diff --git a/.github/tests/charts.json b/.github/tests/charts.json
index 5e3036960..da053ad9c 100644
--- a/.github/tests/charts.json
+++ b/.github/tests/charts.json
@@ -2,26 +2,26 @@
   {
     "name": "kube-prometheus-stack",
     "repo": "https://prometheus-community.github.io/helm-charts",
-    "version": "57.2.0"
+    "version": "58.7.2"
   },
   {
     "name": "cert-manager",
     "repo": "https://charts.jetstack.io",
-    "version": "v1.14.4"
+    "version": "v1.14.5"
   },
   {
     "name": "ingress-nginx",
     "repo": "https://kubernetes.github.io/ingress-nginx",
-    "version": "4.10.0"
+    "version": "4.10.1"
   },
   {
     "name": "mysql",
     "repo": "https://charts.bitnami.com/bitnami",
-    "version": "10.1.0"
+    "version": "11.0.0"
   },
   {
     "name": "postgresql",
     "repo": "https://charts.bitnami.com/bitnami",
-    "version": "15.1.4"
+    "version": "15.4.0"
   }
 ]
diff --git a/.github/tests/common.sh b/.github/tests/common.sh
index 7d5323b2e..0566665d9 100755
--- a/.github/tests/common.sh
+++ b/.github/tests/common.sh
@@ -21,7 +21,7 @@ $(kubectl --request-timeout=30s describe pods --namespace "$1")
 
 #### Logs
 \`\`\`shell
-$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done)
+$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --prefix --all-containers=true --ignore-errors=true; done)
 $( ([[ -n "$2" ]] && kubectl get pods -o name -n "$2") | while read -r line; do echo logs for "${line}"; kubectl logs -n "$2" "${line}" --all-containers=true --ignore-errors=true; done)
 \`\`\`
 
diff --git a/.github/tests/dependencies/spire-root-server-values.yaml b/.github/tests/dependencies/spire-root-server-values.yaml
deleted file mode 100644
index e7bda6298..000000000
--- a/.github/tests/dependencies/spire-root-server-values.yaml
+++ /dev/null
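Review bot: The `--prefix` flag is added only to the first `kubectl logs` loop (namespace `$1`); the second loop on the next context line, which collects logs for the optional second namespace `$2`, still runs without it, so those lines cannot be attributed to a pod or container in the CI summary while the first namespace's now can. Apply the same flag there: `kubectl logs -n "$2" "${line}" --prefix --all-containers=true --ignore-errors=true`. Both loops dump every container's output from the namespace verbatim into the job summary; since SPIRE components are what run in these namespaces, a one-line comment in the heredoc such as `# Logs are copied unredacted into the job summary; keep debug-level output out of CI values` would make that trade-off explicit for whoever next raises log verbosity. The heredoc these lines belong to starts and ends outside the hunk.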
@@ -1,45 +0,0 @@
-global:
-  spire:
-    clusterName: production
-    trustDomain: production.other
-
-spire-server:
-  controllerManager:
-    identities:
-      clusterSPIFFEIDs:
-        default:
-          type: raw
-          spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
-          namespaceSelector:
-            matchExpressions:
-              - key: "kubernetes.io/metadata.name"
-                operator: In
-                values: [spire-server]
-          podSelector:
-            matchLabels:
-              release: spire
-              release-namespace: spire-server
-              component: server
-          downstream: true
-  oidc-discovery-provider:
-    enabled: false
-  test-keys:
-    enabled: false
-  nodeAttestor:
-    k8sPsat:
-      serviceAccountAllowList:
-        - spire-system:spire-agent-upstream
-  bundleConfigMap: spire-bundle-upstream
-  notifier:
-    k8sbundle:
-      namespace: spire-system
-
-spiffe-oidc-discovery-provider:
-  enabled: false
-
-spire-agent:
-  enabled: false
-
-spiffe-csi-driver:
-  enabled: false
-
diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml
index 08758b471..d93646507 100644
--- a/.github/workflows/helm-chart-ci.yaml
+++ b/.github/workflows/helm-chart-ci.yaml
@@ -249,7 +249,7 @@ jobs:
 
       - name: Install and test example
         run: |
-          if [ "${{ matrix.example }}" = "examples/federation" ]; then
+          if [ "${{ matrix.example }}" = "examples/federation" -o "${{ matrix.example }}" = "examples/nested-full" -o "${{ matrix.example }}" = "examples/nested-security" ]; then
             kubectl create namespace spire-mgmt
             helm install -n spire-mgmt spire-crds charts/spire-crds
           else
@@ -300,8 +300,7 @@ jobs:
 
       - name: Install and test integration
         run: |
-          kubectl create namespace spire-server
-          helm install -n spire-server spire-crds charts/spire-crds
+          helm install --create-namespace -n spire-mgmt spire-crds charts/spire-crds
           ${{ matrix.integrationtest }}/run-tests.sh
 
   upgrade-test:
diff --git a/charts/spire-nested/.helmignore b/charts/spire-nested/.helmignore
new file mode 100644
index 000000000..5bdaa3eb0
--- /dev/null
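Review bot: The new `if` line in the "Install and test example" step chains conditions with `-o` inside a single `[ ]`, a form POSIX marks obsolescent and that several shells parse ambiguously once operands can look like options, and it now splices the `${{ matrix.example }}` expression into the shell script three times instead of once. The matrix values appear to be defined by this workflow itself, so the script-injection exposure is presumably low, but GitHub's hardening guidance is to hand expressions to the script through `env` rather than inline, which also removes the repetition: add `env:` and `EXAMPLE: ${{ matrix.example }}` to the step, then test with `if [ "$EXAMPLE" = examples/federation ] || [ "$EXAMPLE" = examples/nested-full ] || [ "$EXAMPLE" = examples/nested-security ]; then`. The `if`/`else` body continues past the end of the hunk.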
+++ b/charts/spire-nested/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+ci/
diff --git a/charts/spire-nested/Chart.yaml b/charts/spire-nested/Chart.yaml
new file mode 100644
index 000000000..c5fb70f16
--- /dev/null
+++ b/charts/spire-nested/Chart.yaml
@@ -0,0 +1,116 @@
+apiVersion: v2
+name: spire-nested
+description: >
+  A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
+type: application
+version: 0.20.0
+appVersion: "1.9.6"
+keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
+sources:
+  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
+icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
+maintainers:
+  - name: marcofranssen
+    email: marco.franssen@gmail.com
+    url: https://marcofranssen.nl
+  - name: kfox1111
+    email: Kevin.Fox@pnnl.gov
+  - name: faisal-memon
+    email: fymemon@yahoo.com
+kubeVersion: ">=1.21.0-0"
+dependencies:
+  - name: spire-lib
+    repository: file://../spire/charts/spire-lib
+    version: 0.1.0
+  - name: spire-server
+    alias: root-spire-server
+    condition: root-spire-server.enabled
+    tags:
+      - nestedRoot
+    repository: file://../spire/charts/spire-server
+    version: 0.1.0
+  - name: spire-server
+    alias: external-root-spire-server-full
+    condition: external-root-spire-server-full.enabled
+    tags:
+      - nestedChildFull
+    repository: file://../spire/charts/spire-server
+    version: 0.1.0
+  - name: spire-server
+    alias: external-root-spire-server-security
+    condition: external-root-spire-server-security.enabled
+    tags:
+      - nestedChildSecurity
+    repository: file://../spire/charts/spire-server
+    version: 0.1.0
+  - name: spire-server
+    alias: internal-spire-server
+    condition: internal-spire-server.enabled
+    tags:
+      - nestedRoot
+      - nestedChildFull
+    repository: file://../spire/charts/spire-server
+    version: 0.1.0
+  - name: spire-server
+    alias: external-spire-server
+    condition: external-spire-server.enabled
+    tags:
+      - nestedRoot
+    repository: file://../spire/charts/spire-server
+    version: 0.1.0
+  - name: spire-agent
+    alias: downstream-spire-agent-full
+    condition: downstream-spire-agent-full.enabled
+    tags:
+      - nestedRoot
+      - nestedChildFull
+    repository: file://../spire/charts/spire-agent
+    version: 0.1.0
+  - name: spire-agent
+    alias: downstream-spire-agent-security
+    condition: downstream-spire-agent-security.enabled
+    tags:
+      - nestedChildSecurity
+    repository: file://../spire/charts/spire-agent
+    version: 0.1.0
+  - name: spire-agent
+    alias: upstream-spire-agent
+    condition: upstream-spire-agent.enabled
+    tags:
+      - nestedRoot
+      - nestedChildFull
+    repository: file://../spire/charts/spire-agent
+    version: 0.1.0
+  - name: spiffe-csi-driver
+    alias: downstream-spiffe-csi-driver
+    condition: downstream-spiffe-csi-driver.enabled
+    tags:
+      - nestedRoot
+      - nestedChildFull
+      - nestedChildSecurity
+    repository: file://../spire/charts/spiffe-csi-driver
+    version: 0.1.0
+  - name: spiffe-csi-driver
+    alias: upstream-spiffe-csi-driver
+    condition: upstream-spiffe-csi-driver.enabled
+    tags:
+      - nestedRoot
+      - nestedChildFull
+    repository: file://../spire/charts/spiffe-csi-driver
+    version: 0.1.0
+  - name: spiffe-oidc-discovery-provider
+    condition: spiffe-oidc-discovery-provider.enabled
+    tags:
+      - nestedRoot
+      - nestedChildFull
+      - nestedChildSecurity
+    repository: file://../spire/charts/spiffe-oidc-discovery-provider
+    version: 0.1.0
+  - name: tornjak-frontend
+    condition: tornjak-frontend.enabled
+    repository: file://../spire/charts/tornjak-frontend
+    version: 0.1.0
+annotations:
+  artifacthub.io/category: security
+  artifacthub.io/license: Apache-2.0
diff --git a/charts/spire-nested/LICENSE b/charts/spire-nested/LICENSE
new file mode 100644
index 000000000..261eeb9e9
--- /dev/null
+++ b/charts/spire-nested/LICENSE
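Review bot: The `home:` and `sources:` entries of the new `spire-nested` Chart.yaml point at `charts/spire`, the sibling chart this one was evidently copied from, so Artifact Hub and `helm show chart` will send users of the nested chart to the wrong source tree; they should read `home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire-nested` and `- https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire-nested`. The `description:` is likewise the verbatim text of the single-cluster chart and says nothing about the nested root/child topology that the `tags:` (`nestedRoot`, `nestedChildFull`, `nestedChildSecurity`) select, which is the one thing a reader of this chart's metadata needs. `kubeVersion: ">=1.21.0-0"` also appears to disagree with the `Kubernetes | 1.22+` row in the README added later in this diff; one of the two should be aligned so the chart's install-time constraint matches what the project says it supports.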
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/spire-nested/README.md b/charts/spire-nested/README.md new file mode 100644 index 000000000..03ca67f4d --- /dev/null +++ b/charts/spire-nested/README.md 
@@ -0,0 +1,352 @@ +# spire + +![Version: 0.20.0](https://img.shields.io/badge/Version-0.20.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.6](https://img.shields.io/badge/AppVersion-1.9.6-informational?style=flat-square) +[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) + +A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. + +**Homepage:** + +## Install Instructions + +### Non Production +To do a quick install suitable for testing in something like minikube: + +```shell +helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace +helm upgrade --install -n spire-server spire spire-nested --repo https://spiffe.github.io/helm-charts-hardened/ +``` + +### Production + +Preparing a production deployment requires a few steps. + +1. Save the following to your-values.yaml, ideally in your git repo. +```yaml +global: + openshift: false # If running on openshift, set to true + spire: + recommendations: + enabled: true + namespaces: + create: true + ingressControllerType: "" # If not openshift, and want to expose services, set to a supported option [ingress-nginx] + # Update these + clusterName: example-cluster + trustDomain: example.org + caSubject: + country: ARPA + organization: Example + commonName: example.org +``` + +2. If you need a non default storageClass, append the following to the spire-server section and update: +``` + persistence: + storageClass: your-storage-class +``` + +3. 
If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting: +```shell +oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//' +``` + +4. Find any additional values you might want to set based on the documentation below or using the [examples](https://github.com/spiffe/helm-charts-hardened/tree/main/examples) + +In particular, consider using an external database. + +5. Deploy + +```shell +helm upgrade --install -n spire-mgmt spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace +helm upgrade --install -n spire-mgmt spire spire-nested --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml +``` + +## Clean up + +```shell +helm -n spire-mgmt uninstall spire-crds +helm -n spire-mgmt uninstall spire +kubectl -n spire-server delete pvc -l app.kubernetes.io/instance=spire +kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeids.spire.spiffe.io clusterstaticentries.spire.spiffe.io +``` + +## Upgrade notes + +We only support upgrading one major version at a time. Version skipping isn't supported. + +### 0.17.X + +- If you set spire-server.replicaCount > 1, update it to 1 before upgrading and after upgrade you can set it back to its previous value. +- The SPIFFE OIDC Discovery Provider now has many new TLS options and defaults to using SPIRE to issue its certificate. +- The `spiffe-oidc-discovery-provider.insecureScheme.enabled` flag was removed. If you previously set that flag, remove the setting from your values.yaml and see if the new default of using a SPIRE issued certificate is suitable for your deployment. If it isn't, please consider one of the other options under `spiffe-oidc-discovery-provider.tls`. If all other options are still unsuitable, you can still enable the previous mode by disabling TLS. 
(`spiffe-oidc-discovery-provider.tls.spire.enabled=false`) + +- The SPIFFE OIDC Discovery Provider is now enabled by default. If you previously chose to have it off, you can disable it explicitly with `spiffe-oidc-discovery-provider.enabled=false`. + +### 0.16.X + +The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade. + +### 0.15.X + +The spire-crds chart has been updated. Please ensure you have upgraded spire-crds before upgrading the spire chart. + +The chart now supports multiple parallel installs of spire-controller-manager. Each install will handle all custom resources with a matching `className` field. By default this is set to `Release.Namespace-Release.Name` and the controller manager will only pick up custom resources with this `className`. + +If you have not loaded any SPIRE custom resources yourself, the upgrade process will be transparent. If you have loaded your own SPIRE custom resources, set `spire-server.controllerManager.watchClassless=true` until you can update your SPIRE custom resources to have the `className` for the instance specified. + +### 0.14.X + +If coming from a chart version before 0.14.0, you must relabel your crds to switch to using the new spire-crds chart. To migrate to the spire-crds chart +run the following: + +Replace the spire-server namespace in the commands below with the namespace you want to install the spire-crds chart in. 
+ +```shell +kubectl label crd "clusterfederatedtrustdomains.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm" +kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds" +kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server" +kubectl label crd "clusterspiffeids.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm" +kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds" +kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server" +kubectl label crd "controllermanagerconfigs.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm" +kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds" +kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server" +helm install -n spire-server spire-crds charts/spire-crds +``` + +## Version support + +> [!Warning] +> This Chart is still in development and still subject to change the API (`values.yaml`). +> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although +> we do aim for as much stability as possible. + +| Dependency | Supported Versions | +|:-----------|:-------------------| +| Helm | `3.x` | +| Kubernetes | `1.22+` | + +> [!Note] +> For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. 
+ +## FAQ + +For any issues see our [FAQ](../../FAQ.md)… + +## Usage + +To utilize Spire in your own workloads you should add the following to your workload: + +```diff + apiVersion: v1 + kind: Pod + metadata: + name: my-app + spec: + containers: + - name: my-app + image: "my-app:latest" + imagePullPolicy: Always ++ volumeMounts: ++ - name: spiffe-workload-api ++ mountPath: /spiffe-workload-api ++ readOnly: true + resources: + requests: + cpu: 200m + memory: 32Mi + limits: + cpu: 500m + memory: 64Mi ++ volumes: ++ - name: spiffe-workload-api ++ csi: ++ driver: "csi.spiffe.io" ++ readOnly: true +``` + +Now you can interact with the Spire agent socket from your own application. The socket is mounted on `/spiffe-workload-api/spire-agent.sock`. + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| marcofranssen | | | +| kfox1111 | | | +| faisal-memon | | | +| edwbuck | | | + +## Source Code + +* + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://./charts/spiffe-csi-driver | spiffe-csi-driver | 0.1.0 | +| file://./charts/spiffe-csi-driver | upstream-spiffe-csi-driver(spiffe-csi-driver) | 0.1.0 | +| file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 | +| file://./charts/spire-agent | spire-agent | 0.1.0 | +| file://./charts/spire-agent | upstream-spire-agent(spire-agent) | 0.1.0 | +| file://./charts/spire-server | spire-server | 0.1.0 | +| file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 | + + + +## Parameters + +### Global parameters + +| Name | Description | Value | +| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | +| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | 
`cluster.local` | +| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` | +| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` | +| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` | +| `global.spire.caSubject.country` | Country for Spire server CA | `""` | +| `global.spire.caSubject.organization` | Organization for Spire server CA | `""` | +| `global.spire.caSubject.commonName` | Common Name for Spire server CA | `""` | +| `global.spire.recommendations.enabled` | Use recommended settings for production deployments. Default is off. | `false` | +| `global.spire.recommendations.namespaceLayout` | Set to true to use recommended values for installing across namespaces | `true` | +| `global.spire.recommendations.namespacePSS` | When chart namespace creation is enabled, label them with preffered Pod Security Standard labels | `true` | +| `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names | `true` | +| `global.spire.recommendations.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `true` | +| `global.spire.recommendations.securityContexts` | Set to true to use recommended values for Pod and Container Security Contexts | `true` | +| `global.spire.recommendations.prometheus` | Enable prometheus exporters for monitoring | `true` | +| `global.spire.image.registry` | Override all Spire image registries at once | `""` | +| `global.spire.namespaces.create` | Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created. | `false` | +| `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` | +| `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. 
| `false` | +| `global.spire.namespaces.system.annotations` | Annotations to apply to the Spire system Namespace. | `{}` | +| `global.spire.namespaces.system.labels` | Labels to apply to the Spire system Namespace. | `{}` | +| `global.spire.namespaces.server.name` | Name of the Spire server Namespace. | `spire-server` | +| `global.spire.namespaces.server.create` | Create a Namespace for Spire server resources. | `false` | +| `global.spire.namespaces.server.annotations` | Annotations to apply to the Spire server Namespace. | `{}` | +| `global.spire.namespaces.server.labels` | Labels to apply to the Spire server Namespace. | `{}` | +| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` | +| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. 
| `""` | +| `global.spire.tools.kubectl.tag` | Set to force the tag to use for all kubectl instances | `""` | +| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | +| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | +| `tags.nestedRoot` | Set the chart architecture to root nested | `false` | +| `tags.nestedChildFull` | Set the chart mode to a child cluster with its own nested server | `false` | +| `tags.nestedChildSecurity` | Set the chart mode to a child cluster for use with a security cluster | `false` | + +### Spire agent parameters + +| Name | Description | Value | +| ------------------------------------------------- | ------------------------------------------------------------- | ------------------------- | +| `downstream-spire-agent-full.nameOverride` | Overrides the name of Spire agent pods | `agent-downstream` | +| `downstream-spire-agent-full.server.nameOverride` | The name override setting of the internal SPIRE server | `internal-server` | +| `downstream-spire-agent-full.bundleConfigMap` | The name of the configmap that contains the downstream bundle | `spire-bundle-downstream` | + +### Spire agent parameters + +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------- | ----------------------- | +| `downstream-spire-agent-security.nameOverride` | Overrides the name of Spire agent pods | `agent-downstream` | +| `downstream-spire-agent-security.bundleConfigMap` | The name of the configmap that contains the downstream bundle | `spire-bundle-upstream` | +| `downstream-spire-agent-security.serviceAccount.name` | The name of the service account to use | `spire-agent-upstream` | + +### Upstream Spire agent parameters + +| Name | Description | Value | +| 
------------------------------------------------ | -------------------------------------------------- | ---------------------------------------------------- | +| `upstream-spire-agent.upstream` | Flag for enabling upstream Spire agent | `true` | +| `upstream-spire-agent.nameOverride` | Name override for upstream Spire agent | `agent-upstream` | +| `upstream-spire-agent.bundleConfigMap` | The configmap name for upstream Spire agent bundle | `spire-bundle-upstream` | +| `upstream-spire-agent.socketPath` | Socket path where Spire agent socket is mounted | `/run/spire/agent-sockets-upstream/spire-agent.sock` | +| `upstream-spire-agent.serviceAccount.name` | Service account name for upstream Spire agent | `spire-agent-upstream` | +| `upstream-spire-agent.healthChecks.port` | Health check port number for upstream Spire agent | `9981` | +| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available | `9989` | +| `upstream-spire-agent.server.nameOverride` | The name override setting of the root SPIRE server | `root-server` | + +### SPIFFE CSI Driver parameters + +| Name | Description | Value | +| ----------------------------------------------- | ----------------- | ------------------------------ | +| `downstream-spiffe-csi-driver.fullnameOverride` | Fullname override | `spiffe-csi-driver-downstream` | + +### Upstream SPIFFE CSI Driver parameters + +| Name | Description | Value | +| ---------------------------------------------- | ----------------------------------------------------------- | ---------------------------------------------------- | +| `upstream-spiffe-csi-driver.fullnameOverride` | Fullname override | `spiffe-csi-driver-upstream` | +| `upstream-spiffe-csi-driver.pluginName` | The plugin name for configuring upstream Spiffe CSI driver | `upstream.csi.spiffe.io` | +| `upstream-spiffe-csi-driver.agentSocketPath` | The socket path where Spiffe CSI driver mounts agent socket | 
`/run/spire/agent-sockets-upstream/spire-agent.sock` | +| `upstream-spiffe-csi-driver.healthChecks.port` | The port where Spiffe CSI driver health checks are exposed | `9810` | + +### SPIFFE oidc discovery provider parameters + +| Name | Description | Value | +| ------------------------------------------------- | ----------------- | -------------------------------- | +| `spiffe-oidc-discovery-provider.fullnameOverride` | Fullname override | `spiffe-oidc-discovery-provider` | + +### Tornjak frontend parameters + +| Name | Description | Value | +| --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | +| `tornjak-frontend.enabled` | Enables deployment of Tornjak frontend/UI (Not for production) | `false` | +| `root-spire-server.nameOverride` | Name override | `root-server` | +| `root-spire-server.crNameOverride` | Custom Resource name override | `root` | +| `root-spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` | +| `root-spire-server.controllerManager.externalControllerManagers.enabled` | Flag to enable external controller managers | `true` | +| `root-spire-server.controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another instance on the k8s cluster with webhooks enabled. | `false` | +| `root-spire-server.controllerManager.className` | specify to use an explicit class name. 
| `spire-mgmt-root-server` | +| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled` | Enable child servers | `true` | +| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable the default cluster spiffe id | `false` | +| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the test-keys identity | `false` | +| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable the test-keys identity | `false` | +| `root-spire-server.externalControllerManagers.enabled` | Flag to enable external controller managers | `true` | +| `root-spire-server.nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| `root-spire-server.bundleConfigMap` | The name of the configmap to store the upstream bundle | `spire-bundle-upstream` | +| `external-root-spire-server-full.externalServer` | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true` | +| `external-root-spire-server-full.nameOverride` | Name override | `root-server` | +| `external-root-spire-server-full.crNameOverride` | Custom Resource name override | `root` | +| `external-root-spire-server-full.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` | +| `external-root-spire-server-full.controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another instance on the k8s cluster with webhooks enabled. | `false` | +| `external-root-spire-server-full.controllerManager.className` | specify to use an explicit class name. 
| `spire-mgmt-external-server` | +| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled` | Enable child servers | `true` | +| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable the default cluster spiffe id | `false` | +| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the test-keys identity | `false` | +| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable the test-keys identity | `false` | +| `external-root-spire-server-full.nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| `external-root-spire-server-full.bundleConfigMap` | The name of the configmap to store the upstream bundle | `spire-bundle-upstream` | +| `external-root-spire-server-security.externalServer` | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true` | +| `external-root-spire-server-security.nameOverride` | Name override | `root-server` | +| `external-root-spire-server-security.crNameOverride` | Custom Resource name override | `root` | +| `external-root-spire-server-security.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` | +| `external-root-spire-server-security.controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another instance on the k8s cluster with webhooks enabled. | `false` | +| `external-root-spire-server-security.controllerManager.className` | specify to use an explicit class name. 
| `spire-mgmt-external-server` | +| `external-root-spire-server-security.nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| `external-root-spire-server-security.bundleConfigMap` | The name of the configmap to store the upstream bundle | `spire-bundle-upstream` | + +### Spire server parameters + +| Name | Description | Value | +| ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------- | ---------------------------- | +| `internal-spire-server.nameOverride` | Overrides the name of Spire server pods | `internal-server` | +| `internal-spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` | +| `internal-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames` | Auto populate dns entries | `false` | +| `internal-spire-server.externalControllerManagers.enabled` | Flag to enable external controller managers | `true` | +| `internal-spire-server.upstreamAuthority.spire.enabled` | Enable upstream SPIRE server | `true` | +| `internal-spire-server.upstreamAuthority.spire.upstreamDriver` | Use an upstream driver for authentication | `upstream.csi.spiffe.io` | +| `internal-spire-server.upstreamAuthority.spire.server.nameOverride` | The name override setting of the root SPIRE server | `root-server` | +| `internal-spire-server.bundleConfigMap` | The name of the configmap to store the downstream bundle | `spire-bundle-downstream` | +| `external-spire-server.nameOverride` | Overrides the name of Spire server pods | `external-server` | +| `external-spire-server.crNameOverride` | Custom Resource name override | `external` | +| `external-spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` | +| 
`external-spire-server.controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another instance on the k8s cluster with webhooks enabled. | `false` |
+| `external-spire-server.controllerManager.className` | specify to use an explicit class name. | `spire-mgmt-external-server` |
+| `external-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable the default identity | `false` |
+| `external-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the oidc-discovery-provider identity | `false` |
+| `external-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable the test-keys identity | `false` |
+| `external-spire-server.externalControllerManagers.enabled` | Flag to enable external controller managers | `true` |
+| `external-spire-server.upstreamAuthority.spire.enabled` | Enable upstream SPIRE server | `true` |
+| `external-spire-server.upstreamAuthority.spire.upstreamDriver` | Use an upstream driver for authentication | `upstream.csi.spiffe.io` |
+| `external-spire-server.upstreamAuthority.spire.server.nameOverride` | The name override setting of the root SPIRE server | `root-server` |
+| `external-spire-server.notifier.k8sbundle.enabled` | Enable local k8s bundle uploader | `false` |
+| `external-spire-server.nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `false` |
+| `external-spire-server.nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `true` |
diff --git a/charts/spire-nested/templates/namespaces.yaml b/charts/spire-nested/templates/namespaces.yaml
new file mode 100644
index 000000000..01af6cdeb
--- /dev/null
+++ b/charts/spire-nested/templates/namespaces.yaml
@@ -0,0 +1,3 @@
+{{- include "spire-lib.namespace.system" . }}
+---
+{{- include "spire-lib.namespace.server" . }}
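Review bot: namespaces.yaml resolves `spire-lib.namespace.system` and `spire-lib.namespace.server` from the spire-lib library chart, but the spire-nested Chart.yaml that would declare that dependency is not in this view, so it is worth confirming it is listed there the way charts/spire's Chart.yaml lists `- name: spire-lib` in this same commit. When both `global.spire.namespaces.*.create` flags are false the file presumably renders to a lone `---`, which Helm tolerates, but a one-line template comment such as `{{- /* Namespaces are only emitted when global.spire.namespaces.<x>.create is set */ -}}` would make that intent visible to the next reader.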
diff --git a/charts/spire-nested/values.yaml b/charts/spire-nested/values.yaml
new file mode 100644
index 000000000..00bc8059b
--- /dev/null
+++ b/charts/spire-nested/values.yaml
@@ -0,0 +1,388 @@
+# Default configuration for Spire chart
+# SPDX-License-Identifier: APACHE-2.0
+
+## @section Global parameters
+## Note: the parameter values specified here will override the chart level values for these parameters.
+##
+global:
+ k8s:
+ ## @param global.k8s.clusterDomain Cluster domain name configured for Spire install
+ clusterDomain: cluster.local
+
+ spire:
+ ## @param global.spire.clusterName The name of the k8s cluster for Spire install
+ clusterName: example-cluster
+ ## @param global.spire.jwtIssuer The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset
+ jwtIssuer: ""
+ ## @param global.spire.trustDomain The trust domain for Spire install
+ trustDomain: example.org
+
+ ## @param global.spire.caSubject.country Country for Spire server CA
+ ## @param global.spire.caSubject.organization Organization for Spire server CA
+ ## @param global.spire.caSubject.commonName Common Name for Spire server CA
+ caSubject:
+ country: ""
+ organization: ""
+ commonName: ""
+
+ ## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off.
+ ## @param global.spire.recommendations.namespaceLayout Set to true to use recommended values for installing across namespaces
+ ## @param global.spire.recommendations.namespacePSS When chart namespace creation is enabled, label them with preffered Pod Security Standard labels
+ ## @param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names
+ ## @param global.spire.recommendations.strictMode Check values, such as trustDomain, are overridden with a suitable value for production.
+ ## @param global.spire.recommendations.securityContexts Set to true to use recommended values for Pod and Container Security Contexts
+ ## @param global.spire.recommendations.prometheus Enable prometheus exporters for monitoring
+ recommendations:
+ enabled: false
+ namespaceLayout: true
+ namespacePSS: true
+ priorityClassName: true
+ strictMode: true
+ securityContexts: true
+ prometheus: true
+
+ image:
+ ## @param global.spire.image.registry Override all Spire image registries at once
+ registry: ""
+
+ namespaces:
+ ## @param global.spire.namespaces.create Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created.
+ create: false
+ system:
+ ## @param global.spire.namespaces.system.name Name of the Spire system Namespace.
+ name: "spire-system"
+ ## @param global.spire.namespaces.system.create Create a Namespace for Spire system resources.
+ create: false
+ ## @param global.spire.namespaces.system.annotations [object] Annotations to apply to the Spire system Namespace.
+ annotations: {}
+ ## @param global.spire.namespaces.system.labels [object] Labels to apply to the Spire system Namespace.
+ labels: {}
+ server:
+ ## @param global.spire.namespaces.server.name Name of the Spire server Namespace.
+ name: "spire-server"
+ ## @param global.spire.namespaces.server.create Create a Namespace for Spire server resources.
+ create: false
+ ## @param global.spire.namespaces.server.annotations [object] Annotations to apply to the Spire server Namespace.
+ annotations: {}
+ ## @param global.spire.namespaces.server.labels [object] Labels to apply to the Spire server Namespace.
+ labels: {}
+
+ ## @param global.spire.strictMode Check values, such as trustDomain, are overridden with a suitable value for production.
+ strictMode: false
+
+ ## @param global.spire.ingressControllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+ ingressControllerType: ""
+
+ tools:
+ kubectl:
+ ## @param global.spire.tools.kubectl.tag Set to force the tag to use for all kubectl instances
+ tag: ""
+
+ installAndUpgradeHooks:
+ ## @param global.installAndUpgradeHooks.enabled Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`)
+ enabled: true
+ deleteHooks:
+ ## @param global.deleteHooks.enabled Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)
+ enabled: true
+
+# telemetry:
+# prometheus:
+# enabled: true
+# podMonitor:
+# enabled: true
+# # -- Allows to install the PodMonitor in another namespace then the spire components are installed into.
+# namespace: "kube-prometheus-system"
+# labels: {}
+
+tags:
+ ## @param tags.nestedRoot Set the chart architecture to root nested
+ nestedRoot: false
+ ## @param tags.nestedChildFull Set the chart mode to a child cluster with its own nested server
+ nestedChildFull: false
+ ## @param tags.nestedChildSecurity Set the chart mode to a child cluster for use with a security cluster
+ nestedChildSecurity: false
+
+## subcharts
+
+## @section Spire agent parameters
+## Parameter values for Spire agent
+##
+# Used with tags [nestedRoot, nestedChildFull]
+downstream-spire-agent-full:
+ # enabled: true
+ ## @param downstream-spire-agent-full.nameOverride Overrides the name of Spire agent pods
+ nameOverride: agent-downstream
+ server:
+ ## @param downstream-spire-agent-full.server.nameOverride The name override setting of the internal SPIRE server
+ nameOverride: internal-server
+ ## @param downstream-spire-agent-full.bundleConfigMap The name of the configmap that contains the downstream bundle
+ bundleConfigMap: spire-bundle-downstream
+
+## @section Spire agent parameters
+## Parameter values for Spire agent
+##
+# Used with tags [nestedChildSecurity]
+downstream-spire-agent-security:
+ # enabled: true
+ ## @param downstream-spire-agent-security.nameOverride Overrides the name of Spire agent pods
+ nameOverride: agent-downstream
+ ## @param downstream-spire-agent-security.bundleConfigMap The name of the configmap that contains the downstream bundle
+ bundleConfigMap: spire-bundle-upstream
+ serviceAccount:
+ ## @param downstream-spire-agent-security.serviceAccount.name The name of the service account to use
+ name: spire-agent-upstream
+
+## @section Upstream Spire agent parameters
+## Parameter values for upstream Spire agent
+##
+# Used with tags [nestedRoot, nestedChildFull]
+upstream-spire-agent:
+ # enabled: true
+ ## @param upstream-spire-agent.upstream Flag for enabling upstream Spire agent
+ upstream: true
+ ## @param upstream-spire-agent.nameOverride Name override for upstream Spire agent
+ nameOverride: agent-upstream
+ ## @param upstream-spire-agent.bundleConfigMap The configmap name for upstream Spire agent bundle
+ bundleConfigMap: spire-bundle-upstream
+ ## @param upstream-spire-agent.socketPath Socket path where Spire agent socket is mounted
+ socketPath: /run/spire/agent-sockets-upstream/spire-agent.sock
+ serviceAccount:
+ ## @param upstream-spire-agent.serviceAccount.name Service account name for upstream Spire agent
+ name: spire-agent-upstream
+ healthChecks:
+ ## @param upstream-spire-agent.healthChecks.port Health check port number for upstream Spire agent
+ port: 9981
+ telemetry:
+ prometheus:
+ ## @param upstream-spire-agent.telemetry.prometheus.port The port where prometheus metrics are available
+ port: 9989
+ server:
+ ## @param upstream-spire-agent.server.nameOverride The name override setting of the root SPIRE server
+ nameOverride: root-server
+
+## @section SPIFFE CSI Driver parameters
+## Parameter values for spiffe-csi-driver
+##
+# Used with tags [nestedRoot, nestedChildFull, nestedChildSecurity]
+downstream-spiffe-csi-driver:
+ # enabled: true
+ ## @param downstream-spiffe-csi-driver.fullnameOverride Fullname override
+ fullnameOverride: spiffe-csi-driver-downstream
+
+## @section Upstream SPIFFE CSI Driver parameters
+## Parameter values for upstream spiffe-csi-driver
+##
+# Used with tags [nestedRoot, nestedChildFull]
+upstream-spiffe-csi-driver:
+ # enabled: true
+ ## @param upstream-spiffe-csi-driver.fullnameOverride Fullname override
+ fullnameOverride: spiffe-csi-driver-upstream
+ ## @param upstream-spiffe-csi-driver.pluginName The plugin name for configuring upstream Spiffe CSI driver
+ pluginName: upstream.csi.spiffe.io
+ ## @param upstream-spiffe-csi-driver.agentSocketPath The socket path where Spiffe CSI driver mounts agent socket
+ agentSocketPath: /run/spire/agent-sockets-upstream/spire-agent.sock
+ healthChecks:
+ ## @param upstream-spiffe-csi-driver.healthChecks.port The port where Spiffe CSI driver health checks are exposed
+ port: 9810
+
+## @section SPIFFE oidc discovery provider parameters
+## Parameter values for spiffe-oidc-discovery-provider
+##
+# Used with tags [nestedRoot, nestedChildFull, nestedChildSecurity]
+spiffe-oidc-discovery-provider:
+ # enabled: true
+ ## @param spiffe-oidc-discovery-provider.fullnameOverride Fullname override
+ fullnameOverride: spiffe-oidc-discovery-provider
+
+## @section Tornjak frontend parameters
+## Parameter values for Tornjak frontend
+##
+tornjak-frontend:
+ ## @param tornjak-frontend.enabled Enables deployment of Tornjak frontend/UI (Not for production)
+ enabled: false
+
+# Used with tags [nestedRoot]
+root-spire-server:
+ # enabled: true
+ ## @param root-spire-server.nameOverride Name override
+ nameOverride: root-server
+ ## @param root-spire-server.crNameOverride Custom Resource name override
+ crNameOverride: root
+ controllerManager:
+ ## @param root-spire-server.controllerManager.enabled Enable controller manager and provision CRD's
+ enabled: true
+ externalControllerManagers:
+ ## @param root-spire-server.controllerManager.externalControllerManagers.enabled Flag to enable external controller managers
+ enabled: true
+ validatingWebhookConfiguration:
+ ## @param root-spire-server.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
+ enabled: false
+ ## @param root-spire-server.controllerManager.className specify to use an explicit class name.
+ className: spire-mgmt-root-server
+ identities:
+ clusterSPIFFEIDs:
+ child-servers:
+ ## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable child servers
+ enabled: true
+ default:
+ ## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable the default cluster spiffe id
+ enabled: false
+ oidc-discovery-provider:
+ ## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable the test-keys identity
+ enabled: false
+ test-keys:
+ ## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
+ enabled: false
+ externalControllerManagers:
+ ## @param root-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
+ enabled: true
+ nodeAttestor:
+ k8sPsat:
+ ## @param root-spire-server.nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor
+ serviceAccountAllowList:
+ - spire-agent-upstream
+ ## @param root-spire-server.bundleConfigMap The name of the configmap to store the upstream bundle
+ bundleConfigMap: spire-bundle-upstream
+
+# Used with tags [nestedChildFull]
+external-root-spire-server-full:
+ ## @param external-root-spire-server-full.externalServer Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers.
+ externalServer: true
+ ## @param external-root-spire-server-full.nameOverride Name override
+ nameOverride: root-server
+ ## @param external-root-spire-server-full.crNameOverride Custom Resource name override
+ crNameOverride: root
+ controllerManager:
+ ## @param external-root-spire-server-full.controllerManager.enabled Enable controller manager and provision CRD's
+ enabled: true
+ validatingWebhookConfiguration:
+ ## @param external-root-spire-server-full.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
+ enabled: false
+ ## @param external-root-spire-server-full.controllerManager.className specify to use an explicit class name.
+ className: spire-mgmt-external-server
+ identities:
+ clusterSPIFFEIDs:
+ child-servers:
+ ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable child servers
+ enabled: true
+ default:
+ ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable the default cluster spiffe id
+ enabled: false
+ oidc-discovery-provider:
+ ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable the test-keys identity
+ enabled: false
+ test-keys:
+ ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
+ enabled: false
+ nodeAttestor:
+ k8sPsat:
+ ## @param external-root-spire-server-full.nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor
+ serviceAccountAllowList:
+ - spire-agent-upstream
+ ## @param external-root-spire-server-full.bundleConfigMap The name of the configmap to store the upstream bundle
+ bundleConfigMap: spire-bundle-upstream
+
+# Used with tags [nestedChildSecurity]
+external-root-spire-server-security:
+ ## @param external-root-spire-server-security.externalServer Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers.
+ externalServer: true
+ ## @param external-root-spire-server-security.nameOverride Name override
+ nameOverride: root-server
+ ## @param external-root-spire-server-security.crNameOverride Custom Resource name override
+ crNameOverride: root
+ controllerManager:
+ ## @param external-root-spire-server-security.controllerManager.enabled Enable controller manager and provision CRD's
+ enabled: true
+ validatingWebhookConfiguration:
+ ## @param external-root-spire-server-security.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
+ enabled: false
+ ## @param external-root-spire-server-security.controllerManager.className specify to use an explicit class name.
+ className: spire-mgmt-external-server
+ nodeAttestor:
+ k8sPsat:
+ ## @param external-root-spire-server-security.nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor
+ serviceAccountAllowList:
+ - spire-agent-upstream
+ ## @param external-root-spire-server-security.bundleConfigMap The name of the configmap to store the upstream bundle
+ bundleConfigMap: spire-bundle-upstream
+
+## @section Spire server parameters
+## Parameter values for Spire server
+##
+# Used with tags [nestedRoot, nestedChildFull]
+internal-spire-server:
+ # enabled: true
+ ## @param internal-spire-server.nameOverride Overrides the name of Spire server pods
+ nameOverride: internal-server
+ controllerManager:
+ ## @param internal-spire-server.controllerManager.enabled Enable controller manager and provision CRD's
+ enabled: true
+ identities:
+ clusterSPIFFEIDs:
+ oidc-discovery-provider:
+ ## @param internal-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames Auto populate dns entries
+ autoPopulateDNSNames: false
+ externalControllerManagers:
+ ## @param internal-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
+ enabled: true
+ upstreamAuthority:
+ spire:
+ ## @param internal-spire-server.upstreamAuthority.spire.enabled Enable upstream SPIRE server
+ enabled: true
+ ## @param internal-spire-server.upstreamAuthority.spire.upstreamDriver Use an upstream driver for authentication
+ upstreamDriver: upstream.csi.spiffe.io
+ server:
+ ## @param internal-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server
+ nameOverride: root-server
+ ## @param internal-spire-server.bundleConfigMap The name of the configmap to store the downstream bundle
+ bundleConfigMap: spire-bundle-downstream
+
+# Used with tags [nestedRoot]
+external-spire-server:
+ # enabled: true
+ ## @param external-spire-server.nameOverride Overrides the name of Spire server pods
+ nameOverride: external-server
+ ## @param external-spire-server.crNameOverride Custom Resource name override
+ crNameOverride: external
+ controllerManager:
+ ## @param external-spire-server.controllerManager.enabled Enable controller manager and provision CRD's
+ enabled: true
+ validatingWebhookConfiguration:
+ ## @param external-spire-server.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
+ enabled: false
+ ## @param external-spire-server.controllerManager.className specify to use an explicit class name.
+ className: spire-mgmt-external-server
+ identities:
+ clusterSPIFFEIDs:
+ default:
+ ## @param external-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable the default identity
+ enabled: false
+ oidc-discovery-provider:
+ ## @param external-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable the oidc-discovery-provider identity
+ enabled: false
+ test-keys:
+ ## @param external-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
+ enabled: false
+ externalControllerManagers:
+ ## @param external-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
+ enabled: true
+ upstreamAuthority:
+ spire:
+ ## @param external-spire-server.upstreamAuthority.spire.enabled Enable upstream SPIRE server
+ enabled: true
+ ## @param external-spire-server.upstreamAuthority.spire.upstreamDriver Use an upstream driver for authentication
+ upstreamDriver: upstream.csi.spiffe.io
+ server:
+ ## @param external-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server
+ nameOverride: root-server
+ notifier:
+ k8sbundle:
+ ## @param external-spire-server.notifier.k8sbundle.enabled Enable local k8s bundle uploader
+ enabled: false
+ nodeAttestor:
+ k8sPsat:
+ ## @param external-spire-server.nodeAttestor.k8sPsat.enabled Enable Psat k8s nodeattestor
+ enabled: false
+ joinToken:
+ ## @param external-spire-server.nodeAttestor.joinToken.enabled Enable the join_token nodeattestor
+ enabled: true
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
index 3be046f13..54c80a890 100644
--- a/charts/spire/Chart.yaml
+++ b/charts/spire/Chart.yaml
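Review bot: The `@param` text for `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled`, and for the same key under `external-root-spire-server-full`, reads `Enable the test-keys identity`, a copy of the neighbouring test-keys line; the `external-spire-server` entry carries the intended wording, `Enable the oidc-discovery-provider identity`, and the generated README table in this commit repeats the wrong text for both. The two `## @section Spire agent parameters` headings (over downstream-spire-agent-full and downstream-spire-agent-security) yield two identically titled README sections, so distinct titles such as `## @section Downstream Spire agent (full) parameters` and `## @section Downstream Spire agent (security) parameters` would help, and `preffered` in the namespacePSS description should be `preferred`. The `[array]` tag on each `nodeAttestor.k8sPsat.serviceAccountAllowList` makes the README show `[]` while the shipped default is `spire-agent-upstream`; because this list is what the PSAT node attestor accepts, naming the default in the description, e.g. `Allowed service accounts for Psat nodeattestor (default: spire-agent-upstream)`, keeps the documented and effective attestation boundary aligned.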
@@ -3,8 +3,8 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.20.0 -appVersion: "1.9.4" +version: 0.21.0 +appVersion: "1.9.6" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: @@ -22,6 +22,9 @@ maintainers: email: edwbuck@gmail.com kubeVersion: ">=1.21.0-0" dependencies: + - name: spire-lib + repository: file://./charts/spire-lib + version: 0.1.0 - name: spire-server condition: spire-server.enabled repository: file://./charts/spire-server diff --git a/charts/spire/README.md b/charts/spire/README.md index d3267de4a..d16af86b0 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -1,6 +1,6 @@ # spire -![Version: 0.20.0](https://img.shields.io/badge/Version-0.20.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.4](https://img.shields.io/badge/AppVersion-1.9.4-informational?style=flat-square) +![Version: 0.21.0](https://img.shields.io/badge/Version-0.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.6](https://img.shields.io/badge/AppVersion-1.9.6-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. 
@@ -73,7 +73,14 @@ kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeid ## Upgrade notes -We only support upgrading one major version at a time. Version skipping isn't supported. +We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see https://spiffe.io/docs/latest/spire-helm-charts-hardened-about/upgrading/ for details. + +### 0.21.X + +- In previous versions, spire-server.upstreamAuthority.certManager.issuer_name would incorrectly have '-ca' appended. Starting with this version, that is no longer the case. If you previously set this +value, you likely want to update your value to include the '-ca' suffix in the value to have your deployment continue to function properly. + +- The default value of spire-server.controllerManager.entryIDPrefixCleanup changed from "" to false. Prior to this release upgrades cleaned up old entries in the database. After upgrading to 0.21.X, manual entries will not be overridden by the spire-controller-manager. Skipping over chart releases (unsupported), requires manual setting of this value to "" to trigger the cleanup. ### 0.20.X 
@@ -255,12 +262,13 @@ Now you can interact with the Spire agent socket from your own application. The ### Spire server parameters -| Name | Description | Value | -| ---------------------------------------- | ------------------------------------------------------------------------- | ------------- | -| `spire-server.enabled` | Flag to enable Spire server | `true` | -| `spire-server.nameOverride` | Overrides the name of Spire server pods | `server` | -| `spire-server.kind` | Run spire server as deployment/statefulset. This feature is experimental. | `statefulset` | -| `spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` | +| Name | Description | Value | +| ------------------------------------------------- | ------------------------------------------------------------------------- | ------------- | +| `spire-server.enabled` | Flag to enable Spire server | `true` | +| `spire-server.nameOverride` | Overrides the name of Spire server pods | `server` | +| `spire-server.kind` | Run spire server as deployment/statefulset. This feature is experimental. | `statefulset` | +| `spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` | +| `spire-server.externalControllerManagers.enabled` | Enable external controller manager support | `true` | ### Spire agent parameters diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index 4c99b7707..0416195e1 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml @@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider description: A Helm chart to install the SPIFFE OIDC discovery provider. type: application version: 0.1.0 -appVersion: "1.9.4" +appVersion: "1.9.6" keywords: ["spiffe", "oidc"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: 
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 372409d1c..ed121b9c6 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -69,7 +69,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` | | `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` | | `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. | `IfNotPresent` | -| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.25.4-alpine` | +| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.26.0-alpine` | | `insecureScheme.nginx.resources` | Resource requests and limits | `{}` | | `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` | | `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | 
@@ -115,15 +115,15 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5921884408efe50b77796675dc109ad2126f54476fe7403c37d8898a5ceb2e76` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f0369215d5a2c15e469a2a8d993e4db7e83fcda5142c8682f37c197d76f82faa` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d94454739d8be0239cfe93453df79c88d25d38b7a97084d81a49e9403a90d07c` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.26.0` | +| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.26.1` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull 
policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 1e46d498b..b43b3df35 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -164,7 +164,7 @@ insecureScheme: registry: docker.io repository: nginxinc/nginx-unprivileged pullPolicy: IfNotPresent - tag: 1.25.4-alpine + tag: 1.26.0-alpine ## @param insecureScheme.nginx.resources Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -328,7 +328,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:5921884408efe50b77796675dc109ad2126f54476fe7403c37d8898a5ceb2e76 + tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:f0369215d5a2c15e469a2a8d993e4db7e83fcda5142c8682f37c197d76f82faa + tag: latest@sha256:d94454739d8be0239cfe93453df79c88d25d38b7a97084d81a49e9403a90d07c step: ## @param tests.step.image.registry The OCI registry to pull the image from @@ -352,7 +352,7 @@ tests: registry: "docker.io" repository: smallstep/step-cli pullPolicy: IfNotPresent - tag: 0.26.0 + tag: 0.26.1 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index 888df65ec..d087332d8 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml 
@@ -3,7 +3,7 @@ name: spire-agent description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 -appVersion: "1.9.4" +appVersion: "1.9.6" keywords: ["spiffe", "spire-agent"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 85d87a264..b609866e1 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -25,108 +25,110 @@ A Helm chart to install the SPIRE agent. ### Chart parameters -| Name | Description | Value | -| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/spire-agent` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `imagePullSecrets` | Pull secrets for images | `[]` | -| `nameOverride` | Name override | `""` | -| `namespaceOverride` | Namespace override | `""` | -| `fullnameOverride` | Fullname override | `""` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. | `""` | -| `configMap.annotations` | Annotations to add to the SPIRE Agent ConfigMap | `{}` | -| `podAnnotations` | Annotations to add to pods | `{}` | -| `podLabels` | Labels to add to pods | `{}` | -| `podSecurityContext` | Pod security context | `{}` | -| `securityContext` | Security context | `{}` | -| `resources` | Resource requests and limits | `{}` | -| `nodeSelector` | Node selector | `{}` | -| `tolerations` | List of tolerations | `[]` | -| `affinity` | Node affinity | `{}` | -| `authorizedDelegates` | A list of the authorized delegates SPIFFE IDs. See Delegated Identity API for more information. 
| `[]` | -| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | -| `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` | -| `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` | -| `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` | -| `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` | -| `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` | -| `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` | -| `disableReattestToRenew` | Deprecated: Allow agent to renew certificate when it expires rather than reattest | `false` | -| `server.address` | Address for Spire server | `""` | -| `server.port` | Port number for Spire server | `443` | -| `server.namespaceOverride` | Override the namespace for Spire server | `""` | -| `server.nameOverride` | Override the name for Spire server. Should only be changed when building your own nested chart to ensure names align. | `""` | -| `healthChecks.port` | override the host port used for health checking | `9982` | -| `updateStrategy.type` | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete. | `RollingUpdate` | -| `updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable pods during update. Can be a number or a percentage. 
| `1` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` | -| `livenessProbe.periodSeconds` | Period seconds for probe | `60` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for probe | `10` | -| `readinessProbe.periodSeconds` | Period seconds for probe | `30` | -| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | -| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | -| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5921884408efe50b77796675dc109ad2126f54476fe7403c37d8898a5ceb2e76` | -| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | -| `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` | -| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` | -| `nodeAttestor.tpmDirect.enabled` | Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental. 
| `false` | -| `nodeAttestor.tpmDirect.plugin.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `nodeAttestor.tpmDirect.plugin.image.repository` | The repository within the registry | `boxboat/spire-tpm-plugin-tpm-attestor-agent` | -| `nodeAttestor.tpmDirect.plugin.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `nodeAttestor.tpmDirect.plugin.image.tag` | Overrides the image tag | `v1.8.7` | -| `nodeAttestor.tpmDirect.plugin.checksum` | The sha256 checksum of the plugin binary | `1d7c73ccac948ee86cbd78ddde2d30128a1838b403f7bb2100d38d916a252244` | -| `nodeAttestor.tpmDirect.plugin.path` | The filename in the container of the plugin | `/app/tpm_attestor_agent` | -| `nodeAttestor.tpmDirect.pubHash.enabled` | Enable Psat k8s nodeattestor | `true` | -| `nodeAttestor.tpmDirect.pubHash.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `nodeAttestor.tpmDirect.pubHash.image.repository` | The repository within the registry | `boxboat/spire-tpm-plugin-get-tpm-pubhash` | -| `nodeAttestor.tpmDirect.pubHash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `nodeAttestor.tpmDirect.pubHash.image.tag` | Overrides the image tag | `v1.8.7` | -| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | -| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | -| `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` | -| `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio | `false` | -| `sds.enabled` | Enables Envoy SDS configuration | `false` | -| `sds.defaultSvidName` | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS | `default` | -| `sds.defaultBundleName` | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS | `ROOTCA` | -| `sds.defaultAllBundlesName` | The 
Validation Context resource name to use for all bundles (including federated) with Envoy SDS | `ALL` | -| `sds.disableSpiffeCertValidation` | Disable Envoy SDS custom validation | `false` | -| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | -| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | -| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | -| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | -| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | -| `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. | `""` | -| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | -| `socketAlternate.names` | List of alternate names for the socket that workloads might expect to be able to access in the driver mount. | `["socket","spire-agent.sock","api.sock"]` | -| `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | -| `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | -| `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | -| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5921884408efe50b77796675dc109ad2126f54476fe7403c37d8898a5ceb2e76` | -| `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | -| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. 
| `""` | -| `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | -| `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` | -| `extraVolumeMounts` | Extra volume mounts for Spire Agent pods | `[]` | -| `extraContainers` | Additional containers to create with Spire Agent pods | `[]` | -| `initContainers` | Additional init containers to create with Spire Agent pods | `[]` | -| `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` | -| `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | -| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | -| `customPlugins.svidStore` | Custom plugins of type SVIDStore are configured here | `{}` | -| `customPlugins.workloadAttestor` | Custom plugins of type WorkloadAttestor are configured here | `{}` | -| `experimental.enabled` | Allow configuration of experimental features | `false` | -| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | -| `experimental.featureFlags` | List of developer feature flags | `[]` | -| `agents` | Configure multiple agent DaemonSets. Useful when you have different node types and nodeAttestors | `{}` | -| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | -| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `sockets.hostBasePath` | Path on which the agent socket is made available when admin.mountOnHost is true | `/run/spire/agent/sockets` | -| `sockets.admin.enabled` | Enable the admin socket. Useful for admin tasks or the Delegated Identity API. 
| `false` | -| `sockets.admin.mountOnHost` | Enable the admin socket to be visible on the host. | `false` | +| Name | Description | Value | +| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spire-agent` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. | `""` | +| `configMap.annotations` | Annotations to add to the SPIRE Agent ConfigMap | `{}` | +| `podAnnotations` | Annotations to add to pods | `{}` | +| `podLabels` | Labels to add to pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `nodeSelector` | Node selector | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `affinity` | Node affinity | `{}` | +| `authorizedDelegates` | A list of the authorized delegates SPIFFE IDs. See Delegated Identity API for more information. 
| `[]` | +| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` | +| `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` | +| `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` | +| `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` | +| `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` | +| `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` | +| `disableReattestToRenew` | Deprecated: Allow agent to renew certificate when it expires rather than reattest | `false` | +| `server.address` | Address for Spire server | `""` | +| `server.port` | Port number for Spire server | `443` | +| `server.namespaceOverride` | Override the namespace for Spire server | `""` | +| `server.nameOverride` | Override the name for Spire server. Should only be changed when building your own nested chart to ensure names align. | `""` | +| `healthChecks.port` | override the host port used for health checking | `9982` | +| `updateStrategy.type` | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete. | `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable pods during update. Can be a number or a percentage. 
| `1` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` | +| `livenessProbe.periodSeconds` | Period seconds for probe | `60` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for probe | `10` | +| `readinessProbe.periodSeconds` | Period seconds for probe | `30` | +| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | +| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` | +| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | +| `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` | +| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` | +| `nodeAttestor.tpmDirect.enabled` | Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental. 
| `false` | +| `nodeAttestor.tpmDirect.plugin.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `nodeAttestor.tpmDirect.plugin.image.repository` | The repository within the registry | `boxboat/spire-tpm-plugin-tpm-attestor-agent` | +| `nodeAttestor.tpmDirect.plugin.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `nodeAttestor.tpmDirect.plugin.image.tag` | Overrides the image tag | `v1.8.7` | +| `nodeAttestor.tpmDirect.plugin.checksum` | The sha256 checksum of the plugin binary | `1d7c73ccac948ee86cbd78ddde2d30128a1838b403f7bb2100d38d916a252244` | +| `nodeAttestor.tpmDirect.plugin.path` | The filename in the container of the plugin | `/app/tpm_attestor_agent` | +| `nodeAttestor.tpmDirect.pubHash.enabled` | Enable Psat k8s nodeattestor | `true` | +| `nodeAttestor.tpmDirect.pubHash.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `nodeAttestor.tpmDirect.pubHash.image.repository` | The repository within the registry | `boxboat/spire-tpm-plugin-get-tpm-pubhash` | +| `nodeAttestor.tpmDirect.pubHash.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `nodeAttestor.tpmDirect.pubHash.image.tag` | Overrides the image tag | `v1.8.7` | +| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | +| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | +| `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` | +| `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio | `false` | +| `workloadAttestors.k8s.useNewContainerLocator` | If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to false | `false` | +| `workloadAttestors.k8s.verboseContainerLocatorLogs` | If true, enables verbose logging of mountinfo and cgroup information used to locate containers. 
Defaults to false | `false` | +| `sds.enabled` | Enables Envoy SDS configuration | `false` | +| `sds.defaultSvidName` | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS | `default` | +| `sds.defaultBundleName` | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS | `ROOTCA` | +| `sds.defaultAllBundlesName` | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS | `ALL` | +| `sds.disableSpiffeCertValidation` | Disable Envoy SDS custom validation | `false` | +| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | +| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | +| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | +| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | +| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | +| `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. | `""` | +| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | +| `socketAlternate.names` | List of alternate names for the socket that workloads might expect to be able to access in the driver mount. 
| `["socket","spire-agent.sock","api.sock"]` | +| `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | +| `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | +| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` | +| `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | +| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | +| `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | +| `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` | +| `extraVolumeMounts` | Extra volume mounts for Spire Agent pods | `[]` | +| `extraContainers` | Additional containers to create with Spire Agent pods | `[]` | +| `initContainers` | Additional init containers to create with Spire Agent pods | `[]` | +| `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` | +| `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | +| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | +| `customPlugins.svidStore` | Custom plugins of type SVIDStore are configured here | `{}` | +| `customPlugins.workloadAttestor` | Custom plugins of type WorkloadAttestor are configured here | `{}` | +| `experimental.enabled` | Allow configuration of experimental features | `false` | +| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | +| `experimental.featureFlags` | List of developer feature flags | 
`[]` | +| `agents` | Configure multiple agent DaemonSets. Useful when you have different node types and nodeAttestors | `{}` | +| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | +| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `sockets.hostBasePath` | Path on which the agent socket is made available when admin.mountOnHost is true | `/run/spire/agent/sockets` | +| `sockets.admin.enabled` | Enable the admin socket. Useful for admin tasks or the Delegated Identity API. | `false` | +| `sockets.admin.mountOnHost` | Enable the admin socket to be visible on the host. | `false` | diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 215bee637..6da906918 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -114,6 +114,8 @@ plugins: # can authenticate the kubelet cert, so skip validation. skip_kubelet_verification: {{ .Values.workloadAttestors.k8s.skipKubeletVerification }} disable_container_selectors: {{ .Values.workloadAttestors.k8s.disableContainerSelectors }} + use_new_container_locator: {{ .Values.workloadAttestors.k8s.useNewContainerLocator }} + verbose_container_locator_logs: {{ .Values.workloadAttestors.k8s.verboseContainerLocatorLogs }} {{- end }} {{- if .Values.workloadAttestors.unix.enabled }} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index be1b1d975..d7f962e5d 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml 
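Review bot: The two added `use_new_container_locator` and `verbose_container_locator_logs` keys in the spire-agent configmap template are rendered unconditionally into the k8s workload attestor block, so every agent config carries them even when both values stay at their `false` defaults. If a deployment pins `image.tag` to an agent release that predates these options (the chart's default appVersion moves to 1.9.6 in this same commit), the older binary may not accept the unknown keys; emitting each line only when its value is true, by wrapping the pair in `{{- if .Values.workloadAttestors.k8s.useNewContainerLocator }}` … `{{- end }}` style guards, would keep the rendered config backward-compatible. Either way a short comment next to the two lines would help, stating that the locator switch is what enables cgroups v2 support, as the values.yaml `@param` text says, and that the verbose option logs mount and cgroup details and is meant for troubleshooting rather than steady-state use. The block closed by the `{{- end }}` in this hunk opens outside it.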
@@ -154,7 +154,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:5921884408efe50b77796675dc109ad2126f54476fe7403c37d8898a5ceb2e76 + tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -213,6 +213,10 @@ workloadAttestors: skipKubeletVerification: true ## @param workloadAttestors.k8s.disableContainerSelectors Set to true if using holdApplicationUntilProxyStarts in Istio disableContainerSelectors: false + ## @param workloadAttestors.k8s.useNewContainerLocator If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to false + useNewContainerLocator: false + ## @param workloadAttestors.k8s.verboseContainerLocatorLogs If true, enables verbose logging of mountinfo and cgroup information used to locate containers. Defaults to false + verboseContainerLocatorLogs: false sds: ## @param sds.enabled Enables Envoy SDS configuration @@ -262,7 +266,7 @@ socketAlternate: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:5921884408efe50b77796675dc109ad2126f54476fe7403c37d8898a5ceb2e76 + tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-lib/.helmignore b/charts/spire/charts/spire-lib/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/spire/charts/spire-lib/.helmignore 
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/spire/charts/spire-lib/Chart.yaml b/charts/spire/charts/spire-lib/Chart.yaml
new file mode 100644
index 000000000..4f7bda246
--- /dev/null
+++ b/charts/spire/charts/spire-lib/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: spire-lib
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: library
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: ""
diff --git a/charts/spire/charts/spire-lib/README.md b/charts/spire/charts/spire-lib/README.md
new file mode 100644
index 000000000..0fd47f0a1
--- /dev/null
+++ b/charts/spire/charts/spire-lib/README.md
@@ -0,0 +1,14 @@
+# SPIRE Common Library Chart
+
+A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between SPIRE charts.
+
+## TL;DR
+
+```yaml
+dependencies:
+ - name: spire-lib
+ version: 0.1.0
+ repository: https://spiffe.github.io/helm-charts-hardened/
+```
+
+## Parameters
diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/charts/spire-lib/templates/_helpers.tpl
similarity index 100%
rename from charts/spire/templates/_spire-lib.tpl
rename to charts/spire/charts/spire-lib/templates/_helpers.tpl
diff --git a/charts/spire/charts/spire-lib/templates/_namespaces.yaml b/charts/spire/charts/spire-lib/templates/_namespaces.yaml
new file mode 100644
index 000000000..4071e2808
--- /dev/null
+++ b/charts/spire/charts/spire-lib/templates/_namespaces.yaml
@@ -0,0 +1,5 @@
+{{- define "spire-lib.namespaces" }}
+{{- include "spire-lib.namespace.system" . }}
+---
+{{- include "spire-lib.namespace.server" . }}
+{{- end }}
diff --git a/charts/spire/templates/spire-server-namespace.yaml b/charts/spire/charts/spire-lib/templates/_spire-server-namespace.yaml
similarity index 83%
rename from charts/spire/templates/spire-server-namespace.yaml
rename to charts/spire/charts/spire-lib/templates/_spire-server-namespace.yaml
index a0ac41b91..37a959b3f 100644
--- a/charts/spire/templates/spire-server-namespace.yaml
+++ b/charts/spire/charts/spire-lib/templates/_spire-server-namespace.yaml
@@ -1,12 +1,13 @@
-{{- define "spire.namespace.default_server_labels" }}
+{{- define "spire-lib.namespace.default_server_labels" }}
 "pod-security.kubernetes.io/warn": restricted
 "pod-security.kubernetes.io/audit": restricted
 "pod-security.kubernetes.io/enforce": restricted
 {{- end }}
+{{- define "spire-lib.namespace.server" }}
 {{- if or .Values.global.spire.namespaces.create .Values.global.spire.namespaces.server.create }}
 {{- $labels := dict }}
 {{- if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespacePSS" true .Values.global) }}
-{{- $labels = mergeOverwrite $labels (include "spire.namespace.default_server_labels" . | fromYaml) }}
+{{- $labels = mergeOverwrite $labels (include "spire-lib.namespace.default_server_labels" . | fromYaml) }}
 {{- if (dig "openshift" false .Values.global) }}
 {{- $_ := set $labels "security.openshift.io/scc.podSecurityLabelSync" "false" }}
 {{- if (index .Values "spiffe-oidc-discovery-provider").enabled }}
@@ -28,3 +29,4 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/spire/templates/spire-system-namespace.yaml b/charts/spire/charts/spire-lib/templates/_spire-system-namespace.yaml
similarity index 81%
rename from charts/spire/templates/spire-system-namespace.yaml
rename to charts/spire/charts/spire-lib/templates/_spire-system-namespace.yaml
index 3ddf3c150..2e0c5c2e4 100644
--- a/charts/spire/templates/spire-system-namespace.yaml
+++ b/charts/spire/charts/spire-lib/templates/_spire-system-namespace.yaml
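Review bot: The new `spire-lib.namespace.server` wrapper still dereferences `.Values.global.spire.namespaces.create` and `.Values.global.spire.namespaces.server.create` directly, while the `recommendations` lookups two lines later go through `dig` with a default. Now that this is a library define included from other charts, a consumer whose values omit `global.spire.namespaces` would hit a nil-pointer render error instead of simply skipping namespace creation. Consider `{{- if or (dig "spire" "namespaces" "create" false .Values.global) (dig "spire" "namespaces" "server" "create" false .Values.global) }}`; the same applies to `spire-lib.namespace.system` in the next file. The define's body runs past this hunk and is closed by the `{{- end }}` added in the second hunk.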
@@ -1,12 +1,13 @@
-{{- define "spire.namespace.default_system_labels" }}
+{{- define "spire-lib.namespace.default_system_labels" }}
 "pod-security.kubernetes.io/warn": privileged
 "pod-security.kubernetes.io/audit": privileged
 "pod-security.kubernetes.io/enforce": privileged
 {{- end }}
+{{- define "spire-lib.namespace.system" }}
 {{- if or .Values.global.spire.namespaces.create .Values.global.spire.namespaces.system.create }}
 {{- $labels := dict }}
 {{- if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespacePSS" true .Values.global) }}
-{{- $labels = mergeOverwrite $labels (include "spire.namespace.default_system_labels" . | fromYaml) }}
+{{- $labels = mergeOverwrite $labels (include "spire-lib.namespace.default_system_labels" . | fromYaml) }}
 {{- if (dig "openshift" false .Values.global) }}
 {{- $_ := set $labels "security.openshift.io/scc.podSecurityLabelSync" "false" }}
 {{- end }}
@@ -25,3 +26,4 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-lib/values.yaml b/charts/spire/charts/spire-lib/values.yaml
new file mode 100644
index 000000000..ff0e175eb
--- /dev/null
+++ b/charts/spire/charts/spire-lib/values.yaml
@@ -0,0 +1,8 @@
+# Default values for spire-lib.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+## It is required by CI/CD tools and processes.
+## @skip exampleValue
+##
+exampleValue: spire-lib
diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml
index ec4dfc971..62c510fbe 100644
--- a/charts/spire/charts/spire-server/Chart.yaml
+++ b/charts/spire/charts/spire-server/Chart.yaml
@@ -3,7 +3,7 @@ name: spire-server
 description: A Helm chart to install the SPIRE server.
 type: application
 version: 0.1.0
-appVersion: "1.9.4"
+appVersion: "1.9.6"
 keywords: ["spiffe", "spire-server", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index 5e503cc20..4536103c1 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -87,6 +87,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `image.pullPolicy` | The image pull policy | `IfNotPresent` |
 | `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
 | `kind` | Define SPIRE server deployment type. Can be statefulset/deployment. Defaults to statefulset if not set. This feature is experimental. | `statefulset` |
+| `externalServer` | Deploy only the bundle ConfigMap, RBAC rules, and identity documents but not the server. Use in a nested setup where the server is external. | `false` |
 | `imagePullSecrets` | Pull secrets for images | `[]` |
 | `nameOverride` | Name override | `""` |
 | `crNameOverride` | Name override for any custom resources | `""` |
@@ -146,6 +147,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `federation.enabled` | Flag to enable federation | `false` |
 | `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` |
 | `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` |
+| `federation.bundleEndpoint.refresh_hint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` |
 | `federation.tls.spire.enabled` | Use spire to secure the federation bundle endpoint | `true` |
 | `federation.tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` |
 | `federation.tls.externalSecret.secretName` | Specify which Secret to use | `""` |
@@ -238,7 +240,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `controllerManager.enabled` | Flag to enable controller manager | `false` |
 | `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. | `""` |
 | `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` |
-| `controllerManager.entryIDPrefixCleanup` | Sets which entry prefixes to remove for migrations. Consult the spiffe.io docs about this option before changing. Its unlikely you will need to ever change it. | `""` |
+| `controllerManager.entryIDPrefixCleanup` | Sets which entry prefixes to remove for migrations. Consult the spiffe.io docs about this option before changing. Its unlikely you will need to ever change it. | `false` |
 | `controllerManager.parentIDTemplate` | The template that is used to register workloads. | `spiffe://{{ .TrustDomain }}/spire/agent/k8s_psat/{{ .ClusterName }}/{{ .NodeMeta.UID }}` |
 | `controllerManager.expandEnv` | Set to true to enable environment variable substitution of config file options | `false` |
 | `controllerManager.extraEnv` | Extra environment variables to add to the controller manager | `[]` |
@@ -270,6 +272,9 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `controllerManager.identities.clusterSPIFFEIDs.default.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` |
 | `controllerManager.identities.clusterSPIFFEIDs.default.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` |
 | `controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` |
+| `controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled` | Enable this identity for controller manager | `false` |
+| `controllerManager.identities.clusterSPIFFEIDs.child-servers.type` | The type of rule this is. | `child-servers` |
+| `controllerManager.identities.clusterSPIFFEIDs.child-servers.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `true` |
 | `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable this identity for controller manager | `true` |
 | `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.type` | The type of rule this is. | `oidc-discovery-provider` |
 | `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames` | Auto populate DNS names to the discovery provider | `true` |
@@ -281,6 +286,22 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another chart instance on the k8s cluster with webhooks enabled. | `true` |
 | `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` |
 | `controllerManager.cacheNamespaces` | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. | `{}` |
+| `externalControllerManagers.enabled` | Flag to enable external controller managers | `false` |
+| `externalControllerManagers.defaults.reconcile.clusterSPIFFEIDs` | Enable reconciliation of clusterSPIFFEIDs from K8s to the SPIRE server | `true` |
+| `externalControllerManagers.defaults.reconcile.clusterStaticEntries` | Enable reconciliation of clusterStaticEntries from K8s to the SPIRE server | `false` |
+| `externalControllerManagers.defaults.reconcile.clusterFederatedTrustDomains` | Enable reconciliation of clusterFederatedTrustDomains from K8s to the SPIRE server | `false` |
+| `externalControllerManagers.defaults.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. | `""` |
+| `externalControllerManagers.defaults.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` |
+| `externalControllerManagers.defaults.entryIDPrefixCleanup` | consult the spiffe.io docs about this option before changing. Its unlikely you will need to ever change it. | `false` |
+| `externalControllerManagers.defaults.parentIDTemplate` | The template that is used to register workloads. | `spiffe://{{ .TrustDomain }}/spire/agent/k8s_psat/{{ .ClusterName }}/{{ .NodeMeta.UID }}` |
+| `externalControllerManagers.defaults.expandEnv` | Set to true to enable environment variable substitution of config file options | `false` |
+| `externalControllerManagers.defaults.extraEnv` | Extra environment variables to add to the controller manager | `[]` |
+| `externalControllerManagers.defaults.resources` | Resource requests and limits for controller manager | `{}` |
+| `externalControllerManagers.defaults.securityContext` | Security context | `{}` |
+| `externalControllerManagers.defaults.configMap.annotations` | Annotations to add to the Controller Manager ConfigMap | `{}` |
+| `externalControllerManagers.defaults.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` |
+| `externalControllerManagers.defaults.cacheNamespaces` | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. | `{}` |
+| `externalControllerManagers.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` |
 | `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
 | `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
 | `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
@@ -337,7 +358,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `tornjak.image.repository` | The repository within the registry | `spiffe/tornjak-backend` |
 | `tornjak.image.pullPolicy` | The image pull policy | `IfNotPresent` |
 | `tornjak.image.tag` | Overrides the image tag to be whatever you need it to be. It will always be the flag you set without modifications | `""` |
-| `tornjak.image.defaultTag` | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. | `v1.4.2` |
+| `tornjak.image.defaultTag` | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. | `v1.6.0` |
 | `tornjak.service.type` | Type of service resource | `ClusterIP` |
 | `tornjak.service.ports.http` | Insecure port for tornjak service | `10000` |
 | `tornjak.service.ports.https` | Secure port for tornjak service | `10443` |
@@ -358,6 +379,9 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `tornjak.config.dataStore` | Persistent DB for storing Tornjak specific information | |
 | `tornjak.config.dataStore.driver` | Database driver name | `sqlite3` |
 | `tornjak.config.dataStore.file` | File path for sqlite3 file | `/run/spire/data/tornjak.sqlite3` |
+| `tornjak.config.userManagement` | UserManagement config | |
+| `tornjak.config.userManagement.issuer` | UserManagement issuer URL | `""` |
+| `tornjak.config.userManagement.audience` | UserManagement audience check | `""` |
 | `tornjak.config.tlsSecret` | Name of the secret containing server side key and certificate for TLS verification (required for `tls` or `mtls` connectionType) | `tornjak-tls-secret` |
 | `tornjak.config.clientCA.type` | Type of delivery for the user CA for TLS client verification. Options are `Secret` or `ConfigMap` (required for `mtls` connectionType) | `Secret` |
 | `tornjak.config.clientCA.name` | Name of the resource secret or configMap with user CA for TLS | `tornjak-client-ca` |
@@ -380,5 +404,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
 | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3b5e8046bc76624f645b97684845c3aef3c27d001db0f3f71d1ffbdf885edea7` |
+| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` |
 | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` |
diff --git a/charts/spire/charts/spire-server/templates/NOTES.txt b/charts/spire/charts/spire-server/templates/NOTES.txt
index 1b3053b61..7c445a203 100644
--- a/charts/spire/charts/spire-server/templates/NOTES.txt
+++ b/charts/spire/charts/spire-server/templates/NOTES.txt
@@ -1,25 +1,36 @@
 Installed {{ .Chart.Name }}…
-1. Get the currently registered SPIFFE entries from the server:
+Get the currently registered SPIFFE entries from the server:
- kubectl exec -n {{ .Release.Namespace }} {{ include "spire-server.fullname" . }}-0 -c spire-server -- \
+ kubectl exec -n {{ include "spire-server.namespace" . }} {{ include "spire-server.fullname" . }}-0 -c spire-server -- \
 spire-server entry show
 {{- if eq (.Values.tornjak.enabled | toString) "true" }}
 Installed {{ include "spire-tornjak.fullname" . }}…
-### WARNING ###
+{{- if eq .Values.tornjak.config.userManagement.issuer "" }}
-Tornjak runs without authentication and is therefore NOT suitable to run in production environments.
-Only use in test environments!
+ ### WARNING ###
-Access Tornjak:
- kubectl -n {{ include "spire-server.namespace" . }} port-forward service/{{ include "spire-tornjak.servicename" . }} {{ .Values.tornjak.service.ports.http }}:10000
+ Tornjak is configured to run without authentication and is therefore NOT suitable to run in production environments.
+ Only use in test environments!
+{{- end }}
+
+Access Tornjak API (Backend):
+
+{{- if .Values.tornjak.ingress.enabled }}
+
+ Connect to: {{ printf "https://tornjak-backend.%s" (include "spire-lib.trust-domain" .) }}
+
+{{- else }}
+ kubectl -n {{ include "spire-server.namespace" . }} port-forward service/{{ include "spire-tornjak.servicename" . }} {{ .Values.tornjak.service.ports.http }}:10000
 {{- if eq (include "spire-tornjak.connectionType" .) "http" }}
- Open browser to: http://localhost:{{ .Values.tornjak.service.ports.http }}
+
+ Connect to: http://localhost:{{ .Values.tornjak.service.ports.http }}
 {{- else if eq (include "spire-tornjak.connectionType" .) "tls" }}
- Open browser to: https://localhost:{{ .Values.tornjak.service.ports.https }}
+
+ Connect to: https://localhost:{{ .Values.tornjak.service.ports.https }}
 *** NOTE: You might get a security warning if using self-signed certificate or use curl:
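Review bot: The unauthenticated-Tornjak warning is now suppressed whenever `tornjak.config.userManagement.issuer` is non-empty, but the new `.Values.tornjak.ingress.enabled` branch prints an externally reachable `https://tornjak-backend.<trust-domain>` URL regardless of that check. With `issuer` empty and ingress enabled the notes advertise an unauthenticated management API outside the cluster with only the warning block above it; consider a `fail` in the template that renders the Tornjak ingress for that combination, or at least extending the warning to say the endpoint is published through the ingress. The README rows added in this PR also document `userManagement.audience` defaulting to `""`, so if Tornjak needs both values for a working check, gating the warning on `issuer` alone may hide a half-configured setup — worth confirming against Tornjak's behaviour. The `tornjak.enabled` block this hunk sits in is closed in the next hunk.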
@@ -35,3 +46,4 @@ Access Tornjak:
 ERROR! Incorrect value selected for "Values.tornjak.config.connectionType"
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/_controller-manager-container.tpl b/charts/spire/charts/spire-server/templates/_controller-manager-container.tpl
new file mode 100644
index 000000000..4c0b4e9c3
--- /dev/null
+++ b/charts/spire/charts/spire-server/templates/_controller-manager-container.tpl
@@ -0,0 +1,125 @@
+{{- define "spire-controller-manager.containers" }}
+{{- $root := . }}
+{{- $settings := dict }}
+{{- $defaults := .Values.controllerManager }}
+{{- $webhooksEnabled := .Values.controllerManager.validatingWebhookConfiguration.enabled }}
+{{- $startPort := 8082 }}
+{{- $reconcileFederation := 0 }}
+{{- $reconcileEntries := 0 }}
+{{- if eq (.Values.controllerManager.enabled | toString) "true" }}
+{{- if .Values.controllerManager.reconcile.clusterFederatedTrustDomains }}
+{{- $reconcileFederation = add $reconcileFederation 1 }}
+{{- end }}
+{{- if or .Values.controllerManager.reconcile.clusterSPIFFEIDs .Values.controllerManager.reconcile.clusterStaticEntries }}
+{{- $reconcileEntries = add $reconcileEntries 1 }}
+{{- end }}
+{{- include "spire-controller-manager.container" (dict "Values" .Values "Chart" .Chart "startPort" $startPort "suffix" "" "settings" $settings "defaults" $defaults "webhooksEnabled" $webhooksEnabled) }}
+{{- end }}
+{{- if .Values.externalControllerManagers.enabled }}
+{{- $clusters := default .Values.kubeConfigs .Values.externalControllerManagers.clusters }}
+{{- $clusterDefaults := .Values.externalControllerManagers.defaults }}
+{{- range $name, $_ := $clusters }}
+{{- $clusterSettings := dict }}
+{{- if hasKey $root.Values.externalControllerManagers.clusters $name }}
+{{- $clusterSettings = index $root.Values.externalControllerManagers.clusters $name }}
+{{- end }}
+{{- $suffix := printf "-%s" $name }}
+{{- $startPort = add $startPort 2 }}
+{{- $kubeConfig := $name }}
+{{- if hasKey $clusterSettings "kubeConfigName" }}
+{{- $kubeConfig = $clusterSettings.kubeConfigName }}
+{{- end }}
+{{- $reconcile := dict }}
+{{- if hasKey $clusterSettings "reconcile" }}
+{{- $reconcile = $clusterSettings.reconcile }}
+{{- end }}
+{{- if and (hasKey $reconcile "clusterFederatedTrustDomains") $reconcile.clusterFederatedTrustDomains }}
+{{- $reconcileFederation = add $reconcileFederation 1 }}
+{{- else if $clusterDefaults.reconcile.clusterFederatedTrustDomains }}
+{{- $reconcileFederation = add $reconcileFederation 1 }}
+{{- end }}
+{{- if gt $reconcileFederation 1 }}
+{{- fail "You can only have one controller-manager with reconcile.clusterFederatedTrustDomains set to true" }}
+{{- end }}
+{{- include "spire-controller-manager.container" (dict "Values" $root.Values "Chart" $root.Chart "startPort" $startPort "suffix" $suffix "settings" $clusterSettings "defaults" $clusterDefaults "webhooksEnabled" false "kubeConfig" $kubeConfig ) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- define "spire-controller-manager.container" }}
+{{- $promPort := .startPort }}
+{{- $healthPort := add .startPort 1 }}
+{{- $extraEnv := .defaults.extraEnv }}
+{{- if hasKey .settings "extraEnv" }}
+{{- $extraEnv = .settings.extraEnv }}
+{{- end }}
+{{- $expandEnv := .defaults.expandEnv }}
+{{- if hasKey .settings "expandEnv" }}
+{{- $extraEnv = .settings.expandEnv }}
+{{- end }}
+{{- $securityContext := .defaults.securityContext }}
+{{- if hasKey .settings "securityContext" }}
+{{- $securityContext = mergeOverwrite .defaults.securityContext .settings.securityContext }}
+{{- end }}
+- name: spire-controller-manager{{ .suffix }}
+ securityContext:
+ {{- include "spire-lib.securitycontext-extended" (dict "root" . "securityContext" $securityContext) | nindent 4 }}
+ image: {{ template "spire-lib.image" (dict "appVersion" .Chart.AppVersion "image" .Values.controllerManager.image "global" .Values.global) }}
+ imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }}
+ args:
+ {{- if hasKey . "kubeConfig" }}
+ - --kubeconfig=/kubeconfigs/{{ .kubeConfig }}
+ {{- end }}
+ - --config=controller-manager-config{{ .suffix }}.yaml
+ {{- if $expandEnv }}
+ - --expand-env
+ {{- end }}
+ env:
+ - name: ENABLE_WEBHOOKS
+ value: {{ .webhooksEnabled | toString | quote }}
+ {{- if gt (len $extraEnv) 0 }}
+ {{- $extraEnv | toYaml | nindent 4 }}
+ {{- end }}
+ ports:
+ {{- if .webhooksEnabled }}
+ - name: https
+ containerPort: 9443
+ protocol: TCP
+ {{- end }}
+ - containerPort: {{ $healthPort }}
+ name: healthz
+ {{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }}
+ - containerPort: {{ $promPort }}
+ name: prom-cm{{ .suffix }}
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: healthz
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: healthz
+ resources:
+ {{- toYaml .Values.controllerManager.resources | nindent 4 }}
+ volumeMounts:
+ - name: spire-server-socket
+ mountPath: /tmp/spire-server/private
+ readOnly: true
+ - name: controller-manager-config
+ mountPath: /controller-manager-config{{ .suffix }}.yaml
+ subPath: controller-manager-config{{ .suffix }}.yaml
+ readOnly: true
+ {{- with .kubeConfig }}
+ - name: kubeconfigs
+ mountPath: /kubeconfigs/{{ . }}
+ subPath: {{ . }}
+ readOnly: true
+ {{- end }}
+ - name: spire-controller-manager-tmp
+ mountPath: /tmp
+ subPath: {{ printf "spire-controller-manager%s" .suffix }}
+ readOnly: false
+ {{- if gt (len .Values.extraVolumeMounts) 0 }}
+ {{- toYaml .Values.extraVolumeMounts | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl
index 9f6e011be..0b3fb0fc6 100644
--- a/charts/spire/charts/spire-server/templates/_helpers.tpl
+++ b/charts/spire/charts/spire-server/templates/_helpers.tpl
@@ -280,8 +280,12 @@ The code below determines what connection type should be used.
 {{- end -}}
 {{- define "spire-server.controller-manager-class-name" -}}
-{{- if .Values.controllerManager.className }}
-{{- .Values.controllerManager.className }}
+{{- if and (hasKey . "settings") (hasKey .settings "className") }}
+{{- .settings.className }}
+{{- else if and (hasKey . "defaults") .defaults.className }}
+{{- .defaults.className }}
+{{- else if .Values.controllerManager.className }}
+{{- .Values.controllerManager.className }}
 {{- else }}
 {{- .Release.Namespace }}-{{ default .Release.Name .Values.crNameOverride }}
 {{- end -}}
@@ -301,3 +305,16 @@ The code below determines what connection type should be used.
 {{- $g := dig "spire" "caSubject" "commonName" "" .Values.global }}
 {{- default .Values.ca_subject.common_name $g }}
 {{- end }}
+
+{{- define "spire-server.subject" }}
+subjects:
+{{- if .Values.externalServer }}
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: spire-root
+{{- else }}
+- kind: ServiceAccount
+ name: {{ include "spire-server.serviceAccountName" . }}
+ namespace: {{ include "spire-server.namespace" . }}
+{{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
index 2c6e34cc0..bdd9d8fc0 100644
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
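Review bot: In `spire-server.controller-manager-class-name` the `settings` branch keys on `hasKey .settings "className"` while the `defaults` and `controllerManager` branches test the value for non-emptiness, so a per-cluster `className: ""` renders an empty class name instead of the `Release.Namespace-Release.Name` fallback that this PR's README promises for an empty value. Using the same truthiness test in all three tiers keeps them consistent: `{{- if and (hasKey . "settings") (dig "className" "" .settings) }}`. The `else` fallback shared by every external controller manager is pre-existing and outside the point raised here.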
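Review bot: `spire-server.subject` binds the server's RBAC to a hard-coded `User` named `spire-root` when `externalServer` is set, so whatever the cluster's authenticator maps to that username (a client-certificate CN, an OIDC claim, a static token entry) inherits every role the server has, and nothing in the chart documents which credential is expected to carry it. The name is also neither release-scoped nor configurable, so two nested installs in one cluster would share the binding. Consider exposing it as a value (for example a new `externalServerUser`, constructed name for illustration) and adding a comment in the define such as `{{- /* externalServer: the parent SPIRE server must authenticate to this API server as exactly this username */ -}}`. The RBAC templates that include this define are outside the hunk.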
@@ -38,6 +38,9 @@
 {{- if and (eq (.Values.keyManager.awsKMS.keyIdentifierFile.enabled | toString) "true") (eq (.Values.keyManager.awsKMS.keyIdentifierValue.enabled | toString ) "true") }}
 {{- fail "You can only enable one of keyIdentifierFile or keyIdentifierValue at a time" }}
 {{- end }}
+{{- if hasKey .Values.federation.bundleEndpoint "profile" }}
+{{- fail "Configuring the federation bundle endpoint profile directly isn't supported. You can specify the settings via federation.tls" }}
+{{- end }}
 {{- define "spire-server.yaml-config" -}}
 {{- $upstreamAuthorityUsed := 0 }}
 {{- $keyManagerUsed := 0 }}
@@ -266,7 +269,7 @@ plugins:
 UpstreamAuthority:
 cert-manager:
 plugin_data:
- issuer_name: {{ default (include "spire-server.fullname" $root) .issuer_name }}-ca
+ issuer_name: {{ default (printf "%s-ca" (include "spire-server.fullname" $root)) .issuer_name }}
 issuer_kind: {{ .issuer_kind | quote }}
 issuer_group: {{ .issuer_group | quote }}
 namespace: {{ default $root.Release.Namespace .namespace | quote }}
@@ -361,6 +364,7 @@ telemetry:
 port: 9988
 {{- end }}
 {{- end }}
+{{- if not .Values.externalServer }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -373,3 +377,4 @@ metadata:
 data:
 server.conf: |
 {{- include "spire-lib.reformat-and-yaml2json" (dict "config" (include "spire-server.yaml-config" .) "root" .) | nindent 4 }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
index cbd5400c5..7642d7af3 100644
--- a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
@@ -9,7 +9,10 @@ values:
 {{ .namespaces | toYaml | nindent 2 }}
 {{- end }}
 {{- define "spire-controller-manager-identity-podselector" }}
-{{- if eq .type "oidc-discovery-provider" }}
+{{- if eq .type "child-servers" }}
+matchLabels:
+ component: server
+{{- else if eq .type "oidc-discovery-provider" }}
 matchLabels:
 release: {{ .Release.Name }}
 release-namespace: {{ .Release.Namespace }}
@@ -34,8 +37,8 @@ matchLabels:
 {{- if eq ($root.Values.controllerManager.enabled | toString) "true" }}
 {{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
 {{- $type := dig "type" "base" $value }}
-{{- if not (has $type (list "base" "raw" "oidc-discovery-provider" "test-keys")) }}
-{{- fail (printf "Type given: %s, must be one of [base, raw, oidc-discovery-provider, test-keys]" $type) }}
+{{- if not (has $type (list "base" "raw" "child-servers" "oidc-discovery-provider" "test-keys")) }}
+{{- fail (printf "Type given: %s, must be one of [base, raw, child-servers, oidc-discovery-provider, test-keys]" $type) }}
 {{- end }}
 {{- $namespaceSelector := deepCopy (dig "namespaceSelector" (dict) $value) }}
 {{- if ne $type "raw" }}
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
index f019f56d4..f5bad18bf 100644
--- a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
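Review bot: The new `child-servers` branch of `spire-controller-manager-identity-podselector` selects on `component: server` alone, whereas the `oidc-discovery-provider` branch next to it also pins `release` and `release-namespace`. The README rows added in this PR set `child-servers.downstream` to `true`, so any pod carrying a `component: server` label in the namespaces this identity covers would be issued a downstream, CA-capable SVID; unless the `namespaceSelector` built further down (its logic continues past the second hunk) narrows that, the label is easy for an unrelated workload to satisfy. Consider matching the additional labels the nested chart puts on its server pods, and a comment such as `# child-servers: matched pods receive a downstream identity, keep this selector tight`. The podselector define itself is complete within this hunk.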
@@ -1,4 +1,9 @@
-{{- if eq (.Values.controllerManager.enabled | toString) "true" }}
+{{- $root := . }}
+{{- $startPort := 8082 }}
+{{- $clusters := default .Values.kubeConfigs .Values.externalControllerManagers.clusters }}
+{{- $clusterDefaults := .Values.externalControllerManagers.defaults }}
+{{- if not .Values.externalServer }}
+{{- if or (eq (.Values.controllerManager.enabled | toString) "true") (and .Values.externalControllerManagers.enabled (gt (len $clusters) 0)) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
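Review bot: `$startPort := 8082` and `$clusters := default .Values.kubeConfigs .Values.externalControllerManagers.clusters` duplicate the bookkeeping in `_controller-manager-container.tpl` from this same PR; the health and metrics ports only agree between the container args and the rendered config because both files walk the same map in the same order and add 2 per cluster. A comment on the `$startPort` line such as `{{- /* port allocation must stay in step with _controller-manager-container.tpl */ -}}`, or a single helper that both templates include for the allocation, would keep the two from drifting silently. Both `if` blocks opened here are closed in the next hunk.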
@@ -9,45 +14,78 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} data: +{{- if eq (.Values.controllerManager.enabled | toString) "true" }} +{{- $clusterName := include "spire-lib.cluster-name" . }} controller-manager-config.yaml: | - apiVersion: spire.spiffe.io/v1alpha1 - kind: ControllerManagerConfig - metadata: - name: {{ include "spire-controller-manager.fullname" . }} - namespace: {{ include "spire-server.namespace" . }} - labels: - {{- include "spire-server.labels" . | nindent 8 }} - metrics: - bindAddress: 0.0.0.0:8082 - health: - healthProbeBindAddress: 0.0.0.0:8083 - leaderElection: - leaderElect: true - resourceName: {{ printf "%s-%s" .Release.Namespace (default .Release.Name .Values.crNameOverride) | sha256sum | trunc 8 }}.spiffe.io - resourceNamespace: {{ include "spire-server.namespace" . }} - {{- with .Values.controllerManager.cacheNamespaces }} - cacheNamespaces: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- if .Values.controllerManager.validatingWebhookConfiguration.enabled }} - validatingWebhookConfigurationName: {{ .Release.Namespace }}-{{ include "spire-controller-manager.fullname" . }}-webhook - {{- end }} - {{- if typeIs "string" .Values.controllerManager.entryIDPrefixCleanup }} - entryIDPrefixCleanup: {{ .Values.controllerManager.entryIDPrefixCleanup | quote }} - {{- end }} - entryIDPrefix: {{ include "spire-lib.cluster-name" . }} - clusterName: {{ include "spire-lib.cluster-name" . }} - trustDomain: {{ include "spire-lib.trust-domain" . }} - ignoreNamespaces: - {{- with .Values.controllerManager.ignoreNamespaces }} - {{- toYaml . | nindent 6 }} - {{- end }} - spireServerSocketPath: "/tmp/spire-server/private/api.sock" - className: {{ include "spire-server.controller-manager-class-name" . | quote}} - watchClassless: {{ .Values.controllerManager.watchClassless | toYaml }} - parentIDTemplate: {{ .Values.controllerManager.parentIDTemplate | quote }} - {{- with .Values.reconcile }} - reconcile: - {{- toYaml . 
| nindent 6 }} - {{- end }} + {{- include "spire-controller-manager.config" (dict "Values" .Values "Chart" .Chart "Release" .Release "startPort" $startPort "suffix" "" "settings" (dict) "defaults" .Values.controllerManager "webhookEnabled" .Values.controllerManager.validatingWebhookConfiguration.enabled "clusterName" $clusterName) | nindent 4 }} +{{- end }} +{{- if .Values.externalControllerManagers.enabled }} +{{- range $name, $_ := $clusters }} +{{- $clusterSettings := dict }} +{{- if hasKey $root.Values.externalControllerManagers.clusters $name }} +{{- $clusterSettings = index $root.Values.externalControllerManagers.clusters $name }} +{{- end }} +{{- $suffix := printf "-%s" $name }} +{{- $startPort = add $startPort 2 }} + controller-manager-config{{ $suffix }}.yaml: | + {{- include "spire-controller-manager.config" (dict "Values" $root.Values "Chart" $root.Chart "Release" $root.Release "startPort" $startPort "suffix" $suffix "settings" $clusterSettings "defaults" $clusterDefaults "webhookEnabled" false "clusterName" $name) | nindent 4 }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- define "spire-controller-manager.config" }} +{{- $promPort := .startPort }} +{{- $healthPort := add $promPort 1 }} +apiVersion: spire.spiffe.io/v1alpha1 +kind: ControllerManagerConfig +metadata: + name: {{ include "spire-controller-manager.fullname" . }}{{ .suffix }} + namespace: {{ include "spire-server.namespace" . }} + labels: + {{- include "spire-server.labels" . | nindent 4 }} +metrics: + bindAddress: 0.0.0.0:{{ $promPort }} +health: + healthProbeBindAddress: 0.0.0.0:{{ $healthPort }} +leaderElection: + leaderElect: true + resourceName: {{ printf "%s-%s%s" .Release.Namespace (default .Release.Name .Values.crNameOverride) .suffix | sha256sum | trunc 8 }}.spiffe.io + resourceNamespace: {{ include "spire-server.namespace" . }} +{{- with .settings.cacheNamespaces }} +cacheNamespaces: + {{- toYaml . 
| nindent 2 }} +{{- end }} +{{- if .webhookEnabled }} +validatingWebhookConfigurationName: {{ .Release.Namespace }}-{{ include "spire-controller-manager.fullname" . }}-webhook +{{- end }} +{{- $entryIDPrefixCleanup := .defaults.entryIDPrefixCleanup }} +{{- if hasKey .settings "entryIDPrefixCleanup" }} +{{- $entryIDPrefixCleanup = .settings.entryIDPrefixCleanup }} +{{- end }} +{{- if typeIs "string" $entryIDPrefixCleanup }} +entryIDPrefixCleanup: {{ $entryIDPrefixCleanup | quote }} +{{- end }} +entryIDPrefix: {{ .clusterName }} +clusterName: {{ .clusterName }} +trustDomain: {{ include "spire-lib.trust-domain" . }} +{{- $ignoreNamespaces := .defaults.ignoreNamespaces }} +{{- if hasKey .settings "ignoreNamespaces" }} +{{- $ignoreNamespaces = .settings.ignoreNamespaces }} +{{- end }} +{{- with $ignoreNamespaces }} +ignoreNamespaces: + {{- toYaml . | nindent 2 }} +{{- end }} +spireServerSocketPath: "/tmp/spire-server/private/api.sock" +className: {{ include "spire-server.controller-manager-class-name" . 
| quote}} +watchClassless: {{ if hasKey .settings "watchClassless" }}{{ .settings.watchClassless | toYaml }}{{ else }}{{ .defaults.watchClassless | toYaml }}{{ end }} +parentIDTemplate: {{ if hasKey .settings "parentIDTemplate" }}{{ .settings.parentIDTemplate | quote }}{{ else }}{{ .defaults.parentIDTemplate | quote }}{{ end }} +{{- $reconcile := dict }} +{{- if hasKey .settings "reconcile" }} +{{- $reconcile = .settings.reconcile }} +{{- end }} +reconcile: + clusterSPIFFEIDs: {{ if hasKey $reconcile "clusterSPIFFEIDs" }}{{ toYaml $reconcile.clusterSPIFFEIDs }}{{ else }}{{ toYaml .defaults.reconcile.clusterSPIFFEIDs }}{{ end }} + clusterStaticEntries: {{ if hasKey $reconcile "clusterStaticEntries" }}{{ toYaml $reconcile.clusterStaticEntries }}{{ else }}{{ toYaml .defaults.reconcile.clusterStaticEntries }}{{ end }} + clusterFederatedTrustDomains: {{ if hasKey $reconcile "clusterFederatedTrustDomains" }}{{ toYaml $reconcile.clusterFederatedTrustDomains }}{{ else }}{{ toYaml .defaults.reconcile.clusterFederatedTrustDomains }}{{ end }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml b/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml index d2f9e9b85..8b18b3def 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml @@ -24,10 +24,7 @@ roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: {{ include "spire-controller-manager.fullname" . }}-leader-election -subjects: -- kind: ServiceAccount - name: {{ include "spire-server.serviceAccountName" . }} - namespace: {{ include "spire-server.namespace" . }} +{{ include "spire-server.subject" . }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
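Review bot: `controllerManager.cacheNamespaces` silently stops working with the new `spire-controller-manager.config` define: the removed lines read `.Values.controllerManager.cacheNamespaces`, but the define only consults `.settings.cacheNamespaces`, and the in-cluster invocation passes `"settings" (dict)`, so a user who scoped the manager's informer cache to a few namespaces ends up with a cluster-wide cache after upgrading. The same gap leaves `externalControllerManagers.defaults.cacheNamespaces`, documented in values.yaml in this diff, unread by anything. Give it the settings-then-defaults fallback that `ignoreNamespaces` and `entryIDPrefixCleanup` already use in this hunk.
```yaml
# … unchanged: leaderElection / validatingWebhookConfigurationName …
{{- $cacheNamespaces := .defaults.cacheNamespaces }}
{{- if hasKey .settings "cacheNamespaces" }}
{{- $cacheNamespaces = .settings.cacheNamespaces }}
{{- end }}
{{- with $cacheNamespaces }}
cacheNamespaces:
  {{- toYaml . | nindent 2 }}
{{- end }}
# … unchanged: entryIDPrefixCleanup, entryIDPrefix, clusterName, trustDomain …
```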
@@ -87,8 +84,5 @@ roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: {{ .Release.Namespace}}-{{ include "spire-controller-manager.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ include "spire-server.serviceAccountName" . }} - namespace: {{ include "spire-server.namespace" . }} +{{ include "spire-server.subject" . }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-service.yaml b/charts/spire/charts/spire-server/templates/controller-manager-service.yaml index 5d3b0a767..864c20472 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-service.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-service.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.externalServer }} {{- if eq (.Values.controllerManager.enabled | toString) "true" }} apiVersion: v1 kind: Service @@ -20,3 +21,4 @@ spec: selector: {{- include "spire-server.selectorLabels" . | nindent 4 }} {{- end }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-webhook.yaml b/charts/spire/charts/spire-server/templates/controller-manager-webhook.yaml index 7f91f1090..660c2f86c 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-webhook.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-webhook.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.externalServer }} {{- if and (eq (.Values.controllerManager.enabled | toString) "true") .Values.controllerManager.validatingWebhookConfiguration.enabled }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -37,3 +38,4 @@ webhooks: resources: ["clusterspiffeids"] sideEffects: None {{- end }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/federation-certificate.yaml b/charts/spire/charts/spire-server/templates/federation-certificate.yaml index 013d3026f..a4329d7a3 100644 --- a/charts/spire/charts/spire-server/templates/federation-certificate.yaml 
+++ b/charts/spire/charts/spire-server/templates/federation-certificate.yaml @@ -20,7 +20,7 @@ secretName: {{ $issuerFullName }}-cert apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ include "spire-server.fullname" . }} + name: {{ include "spire-server.fullname" . }}-fed namespace: {{ include "spire-server.namespace" . }} spec: {{ merge (include "spire-server.federation-cert-manager-default-cert" . | fromYaml) .Values.federation.tls.certManager.certificate | toYaml | nindent 2 }} diff --git a/charts/spire/charts/spire-server/templates/hpa.yaml b/charts/spire/charts/spire-server/templates/hpa.yaml index 65b195e52..7fd457a31 100644 --- a/charts/spire/charts/spire-server/templates/hpa.yaml +++ b/charts/spire/charts/spire-server/templates/hpa.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.externalServer }} {{- if .Values.autoscaling.enabled }} apiVersion: {{ include "spire-lib.autoscalingVersion" . }} kind: HorizontalPodAutoscaler @@ -38,3 +39,4 @@ spec: averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/podmonitor.yaml b/charts/spire/charts/spire-server/templates/podmonitor.yaml index 878a4bafc..3e736df9a 100644 --- a/charts/spire/charts/spire-server/templates/podmonitor.yaml +++ b/charts/spire/charts/spire-server/templates/podmonitor.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.externalServer }} {{- if (dig "telemetry" "prometheus" "podMonitor" "enabled" .Values.telemetry.prometheus.podMonitor.enabled .Values.global) }} {{- $namespace := include "spire-server.podMonitor.namespace" . }} {{- $podNamespace := ( include "spire-server.namespace" . ) }} @@ -25,3 +26,4 @@ spec: kubernetes.io/metadata.name: {{ $podNamespace }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/post-install-hook.yaml b/charts/spire/charts/spire-server/templates/post-install-hook.yaml index 6b4568edc..3b9bf1b03 100644 
--- a/charts/spire/charts/spire-server/templates/post-install-hook.yaml +++ b/charts/spire/charts/spire-server/templates/post-install-hook.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.externalServer }} {{- if eq ((dig "installAndUpgradeHooks" "enabled" .Values.controllerManager.installAndUpgradeHook.enabled .Values.global) | toString) "true" }} {{- if and (eq (.Values.controllerManager.enabled | toString) "true") .Values.controllerManager.validatingWebhookConfiguration.enabled }} {{- if eq .Values.controllerManager.validatingWebhookConfiguration.failurePolicy "Fail" }} @@ -87,3 +88,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml index 45f952550..683ba91db 100644 --- a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.externalServer }} {{- if eq ((dig "installAndUpgradeHooks" "enabled" .Values.controllerManager.installAndUpgradeHook.enabled .Values.global) | toString) "true" }} {{- if and (eq (.Values.controllerManager.enabled | toString) "true") .Values.controllerManager.validatingWebhookConfiguration.enabled }} {{- if eq .Values.controllerManager.validatingWebhookConfiguration.failurePolicy "Fail" }} @@ -87,3 +88,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml index 2a14be910..7c4c0e80b 100644 --- a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml +++ b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml 
@@ -1,3 +1,4 @@ +{{- if not .Values.externalServer }} {{- if eq ((dig "deleteHooks" "enabled" .Values.controllerManager.deleteHook.enabled .Values.global) | toString) "true" }} {{- if .Values.upstreamAuthority.spire.enabled }} apiVersion: v1 @@ -90,3 +91,4 @@ spec: - {{ include "spire-server.namespace" . }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml index b3f852520..a3a86b6f4 100644 --- a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.externalServer }} {{- if eq ((dig "installAndUpgradeHooks" "enabled" .Values.controllerManager.installAndUpgradeHook.enabled .Values.global) | toString) "true" }} {{- if and (eq (.Values.controllerManager.enabled | toString) "true") .Values.controllerManager.validatingWebhookConfiguration.enabled }} {{- if eq .Values.controllerManager.validatingWebhookConfiguration.failurePolicy "Fail" }} @@ -87,3 +88,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/roles.yaml b/charts/spire/charts/spire-server/templates/roles.yaml index c09bedecd..fdf2ac517 100644 --- a/charts/spire/charts/spire-server/templates/roles.yaml +++ b/charts/spire/charts/spire-server/templates/roles.yaml @@ -1,5 +1,7 @@ +{{- $subject := include "spire-server.subject" . }} {{- $namespace := include "spire-server.namespace" . }} {{- $bundleNamespace := include "spire-server.bundle-namespace" . }} +{{- if .Values.notifier.k8sbundle.enabled }} # Role to be able to push certificate bundles to a configmap kind: Role apiVersion: rbac.authorization.k8s.io/v1 
@@ -13,6 +15,7 @@ rules: verbs: - get - patch +{{- end }} {{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.rbac.create }} --- # Role to be able to manage cert requests with Cert-Manager @@ -39,30 +42,25 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "spire-server.fullname" . }}-cm namespace: {{ $namespace }} -subjects: - - kind: ServiceAccount - name: {{ include "spire-server.serviceAccountName" . }} - namespace: {{ $namespace }} +{{ $subject }} roleRef: kind: Role name: {{ include "spire-server.fullname" . }}-cm apiGroup: rbac.authorization.k8s.io {{- end }} +{{- if .Values.notifier.k8sbundle.enabled }} --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "spire-lib.bundle-configmap" . }} namespace: {{ $bundleNamespace }} -subjects: - - kind: ServiceAccount - name: {{ include "spire-server.serviceAccountName" . }} - namespace: {{ $namespace }} +{{ $subject }} roleRef: kind: Role name: {{ include "spire-lib.bundle-configmap" . }} apiGroup: rbac.authorization.k8s.io - +{{- end }} {{- if and .Values.nodeAttestor.k8sPsat.enabled }} --- # ClusterRole to allow spire-server node attestor to query Token Review API @@ -89,10 +87,7 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Release.Namespace}}-{{ include "spire-server.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ include "spire-server.serviceAccountName" . }} - namespace: {{ $namespace }} +{{ $subject }} roleRef: kind: ClusterRole name: {{ .Release.Namespace}}-{{ include "spire-server.fullname" . }} diff --git a/charts/spire/charts/spire-server/templates/server-resource.yaml b/charts/spire/charts/spire-server/templates/server-resource.yaml index 4793db97c..d30910995 100644 --- a/charts/spire/charts/spire-server/templates/server-resource.yaml +++ b/charts/spire/charts/spire-server/templates/server-resource.yaml 
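Review bot: Every binding in roles.yaml now takes its subject from `spire-server.subject`, a helper that is not part of this diff, while the ServiceAccount template elsewhere in the diff is skipped when `externalServer` is true; since the k8sPsat ClusterRoleBinding grants TokenReview and the bundle RoleBinding grants ConfigMap `patch`, it is worth confirming that the helper resolves to the external server's identity in that mode rather than to the name of a ServiceAccount that is no longer created. A one-line comment beside the `$subject :=` assignment at the top of the file (previous hunk), e.g. `# spire-server.subject: the local server SA, or the external server's identity when externalServer is set`, would save the next reader the lookup. The enclosing template continues past both ends of this hunk.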
@@ -21,6 +21,7 @@ {{- else }} {{- fail "Unsupported kind." }} {{- end }} +{{- if not .Values.externalServer }} apiVersion: apps/v1 {{- if eq .Values.kind "statefulset" }} kind: StatefulSet 
@@ -256,59 +257,7 @@ spec: - name: server-tmp mountPath: /tmp readOnly: false - {{- if eq (.Values.controllerManager.enabled | toString) "true" }} - - name: spire-controller-manager - securityContext: - {{- include "spire-lib.securitycontext-extended" (dict "root" . "securityContext" .Values.controllerManager.securityContext) | nindent 12 }} - image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.image "global" .Values.global) }} - imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }} - args: - - --config=controller-manager-config.yaml - {{- if .Values.controllerManager.expandEnv }} - - --expand-env - {{- end }} - env: - - name: ENABLE_WEBHOOKS - value: {{ .Values.controllerManager.validatingWebhookConfiguration.enabled | toString | quote }} - {{- if gt (len .Values.controllerManager.extraEnv) 0 }} - {{- .Values.controllerManager.extraEnv | toYaml | nindent 12 }} - {{- end }} - ports: - - name: https - containerPort: 9443 - protocol: TCP - - containerPort: 8083 - name: healthz - {{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} - - containerPort: 8082 - name: prom2 - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: healthz - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - {{- toYaml .Values.controllerManager.resources | nindent 12 }} - volumeMounts: - - name: spire-server-socket - mountPath: /tmp/spire-server/private - readOnly: true - - name: controller-manager-config - mountPath: /controller-manager-config.yaml - subPath: controller-manager-config.yaml - readOnly: true - - name: spire-controller-manager-tmp - mountPath: /tmp - readOnly: false - {{- if gt (len .Values.extraVolumeMounts) 0 }} - {{- toYaml .Values.extraVolumeMounts | nindent 12 }} - {{- end }} - {{- end }} 
- + {{- include "spire-controller-manager.containers" . | nindent 8 }} {{- if eq (.Values.tornjak.enabled | toString) "true" }} - name: tornjak securityContext: @@ -319,7 +268,7 @@ spec: startupProbe: httpGet: scheme: HTTP - path: /api/tornjak/serverinfo + path: / port: 10000 {{- toYaml .Values.tornjak.startupProbe | nindent 12 }} {{- end }} @@ -514,3 +463,4 @@ spec: storageClassName: {{ $storageClass }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/service.yaml b/charts/spire/charts/spire-server/templates/service.yaml index 1e57a0707..b9726efe6 100644 --- a/charts/spire/charts/spire-server/templates/service.yaml +++ b/charts/spire/charts/spire-server/templates/service.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.externalServer }} apiVersion: v1 kind: Service metadata: @@ -26,3 +27,4 @@ spec: {{- end }} selector: {{- include "spire-server.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/serviceaccount.yaml b/charts/spire/charts/spire-server/templates/serviceaccount.yaml index cd717b588..0b793d244 100644 --- a/charts/spire/charts/spire-server/templates/serviceaccount.yaml +++ b/charts/spire/charts/spire-server/templates/serviceaccount.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.externalServer }} {{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount @@ -11,3 +12,4 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/tests/test-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-connection.yaml index 9c48b620e..57b4434ba 100644 --- a/charts/spire/charts/spire-server/templates/tests/test-connection.yaml +++ b/charts/spire/charts/spire-server/templates/tests/test-connection.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.externalServer }} {{ $values := merge .Values }} apiVersion: v1 kind: Pod 
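Review bot: Changing the Tornjak startupProbe path from `/api/tornjak/serverinfo` to `/` drops the only readiness signal that exercised the backend's connection to the SPIRE server, and nothing in the hunk says why. The likely reason is that, with the `UserManagement "KeycloakAuth"` block added to tornjak-config.yaml in this diff, API paths presumably reject an unauthenticated probe, but that is an inference; if it is the motivation, record it above `path: /` as `# unauthenticated root path: API routes reject the probe once userManagement is configured`. Note the probe scheme stays `HTTP` on port 10000 while values.yaml says Tornjak can be run in `tls`/`mtls` mode, a pre-existing mismatch worth a caveat in the same comment. The tornjak container definition starts and ends outside this hunk.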
@@ -64,3 +65,4 @@ spec: secretName: {{ .Values.tests.tls.customCA }} {{- end }} restartPolicy: Never +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/tornjak-config.yaml b/charts/spire/charts/spire-server/templates/tornjak-config.yaml index f187e47ba..ec7b2e6e3 100644 --- a/charts/spire/charts/spire-server/templates/tornjak-config.yaml +++ b/charts/spire/charts/spire-server/templates/tornjak-config.yaml @@ -42,5 +42,13 @@ data: } } {{- end }} + {{- if ne .Values.tornjak.config.userManagement.issuer "" }} + UserManagement "KeycloakAuth" { + plugin_data { + issuer = "{{ .Values.tornjak.config.userManagement.issuer }}" + audience = "{{ .Values.tornjak.config.userManagement.audience }}" + } + } + {{- end }} } {{- end }} diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 1e38cbd6e..da3b8a0de 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -23,6 +23,9 @@ image: ## @param kind Define SPIRE server deployment type. Can be statefulset/deployment. Defaults to statefulset if not set. This feature is experimental. kind: statefulset +## @param externalServer Deploy only the bundle ConfigMap, RBAC rules, and identity documents but not the server. Use in a nested setup where the server is external. +externalServer: false + ## @param imagePullSecrets [array] Pull secrets for images imagePullSecrets: [] @@ -207,6 +210,8 @@ federation: port: 8443 ## @param federation.bundleEndpoint.address Address for trust bundle federation address: "0.0.0.0" + ## @param federation.bundleEndpoint.refresh_hint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. + refresh_hint: "5m" tls: spire: 
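Review bot: The `UserManagement "KeycloakAuth"` block in tornjak-config.yaml is emitted whenever `issuer` is non-empty, but `audience` is passed through even when it is left at its `""` default from values.yaml, so a deployment that sets only the issuer would, depending on how Tornjak treats an empty audience, accept any token minted by that issuer for any client. Fail the render instead: `{{- if and (ne .Values.tornjak.config.userManagement.issuer "") (eq .Values.tornjak.config.userManagement.audience "") }}`, `{{- fail "tornjak.config.userManagement.audience is required when issuer is set" }}`, `{{- end }}`. Also emit both values with `| quote` rather than hand-wrapping them in `"…"`, so a value containing a double quote cannot break out of the HCL string.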
@@ -466,7 +471,7 @@ controllerManager: watchClassless: false ## @param controllerManager.entryIDPrefixCleanup Sets which entry prefixes to remove for migrations. Consult the spiffe.io docs about this option before changing. Its unlikely you will need to ever change it. - entryIDPrefixCleanup: "" + entryIDPrefixCleanup: false ## @param controllerManager.parentIDTemplate The template that is used to register workloads. parentIDTemplate: "spiffe://{{ .TrustDomain }}/spire/agent/k8s_psat/{{ .ClusterName }}/{{ .NodeMeta.UID }}" @@ -535,6 +540,31 @@ controllerManager: - kube-system - kube-public - local-path-storage + # openshift related namespaces that should be typically ignored + - openshift-cluster-node-tuning-operator + - openshift-cluster-samples-operator + - openshift-cluster-storage-operator + - openshift-console-operator + - openshift-console + - openshift-dns + - openshift-dns-operator + - openshift-image-registry + - openshift-ingress + - openshift-kube-storage-version-migrator + - openshift-kube-storage-version-migrator-operator + - openshift-kube-proxy + - openshift-marketplace + - openshift-monitoring + - openshift-multus + - openshift-network-diagnostics + - openshift-network-operator + - openshift-operator-lifecycle-manager + - openshift-roks-metrics + - openshift-service-ca-operator + - openshift-service-ca + # ibmcloud specific namespaces + - ibm-odf-validation-webhook + - ibm-system ## @param controllerManager.reconcile.clusterSPIFFEIDs Enable reconciliation of clusterSPIFFEIDs from K8s to the SPIRE server ## @param controllerManager.reconcile.clusterStaticEntries Enable reconciliation of clusterStaticEntries from K8s to the SPIRE server 
@@ -579,6 +609,14 @@ controllerManager: ## @param controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames Auto populate DNS names from services attached to pods autoPopulateDNSNames: false + child-servers: + ## @param controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable this identity for controller manager + enabled: false + ## @param controllerManager.identities.clusterSPIFFEIDs.child-servers.type The type of rule this is. + type: child-servers + ## @param controllerManager.identities.clusterSPIFFEIDs.child-servers.downstream Set if this spire instance is a root server and the workloads are downstream servers. + downstream: true + oidc-discovery-provider: ## @param controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable this identity for controller manager enabled: true 
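Review bot: The `## @param …child-servers.downstream` comment should state the consequence of the flag, not just when to set it: as I understand SPIRE's entry semantics, a `downstream: true` ClusterSPIFFEID is what lets the matched workloads obtain CA-signing material from this server, so enabling `child-servers` on a root server delegates trust rather than merely registering a workload. Suggest: `## @param controllerManager.identities.clusterSPIFFEIDs.child-servers.downstream Set if this spire instance is a root server and the workloads are downstream servers. Downstream entries delegate CA authority; pair this identity with a namespaceSelector that limits matches to the child server namespaces.` Keeping `enabled: false` as the default is the right call.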
@@ -645,6 +683,78 @@ controllerManager: # fieldSelectors: # fName: f1 +externalControllerManagers: + ## @param externalControllerManagers.enabled Flag to enable external controller managers + enabled: false + defaults: + ## @param externalControllerManagers.defaults.reconcile.clusterSPIFFEIDs Enable reconciliation of clusterSPIFFEIDs from K8s to the SPIRE server + ## @param externalControllerManagers.defaults.reconcile.clusterStaticEntries Enable reconciliation of clusterStaticEntries from K8s to the SPIRE server + ## @param externalControllerManagers.defaults.reconcile.clusterFederatedTrustDomains Enable reconciliation of clusterFederatedTrustDomains from K8s to the SPIRE server + reconcile: + clusterSPIFFEIDs: true + clusterStaticEntries: false + clusterFederatedTrustDomains: false + ## @param externalControllerManagers.defaults.className specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. + className: "" + ## @param externalControllerManagers.defaults.watchClassless specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. + watchClassless: false + ## @param externalControllerManagers.defaults.entryIDPrefixCleanup consult the spiffe.io docs about this option before changing. Its unlikely you will need to ever change it. + entryIDPrefixCleanup: false + ## @param externalControllerManagers.defaults.parentIDTemplate The template that is used to register workloads. 
+ parentIDTemplate: "spiffe://{{ .TrustDomain }}/spire/agent/k8s_psat/{{ .ClusterName }}/{{ .NodeMeta.UID }}" + ## @param externalControllerManagers.defaults.expandEnv Set to true to enable environment variable substitution of config file options + expandEnv: false + ## @param externalControllerManagers.defaults.extraEnv [array] Extra environment variables to add to the controller manager + extraEnv: [] + ## @param externalControllerManagers.defaults.resources [object] Resource requests and limits for controller manager + resources: {} + ## @param externalControllerManagers.defaults.securityContext [object] Security context + securityContext: {} + configMap: + ## @param externalControllerManagers.defaults.configMap.annotations [object] Annotations to add to the Controller Manager ConfigMap + annotations: {} + ## @param externalControllerManagers.defaults.ignoreNamespaces [array] These namespaces are ignored by controller manager + ignoreNamespaces: + - kube-system + - kube-public + - local-path-storage + # openshift related namespaces that should be typically ignored + - openshift-cluster-node-tuning-operator + - openshift-cluster-samples-operator + - openshift-cluster-storage-operator + - openshift-console-operator + - openshift-console + - openshift-dns + - openshift-dns-operator + - openshift-image-registry + - openshift-ingress + - openshift-kube-storage-version-migrator + - openshift-kube-storage-version-migrator-operator + - openshift-kube-proxy + - openshift-marketplace + - openshift-monitoring + - openshift-multus + - openshift-network-diagnostics + - openshift-network-operator + - openshift-operator-lifecycle-manager + - openshift-roks-metrics + - openshift-service-ca-operator + - openshift-service-ca + # ibmcloud specific namespaces + - ibm-odf-validation-webhook + - ibm-system + ## @param externalControllerManagers.defaults.cacheNamespaces [object] If specified restricts the manager's cache to watch objects in the desired namespaces. 
Defaults to all namespaces. + cacheNamespaces: {} + + ## @param externalControllerManagers.clusters [object] A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. + clusters: {} + # clustera: + # Should match the name of the config in the kubeConfigs section + # kubeConfigName: foo + # reconcile: + # clusterStaticEntries: true + # other: {} + tools: kubectl: ## @param tools.kubectl.image.registry The OCI registry to pull the image from @@ -797,7 +907,7 @@ tornjak: repository: spiffe/tornjak-backend pullPolicy: IfNotPresent tag: "" - defaultTag: "v1.4.2" + defaultTag: "v1.6.0" service: ## @param tornjak.service.type Type of service resource @@ -860,6 +970,12 @@ tornjak: driver: "sqlite3" ## @param tornjak.config.dataStore.file File path for sqlite3 file file: "/run/spire/data/tornjak.sqlite3" + ## @extra tornjak.config.userManagement [object] UserManagement config + userManagement: + ## @param tornjak.config.userManagement.issuer UserManagement issuer URL + issuer: "" + ## @param tornjak.config.userManagement.audience UserManagement audience check + audience: "" # Tornjak supports 3 connection types: `http`, `tls`, and `mtls`. # The connections are determined based on provided configuration @@ -947,7 +1063,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:3b5e8046bc76624f645b97684845c3aef3c27d001db0f3f71d1ffbdf885edea7 + tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters kubeConfigs: {} diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml index d8f94c80d..2d67db39f 100644 --- a/charts/spire/charts/tornjak-frontend/Chart.yaml +++ b/charts/spire/charts/tornjak-frontend/Chart.yaml 
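Review bot: `externalControllerManagers.defaults.className` is documented as setting the class name, but the `spire-controller-manager.config` define in this diff always calls `spire-server.controller-manager-class-name` with no per-cluster lookup, and `defaults.cacheNamespaces` is likewise never read (the define only checks `.settings.cacheNamespaces`), so both knobs are silently ignored unless a helper outside this diff consumes them. Either wire them through the same settings-then-defaults fallback used for `ignoreNamespaces`, or drop them from values.yaml so operators are not misled into thinking they scoped the external managers. The commented `kubeConfigName: foo` example under `clusters` has the same problem: the configmap hunk keys everything on the map name and uses it as `clusterName`, and nothing visible here reads `kubeConfigName`.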
@@ -3,7 +3,7 @@ name: tornjak-frontend description: A Helm chart to deploy Tornjak frontend type: application version: 0.1.0 -appVersion: "v1.4.2" +appVersion: "v1.6.0" home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - https://github.com/spiffe/tornjak diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 68dc1af58..0b8a46f5f 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md 
@@ -55,47 +55,50 @@ port forwarding. See the chart NOTES output for more details. ### Chart parameters -| Name | Description | Value | -| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/tornjak-frontend` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `imagePullSecrets` | Pull secrets for images | `[]` | -| `nameOverride` | Name override | `""` | -| `namespaceOverride` | Namespace override | `""` | -| `fullnameOverride` | Fullname override | `""` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | -| `labels` | Labels for tornjak frontend pods | `{}` | -| `podSecurityContext` | Pod security context | `{}` | -| `securityContext` | Security context | `{}` | -| `service.type` | Service type | `ClusterIP` | -| `service.port` | Service port | `3000` | -| `service.annotations` | Annotations for service resource | `{}` | -| `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | | -| `affinity` | Affinity rules | `{}` | -| `tolerations` | List of tolerations | `[]` | -| `topologySpreadConstraints` | List of topology spread constraints for resilience | `[]` | -| `apiServerURL` | URL of the Tornjak APIs (backend). 
Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. If unset, autodetection is atempted. | `""` | -| `spireHealthCheck.enabled` | Enables the SPIRE Healthchecker indicator | `true` | -| `startupProbe.enabled` | Enable startupProbe on Tornjak frontend container | `true` | -| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | -| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `startupProbe.failureThreshold` | Failure threshold count for startupProbe | `6` | -| `startupProbe.successThreshold` | Success threshold count for startupProbe | `1` | -| `workingDir` | Set to override the default path containing the Tornjak frontend within the image | `""` | -| `ingress.enabled` | Flag to enable ingress for Tornjak frontend service | `false` | -| `ingress.className` | Ingress class name for Tornjak frontend service | `""` | -| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `ingress.annotations` | Annotations for Tornjak frontend service | `{}` | -| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `tornjak-frontend` | -| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | -| `ingress.tls` | Secrets containing TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. 
| `[]` | -| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | -| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | -| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5921884408efe50b77796675dc109ad2126f54476fe7403c37d8898a5ceb2e76` | +| Name | Description | Value | +| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/tornjak-frontend` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. 
| `""` | +| `labels` | Labels for tornjak frontend pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `service.type` | Service type | `ClusterIP` | +| `service.port` | Service port | `3000` | +| `service.annotations` | Annotations for service resource | `{}` | +| `nodeSelector` | (Optional) Select specific nodes to run on. Tornjak currently supports amd64 and arm64 architectures | `{}` | +| `affinity` | Affinity rules | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `topologySpreadConstraints` | List of topology spread constraints for resilience | `[]` | +| `apiServerURL` | URL of the Tornjak APIs (backend). Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. If not provided, auto-detection is attempted. | `""` | +| `spireHealthCheck.enabled` | Enables the SPIRE Healthchecker indicator | `true` | +| `auth.enabled` | Enables auth for Tornjak | `false` | +| `auth.serverURL` | URL of the Auth service. 
Tornjak Frontend will redirect to this URL to authenticate the user | `""` | +| `startupProbe.enabled` | Enable startupProbe on Tornjak frontend container | `true` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `startupProbe.failureThreshold` | Failure threshold count for startupProbe | `6` | +| `startupProbe.successThreshold` | Success threshold count for startupProbe | `1` | +| `workingDir` | Set to override the default path containing the Tornjak frontend within the image | `""` | +| `logsDir` | Directory path for NPM logs | `""` | +| `ingress.enabled` | Flag to enable ingress for Tornjak frontend service | `false` | +| `ingress.className` | Ingress class name for Tornjak frontend service | `""` | +| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | +| `ingress.annotations` | Annotations for Tornjak frontend service | `{}` | +| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `tornjak-frontend` | +| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | +| `ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` | +| `ingress.tls` | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. 
| `[]` | +| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | +| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` | diff --git a/charts/spire/charts/tornjak-frontend/templates/NOTES.txt b/charts/spire/charts/tornjak-frontend/templates/NOTES.txt index 85a568e41..ff51e5535 100644 --- a/charts/spire/charts/tornjak-frontend/templates/NOTES.txt +++ b/charts/spire/charts/tornjak-frontend/templates/NOTES.txt 
@@ -6,23 +6,36 @@ Your release is named: {{ .Release.Name }} Namespace: {{ include "tornjak-frontend.namespace" . }} Tornjak UI (Frontend) - image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} - pull policy: {{ .Values.image.pullPolicy }} + Image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} + Image pull policy: {{ .Values.image.pullPolicy }} + Ingress enabled: {{ .Values.ingress.enabled }} Tornjak API (Backend): {{ include "tornjak-frontend.apiURL" . }} - SPIRE health check enabled: "{{ .Values.spireHealthCheck.enabled }}" + SPIRE health check enabled: {{ .Values.spireHealthCheck.enabled }} + User Management enabled: {{ .Values.auth.enabled }} +{{- if .Values.auth.enabled }} + User Management API: "{{ .Values.auth.serverURL }}" +{{- else }} -### WARNING ### + ### WARNING ### -Tornjak runs without authentication and is therefore NOT suitable to run in production environments. -Only use in test environments! + Tornjak is configured to run without authentication and is therefore NOT suitable to run in production environments. + Only use in test environments! +{{- end }} -Access Tornjak: +Access Tornjak UI: + +{{- if .Values.ingress.enabled }} + +Open browser to: +{{ printf "https://tornjak-frontend.%s" (include "spire-lib.trust-domain" .) }} +{{- else }} kubectl -n {{ include "tornjak-frontend.namespace" . }} port-forward service/{{ include "tornjak-frontend.fullname" . }} {{ .Values.service.port }}:3000 Ensure you have port-forwarding for tornjak-backend as well. Open browser to: http://localhost:{{ .Values.service.port }} +{{- end }} To learn more about the release, try: diff --git a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl index c810f0f0a..d36812404 100644 --- a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl 
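Review bot: The ingress branch prints a hard-coded `https://tornjak-frontend.<trust-domain>` URL, but the chart's `ingress.host` (default `tornjak-frontend`, with the trust domain appended only when the host contains no '.') and `ingress.hosts[]` can change the real hostname, so the NOTES point users at the wrong address whenever either is customized; derive the printed host from `.Values.ingress.host` (and from `.Values.ingress.hosts` when it is non-empty) instead of a literal. Separately, the `### WARNING ###` about running without authentication is now suppressed solely by the frontend's `auth.enabled`, which on the visible lines only configures the UI redirect (`REACT_APP_AUTH_SERVER_URI`); if the backend's own `userManagement` settings are what actually enforce authentication, the enabled branch should say so, e.g. `Frontend auth redirect is enabled; make sure the Tornjak backend's userManagement issuer/audience are configured as well.`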
+++ b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl @@ -100,3 +100,13 @@ Create URL for accessing Tornjak APIs {{- printf "/usr/src/app" }} {{- end }} {{- end }} + +{{- define "tornjak-frontend.logsDir" }} +{{- if .Values.logsDir }} +{{- .Values.logsDir }} +{{- else if (dig "openshift" false .Values.global) }} +{{- printf "/opt/app-root/src/.npm/_cacache/" }} +{{- else }} +{{- printf "/home/node/" }} +{{- end }} +{{- end }} diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index 84e152ba4..e70b5c0b0 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -35,10 +35,14 @@ spec: env: - name: REACT_APP_API_SERVER_URI value: {{ include "tornjak-frontend.apiURL" . }} - {{- if eq (.Values.spireHealthCheck.enabled | toString) "true" }} + {{- if .Values.spireHealthCheck.enabled }} - name: REACT_APP_SPIRE_HEALTH_CHECK_ENABLE value: "{{ .Values.spireHealthCheck.enabled }}" {{- end }} + {{- if .Values.auth.enabled }} + - name: REACT_APP_AUTH_SERVER_URI + value: "{{ .Values.auth.serverURL }}" + {{- end }} {{- if .Values.startupProbe.enabled }} startupProbe: httpGet: @@ -57,7 +61,7 @@ spec: - name: env mountPath: {{ include "tornjak-frontend.workingDir" . }}/build/tmp - name: logs - mountPath: /opt/app-root/src/.npm/ + mountPath: {{ include "tornjak-frontend.logsDir" . }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index f58dd0843..d3f71c59f 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml 
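Review bot: The non-OpenShift default of `tornjak-frontend.logsDir` is `/home/node/`, so the deployment's `logs` volume (mounted at this helper's output in the deployment hunk on this same line) now covers the whole home directory of the node user rather than an npm cache directory like the OpenShift branch's `/opt/app-root/src/.npm/_cacache/`, hiding whatever the image ships under that directory; if the volume only needs to make npm's cache/log location writable, `/home/node/.npm/` would be the like-for-like default. The two branches are also inconsistent in depth (`_cacache/` on one side, the home directory on the other), so a short comment on the helper stating which directory npm writes to on each platform would help, e.g. `{{/* npm cache/log dir: OpenShift images run as a non-root user under /opt/app-root, stock node images under /home/node */}}`. The helper is complete within the hunk.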
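Review bot: `REACT_APP_AUTH_SERVER_URI` is emitted whenever `auth.enabled` is true even if `auth.serverURL` is still its default `""`, so enabling auth without setting the URL yields a frontend that redirects to an empty address instead of a render-time error; use `value: {{ required "auth.serverURL must be set when auth.enabled is true" .Values.auth.serverURL | quote }}`. The same requirement belongs on the `auth.serverURL` `@param` line in the values.yaml hunk `@@ -94,6 +92,13 @@`, e.g. `## @param auth.serverURL URL of the Auth service. Required when auth.enabled is true. Tornjak Frontend will redirect to this URL to authenticate the user`. The env list continues outside the hunk.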
@@ -63,10 +63,8 @@ service: port: 3000 annotations: {} -## @extra nodeSelector Select specific nodes to run on (currently only amd64 is supported by Tornjak) -nodeSelector: - ## @skip nodeSelector.kubernetes.io/arch - kubernetes.io/arch: amd64 +## @param nodeSelector (Optional) Select specific nodes to run on. Tornjak currently supports amd64 and arm64 architectures +nodeSelector: {} ## @param affinity [object] Affinity rules affinity: {} @@ -86,7 +84,7 @@ topologySpreadConstraints: [] # cpu: 100m # memory: 512Mi -## @param apiServerURL URL of the Tornjak APIs (backend). Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. If unset, autodetection is atempted. +## @param apiServerURL URL of the Tornjak APIs (backend). Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. If not provided, auto-detection is attempted. apiServerURL: "" # SPIRE Healthchecker indicator @@ -94,6 +92,13 @@ spireHealthCheck: ## @param spireHealthCheck.enabled Enables the SPIRE Healthchecker indicator enabled: true +# User Management +auth: + ## @param auth.enabled Enables auth for Tornjak + enabled: false + ## @param auth.serverURL URL of the Auth service. Tornjak Frontend will redirect to this URL to authenticate the user + serverURL: "" + ## Configure extra options for Tornjak frontend container's startup probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes ## @param startupProbe.enabled Enable startupProbe on Tornjak frontend container 
@@ -114,9 +119,12 @@ startupProbe: ## @param workingDir Set to override the default path containing the Tornjak frontend within the image workingDir: "" +## @param logsDir Directory path for NPM logs +logsDir: "" + ## @param ingress.enabled Flag to enable ingress for Tornjak frontend service ## @param ingress.className Ingress class name for Tornjak frontend service -## @param ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. +## @param ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. ## @param ingress.annotations [object] Annotations for Tornjak frontend service ingress: enabled: false @@ -130,14 +138,14 @@ ingress: ## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var. tlsSecret: "" - ## @param ingress.hosts [array] Host paths for ingress object. If emtpy, rules will be built based on the host var. + ## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var. hosts: [] # - host: tornjak-frontend.example.org # paths: # - path: / # pathType: Prefix - ## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. + ## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. tls: [] # - secretName: chart-example-tls # hosts: 
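Review bot: The new `logsDir` parameter says only `Directory path for NPM logs`, leaving the reader unaware that an empty value selects a platform-specific default in the `tornjak-frontend.logsDir` helper; document that on the `@param` line, e.g. `## @param logsDir Directory path for NPM logs. If empty, /opt/app-root/src/.npm/_cacache/ is used when global.openshift is true and /home/node/ otherwise`. The README table entry for `logsDir` in this change should carry the same text once the defaults are settled.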
@@ -154,4 +162,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:5921884408efe50b77796675dc109ad2126f54476fe7403c37d8898a5ceb2e76 + tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d diff --git a/charts/spire/templates/namespaces.yaml b/charts/spire/templates/namespaces.yaml new file mode 100644 index 000000000..62d1a49f6 --- /dev/null +++ b/charts/spire/templates/namespaces.yaml @@ -0,0 +1 @@ +{{- include "spire-lib.namespaces" . }} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index c77eb696c..ce3b5391e 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -117,6 +117,9 @@ spire-server: controllerManager: ## @param spire-server.controllerManager.enabled Enable controller manager and provision CRD's enabled: true + externalControllerManagers: + ## @param spire-server.externalControllerManagers.enabled Enable external controller manager support + enabled: true ## @section Spire agent parameters ## Parameter values for Spire agent diff --git a/tests/integration/psat/kind-config.yaml b/examples/nested-full/.test-files/child-kind-config.yaml similarity index 81% rename from tests/integration/psat/kind-config.yaml rename to examples/nested-full/.test-files/child-kind-config.yaml index d85992ac3..086e96bf0 100644 --- a/tests/integration/psat/kind-config.yaml +++ b/examples/nested-full/.test-files/child-kind-config.yaml @@ -4,4 +4,4 @@ networking: apiServerAddress: "172.17.0.1" apiServerPort: 7443 podSubnet: "10.245.0.0/16" - serviceSubnet: "10.97.0.0/12" + serviceSubnet: "10.97.0.0/16" diff --git a/examples/nested-full/.test-files/other-kind-config.yaml b/examples/nested-full/.test-files/other-kind-config.yaml new file mode 100644 index 000000000..0204e7529 --- /dev/null +++ b/examples/nested-full/.test-files/other-kind-config.yaml 
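Review bot: `spire-server.externalControllerManagers.enabled` in the `charts/spire/values.yaml` hunk defaults to `true`, and the `externalControllerManagers.clusters: {}` default earlier in this change is documented as "all clusters defined in kubeConfigs will be used", so, reading the two defaults together, any kubeconfig supplied to the chart appears to be acted on without a further opt-in; the `@param` description should state this, e.g. `## @param spire-server.externalControllerManagers.enabled Enable external controller manager support. When enabled and no clusters are listed, every kubeconfig in kubeConfigs is used`. If this was meant to be an opt-in feature, a `false` default here is the simpler fix.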
@@ -0,0 +1,7 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +networking: + apiServerAddress: "172.17.0.1" + apiServerPort: 5443 + podSubnet: "10.246.0.0/16" + serviceSubnet: "10.98.0.0/16" diff --git a/examples/nested-full/child-values.yaml b/examples/nested-full/child-values.yaml new file mode 100644 index 000000000..0fb62ae1e --- /dev/null +++ b/examples/nested-full/child-values.yaml @@ -0,0 +1,8 @@ +#global: +# spire: +# clusterName: changeme +# upstreamSpireAddress: spire-server.changeme + +tags: + nestedChildFull: true + diff --git a/examples/nested-full/root-values.yaml b/examples/nested-full/root-values.yaml new file mode 100644 index 000000000..d9066ece3 --- /dev/null +++ b/examples/nested-full/root-values.yaml @@ -0,0 +1,10 @@ +tags: + nestedRoot: true + +spiffe-oidc-discovery-provider: + ingress: + enabled: true + +external-spire-server: + ingress: + enabled: true diff --git a/examples/nested-full/run-tests.sh b/examples/nested-full/run-tests.sh new file mode 100755 index 000000000..6d51cbcdb --- /dev/null +++ b/examples/nested-full/run-tests.sh 
@@ -0,0 +1,137 @@ +#!/usr/bin/env bash + +set -xe + +SCRIPT="$(readlink -f "$0")" +SCRIPTPATH="$(dirname "${SCRIPT}")" +TESTDIR="${SCRIPTPATH}/../../.github/tests" +#DEPS="${TESTDIR}/dependencies" + +# shellcheck source=/dev/null +source "${SCRIPTPATH}/../../.github/scripts/parse-versions.sh" +# shellcheck source=/dev/null +source "${TESTDIR}/common.sh" + +CLEANUP=1 + +for i in "$@"; do + case $i in + -c) + CLEANUP=0 + shift # past argument=value + ;; + esac +done + +teardown() { + print_helm_releases + print_spire_workload_status spire-root-server + print_spire_workload_status spire-server spire-system + + if [[ "$1" -ne 0 ]]; then + get_namespace_details spire-root-server + get_namespace_details spire-server spire-system + fi + + if [ "${CLEANUP}" -eq 1 ]; then + helm uninstall --namespace spire-server spire 2>/dev/null || true + kubectl delete ns spire-server 2>/dev/null || true + kubectl delete ns spire-system 2>/dev/null || true + + helm uninstall --namespace mysql spire-root-server 2>/dev/null || true + kubectl delete ns spire-root-server 2>/dev/null || true + fi +} + +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT + +# Update deps +helm dep up charts/spire-nested + +# List nodes +kubectl get nodes + +# Deploy an ingress controller +IP=$(kubectl get nodes chart-testing-control-plane -o go-template='{{ range .status.addresses }}{{ if eq .type "InternalIP" }}{{ .address }}{{ end }}{{ end }}') +helm upgrade --install ingress-nginx ingress-nginx --version "$VERSION_INGRESS_NGINX" --repo "$HELM_REPO_INGRESS_NGINX" \ + --namespace ingress-nginx \ + --create-namespace \ + --set "controller.extraArgs.enable-ssl-passthrough=,controller.admissionWebhooks.enabled=false,controller.service.type=ClusterIP,controller.service.externalIPs[0]=$IP" \ + --set controller.ingressClassResource.default=true \ + --wait + +# Test the ingress controller. Should 404 as there is no services yet. 
+curl "$IP" + +kubectl get configmap -n kube-system coredns -o yaml | grep hosts || kubectl get configmap -n kube-system coredns -o yaml | sed "/ready/a\ hosts {\n fallthrough\n }" | kubectl apply -f - +kubectl get configmap -n kube-system coredns -o yaml | grep production.other || kubectl get configmap -n kube-system coredns -o yaml | sed "/hosts/a\ $IP oidc-discovery.production.other\n $IP spire-server.production.other\n" | kubectl apply -f - +kubectl rollout restart -n kube-system deployment/coredns +kubectl rollout status -n kube-system -w --timeout=1m deploy/coredns + +for cluster in child other; do + KC="${SCRIPTPATH}/kubeconfig-${cluster}" + + kind create cluster --name "${cluster}" --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}" --config "${SCRIPTPATH}/.test-files/${cluster}-kind-config.yaml" + md5sum "${KC}" + wc -l "${KC}" + + helm upgrade --kubeconfig "${KC}" --install --create-namespace --namespace spire-mgmt spire-crds charts/spire-crds + helm upgrade --kubeconfig "${KC}" --install --namespace spire-mgmt --values "${COMMON_TEST_YOUR_VALUES},${SCRIPTPATH}/child-values.yaml" \ + --set "global.spire.upstreamSpireAddress=spire-server.production.other" \ + --set "global.spire.namespaces.create=true" \ + --set "global.spire.clusterName=${cluster}" \ + spire charts/spire-nested + + kubectl get configmap --kubeconfig "${KC}" -n kube-system coredns -o yaml | grep hosts || kubectl get configmap --kubeconfig "${KC}" -n kube-system coredns -o yaml | sed "/ready/a\ hosts {\n fallthrough\n }" | kubectl apply --kubeconfig "${KC}" -f - + kubectl get configmap --kubeconfig "${KC}" -n kube-system coredns -o yaml | grep production.other || kubectl get configmap --kubeconfig "${KC}" -n kube-system coredns -o yaml | sed "/hosts/a\ $IP spire-server.production.other\n $IP spire-server.production.other\n" | kubectl apply --kubeconfig "${KC}" -f - + kubectl rollout restart --kubeconfig "${KC}" -n kube-system deployment/coredns + kubectl rollout status --kubeconfig "${KC}" 
-n kube-system -w --timeout=1m deploy/coredns +done + +docker exec -i child-control-plane bash -c 'kubeadm kubeconfig user --client-name=spire-root' > "${SCRIPTPATH}/child-spire-root.kubeconfig" +docker exec -i other-control-plane bash -c 'kubeadm kubeconfig user --client-name=spire-root' > "${SCRIPTPATH}/other-spire-root.kubeconfig" +CHILD_KCB64="$(base64 < "${SCRIPTPATH}/child-spire-root.kubeconfig" | tr '\n' ' ' | sed 's/ //g')" +OTHER_KCB64="$(base64 < "${SCRIPTPATH}/other-spire-root.kubeconfig" | tr '\n' ' ' | sed 's/ //g')" + +helm upgrade --install --create-namespace --namespace spire-mgmt --values "${COMMON_TEST_YOUR_VALUES},${SCRIPTPATH}/root-values.yaml" \ + --wait spire charts/spire-nested \ + --set "global.spire.namespaces.create=true" \ + --set "global.spire.ingressControllerType=ingress-nginx" \ + --set "external-spire-server.kubeConfigs.child.kubeConfigBase64=${CHILD_KCB64}" \ + --set "external-spire-server.kubeConfigs.other.kubeConfigBase64=${OTHER_KCB64}" + +for cluster in child other; do + KC="${SCRIPTPATH}/kubeconfig-${cluster}" + kubectl --kubeconfig "${KC}" get configmap -n spire-system spire-bundle-upstream -o yaml + kubectl --kubeconfig "${KC}" rollout restart daemonset spire-agent-upstream -n spire-system + kubectl --kubeconfig "${KC}" rollout restart statefulset spire-internal-server -n spire-server + kubectl --kubeconfig "${KC}" rollout restart daemonset spire-agent-downstream -n spire-system + kubectl --kubeconfig "${KC}" rollout restart deployment spiffe-oidc-discovery-provider -n spire-server + kubectl --kubeconfig "${KC}" rollout status daemonset spire-agent-upstream -n spire-system --timeout 60s || kubectl logs --kubeconfig "${KC}" daemonset/spire-agent-upstream -n spire-system --prefix --all-containers=true + kubectl --kubeconfig "${KC}" rollout status statefulset spire-internal-server -n spire-server --timeout 60s || kubectl logs --kubeconfig "${KC}" statefulset/spire-internal-server -n spire-server --prefix --all-containers=true + 
kubectl --kubeconfig "${KC}" rollout status daemonset spire-agent-downstream -n spire-system --timeout 60s || kubectl logs --kubeconfig "${KC}" daemonset/spire-agent-downstream -n spire-system --prefix --all-containers=true + kubectl --kubeconfig "${KC}" rollout status deployment spiffe-oidc-discovery-provider -n spire-server --timeout 60s || kubectl logs --kubeconfig "${KC}" deployment/spiffe-oidc-discovery-provider -n spire-server --prefix --all-containers=true + + echo Pods on "${cluster}" + kubectl --kubeconfig "${KC}" get pods -A + + ENTRIES="$(kubectl --kubeconfig "${KC}" exec -i -n spire-server spire-internal-server-0 -- spire-server entry show)" + + if [[ "${ENTRIES}" == "Found 0 entries" ]]; then + echo "${ENTRIES}" + exit 1 + fi +done + +ENTRIES="$(kubectl exec -i -n spire-server spire-external-server-0 -- spire-server entry show)" + +if [[ "${ENTRIES}" == "Found 0 entries" ]]; then + echo "${ENTRIES}" + exit 1 +fi + +helm test --namespace spire-mgmt spire + +helm test --kubeconfig "${SCRIPTPATH}/kubeconfig-child" --namespace spire-mgmt spire +helm test --kubeconfig "${SCRIPTPATH}/kubeconfig-other" --namespace spire-mgmt spire + diff --git a/examples/nested-security/.test-files/child-kind-config.yaml b/examples/nested-security/.test-files/child-kind-config.yaml new file mode 100644 index 000000000..086e96bf0 --- /dev/null +++ b/examples/nested-security/.test-files/child-kind-config.yaml @@ -0,0 +1,7 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +networking: + apiServerAddress: "172.17.0.1" + apiServerPort: 7443 + podSubnet: "10.245.0.0/16" + serviceSubnet: "10.97.0.0/16" diff --git a/examples/nested-security/.test-files/other-kind-config.yaml b/examples/nested-security/.test-files/other-kind-config.yaml new file mode 100644 index 000000000..0204e7529 --- /dev/null +++ b/examples/nested-security/.test-files/other-kind-config.yaml 
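Review bot: `set -xe` at the top of the script means the `CHILD_KCB64=`/`OTHER_KCB64=` assignments and the `helm upgrade` that passes `external-spire-server.kubeConfigs.*.kubeConfigBase64=${CHILD_KCB64}` echo the complete base64 kubeconfigs, client certificate and key included, into the CI trace log; wrap that stretch in `set +x` / `set -x` (or feed the values through a temporary values file) so the credentials stay out of persisted logs. The kubeconfigs themselves (`kubeconfig-child`, `kubeconfig-other`, `*-spire-root.kubeconfig`) are written next to the script and never removed, and `teardown` still uninstalls from `spire-server`/`mysql` namespaces this script never installs into while the `child`/`other` kind clusters are never deleted, so the cleanup looks copied from another test; unless `.gitignore` already covers those files (not visible here), a local run leaves cluster credentials in the working tree. The coredns `sed` for the child clusters also adds `spire-server.production.other` twice where the root cluster adds `oidc-discovery.production.other` as well, which is presumably a copy-paste slip. The same script body appears in `examples/nested-security/run-tests.sh`, which would need the same changes.
```shell
teardown() {
  # … unchanged: status printing and namespace details …
  if [ "${CLEANUP}" -eq 1 ]; then
    helm uninstall --namespace spire-mgmt spire 2>/dev/null || true
    # … unchanged: kubectl delete ns spire-server / spire-system …
    for cluster in child other; do
      kind delete cluster --name "${cluster}" 2>/dev/null || true
    done
    rm -f "${SCRIPTPATH}/kubeconfig-child" "${SCRIPTPATH}/kubeconfig-other" \
      "${SCRIPTPATH}/child-spire-root.kubeconfig" "${SCRIPTPATH}/other-spire-root.kubeconfig"
  fi
}
# … unchanged: ingress controller, coredns and kind cluster setup …
set +x  # the base64 kubeconfigs must not reach the trace log
CHILD_KCB64="$(base64 < "${SCRIPTPATH}/child-spire-root.kubeconfig" | tr '\n' ' ' | sed 's/ //g')"
OTHER_KCB64="$(base64 < "${SCRIPTPATH}/other-spire-root.kubeconfig" | tr '\n' ' ' | sed 's/ //g')"
helm upgrade --install --create-namespace --namespace spire-mgmt --values "${COMMON_TEST_YOUR_VALUES},${SCRIPTPATH}/root-values.yaml" \
  --wait spire charts/spire-nested \
  --set "global.spire.namespaces.create=true" \
  --set "global.spire.ingressControllerType=ingress-nginx" \
  --set "external-spire-server.kubeConfigs.child.kubeConfigBase64=${CHILD_KCB64}" \
  --set "external-spire-server.kubeConfigs.other.kubeConfigBase64=${OTHER_KCB64}"
set -x
# … unchanged: rollout checks, entry checks and helm test …
```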
@@ -0,0 +1,7 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +networking: + apiServerAddress: "172.17.0.1" + apiServerPort: 5443 + podSubnet: "10.246.0.0/16" + serviceSubnet: "10.98.0.0/16" diff --git a/examples/nested-security/child-values.yaml b/examples/nested-security/child-values.yaml new file mode 100644 index 000000000..6c5d27db1 --- /dev/null +++ b/examples/nested-security/child-values.yaml @@ -0,0 +1,12 @@ +# global: +# spire: +# clusterName: changeme + +tags: + nestedChildSecurity: true + +# downstream-spire-agent-security: +# serviceAccount: +# server: +# address: spire-server.changeme + diff --git a/examples/nested-security/root-values.yaml b/examples/nested-security/root-values.yaml new file mode 100644 index 000000000..d9066ece3 --- /dev/null +++ b/examples/nested-security/root-values.yaml @@ -0,0 +1,10 @@ +tags: + nestedRoot: true + +spiffe-oidc-discovery-provider: + ingress: + enabled: true + +external-spire-server: + ingress: + enabled: true diff --git a/examples/nested-security/run-tests.sh b/examples/nested-security/run-tests.sh new file mode 100755 index 000000000..ba139c0eb --- /dev/null +++ b/examples/nested-security/run-tests.sh 
@@ -0,0 +1,126 @@ +#!/usr/bin/env bash + +set -xe + +SCRIPT="$(readlink -f "$0")" +SCRIPTPATH="$(dirname "${SCRIPT}")" +TESTDIR="${SCRIPTPATH}/../../.github/tests" +#DEPS="${TESTDIR}/dependencies" + +# shellcheck source=/dev/null +source "${SCRIPTPATH}/../../.github/scripts/parse-versions.sh" +# shellcheck source=/dev/null +source "${TESTDIR}/common.sh" + +CLEANUP=1 + +for i in "$@"; do + case $i in + -c) + CLEANUP=0 + shift # past argument=value + ;; + esac +done + +teardown() { + print_helm_releases + print_spire_workload_status spire-root-server + print_spire_workload_status spire-server spire-system + + if [[ "$1" -ne 0 ]]; then + get_namespace_details spire-root-server + get_namespace_details spire-server spire-system + fi + + if [ "${CLEANUP}" -eq 1 ]; then + helm uninstall --namespace spire-server spire 2>/dev/null || true + kubectl delete ns spire-server 2>/dev/null || true + kubectl delete ns spire-system 2>/dev/null || true + + helm uninstall --namespace mysql spire-root-server 2>/dev/null || true + kubectl delete ns spire-root-server 2>/dev/null || true + fi +} + +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT + +# Update deps +helm dep up charts/spire-nested + +# List nodes +kubectl get nodes + +# Deploy an ingress controller +IP=$(kubectl get nodes chart-testing-control-plane -o go-template='{{ range .status.addresses }}{{ if eq .type "InternalIP" }}{{ .address }}{{ end }}{{ end }}') +helm upgrade --install ingress-nginx ingress-nginx --version "$VERSION_INGRESS_NGINX" --repo "$HELM_REPO_INGRESS_NGINX" \ + --namespace ingress-nginx \ + --create-namespace \ + --set "controller.extraArgs.enable-ssl-passthrough=,controller.admissionWebhooks.enabled=false,controller.service.type=ClusterIP,controller.service.externalIPs[0]=$IP" \ + --set controller.ingressClassResource.default=true \ + --wait + +# Test the ingress controller. Should 404 as there is no services yet. 
+curl "$IP" + +kubectl get configmap -n kube-system coredns -o yaml | grep hosts || kubectl get configmap -n kube-system coredns -o yaml | sed "/ready/a\ hosts {\n fallthrough\n }" | kubectl apply -f - +kubectl get configmap -n kube-system coredns -o yaml | grep production.other || kubectl get configmap -n kube-system coredns -o yaml | sed "/hosts/a\ $IP oidc-discovery.production.other\n $IP spire-server.production.other\n" | kubectl apply -f - +kubectl rollout restart -n kube-system deployment/coredns +kubectl rollout status -n kube-system -w --timeout=1m deploy/coredns + +# The check is being too pedantic. +# shellcheck shell=bash disable=SC2043 +for cluster in child; do + KC="${SCRIPTPATH}/kubeconfig-${cluster}" + + kind create cluster --name "${cluster}" --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}" --config "${SCRIPTPATH}/.test-files/${cluster}-kind-config.yaml" + md5sum "${KC}" + wc -l "${KC}" + + helm upgrade --kubeconfig "${KC}" --install --create-namespace --namespace spire-mgmt spire-crds charts/spire-crds + helm upgrade --kubeconfig "${KC}" --install --namespace spire-mgmt --values "${COMMON_TEST_YOUR_VALUES},${SCRIPTPATH}/child-values.yaml" \ + --set "downstream-spire-agent-security.server.address=spire-server.production.other" \ + --set "global.spire.namespaces.create=true" \ + --set "global.spire.clusterName=${cluster}" \ + spire charts/spire-nested + + kubectl get configmap --kubeconfig "${KC}" -n kube-system coredns -o yaml | grep hosts || kubectl get configmap --kubeconfig "${KC}" -n kube-system coredns -o yaml | sed "/ready/a\ hosts {\n fallthrough\n }" | kubectl apply --kubeconfig "${KC}" -f - + kubectl get configmap --kubeconfig "${KC}" -n kube-system coredns -o yaml | grep production.other || kubectl get configmap --kubeconfig "${KC}" -n kube-system coredns -o yaml | sed "/hosts/a\ $IP spire-server.production.other\n $IP spire-server.production.other\n" | kubectl apply --kubeconfig "${KC}" -f - + kubectl rollout restart --kubeconfig 
"${KC}" -n kube-system deployment/coredns + kubectl rollout status --kubeconfig "${KC}" -n kube-system -w --timeout=1m deploy/coredns +done + +docker exec -i child-control-plane bash -c 'kubeadm kubeconfig user --client-name=spire-root' > "${SCRIPTPATH}/child-spire-root.kubeconfig" +CHILD_KCB64="$(base64 < "${SCRIPTPATH}/child-spire-root.kubeconfig" | tr '\n' ' ' | sed 's/ //g')" + +helm upgrade --install --create-namespace --namespace spire-mgmt --values "${COMMON_TEST_YOUR_VALUES},${SCRIPTPATH}/root-values.yaml" \ + --wait spire charts/spire-nested \ + --set "global.spire.namespaces.create=true" \ + --set "global.spire.ingressControllerType=ingress-nginx" \ + --set "external-spire-server.kubeConfigs.child.kubeConfigBase64=${CHILD_KCB64}" + +# The check is being too pedantic. +# shellcheck shell=bash disable=SC2043 +for cluster in child; do + KC="${SCRIPTPATH}/kubeconfig-${cluster}" + kubectl --kubeconfig "${KC}" get configmap -n spire-system spire-bundle-upstream -o yaml + kubectl --kubeconfig "${KC}" rollout restart daemonset spire-agent-downstream -n spire-system + kubectl --kubeconfig "${KC}" rollout restart deployment spiffe-oidc-discovery-provider -n spire-server + kubectl --kubeconfig "${KC}" rollout status daemonset spire-agent-downstream -n spire-system --timeout 60s || kubectl logs --kubeconfig "${KC}" daemonset/spire-agent-downstream -n spire-system --prefix --all-containers=true + kubectl --kubeconfig "${KC}" rollout status deployment spiffe-oidc-discovery-provider -n spire-server --timeout 60s || kubectl logs --kubeconfig "${KC}" deployment/spiffe-oidc-discovery-provider -n spire-server --prefix --all-containers=true + + echo Pods on "${cluster}" + kubectl --kubeconfig "${KC}" get pods -A +done + +ENTRIES="$(kubectl exec -i -n spire-server spire-external-server-0 -- spire-server entry show)" + +if [[ "${ENTRIES}" == "Found 0 entries" ]]; then + echo "${ENTRIES}" + exit 1 +fi + +helm test --namespace spire-mgmt spire + +helm test --kubeconfig 
"${SCRIPTPATH}/kubeconfig-child" --namespace spire-mgmt spire + diff --git a/examples/nested/README.md b/examples/nested/README.md deleted file mode 100644 index 2b2986eff..000000000 --- a/examples/nested/README.md +++ /dev/null @@ -1,10 +0,0 @@ -# Possible Nesting Configurations - -There are multiple ways of configuring the chart depending on what you want to use nesting for. - -## Nesting across Kubernetes clusters: -![Multiple Kubernetes Cluster](./multicluster.png) - -## Nesting within a Kubernetes cluster: -![Single Hardened](./singlehardened.png) - diff --git a/examples/nested/multicluster.dot b/examples/nested/multicluster.dot deleted file mode 100644 index fb9283339..000000000 --- a/examples/nested/multicluster.dot +++ /dev/null 
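Review bot: With `set -xe` at the top of the script, the `helm upgrade ... --set "external-spire-server.kubeConfigs.child.kubeConfigBase64=${CHILD_KCB64}"` command is traced with its expansion, so the `spire-root` client certificate and private key minted by `kubeadm kubeconfig user` land verbatim in the CI log; a `set +x`/`set -x` pair around that one command (or a `--set-file` form, if the chart offers one) keeps them out. `teardown` still carries the release and namespace names of the deleted examples/nested/run-tests.sh (`helm uninstall --namespace spire-server spire`, `helm uninstall --namespace mysql spire-root-server`, `spire-root-server`) while this script installs into `spire-mgmt`, and it never runs `kind delete cluster --name child` nor removes `kubeconfig-child` / `child-spire-root.kubeconfig` from the checkout, so the cluster and its credentials outlive the test. `rollout status ... || kubectl logs ...` also turns a rollout timeout into a successful command under `set -e`, so a wedged agent or OIDC provider is only logged rather than failing the run; `|| { kubectl logs ...; exit 1; }` would fail it. Finally, the child-cluster CoreDNS patch appends `$IP spire-server.production.other` twice, where the root-cluster patch a few lines earlier adds `oidc-discovery.production.other` as the second entry — this looks like a copy-paste slip. The fence shows the teardown and trace-guard changes.

```shell
# … unchanged: CLEANUP option parsing …
teardown() {
  print_helm_releases
  print_spire_workload_status spire-server spire-system

  if [[ "$1" -ne 0 ]]; then
    get_namespace_details spire-server spire-system
  fi

  if [ "${CLEANUP}" -eq 1 ]; then
    helm uninstall --namespace spire-mgmt spire 2>/dev/null || true
    kubectl delete ns spire-mgmt spire-server spire-system 2>/dev/null || true
    kind delete cluster --name child 2>/dev/null || true
    # the generated kubeconfigs carry client keys; do not leave them in the checkout
    rm -f "${SCRIPTPATH}/kubeconfig-child" "${SCRIPTPATH}/child-spire-root.kubeconfig"
  fi
}
# … unchanged: trap, ingress-nginx install, CoreDNS patch, child cluster loop …
set +x  # CHILD_KCB64 embeds the spire-root client cert and key; keep it out of the trace log
helm upgrade --install --create-namespace --namespace spire-mgmt --values "${COMMON_TEST_YOUR_VALUES},${SCRIPTPATH}/root-values.yaml" \
  --wait spire charts/spire-nested \
  --set "global.spire.namespaces.create=true" \
  --set "global.spire.ingressControllerType=ingress-nginx" \
  --set "external-spire-server.kubeConfigs.child.kubeConfigBase64=${CHILD_KCB64}"
set -x
```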
@@ -1,61 +0,0 @@ -digraph G { - subgraph cluster_root { - label="Cluster: Root K8S"; - subgraph cluster_root_release { - label="Helm Release: Namespace=spire-root Name=spire" - spireRoot [label="Root Spire Server"]; - } - } - subgraph cluster_nested1 { - label="Cluster: K8S Workload 1"; - subgraph cluster_nested1_release { - label="Helm Release: Namespace=spire-server Name=spire" - subgraph cluster_nested1_ns1 { - label="Namespace: spire-system" - spireUpstreamAgent1 [label="Upstream Spire Agent/CSI"]; - } - subgraph cluster_nested1_ns2 { - label="Namespace: spire-server" - spireServerNested1 [label="Nested Spire Server"]; - } - subgraph cluster_nested1_ns3 { - label="Namespace: spire-system" - spireDownstreamAgent1 [label="Downstream Spire Agent/CSI"]; - } - } - subgraph cluster_nested1_user { - label="Namespace: user" - userWorkload1 [label="User Workload"]; - } - } - subgraph cluster_nested2 { - label="Cluster: K8S Workload 2"; - subgraph cluster_nested2_release { - label="Helm Release: Namespace=spire-server Name=spire" - subgraph cluster_nested2_ns1 { - label="Namespace: spire-system" - spireUpstreamAgent2 [label="Upstream Spire Agent/CSI"]; - } - subgraph cluster_nested2_ns2 { - label="Namespace: spire-server" - spireServerNested2 [label="Nested Spire Server"]; - } - subgraph cluster_nested2_ns3 { - label="Namespace: spire-system" - spireDownstreamAgent2 [label="Downstream Spire Agent/CSI"]; - } - } - subgraph cluster_nested2_user { - label="Namespace: user" - userWorkload2 [label="Other User Workload"]; - } - } - spireRoot -> spireUpstreamAgent1; - spireRoot -> spireUpstreamAgent2; - spireUpstreamAgent1 -> spireServerNested1; - spireServerNested1 -> spireDownstreamAgent1; - spireDownstreamAgent1 -> userWorkload1; - spireUpstreamAgent2 -> spireServerNested2; - spireServerNested2 -> spireDownstreamAgent2; - spireDownstreamAgent2 -> userWorkload2; -} 
diff --git a/examples/nested/multicluster.png b/examples/nested/multicluster.png deleted file mode 100644 index a0ffd8d3d..000000000 Binary files a/examples/nested/multicluster.png and /dev/null differ diff --git a/examples/nested/run-tests.sh b/examples/nested/run-tests.sh deleted file mode 100755 index ee0dbe549..000000000 --- a/examples/nested/run-tests.sh +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/usr/bin/env bash - -set -xe - -SCRIPT="$(readlink -f "$0")" -SCRIPTPATH="$(dirname "${SCRIPT}")" -TESTDIR="${SCRIPTPATH}/../../.github/tests" -DEPS="${TESTDIR}/dependencies" - -# shellcheck source=/dev/null -source "${SCRIPTPATH}/../../.github/scripts/parse-versions.sh" -# shellcheck source=/dev/null -source "${TESTDIR}/common.sh" - -CLEANUP=1 - -for i in "$@"; do - case $i in - -c) - CLEANUP=0 - shift # past argument=value - ;; - esac -done - -teardown() { - print_helm_releases - print_spire_workload_status spire-root-server - print_spire_workload_status spire-server spire-system - - if [[ "$1" -ne 0 ]]; then - get_namespace_details spire-root-server - get_namespace_details spire-server spire-system - fi - - if [ "${CLEANUP}" -eq 1 ]; then - helm uninstall --namespace spire-server spire 2>/dev/null || true - kubectl delete ns spire-server 2>/dev/null || true - kubectl delete ns spire-system 2>/dev/null || true - - helm uninstall --namespace mysql spire-root-server 2>/dev/null || true - kubectl delete ns spire-root-server 2>/dev/null || true - fi -} - -trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT - -kubectl create namespace spire-system --dry-run=client -o yaml | kubectl apply -f - -kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged || true -kubectl create namespace spire-server --dry-run=client -o yaml | kubectl apply -f - -kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted || true - -helm upgrade --install --create-namespace spire charts/spire \ - --namespace spire-root-server \ - --values "${DEPS}/spire-root-server-values.yaml" \ - --wait - -helm upgrade --install --create-namespace --namespace spire-server --values "${COMMON_TEST_YOUR_VALUES},${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../misc/values-node-pod-antiaffinity.yaml" \ - --wait spire charts/spire -helm test --namespace spire-server spire - 
diff --git a/examples/nested/singlehardened.dot b/examples/nested/singlehardened.dot deleted file mode 100644 index 9f3ac97a6..000000000 --- a/examples/nested/singlehardened.dot +++ /dev/null @@ -1,55 +0,0 @@ -digraph G { - subgraph cluster_baremetal { - label="(Bare Metal|Virtual) Node" - spireDownstreamAgent3 [label="Downstream Spire Agent"]; - userWorkload3 [label="External User Workload"]; - } - subgraph cluster_k8s { - label="Cluster: K8S"; - subgraph cluster_root_release { - label="Helm Release: Namespace=spire-root Name=spire"; - subgraph cluster_ns_root { - label="Namespace: spire-root" - spireRoot [label="Root Spire Server"]; - } - subgraph cluster_ns_1_system { - label="Namespace: spire-system" - spireUpstreamAgent1 [label="Upstream Spire Agent/CSI"]; - } - } - subgraph cluster_nested1_release { - label="Helm Release: Namespace=spire-server Name=spire" - subgraph cluster_ns_nested_server { - label="Namespace: spire-server"; - spireServerNested1 [label="Internal Nested Spire Server"]; - } - subgraph cluster_ns_nested_system { - label="Namespace: spire-system"; - spireDownstreamAgent1 [label="Downstream Spire Agent/CSI"]; - } - } - subgraph cluster_ns_nested_system { - label="Namespace: user"; - userWorkload1 [label="User Workload"]; - } - subgraph cluster_ns_nested2_system { - label="Namespace: user-other"; - userWorkload2 [label="Other User Workload"]; - } - subgraph cluster_nested3_release { - label="Helm Release: Namespace=spire-external Name=spire" - subgraph cluster_ns_nested2_system { - label="Namespace: spire-external"; - spireServerNested2 [label="External Nested Spire Server"]; - } - } - spireRoot -> spireUpstreamAgent1; - spireUpstreamAgent1 -> spireServerNested1; - spireServerNested1 -> spireDownstreamAgent1; - spireDownstreamAgent1 -> userWorkload1; - spireDownstreamAgent1 -> userWorkload2; - spireUpstreamAgent1 -> spireServerNested2; - spireServerNested2 -> spireDownstreamAgent3; - spireDownstreamAgent3 -> userWorkload3; - } -} 
diff --git a/examples/nested/singlehardened.png b/examples/nested/singlehardened.png deleted file mode 100644 index 7b161bc9f..000000000 Binary files a/examples/nested/singlehardened.png and /dev/null differ diff --git a/examples/nested/values.yaml b/examples/nested/values.yaml deleted file mode 100644 index f06b140c6..000000000 --- a/examples/nested/values.yaml +++ /dev/null @@ -1,19 +0,0 @@ -global: - spire: - upstreamSpireAddress: spire-server.spire-root-server - -spire-server: - upstreamAuthority: - spire: - enabled: true - upstreamDriver: upstream.csi.spiffe.io - controllerManager: - identities: - clusterSPIFFEIDs: - default: - spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} - oidc-discovery-provider: - autoPopulateDNSNames: false - -upstream: - enabled: true diff --git a/examples/tornjak/README.md b/examples/tornjak/README.md index 51bdc4da0..8893209ef 100644 --- a/examples/tornjak/README.md +++ b/examples/tornjak/README.md 
@@ -1,32 +1,41 @@ # Recommended setup to deploy Tornjak -> [!Warning] -> The current version of Tornjak in this chart is deployed without authentication. Therefore it is not suitable to run this version in production. +> [!WARNING] +> The default version of Tornjak in this chart is deployed without authentication. Therefore it is not suitable to run this version in production. In order to enable the user authentication, +> follow [Keycloak instructions](keycloak/README.md) -To install Spire with the least privileges possible we deploy spire across 2 namespaces. +## Deploy Standard SPIRE + +Follow the production installation of SPIRE as described in the [install instructions] (https://artifacthub.io/packages/helm/spiffe/spire) document. + +## Upgrade to enable Tornjak + +Before we can deploy Tornjak with SPIRE we need to decide whether the services would be +using direct access, Ingress, or some other method. + +## Tornjak with Direct Access + +This can be done using port-forward. For example, to start Tornjak APIs on port 10000 + +Deploy SPIRE with Tornjak enabled ```shell -kubectl create namespace "spire-system" -kubectl label namespace "spire-system" pod-security.kubernetes.io/enforce=privileged -kubectl create namespace "spire-server" -kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=restricted - -# deploy SPIRE with Tornjak enabled -helm upgrade --install --namespace spire-server spire charts/spire \ ---values examples/production/values.yaml \ +export TORNJAK_API=http://localhost:10000 + +helm upgrade --install -n spire-mgmt spire spire \ +--repo https://spiffe.github.io/helm-charts-hardened/ \ +--set tornjak-frontend.apiServerURL=$TORNJAK_API \ --values examples/tornjak/values.yaml \ +--values your-values.yaml \ --render-subchart-notes - # test the Tornjak deployment helm test spire -n spire-server ``` -## Access Tornjak - -To access Tornjak you will have to use port-forwarding for the time being *(until we add authentication and 
ingress)*. - -Run following commands from your shell, if you ran with different values your namespace might differ. Consult the install notes printed when running above `helm upgrade` command in that case. +Run following commands from your shell, to start port forwarding for Tornjak backend (APIs) +and Tornjak frontend (UI) services. + If you deployed in different namespace, your values might differ. Consult the install notes printed when running above `helm upgrade` command in that case. Since `port-forward` is a blocking command, execute them in two different consoles: 
@@ -38,39 +47,63 @@ kubectl -n spire-server port-forward service/spire-tornjak-backend 10000:10000 kubectl -n spire-server port-forward service/spire-tornjak-frontend 3000:3000 ``` -You can now access Tornjak at [localhost:3000](http://localhost:3000). +You can now access Tornjak with your browser at [localhost:3000](http://localhost:3000). See [values.yaml](./values.yaml) for more details on the chart configurations to achieve this setup. -## Tornjak and Ingress with ingress-nginx +## Deploy Tornjak with ingress-nginx -Update examples/production/example-your-values.yaml with your information, most importantly, trustDomain. +Update your-values.yaml with your ingress information, most importantly, trustDomain, and redeploy +adding the following: ```shell -helm upgrade --install --namespace spire-server spire charts/spire \ ---values examples/production/values.yaml \ ---values examples/tornjak/values.yaml \ ---values examples/tornjak/values-ingress.yaml \ --set global.spire.ingressControllerType=ingress-nginx \ ---values examples/production/example-your-values.yaml \ ---render-subchart-notes --debug +--values examples/tornjak/values-ingress.yaml ``` -## Tornjak and Ingress on Openshift +## Deploy Tornjak with Ingress on Openshift -When deploying on Openshift, follow the deployment setup as described in -[Openshift README](../openshift/README.md) +Obtain the OpenShift Apps Subdomain for Ingress and assign it to the `trustDomain` +environment variable: + +```shell +export appdomain=$(oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//') +echo $appdomain +``` -Then just add Openshift specific configuration to the above command: +So it can be passed as follow: ```shell ---values examples/openshift/openshift-values.yaml +--set global.openshift=true \ +--set global.spire.trustDomain=$appdomain \ +--values examples/tornjak/values-ingress.yaml \ ``` When running on Openshift in some environments like 
IBM Cloud, -you might need to add the following configurations: +you might need to also add the following configurations: + +```shell +--values examples/openshift/values-ibm-cloud.yaml +``` + +## Validation + +Confirm access to the Tornjak API (backend): + +```shell +curl https://tornjak-backend.$appdomain +"Welcome to the Tornjak Backend!" +``` + +If the APIs are accessible, we can verify the Tornjak UI (A React application running in the local browser) can be accessed. +Test access to Tornjak by opening the URL provided in Tornjak-frontend route: + +```shell +oc get route -n spire-server -l=app.kubernetes.io/name=tornjak-frontend -o jsonpath='https://{ .items[0].spec.host }' +``` + +The value should match the following URL: ```shell ---set spiffe-csi-driver.kubeletPath=/var/data/kubelet \ ---set spiffe-csi-driver.restrictedScc.enabled=true \ +echo "https://tornjak-frontend.$appdomain" ``` diff --git a/examples/tornjak/keycloak/README.md b/examples/tornjak/keycloak/README.md new file mode 100644 index 000000000..f9c47315d --- /dev/null +++ b/examples/tornjak/keycloak/README.md 
@@ -0,0 +1,81 @@ +# Deploy Tornjak with Authentication Enabled + +This example demonstrates Tornjak's capability to control access to the Frontend Application using +User Management via [Keycloak](https://www.keycloak.org/). + +Tested on: + +- Keycloak Application Version - 24.0.3 +- Keycloak Chart Version - 21.0.3 + +For more information regarding Tornjak User Management, please refer to the following documentation: + +- [Tornjak User Management](https://github.com/spiffe/tornjak/blob/main/docs/user-management.md) +- [Keycloak Configuration for Tornjak](https://github.com/spiffe/tornjak/blob/main/docs/keycloak-configuration.md) +- [Detailed Blogs on Tornjak User Management](https://github.com/spiffe/tornjak/blob/main/docs/blogs.md) + +> [!NOTE] +> This example works only with the Vanilla version of Kubernetes; it does not yet support Openshift. + +As part of the exercise, an instance of Keycloak is deployed to illustrate how to manage users' access to Tornjak. +Once enabled, the Tornjak UI will redirect all authentication calls to the Keycloak instance to obtain the +correct credentials. Authorization is based on these credentials and occurs at the Tornjak application level. + +## Deploy Keycloak Instance (Authentication Service) + +We will deploy the instance of Keycloak in a dedicated namespace + +```shell +# If does not exist, create a namespace to deploy Keycloak +kubectl create namespace keycloak +``` + +> [!IMPORTANT] +> The example uses default userid and password (`admin`,`admin`). You must change these values +> by setting `auth.adminUser` and `auth.adminPassword` as shown below. 
+ +```shell +# Deploy most recent Keycloak instance as an authentication service +helm upgrade --install -n keycloak keycloak \ +--values examples/tornjak/keycloak/values.yaml \ +--set auth.adminUser=your-userid --set auth.adminPassword=your-password \ +oci://registry-1.docker.io/bitnamicharts/keycloak --render-subchart-notes +``` + +> [!IMPORTANT] +> It is important to start the Tornjak service before starting Tornjak with authentication + +The example below demonstrates port forward for local access. In cloud deployment scenario, +enable Ingress to the Keycloak service accordingly. + +```shell +# Start an auth Service [Keycloak] in separate terminal +kubectl -n keycloak port-forward service/keycloak 8080:80 +``` + +See the helm Notes for more information about accessing Keycloak + +## Deploy SPIRE with Tornjak User Management Enabled + +Please follow the instructions for [deploying Tornjak](../README.md) +with addition of the User Management values `--values examples/tornjak/values-auth.yaml`. + +> [!IMPORTANT] +> Make sure Tornjak backend User Management issuer points to the correct Keycloak issuer URL. Which is in format +> `http://.:/realms/tornjak`. +> For the example above it will be: `http://keycloak.keycloak:8080/realms/tornjak` +> You can set the issuer URL using `--set spire-server.tornjak.config.userManagement.issuer=http://tornjak.tornjak:8080/realms/tornjak` +> +> [!IMPORTANT] +> If audience is set, make sure the Tornjak backend `audience` is set correctly. You can set it using: +> `--set spire-server.tornjak.config.userManagement.audience=your-audience` +> +> [!TIP] +> Keep in mind, when redeploying Tornjak, you might have to recreate port forwarding for that service. + +The sample [examples/tornjak/values-auth.yaml](../values-auth.yaml) assumes local +Keycloak deployment using port forwarding. When using Ingress, update the URLs accordingly. + +## Access Tornjak + +Follow the standard [steps for Accessing Tornjak](../README.md) 
diff --git a/examples/tornjak/keycloak/values.yaml b/examples/tornjak/keycloak/values.yaml new file mode 100644 index 000000000..ccbba06ec --- /dev/null +++ b/examples/tornjak/keycloak/values.yaml 
@@ -0,0 +1,128 @@ +auth: + ## @param keycloak.auth.realm Realm name in which to create users## @param auth.adminUser Keycloak administrator user + ## + adminUser: admin + ## @param auth.adminPassword Keycloak administrator password for the new user + ## + adminPassword: admin +proxy: edge # for https proxy reverse mode +keycloakConfigCli: + enabled: true + configuration: # tornjak realm configuration + tornjak.json: | + { + "realm": "tornjak", + "enabled": true, + "roles" : { + "realm" : [ { + "name" : "tornjak-viewer-realm-role" + }, { + "name" : "tornjak-admin-realm-role" + } ], + "client" : { + "tornjak" : [ { + "name" : "viewer", + "composite" : true, + "composites" : { + "realm" : [ "tornjak-viewer-realm-role" ] + }, + "clientRole" : true + }, { + "name" : "admin", + "composite" : true, + "composites" : { + "realm" : [ "tornjak-admin-realm-role" ] + }, + "clientRole" : true + } ] + } + }, + "groups" : [ { + "name" : "admin", + "path" : "/admin", + "realmRoles" : [ "tornjak-admin-realm-role" ] + }, { + "name" : "viewer", + "path" : "/viewer", + "realmRoles" : [ "tornjak-viewer-realm-role" ] + } ], + "users" : [ { + "username" : "admin", + "enabled" : true, + "firstName" : "Admin", + "lastName" : "User", + "credentials" : [ { + "type" : "password", + "userLabel" : "My password", + "secretData" : "{\"value\":\"Y1Kcmx/XxLWtnRLyMy/zn6wWbfu2fSKdaefrXM50cva3P+kA2BqBDvTZDswGP6JZ+IWrJaitm8RKV0L9LiwaFQ==\",\"salt\":\"Mh5g1EgTo26xhzoj67bovA==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "groups" : [ "/admin" ] + }, { + "username" : "viewer", + "enabled" : true, + "firstName" : "Viewer", + "lastName" : "User", + "credentials" : [ { + "type" : "password", + "userLabel" : "My password", + "secretData" : 
"{\"value\":\"1ow3LfLDvpBRLfRbr2LtFRqje8NsKouHMw95Wwpsg5NP2Pga4ZBL7+T62bCDV6dOvy3U9xEEU4CRkhSWFaeDLg==\",\"salt\":\"qML2gBVSG7xYRZcaffW68A==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "groups" : [ "/viewer" ] + } ], + "clients" : [ { + "clientId" : "tornjak", + "name" : "Tornjak", + "enabled" : true, + "alwaysDisplayInConsole" : true, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ "http://localhost:3000/*" ], + "webOrigins" : [ "*" ], + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : true, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "http://localhost:3000/*" + }, + "fullScopeAllowed" : true, + "defaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr", + "tornjak-backend", + ] + }], + "clientScopes": [{ + "name": "tornjak-backend", + "description": "tornjak backend audience check", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [{ + "name": "tornjak-backend", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "included.custom.audience": "tornjak-backend", + "userinfo.token.claim": "false", + "id.token.claim": "false", + "lightweight.claim": "false", + "access.token.claim": "true" + } + }] + }] + } \ No newline at end of file diff --git a/examples/tornjak/values-auth.yaml b/examples/tornjak/values-auth.yaml new file mode 100644 index 000000000..4f7e2d92d --- /dev/null +++ b/examples/tornjak/values-auth.yaml 
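Review bot: The realm import under `keycloakConfigCli.configuration` seeds `admin` and `viewer` users with fixed PBKDF2 password hashes and a public `tornjak` client with `webOrigins: ["*"]`, plain-`http` wildcard `redirectUris`, and `fullScopeAllowed: true`, yet nothing in the file marks this as demo-only — while the same file restates `adminPassword: admin`, the value the README says must be overridden. Add a comment above `keycloakConfigCli:` such as `# Demo realm only: replace or remove the seeded admin/viewer users, restrict webOrigins and redirectUris to the real frontend origin (https), and never reuse these hashes in a shared environment`. Two smaller points: the first comment line fuses two `## @param` entries into one (`...create users## @param auth.adminUser...`), and `defaultClientScopes` ends with a trailing comma (`"tornjak-backend",` before `]`), which is not valid JSON — confirm that keycloak-config-cli's parser tolerates it, or drop the comma. The file also ends without a trailing newline.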
@@ -0,0 +1,12 @@ +spire-server: + tornjak: + config: + ## @extra tornjak.config.userManagement [object] UserManagement config + userManagement: + issuer: "http://keycloak:80/realms/tornjak" + audience: "tornjak-backend" + +tornjak-frontend: + auth: + enabled: true + serverURL: http://localhost:8080/ # enable auth by providing url diff --git a/tests/go.mod b/tests/go.mod index 463447c99..e292ca58d 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -1,13 +1,12 @@ module github.com/spiffe/helm-charts/tests go 1.21 - -toolchain go1.21.5 +toolchain go1.22.2 require ( - github.com/onsi/ginkgo/v2 v2.17.1 - github.com/onsi/gomega v1.32.0 - helm.sh/helm/v3 v3.14.3 + github.com/onsi/ginkgo/v2 v2.19.0 + github.com/onsi/gomega v1.33.1 + helm.sh/helm/v3 v3.15.1 ) require ( @@ -22,14 +21,14 @@ require ( github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/swag v0.22.3 // indirect - github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect + github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang/protobuf v1.5.3 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect + github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect github.com/google/uuid v1.3.0 // indirect github.com/huandu/xstrings v1.4.0 // indirect github.com/imdario/mergo v0.3.13 // indirect 
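Review bot: `issuer: "http://keycloak:80/realms/tornjak"` uses a bare service name, which only resolves from inside the `keycloak` namespace; the companion README deploys Keycloak into `keycloak` and SPIRE/Tornjak into a different namespace and itself gives the namespace-qualified form, so this default would likely fail DNS from the Tornjak backend — `issuer: "http://keycloak.keycloak:80/realms/tornjak"` matches the README. Separately, the tokens the frontend obtains are minted against `serverURL: http://localhost:8080/`, so their `iss` claim will presumably be `http://localhost:8080/realms/tornjak`; whether Tornjak compares that against the configured `issuer` or only uses it for JWKS discovery is not visible here and is worth confirming, since a strict comparison would reject every token. Both URLs are plaintext HTTP; a comment such as `# http is acceptable only for the port-forward demo — use https and an in-cluster-resolvable issuer for any shared deployment` would keep this from being copied into a real deployment.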
@@ -47,27 +46,27 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect - golang.org/x/crypto v0.18.0 // indirect - golang.org/x/net v0.20.0 // indirect + golang.org/x/crypto v0.23.0 // indirect + golang.org/x/net v0.25.0 // indirect golang.org/x/oauth2 v0.10.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/term v0.16.0 // indirect - golang.org/x/text v0.14.0 // indirect + golang.org/x/sys v0.20.0 // indirect + golang.org/x/term v0.20.0 // indirect + golang.org/x/text v0.15.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.17.0 // indirect + golang.org/x/tools v0.21.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/protobuf v1.33.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.29.0 // indirect - k8s.io/apiextensions-apiserver v0.29.0 // indirect - k8s.io/apimachinery v0.29.0 // indirect - k8s.io/client-go v0.29.0 // indirect - k8s.io/klog/v2 v2.110.1 // indirect - k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect + k8s.io/api v0.30.0 // indirect + k8s.io/apiextensions-apiserver v0.30.0 // indirect + k8s.io/apimachinery v0.30.0 // indirect + k8s.io/client-go v0.30.0 // indirect + k8s.io/klog/v2 v2.120.1 // indirect + k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect - sigs.k8s.io/yaml v1.3.0 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/tests/go.sum b/tests/go.sum index 5f675dab7..d405560e9 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -7,9 +7,6 @@ github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0 github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= @@ -22,7 +19,6 @@ github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps= -github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= 
@@ -31,34 +27,31 @@ github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2Kv
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg=
+github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU=
 github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
 github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
@@ -90,10 +83,10 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8=
-github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
-github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk=
-github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg=
+github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
+github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
+github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
+github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -114,7 +107,6 @@ github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpE
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
@@ -135,8 +127,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -148,8 +140,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
 golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -158,27 +150,26 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
-golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -186,16 +177,14 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
-golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
+golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
+golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -212,25 +201,25 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-helm.sh/helm/v3 v3.14.3 h1:HmvRJlwyyt9HjgmAuxHbHv3PhMz9ir/XNWHyXfmnOP4=
-helm.sh/helm/v3 v3.14.3/go.mod h1:v6myVbyseSBJTzhmeE39UcPLNv6cQK6qss3dvgAySaE=
-k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A=
-k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA=
-k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0=
-k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc=
-k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o=
-k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis=
-k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8=
-k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38=
-k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
-k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
-k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
-k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
+helm.sh/helm/v3 v3.15.1 h1:22ztacHz4gMqhXNqCQ9NAg6BFWoRUryNLvnkz6OVyw0=
+helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg=
+k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=
+k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE=
+k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs=
+k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y=
+k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA=
+k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ=
+k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY=
+k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
+k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
+k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
diff --git a/tests/integration/psat/run-tests.sh b/tests/integration/psat/run-tests.sh
deleted file mode 100755
index 6b7785aec..000000000
--- a/tests/integration/psat/run-tests.sh
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/usr/bin/env bash
-
-set -xe
-
-SCRIPT="$(readlink -f "$0")"
-SCRIPTPATH="$(dirname "${SCRIPT}")"
-TESTDIR="${SCRIPTPATH}/../../../.github/tests"
-DEPS="${TESTDIR}/dependencies"
-
-# shellcheck source=/dev/null
-source "${SCRIPTPATH}/../../../.github/scripts/parse-versions.sh"
-# shellcheck source=/dev/null
-source "${TESTDIR}/common.sh"
-
-CLEANUP=1
-
-for i in "$@"; do
-  case $i in
-    -c)
-      CLEANUP=0
-      shift # past argument=value
-      ;;
-  esac
-done
-
-teardown() {
-  print_helm_releases
-  print_spire_workload_status spire-root-server
-  print_spire_workload_status spire-server spire-system
-
-  if [[ "$1" -ne 0 ]]; then
-    get_namespace_details spire-root-server
-    get_namespace_details spire-server spire-system
-  fi
-
-  if [ "${CLEANUP}" -eq 1 ]; then
-    helm uninstall --namespace spire-server spire 2>/dev/null || true
-    kubectl delete ns spire-server 2>/dev/null || true
-    kubectl delete ns spire-system 2>/dev/null || true
-
-    helm uninstall --namespace mysql spire-root-server 2>/dev/null || true
-    kubectl delete ns spire-root-server 2>/dev/null || true
-  fi
-}
-
-trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT
-
-kubectl create namespace spire-system --dry-run=client -o yaml | kubectl apply -f -
-kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged || true
-kubectl create namespace spire-server --dry-run=client -o yaml | kubectl apply -f -
-kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted || true
-
-helm upgrade --install --create-namespace spire charts/spire \
-  --namespace spire-root-server \
-  --values "${DEPS}/spire-root-server-values.yaml" \
-  --wait
-
-kind create cluster --name other --kubeconfig "${SCRIPTPATH}/kubeconfig" --config "${SCRIPTPATH}/kind-config.yaml"
-md5sum "${SCRIPTPATH}/kubeconfig"
-wc -l "${SCRIPTPATH}/kubeconfig"
-KCB64="$(base64 < "${SCRIPTPATH}/kubeconfig" | tr '\n' ' ' | sed 's/ //g')"
-kubectl --kubeconfig "${SCRIPTPATH}/kubeconfig" create namespace spire-system
-kubectl --kubeconfig "${SCRIPTPATH}/kubeconfig" create configmap -n spire-system spire-bundle-upstream
-
-helm upgrade --install --create-namespace --namespace spire-server --values "${SCRIPTPATH}/values.yaml" \
-  --wait spire charts/spire --set "spire-server.kubeConfigs.other.kubeConfigBase64=$KCB64"
-helm test --namespace spire-server spire
-kubectl --kubeconfig "${SCRIPTPATH}/kubeconfig" get configmap -n spire-system spire-bundle-upstream
diff --git a/tests/integration/psat/values.yaml b/tests/integration/psat/values.yaml
deleted file mode 100644
index fbb7b55e8..000000000
--- a/tests/integration/psat/values.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-global:
-  spire:
-    recommendations:
-      enabled: true
-    clusterName: production
-    trustDomain: production.other
-
-spire-server:
-  ca_subject:
-    country: US
-    organization: Production
-    common_name: production.other