|
||||
{
|
||||
"query": "chown.image",
|
||||
"filter": "LATESTSHA",
|
||||
"sort-flags": []
|
||||
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
|
||||
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
|
||||
},
|
||||
{
|
||||
"query": "tools.bash.image",
|
||||
"filter": "LATESTSHA",
|
||||
"sort-flags": []
|
||||
"query": "tools.busybox.image",
|
||||
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
|
||||
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
|
||||
}
|
||||
],
|
||||
"spire-agent/values.yaml": [
|
||||
|
|
|
|||
|
|
@ -2,16 +2,16 @@
|
|||
{
|
||||
"name": "mysql",
|
||||
"registry": "docker.io/bitnamicharts/mysql",
|
||||
"version": "13.0.0"
|
||||
"version": "14.0.0"
|
||||
},
|
||||
{
|
||||
"name": "postgresql",
|
||||
"registry": "docker.io/bitnamicharts/postgresql",
|
||||
"version": "16.7.4"
|
||||
"version": "16.7.9"
|
||||
},
|
||||
{
|
||||
"name": "envoy-gateway",
|
||||
"registry": "docker.io/envoyproxy/gateway-helm",
|
||||
"version": "v1.4.0"
|
||||
"version": "v1.4.2"
|
||||
}
|
||||
]
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ type: application
|
|||
# This is the chart version. This version number should be incremented each time you make changes
|
||||
# to the chart and its templates, including the app version.
|
||||
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
||||
version: 0.1.0
|
||||
version: 0.1.1
|
||||
|
||||
# This is the version number of the application being deployed. This version number should be
|
||||
# incremented each time you make changes to the application. Versions are not expected to
|
||||
|
|
|
|||
|
|
@ -123,8 +123,8 @@ kubectl:
|
|||
## @param kubectl.image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: rancher/kubectl
|
||||
registry: registry.k8s.io
|
||||
repository: kubectl
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
|
||||
|
|
|
|||
|
|
@ -3,8 +3,8 @@ name: spire-nested
|
|||
description: >
|
||||
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
|
||||
type: application
|
||||
version: 0.25.0
|
||||
appVersion: "1.12.2"
|
||||
version: 0.26.1
|
||||
appVersion: "1.12.4"
|
||||
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
sources:
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# spire
|
||||
|
||||
  
|
||||
  
|
||||
[](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
|
||||
|
||||
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
|
||||
|
|
@ -350,6 +350,6 @@ Now you can interact with the Spire agent socket from your own application. The
|
|||
| `external-spire-server.upstreamAuthority.spire.enabled` | Enable upstream SPIRE server | `true` |
|
||||
| `external-spire-server.upstreamAuthority.spire.upstreamDriver` | Use an upstream driver for authentication | `upstream.csi.spiffe.io` |
|
||||
| `external-spire-server.upstreamAuthority.spire.server.nameOverride` | The name override setting of the root SPIRE server | `root-server` |
|
||||
| `external-spire-server.notifier.k8sBundle.enabled` | Enable local k8s bundle uploader | `false` |
|
||||
| `external-spire-server.bundlePublisher.k8sConfigMap.enabled` | Enable local k8s bundle uploader | `false` |
|
||||
| `external-spire-server.nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s nodeattestor | `false` |
|
||||
| `external-spire-server.nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `true` |
|
||||
|
|
|
|||
|
|
@ -384,9 +384,9 @@ external-spire-server:
|
|||
server:
|
||||
## @param external-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server
|
||||
nameOverride: root-server
|
||||
notifier:
|
||||
k8sBundle:
|
||||
## @param external-spire-server.notifier.k8sBundle.enabled Enable local k8s bundle uploader
|
||||
bundlePublisher:
|
||||
k8sConfigMap:
|
||||
## @param external-spire-server.bundlePublisher.k8sConfigMap.enabled Enable local k8s bundle uploader
|
||||
enabled: false
|
||||
nodeAttestor:
|
||||
k8sPSAT:
|
||||
|
|
|
|||
|
|
@ -3,8 +3,8 @@ name: spire
|
|||
description: >
|
||||
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
|
||||
type: application
|
||||
version: 0.25.0
|
||||
appVersion: "1.12.2"
|
||||
version: 0.26.1
|
||||
appVersion: "1.12.4"
|
||||
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
sources:
|
||||
|
|
@ -55,6 +55,18 @@ dependencies:
|
|||
condition: tornjak-frontend.enabled
|
||||
repository: file://./charts/tornjak-frontend
|
||||
version: 0.1.0
|
||||
- name: spike-keeper
|
||||
condition: spike-keeper.enabled
|
||||
repository: file://./charts/spike-keeper
|
||||
version: 0.1.0
|
||||
- name: spike-nexus
|
||||
condition: spike-nexus.enabled
|
||||
repository: file://./charts/spike-nexus
|
||||
version: 0.1.0
|
||||
- name: spike-pilot
|
||||
condition: spike-pilot.enabled
|
||||
repository: file://./charts/spike-pilot
|
||||
version: 0.1.0
|
||||
annotations:
|
||||
artifacthub.io/category: security
|
||||
artifacthub.io/license: Apache-2.0
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# spire
|
||||
|
||||
  
|
||||
  
|
||||
[](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
|
||||
|
||||
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
|
||||
|
|
@ -24,11 +24,6 @@ Preparing a production deployment requires a few steps.
|
|||
|
||||
1. Save the following to your-values.yaml, ideally in your git repo.
|
||||
|
||||
> [!NOTE]
|
||||
> Please note that `rancher/kubectl` image does not always correspond to the most
|
||||
> recent version of Kubernetes. In order to find the most up-to-date version,
|
||||
> please visit their [releases](https://github.com/rancher/kubectl/releases) page.
|
||||
|
||||
```yaml
|
||||
global:
|
||||
openshift: false # If running on openshift, set to true
|
||||
|
|
@ -45,10 +40,6 @@ global:
|
|||
country: ARPA
|
||||
organization: Example
|
||||
commonName: example.org
|
||||
# If rancher/kubectl doesn't have a version that matches your cluster, uncomment and update:
|
||||
# tools:
|
||||
# kubectl:
|
||||
# tag: "v1.23.3"
|
||||
```
|
||||
|
||||
2. If you need a non default storageClass, append the following to the global.spire section and update:
|
||||
|
|
@ -88,6 +79,11 @@ kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeid
|
|||
|
||||
We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see <https://spiffe.io/docs/latest/spire-helm-charts-hardened-about/upgrading/> for details.
|
||||
|
||||
### 0.26.X
|
||||
|
||||
- The notifier.k8sBundle plugin has been deprecated in favor of bundlePublisher.k8sConfigMap. The only features it does not provide are the settings `apiServiceLabel` and `webhookLabel`. If you are using either of these two features, set the chart to use the notifier.k8sBundle plugin again, and let us know. We don't think anyone is using these features.
|
||||
- The default trust bundle format has been changed to `spiffe`. This switch should be transparent unless you ware fetching the bundle from the configmap manually, or have a nested setup and dont upgrade the root, then child clusters in short order.
|
||||
|
||||
### 0.24.X
|
||||
|
||||
- You must upgrade [spire-crds](https://artifacthub.io/packages/helm/spiffe/spire-crds) to 0.5.0+ before performing this upgrade.
|
||||
|
|
@ -373,3 +369,21 @@ Now you can interact with the Spire agent socket from your own application. The
|
|||
| Name | Description | Value |
|
||||
| -------------------------- | -------------------------------------------------------------- | ------- |
|
||||
| `tornjak-frontend.enabled` | Enables deployment of Tornjak frontend/UI (Not for production) | `false` |
|
||||
|
||||
### SPIKE Keeper parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ---------------------- | ------------------------------------------------------- | ------- |
|
||||
| `spike-keeper.enabled` | Enables deployment of SPIKE Keeper (Not for production) | `false` |
|
||||
|
||||
### SPIKE Nexus parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| --------------------- | ------------------------------------------------------ | ------- |
|
||||
| `spike-nexus.enabled` | Enables deployment of SPIKE Nexus (Not for production) | `false` |
|
||||
|
||||
### SPIKE Pilot parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| --------------------- | ------------------------------------------------------ | ------- |
|
||||
| `spike-pilot.enabled` | Enables deployment of SPIKE Pilot (Not for production) | `false` |
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider
|
|||
description: A Helm chart to install the SPIFFE OIDC discovery provider.
|
||||
type: application
|
||||
version: 0.1.0
|
||||
appVersion: "1.12.2"
|
||||
appVersion: "1.12.4"
|
||||
keywords: ["spiffe", "oidc"]
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
sources:
|
||||
|
|
|
|||
|
|
@ -29,6 +29,8 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
|
|||
| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
|
||||
| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` |
|
||||
| `csiDriverName` | The csi driver to use | `csi.spiffe.io` |
|
||||
| `bundleSource` | Configure where to fetch the trust bundle from. Must be CSI or ConfigMap. | `CSI` |
|
||||
| `bundleConfigMap` | ConfigMap name for SPIRE bundle when bundleSource is ConfigMap | `spire-bundle` |
|
||||
| `replicaCount` | Replica count | `1` |
|
||||
| `namespaceOverride` | Namespace override | `""` |
|
||||
| `annotations` | Annotations for the deployment | `{}` |
|
||||
|
|
@ -41,7 +43,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
|
|||
| `spiffeHelper.image.registry` | The OCI registry to pull the image from | `ghcr.io` |
|
||||
| `spiffeHelper.image.repository` | The repository within the registry | `spiffe/spiffe-helper` |
|
||||
| `spiffeHelper.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `spiffeHelper.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.10.0` |
|
||||
| `spiffeHelper.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.10.1` |
|
||||
| `spiffeHelper.resources` | Resource requests and limits | `{}` |
|
||||
| `resources` | Resource requests and limits | `{}` |
|
||||
| `service.type` | Service type | `ClusterIP` |
|
||||
|
|
@ -71,7 +73,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
|
|||
| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` |
|
||||
| `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` |
|
||||
| `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. | `IfNotPresent` |
|
||||
| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.28.0-alpine` |
|
||||
| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.29.0-alpine` |
|
||||
| `insecureScheme.nginx.ipMode` | IP modes supported by the cluster. Must be one of [ipv4, ipv6, both] | `both` |
|
||||
| `insecureScheme.nginx.resources` | Resource requests and limits | `{}` |
|
||||
| `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` |
|
||||
|
|
@ -120,15 +122,15 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
|
|||
| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
|
||||
| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:57ed0cb7b67f52ea7678128da5c4cf99c1a71d269db92a6a40c179fa57f00ce4` |
|
||||
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
|
||||
| `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` |
|
||||
| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3e5ee5ed41e764999f8e499b48d2e62d1f8ffd526aad5b4c3aa7a0759e0139db` |
|
||||
| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53` |
|
||||
| `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` |
|
||||
| `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` |
|
||||
| `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.28.6` |
|
||||
| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.28.7` |
|
||||
| `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` |
|
||||
| `tests.busybox.image.repository` | The repository within the registry | `busybox` |
|
||||
| `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
|
|
@ -137,7 +139,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
|
|||
| `tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` |
|
||||
| `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
|
||||
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
|
||||
| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
|
||||
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
|
||||
| `tools.kubectl.image.repository` | The repository within the registry | `kubectl` |
|
||||
| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
{{- if and (ne .Values.bundleSource "ConfigMap") (ne .Values.bundleSource "CSI") }}
|
||||
{{- fail "Bundle source must be CSI or ConfigmMap" }}
|
||||
{{- end }}
|
||||
{{- $tlsCount := 0 }}
|
||||
{{- if and .Values.enabled .Values.tls.spire.enabled }}
|
||||
{{- $tlsCount = add $tlsCount 1 }}
|
||||
|
|
@ -44,9 +47,14 @@ serving_cert_file:
|
|||
jwks_uri: {{ .Values.config.jwksUri | quote }}
|
||||
{{- end }}
|
||||
|
||||
{{- if eq .Values.bundleSource "ConfigMap" }}
|
||||
file:
|
||||
path: /bundle/bundle.spiffe
|
||||
{{- else }}
|
||||
workload_api:
|
||||
socket_path: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | quote }}
|
||||
trust_domain: {{ include "spire-lib.trust-domain" . | quote }}
|
||||
{{- end }}
|
||||
|
||||
health_checks:
|
||||
bind_port: "8008"
|
||||
|
|
|
|||
|
|
@ -86,9 +86,15 @@ spec:
|
|||
name: https
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- if eq .Values.bundleSource "ConfigMap" }}
|
||||
- name: spiffe-bundle
|
||||
mountPath: /bundle
|
||||
readOnly: true
|
||||
{{- else }}
|
||||
- name: spiffe-workload-api
|
||||
mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: spire-oidc-sockets
|
||||
mountPath: /run/spire/oidc-sockets
|
||||
readOnly: false
|
||||
|
|
@ -171,10 +177,17 @@ spec:
|
|||
{{- end }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if or .Values.tls.spire.enabled (eq .Values.bundleSource "CSI") }}
|
||||
- name: spiffe-workload-api
|
||||
csi:
|
||||
driver: "{{ .Values.csiDriverName }}"
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if eq .Values.bundleSource "ConfigMap" }}
|
||||
- name: spiffe-bundle
|
||||
configMap:
|
||||
name: {{ include "spire-lib.bundle-configmap" . }}
|
||||
{{- end }}
|
||||
- name: spire-oidc-sockets
|
||||
emptyDir: {}
|
||||
- name: spire-oidc-config
|
||||
|
|
|
|||
|
|
@ -11,6 +11,12 @@ agentSocketName: spire-agent.sock
|
|||
## @param csiDriverName The csi driver to use
|
||||
csiDriverName: csi.spiffe.io
|
||||
|
||||
## @param bundleSource Configure where to fetch the trust bundle from. Must be CSI or ConfigMap.
|
||||
bundleSource: CSI
|
||||
|
||||
## @param bundleConfigMap ConfigMap name for SPIRE bundle when bundleSource is ConfigMap
|
||||
bundleConfigMap: spire-bundle
|
||||
|
||||
## @param replicaCount Replica count
|
||||
replicaCount: 1
|
||||
|
||||
|
|
@ -47,7 +53,7 @@ spiffeHelper:
|
|||
registry: ghcr.io
|
||||
repository: spiffe/spiffe-helper
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 0.10.0
|
||||
tag: 0.10.1
|
||||
## @param spiffeHelper.resources [object] Resource requests and limits
|
||||
resources: {}
|
||||
|
||||
|
|
@ -170,7 +176,7 @@ insecureScheme:
|
|||
registry: docker.io
|
||||
repository: nginxinc/nginx-unprivileged
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 1.28.0-alpine
|
||||
tag: 1.29.0-alpine
|
||||
## @param insecureScheme.nginx.ipMode IP modes supported by the cluster. Must be one of [ipv4, ipv6, both]
|
||||
ipMode: both
|
||||
## @param insecureScheme.nginx.resources Resource requests and limits
|
||||
|
|
@ -340,7 +346,7 @@ tests:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/bash
|
||||
pullPolicy: IfNotPresent
|
||||
tag: latest@sha256:57ed0cb7b67f52ea7678128da5c4cf99c1a71d269db92a6a40c179fa57f00ce4
|
||||
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
|
||||
|
||||
toolkit:
|
||||
## @param tests.toolkit.image.registry The OCI registry to pull the image from
|
||||
|
|
@ -352,7 +358,7 @@ tests:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/min-toolkit-debug
|
||||
pullPolicy: IfNotPresent
|
||||
tag: latest@sha256:3e5ee5ed41e764999f8e499b48d2e62d1f8ffd526aad5b4c3aa7a0759e0139db
|
||||
tag: latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53
|
||||
|
||||
step:
|
||||
## @param tests.step.image.registry The OCI registry to pull the image from
|
||||
|
|
@ -364,7 +370,7 @@ tests:
|
|||
registry: "docker.io"
|
||||
repository: smallstep/step-cli
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 0.28.6
|
||||
tag: 0.28.7
|
||||
|
||||
busybox:
|
||||
## @param tests.busybox.image.registry The OCI registry to pull the image from
|
||||
|
|
@ -398,7 +404,7 @@ tools:
|
|||
## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: rancher/kubectl
|
||||
registry: registry.k8s.io
|
||||
repository: kubectl
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v2
|
||||
name: spike-keeper
|
||||
description: A Helm chart to deploy SPIKE Keeper
|
||||
type: application
|
||||
version: 0.1.0
|
||||
appVersion: "0.4.2"
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
sources:
|
||||
- https://github.com/spiffe/spike
|
||||
icon: https://spike.ist/assets/spike-banner.png
|
||||
maintainers:
|
||||
- name: kfox1111
|
||||
email: Kevin.Fox@pnnl.gov
|
||||
|
|
@ -0,0 +1,72 @@
|
|||
# spike-keeper
|
||||
|
||||
  
|
||||
[](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
|
||||
|
||||
A Helm chart to deploy spike keepers
|
||||
|
||||
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
|
||||
|
||||
## Version support
|
||||
|
||||
> [!Note]
|
||||
> This Chart is still in development and still subject to change the API (`values.yaml`).
