Compare commits
18 Commits
spire-0.26
...
main
| Author | SHA1 | Date |
|---|---|---|
spire-helm-version-checker[bot]
|
86f0aecc57 | |
Eric Cavalcanti
|
3ef5fe6c49 | |
Faisal Memon
|
8443881250 | |
|
Faisal Memon
|
28c65d3458 | |
|
Faisal Memon
|
acfcc9d0a4 | |
|
spire-helm-version-checker[bot]
|
64b9c400cc | |
dependabot[bot]
|
0404934d37 | |
kfox1111
|
d516de01bd | |
|
spire-helm-version-checker[bot]
|
8904b96be8 | |
|
Eric Cavalcanti
|
6581b117a0 | |
|
Eric Cavalcanti
|
d2913ffca0 | |
|
spire-helm-version-checker[bot]
|
3218db7bbb | |
|
Eric Cavalcanti
|
57a61438be | |
|
Eric Cavalcanti
|
9a8e5a8398 | |
|
dependabot[bot]
|
b1f95b2c6b | |
Marco Franssen
|
093c593ff6 | |
|
Marco Franssen
|
a7d536c025 | |
|
spire-helm-version-checker[bot]
|
fc1791f2eb |
|
|
@ -2,16 +2,16 @@
|
|||
{
|
||||
"name": "kube-prometheus-stack",
|
||||
"repo": "https://prometheus-community.github.io/helm-charts",
|
||||
"version": "75.6.1"
|
||||
"version": "75.15.1"
|
||||
},
|
||||
{
|
||||
"name": "cert-manager",
|
||||
"repo": "https://charts.jetstack.io",
|
||||
"version": "v1.18.1"
|
||||
"version": "v1.18.2"
|
||||
},
|
||||
{
|
||||
"name": "ingress-nginx",
|
||||
"repo": "https://kubernetes.github.io/ingress-nginx",
|
||||
"version": "4.12.3"
|
||||
"version": "4.13.0"
|
||||
}
|
||||
]
|
||||
|
|
|
|||
|
|
@ -7,8 +7,8 @@
|
|||
},
|
||||
{
|
||||
"query": "chown.image",
|
||||
"filter": "LATESTSHA",
|
||||
"sort-flags": []
|
||||
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
|
||||
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
|
||||
},
|
||||
{
|
||||
"query": "tools.busybox.image",
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
{
|
||||
"name": "mysql",
|
||||
"registry": "docker.io/bitnamicharts/mysql",
|
||||
"version": "13.0.2"
|
||||
"version": "14.0.0"
|
||||
},
|
||||
{
|
||||
"name": "postgresql",
|
||||
|
|
@ -12,6 +12,6 @@
|
|||
{
|
||||
"name": "envoy-gateway",
|
||||
"registry": "docker.io/envoyproxy/gateway-helm",
|
||||
"version": "v1.4.1"
|
||||
"version": "v1.4.2"
|
||||
}
|
||||
]
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ type: application
|
|||
# This is the chart version. This version number should be incremented each time you make changes
|
||||
# to the chart and its templates, including the app version.
|
||||
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
||||
version: 0.1.0
|
||||
version: 0.1.1
|
||||
|
||||
# This is the version number of the application being deployed. This version number should be
|
||||
# incremented each time you make changes to the application. Versions are not expected to
|
||||
|
|
|
|||
|
|
@ -123,8 +123,8 @@ kubectl:
|
|||
## @param kubectl.image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: rancher/kubectl
|
||||
registry: registry.k8s.io
|
||||
repository: kubectl
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ name: spire-nested
|
|||
description: >
|
||||
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
|
||||
type: application
|
||||
version: 0.26.0
|
||||
version: 0.26.1
|
||||
appVersion: "1.12.4"
|
||||
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# spire
|
||||
|
||||
  
|
||||
  
|
||||
[](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
|
||||
|
||||
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ name: spire
|
|||
description: >
|
||||
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
|
||||
type: application
|
||||
version: 0.26.0
|
||||
version: 0.26.1
|
||||
appVersion: "1.12.4"
|
||||
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# spire
|
||||
|
||||
  
|
||||
  
|
||||
[](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
|
||||
|
||||
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
|
||||
|
|
@ -24,11 +24,6 @@ Preparing a production deployment requires a few steps.
|
|||
|
||||
1. Save the following to your-values.yaml, ideally in your git repo.
|
||||
|
||||
> [!NOTE]
|
||||
> Please note that `rancher/kubectl` image does not always correspond to the most
|
||||
> recent version of Kubernetes. In order to find the most up-to-date version,
|
||||
> please visit their [releases](https://github.com/rancher/kubectl/releases) page.
|
||||
|
||||
```yaml
|
||||
global:
|
||||
openshift: false # If running on openshift, set to true
|
||||
|
|
@ -45,10 +40,6 @@ global:
|
|||
country: ARPA
|
||||
organization: Example
|
||||
commonName: example.org
|
||||
# If rancher/kubectl doesn't have a version that matches your cluster, uncomment and update:
|
||||
# tools:
|
||||
# kubectl:
|
||||
# tag: "v1.23.3"
|
||||
```
|
||||
|
||||
2. If you need a non default storageClass, append the following to the global.spire section and update:
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
|
|||
| `spiffeHelper.image.registry` | The OCI registry to pull the image from | `ghcr.io` |
|
||||
| `spiffeHelper.image.repository` | The repository within the registry | `spiffe/spiffe-helper` |
|
||||
| `spiffeHelper.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `spiffeHelper.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.10.0` |
|
||||
| `spiffeHelper.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.10.1` |
|
||||
| `spiffeHelper.resources` | Resource requests and limits | `{}` |
|
||||
| `resources` | Resource requests and limits | `{}` |
|
||||
| `service.type` | Service type | `ClusterIP` |
|
||||
|
|
@ -122,15 +122,15 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
|
|||
| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
|
||||
| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:eefb26b2a87b897e4dad65909dad8a7896fe3ed97aa76ac874fa3594011256ea` |
|
||||
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
|
||||
| `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` |
|
||||
| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3dd03ca4056a6c8024ed1e5dc0999aa836c0c28777dcc3b85bd1d9d853e1ed38` |
|
||||
| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53` |
|
||||
| `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` |
|
||||
| `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` |
|
||||
| `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.28.6` |
|
||||
| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.28.7` |
|
||||
| `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` |
|
||||
| `tests.busybox.image.repository` | The repository within the registry | `busybox` |
|
||||
| `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
|
|
@ -139,7 +139,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
|
|||
| `tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` |
|
||||
| `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
|
||||
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
|
||||
| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
|
||||
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
|
||||
| `tools.kubectl.image.repository` | The repository within the registry | `kubectl` |
|
||||
| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
|
||||
|
|
|
|||
|
|
@ -53,7 +53,7 @@ spiffeHelper:
|
|||
registry: ghcr.io
|
||||
repository: spiffe/spiffe-helper
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 0.10.0
|
||||
tag: 0.10.1
|
||||
## @param spiffeHelper.resources [object] Resource requests and limits
|
||||
resources: {}
|
||||
|
||||
|
|
@ -346,7 +346,7 @@ tests:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/bash
|
||||
pullPolicy: IfNotPresent
|
||||
tag: latest@sha256:eefb26b2a87b897e4dad65909dad8a7896fe3ed97aa76ac874fa3594011256ea
|
||||
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
|
||||
|
||||
toolkit:
|
||||
## @param tests.toolkit.image.registry The OCI registry to pull the image from
|
||||
|
|
@ -358,7 +358,7 @@ tests:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/min-toolkit-debug
|
||||
pullPolicy: IfNotPresent
|
||||
tag: latest@sha256:3dd03ca4056a6c8024ed1e5dc0999aa836c0c28777dcc3b85bd1d9d853e1ed38
|
||||
tag: latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53
|
||||
|
||||
step:
|
||||
## @param tests.step.image.registry The OCI registry to pull the image from
|
||||
|
|
@ -370,7 +370,7 @@ tests:
|
|||
registry: "docker.io"
|
||||
repository: smallstep/step-cli
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 0.28.6
|
||||
tag: 0.28.7
|
||||
|
||||
busybox:
|
||||
## @param tests.busybox.image.registry The OCI registry to pull the image from
|
||||
|
|
@ -404,7 +404,7 @@ tools:
|
|||
## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: rancher/kubectl
|
||||
registry: registry.k8s.io
|
||||
repository: kubectl
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ name: spike-keeper
|
|||
description: A Helm chart to deploy SPIKE Keeper
|
||||
type: application
|
||||
version: 0.1.0
|
||||
appVersion: "0.4.1"
|
||||
appVersion: "0.4.2"
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
sources:
|
||||
- https://github.com/spiffe/spike
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ name: spike-nexus
|
|||
description: A Helm chart to deploy SPIKE Nexus
|
||||
type: application
|
||||
version: 0.1.0
|
||||
appVersion: "0.4.1"
|
||||
appVersion: "0.4.2"
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
sources:
|
||||
- https://github.com/spiffe/spike
|
||||
|
|
|
|||
|
|
@ -34,6 +34,7 @@ A Helm chart to deploy spike nexus
|
|||
| `image.repository` | The repository within the registry | `spiffe/spike-nexus` |
|
||||
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
|
||||
| `backendStore` | The backend store to use. Must be one of [sqlite, memory, lite] | `sqlite` |
|
||||
| `replicas` | The number of keepers to launch | `1` |
|
||||
| `shamir.shares` | How many shares to configure for shamir secrets | `3` |
|
||||
| `shamir.threshold` | How many shares needed to recover | `2` |
|
||||
|
|
|
|||
|
|
@ -36,6 +36,8 @@ spec:
|
|||
containerPort: 8443
|
||||
protocol: TCP
|
||||
env:
|
||||
- name: SPIKE_NEXUS_BACKEND_STORE
|
||||
value: {{ .Values.backendStore | quote }}
|
||||
- name: SPIKE_NEXUS_SHAMIR_SHARES
|
||||
value: {{ .Values.shamir.shares | quote }}
|
||||
- name: SPIKE_NEXUS_SHAMIR_THRESHOLD
|
||||
|
|
|
|||
|
|
@ -17,6 +17,9 @@ image:
|
|||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
|
||||
## @param backendStore The backend store to use. Must be one of [sqlite, memory, lite]
|
||||
backendStore: sqlite
|
||||
|
||||
## @param replicas The number of keepers to launch
|
||||
replicas: 1
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ name: spike-pilot
|
|||
description: A Helm chart to deploy SPIKE Pilot
|
||||
type: application
|
||||
version: 0.1.0
|
||||
appVersion: "0.4.1"
|
||||
appVersion: "0.4.2"
|
||||
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
|
||||
sources:
|
||||
- https://github.com/spiffe/spike
|
||||
|
|
|
|||
|
|
@ -70,9 +70,10 @@ A Helm chart to install the SPIRE agent.