|
||||
> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
|
||||
> we do aim for as much stability as possible.
|
||||
|
||||
| Dependency | Supported Versions |
|
||||
|:-----------|:-------------------|
|
||||
| Helm | `3.x` |
|
||||
|
||||
## Source Code
|
||||
|
||||
* <https://github.com/spiffe/spike>
|
||||
|
||||
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
|
||||
|
||||
## Parameters
|
||||
|
||||
### Chart parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
|
||||
| `image.repository` | The repository within the registry | `spiffe/spike-keeper` |
|
||||
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
|
||||
| `replicas` | The number of keepers to launch | `3` |
|
||||
| `trustRoot.nexus` | Override which trustRoot Nexus is in | `""` |
|
||||
| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `debug` |
|
||||
| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` |
|
||||
| `csiDriverName` | The csi driver to use | `csi.spiffe.io` |
|
||||
| `imagePullSecrets` | Pull secrets for images | `[]` |
|
||||
| `nameOverride` | Name override | `""` |
|
||||
| `namespaceOverride` | Namespace override | `""` |
|
||||
| `fullnameOverride` | Fullname override | `""` |
|
||||
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
|
||||
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
|
||||
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
|
||||
| `labels` | Labels for pods | `{}` |
|
||||
| `podSecurityContext` | Pod security context | `{}` |
|
||||
| `securityContext` | Security context | `{}` |
|
||||
| `service.type` | Service type | `ClusterIP` |
|
||||
| `service.port` | Service port | `443` |
|
||||
| `service.annotations` | Annotations for service resource | `{}` |
|
||||
| `nodeSelector` | (Optional) Select specific nodes to run on. | `{}` |
|
||||
| `affinity` | Affinity rules | `{}` |
|
||||
| `tolerations` | List of tolerations | `[]` |
|
||||
| `topologySpreadConstraints` | List of topology spread constraints for resilience | `[]` |
|
||||
| `startupProbe.enabled` | Enable startupProbe | `true` |
|
||||
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
|
||||
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
|
||||
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
|
||||
| `startupProbe.failureThreshold` | Failure threshold count for startupProbe | `6` |
|
||||
| `startupProbe.successThreshold` | Success threshold count for startupProbe | `1` |
|
||||
| `ingress.enabled` | Flag to enable ingress | `false` |
|
||||
| `ingress.className` | Ingress class name | `""` |
|
||||
| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
|
||||
| `ingress.annotations` | Annotations | `{}` |
|
||||
| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `keeper` |
|
||||
| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
|
||||
| `ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` |
|
||||
| `ingress.tls` | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. | `[]` |
|
||||
|
|
@ -0,0 +1 @@
|
|||
Installed {{ .Chart.Name }}…
|
||||
|
|
@ -0,0 +1,83 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "spike-keeper.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "spike-keeper.fullname" -}}
|
||||
{{- if .Values.fullnameOverride }}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride }}
|
||||
{{- if contains $name .Release.Name }}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
|
||||
*/}}
|
||||
{{- define "spike-keeper.namespace" -}}
|
||||
{{- if .Values.namespaceOverride -}}
|
||||
{{- .Values.namespaceOverride -}}
|
||||
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
|
||||
{{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
|
||||
{{- .Values.global.spire.namespaces.server.name }}
|
||||
{{- else }}
|
||||
{{- printf "spire-server" }}
|
||||
{{- end }}
|
||||
{{- else -}}
|
||||
{{- .Release.Namespace -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "spike-keeper.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "spike-keeper.labels" -}}
|
||||
helm.sh/chart: {{ include "spike-keeper.chart" . }}
|
||||
{{ include "spike-keeper.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "spike-keeper.selectorLabels" -}}
|
||||
app.kubernetes.io/name: {{ include "spike-keeper.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "spike-keeper.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "spike-keeper.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "spike-keeper.workload-api-socket-path" -}}
|
||||
{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
{{- if .Values.ingress.enabled -}}
|
||||
{{ $root := . }}
|
||||
{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }}
|
||||
{{- $fullName := include "spike-keeper.fullname" . -}}
|
||||
{{- $tlsSection := true }}
|
||||
{{- $annotations := deepCopy .Values.ingress.annotations }}
|
||||
{{- if eq $ingressControllerType "ingress-nginx" }}
|
||||
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
|
||||
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
|
||||
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
|
||||
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
|
||||
{{- else if eq $ingressControllerType "openshift" }}
|
||||
{{- $path = "" }}
|
||||
{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
|
||||
{{- $tlsSection = false }}
|
||||
{{- end }}
|
||||
{{ $last := sub (.Values.replicas | int) 1 | int }}
|
||||
{{ range (seq 0 ($last) | toString | split " ") }}
|
||||
{{ $i := . }}
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ $fullName }}-{{ $i }}
|
||||
namespace: {{ include "spike-keeper.namespace" $root }}
|
||||
labels:
|
||||
{{ include "spike-keeper.labels" $root | nindent 4}}
|
||||
{{- with $annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- $host := $root.Values.ingress.host }}
|
||||
{{- if contains "." $host }}
|
||||
{{- $hostParts := regexSplit "[.]" $host 2 }}
|
||||
{{- $host = printf "%s-%s.%s" (index $hostParts 0) $i (index $hostParts 1) }}
|
||||
{{- else }}
|
||||
{{- $host = printf "%s-%s" $host $i }}
|
||||
{{- end }}
|
||||
{{ $ingress := deepCopy $root.Values.ingress }}
|
||||
{{ $_ := set $ingress "host" $host }}
|
||||
{{ include "spire-lib.ingress-spec" (dict "ingress" $ingress "svcName" (printf "%s-%s" $fullName $i) "port" $root.Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" $root.Values) | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,48 @@
|
|||
{{ $root := . }}
|
||||
{{ $last := sub (.Values.replicas | int) 1 | int }}
|
||||
{{ range (seq 0 ($last) | toString | split " ") }}
|
||||
{{ $i := . }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
namespace: {{ include "spike-keeper.namespace" $root }}
|
||||
name: {{ include "spike-keeper.fullname" $root }}-{{ $i }}
|
||||
{{- with $root.Values.service.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
apps.kubernetes.io/pod-index: {{ $i | quote }}
|
||||
{{- include "spike-keeper.labels" $root | nindent 4 }}
|
||||
spec:
|
||||
type: {{ $root.Values.service.type }}
|
||||
selector:
|
||||
apps.kubernetes.io/pod-index: {{ $i | quote }}
|
||||
{{- include "spike-keeper.selectorLabels" $root | nindent 4 }}
|
||||
ports:
|
||||
- name: {{ include "spike-keeper.fullname" $root }}
|
||||
port: {{ $root.Values.service.port }}
|
||||
targetPort: http
|
||||
{{ end }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
namespace: {{ include "spike-keeper.namespace" $root }}
|
||||
name: {{ include "spike-keeper.fullname" $root }}-headless
|
||||
{{- with $root.Values.service.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "spike-keeper.labels" $root | nindent 4 }}
|
||||
spec:
|
||||
type: {{ $root.Values.service.type }}
|
||||
clusterIP: None
|
||||
selector:
|
||||
{{- include "spike-keeper.selectorLabels" $root | nindent 4 }}
|
||||
ports:
|
||||
- name: {{ include "spike-keeper.fullname" $root }}
|
||||
port: {{ $root.Values.service.port }}
|
||||
targetPort: http
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
{{- if .Values.serviceAccount.create -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "spike-keeper.serviceAccountName" . }}
|
||||
namespace: {{ include "spike-keeper.namespace" . }}
|
||||
labels:
|
||||
{{- include "spike-keeper.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,84 @@
|
|||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ include "spike-keeper.fullname" . }}
|
||||
namespace: {{ include "spike-keeper.namespace" . }}
|
||||
labels:
|
||||
{{- include "spike-keeper.labels" . | nindent 4 }}
|
||||
spec:
|
||||
serviceName: {{ include "spike-keeper.fullname" . }}-headless
|
||||
replicas: {{ .Values.replicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "spike-keeper.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "spike-keeper.selectorLabels" . | nindent 8 }}
|
||||
release: {{ .Release.Name }}
|
||||
release-namespace: {{ .Release.Namespace }}
|
||||
component: spike-keeper
|
||||
spec:
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "spike-keeper.serviceAccountName" . }}
|
||||
securityContext:
|
||||
{{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
|
||||
containers:
|
||||
- name: {{ include "spike-keeper.fullname" . }}
|
||||
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
securityContext:
|
||||
{{- include "spire-lib.securitycontext" . | nindent 12 }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8443
|
||||
protocol: TCP
|
||||
env:
|
||||
- name: SPIFFE_ENDPOINT_SOCKET
|
||||
value: unix://{{ include "spike-keeper.workload-api-socket-path" . }}
|
||||
- name: SPIKE_SYSTEM_LOG_LEVEL
|
||||
value: {{ .Values.logLevel | upper }}
|
||||
- name: SPIKE_TRUST_ROOT
|
||||
value: {{ include "spire-lib.trust-domain" . }}
|
||||
- name: SPIKE_TRUST_ROOT_NEXUS
|
||||
value: {{if eq .Values.trustRoot.nexus "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.nexus }}{{ end }}
|
||||
- name: SPIKE_KEEPER_TLS_PORT
|
||||
value: ":8443"
|
||||
{{- if .Values.startupProbe.enabled }}
|
||||
startupProbe:
|
||||
tcpSocket:
|
||||
port: 8443
|
||||
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
|
||||
initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
|
||||
successThreshold: {{ .Values.startupProbe.successThreshold }}
|
||||
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: spiffe-workload-api
|
||||
mountPath: {{ include "spike-keeper.workload-api-socket-path" . | dir }}
|
||||
readOnly: true
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: spiffe-workload-api
|
||||
csi:
|
||||
driver: "{{ .Values.csiDriverName }}"
|
||||
readOnly: true
|
||||
|
|
@ -0,0 +1,139 @@
|
|||
# Default configuration for SPIKE Keeper
|
||||
# SPDX-License-Identifier: APACHE-2.0
|
||||
|
||||
## @skip global
|
||||
global: {}
|
||||
|
||||
## @section Chart parameters
|
||||
##
|
||||
## @param image.registry The OCI registry to pull the image from
|
||||
## @param image.repository The repository within the registry
|
||||
## @param image.pullPolicy The image pull policy
|
||||
## @param image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: ghcr.io
|
||||
repository: spiffe/spike-keeper
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
|
||||
## @param replicas The number of keepers to launch
|
||||
replicas: 3
|
||||
|
||||
trustRoot:
|
||||
## @param trustRoot.nexus Override which trustRoot Nexus is in
|
||||
nexus: ""
|
||||
|
||||
## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
|
||||
logLevel: debug
|
||||
|
||||
## @param agentSocketName The name of the spire-agent unix socket
|
||||
agentSocketName: spire-agent.sock
|
||||
## @param csiDriverName The csi driver to use
|
||||
csiDriverName: csi.spiffe.io
|
||||
|
||||
## @param imagePullSecrets [array] Pull secrets for images
|
||||
imagePullSecrets: []
|
||||
|
||||
## @param nameOverride Name override
|
||||
nameOverride: ""
|
||||
|
||||
## @param namespaceOverride Namespace override
|
||||
namespaceOverride: ""
|
||||
|
||||
## @param fullnameOverride Fullname override
|
||||
fullnameOverride: ""
|
||||
|
||||
## @param serviceAccount.create Specifies whether a service account should be created
|
||||
## @param serviceAccount.annotations [object] Annotations to add to the service account
|
||||
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
|
||||
##
|
||||
serviceAccount:
|
||||
create: true
|
||||
annotations: {}
|
||||
name: ""
|
||||
|
||||
## @param labels [object] Labels for pods
|
||||
labels: {}
|
||||
|
||||
## @param podSecurityContext [object] Pod security context
|
||||
podSecurityContext: {}
|
||||
# fsGroup: 2000
|
||||
|
||||
## @param securityContext [object] Security context
|
||||
securityContext: {}
|
||||
# capabilities:
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
# runAsUser: 1000
|
||||
|
||||
## @param service.type Service type
|
||||
## @param service.port Service port
|
||||
## @param service.annotations Annotations for service resource
|
||||
##
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 443
|
||||
annotations: {}
|
||||
|
||||
## @param nodeSelector (Optional) Select specific nodes to run on.
|
||||
nodeSelector: {}
|
||||
|
||||
## @param affinity [object] Affinity rules
|
||||
affinity: {}
|
||||
|
||||
## @param tolerations [array] List of tolerations
|
||||
tolerations: []
|
||||
|
||||
## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
|
||||
topologySpreadConstraints: []
|
||||
|
||||
## Provide minimal resources to prevent accidental crashes due to resource exhaustion
|
||||
# resources:
|
||||
# requests:
|
||||
# cpu: 50m
|
||||
# memory: 128Mi
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 512Mi
|
||||
|
||||
## Configure extra options for startup probe
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
|
||||
## @param startupProbe.enabled Enable startupProbe
|
||||
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
||||
## @param startupProbe.periodSeconds Period seconds for startupProbe
|
||||
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
||||
## @param startupProbe.failureThreshold Failure threshold count for startupProbe
|
||||
## @param startupProbe.successThreshold Success threshold count for startupProbe
|
||||
##
|
||||
startupProbe:
|
||||
enabled: true
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 6
|
||||
successThreshold: 1
|
||||
|
||||
## @param ingress.enabled Flag to enable ingress
|
||||
## @param ingress.className Ingress class name
|
||||
## @param ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
|
||||
## @param ingress.annotations [object] Annotations
|
||||
ingress:
|
||||
enabled: false
|
||||
className: ""
|
||||
controllerType: ""
|
||||
annotations: {}
|
||||
|
||||
## @param ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
|
||||
host: "keeper"
|
||||
|
||||
## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
|
||||
tlsSecret: ""
|
||||
|
||||
## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
|
||||
hosts: []
|
||||
|
||||
## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
|
||||
tls: []
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v2
|
||||
name: spike-nexus
|
||||
description: A Helm chart to deploy SPIKE Nexus
|
||||
type: application
|
||||
version: 0.1.0
|
||||
appVersion: "0.4.2"
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
sources:
|
||||
- https://github.com/spiffe/spike
|
||||
icon: https://spike.ist/assets/spike-banner.png
|
||||
maintainers:
|
||||
- name: kfox1111
|
||||
email: Kevin.Fox@pnnl.gov
|
||||
|
|
@ -0,0 +1,83 @@
|
|||
# spike-nexus
|
||||
|
||||
  
|
||||
[](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
|
||||
|
||||
A Helm chart to deploy spike nexus
|
||||
|
||||
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
|
||||
|
||||
## Version support
|
||||
|
||||
> [!Note]
|
||||
> This Chart is still in development and still subject to change the API (`values.yaml`).