|
|||
| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` |
|
||||
| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` |
|
||||
| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:eefb26b2a87b897e4dad65909dad8a7896fe3ed97aa76ac874fa3594011256ea` |
|
||||
| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
|
||||
| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
|
||||
| `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` |
|
||||
| `keyManager.disk.enabled` | Enable the disk based Key Manager (must have persistence.type set to hostPath when enabled) | `false` |
|
||||
| `nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s Node Attestor | `true` |
|
||||
| `nodeAttestor.httpChallenge.enabled` | Enable the http challenge Node Attestor | `false` |
|
||||
| `nodeAttestor.httpChallenge.agentname` | Name of this agent. Useful if you have multiple agents bound to different spire servers on the same host and sharing the same port. | `default` |
|
||||
|
|
@ -90,6 +91,7 @@ A Helm chart to install the SPIRE agent.
|
|||
| `nodeAttestor.tpmDirect.pubHash.image.repository` | The repository within the registry | `spiffe/spire-tpm-plugin-get-tpm-pubhash` |
|
||||
| `nodeAttestor.tpmDirect.pubHash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `nodeAttestor.tpmDirect.pubHash.image.tag` | Overrides the image tag | `v1.9.0` |
|
||||
| `nodeAttestor.awsIID.enabled` | Enable the aws_iid Node Attestor | `false` |
|
||||
| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` |
|
||||
| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` |
|
||||
| `workloadAttestors.k8s.verification.type` | What kind of verification to do against kubelet. auto will first attempt to use hostCert, and then fall back to apiServerCA. Valid options are [auto, hostCert, apiServerCA, skip] | `skip` |
|
||||
|
|
@ -108,18 +110,21 @@ A Helm chart to install the SPIRE agent.
|
|||
| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` |
|
||||
| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` |
|
||||
| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` |
|
||||
| `telemetry.datadog.enabled` | Flag to enable datadog monitoring | `false` |
|
||||
| `telemetry.datadog.address` | The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc` | `datadog.kube-system.svc` |
|
||||
| `telemetry.datadog.port` | The port of the datadog service to send metrics to | `8125` |
|
||||
| `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. | `""` |
|
||||
| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` |
|
||||
| `socketAlternate.names` | List of alternate names for the socket that workloads might expect to be able to access in the driver mount. | `["socket","spire-agent.sock","api.sock"]` |
|
||||
| `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` |
|
||||
| `socketAlternate.image.pullPolicy` | The image pull policy | `Always` |
|
||||
| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:eefb26b2a87b897e4dad65909dad8a7896fe3ed97aa76ac874fa3594011256ea` |
|
||||
| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
|
||||
| `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
|
||||
| `hostCert.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `hostCert.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` |
|
||||
| `hostCert.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `hostCert.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3dd03ca4056a6c8024ed1e5dc0999aa836c0c28777dcc3b85bd1d9d853e1ed38` |
|
||||
| `hostCert.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53` |
|
||||
| `hostCert.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
|
||||
| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` |
|
||||
| `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` |
|
||||
|
|
@ -136,8 +141,8 @@ A Helm chart to install the SPIRE agent.
|
|||
| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` |
|
||||
| `experimental.featureFlags` | List of developer feature flags | `[]` |
|
||||
| `agents` | Configure multiple agent DaemonSets. Useful when you have different node types and nodeAttestors | `{}` |
|
||||
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
|
||||
| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
|
||||
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
|
||||
| `tools.kubectl.image.repository` | The repository within the registry | `kubectl` |
|
||||
| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
|
||||
| `sockets.hostBasePath` | Path on which the agent socket is made available when admin.mountOnHost is true | `/run/spire/agent/sockets` |
|
||||
|
|
|
|||
|
|
@ -19,8 +19,11 @@
|
|||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.keyManager.disk.enabled (ne .Values.persistence.type "hostPath") }}
|
||||
{{- fail "keyManager.disk.enabled is true but persistence.type is not hostPath. Ensure persistence.type is hostPath when keyManager.disk.enabled is true." }}
|
||||
{{- end }}
|
||||
{{- if hasPrefix (.Values.socketPath | dir | clean) (.Values.sockets.hostBasePath | clean) }}
|
||||
{{- fail "The sockets.hostBasePath can not be located under the socketPath direcotry" }}
|
||||
{{- fail "The sockets.hostBasePath can not be located under the socketPath directory" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- define "spire-agent.yaml-config" -}}
|
||||
|
|
@ -104,6 +107,13 @@ plugins:
|
|||
{{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeAttestor.awsIID }}
|
||||
{{- if eq (.enabled | toString) "true" }}
|
||||
aws_iid:
|
||||
plugin_data: {}
|
||||
{{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if ne $nodeAttestorUsed 1 }}
|
||||
{{- fail (printf "You have to enable exactly one Node Attestor. There are %d enabled." $nodeAttestorUsed) }}
|
||||
{{- end }}
|
||||
|
|
@ -114,6 +124,12 @@ plugins:
|
|||
plugin_data:
|
||||
{{- $keyManagerUsed = add1 $keyManagerUsed }}
|
||||
{{- end }}
|
||||
{{- if .Values.keyManager.disk.enabled }}
|
||||
disk:
|
||||
plugin_data:
|
||||
directory: {{ .Values.persistence.hostPath }}
|
||||
{{- $keyManagerUsed = add1 $keyManagerUsed }}
|
||||
{{- end }}
|
||||
{{- if ne $keyManagerUsed 1 }}
|
||||
{{- fail (printf "You have to enable exactly one Key Manager. There are %d enabled." $keyManagerUsed) }}
|
||||
{{- end }}
|
||||
|
|
@ -154,6 +170,13 @@ telemetry:
|
|||
- host: "0.0.0.0"
|
||||
port: {{ .Values.telemetry.prometheus.port }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.telemetry.datadog.enabled }}
|
||||
telemetry:
|
||||
- DogStatsd:
|
||||
- address: "{{ .Values.telemetry.datadog.address }}:{{ .Values.telemetry.datadog.port }}"
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
{{- $root := . }}
|
||||
{{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }}
|
||||
|
|
|
|||
|
|
@ -9,6 +9,9 @@
|
|||
{{- if hasKey .Values.sds "disableSpiffeCertValidation" }}
|
||||
{{- fail "disableSpiffeCertValidation was renamed to disableSPIFFECertValidation. Please update your config." }}
|
||||
{{- end }}
|
||||
{{- if and .Values.keyManager.disk.enabled (ne .Values.persistence.type "hostPath") }}
|
||||
{{- fail "keyManager.disk.enabled is true but persistence.type is not hostPath. Ensure persistence.type is hostPath when keyManager.disk.enabled is true." }}
|
||||
{{- end }}
|
||||
{{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }}
|
||||
{{- with (dict "Release" $root.Release "Chart" $root.Chart "Values" (deepCopy $root.Values)) }}
|
||||
{{- $nameSuffix := "" }}
|
||||
|
|
@ -256,6 +259,11 @@ spec:
|
|||
- name: spire-config
|
||||
mountPath: /opt/spire/conf/agent
|
||||
readOnly: true
|
||||
{{- if .Values.keyManager.disk.enabled }}
|
||||
- name: spire-key-manager
|
||||
mountPath: {{ .Values.persistence.hostPath }}
|
||||
readOnly: false
|
||||
{{- end }}
|
||||
- name: spire-agent-persistence
|
||||
mountPath: /var/lib/spire
|
||||
{{- if .Values.sockets.admin.enabled }}
|
||||
|
|
@ -324,6 +332,12 @@ spec:
|
|||
- name: spire-config
|
||||
configMap:
|
||||
name: {{ include "spire-agent.fullname" . }}
|
||||
{{- if .Values.keyManager.disk.enabled }}
|
||||
- name: spire-key-manager
|
||||
hostPath:
|
||||
path: {{ .Values.persistence.hostPath }}
|
||||
type: DirectoryOrCreate
|
||||
{{- end }}
|
||||
{{- if .Values.sockets.admin.mountOnHost }}
|
||||
- name: spire-agent-admin-socket-dir
|
||||
hostPath:
|
||||
|
|
|
|||
|
|
@ -153,7 +153,7 @@ fsGroupFix:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/bash
|
||||
pullPolicy: Always
|
||||
tag: latest@sha256:eefb26b2a87b897e4dad65909dad8a7896fe3ed97aa76ac874fa3594011256ea
|
||||
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
|
||||
|
||||
## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||||
resources: {}
|
||||
|
|
@ -162,6 +162,9 @@ keyManager:
|
|||
memory:
|
||||
## @param keyManager.memory.enabled Enable the memory based Key Manager
|
||||
enabled: true
|
||||
disk:
|
||||
## @param keyManager.disk.enabled Enable the disk based Key Manager (must have persistence.type set to hostPath when enabled)
|
||||
enabled: false
|
||||
|
||||
nodeAttestor:
|
||||
k8sPSAT:
|
||||
|
|
@ -207,6 +210,9 @@ nodeAttestor:
|
|||
repository: spiffe/spire-tpm-plugin-get-tpm-pubhash
|
||||
pullPolicy: IfNotPresent
|
||||
tag: "v1.9.0"
|
||||
awsIID:
|
||||
## @param nodeAttestor.awsIID.enabled Enable the aws_iid Node Attestor
|
||||
enabled: false
|
||||
|
||||
# workloadAttestors determine a workload's properties and then generate a set of selectors associated with it.
|
||||
workloadAttestors:
|
||||
|
|
@ -257,6 +263,13 @@ telemetry:
|
|||
namespace: ""
|
||||
## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring
|
||||
labels: {}
|
||||
datadog:
|
||||
## @param telemetry.datadog.enabled Flag to enable datadog monitoring
|
||||
enabled: false
|
||||
## @param telemetry.datadog.address The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc`
|
||||
address: "datadog.kube-system.svc"