|
||||
> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
|
||||
> we do aim for as much stability as possible.
|
||||
|
||||
| Dependency | Supported Versions |
|
||||
|:-----------|:-------------------|
|
||||
| Helm | `3.x` |
|
||||
|
||||
## Source Code
|
||||
|
||||
* <https://github.com/spiffe/spike>
|
||||
|
||||
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
|
||||
|
||||
## Parameters
|
||||
|
||||
### Chart parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- |
|
||||
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
|
||||
| `image.repository` | The repository within the registry | `spiffe/spike-nexus` |
|
||||
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
|
||||
| `backendStore` | The backend store to use. Must be one of [sqlite, memory, lite] | `sqlite` |
|
||||
| `replicas` | The number of keepers to launch | `1` |
|
||||
| `shamir.shares` | How many shares to configure for shamir secrets | `3` |
|
||||
| `shamir.threshold` | How many shares needed to recover | `2` |
|
||||
| `keeperPeers` | Keeper peer configuration. If blank, it will be autodetected | `[]` |
|
||||
| `trustRoot.nexus` | Override which trustRoot Nexus is in | `""` |
|
||||
| `trustRoot.keepers` | Override which trustRoot Keepers are in | `[]` |
|
||||
| `trustRoot.pilot` | Override which trustRoot Pilot is in | `""` |
|
||||
| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `debug` |
|
||||
| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` |
|
||||
| `csiDriverName` | The csi driver to use | `csi.spiffe.io` |
|
||||
| `imagePullSecrets` | Pull secrets for images | `[]` |
|
||||
| `nameOverride` | Name override | `""` |
|
||||
| `namespaceOverride` | Namespace override | `""` |
|
||||
| `fullnameOverride` | Fullname override | `""` |
|
||||
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
|
||||
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
|
||||
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
|
||||
| `labels` | Labels for pods | `{}` |
|
||||
| `podSecurityContext` | Pod security context | `{}` |
|
||||
| `securityContext` | Security context | `{}` |
|
||||
| `service.type` | Service type | `ClusterIP` |
|
||||
| `service.port` | Service port | `443` |
|
||||
| `service.annotations` | Annotations for service resource | `{}` |
|
||||
| `nodeSelector` | (Optional) Select specific nodes to run on. | `{}` |
|
||||
| `affinity` | Affinity rules | `{}` |
|
||||
| `tolerations` | List of tolerations | `[]` |
|
||||
| `topologySpreadConstraints` | List of topology spread constraints for resilience | `[]` |
|
||||
| `startupProbe.enabled` | Enable startupProbe | `true` |
|
||||
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
|
||||
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
|
||||
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
|
||||
| `startupProbe.failureThreshold` | Failure threshold count for startupProbe | `6` |
|
||||
| `startupProbe.successThreshold` | Success threshold count for startupProbe | `1` |
|
||||
| `ingress.enabled` | Flag to enable ingress | `false` |
|
||||
| `ingress.className` | Ingress class name | `""` |
|
||||
| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
|
||||
| `ingress.annotations` | Annotations | `{}` |
|
||||
| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `nexus` |
|
||||
| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
|
||||
| `ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` |
|
||||
| `ingress.tls` | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. | `[]` |
|
||||
| `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` |
|
||||
| `persistence.size` | What size volume to use for persistence | `1Gi` |
|
||||
| `persistence.accessMode` | What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended) | `ReadWriteOnce` |
|
||||
| `persistence.storageClass` | What storage class to use for persistence | `nil` |
|
||||
| `persistence.hostPath` | Which path to use on the host when persistence.type = hostPath | `""` |
|
||||
|
|
@ -0,0 +1 @@
|
|||
Installed {{ .Chart.Name }}…
|
||||
|
|
@ -0,0 +1,83 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "spike-nexus.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "spike-nexus.fullname" -}}
|
||||
{{- if .Values.fullnameOverride }}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride }}
|
||||
{{- if contains $name .Release.Name }}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
|
||||
*/}}
|
||||
{{- define "spike-nexus.namespace" -}}
|
||||
{{- if .Values.namespaceOverride -}}
|
||||
{{- .Values.namespaceOverride -}}
|
||||
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
|
||||
{{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
|
||||
{{- .Values.global.spire.namespaces.server.name }}
|
||||
{{- else }}
|
||||
{{- printf "spire-server" }}
|
||||
{{- end }}
|
||||
{{- else -}}
|
||||
{{- .Release.Namespace -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "spike-nexus.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "spike-nexus.labels" -}}
|
||||
helm.sh/chart: {{ include "spike-nexus.chart" . }}
|
||||
{{ include "spike-nexus.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "spike-nexus.selectorLabels" -}}
|
||||
app.kubernetes.io/name: {{ include "spike-nexus.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "spike-nexus.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "spike-nexus.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "spike-nexus.workload-api-socket-path" -}}
|
||||
{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
{{- if .Values.ingress.enabled -}}
|
||||
{{ $root := . }}
|
||||
{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }}
|
||||
{{- $fullName := include "spike-nexus.fullname" . -}}
|
||||
{{- $tlsSection := true }}
|
||||
{{- $annotations := deepCopy .Values.ingress.annotations }}
|
||||
{{- if eq $ingressControllerType "ingress-nginx" }}
|
||||
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
|
||||
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
|
||||
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
|
||||
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
|
||||
{{- else if eq $ingressControllerType "openshift" }}
|
||||
{{- $path = "" }}
|
||||
{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
|
||||
{{- $tlsSection = false }}
|
||||
{{- end }}
|
||||
{{ $last := sub (.Values.replicas | int) 1 | int }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ $fullName }}
|
||||
namespace: {{ include "spike-nexus.namespace" $root }}
|
||||
labels:
|
||||
{{ include "spike-nexus.labels" $root | nindent 4}}
|
||||
{{- with $annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" $root.Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" $root.Values) | nindent 2 }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
{{ $root := . }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
namespace: {{ include "spike-nexus.namespace" $root }}
|
||||
name: {{ include "spike-nexus.fullname" $root }}
|
||||
{{- with $root.Values.service.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "spike-nexus.labels" $root | nindent 4 }}
|
||||
spec:
|
||||
type: {{ $root.Values.service.type }}
|
||||
selector:
|
||||
{{- include "spike-nexus.selectorLabels" $root | nindent 4 }}
|
||||
ports:
|
||||
- name: {{ include "spike-nexus.fullname" $root }}
|
||||
port: {{ $root.Values.service.port }}
|
||||
targetPort: http
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
{{- if .Values.serviceAccount.create -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "spike-nexus.serviceAccountName" . }}
|
||||
namespace: {{ include "spike-nexus.namespace" . }}
|
||||
labels:
|
||||
{{- include "spike-nexus.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,114 @@
|
|||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ include "spike-nexus.fullname" . }}
|
||||
namespace: {{ include "spike-nexus.namespace" . }}
|
||||
labels:
|
||||
{{- include "spike-nexus.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "spike-nexus.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "spike-nexus.selectorLabels" . | nindent 8 }}
|
||||
release: {{ .Release.Name }}
|
||||
release-namespace: {{ .Release.Namespace }}
|
||||
component: spike-nexus
|
||||
spec:
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "spike-nexus.serviceAccountName" . }}
|
||||
securityContext:
|
||||
{{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
|
||||
containers:
|
||||
- name: {{ include "spike-nexus.fullname" . }}
|
||||
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
securityContext:
|
||||
{{- include "spire-lib.securitycontext" . | nindent 12 }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8443
|
||||
protocol: TCP
|
||||
env:
|
||||
- name: SPIKE_NEXUS_BACKEND_STORE
|
||||
value: {{ .Values.backendStore | quote }}
|
||||
- name: SPIKE_NEXUS_SHAMIR_SHARES
|
||||
value: {{ .Values.shamir.shares | quote }}
|
||||
- name: SPIKE_NEXUS_SHAMIR_THRESHOLD
|
||||
value: {{ .Values.shamir.threshold | quote }}
|
||||
# Note: IP will depend on the testbed.
|
||||
- name: SPIKE_NEXUS_KEEPER_PEERS
|
||||
{{- if gt (len .Values.keeperPeers) 0 }}
|
||||
value: {{ .Values.keeperPeers | join "," | quote }}
|
||||
{{- else }}
|
||||
value: https://{{ .Release.Name }}-spike-keeper-0.{{ .Release.Name }}-spike-keeper-headless:8443,https://{{ .Release.Name }}-spike-keeper-1.{{ .Release.Name }}-spike-keeper-headless:8443,https://{{ .Release.Name }}-spike-keeper-2.{{ .Release.Name }}-spike-keeper-headless:8443
|
||||
{{- end }}
|
||||
- name: SPIFFE_ENDPOINT_SOCKET
|
||||
value: unix://{{ include "spike-nexus.workload-api-socket-path" . }}
|
||||
- name: SPIKE_SYSTEM_LOG_LEVEL
|
||||
value: {{ .Values.logLevel | upper }}
|
||||
- name: SPIKE_TRUST_ROOT
|
||||
value: {{ include "spire-lib.trust-domain" . }}
|
||||
- name: SPIKE_TRUST_ROOT_KEEPER
|
||||
value: {{ if gt (len .Values.trustRoot.keepers) 0 }}{{ .Values.trustRoot.keepers | join "," | quote}}{{ else }}{{ include "spire-lib.trust-domain" . }}{{ end }}
|
||||
- name: SPIKE_TRUST_ROOT_PILOT
|
||||
value: {{if eq .Values.trustRoot.pilot "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.pilot }}{{ end }}
|
||||
- name: SPIKE_NEXUS_TLS_PORT
|
||||
value: ":8443"
|
||||
{{- if .Values.startupProbe.enabled }}
|
||||
startupProbe:
|
||||
tcpSocket:
|
||||
port: 8443
|
||||
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
|
||||
initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
|
||||
successThreshold: {{ .Values.startupProbe.successThreshold }}
|
||||
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: spiffe-workload-api
|
||||
mountPath: {{ include "spike-nexus.workload-api-socket-path" . | dir }}
|
||||
readOnly: true
|
||||
- name: nexus-data
|
||||
mountPath: /.spike
|
||||
{{- with .Values.nodeSelector }}
|
||||
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: spiffe-workload-api
|
||||
csi:
|
||||
driver: "{{ .Values.csiDriverName }}"
|
||||
readOnly: true
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: nexus-data
|
||||
spec:
|
||||
accessModes:
|
||||
- {{ .Values.persistence.accessMode | default "ReadWriteOnce" }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.persistence.size }}
|
||||
{{- $storageClass := (dig "spire" "persistence" "storageClass" nil .Values.global) | default .Values.persistence.storageClass }}
|
||||
{{- if $storageClass }}
|
||||
storageClassName: {{ $storageClass }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,175 @@
|
|||
# Default configuration for SPIKE Keeper
|
||||
# SPDX-License-Identifier: APACHE-2.0
|
||||
|
||||
## @skip global
|
||||
global: {}
|
||||
|
||||
## @section Chart parameters
|
||||
##
|
||||
## @param image.registry The OCI registry to pull the image from
|
||||
## @param image.repository The repository within the registry
|
||||
## @param image.pullPolicy The image pull policy
|
||||
## @param image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: ghcr.io
|
||||
repository: spiffe/spike-nexus
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
|
||||
## @param backendStore The backend store to use. Must be one of [sqlite, memory, lite]
|
||||
backendStore: sqlite
|
||||
|
||||
## @param replicas The number of keepers to launch
|
||||
replicas: 1
|
||||
|
||||
shamir:
|
||||
## @param shamir.shares How many shares to configure for shamir secrets
|
||||
shares: 3
|
||||
## @param shamir.threshold How many shares needed to recover
|
||||
threshold: 2
|
||||
|
||||
## @param keeperPeers Keeper peer configuration. If blank, it will be autodetected
|
||||
keeperPeers: []
|
||||
|
||||
trustRoot:
|
||||
## @param trustRoot.nexus Override which trustRoot Nexus is in
|
||||
nexus: ""
|
||||
## @param trustRoot.keepers Override which trustRoot Keepers are in
|
||||
keepers: []
|
||||
## @param trustRoot.pilot Override which trustRoot Pilot is in
|
||||
pilot: ""
|
||||
|
||||
## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
|
||||
logLevel: debug
|
||||
|
||||
## @param agentSocketName The name of the spire-agent unix socket
|
||||
agentSocketName: spire-agent.sock
|
||||
## @param csiDriverName The csi driver to use
|
||||
csiDriverName: csi.spiffe.io
|
||||
|
||||
## @param imagePullSecrets [array] Pull secrets for images
|
||||
imagePullSecrets: []
|
||||
|
||||
## @param nameOverride Name override
|
||||
nameOverride: ""
|
||||
|
||||
## @param namespaceOverride Namespace override
|
||||
namespaceOverride: ""
|
||||
|
||||
## @param fullnameOverride Fullname override
|
||||
fullnameOverride: ""
|
||||
|
||||
## @param serviceAccount.create Specifies whether a service account should be created
|
||||
## @param serviceAccount.annotations [object] Annotations to add to the service account
|
||||
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
|
||||
##
|
||||
serviceAccount:
|
||||
create: true
|
||||
annotations: {}
|
||||
name: ""
|
||||
|
||||
## @param labels [object] Labels for pods
|
||||
labels: {}
|
||||
|
||||
## @param podSecurityContext [object] Pod security context
|
||||
podSecurityContext: {}
|
||||
# fsGroup: 2000
|
||||
|
||||
## @param securityContext [object] Security context
|
||||
securityContext:
|
||||
# capabilities:
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
|
||||
## @param service.type Service type
|
||||
## @param service.port Service port
|
||||
## @param service.annotations Annotations for service resource
|
||||
##
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 443
|
||||
annotations: {}
|
||||
|
||||
## @param nodeSelector (Optional) Select specific nodes to run on.
|
||||
nodeSelector: {}
|
||||
|
||||
## @param affinity [object] Affinity rules
|
||||
affinity: {}
|
||||
|
||||
## @param tolerations [array] List of tolerations
|
||||
tolerations: []
|
||||
|
||||
## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
|
||||
topologySpreadConstraints: []
|
||||
|
||||
## Provide minimal resources to prevent accidental crashes due to resource exhaustion
|
||||
# resources:
|
||||
# requests:
|
||||
# cpu: 50m
|
||||
# memory: 128Mi
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 512Mi
|
||||
|
||||
## Configure extra options for startup probe
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
|
||||
## @param startupProbe.enabled Enable startupProbe
|
||||
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
||||
## @param startupProbe.periodSeconds Period seconds for startupProbe
|
||||
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
||||
## @param startupProbe.failureThreshold Failure threshold count for startupProbe
|
||||
## @param startupProbe.successThreshold Success threshold count for startupProbe
|
||||
##
|
||||
startupProbe:
|
||||
enabled: true
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 6
|
||||
successThreshold: 1
|
||||
|
||||
## @param ingress.enabled Flag to enable ingress
|
||||
## @param ingress.className Ingress class name
|
||||
## @param ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
|
||||
## @param ingress.annotations [object] Annotations
|
||||
ingress:
|
||||
enabled: false
|
||||
className: ""
|
||||
controllerType: ""
|
||||
annotations: {}
|
||||
|
||||
## @param ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
|
||||
host: "nexus"
|
||||
|
||||
## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
|
||||
tlsSecret: ""
|
||||
|
||||
## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
|
||||
hosts: []
|
||||
# - host: nexus.example.org
|
||||
# paths:
|
||||
# - path: /
|
||||
# pathType: Prefix
|
||||
|
||||
## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
|
||||
tls: []
|
||||
# - secretName: chart-example-tls
|
||||
# hosts:
|
||||
# - nexus.example.org
|
||||
|
||||
## @param persistence.type What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only)
|
||||
## @param persistence.size What size volume to use for persistence
|
||||
## @param persistence.accessMode What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended)
|
||||
## @param persistence.storageClass What storage class to use for persistence
|
||||
## @param persistence.hostPath Which path to use on the host when persistence.type = hostPath
|
||||
##
|
||||
persistence:
|
||||
type: pvc
|
||||
size: 1Gi
|
||||
accessMode: ReadWriteOnce
|
||||
storageClass: null
|
||||
hostPath: ""
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v2
|
||||
name: spike-pilot
|
||||
description: A Helm chart to deploy SPIKE Pilot
|
||||
type: application
|
||||
version: 0.1.0
|
||||
appVersion: "0.4.2"
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
sources:
|
||||
- https://github.com/spiffe/spike
|
||||
icon: https://spike.ist/assets/spike-banner.png
|
||||
maintainers:
|
||||
- name: kfox1111
|
||||
email: Kevin.Fox@pnnl.gov
|
||||
|
|
@ -0,0 +1,63 @@
|
|||
# spike-pilot
|
||||
|
||||
  
|
||||
[](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
|
||||
|
||||
A Helm chart to deploy spike pilot
|
||||
|
||||
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
|
||||
|
||||
## Version support
|
||||
|
||||
> [!Note]
|
||||
> This Chart is still in development and still subject to change the API (`values.yaml`).
|
||||
> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
|
||||
> we do aim for as much stability as possible.
|
||||
|
||||
| Dependency | Supported Versions |
|
||||
|:-----------|:-------------------|
|
||||
| Helm | `3.x` |
|
||||
|
||||
## Source Code
|
||||
|
||||
* <https://github.com/spiffe/spike>
|
||||
|
||||
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
|
||||
|
||||
## Parameters
|
||||
|
||||
### Chart parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| -------------------------------- | ------------------------------------------------------------------------------------------- | -------------------- |
|
||||
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
|
||||
| `image.repository` | The repository within the registry | `spiffe/spike-pilot` |
|
||||
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
|
||||
| `shell.image.registry` | The OCI registry to pull the image from | `""` |
|
||||
| `shell.image.repository` | The repository within the registry | `busybox` |
|
||||
| `shell.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `shell.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.37.0-uclibc` |
|
||||
| `tools.busybox.image.registry` | The OCI registry to pull the image from | `""` |
|
||||
| `tools.busybox.image.repository` | The repository within the registry | `busybox` |
|
||||
| `tools.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tools.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.37.0-uclibc` |
|
||||
| `replicas` | The number of keepers to launch | `1` |
|
||||
| `trustRoot.nexus` | Override which trustRoot Nexus is in | `""` |
|
||||
| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `debug` |
|
||||
| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` |
|
||||
| `csiDriverName` | The csi driver to use | `csi.spiffe.io` |
|
||||
| `imagePullSecrets` | Pull secrets for images | `[]` |
|
||||
| `nameOverride` | Name override | `""` |
|
||||
| `namespaceOverride` | Namespace override | `""` |
|
||||
| `fullnameOverride` | Fullname override | `""` |
|
||||
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
|
||||
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
|
||||
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
|
||||
| `labels` | Labels for pods | `{}` |
|
||||
| `podSecurityContext` | Pod security context | `{}` |
|
||||
| `securityContext` | Security context | `{}` |
|
||||
| `nodeSelector` | (Optional) Select specific nodes to run on. | `{}` |
|
||||
| `affinity` | Affinity rules | `{}` |
|
||||
| `tolerations` | List of tolerations | `[]` |
|
||||
| `topologySpreadConstraints` | List of topology spread constraints for resilience | `[]` |
|
||||
|
|
@ -0,0 +1 @@
|
|||
Installed {{ .Chart.Name }}…
|
||||
|
|
@ -0,0 +1,83 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "spike-pilot.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "spike-pilot.fullname" -}}
|
||||
{{- if .Values.fullnameOverride }}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride }}
|
||||
{{- if contains $name .Release.Name }}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
|
||||
*/}}
|
||||
{{- define "spike-pilot.namespace" -}}
|
||||
{{- if .Values.namespaceOverride -}}
|
||||
{{- .Values.namespaceOverride -}}
|
||||
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
|
||||
{{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
|
||||
{{- .Values.global.spire.namespaces.server.name }}
|
||||
{{- else }}
|
||||
{{- printf "spire-server" }}
|
||||
{{- end }}
|
||||
{{- else -}}
|
||||
{{- .Release.Namespace -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "spike-pilot.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "spike-pilot.labels" -}}
|
||||
helm.sh/chart: {{ include "spike-pilot.chart" . }}
|
||||
{{ include "spike-pilot.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "spike-pilot.selectorLabels" -}}
|
||||
app.kubernetes.io/name: {{ include "spike-pilot.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "spike-pilot.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "spike-pilot.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "spike-pilot.workload-api-socket-path" -}}
|
||||
{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,96 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "spike-pilot.fullname" . }}
|
||||
namespace: {{ include "spike-pilot.namespace" . }}
|
||||
labels:
|
||||
{{- include "spike-pilot.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "spike-pilot.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "spike-pilot.selectorLabels" . | nindent 8 }}
|
||||
release: {{ .Release.Name }}
|
||||
release-namespace: {{ .Release.Namespace }}
|
||||
component: spike-pilot
|
||||
spec:
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "spike-pilot.serviceAccountName" . }}
|
||||
securityContext:
|
||||
{{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
|
||||
initContainers:
|
||||
- name: init
|
||||
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.busybox.image "global" .Values.global "ubi" true) }}
|
||||
imagePullPolicy: {{ .Values.tools.busybox.image.pullPolicy }}
|
||||
command: ["/bin/sh", "-c", "cp -a /bin/busybox /data"]
|
||||
securityContext:
|
||||
{{- include "spire-lib.securitycontext" . | nindent 12 }}
|
||||
volumeMounts:
|
||||
- name: pilot
|
||||
mountPath: /data
|
||||
- name: init2
|
||||
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
command: ["/data/busybox", "sh", "-c", "/data/busybox cp -a /usr/local/bin/spike /data && /data/busybox rm -f /data/busybox"]
|
||||
securityContext:
|
||||
{{- include "spire-lib.securitycontext" . | nindent 12 }}
|
||||
volumeMounts:
|
||||
- name: pilot
|
||||
mountPath: /data
|
||||
containers:
|
||||
- name: {{ include "spike-pilot.fullname" . }}
|
||||
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.shell.image "global" .Values.global "ubi" true) }}
|
||||
imagePullPolicy: {{ .Values.shell.image.pullPolicy }}
|
||||
command: ["/bin/sh", "-c", "echo I live; while true; do sleep 1000; done"]
|
||||
securityContext:
|
||||
{{- include "spire-lib.securitycontext" . | nindent 12 }}
|
||||
env:
|
||||
#FIXME make this configurable
|
||||
- name: SPIKE_NEXUS_API_URL
|
||||
value: https://{{ .Release.Name }}-spike-nexus:443
|
||||
- name: SPIFFE_ENDPOINT_SOCKET
|
||||
value: unix://{{ include "spike-pilot.workload-api-socket-path" . }}
|
||||
- name: SPIKE_SYSTEM_LOG_LEVEL
|
||||
value: {{ .Values.logLevel | upper }}
|
||||
- name: SPIKE_TRUST_ROOT
|
||||
value: {{ include "spire-lib.trust-domain" . }}
|
||||
- name: SPIKE_TRUST_ROOT_NEXUS
|
||||
value: {{if eq .Values.trustRoot.Nexus "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.Nexus }}{{ end }}
|
||||
volumeMounts:
|
||||
- name: spiffe-workload-api
|
||||
mountPath: {{ include "spike-pilot.workload-api-socket-path" . | dir }}
|
||||
readOnly: true
|
||||
- name: pilot
|
||||
mountPath: /bin/spike
|
||||
subPath: spike
|
||||
readOnly: true
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pilot
|
||||
emptyDir: {}
|
||||
- name: spiffe-workload-api
|
||||
csi:
|
||||
driver: "{{ .Values.csiDriverName }}"
|
||||
readOnly: true
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
{{- if .Values.serviceAccount.create -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "spike-pilot.serviceAccountName" . }}
|
||||
namespace: {{ include "spike-pilot.namespace" . }}
|
||||
labels:
|
||||
{{- include "spike-pilot.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,116 @@
|
|||
# Default configuration for SPIKE Keeper
|
||||
# SPDX-License-Identifier: APACHE-2.0
|
||||
|
||||
## @skip global
|
||||
global: {}
|
||||
|
||||
## @section Chart parameters
|
||||
##
|
||||
## @param image.registry The OCI registry to pull the image from
|
||||
## @param image.repository The repository within the registry
|
||||
## @param image.pullPolicy The image pull policy
|
||||
## @param image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: ghcr.io
|
||||
repository: spiffe/spike-pilot
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
|
||||
shell:
|
||||
## @param shell.image.registry The OCI registry to pull the image from
|
||||
## @param shell.image.repository The repository within the registry
|
||||
## @param shell.image.pullPolicy The image pull policy
|
||||
## @param shell.image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: ""
|
||||
repository: busybox
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 1.37.0-uclibc
|
||||
|
||||
tools:
|
||||
busybox:
|
||||
## @param tools.busybox.image.registry The OCI registry to pull the image from
|
||||
## @param tools.busybox.image.repository The repository within the registry
|
||||
## @param tools.busybox.image.pullPolicy The image pull policy
|
||||
## @param tools.busybox.image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: ""
|
||||
repository: busybox
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 1.37.0-uclibc
|
||||
|
||||
## @param replicas The number of keepers to launch
|
||||
replicas: 1
|
||||
|
||||
trustRoot:
|
||||
## @param trustRoot.nexus Override which trustRoot Nexus is in
|
||||
nexus: ""
|
||||
|
||||
## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
|
||||
logLevel: debug
|
||||
|
||||
## @param agentSocketName The name of the spire-agent unix socket
|
||||
agentSocketName: spire-agent.sock
|
||||
## @param csiDriverName The csi driver to use
|
||||
csiDriverName: csi.spiffe.io
|
||||
|
||||
## @param imagePullSecrets [array] Pull secrets for images
|
||||
imagePullSecrets: []
|
||||
|
||||
## @param nameOverride Name override
|
||||
nameOverride: ""
|
||||
|
||||
## @param namespaceOverride Namespace override
|
||||
namespaceOverride: ""
|
||||
|
||||
## @param fullnameOverride Fullname override
|
||||
fullnameOverride: ""
|
||||
|
||||
## @param serviceAccount.create Specifies whether a service account should be created
|
||||
## @param serviceAccount.annotations [object] Annotations to add to the service account
|
||||
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
|
||||
##
|
||||
serviceAccount:
|
||||
create: true
|
||||
annotations: {}
|
||||
name: ""
|
||||
|
||||
## @param labels [object] Labels for pods
|
||||
labels: {}
|
||||
|
||||
## @param podSecurityContext [object] Pod security context
|
||||
podSecurityContext: {}
|
||||
# fsGroup: 2000
|
||||
|
||||
## @param securityContext [object] Security context
|
||||
securityContext: {}
|
||||
# capabilities:
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
# runAsUser: 1000
|
||||
|
||||
## @param nodeSelector (Optional) Select specific nodes to run on.
|
||||
nodeSelector: {}
|
||||
|
||||
## @param affinity [object] Affinity rules
|
||||
affinity: {}
|
||||
|
||||
## @param tolerations [array] List of tolerations
|
||||
tolerations: []
|
||||
|
||||
## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
|
||||
topologySpreadConstraints: []
|
||||
|
||||
## Provide minimal resources to prevent accidental crashes due to resource exhaustion
|
||||
# resources:
|
||||
# requests:
|
||||
# cpu: 50m
|
||||
# memory: 128Mi
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 512Mi
|
||||
|
|
@ -3,7 +3,7 @@ name: spire-agent
|
|||
description: A Helm chart to install the SPIRE agent.
|
||||
type: application
|
||||
version: 0.1.0
|
||||
appVersion: "1.12.2"
|
||||
appVersion: "1.12.4"
|
||||
keywords: ["spiffe", "spire-agent"]
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
sources:
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ A Helm chart to install the SPIRE agent.
|
|||
| `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` |
|
||||
| `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` |
|
||||
| `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` |
|
||||
| `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` |
|
||||
| `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `spiffe` |
|
||||
| `trustBundleHostPath` | If set, obtain trust bundle from a file on the host instead of from the ConfigMap | `""` |
|
||||
| `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` |
|
||||
| `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` |
|
||||
|
|
@ -70,9 +70,10 @@ A Helm chart to install the SPIRE agent.
|
|||
| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` |
|
||||
| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` |
|
||||
| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:57ed0cb7b67f52ea7678128da5c4cf99c1a71d269db92a6a40c179fa57f00ce4` |
|
||||
| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
|
||||
| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
|
||||
| `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` |
|
||||
| `keyManager.disk.enabled` | Enable the disk based Key Manager (must have persistence.type set to hostPath when enabled) | `false` |
|
||||
| `nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s Node Attestor | `true` |
|
||||
| `nodeAttestor.httpChallenge.enabled` | Enable the http challenge Node Attestor | `false` |
|
||||
| `nodeAttestor.httpChallenge.agentname` | Name of this agent. Useful if you have multiple agents bound to different spire servers on the same host and sharing the same port. | `default` |
|
||||
|
|
@ -90,6 +91,7 @@ A Helm chart to install the SPIRE agent.