|
||||
## @param telemetry.datadog.port The port of the datadog service to send metrics to
|
||||
port: 8125
|
||||
|
||||
## @param kubeletConnectByHostname If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise.
|
||||
kubeletConnectByHostname: ""
|
||||
|
|
@ -280,7 +293,7 @@ socketAlternate:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/bash
|
||||
pullPolicy: Always
|
||||
tag: latest@sha256:eefb26b2a87b897e4dad65909dad8a7896fe3ed97aa76ac874fa3594011256ea
|
||||
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
|
||||
|
||||
## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||||
resources: {}
|
||||
|
|
@ -295,7 +308,7 @@ hostCert:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/min-toolkit-debug
|
||||
pullPolicy: IfNotPresent
|
||||
tag: latest@sha256:3dd03ca4056a6c8024ed1e5dc0999aa836c0c28777dcc3b85bd1d9d853e1ed38
|
||||
tag: latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53
|
||||
|
||||
## @param hostCert.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||||
resources: {}
|
||||
|
|
@ -370,8 +383,8 @@ tools:
|
|||
## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: rancher/kubectl
|
||||
registry: registry.k8s.io
|
||||
repository: kubectl
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
|
||||
|
|
|
|||
|
|
@ -341,8 +341,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `externalControllerManagers.defaults.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` |
|
||||
| `externalControllerManagers.defaults.cacheNamespaces` | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. | `{}` |
|
||||
| `externalControllerManagers.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` |
|
||||
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
|
||||
| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
|
||||
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
|
||||
| `tools.kubectl.image.repository` | The repository within the registry | `kubectl` |
|
||||
| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
|
||||
| `tools.busybox.image.registry` | The OCI registry to pull the image from | `""` |
|
||||
|
|
@ -353,6 +353,9 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` |
|
||||
| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` |
|
||||
| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` |
|
||||
| `telemetry.datadog.enabled` | Flag to enable datadog monitoring | `false` |
|
||||
| `telemetry.datadog.address` | The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc` | `datadog.kube-system.svc` |
|
||||
| `telemetry.datadog.port` | The port of the datadog service to send metrics to | `8125` |
|
||||
| `ingress.enabled` | Flag to enable ingress | `false` |
|
||||
| `ingress.className` | Ingress class name | `""` |
|
||||
| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
|
||||
|
|
@ -368,6 +371,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `initContainers` | Additional init containers to create | `[]` |
|
||||
| `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) | `rsa-2048` |
|
||||
| `caTTL` | TTL for CA | `24h` |
|
||||
| `agentTTL` | The TTL to use for agent SVIDs. If unset, the defaultX509SvidTTL will be used. | `""` |
|
||||
| `defaultX509SvidTTL` | TTL for X509 Svids | `4h` |
|
||||
| `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` |
|
||||
| `nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s nodeattestor | `true` |
|
||||
|
|
@ -396,6 +400,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `nodeAttestor.tpmDirect.pluginPath` | The filename in the container of the plugin | `/app/tpm_attestor_server` |
|
||||
| `nodeAttestor.tpmDirect.cas` | A dictionary of TPM CA PEM or DER files that are allowed to connect. | `{}` |
|
||||
| `nodeAttestor.tpmDirect.hashes` | A list of TPM hashes that are allowed to connect. | `[]` |
|
||||
| `nodeAttestor.awsIID.enabled` | Enable the aws_iid node attestor | `false` |
|
||||
| `nodeAttestor.awsIID.assumeRole` | AWS IAM Role NAME to use for the attestation | `""` |
|
||||
| `bundlePublisher.k8sConfigMap.enabled` | Enable local k8s bundle uploader | `true` |
|
||||
| `bundlePublisher.k8sConfigMap.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` |
|
||||
| `bundlePublisher.k8sConfigMap.format` | Format of the trust bundle. Can be pem or spiffe | `spiffe` |
|
||||
|
|
@ -466,10 +472,10 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` |
|
||||
| `customPlugins.upstreamAuthority` | Custom plugins of type upstreamAuthority are configured here | `{}` |
|
||||
| `customPlugins.notifier` | Custom plugins of type notifier are configured here | `{}` |
|
||||
| `chown.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `chown.image.repository` | The repository within the registry | `chainguard/bash` |
|
||||
| `chown.image.registry` | The OCI registry to pull the image from | `""` |
|
||||
| `chown.image.repository` | The repository within the registry | `busybox` |
|
||||
| `chown.image.pullPolicy` | The image pull policy | `Always` |
|
||||
| `chown.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:eefb26b2a87b897e4dad65909dad8a7896fe3ed97aa76ac874fa3594011256ea` |
|
||||
| `chown.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.37.0-uclibc` |
|
||||
| `chown.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
|
||||
| `experimental.enabled` | Allow configuration of experimental features | `false` |
|
||||
| `experimental.cacheReloadInterval` | The amount of time between two reloads of the in-memory entry cache. | `5s` |