|
|||
| `nodeAttestor.tpmDirect.pubHash.image.repository` | The repository within the registry | `spiffe/spire-tpm-plugin-get-tpm-pubhash` |
|
||||
| `nodeAttestor.tpmDirect.pubHash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `nodeAttestor.tpmDirect.pubHash.image.tag` | Overrides the image tag | `v1.9.0` |
|
||||
| `nodeAttestor.awsIID.enabled` | Enable the aws_iid Node Attestor | `false` |
|
||||
| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` |
|
||||
| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` |
|
||||
| `workloadAttestors.k8s.verification.type` | What kind of verification to do against kubelet. auto will first attempt to use hostCert, and then fall back to apiServerCA. Valid options are [auto, hostCert, apiServerCA, skip] | `skip` |
|
||||
|
|
@ -108,18 +110,21 @@ A Helm chart to install the SPIRE agent.
|
|||
| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` |
|
||||
| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` |
|
||||
| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` |
|
||||
| `telemetry.datadog.enabled` | Flag to enable datadog monitoring | `false` |
|
||||
| `telemetry.datadog.address` | The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc` | `datadog.kube-system.svc` |
|
||||
| `telemetry.datadog.port` | The port of the datadog service to send metrics to | `8125` |
|
||||
| `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. | `""` |
|
||||
| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` |
|
||||
| `socketAlternate.names` | List of alternate names for the socket that workloads might expect to be able to access in the driver mount. | `["socket","spire-agent.sock","api.sock"]` |
|
||||
| `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` |
|
||||
| `socketAlternate.image.pullPolicy` | The image pull policy | `Always` |
|
||||
| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:57ed0cb7b67f52ea7678128da5c4cf99c1a71d269db92a6a40c179fa57f00ce4` |
|
||||
| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
|
||||
| `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
|
||||
| `hostCert.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `hostCert.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` |
|
||||
| `hostCert.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `hostCert.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3e5ee5ed41e764999f8e499b48d2e62d1f8ffd526aad5b4c3aa7a0759e0139db` |
|
||||
| `hostCert.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53` |
|
||||
| `hostCert.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
|
||||
| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` |
|
||||
| `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` |
|
||||
|
|
@ -136,8 +141,8 @@ A Helm chart to install the SPIRE agent.
|
|||
| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` |
|
||||
| `experimental.featureFlags` | List of developer feature flags | `[]` |
|
||||
| `agents` | Configure multiple agent DaemonSets. Useful when you have different node types and nodeAttestors | `{}` |
|
||||
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
|
||||
| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
|
||||
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
|
||||
| `tools.kubectl.image.repository` | The repository within the registry | `kubectl` |
|
||||
| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
|
||||
| `sockets.hostBasePath` | Path on which the agent socket is made available when admin.mountOnHost is true | `/run/spire/agent/sockets` |
|
||||
|
|
|
|||
|
|
@ -19,8 +19,11 @@
|
|||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.keyManager.disk.enabled (ne .Values.persistence.type "hostPath") }}
|
||||
{{- fail "keyManager.disk.enabled is true but persistence.type is not hostPath. Ensure persistence.type is hostPath when keyManager.disk.enabled is true." }}
|
||||
{{- end }}
|
||||
{{- if hasPrefix (.Values.socketPath | dir | clean) (.Values.sockets.hostBasePath | clean) }}
|
||||
{{- fail "The sockets.hostBasePath can not be located under the socketPath direcotry" }}
|
||||
{{- fail "The sockets.hostBasePath can not be located under the socketPath directory" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- define "spire-agent.yaml-config" -}}
|
||||
|
|
@ -38,13 +41,13 @@ agent:
|
|||
server_address: {{ include "spire-agent.server-address" . | trim | quote }}
|
||||
server_port: {{ .Values.server.port | quote }}
|
||||
socket_path: /tmp/spire-agent/public/{{ include "spire-agent.socket-path" . | base }}
|
||||
trust_bundle_format: {{ .Values.trustBundleFormat | quote }}
|
||||
{{- if ne (len .Values.trustBundleURL) 0 }}
|
||||
trust_bundle_url: {{ .Values.trustBundleURL | quote }}
|
||||
trust_bundle_format: {{ .Values.trustBundleFormat | quote }}
|
||||
{{- else if ne (len .Values.trustBundleHostPath) 0 }}
|
||||
trust_bundle_path: {{ .Values.trustBundleHostPath | quote }}
|
||||
{{- else }}
|
||||
trust_bundle_path: "/run/spire/bundle/bundle.crt"
|
||||
trust_bundle_path: {{ printf "/run/spire/bundle/bundle.%s" (include "spire-lib.trust-bundle-ext" (dict "trustBundleFormat" .Values.trustBundleFormat)) | quote }}
|
||||
{{- end }}
|
||||
trust_domain: {{ include "spire-lib.trust-domain" . | quote }}
|
||||
{{- with .Values.availabilityTarget }}
|
||||
|
|
@ -104,6 +107,13 @@ plugins:
|
|||
{{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeAttestor.awsIID }}
|
||||
{{- if eq (.enabled | toString) "true" }}
|
||||
aws_iid:
|
||||
plugin_data: {}
|
||||
{{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if ne $nodeAttestorUsed 1 }}
|
||||
{{- fail (printf "You have to enable exactly one Node Attestor. There are %d enabled." $nodeAttestorUsed) }}
|
||||
{{- end }}
|
||||
|
|
@ -114,6 +124,12 @@ plugins:
|
|||
plugin_data:
|
||||
{{- $keyManagerUsed = add1 $keyManagerUsed }}
|
||||
{{- end }}
|
||||
{{- if .Values.keyManager.disk.enabled }}
|
||||
disk:
|
||||
plugin_data:
|
||||
directory: {{ .Values.persistence.hostPath }}
|
||||
{{- $keyManagerUsed = add1 $keyManagerUsed }}
|
||||
{{- end }}
|
||||
{{- if ne $keyManagerUsed 1 }}
|
||||
{{- fail (printf "You have to enable exactly one Key Manager. There are %d enabled." $keyManagerUsed) }}
|
||||
{{- end }}
|
||||
|
|
@ -154,6 +170,13 @@ telemetry:
|
|||
- host: "0.0.0.0"
|
||||
port: {{ .Values.telemetry.prometheus.port }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.telemetry.datadog.enabled }}
|
||||
telemetry:
|
||||
- DogStatsd:
|
||||
- address: "{{ .Values.telemetry.datadog.address }}:{{ .Values.telemetry.datadog.port }}"
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
{{- $root := . }}
|
||||
{{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }}
|
||||
|
|
|
|||
|
|
@ -9,6 +9,9 @@
|
|||
{{- if hasKey .Values.sds "disableSpiffeCertValidation" }}
|
||||
{{- fail "disableSpiffeCertValidation was renamed to disableSPIFFECertValidation. Please update your config." }}
|
||||
{{- end }}
|
||||
{{- if and .Values.keyManager.disk.enabled (ne .Values.persistence.type "hostPath") }}
|
||||
{{- fail "keyManager.disk.enabled is true but persistence.type is not hostPath. Ensure persistence.type is hostPath when keyManager.disk.enabled is true." }}
|
||||
{{- end }}
|
||||
{{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }}
|
||||
{{- with (dict "Release" $root.Release "Chart" $root.Chart "Values" (deepCopy $root.Values)) }}
|
||||
{{- $nameSuffix := "" }}
|
||||
|
|
@ -256,6 +259,11 @@ spec:
|
|||
- name: spire-config
|
||||
mountPath: /opt/spire/conf/agent
|
||||
readOnly: true
|
||||
{{- if .Values.keyManager.disk.enabled }}
|
||||
- name: spire-key-manager
|
||||
mountPath: {{ .Values.persistence.hostPath }}
|
||||
readOnly: false
|
||||
{{- end }}
|
||||
- name: spire-agent-persistence
|
||||
mountPath: /var/lib/spire
|
||||
{{- if .Values.sockets.admin.enabled }}
|
||||
|
|
@ -324,6 +332,12 @@ spec:
|
|||
- name: spire-config
|
||||
configMap:
|
||||
name: {{ include "spire-agent.fullname" . }}
|
||||
{{- if .Values.keyManager.disk.enabled }}
|
||||
- name: spire-key-manager
|
||||
hostPath:
|
||||
path: {{ .Values.persistence.hostPath }}
|
||||
type: DirectoryOrCreate
|
||||
{{- end }}
|
||||
{{- if .Values.sockets.admin.mountOnHost }}
|
||||
- name: spire-agent-admin-socket-dir
|
||||
hostPath:
|
||||
|
|
|
|||
|
|
@ -94,7 +94,7 @@ trustDomain: example.org
|
|||
## @param trustBundleURL If set, obtain trust bundle from url instead of Kubernetes ConfigMap
|
||||
trustBundleURL: ""
|
||||
## @param trustBundleFormat If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe"
|
||||
trustBundleFormat: pem
|
||||
trustBundleFormat: spiffe
|
||||
## @param trustBundleHostPath If set, obtain trust bundle from a file on the host instead of from the ConfigMap
|
||||
trustBundleHostPath: ""
|
||||
## @param bundleConfigMap Configmap name for Spire bundle
|
||||
|
|
@ -153,7 +153,7 @@ fsGroupFix:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/bash
|
||||
pullPolicy: Always
|
||||
tag: latest@sha256:57ed0cb7b67f52ea7678128da5c4cf99c1a71d269db92a6a40c179fa57f00ce4
|
||||
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
|
||||
|
||||
## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||||
resources: {}
|
||||
|
|
@ -162,6 +162,9 @@ keyManager:
|
|||
memory:
|
||||
## @param keyManager.memory.enabled Enable the memory based Key Manager
|
||||
enabled: true
|
||||
disk:
|
||||
## @param keyManager.disk.enabled Enable the disk based Key Manager (must have persistence.type set to hostPath when enabled)
|
||||
enabled: false
|
||||
|
||||
nodeAttestor:
|
||||
k8sPSAT:
|
||||
|
|
@ -207,6 +210,9 @@ nodeAttestor:
|
|||
repository: spiffe/spire-tpm-plugin-get-tpm-pubhash
|
||||
pullPolicy: IfNotPresent
|
||||
tag: "v1.9.0"
|
||||
awsIID:
|
||||
## @param nodeAttestor.awsIID.enabled Enable the aws_iid Node Attestor
|
||||
enabled: false
|
||||
|
||||
# workloadAttestors determine a workload's properties and then generate a set of selectors associated with it.
|
||||
workloadAttestors:
|
||||
|
|
@ -257,6 +263,13 @@ telemetry:
|
|||
namespace: ""
|
||||
## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring
|
||||
labels: {}
|
||||
datadog:
|
||||
## @param telemetry.datadog.enabled Flag to enable datadog monitoring
|
||||
enabled: false
|
||||
## @param telemetry.datadog.address The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc`
|
||||
address: "datadog.kube-system.svc"
|
||||
## @param telemetry.datadog.port The port of the datadog service to send metrics to
|
||||
port: 8125
|
||||
|
||||
## @param kubeletConnectByHostname If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise.
|
||||
kubeletConnectByHostname: ""
|
||||
|
|
@ -280,7 +293,7 @@ socketAlternate:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/bash
|
||||
pullPolicy: Always
|
||||
tag: latest@sha256:57ed0cb7b67f52ea7678128da5c4cf99c1a71d269db92a6a40c179fa57f00ce4
|
||||
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
|
||||
|
||||
## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||||
resources: {}
|
||||
|
|
@ -295,7 +308,7 @@ hostCert:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/min-toolkit-debug
|
||||
pullPolicy: IfNotPresent
|
||||
tag: latest@sha256:3e5ee5ed41e764999f8e499b48d2e62d1f8ffd526aad5b4c3aa7a0759e0139db
|
||||
tag: latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53
|
||||
|
||||
## @param hostCert.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||||
resources: {}
|
||||
|
|
@ -370,8 +383,8 @@ tools:
|
|||
## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: rancher/kubectl
|
||||
registry: registry.k8s.io
|
||||
repository: kubectl
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
|
||||
|
|
|
|||
|
|
@ -336,3 +336,11 @@ Anything lower has an incompatible API.
|
|||
{{- fail "Unsupported autoscaling API version" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "spire-lib.trust-bundle-ext" -}}
|
||||
{{- if eq .trustBundleFormat "spiffe" }}
|
||||
{{- print "spiffe" }}
|
||||
{{- else }}
|
||||
{{- print "crt" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ name: spire-server
|
|||
description: A Helm chart to install the SPIRE server.