|
||||
|
|
@ -482,5 +488,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
|
|||
| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
|
||||
| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:eefb26b2a87b897e4dad65909dad8a7896fe3ed97aa76ac874fa3594011256ea` |
|
||||
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
|
||||
| `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` |
|
||||
|
|
|
|||
|
|
@ -58,6 +58,9 @@ server:
|
|||
ca_key_type: {{ .Values.caKeyType | quote }}
|
||||
ca_ttl: {{ .Values.caTTL | quote }}
|
||||
|
||||
{{- if .Values.agentTTL }}
|
||||
agent_ttl: {{ .Values.agentTTL | quote }}
|
||||
{{- end }}
|
||||
default_x509_svid_ttl: {{ .Values.defaultX509SvidTTL | quote }}
|
||||
default_jwt_svid_ttl: {{ .Values.defaultJwtSvidTTL | quote }}
|
||||
|
||||
|
|
@ -139,7 +142,7 @@ plugins:
|
|||
{{- end }}
|
||||
disable_migration: {{ .Values.dataStore.sql.disableMigration }}
|
||||
|
||||
{{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.externalK8sPSAT.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled }}
|
||||
{{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.externalK8sPSAT.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled .Values.nodeAttestor.awsIID.enabled }}
|
||||
NodeAttestor:
|
||||
{{- $clusters := default .Values.kubeConfigs .Values.nodeAttestor.externalK8sPSAT.clusters }}
|
||||
{{- if or (eq (.Values.nodeAttestor.k8sPSAT.enabled | toString) "true") (and (eq (.Values.nodeAttestor.externalK8sPSAT.enabled | toString) "true") (gt (len $clusters) 0)) }}
|
||||
|
|
@ -219,6 +222,15 @@ plugins:
|
|||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeAttestor.awsIID }}
|
||||
{{- if eq (.enabled | toString) "true" }}
|
||||
aws_iid:
|
||||
plugin_data:
|
||||
{{- if ne .assumeRole "" }}
|
||||
assume_role: {{ .assumeRole | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- with .Values.keyManager.disk }}
|
||||
|
|
@ -487,6 +499,13 @@ telemetry:
|
|||
- host: "0.0.0.0"
|
||||
port: 9988
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.telemetry.datadog.enabled }}
|
||||
telemetry:
|
||||
- DogStatsd:
|
||||
- address: "{{ .Values.telemetry.datadog.address }}:{{ .Values.telemetry.datadog.port }}"
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
{{- if not .Values.externalServer }}
|
||||
apiVersion: v1
|
||||
|
|
|
|||
|
|
@ -180,7 +180,7 @@ spec:
|
|||
- name: chown
|
||||
image: {{ template "spire-lib.image" (dict "image" .Values.chown.image "global" .Values.global) }}
|
||||
imagePullPolicy: {{ .Values.chown.image.pullPolicy }}
|
||||
command: ["bash", "-c"]
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.runAsGroup }} /var/lib/spire
|
||||
|
|
|
|||
|
|
@ -825,8 +825,8 @@ tools:
|
|||
## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: rancher/kubectl
|
||||
registry: registry.k8s.io
|
||||
repository: kubectl
|
||||
pullPolicy: IfNotPresent
|
||||
tag: ""
|
||||
busybox:
|
||||
|
|
@ -852,6 +852,13 @@ telemetry:
|
|||
namespace: ""
|
||||
## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring
|
||||
labels: {}
|
||||
datadog:
|
||||
## @param telemetry.datadog.enabled Flag to enable datadog monitoring
|
||||
enabled: false
|
||||
## @param telemetry.datadog.address The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc`
|
||||
address: "datadog.kube-system.svc"
|
||||
## @param telemetry.datadog.port The port of the datadog service to send metrics to
|
||||
port: 8125
|
||||
|
||||
ingress:
|
||||
## @param ingress.enabled Flag to enable ingress
|
||||
|
|
@ -905,6 +912,8 @@ initContainers: []
|
|||
caKeyType: rsa-2048
|
||||
## @param caTTL TTL for CA
|
||||
caTTL: 24h
|
||||
## @param agentTTL The TTL to use for agent SVIDs. If unset, the defaultX509SvidTTL will be used.
|
||||
agentTTL: ""
|
||||
## @param defaultX509SvidTTL TTL for X509 Svids
|
||||
defaultX509SvidTTL: 4h
|
||||
## @param defaultJwtSvidTTL TTL for JWT Svids
|
||||
|
|
@ -975,6 +984,11 @@ nodeAttestor:
|
|||
cas: {}
|
||||
## @param nodeAttestor.tpmDirect.hashes A list of TPM hashes that are allowed to connect.
|
||||
hashes: []
|
||||
awsIID:
|
||||
## @param nodeAttestor.awsIID.enabled Enable the aws_iid node attestor
|
||||
enabled: false
|
||||
## @param nodeAttestor.awsIID.assumeRole AWS IAM Role NAME to use for the attestation
|
||||
assumeRole: ""
|
||||
|
||||
# The secrets needed for this plugin are configured in the secrets: section
|
||||
bundlePublisher:
|
||||
|
|
@ -1191,10 +1205,10 @@ chown:
|
|||
## @param chown.image.tag Overrides the image tag whose default is the chart appVersion
|
||||
##
|
||||
image:
|
||||
registry: cgr.dev
|
||||
repository: chainguard/bash
|
||||
registry: ""
|
||||
repository: busybox
|
||||
pullPolicy: Always
|
||||
tag: latest@sha256:eefb26b2a87b897e4dad65909dad8a7896fe3ed97aa76ac874fa3594011256ea
|
||||
tag: 1.37.0-uclibc
|
||||
|
||||
## @param chown.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||||
resources: {}
|
||||
|
|
@ -1229,7 +1243,7 @@ tests:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/bash
|
||||
pullPolicy: IfNotPresent
|
||||
tag: latest@sha256:eefb26b2a87b897e4dad65909dad8a7896fe3ed97aa76ac874fa3594011256ea
|
||||
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
|
||||
|
||||
## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters
|
||||
kubeConfigs: {}
|
||||
|
|
|
|||
|
|
@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details.
|
|||
| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
|
||||
| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
|
||||
| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
|
||||
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:eefb26b2a87b897e4dad65909dad8a7896fe3ed97aa76ac874fa3594011256ea` |
|
||||
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
|
||||
|
|
|
|||
|
|
@ -162,4 +162,4 @@ tests:
|
|||
registry: cgr.dev
|
||||
repository: chainguard/bash
|
||||
pullPolicy: IfNotPresent
|
||||
tag: latest@sha256:eefb26b2a87b897e4dad65909dad8a7896fe3ed97aa76ac874fa3594011256ea
|
||||
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
|
||||
|
|
|
|||
|
|
@ -0,0 +1,74 @@
|
|||
# AWS IID Node Attestor
|
||||
|
||||
This document provides a concise guide to the AWS IID node attestor plugin support in your system. The AWS IID attestor plugin automatically verifies instances using AWS's Instance Metadata API and Instance Identity Document.
|
||||
|
||||
## Configuration
|
||||
|
||||
The AWS IID node attestor can be configured with the following properties:
|
||||
|
||||
| Parameter | Description | Default |
|
||||
|-------------------------------|-----------------------------------------------------|---------|
|
||||
| **nodeAttestor.awsIID.enabled** | Enable the AWS IID node attestor | false |
|
||||
| **nodeAttestor.awsIID.assumeRole** | AWS IAM Role NAME to use for the attestation | "" |
|
||||
|
||||
### Sample Configuration
|
||||
|
||||
Here's a minimal configuration example for the server:
|
||||
|
||||
```yaml
|
||||
awsIID:
|
||||
enabled: true
|
||||
region: "us-west-2" # Specify your desired AWS region
|
||||
assumeRole: "example-role" # Specify the IAM Role NAME
|
||||
```
|
||||
|
||||
For the agent, ensure that the `awsIID` is also enabled:
|
||||
|
||||
```yaml
|
||||
awsIID:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
**Note:** When the `awsIID` node attestor is enabled on the server, it must also be enabled on the agent to ensure proper attestation.
|
||||
|
||||
### IAM Role
|
||||
|
||||
The `assumeRole` parameter requires the name of the IAM Role you wish to use for the attestation process. Ensure this role has the appropriate permissions.
|
||||
|
||||
### Required IAM Policy
|
||||
|
||||
To facilitate the node attestation, the following IAM policy example should be attached to the IAM Role mentioned in the `assumeRole`. This policy example is needed to get the instance's info from AWS:
|
||||
|
||||
```json
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ec2:DescribeInstances",
|
||||
"iam:GetInstanceProfile"
|
||||
],
|
||||
"Resource": "*"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
## Security Considerations
|
||||
|
||||
It’s important to note that while the AWS Instance Identity Document is used to prove node identity, it is accessible to any process running on the instance. Therefore, precautions should be made to ensure only the desired agent uses it for attestation.
|
||||
|
||||
Always monitor your systems for unauthorized access attempts and ensure your IAM roles follow the principle of least privilege.
|
||||
|
||||
For more information on AWS IAM roles and security best practices, refer to the [AWS IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).
|
||||
|
||||
## Additional Information
|
||||
|
||||
For more information on the server plugin, see the [Server Plugin Documentation](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_aws_iid.md).
|
||||
|
||||
And for the agent, see the [Agent Plugin Documentation](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_aws_iid.md).
|
||||
|
||||
---
|
||||
|
||||
By following the above guidelines, you can ensure a simple yet secure implementation of the AWS IID node attestor within your system.