|
||||
type: application
|
||||
version: 0.1.0
|
||||
appVersion: "1.12.2"
|
||||
appVersion: "1.12.4"
|
||||
keywords: ["spiffe", "spire-server", "spire-controller-manager"]
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
sources:
|
||||
|
|
|
|||
|
|
@ -159,7 +159,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `jwtIssuer` | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset | `""` |
|
||||
| `clusterName` | Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`) | `example-cluster` |
|
||||
| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` |
|
||||
| `bundleConfigMap` | Set the trust domain to be used for the SPIFFE identifiers | `spire-bundle` |
|
||||
| `bundleConfigMap` | Set the Configmap name for SPIRE bundle | `spire-bundle` |
|
||||
| `clusterDomain` | This is the value of your clusters `kubeadm init --service-dns-domain` flag | `cluster.local` |
|
||||
| `federation.enabled` | Flag to enable federation | `false` |
|
||||
| `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` |
|
||||
|
|
@ -256,11 +256,11 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` |
|
||||
| `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault` |
|
||||
| `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` |
|
||||
| `notifier.k8sBundle.enabled` | Enable local k8s bundle uploader | `true` |
|
||||
| `notifier.k8sBundle.enabled` | Enable local k8s bundle uploader | `false` |
|
||||
| `notifier.k8sBundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` |
|
||||
| `notifier.k8sBundle.apiServiceLabel` | If set, rotate the CA Bundle in API services with this label set to true. | `""` |
|
||||
| `notifier.k8sBundle.webhookLabel` | If set, rotate the CA Bundle in validating and mutating webhooks with this label set to true. | `""` |
|
||||
| `notifier.externalK8sBundle.enabled` | Enable external k8s bundle uploader | `true` |
|
||||
| `notifier.externalK8sBundle.enabled` | Enable external k8s bundle uploader | `false` |
|
||||
| `notifier.externalK8sBundle.defaults.namespace` | Namespace to push the bundle into on clusters | `spire-system` |
|
||||
| `notifier.externalK8sBundle.defaults.configMap` | ConfigMap name to push the bundle into on external clusters | `spire-bundle-upstream` |
|
||||
| `notifier.externalK8sBundle.defaults.configMapKey` | ConfigMap key to push the bundle into on external clusters | `bundle.crt` |
|
||||
|
|
@ -311,6 +311,15 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.dnsNameTemplates` | DNS name template for issued identities | `[]` |
|
||||
| `controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable this identity for controller manager | `true` |
|
||||
| `controllerManager.identities.clusterSPIFFEIDs.test-keys.type` | The type of rule this is. | `test-keys` |
|
||||
| `controllerManager.identities.clusterSPIFFEIDs.spike-keeper.enabled` | Enable this identity for controller manager | `true` |
|
||||
| `controllerManager.identities.clusterSPIFFEIDs.spike-keeper.type` | The type of rule this is. | `spike-keeper` |
|
||||
| `controllerManager.identities.clusterSPIFFEIDs.spike-keeper.spiffeIDTemplate` | The template to use for this rule. | `spiffe://{{ .TrustDomain }}/spike/keeper` |
|
||||
| `controllerManager.identities.clusterSPIFFEIDs.spike-nexus.enabled` | Enable this identity for controller manager | `true` |
|
||||
| `controllerManager.identities.clusterSPIFFEIDs.spike-nexus.type` | The type of rule this is. | `spike-nexus` |
|
||||
| `controllerManager.identities.clusterSPIFFEIDs.spike-nexus.spiffeIDTemplate` | The template to use for this rule. | `spiffe://{{ .TrustDomain }}/spike/nexus` |
|
||||
| `controllerManager.identities.clusterSPIFFEIDs.spike-pilot.enabled` | Enable this identity for controller manager | `true` |
|
||||
| `controllerManager.identities.clusterSPIFFEIDs.spike-pilot.type` | The type of rule this is. | `spike-pilot` |
|
||||
| `controllerManager.identities.clusterSPIFFEIDs.spike-pilot.spiffeIDTemplate` | The template to use for this rule. | `spiffe://{{ .TrustDomain }}/spike/pilot/role/superuser` |
|
||||
| `controllerManager.identities.clusterStaticEntries` | Specify ClusterStaticEntry objects. | `{}` |
|
||||
| `controllerManager.identities.clusterFederatedTrustDomains` | Specify ClusterFederatedTrustDomain objects. | `{}` |
|
||||
| `controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another chart instance on the k8s cluster with webhooks enabled. | `true` |
|
||||
|
|
@ -332,8 +341,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `externalControllerManagers.defaults.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` |
|
||||
| `externalControllerManagers.defaults.cacheNamespaces` | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. | `{}` |
|
||||
| `externalControllerManagers.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` |
|
||||
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
|
||||
| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
|
||||
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
|
||||
| `tools.kubectl.image.repository` | The repository within the registry | `kubectl` |
|
||||
| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
|
||||
| `tools.busybox.image.registry` | The OCI registry to pull the image from | `""` |
|
||||
|
|
@ -344,6 +353,9 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` |
|
||||
| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` |
|
||||
| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` |
|
||||
| `telemetry.datadog.enabled` | Flag to enable datadog monitoring | `false` |
|
||||
| `telemetry.datadog.address` | The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc` | `datadog.kube-system.svc` |
|
||||
| `telemetry.datadog.port` | The port of the datadog service to send metrics to | `8125` |
|
||||
| `ingress.enabled` | Flag to enable ingress | `false` |
|
||||
| `ingress.className` | Ingress class name | `""` |
|
||||
| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
|
||||
|
|
@ -359,6 +371,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `initContainers` | Additional init containers to create | `[]` |
|
||||
| `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) | `rsa-2048` |
|
||||
| `caTTL` | TTL for CA | `24h` |
|
||||
| `agentTTL` | The TTL to use for agent SVIDs. If unset, the defaultX509SvidTTL will be used. | `""` |
|
||||
| `defaultX509SvidTTL` | TTL for X509 Svids | `4h` |
|
||||
| `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` |
|
||||
| `nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s nodeattestor | `true` |
|
||||
|
|
@ -387,6 +400,17 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `nodeAttestor.tpmDirect.pluginPath` | The filename in the container of the plugin | `/app/tpm_attestor_server` |
|
||||
| `nodeAttestor.tpmDirect.cas` | A dictionary of TPM CA PEM or DER files that are allowed to connect. | `{}` |
|
||||
| `nodeAttestor.tpmDirect.hashes` | A list of TPM hashes that are allowed to connect. | `[]` |
|
||||
| `nodeAttestor.awsIID.enabled` | Enable the aws_iid node attestor | `false` |
|
||||
| `nodeAttestor.awsIID.assumeRole` | AWS IAM Role NAME to use for the attestation | `""` |
|
||||
| `bundlePublisher.k8sConfigMap.enabled` | Enable local k8s bundle uploader | `true` |
|
||||
| `bundlePublisher.k8sConfigMap.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` |
|
||||
| `bundlePublisher.k8sConfigMap.format` | Format of the trust bundle. Can be pem or spiffe | `spiffe` |
|
||||
| `bundlePublisher.externalK8sConfigMap.enabled` | Enable external k8s bundle uploader | `true` |
|
||||
| `bundlePublisher.externalK8sConfigMap.defaults.namespace` | Namespace to push the bundle into on clusters | `spire-system` |
|
||||
| `bundlePublisher.externalK8sConfigMap.defaults.configMapName` | ConfigMap name to push the bundle into on external clusters | `spire-bundle-upstream` |
|
||||
| `bundlePublisher.externalK8sConfigMap.defaults.configMapKey` | ConfigMap key to push the bundle into on external clusters | `""` |
|
||||
| `bundlePublisher.externalK8sConfigMap.defaults.format` | Format of the trust bundle. Can be pem or spiffe | `spiffe` |
|
||||
| `bundlePublisher.externalK8sConfigMap.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` |
|
||||
| `bundlePublisher.awsRolesAnywhereTrustAnchor.enabled` | Enable the AWS S3 bundle publisher | `false` |
|
||||
| `bundlePublisher.awsRolesAnywhereTrustAnchor.region` | AWS region to store the trust bundle | `""` |
|
||||
| `bundlePublisher.awsRolesAnywhereTrustAnchor.trustAnchorID` | AWS trust anchor ID to publish to | `""` |
|
||||
|
|
@ -410,7 +434,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `tornjak.image.repository` | The repository within the registry | `spiffe/tornjak-backend` |
|
||||
| `tornjak.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tornjak.image.tag` | Overrides the image tag to be whatever you need it to be. It will always be the flag you set without modifications | `""` |
|
||||
| `tornjak.image.defaultTag` | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. | `v1.6.0` |
|
||||
| `tornjak.image.defaultTag` | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. | `v2.1.0` |
|
||||
| `tornjak.service.type` | Type of service resource | `ClusterIP` |
|
||||
| `tornjak.service.ports.http` | Insecure port for tornjak service | `10000` |
|
||||
| `tornjak.service.ports.https` | Secure port for tornjak service | `10443` |
|
||||
|
|
@ -448,10 +472,10 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` |
|
||||
| `customPlugins.upstreamAuthority` | Custom plugins of type upstreamAuthority are configured here | `{}` |
|
||||
| `customPlugins.notifier` | Custom plugins of type notifier are configured here | `{}` |
|
||||
| `chown.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `chown.image.repository` | The repository within the registry | `chainguard/bash` |
|
||||
| `chown.image.registry` | The OCI registry to pull the image from | `""` |
|
||||
| `chown.image.repository` | The repository within the registry | `busybox` |
|
||||
| `chown.image.pullPolicy` | The image pull policy | `Always` |
|
||||
| `chown.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:57ed0cb7b67f52ea7678128da5c4cf99c1a71d269db92a6a40c179fa57f00ce4` |
|
||||
| `chown.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.37.0-uclibc` |
|
||||
| `chown.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
|
||||
| `experimental.enabled` | Allow configuration of experimental features | `false` |
|
||||
| `experimental.cacheReloadInterval` | The amount of time between two reloads of the in-memory entry cache. | `5s` |
|
||||
|
|
@ -464,5 +488,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
|
||||
| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:57ed0cb7b67f52ea7678128da5c4cf99c1a71d269db92a6a40c179fa57f00ce4` |
|
||||
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
|
||||
| `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` |
|
||||
|
|
|
|||
|
|
@ -65,7 +65,23 @@ Allow the release namespace to be overridden for multi-namespace deployments in
|
|||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "spire-server.bundle-namespace" -}}
|
||||
{{- define "spire-server.bundle-namespace-bundlepublisher" -}}
|
||||
{{- if .Values.bundlePublisher.k8sConfigMap.namespace }}
|
||||
{{- .Values.bundlePublisher.k8sConfigMap.namespace }}
|
||||
{{- else if .Values.namespaceOverride -}}
|
||||
{{- .Values.namespaceOverride -}}
|
||||
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
|
||||
{{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }}
|
||||
{{- .Values.global.spire.namespaces.system.name }}
|
||||
{{- else }}
|
||||
{{- printf "spire-system" }}
|
||||
{{- end }}
|
||||
{{- else -}}
|
||||
{{- .Release.Namespace -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "spire-server.bundle-namespace-notifier" -}}
|
||||
{{- if .Values.notifier.k8sBundle.namespace }}
|
||||
{{- .Values.notifier.k8sBundle.namespace }}
|
||||
{{- else if .Values.namespaceOverride -}}
|
||||
|
|
@ -81,6 +97,14 @@ Allow the release namespace to be overridden for multi-namespace deployments in
|
|||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "spire-server.bundle-namespace" -}}
|
||||
{{- if .Values.notifier.k8sBundle.namespace }}
|
||||
{{- .Values.notifier.k8sBundle.namespace }}
|
||||
{{- else }}
|
||||
{{- include "spire-server.bundle-namespace-bundlepublisher" . -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "spire-server.podMonitor.namespace" -}}
|
||||
{{- if ne (len .Values.telemetry.prometheus.podMonitor.namespace) 0 }}
|
||||
{{- .Values.telemetry.prometheus.podMonitor.namespace }}
|
||||
|
|
|
|||
|
|
@ -1,3 +1,7 @@
|
|||
{{- if and .Values.notifier.k8sBundle.enabled .Values.bundlePublisher.k8sConfigMap.enabled }}
|
||||
{{- fail "You can only enable either notifier.k8sBundle or bundlePublisher.k8sConfigMap." }}
|
||||
{{- end }}
|
||||
{{- if .Values.notifier.k8sBundle.enabled }}
|
||||
{{- $namespace := include "spire-server.bundle-namespace" . }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
|
|
@ -8,3 +12,4 @@ metadata:
|
|||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -58,6 +58,9 @@ server:
|
|||
ca_key_type: {{ .Values.caKeyType | quote }}
|
||||
ca_ttl: {{ .Values.caTTL | quote }}
|
||||
|
||||
{{- if .Values.agentTTL }}
|
||||
agent_ttl: {{ .Values.agentTTL | quote }}
|
||||
{{- end }}
|
||||
default_x509_svid_ttl: {{ .Values.defaultX509SvidTTL | quote }}
|
||||
default_jwt_svid_ttl: {{ .Values.defaultJwtSvidTTL | quote }}
|
||||
|
||||
|
|
@ -139,7 +142,7 @@ plugins:
|
|||
{{- end }}
|
||||
disable_migration: {{ .Values.dataStore.sql.disableMigration }}
|
||||
|
||||
{{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.externalK8sPSAT.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled }}
|
||||
{{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.externalK8sPSAT.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled .Values.nodeAttestor.awsIID.enabled }}
|
||||
NodeAttestor:
|
||||
{{- $clusters := default .Values.kubeConfigs .Values.nodeAttestor.externalK8sPSAT.clusters }}
|
||||
{{- if or (eq (.Values.nodeAttestor.k8sPSAT.enabled | toString) "true") (and (eq (.Values.nodeAttestor.externalK8sPSAT.enabled | toString) "true") (gt (len $clusters) 0)) }}
|
||||
|
|
@ -219,6 +222,15 @@ plugins:
|
|||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeAttestor.awsIID }}
|
||||
{{- if eq (.enabled | toString) "true" }}
|
||||
aws_iid:
|
||||
plugin_data:
|
||||
{{- if ne .assumeRole "" }}
|
||||
assume_role: {{ .assumeRole | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- with .Values.keyManager.disk }}
|
||||
|
|
@ -274,7 +286,7 @@ plugins:
|
|||
k8sbundle:
|
||||
plugin_data:
|
||||
{{- if eq (.Values.notifier.k8sBundle.enabled | toString) "true" }}
|
||||
namespace: {{ include "spire-server.bundle-namespace" . | quote }}
|
||||
namespace: {{ include "spire-server.bundle-namespace-notifier" . | quote }}
|
||||
config_map: {{ include "spire-lib.bundle-configmap" . | quote }}
|
||||
{{- with .Values.notifier.k8sBundle.apiServiceLabel }}
|
||||
api_service_label: {{ . | quote }}
|
||||
|
|
@ -304,8 +316,51 @@ plugins:
|
|||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if or .Values.bundlePublisher.awsRolesAnywhereTrustAnchor.enabled .Values.bundlePublisher.awsS3.enabled .Values.bundlePublisher.gcpCloudStorage.enabled }}
|
||||
{{- $externalK8sConfigMapClusters := default .Values.kubeConfigs .Values.bundlePublisher.externalK8sConfigMap.clusters }}
|
||||