|
||||
16
tests/go.mod
16
tests/go.mod
|
|
@ -4,8 +4,8 @@ go 1.24.3
|
|||
|
||||
require (
|
||||
github.com/onsi/ginkgo/v2 v2.23.4
|
||||
github.com/onsi/gomega v1.37.0
|
||||
helm.sh/helm/v3 v3.18.3
|
||||
github.com/onsi/gomega v1.38.0
|
||||
helm.sh/helm/v3 v3.18.4
|
||||
)
|
||||
|
||||
require (
|
||||
|
|
@ -47,20 +47,20 @@ require (
|
|||
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
|
||||
go.uber.org/automaxprocs v1.6.0 // indirect
|
||||
golang.org/x/crypto v0.39.0 // indirect
|
||||
golang.org/x/net v0.40.0 // indirect
|
||||
golang.org/x/net v0.41.0 // indirect
|
||||
golang.org/x/oauth2 v0.28.0 // indirect
|
||||
golang.org/x/sys v0.33.0 // indirect
|
||||
golang.org/x/term v0.32.0 // indirect
|
||||
golang.org/x/text v0.26.0 // indirect
|
||||
golang.org/x/time v0.9.0 // indirect
|
||||
golang.org/x/tools v0.33.0 // indirect
|
||||
google.golang.org/protobuf v1.36.5 // indirect
|
||||
google.golang.org/protobuf v1.36.6 // indirect
|
||||
gopkg.in/inf.v0 v0.9.1 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
k8s.io/api v0.33.1 // indirect
|
||||
k8s.io/apiextensions-apiserver v0.33.1 // indirect
|
||||
k8s.io/apimachinery v0.33.1 // indirect
|
||||
k8s.io/client-go v0.33.1 // indirect
|
||||
k8s.io/api v0.33.2 // indirect
|
||||
k8s.io/apiextensions-apiserver v0.33.2 // indirect
|
||||
k8s.io/apimachinery v0.33.2 // indirect
|
||||
k8s.io/client-go v0.33.2 // indirect
|
||||
k8s.io/klog/v2 v2.130.1 // indirect
|
||||
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
|
||||
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
|
||||
|
|
|
|||
32
tests/go.sum
32
tests/go.sum
|
|
@ -79,8 +79,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
|
|||
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
|
||||
github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
|
||||
github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
|
||||
github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
|
||||
github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
|
||||
github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY=
|
||||
github.com/onsi/gomega v1.38.0/go.mod h1:OcXcwId0b9QsE7Y49u+BTrL4IdKOBOKnD6VQNTJEB6o=
|
||||
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
|
||||
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
|
|
@ -131,8 +131,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
|
|||
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
|
||||
golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
|
||||
golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
|
||||
golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
|
||||
golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
|
||||
golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
|
||||
golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
|
||||
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
|
|
@ -161,8 +161,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
|
|||
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
|
||||
google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
|
||||
google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
|
||||
google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
|
||||
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
|
||||
|
|
@ -173,16 +173,16 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
|
|||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
helm.sh/helm/v3 v3.18.3 h1:+cvyGKgs7Jt7BN3Klmb4SsG4IkVpA7GAZVGvMz6VO4I=
|
||||
helm.sh/helm/v3 v3.18.3/go.mod h1:wUc4n3txYBocM7S9RjTeZBN9T/b5MjffpcSsWEjSIpw=
|
||||
k8s.io/api v0.33.1 h1:tA6Cf3bHnLIrUK4IqEgb2v++/GYUtqiu9sRVk3iBXyw=
|
||||
k8s.io/api v0.33.1/go.mod h1:87esjTn9DRSRTD4fWMXamiXxJhpOIREjWOSjsW1kEHw=
|
||||
k8s.io/apiextensions-apiserver v0.33.1 h1:N7ccbSlRN6I2QBcXevB73PixX2dQNIW0ZRuguEE91zI=
|
||||
k8s.io/apiextensions-apiserver v0.33.1/go.mod h1:uNQ52z1A1Gu75QSa+pFK5bcXc4hq7lpOXbweZgi4dqA=
|
||||
k8s.io/apimachinery v0.33.1 h1:mzqXWV8tW9Rw4VeW9rEkqvnxj59k1ezDUl20tFK/oM4=
|
||||
k8s.io/apimachinery v0.33.1/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
|
||||
k8s.io/client-go v0.33.1 h1:ZZV/Ks2g92cyxWkRRnfUDsnhNn28eFpt26aGc8KbXF4=
|
||||
k8s.io/client-go v0.33.1/go.mod h1:JAsUrl1ArO7uRVFWfcj6kOomSlCv+JpvIsp6usAGefA=
|
||||
helm.sh/helm/v3 v3.18.4 h1:pNhnHM3nAmDrxz6/UC+hfjDY4yeDATQCka2/87hkZXQ=
|
||||
helm.sh/helm/v3 v3.18.4/go.mod h1:WVnwKARAw01iEdjpEkP7Ii1tT1pTPYfM1HsakFKM3LI=
|
||||
k8s.io/api v0.33.2 h1:YgwIS5jKfA+BZg//OQhkJNIfie/kmRsO0BmNaVSimvY=
|
||||
k8s.io/api v0.33.2/go.mod h1:fhrbphQJSM2cXzCWgqU29xLDuks4mu7ti9vveEnpSXs=
|
||||
k8s.io/apiextensions-apiserver v0.33.2 h1:6gnkIbngnaUflR3XwE1mCefN3YS8yTD631JXQhsU6M8=
|
||||
k8s.io/apiextensions-apiserver v0.33.2/go.mod h1:IvVanieYsEHJImTKXGP6XCOjTwv2LUMos0YWc9O+QP8=
|
||||
k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
|
||||
k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
|
||||
k8s.io/client-go v0.33.2 h1:z8CIcc0P581x/J1ZYf4CNzRKxRvQAwoAolYPbtQes+E=
|
||||
k8s.io/client-go v0.33.2/go.mod h1:9mCgT4wROvL948w6f6ArJNb7yQd7QsvqavDeZHvNmHo=
|
||||
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
|
||||
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
|
||||
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
|
||||
|
|
|
|||
Loading…
Reference in New Issue