{{- if or .Values.bundlePublisher.awsRolesAnywhereTrustAnchor.enabled .Values.bundlePublisher.awsS3.enabled .Values.bundlePublisher.gcpCloudStorage.enabled .Values.bundlePublisher.k8sConfigMap.enabled (and .Values.bundlePublisher.externalK8sConfigMap.enabled (ne (len $externalK8sConfigMapClusters) 0)) }}
|
||||
BundlePublisher:
|
||||
{{- if or .Values.bundlePublisher.k8sConfigMap.enabled (and .Values.bundlePublisher.externalK8sConfigMap.enabled (ne (len $externalK8sConfigMapClusters) 0)) }}
|
||||
k8s_configmap:
|
||||
plugin_data:
|
||||
clusters:
|
||||
{{- $prefix := "-" }}
|
||||
{{- if eq (.Values.bundlePublisher.k8sConfigMap.enabled | toString) "true" }}
|
||||
{{ $prefix }} chart-internal:
|
||||
format: {{ .Values.bundlePublisher.k8sConfigMap.format | quote }}
|
||||
namespace: {{ include "spire-server.bundle-namespace-bundlepublisher" . | quote }}
|
||||
configmap_name: {{ include "spire-lib.bundle-configmap" . | quote }}
|
||||
configmap_key: {{ printf "bundle.%s" (include "spire-lib.trust-bundle-ext" (dict "trustBundleFormat" .Values.bundlePublisher.k8sConfigMap.format)) | quote }}
|
||||
{{- $prefix := " " }}
|
||||
{{- end }}
|
||||
{{- if and (eq (.Values.bundlePublisher.externalK8sConfigMap.enabled | toString) "true") (ne (len $externalK8sConfigMapClusters) 0) }}
|
||||
{{- $clusterDefaults := .Values.bundlePublisher.externalK8sConfigMap.defaults }}
|
||||
{{- range $name, $_ := $externalK8sConfigMapClusters }}
|
||||
{{ $prefix }} {{ $name | quote }}:
|
||||
{{- $clusterSettings := dict }}
|
||||
{{- if hasKey $root.Values.bundlePublisher.externalK8sConfigMap.clusters $name }}
|
||||
{{- $clusterSettings = index $root.Values.bundlePublisher.externalK8sConfigMap.clusters $name }}
|
||||
{{- end }}
|
||||
{{- if hasKey $clusterSettings "kubeConfigName" }}
|
||||
kubeconfig_path: /kubeconfigs/{{ $clusterSettings.kubeConfigName }}
|
||||
{{- else }}
|
||||
kubeconfig_path: /kubeconfigs/{{ $name }}
|
||||
{{- end }}
|
||||
{{- $format := $clusterDefaults.format }}
|
||||
{{- if hasKey $clusterSettings "format" }}{{- $format = $clusterSettings.format }}{{- end }}
|
||||
format: {{ $format | quote }}
|
||||
namespace: {{ if hasKey $clusterSettings "namespace" }}{{ $clusterSettings.namespace }}{{ else }}{{ $clusterDefaults.namespace }}{{ end }}
|
||||
configmap_name: {{ if hasKey $clusterSettings "configMapName" }}{{ $clusterSettings.configMapName }}{{ else }}{{ $clusterDefaults.configMapName }}{{ end }}
|
||||
{{- if hasKey $clusterSettings "configMapKey" }}
|
||||
configmap_key: {{ $clusterSettings.configMapKey | quote }}
|
||||
{{- else if ne $clusterDefaults.configMapKey "" }}
|
||||
configmap_key: {{ $clusterDefaults.configMapKey | quote }}
|
||||
{{- else }}
|
||||
configmap_key: {{ printf "bundle.%s" (include "spire-lib.trust-bundle-ext" (dict "trustBundleFormat" $format)) | quote }}
|
||||
{{- end }}
|
||||
{{- $prefix := " " }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.bundlePublisher.awsRolesAnywhereTrustAnchor.enabled }}
|
||||
aws_rolesanywhere_trustanchor:
|
||||
plugin_data:
|
||||
|
|
@ -444,6 +499,13 @@ telemetry:
|
|||
- host: "0.0.0.0"
|
||||
port: 9988
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.telemetry.datadog.enabled }}
|
||||
telemetry:
|
||||
- DogStatsd:
|
||||
- address: "{{ .Values.telemetry.datadog.address }}:{{ .Values.telemetry.datadog.port }}"
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
{{- if not .Values.externalServer }}
|
||||
apiVersion: v1
|
||||
|
|
|
|||
|
|
@ -17,6 +17,21 @@ matchLabels:
|
|||
release: {{ .Release.Name }}
|
||||
release-namespace: {{ .Release.Namespace }}
|
||||
component: oidc-discovery-provider
|
||||
{{- else if eq .type "spike-keeper" }}
|
||||
matchLabels:
|
||||
release: {{ .Release.Name }}
|
||||
release-namespace: {{ .Release.Namespace }}
|
||||
component: spike-keeper
|
||||
{{- else if eq .type "spike-nexus" }}
|
||||
matchLabels:
|
||||
release: {{ .Release.Name }}
|
||||
release-namespace: {{ .Release.Namespace }}
|
||||
component: spike-nexus
|
||||
{{- else if eq .type "spike-pilot" }}
|
||||
matchLabels:
|
||||
release: {{ .Release.Name }}
|
||||
release-namespace: {{ .Release.Namespace }}
|
||||
component: spike-pilot
|
||||
{{- else if eq .type "test-keys" }}
|
||||
matchLabels:
|
||||
release: {{ .Release.Name }}
|
||||
|
|
@ -38,8 +53,8 @@ matchLabels:
|
|||
{{- if eq ($root.Values.controllerManager.enabled | toString) "true" }}
|
||||
{{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
|
||||
{{- $type := dig "type" "base" $value }}
|
||||
{{- if not (has $type (list "base" "raw" "child-servers" "oidc-discovery-provider" "test-keys")) }}
|
||||
{{- fail (printf "Type given: %s, must be one of [base, raw, child-servers, oidc-discovery-provider, test-keys]" $type) }}
|
||||
{{- if not (has $type (list "base" "raw" "child-servers" "oidc-discovery-provider" "spike-keeper" "spike-nexus" "spike-pilot" "test-keys")) }}
|
||||
{{- fail (printf "Type given: %s, must be one of [base, raw, child-servers, oidc-discovery-provider, spike-keeper, spike-nexus, spike-pilot, test-keys]" $type) }}
|
||||
{{- end }}
|
||||
{{- $namespaceSelector := deepCopy (dig "namespaceSelector" (dict) $value) }}
|
||||
{{- if ne $type "raw" }}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{{- $subject := include "spire-server.subject" . }}
|
||||
{{- $namespace := include "spire-server.namespace" . }}
|
||||
{{- $bundleNamespace := include "spire-server.bundle-namespace" . }}
|
||||
{{- if .Values.notifier.k8sBundle.enabled }}
|
||||
{{- if or .Values.notifier.k8sBundle.enabled .Values.bundlePublisher.k8sConfigMap.enabled }}
|
||||
# Role to be able to push certificate bundles to a configmap
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
@ -15,6 +15,9 @@ rules:
|
|||
verbs:
|
||||
- get
|
||||
- patch
|
||||
{{- if .Values.bundlePublisher.k8sConfigMap.enabled }}
|
||||
- create
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.rbac.create }}
|
||||
---
|
||||
|
|
@ -48,7 +51,7 @@ roleRef:
|
|||
name: {{ include "spire-server.fullname" . }}-cm
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
||||
{{- if .Values.notifier.k8sBundle.enabled }}
|
||||
{{- if or .Values.notifier.k8sBundle.enabled .Values.bundlePublisher.k8sConfigMap.enabled }}
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
|
|||
|
|
@ -180,7 +180,7 @@ spec:
|
|||
- name: chown
|
||||
image: {{ template "spire-lib.image" (dict "image" .Values.chown.image "global" .Values.global) }}
|
||||
imagePullPolicy: {{ .Values.chown.image.pullPolicy }}
|
||||
command: ["bash", "-c"]
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.runAsGroup }} /var/lib/spire
|
||||
|
|
|
|||
|
|
@ -17,13 +17,13 @@ spec:
|
|||
- name: curl-tornjak-backend
|
||||
image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
|
||||
command: ['curl']
|
||||
args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.servicename" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.ports.http }}/api/tornjak/serverinfo']
|
||||
args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.servicename" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.ports.http }}/api/v1/tornjak/serverinfo']
|
||||
securityContext:
|
||||
{{- include "spire-lib.securitycontext" . | nindent 8 }}
|
||||
- name: curl-tornjak-backend-and-spire
|
||||
image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
|
||||
command: ['curl']
|
||||
args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.servicename" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.ports.http }}/api/healthcheck']
|
||||
args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.servicename" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.ports.http }}/api/v1/spire/healthcheck']
|
||||
securityContext:
|
||||
{{- include "spire-lib.securitycontext" . | nindent 8 }}
|
||||
restartPolicy: Never
|
||||
|
|
|
|||
|
|
@ -10,25 +10,22 @@ data:
|
|||
spire_socket_path = "unix:///tmp/spire-server/private/api.sock" # socket to communicate with SPIRE server
|
||||
{{- if eq (include "spire-tornjak.connectionType" .) "http" }}
|
||||
http {
|
||||
enabled = true # if true, opens HTTP server
|
||||
port = "10000" # if HTTP enabled, opens HTTP listen port at specified container port
|
||||
}
|
||||
{{- end }}
|
||||
{{- if eq (include "spire-tornjak.connectionType" .) "tls" }}
|
||||
tls {
|
||||
enabled = true
|
||||
https {
|
||||
port = "10443" # container port for TLS connection
|
||||
cert = "/opt/spire/server/tls.crt" # TLS server cert
|
||||
key = "/opt/spire/server/tls.key" # TLS server key
|
||||
}
|
||||
{{- end }}
|
||||
{{- if eq (include "spire-tornjak.connectionType" .) "mtls" }}
|
||||
mtls {
|
||||
enabled = true
|
||||
https {
|
||||
port = "10443" # container port for mTLS connection
|
||||
cert = "/opt/spire/server/tls.crt" # mTLS server cert
|
||||
key = "/opt/spire/server/tls.key" # mTLS server key
|
||||
ca = "/opt/spire/user/ca.crt" # mTLS user CA
|
||||
client_ca = "/opt/spire/user/ca.crt" # mTLS user CA
|
||||
}
|
||||
{{- end }}
|
||||
}
|
||||
|
|
@ -43,7 +40,7 @@ data:
|
|||
}
|
||||
{{- end }}
|
||||
{{- if ne .Values.tornjak.config.userManagement.issuer "" }}
|
||||
UserManagement "KeycloakAuth" {
|
||||
Authenticator "Keycloak" {
|
||||
plugin_data {
|
||||
issuer = "{{ .Values.tornjak.config.userManagement.issuer }}"
|
||||
audience = "{{ .Values.tornjak.config.userManagement.audience }}"
|
||||
|
|
|
|||
|
|
@ -236,7 +236,7 @@ clusterName: example-cluster
|
|||
## @param trustDomain Set the trust domain to be used for the SPIFFE identifiers
|
||||
trustDomain: example.org
|
||||
|
||||
## @param bundleConfigMap Set the trust domain to be used for the SPIFFE identifiers
|
||||
## @param bundleConfigMap Set the Configmap name for SPIRE bundle
|
||||
bundleConfigMap: spire-bundle
|
||||
|
||||
## @param clusterDomain This is the value of your clusters `kubeadm init --service-dns-domain` flag
|
||||
|
|
@ -514,7 +514,7 @@ upstreamAuthority:
|
|||
notifier:
|
||||
k8sBundle:
|
||||
## @param notifier.k8sBundle.enabled Enable local k8s bundle uploader
|
||||
enabled: true
|
||||
enabled: false
|
||||
## @param notifier.k8sBundle.namespace Namespace to push the bundle into, if blank will default to SPIRE Server namespace
|
||||
namespace: ""
|
||||
## @param notifier.k8sBundle.apiServiceLabel If set, rotate the CA Bundle in API services with this label set to true.
|
||||
|
|
@ -523,7 +523,7 @@ notifier:
|
|||
webhookLabel: ""
|
||||
externalK8sBundle:
|
||||
## @param notifier.externalK8sBundle.enabled Enable external k8s bundle uploader
|
||||
enabled: true
|
||||
enabled: false
|
||||
defaults:
|
||||
## @param notifier.externalK8sBundle.defaults.namespace Namespace to push the bundle into on clusters
|
||||
namespace: "spire-system"
|
||||
|
|
@ -695,6 +695,28 @@ controllerManager:
|
|||
## @param controllerManager.identities.clusterSPIFFEIDs.test-keys.type The type of rule this is.
|
||||
type: test-keys
|
||||
|
||||
spike-keeper:
|
||||
## @param controllerManager.identities.clusterSPIFFEIDs.spike-keeper.enabled Enable this identity for controller manager
|
||||
enabled: true
|
||||
## @param controllerManager.identities.clusterSPIFFEIDs.spike-keeper.type The type of rule this is.
|
||||
type: spike-keeper
|
||||
## @param controllerManager.identities.clusterSPIFFEIDs.spike-keeper.spiffeIDTemplate The template to use for this rule.
|
||||
spiffeIDTemplate: spiffe://{{ .TrustDomain }}/spike/keeper
|
||||
spike-nexus:
|
||||
## @param controllerManager.identities.clusterSPIFFEIDs.spike-nexus.enabled Enable this identity for controller manager
|
||||
enabled: true
|
||||
## @param controllerManager.identities.clusterSPIFFEIDs.spike-nexus.type The type of rule this is.
|
||||
type: spike-nexus
|
||||
## @param controllerManager.identities.clusterSPIFFEIDs.spike-nexus.spiffeIDTemplate The template to use for this rule.
|
||||
spiffeIDTemplate: spiffe://{{ .TrustDomain }}/spike/nexus
|
||||
spike-pilot:
|
||||
## @param controllerManager.identities.clusterSPIFFEIDs.spike-pilot.enabled Enable this identity for controller manager
|
||||
enabled: true
|
||||
## @param controllerManager.identities.clusterSPIFFEIDs.spike-pilot.type The type of rule this is.
|
||||
type: spike-pilot
|
||||
## @param controllerManager.identities.clusterSPIFFEIDs.spike-pilot.spiffeIDTemplate The template to use for this rule.
|
||||
spiffeIDTemplate: spiffe://{{ .TrustDomain }}/spike/pilot/role/superuser
|
||||
|
||||
# You can specify additional ClusterSPIFFEIDs following this example:
|
||||
# foo:
|
||||
# labels:
|
||||
|
|
@ -803,8 +825,8 @@ tools:
|
|||
## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: rancher/kubectl
|
||||
registry: registry.k8s.io
|
||||
repository: kubectl
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
busybox:
|
||||
|
|
@ -830,6 +852,13 @@ telemetry:
|
|||
namespace: ""
|
||||
## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring
|
||||
labels: {}
|
||||
datadog:
|
||||
## @param telemetry.datadog.enabled Flag to enable datadog monitoring
|
||||
enabled: false
|
||||
## @param telemetry.datadog.address The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc`
|
||||
address: "datadog.kube-system.svc"
|
||||
## @param telemetry.datadog.port The port of the datadog service to send metrics to
|
||||
port: 8125
|
||||
|
||||
ingress:
|
||||
## @param ingress.enabled Flag to enable ingress
|
||||
|
|
@ -883,6 +912,8 @@ initContainers: []
|
|||
caKeyType: rsa-2048
|
||||
## @param caTTL TTL for CA
|
||||
caTTL: 24h
|
||||
## @param agentTTL The TTL to use for agent SVIDs. If unset, the defaultX509SvidTTL will be used.
|
||||
agentTTL: ""
|
||||
## @param defaultX509SvidTTL TTL for X509 Svids
|
||||
defaultX509SvidTTL: 4h
|
||||
## @param defaultJwtSvidTTL TTL for JWT Svids
|
||||
|
|
@ -953,9 +984,38 @@ nodeAttestor:
|
|||
cas: {}
|
||||
## @param nodeAttestor.tpmDirect.hashes A list of TPM hashes that are allowed to connect.
|
||||
hashes: []
|
||||
awsIID:
|
||||
## @param nodeAttestor.awsIID.enabled Enable the aws_iid node attestor
|
||||
enabled: false
|
||||
## @param nodeAttestor.awsIID.assumeRole AWS IAM Role NAME to use for the attestation
|
||||
assumeRole: ""
|
||||
|
||||
# The secrets needed for this plugin are configured in the secrets: section
|
||||
bundlePublisher:
|
||||
k8sConfigMap:
|
||||
## @param bundlePublisher.k8sConfigMap.enabled Enable local k8s bundle uploader
|
||||
enabled: true
|
||||
## @param bundlePublisher.k8sConfigMap.namespace Namespace to push the bundle into, if blank will default to SPIRE Server namespace
|
||||
namespace: ""
|
||||
## @param bundlePublisher.k8sConfigMap.format Format of the trust bundle. Can be pem or spiffe
|
||||
format: spiffe
|
||||
externalK8sConfigMap:
|
||||
## @param bundlePublisher.externalK8sConfigMap.enabled Enable external k8s bundle uploader
|
||||
enabled: true
|
||||
defaults:
|
||||
## @param bundlePublisher.externalK8sConfigMap.defaults.namespace Namespace to push the bundle into on clusters
|
||||
namespace: "spire-system"
|
||||
## @param bundlePublisher.externalK8sConfigMap.defaults.configMapName ConfigMap name to push the bundle into on external clusters
|
||||
configMapName: "spire-bundle-upstream"
|
||||
## @param bundlePublisher.externalK8sConfigMap.defaults.configMapKey ConfigMap key to push the bundle into on external clusters
|
||||
configMapKey: ""
|
||||
## @param bundlePublisher.externalK8sConfigMap.defaults.format Format of the trust bundle. Can be pem or spiffe
|
||||
format: spiffe
|
||||
## @param bundlePublisher.externalK8sConfigMap.clusters [object] A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used.
|
||||
clusters: {}
|
||||
# clustera:
|
||||
# namespace: foo
|
||||
# clusterb: {}
|
||||
awsRolesAnywhereTrustAnchor:
|
||||
## @param bundlePublisher.awsRolesAnywhereTrustAnchor.enabled Enable the AWS S3 bundle publisher
|
||||
enabled: false
|
||||
|
|
@ -1001,7 +1061,7 @@ tornjak:
|
|||
repository: spiffe/tornjak-backend
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
defaultTag: "v1.6.0"
|
||||
defaultTag: "v2.1.0"
|
||||
|
||||
service:
|
||||
## @param tornjak.service.type Type of service resource
|
||||
|
|
@ -1145,10 +1205,10 @@ chown:
|
|||
## @param chown.image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: cgr.dev
|
||||
repository: chainguard/bash
|
||||
registry: ""
|
||||
repository: busybox
|
||||
pullPolicy: Always
|
||||
tag: latest@sha256:57ed0cb7b67f52ea7678128da5c4cf99c1a71d269db92a6a40c179fa57f00ce4
|
||||
tag: 1.37.0-uclibc
|
||||
|
||||
## @param chown.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||||
resources: {}
|
||||
|
|
@ -1183,7 +1243,7 @@ tests:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/bash
|
||||
pullPolicy: IfNotPresent
|
||||
tag: latest@sha256:57ed0cb7b67f52ea7678128da5c4cf99c1a71d269db92a6a40c179fa57f00ce4
|
||||
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
|
||||
|
||||
## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters
|
||||
kubeConfigs: {}
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ name: tornjak-frontend
|
|||
description: A Helm chart to deploy Tornjak frontend
|
||||
type: application
|
||||
version: 0.1.0
|
||||
appVersion: "v1.6.0"
|
||||
appVersion: "v2.1.0"
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
sources:
|
||||
- https://github.com/spiffe/tornjak
|
||||
|
|
|
|||
|
|
@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details.
|
|||
| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
|
||||
| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:57ed0cb7b67f52ea7678128da5c4cf99c1a71d269db92a6a40c179fa57f00ce4` |
|
||||
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
|
||||
|
|
|
|||
|
|
@ -162,4 +162,4 @@ tests:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/bash
|
||||
pullPolicy: IfNotPresent
|
||||
tag: latest@sha256:57ed0cb7b67f52ea7678128da5c4cf99c1a71d269db92a6a40c179fa57f00ce4
|
||||
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
|
||||
|
|
|
|||
|
|
@ -219,3 +219,24 @@ spiffe-oidc-discovery-provider:
|
|||
tornjak-frontend:
|
||||
## @param tornjak-frontend.enabled Enables deployment of Tornjak frontend/UI (Not for production)
|
||||
enabled: false
|
||||
|
||||
## @section SPIKE Keeper parameters
|
||||
## Parameter values for SPIKE Keeper
|
||||
##
|
||||
spike-keeper:
|
||||
## @param spike-keeper.enabled Enables deployment of SPIKE Keeper (Not for production)
|
||||
enabled: false
|
||||
|
||||
## @section SPIKE Nexus parameters
|
||||
## Parameter values for SPIKE Nexus
|
||||
##
|
||||
spike-nexus:
|
||||
## @param spike-nexus.enabled Enables deployment of SPIKE Nexus (Not for production)
|
||||
enabled: false
|
||||
|
||||
## @section SPIKE Pilot parameters
|
||||
## Parameter values for SPIKE Pilot
|
||||
##
|
||||
spike-pilot:
|
||||
## @param spike-pilot.enabled Enables deployment of SPIKE Pilot (Not for production)
|
||||
enabled: false
|
||||
|
|
|
|||
|
|
@ -0,0 +1,74 @@
|
|||
# AWS IID Node Attestor
|
||||
|
||||
This document provides a concise guide to the AWS IID node attestor plugin support in your system. The AWS IID attestor plugin automatically verifies instances using AWS's Instance Metadata API and Instance Identity Document.
|
||||
|
||||
## Configuration
|
||||
|
||||
The AWS IID node attestor can be configured with the following properties:
|
||||
|
||||
| Parameter | Description | Default |
|
||||
|-------------------------------|-----------------------------------------------------|---------|
|
||||
| **nodeAttestor.awsIID.enabled** | Enable the AWS IID node attestor | false |
|
||||
| **nodeAttestor.awsIID.assumeRole** | AWS IAM Role NAME to use for the attestation | "" |
|
||||
|
||||
### Sample Configuration
|
||||
|
||||
Here's a minimal configuration example for the server:
|
||||
|
||||
```yaml
|
||||
awsIID:
|
||||
enabled: true
|
||||
region: "us-west-2" # Specify your desired AWS region
|
||||
assumeRole: "example-role" # Specify the IAM Role NAME
|
||||
```
|
||||
|
||||
For the agent, ensure that the `awsIID` is also enabled:
|
||||
|
||||
```yaml
|
||||
awsIID:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
**Note:** When the `awsIID` node attestor is enabled on the server, it must also be enabled on the agent to ensure proper attestation.
|
||||
|
||||
### IAM Role
|
||||
|
||||
The `assumeRole` parameter requires the name of the IAM Role you wish to use for the attestation process. Ensure this role has the appropriate permissions.
|
||||
|
||||
### Required IAM Policy
|
||||
|
||||
To facilitate the node attestation, the following IAM policy example should be attached to the IAM Role mentioned in the `assumeRole`. This policy example is needed to get the instance's info from AWS:
|
||||
|
||||
```json
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ec2:DescribeInstances",
|
||||
"iam:GetInstanceProfile"
|
||||
],
|
||||
"Resource": "*"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
## Security Considerations
|
||||
|
||||
It’s important to note that while the AWS Instance Identity Document is used to prove node identity, it is accessible to any process running on the instance. Therefore, precautions should be made to ensure only the desired agent uses it for attestation.
|
||||
|
||||
Always monitor your systems for unauthorized access attempts and ensure your IAM roles follow the principle of least privilege.
|
||||
|
||||
For more information on AWS IAM roles and security best practices, refer to the [AWS IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).
|
||||
|
||||
## Additional Information
|
||||
|
||||
For more information on the server plugin, see the [Server Plugin Documentation](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_aws_iid.md).
|
||||
|
||||
And for the agent, see the [Agent Plugin Documentation](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_aws_iid.md).
|
||||
|
||||
---
|
||||
|
||||
By following the above guidelines, you can ensure a simple yet secure implementation of the AWS IID node attestor within your system.
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
global:
|
||||
spire:
|
||||
ingressControllerType: ingress-nginx
|
||||
spike-keeper:
|
||||
enabled: true
|
||||
#ingress:
|
||||
# enabled: true
|
||||
# className: nginx
|
||||
spike-nexus:
|
||||
enabled: true
|
||||
ingress:
|
||||
enabled: true
|
||||
className: nginx
|
||||
spike-pilot:
|
||||
enabled: true
|
||||
|
|
@ -17,7 +17,7 @@ spire-server:
|
|||
selectors:
|
||||
- tpm:pub_hash:12345
|
||||
foo-kubelet:
|
||||
parentID: spiffe://example.org/foo
|
||||
parentID: spiffe://example.org/hosts/foo
|
||||
spiffeID: spiffe://example.org/k8s/one/node/foo
|
||||
selectors:
|
||||
- systemd:id:kubelet.service
|
||||
|
|
@ -28,4 +28,8 @@ spire-agent:
|
|||
spiffe-csi-driver:
|
||||
enabled: false
|
||||
spiffe-oidc-discovery-provider:
|
||||
enabled: false
|
||||
enabled: true
|
||||
bundleSource: ConfigMap
|
||||
tls:
|
||||
spire:
|
||||
enabled: false
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ helm upgrade --install -n spire-mgmt spire spire \
|
|||
--render-subchart-notes
|
||||
|
||||
# test the Tornjak deployment
|
||||
helm test spire -n spire-server
|
||||
helm test spire -n spire-mgmt
|
||||
```
|
||||
|
||||
Port forward the Tornjak backend (APIs) and Tornjak frontend (UI) services. Execute these commands in separate consoles.
|
||||
|
|
|
|||
28
tests/go.mod
28
tests/go.mod
|
|
@ -1,13 +1,11 @@
|
|||
module github.com/spiffe/helm-charts/tests
|
||||
|
||||
go 1.24.0
|
||||
|
||||
toolchain go1.24.1
|
||||
go 1.24.3
|
||||
|
||||
require (
|
||||
github.com/onsi/ginkgo/v2 v2.23.4
|
||||
github.com/onsi/gomega v1.37.0
|
||||
helm.sh/helm/v3 v3.18.0
|
||||
github.com/onsi/gomega v1.38.0
|
||||
helm.sh/helm/v3 v3.18.4
|
||||
)
|
||||
|
||||
require (
|
||||
|
|
@ -48,21 +46,21 @@ require (
|
|||
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
|
||||
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
|
||||
go.uber.org/automaxprocs v1.6.0 // indirect
|
||||
golang.org/x/crypto v0.37.0 // indirect
|
||||
golang.org/x/net v0.38.0 // indirect
|
||||
golang.org/x/crypto v0.39.0 // indirect
|
||||
golang.org/x/net v0.41.0 // indirect
|
||||
golang.org/x/oauth2 v0.28.0 // indirect
|
||||
golang.org/x/sys v0.33.0 // indirect
|
||||
golang.org/x/term v0.31.0 // indirect
|
||||
golang.org/x/text v0.24.0 // indirect
|
||||
golang.org/x/term v0.32.0 // indirect
|
||||
golang.org/x/text v0.26.0 // indirect
|
||||
golang.org/x/time v0.9.0 // indirect
|
||||
golang.org/x/tools v0.31.0 // indirect
|
||||
google.golang.org/protobuf v1.36.5 // indirect
|
||||
golang.org/x/tools v0.33.0 // indirect
|
||||
google.golang.org/protobuf v1.36.6 // indirect
|
||||
gopkg.in/inf.v0 v0.9.1 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
k8s.io/api v0.33.0 // indirect
|
||||
k8s.io/apiextensions-apiserver v0.33.0 // indirect
|
||||
k8s.io/apimachinery v0.33.0 // indirect
|
||||
k8s.io/client-go v0.33.0 // indirect
|
||||
k8s.io/api v0.33.2 // indirect
|
||||
k8s.io/apiextensions-apiserver v0.33.2 // indirect
|
||||
k8s.io/apimachinery v0.33.2 // indirect
|
||||
k8s.io/client-go v0.33.2 // indirect
|
||||
k8s.io/klog/v2 v2.130.1 // indirect
|
||||
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
|
||||
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
|
||||
|
|
|
|||
48
tests/go.sum
48
tests/go.sum
|
|
@ -79,8 +79,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
|
|||
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
|
||||
github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
|
||||
github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
|
||||
github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
|
||||
github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
|
||||
github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY=
|
||||
github.com/onsi/gomega v1.38.0/go.mod h1:OcXcwId0b9QsE7Y49u+BTrL4IdKOBOKnD6VQNTJEB6o=
|
||||
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
|
||||
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
|
|
@ -123,16 +123,16 @@ go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwE
|
|||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||
golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
|
||||
golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
|
||||
golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
|
||||
golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
|
||||
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
|
||||
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
|
||||
golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
|
||||
golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
|
||||
golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
|
||||
golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
|
||||
golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
|
||||
golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
|
||||
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
|
|
@ -143,26 +143,26 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
|
|||
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
|
||||
golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
|
||||
golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
|
||||
golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
|
||||
golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
|
||||
golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
|
||||
golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
|
||||
golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
|
||||
golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
|
||||
golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
|
||||
golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
|
||||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
|
||||
golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
|
||||
golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
|
||||
golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
|
||||
golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
|
||||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
|
||||
google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
|
||||
google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
|
||||
google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
|
||||
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
|
||||
|
|
@ -173,16 +173,16 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
|
|||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
helm.sh/helm/v3 v3.18.0 h1:ItOAm3Quo0dus3NUHjs+lluqWWEIO7xrSW+zKWCrvlw=
|
||||
helm.sh/helm/v3 v3.18.0/go.mod h1:43QHS1W97RcoFJRk36ZBhHdTfykqBlJdsWp3yhzdq8w=
|
||||
k8s.io/api v0.33.0 h1:yTgZVn1XEe6opVpP1FylmNrIFWuDqe2H0V8CT5gxfIU=
|
||||
k8s.io/api v0.33.0/go.mod h1:CTO61ECK/KU7haa3qq8sarQ0biLq2ju405IZAd9zsiM=
|
||||
k8s.io/apiextensions-apiserver v0.33.0 h1:d2qpYL7Mngbsc1taA4IjJPRJ9ilnsXIrndH+r9IimOs=
|
||||
k8s.io/apiextensions-apiserver v0.33.0/go.mod h1:VeJ8u9dEEN+tbETo+lFkwaaZPg6uFKLGj5vyNEwwSzc=
|
||||
k8s.io/apimachinery v0.33.0 h1:1a6kHrJxb2hs4t8EE5wuR/WxKDwGN1FKH3JvDtA0CIQ=
|
||||
k8s.io/apimachinery v0.33.0/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
|
||||
k8s.io/client-go v0.33.0 h1:UASR0sAYVUzs2kYuKn/ZakZlcs2bEHaizrrHUZg0G98=
|
||||
k8s.io/client-go v0.33.0/go.mod h1:kGkd+l/gNGg8GYWAPr0xF1rRKvVWvzh9vmZAMXtaKOg=
|
||||
helm.sh/helm/v3 v3.18.4 h1:pNhnHM3nAmDrxz6/UC+hfjDY4yeDATQCka2/87hkZXQ=
|
||||
helm.sh/helm/v3 v3.18.4/go.mod h1:WVnwKARAw01iEdjpEkP7Ii1tT1pTPYfM1HsakFKM3LI=
|
||||
k8s.io/api v0.33.2 h1:YgwIS5jKfA+BZg//OQhkJNIfie/kmRsO0BmNaVSimvY=
|
||||
k8s.io/api v0.33.2/go.mod h1:fhrbphQJSM2cXzCWgqU29xLDuks4mu7ti9vveEnpSXs=
|
||||
k8s.io/apiextensions-apiserver v0.33.2 h1:6gnkIbngnaUflR3XwE1mCefN3YS8yTD631JXQhsU6M8=
|
||||
k8s.io/apiextensions-apiserver v0.33.2/go.mod h1:IvVanieYsEHJImTKXGP6XCOjTwv2LUMos0YWc9O+QP8=
|
||||
k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
|
||||
k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
|
||||
k8s.io/client-go v0.33.2 h1:z8CIcc0P581x/J1ZYf4CNzRKxRvQAwoAolYPbtQes+E=
|
||||
k8s.io/client-go v0.33.2/go.mod h1:9mCgT4wROvL948w6f6ArJNb7yQd7QsvqavDeZHvNmHo=
|
||||
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
|
||||
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
|
||||
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
|
||||
|
|
|
|||
|
|
@ -152,7 +152,7 @@ popd
|
|||
helm upgrade --install spiffe-step-ssh charts/spiffe-step-ssh --set caPassword="$(cat spiffe-step-ssh-password.txt)" -f spiffe-step-ssh-values.yaml -f "${SCRIPTPATH}/ingress-values.yaml" --set trustDomain=production.other --wait --timeout 10m
|
||||
|
||||
# Is fetchca responding.
|
||||
kubectl get configmap -n spire-system spire-bundle-downstream -o go-template='{{ index .data "bundle.crt" }}' > /tmp/ca.pem
|
||||
kubectl exec -it -n spire-server spire-internal-server-0 -- spire-server bundle show > /tmp/ca.pem
|
||||
cat /tmp/ca.pem
|
||||
curl https://spiffe-step-ssh-fetchca.production.other -s --cacert /tmp/ca.pem
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue