diff --git a/helm-charts/0.27.2/README.md b/helm-charts/0.27.2/README.md index bfafc59c..46a99a83 100644 --- a/helm-charts/0.27.2/README.md +++ b/helm-charts/0.27.2/README.md @@ -5,7 +5,7 @@ that your sensitive data is always secure and protected. VSecM is perfect for securely storing arbitrary configuration information at a central location and securely dispatching it to workloads. -![Version: 0.27.1](https://img.shields.io/badge/Version-0.27.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.1](https://img.shields.io/badge/AppVersion-0.27.1-informational?style=flat-square) +![Version: 0.27.2](https://img.shields.io/badge/Version-0.27.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.2](https://img.shields.io/badge/AppVersion-0.27.2-informational?style=flat-square) [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/vsecm)](https://artifacthub.io/packages/helm/vsecm/vsecm) @@ -28,7 +28,7 @@ To use VMware Secrets Manager, follow the steps below: 3. Install VMware Secrets Manager using Helm: ```bash - helm install vsecm vsecm/vsecm --version 0.27.1 + helm install vsecm vsecm/vsecm --version 0.27.2 ``` ## Options @@ -47,7 +47,7 @@ and `global.baseImage` respectively. Here's an example command with the above options: ```bash -helm install vsecm vsecm/helm-charts --version 0.27.1 \ +helm install vsecm vsecm/helm-charts --version 0.27.2 \ --set global.deploySpire=true --set global.baseImage=distroless ``` 
@@ -65,7 +65,7 @@ These environment variable configurations are expose through subcharts. You can modify them as follows: ```bash -helm install vsecm vsecm/helm-charts --version 0.27.1 \ +helm install vsecm vsecm/helm-charts --version 0.27.2 \ --set safe.environments.VSECM_LOG_LEVEL="6" --set sentinel.environments.VSECM_LOGL_LEVEL="5" # You can update other environment variables too. @@ -97,10 +97,10 @@ The sections below are autogenerated from chart source code: | Repository | Name | Version | |------------|------|---------| -| file://charts/keystone | keystone | 0.27.1 | -| file://charts/safe | safe | 0.27.1 | -| file://charts/sentinel | sentinel | 0.27.1 | -| file://charts/spire | spire | 0.27.1 | +| file://charts/keystone | keystone | 0.27.2 | +| file://charts/safe | safe | 0.27.2 | +| file://charts/sentinel | sentinel | 0.27.2 | +| file://charts/spire | spire | 0.27.2 | ## Values diff --git a/helm-charts/0.27.2/charts/safe/README.md b/helm-charts/0.27.2/charts/safe/README.md index d1709a19..8f9728a2 100644 --- a/helm-charts/0.27.2/charts/safe/README.md +++ b/helm-charts/0.27.2/charts/safe/README.md @@ -1,6 +1,6 @@ # safe -![Version: 0.27.1](https://img.shields.io/badge/Version-0.27.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.1](https://img.shields.io/badge/AppVersion-0.27.1-informational?style=flat-square) +![Version: 0.27.2](https://img.shields.io/badge/Version-0.27.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.2](https://img.shields.io/badge/AppVersion-0.27.2-informational?style=flat-square) Helm chart for VMware Secrets Manager (VSecM) Safe diff --git a/helm-charts/0.27.2/charts/sentinel/README.md b/helm-charts/0.27.2/charts/sentinel/README.md index a4d3f608..c583644a 100644 --- a/helm-charts/0.27.2/charts/sentinel/README.md 
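Review bot: The dependency table in the @@ -97 hunk now lists keystone at 0.27.2, but the rendered manifest added later in this same diff (k8s/0.27.2/eks/vsecm-distroless-fips.yaml) still labels the keystone ServiceAccount and Deployment with `helm.sh/chart: keystone-0.27.1` and `app.kubernetes.io/version: "0.27.1"` and pulls `vsecm-ist-init-container:0.27.1` / `vsecm-ist-fips-keystone:0.27.1`, while the safe and sentinel resources in the same file are at 0.27.2. Either the keystone subchart was not bumped and this README row is wrong, or the manifest was rendered from a stale chart; I cannot tell which from the diff, since that manifest hunk is cut off. A release manifest that pins the previous version's images is worth catching before tagging, because anyone applying k8s/0.27.2 would run a mixed-version deployment. Suggest bumping the keystone subchart (charts/keystone) to 0.27.2 and re-rendering the manifest so the row `| file://charts/keystone | keystone | 0.27.2 |` matches what actually ships.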
+++ b/helm-charts/0.27.2/charts/sentinel/README.md @@ -1,6 +1,6 @@ # sentinel -![Version: 0.27.1](https://img.shields.io/badge/Version-0.27.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.1](https://img.shields.io/badge/AppVersion-0.27.1-informational?style=flat-square) +![Version: 0.27.2](https://img.shields.io/badge/Version-0.27.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.2](https://img.shields.io/badge/AppVersion-0.27.2-informational?style=flat-square) Helm chart for sentinel diff --git a/helm-charts/0.27.2/charts/spire/README.md b/helm-charts/0.27.2/charts/spire/README.md index 3af5f07b..3fbd2abf 100644 --- a/helm-charts/0.27.2/charts/spire/README.md +++ b/helm-charts/0.27.2/charts/spire/README.md @@ -1,6 +1,6 @@ # spire -![Version: 0.27.1](https://img.shields.io/badge/Version-0.27.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.1](https://img.shields.io/badge/AppVersion-0.27.1-informational?style=flat-square) +![Version: 0.27.2](https://img.shields.io/badge/Version-0.27.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.2](https://img.shields.io/badge/AppVersion-0.27.2-informational?style=flat-square) Helm chart for spire diff --git a/k8s/0.27.2/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/k8s/0.27.2/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml new file mode 100644 index 00000000..658617dd --- /dev/null +++ b/k8s/0.27.2/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml 
@@ -0,0 +1,100 @@ +# Source: spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterfederatedtrustdomains.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterFederatedTrustDomain + listKind: ClusterFederatedTrustDomainList + plural: clusterfederatedtrustdomains + singular: clusterfederatedtrustdomain + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trustDomain + name: Trust Domain + type: string + - jsonPath: .spec.bundleEndpointURL + name: Endpoint URL + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterFederatedTrustDomainSpec defines the desired state + of ClusterFederatedTrustDomain + properties: + bundleEndpointProfile: + description: BundleEndpointProfile is the profile for the bundle endpoint. + properties: + endpointSPIFFEID: + description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. 
+ It is required for the "https_spiffe" profile. + type: string + type: + description: Type is the type of the bundle endpoint profile. + enum: + - https_spiffe + - https_web + type: string + required: + - type + type: object + bundleEndpointURL: + description: BundleEndpointURL is the URL of the bundle endpoint. + It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). + type: string + className: + description: Set the class of controller to handle this object. + type: string + trustDomain: + description: TrustDomain is the name of the trust domain to federate + with (e.g. example.org) + pattern: '[a-z0-9._-]{1,255}' + type: string + trustDomainBundle: + description: TrustDomainBundle is the contents of the bundle for the + referenced trust domain. This field is optional when the resource + is created. + type: string + required: + - bundleEndpointProfile + - bundleEndpointURL + - trustDomain + type: object + status: + description: ClusterFederatedTrustDomainStatus defines the observed state + of ClusterFederatedTrustDomain + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/k8s/0.27.2/crds/spire.spiffe.io_clusterspiffeids.yaml b/k8s/0.27.2/crds/spire.spiffe.io_clusterspiffeids.yaml new file mode 100644 index 00000000..597b2b08 --- /dev/null +++ b/k8s/0.27.2/crds/spire.spiffe.io_clusterspiffeids.yaml 
@@ -0,0 +1,239 @@ +# Source: spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterspiffeids.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterSPIFFEID + listKind: ClusterSPIFFEIDList + plural: clusterspiffeids + singular: clusterspiffeid + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSPIFFEID is the Schema for the clusterspiffeids API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID + properties: + admin: + description: Admin indicates whether or not the SVID can be used to + access the SPIRE administrative APIs. Extra care should be taken + to only apply this SPIFFE ID to admin workloads. + type: boolean + autoPopulateDNSNames: + description: AutoPopulateDNSNames indicates whether or not to auto + populate service DNS names. + type: boolean + dnsNameTemplates: + description: DNSNameTemplate represents templates for extra DNS names + that are applicable to SVIDs minted for this ClusterSPIFFEID. 
The + node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + downstream: + description: Downstream indicates that the entry describes a downstream + SPIRE server. + type: boolean + className: + description: Set the class of controller to handle this object. + type: string + federatesWith: + description: FederatesWith is a list of trust domain names that workloads + that obtain this SPIFFE ID will federate with. + items: + type: string + type: array + jwtTtl: + description: JWTTTL indicates an upper-bound time-to-live for JWT + SVIDs minted for this ClusterSPIFFEID. + type: string + namespaceSelector: + description: NamespaceSelector selects the namespaces that are targeted + by this CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: PodSelector selects the pods that are targeted by this + CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + spiffeIDTemplate: + description: SPIFFEID is the SPIFFE ID template. The node and pod + spec are made available to the template under .NodeSpec, .PodSpec + respectively. + type: string + ttl: + description: TTL indicates an upper-bound time-to-live for X509 SVIDs + minted for this ClusterSPIFFEID. 
If unset, a default will be chosen. + type: string + workloadSelectorTemplates: + description: WorkloadSelectorTemplates are templates to produce arbitrary + workload selectors that apply to a given workload before it will + receive this SPIFFE ID. The rendered value is interpreted by SPIRE + and are of the form type:value, where the value may, and often does, + contain semicolons, .e.g., k8s:container-image:docker/hello-world + The node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + required: + - spiffeIDTemplate + type: object + status: + description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID + properties: + stats: + description: Stats produced by the last entry reconciliation run + properties: + entriesMasked: + description: How many entries were masked by entries for other + ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs + produce an entry for the same pod with the same set of workload + selectors. + type: integer + entriesToSet: + description: How many entries are to be set for this ClusterSPIFFEID. + In nominal conditions, this should reflect the number of pods + selected, but not always if there were problems encountered + rendering an entry for the pod (RenderFailures) or entries are + masked (EntriesMasked). + type: integer + entryFailures: + description: How many entries were unable to be set due to failures + to create or update the entries via the SPIRE Server API. + type: integer + namespacesIgnored: + description: How many (selected) namespaces were ignored (based + on configuration). + type: integer + namespacesSelected: + description: How many namespaces were selected. + type: integer + podEntryRenderFailures: + description: How many failures were encountered rendering an entry + selected pods. 
This could be due to either a bad template in + the ClusterSPIFFEID or Pod metadata that when applied to the + template did not produce valid entry values. + type: integer + podsSelected: + description: How many pods were selected out of the namespaces. + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/k8s/0.27.2/crds/spire.spiffe.io_clusterstaticentries.yaml b/k8s/0.27.2/crds/spire.spiffe.io_clusterstaticentries.yaml new file mode 100644 index 00000000..c19df220 --- /dev/null +++ b/k8s/0.27.2/crds/spire.spiffe.io_clusterstaticentries.yaml 
@@ -0,0 +1,103 @@ +# Source: spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterstaticentries.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterStaticEntry + listKind: ClusterStaticEntryList + plural: clusterstaticentries + singular: clusterstaticentry + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterStaticEntry is the Schema for the clusterstaticentries + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry + properties: + admin: + type: boolean + className: + description: Set the class of controller to handle this object. 
+ type: string + dnsNames: + items: + type: string + type: array + downstream: + type: boolean + federatesWith: + items: + type: string + type: array + hint: + type: string + jwtSVIDTTL: + type: string + parentID: + type: string + selectors: + items: + type: string + type: array + spiffeID: + type: string + storeSVID: + type: boolean + x509SVIDTTL: + type: string + required: + - parentID + - selectors + - spiffeID + type: object + status: + description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry + properties: + masked: + description: If the static entry was masked by another entry. + type: boolean + rendered: + description: If the static entry rendered properly. + type: boolean + set: + description: If the static entry was successfully created/updated. + type: boolean + required: + - masked + - rendered + - set + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/k8s/0.27.2/crds/spire.spiffe.io_controllermanagerconfigs.yaml b/k8s/0.27.2/crds/spire.spiffe.io_controllermanagerconfigs.yaml new file mode 100644 index 00000000..538ac974 --- /dev/null +++ b/k8s/0.27.2/crds/spire.spiffe.io_controllermanagerconfigs.yaml 
@@ -0,0 +1,68 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: controllermanagerconfigs.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ControllerManagerConfig + listKind: ControllerManagerConfigList + plural: controllermanagerconfigs + singular: controllermanagerconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ControllerManagerConfig is the Schema for the controllermanagerconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControllerManagerConfigSpec defines the desired state of + ControllerManagerConfig + properties: + foo: + description: Foo is an example field of ControllerManagerConfig. 
Edit + controllermanagerconfig_types.go to deletion/update + type: string + type: object + status: + description: ControllerManagerConfigStatus defines the observed state + of ControllerManagerConfig + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/k8s/0.27.2/eks/vsecm-distroless-fips.yaml b/k8s/0.27.2/eks/vsecm-distroless-fips.yaml new file mode 100644 index 00000000..64583d39 --- /dev/null +++ b/k8s/0.27.2/eks/vsecm-distroless-fips.yaml 
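Review bot: The spec schema of the ControllerManagerConfig CRD contains only a scaffolding placeholder, `foo: description: Foo is an example field of ControllerManagerConfig. Edit controllermanagerconfig_types.go to deletion/update`, which reads as a kubebuilder template leftover rather than a real configuration field. Unlike the three sibling CRDs in this diff, this file carries the VSecM header instead of a `# Source: spire-crds/templates/...` line, is stamped `controller-gen.kubebuilder.io/version: v0.8.0` rather than v0.11.1, and lacks the `helm.sh/resource-policy: keep` annotation, which suggests it is hand-maintained and has drifted from the generator output. If the CRD must stay, drop the placeholder so `spec` is an open `type: object` with no `properties`, or regenerate it with the same controller-gen version as the others; if the upstream controller actually defines this field, a one-line comment saying so would stop the next reader from trying to delete it.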
@@ -0,0 +1,1050 @@ +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + kubernetes.io/mountable-secrets: vsecm-root-key +automountServiceAccountToken: true +secrets: + - name: vsecm-root-key +--- +# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret +automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-root-key + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-safe +type: Opaque +data: + # '{}' (e30=) is a special placeholder to tell Safe that the Secret + # is not initialized. DO NOT remove or change it. + KEY_TXT: "e30=" +--- +# Source: vsecm/charts/sentinel/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-sentinel-init-secret + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-sentinel +type: Opaque +stringData: + data: "exit:true\n--\n" +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vsecm-secret-readwriter +# +# Creating a `ClusterRole` will make the role applicable to all namespaces +# within the cluster. This approach is easier to maintain, and still secure +# enough because VSecM Safe will talk only to the Secrets it knows about. +# Alternatively, you can create a `Role` for tighter control: +# +# kind: Role +# metadata: +# name: vsecm-secret-readwriter +# namespace: vsecm-system +# +## + +## +# +# It is not possible to implement a more granular regex-based +# access control using RBAC. See, for example: +# https://github.com/kubernetes/kubernetes/issues/93845 +# +# Also, note that you will either need to specify one role for each +# namespace, or you will need to define a ClusterRole across the cluster. +# The former approach is tedious, yet more explicit, and more secure. +# +# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated +# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the +# workload names), then you can limit the scope of this role as follows: +# +# rules +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +## + +## +# +# This `rules` setting is for legacy support (see the above discussion): +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "update", "create"] +# +# This `rules` configuration is the recommended, more secure, way: +# +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +# +## +--- +# Source: vsecm/charts/safe/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vsecm-secret-readwriter-binding +subjects: + - kind: ServiceAccount + name: vsecm-safe + namespace: vsecm-system +roleRef: + kind: ClusterRole + name: vsecm-secret-readwriter + apiGroup: rbac.authorization.k8s.io + +## +# +# Alternatively, for a tighter security, you can define a `RoleBinding` +# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to +# maintain. See the discussion about above `Role`s and `RoleBinding`s. +# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: vsecm-secret-readwriter-binding +# namespace: vsecm-system +# subjects: +# - kind: ServiceAccount +# name: vsecm-safe +# namespace: vsecm-system +# roleRef: +# kind: Role +# name: vsecm-secret-readwriter +# apiGroup: rbac.authorization.k8s.io +# +## +--- +# Source: vsecm/charts/sentinel/templates/Role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vsecm-sentinel-secret-reader + namespace: vsecm-system +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] +--- +# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: vsecm-system +subjects: + - kind: ServiceAccount + name: vsecm-sentinel + namespace: vsecm-system +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/safe/templates/Service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-keystone + securityContext: + {} + + priorityClassName: system-cluster-critical + + initContainers: + - name: init-container + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /spire-agent-socket + name: spire-agent-socket + readOnly: true + env: + # + # You can configure VSecM Init Container by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Init Container will assume the default values outlined in the given link above. 
+ # + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + + + + - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT + value: "0" + + + + - name: VSECM_LOG_LEVEL + value: "7" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + containers: + - name: main + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-keystone:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. 
+ # + env: + - name: VSECM_LOG_LEVEL + value: "7" + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true +--- +# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-sentinel + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. 
+ # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. + # + env: + + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + + - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER + value: "false" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE + value: "0" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC + value: "0" + + + + + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + + + + + - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL + value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" + + + + + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: init-command-volume + secret: + secretName: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/StatefulSet.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: vsecm-safe + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-safe + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.27.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP + volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: vsecm-root-key + 
mountPath: /key + readOnly: true + # + # You can configure VSecM Safe by providing environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. + # + env: + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + + + + - name: VSECM_SAFE_BACKING_STORE + value: "file" + + + + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + + + + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + + + + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + + + + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + + + + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" + + + + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + + + + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + + + + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + + + + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + + + + - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX + value: "k8s:" + + + + - name: VSECM_SAFE_ROOT_KEY_STORE + value: "k8s" + + + + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SAFE_ENDPOINT_URL + value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key + secret: + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt +--- +# Source: vsecm/charts/keystone/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-keystone + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-keystone" +--- +# Source: vsecm/charts/safe/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-safe + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-safe" +--- +# Source: vsecm/charts/sentinel/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-sentinel + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.27.2/eks/vsecm-distroless.yaml b/k8s/0.27.2/eks/vsecm-distroless.yaml new file mode 100644 index 00000000..92ac2411 --- /dev/null +++ b/k8s/0.27.2/eks/vsecm-distroless.yaml 
@@ -0,0 +1,1050 @@ +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + kubernetes.io/mountable-secrets: vsecm-root-key +automountServiceAccountToken: true +secrets: + - name: vsecm-root-key +--- +# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret +automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-root-key + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-safe +type: Opaque +data: + # '{}' (e30=) is a special placeholder to tell Safe that the Secret + # is not initialized. DO NOT remove or change it. + KEY_TXT: "e30=" +--- +# Source: vsecm/charts/sentinel/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-sentinel-init-secret + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-sentinel +type: Opaque +stringData: + data: "exit:true\n--\n" +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vsecm-secret-readwriter +# +# Creating a `ClusterRole` will make the role applicable to all namespaces +# within the cluster. This approach is easier to maintain, and still secure +# enough because VSecM Safe will talk only to the Secrets it knows about. +# Alternatively, you can create a `Role` for tighter control: +# +# kind: Role +# metadata: +# name: vsecm-secret-readwriter +# namespace: vsecm-system +# +## + +## +# +# It is not possible to implement a more granular regex-based +# access control using RBAC. See, for example: +# https://github.com/kubernetes/kubernetes/issues/93845 +# +# Also, note that you will either need to specify one role for each +# namespace, or you will need to define a ClusterRole across the cluster. +# The former approach is tedious, yet more explicit, and more secure. +# +# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated +# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the +# workload names), then you can limit the scope of this role as follows: +# +# rules +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +## + +## +# +# This `rules` setting is for legacy support (see the above discussion): +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "update", "create"] +# +# This `rules` configuration is the recommended, more secure, way: +# +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +# +## +--- +# Source: vsecm/charts/safe/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vsecm-secret-readwriter-binding +subjects: + - kind: ServiceAccount + name: vsecm-safe + namespace: vsecm-system +roleRef: + kind: ClusterRole + name: vsecm-secret-readwriter + apiGroup: rbac.authorization.k8s.io + +## +# +# Alternatively, for a tighter security, you can define a `RoleBinding` +# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to +# maintain. See the discussion about above `Role`s and `RoleBinding`s. +# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: vsecm-secret-readwriter-binding +# namespace: vsecm-system +# subjects: +# - kind: ServiceAccount +# name: vsecm-safe +# namespace: vsecm-system +# roleRef: +# kind: Role +# name: vsecm-secret-readwriter +# apiGroup: rbac.authorization.k8s.io +# +## +--- +# Source: vsecm/charts/sentinel/templates/Role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vsecm-sentinel-secret-reader + namespace: vsecm-system +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] +--- +# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: vsecm-system +subjects: + - kind: ServiceAccount + name: vsecm-sentinel + namespace: vsecm-system +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/safe/templates/Service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-keystone + securityContext: + {} + + priorityClassName: system-cluster-critical + + initContainers: + - name: init-container + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /spire-agent-socket + name: spire-agent-socket + readOnly: true + env: + # + # You can configure VSecM Init Container by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Init Container will assume the default values outlined in the given link above. 
+ # + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + + + + - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT + value: "0" + + + + - name: VSECM_LOG_LEVEL + value: "7" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + containers: + - name: main + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-keystone:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. 
+ # + env: + - name: VSECM_LOG_LEVEL + value: "7" + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true +--- +# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-sentinel + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. 
+ # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. + # + env: + + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + + - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER + value: "false" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE + value: "0" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC + value: "0" + + + + + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + + + + + - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL + value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" + + + + + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: init-command-volume + secret: + secretName: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/StatefulSet.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: vsecm-safe + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-safe + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.27.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP + volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: vsecm-root-key + 
mountPath: /key + readOnly: true + # + # You can configure VSecM Safe by providing environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. + # + env: + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + + + + - name: VSECM_SAFE_BACKING_STORE + value: "file" + + + + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + + + + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + + + + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + + + + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + + + + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" + + + + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + + + + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + + + + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + + + + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + + + + - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX + value: "k8s:" + + + + - name: VSECM_SAFE_ROOT_KEY_STORE + value: "k8s" + + + + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SAFE_ENDPOINT_URL + value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key + secret: + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt +--- +# Source: vsecm/charts/keystone/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-keystone + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-keystone" +--- +# Source: vsecm/charts/safe/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-safe + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-safe" +--- +# Source: vsecm/charts/sentinel/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-sentinel + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.27.2/local/vsecm-distroless-fips.yaml b/k8s/0.27.2/local/vsecm-distroless-fips.yaml new file mode 100644 index 00000000..530e368d --- /dev/null +++ b/k8s/0.27.2/local/vsecm-distroless-fips.yaml 
@@ -0,0 +1,1050 @@ +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + kubernetes.io/mountable-secrets: vsecm-root-key +automountServiceAccountToken: true +secrets: + - name: vsecm-root-key +--- +# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret +automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-root-key + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-safe +type: Opaque +data: + # '{}' (e30=) is a special placeholder to tell Safe that the Secret + # is not initialized. DO NOT remove or change it. + KEY_TXT: "e30=" +--- +# Source: vsecm/charts/sentinel/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-sentinel-init-secret + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-sentinel +type: Opaque +stringData: + data: "exit:true\n--\n" +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vsecm-secret-readwriter +# +# Creating a `ClusterRole` will make the role applicable to all namespaces +# within the cluster. This approach is easier to maintain, and still secure +# enough because VSecM Safe will talk only to the Secrets it knows about. +# Alternatively, you can create a `Role` for tighter control: +# +# kind: Role +# metadata: +# name: vsecm-secret-readwriter +# namespace: vsecm-system +# +## + +## +# +# It is not possible to implement a more granular regex-based +# access control using RBAC. See, for example: +# https://github.com/kubernetes/kubernetes/issues/93845 +# +# Also, note that you will either need to specify one role for each +# namespace, or you will need to define a ClusterRole across the cluster. +# The former approach is tedious, yet more explicit, and more secure. +# +# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated +# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the +# workload names), then you can limit the scope of this role as follows: +# +# rules +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +## + +## +# +# This `rules` setting is for legacy support (see the above discussion): +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "update", "create"] +# +# This `rules` configuration is the recommended, more secure, way: +# +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +# +## +--- +# Source: vsecm/charts/safe/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vsecm-secret-readwriter-binding +subjects: + - kind: ServiceAccount + name: vsecm-safe + namespace: vsecm-system +roleRef: + kind: ClusterRole + name: vsecm-secret-readwriter + apiGroup: rbac.authorization.k8s.io + +## +# +# Alternatively, for a tighter security, you can define a `RoleBinding` +# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to +# maintain. See the discussion about above `Role`s and `RoleBinding`s. +# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: vsecm-secret-readwriter-binding +# namespace: vsecm-system +# subjects: +# - kind: ServiceAccount +# name: vsecm-safe +# namespace: vsecm-system +# roleRef: +# kind: Role +# name: vsecm-secret-readwriter +# apiGroup: rbac.authorization.k8s.io +# +## +--- +# Source: vsecm/charts/sentinel/templates/Role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vsecm-sentinel-secret-reader + namespace: vsecm-system +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] +--- +# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: vsecm-system +subjects: + - kind: ServiceAccount + name: vsecm-sentinel + namespace: vsecm-system +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/safe/templates/Service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-keystone + securityContext: + {} + + priorityClassName: system-cluster-critical + + initContainers: + - name: init-container + image: "localhost:5000/vsecm-ist-init-container:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /spire-agent-socket + name: spire-agent-socket + readOnly: true + env: + # + # You can configure VSecM Init Container by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Init Container will assume the default values outlined in the given link above. 
+ # + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + + + + - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT + value: "0" + + + + - name: VSECM_LOG_LEVEL + value: "7" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + containers: + - name: main + image: "localhost:5000/vsecm-ist-fips-keystone:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. 
+ # + env: + - name: VSECM_LOG_LEVEL + value: "7" + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true +--- +# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-sentinel + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "localhost:5000/vsecm-ist-fips-sentinel:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. 
+ # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. + # + env: + + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + + - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER + value: "false" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE + value: "0" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC + value: "0" + + + + + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + + + + + - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL + value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" + + + + + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: init-command-volume + secret: + secretName: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/StatefulSet.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: vsecm-safe + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-safe + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "localhost:5000/vsecm-ist-fips-safe:0.27.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP + volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: vsecm-root-key + mountPath: 
/key + readOnly: true + # + # You can configure VSecM Safe by providing environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. + # + env: + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + + + + - name: VSECM_SAFE_BACKING_STORE + value: "file" + + + + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + + + + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + + + + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + + + + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + + + + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" + + + + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + + + + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + + + + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + + + + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + + + + - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX + value: "k8s:" + + + + - name: VSECM_SAFE_ROOT_KEY_STORE + value: "k8s" + + + + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SAFE_ENDPOINT_URL + value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key + secret: + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt +--- +# Source: vsecm/charts/keystone/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-keystone + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-keystone" +--- +# Source: vsecm/charts/safe/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-safe + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-safe" +--- +# Source: vsecm/charts/sentinel/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-sentinel + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.27.2/local/vsecm-distroless.yaml b/k8s/0.27.2/local/vsecm-distroless.yaml new file mode 100644 index 00000000..58568bb2 --- /dev/null +++ b/k8s/0.27.2/local/vsecm-distroless.yaml 
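Review bot: The image tags in this new 0.27.2 manifest still pin 0.27.1 (`image: "localhost:5000/vsecm-ist-fips-safe:0.27.1"`, likewise the sentinel, keystone and init-container images), and the keystone ServiceAccount, Deployment and ClusterSPIFFEID still carry `helm.sh/chart: keystone-0.27.1` and `app.kubernetes.io/version: "0.27.1"` while the safe and sentinel resources say 0.27.2, so the rendered bundle does not match the release it is filed under; if the chart values and the keystone subchart were not bumped before rendering, the file should be regenerated. Separately, the Safe StatefulSet in this FIPS variant sets `VSECM_SAFE_FIPS_COMPLIANT` to `"false"`; if that flag is what selects Safe's FIPS-compliant cipher path, a `-fips` manifest that leaves it off is presumably unintended and worth confirming against the chart defaults. The pod-level `securityContext: {}` on all three workloads is empty, so nothing in the manifest declares `runAsNonRoot`, a read-only root filesystem or dropped capabilities — acceptable for a local bundle if the distroless images enforce that themselves, but a one-line comment saying so would save the next reviewer the same question. The same version and FIPS-flag observations apply to the vsecm-distroless.yaml hunk that follows and to the hunk that begins before this chunk.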
@@ -0,0 +1,1050 @@ +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + kubernetes.io/mountable-secrets: vsecm-root-key +automountServiceAccountToken: true +secrets: + - name: vsecm-root-key +--- +# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret +automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-root-key + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-safe +type: Opaque +data: + # '{}' (e30=) is a special placeholder to tell Safe that the Secret + # is not initialized. DO NOT remove or change it. + KEY_TXT: "e30=" +--- +# Source: vsecm/charts/sentinel/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-sentinel-init-secret + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-sentinel +type: Opaque +stringData: + data: "exit:true\n--\n" +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vsecm-secret-readwriter +# +# Creating a `ClusterRole` will make the role applicable to all namespaces +# within the cluster. This approach is easier to maintain, and still secure +# enough because VSecM Safe will talk only to the Secrets it knows about. +# Alternatively, you can create a `Role` for tighter control: +# +# kind: Role +# metadata: +# name: vsecm-secret-readwriter +# namespace: vsecm-system +# +## + +## +# +# It is not possible to implement a more granular regex-based +# access control using RBAC. See, for example: +# https://github.com/kubernetes/kubernetes/issues/93845 +# +# Also, note that you will either need to specify one role for each +# namespace, or you will need to define a ClusterRole across the cluster. +# The former approach is tedious, yet more explicit, and more secure. +# +# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated +# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the +# workload names), then you can limit the scope of this role as follows: +# +# rules +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +## + +## +# +# This `rules` setting is for legacy support (see the above discussion): +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "update", "create"] +# +# This `rules` configuration is the recommended, more secure, way: +# +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +# +## +--- +# Source: vsecm/charts/safe/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vsecm-secret-readwriter-binding +subjects: + - kind: ServiceAccount + name: vsecm-safe + namespace: vsecm-system +roleRef: + kind: ClusterRole + name: vsecm-secret-readwriter + apiGroup: rbac.authorization.k8s.io + +## +# +# Alternatively, for a tighter security, you can define a `RoleBinding` +# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to +# maintain. See the discussion about above `Role`s and `RoleBinding`s. +# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: vsecm-secret-readwriter-binding +# namespace: vsecm-system +# subjects: +# - kind: ServiceAccount +# name: vsecm-safe +# namespace: vsecm-system +# roleRef: +# kind: Role +# name: vsecm-secret-readwriter +# apiGroup: rbac.authorization.k8s.io +# +## +--- +# Source: vsecm/charts/sentinel/templates/Role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vsecm-sentinel-secret-reader + namespace: vsecm-system +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] +--- +# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: vsecm-system +subjects: + - kind: ServiceAccount + name: vsecm-sentinel + namespace: vsecm-system +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/safe/templates/Service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-keystone + securityContext: + {} + + priorityClassName: system-cluster-critical + + initContainers: + - name: init-container + image: "localhost:5000/vsecm-ist-init-container:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /spire-agent-socket + name: spire-agent-socket + readOnly: true + env: + # + # You can configure VSecM Init Container by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Init Container will assume the default values outlined in the given link above. 
+ # + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + + + + - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT + value: "0" + + + + - name: VSECM_LOG_LEVEL + value: "7" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + containers: + - name: main + image: "localhost:5000/vsecm-ist-keystone:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. 
+ # + env: + - name: VSECM_LOG_LEVEL + value: "7" + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true +--- +# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-sentinel + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "localhost:5000/vsecm-ist-sentinel:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. 
+ # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. + # + env: + + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + + - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER + value: "false" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE + value: "0" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC + value: "0" + + + + + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + + + + + - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL + value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" + + + + + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: init-command-volume + secret: + secretName: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/StatefulSet.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: vsecm-safe + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-safe + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "localhost:5000/vsecm-ist-safe:0.27.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP + volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: vsecm-root-key + mountPath: /key + 
readOnly: true + # + # You can configure VSecM Safe by providing environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. + # + env: + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + + + + - name: VSECM_SAFE_BACKING_STORE + value: "file" + + + + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + + + + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + + + + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + + + + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + + + + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" + + + + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + + + + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + + + + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + + + + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + + + + - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX + value: "k8s:" + + + + - name: VSECM_SAFE_ROOT_KEY_STORE + value: "k8s" + + + + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SAFE_ENDPOINT_URL + value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key + secret: + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt +--- +# Source: vsecm/charts/keystone/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-keystone + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-keystone" +--- +# Source: vsecm/charts/safe/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-safe + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-safe" +--- +# Source: vsecm/charts/sentinel/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-sentinel + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.27.2/remote/vsecm-distroless-fips.yaml b/k8s/0.27.2/remote/vsecm-distroless-fips.yaml new file mode 100644 index 00000000..91089a39 --- /dev/null +++ b/k8s/0.27.2/remote/vsecm-distroless-fips.yaml 
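Review bot: The new 0.27.2 manifest still pins every workload image to the previous release — `localhost:5000/vsecm-ist-init-container:0.27.1`, `localhost:5000/vsecm-ist-keystone:0.27.1`, `localhost:5000/vsecm-ist-sentinel:0.27.1` and `localhost:5000/vsecm-ist-safe:0.27.1` — while the safe and sentinel objects in the same file carry `helm.sh/chart: safe-0.27.2` / `app.kubernetes.io/version: "0.27.2"`, and the keystone ServiceAccount, Deployment and ClusterSPIFFEID are still labelled `keystone-0.27.1`. Since the file is rendered from the charts (`# Source:` headers), the drift presumably means the image tag and the keystone subchart version were not bumped before re-rendering; regenerating after those are updated would keep the release manifest self-consistent. As it stands, anything that audits deployed versions by label would report 0.27.2 while the running binaries are 0.27.1, which undermines the point of the bump. The same `keystone-0.27.1` label also appears in the ClusterSPIFFEID hunk above and in the `k8s/0.27.2/remote/vsecm-distroless-fips.yaml` hunk that follows.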
@@ -0,0 +1,1050 @@ +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + kubernetes.io/mountable-secrets: vsecm-root-key +automountServiceAccountToken: true +secrets: + - name: vsecm-root-key +--- +# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret +automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-root-key + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-safe +type: Opaque +data: + # '{}' (e30=) is a special placeholder to tell Safe that the Secret + # is not initialized. DO NOT remove or change it. + KEY_TXT: "e30=" +--- +# Source: vsecm/charts/sentinel/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-sentinel-init-secret + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-sentinel +type: Opaque +stringData: + data: "exit:true\n--\n" +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vsecm-secret-readwriter +# +# Creating a `ClusterRole` will make the role applicable to all namespaces +# within the cluster. This approach is easier to maintain, and still secure +# enough because VSecM Safe will talk only to the Secrets it knows about. +# Alternatively, you can create a `Role` for tighter control: +# +# kind: Role +# metadata: +# name: vsecm-secret-readwriter +# namespace: vsecm-system +# +## + +## +# +# It is not possible to implement a more granular regex-based +# access control using RBAC. See, for example: +# https://github.com/kubernetes/kubernetes/issues/93845 +# +# Also, note that you will either need to specify one role for each +# namespace, or you will need to define a ClusterRole across the cluster. +# The former approach is tedious, yet more explicit, and more secure. +# +# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated +# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the +# workload names), then you can limit the scope of this role as follows: +# +# rules +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +## + +## +# +# This `rules` setting is for legacy support (see the above discussion): +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "update", "create"] +# +# This `rules` configuration is the recommended, more secure, way: +# +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +# +## +--- +# Source: vsecm/charts/safe/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vsecm-secret-readwriter-binding +subjects: + - kind: ServiceAccount + name: vsecm-safe + namespace: vsecm-system +roleRef: + kind: ClusterRole + name: vsecm-secret-readwriter + apiGroup: rbac.authorization.k8s.io + +## +# +# Alternatively, for a tighter security, you can define a `RoleBinding` +# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to +# maintain. See the discussion about above `Role`s and `RoleBinding`s. +# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: vsecm-secret-readwriter-binding +# namespace: vsecm-system +# subjects: +# - kind: ServiceAccount +# name: vsecm-safe +# namespace: vsecm-system +# roleRef: +# kind: Role +# name: vsecm-secret-readwriter +# apiGroup: rbac.authorization.k8s.io +# +## +--- +# Source: vsecm/charts/sentinel/templates/Role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vsecm-sentinel-secret-reader + namespace: vsecm-system +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] +--- +# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: vsecm-system +subjects: + - kind: ServiceAccount + name: vsecm-sentinel + namespace: vsecm-system +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/safe/templates/Service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-keystone + securityContext: + {} + + priorityClassName: system-cluster-critical + + initContainers: + - name: init-container + image: "vsecm/vsecm-ist-init-container:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /spire-agent-socket + name: spire-agent-socket + readOnly: true + env: + # + # You can configure VSecM Init Container by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Init Container will assume the default values outlined in the given link above. 
+ # + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + + + + - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT + value: "0" + + + + - name: VSECM_LOG_LEVEL + value: "7" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + containers: + - name: main + image: "vsecm/vsecm-ist-fips-keystone:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. 
+ # + env: + - name: VSECM_LOG_LEVEL + value: "7" + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true +--- +# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-sentinel + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "vsecm/vsecm-ist-fips-sentinel:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. 
+ # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. + # + env: + + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + + - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER + value: "false" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE + value: "0" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC + value: "0" + + + + + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + + + + + - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL + value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" + + + + + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: init-command-volume + secret: + secretName: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/StatefulSet.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: vsecm-safe + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-safe + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "vsecm/vsecm-ist-fips-safe:0.27.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP + volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: vsecm-root-key + mountPath: /key + 
readOnly: true + # + # You can configure VSecM Safe by providing environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. + # + env: + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + + + + - name: VSECM_SAFE_BACKING_STORE + value: "file" + + + + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + + + + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + + + + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + + + + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + + + + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" + + + + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + + + + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + + + + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + + + + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + + + + - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX + value: "k8s:" + + + + - name: VSECM_SAFE_ROOT_KEY_STORE + value: "k8s" + + + + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SAFE_ENDPOINT_URL + value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key + secret: + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt +--- +# Source: vsecm/charts/keystone/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-keystone + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-keystone" +--- +# Source: vsecm/charts/safe/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-safe + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-safe" +--- +# Source: vsecm/charts/sentinel/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-sentinel + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.27.2/remote/vsecm-distroless.yaml b/k8s/0.27.2/remote/vsecm-distroless.yaml new file mode 100644 index 00000000..8fc9ea0d --- /dev/null +++ b/k8s/0.27.2/remote/vsecm-distroless.yaml 
@@ -0,0 +1,1050 @@ +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + kubernetes.io/mountable-secrets: vsecm-root-key +automountServiceAccountToken: true +secrets: + - name: vsecm-root-key +--- +# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret +automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-root-key + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-safe +type: Opaque +data: + # '{}' (e30=) is a special placeholder to tell Safe that the Secret + # is not initialized. DO NOT remove or change it. + KEY_TXT: "e30=" +--- +# Source: vsecm/charts/sentinel/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-sentinel-init-secret + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-sentinel +type: Opaque +stringData: + data: "exit:true\n--\n" +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vsecm-secret-readwriter +# +# Creating a `ClusterRole` will make the role applicable to all namespaces +# within the cluster. This approach is easier to maintain, and still secure +# enough because VSecM Safe will talk only to the Secrets it knows about. +# Alternatively, you can create a `Role` for tighter control: +# +# kind: Role +# metadata: +# name: vsecm-secret-readwriter +# namespace: vsecm-system +# +## + +## +# +# It is not possible to implement a more granular regex-based +# access control using RBAC. See, for example: +# https://github.com/kubernetes/kubernetes/issues/93845 +# +# Also, note that you will either need to specify one role for each +# namespace, or you will need to define a ClusterRole across the cluster. +# The former approach is tedious, yet more explicit, and more secure. +# +# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated +# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the +# workload names), then you can limit the scope of this role as follows: +# +# rules +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +## + +## +# +# This `rules` setting is for legacy support (see the above discussion): +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "update", "create"] +# +# This `rules` configuration is the recommended, more secure, way: +# +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +# +## +--- +# Source: vsecm/charts/safe/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vsecm-secret-readwriter-binding +subjects: + - kind: ServiceAccount + name: vsecm-safe + namespace: vsecm-system +roleRef: + kind: ClusterRole + name: vsecm-secret-readwriter + apiGroup: rbac.authorization.k8s.io + +## +# +# Alternatively, for a tighter security, you can define a `RoleBinding` +# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to +# maintain. See the discussion about above `Role`s and `RoleBinding`s. +# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: vsecm-secret-readwriter-binding +# namespace: vsecm-system +# subjects: +# - kind: ServiceAccount +# name: vsecm-safe +# namespace: vsecm-system +# roleRef: +# kind: Role +# name: vsecm-secret-readwriter +# apiGroup: rbac.authorization.k8s.io +# +## +--- +# Source: vsecm/charts/sentinel/templates/Role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vsecm-sentinel-secret-reader + namespace: vsecm-system +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] +--- +# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: vsecm-system +subjects: + - kind: ServiceAccount + name: vsecm-sentinel + namespace: vsecm-system +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/safe/templates/Service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-keystone + securityContext: + {} + + priorityClassName: system-cluster-critical + + initContainers: + - name: init-container + image: "vsecm/vsecm-ist-init-container:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /spire-agent-socket + name: spire-agent-socket + readOnly: true + env: + # + # You can configure VSecM Init Container by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Init Container will assume the default values outlined in the given link above. 
+ # + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + + + + - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT + value: "0" + + + + - name: VSECM_LOG_LEVEL + value: "7" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + containers: + - name: main + image: "vsecm/vsecm-ist-keystone:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. 
+ # + env: + - name: VSECM_LOG_LEVEL + value: "7" + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true +--- +# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-sentinel + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "vsecm/vsecm-ist-sentinel:0.27.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. 
+ # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. + # + env: + + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + + - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER + value: "false" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE + value: "0" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC + value: "0" + + + + + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + + + + + - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL + value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" + + + + + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: init-command-volume + secret: + secretName: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/StatefulSet.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: vsecm-safe + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-safe + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "vsecm/vsecm-ist-safe:0.27.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP + volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: vsecm-root-key + mountPath: /key + readOnly: 
true + # + # You can configure VSecM Safe by providing environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. + # + env: + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + + + + - name: VSECM_SAFE_BACKING_STORE + value: "file" + + + + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + + + + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + + + + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + + + + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + + + + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" + + + + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + + + + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + + + + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + + + + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + + + + - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX + value: "k8s:" + + + + - name: VSECM_SAFE_ROOT_KEY_STORE + value: "k8s" + + + + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + 
- name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key + secret: + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt +--- +# Source: vsecm/charts/keystone/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-keystone + labels: + helm.sh/chart: keystone-0.27.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-keystone" +--- +# Source: vsecm/charts/safe/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-safe + labels: + helm.sh/chart: safe-0.27.2 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-safe" +--- +# Source: vsecm/charts/sentinel/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-sentinel + labels: + helm.sh/chart: sentinel-0.27.2 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.27.2" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.27.2/spire.yaml b/k8s/0.27.2/spire.yaml new file mode 100644 index 00000000..02afb3ef --- /dev/null +++ b/k8s/0.27.2/spire.yaml 
@@ -0,0 +1,1803 @@ +--- +# Source: vsecm/charts/spire/templates/serviceaccount-spire-agent.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + namespace: spire-system + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +--- +# Source: vsecm/charts/spire/templates/serviceaccount-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + namespace: spire-server + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +--- +# Source: vsecm/charts/spire/templates/serviceaccount-spire-spiffe-csi-driver.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-spiffe-csi-driver + namespace: spire-system + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "0.2.3" + app.kubernetes.io/managed-by: Helm +--- +# Source: vsecm/charts/spire/templates/configmap-spire-agent.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + namespace: spire-system +data: + agent.conf: | + { + "agent": { + "data_dir": "/run/spire", + "log_level": "info", + "retry_bootstrap": true, + "server_address": "spire-server.spire-server", + "server_port": "443", + "socket_path": "/tmp/spire-agent/public/spire-agent.sock", + "trust_bundle_path": "/run/spire/bundle/bundle.crt", + "trust_domain": "vsecm.com" + }, + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "9982", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "KeyManager": [ + { + "memory": { + "plugin_data": null + } + } + ], + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "cluster": "vsecm-cluster" + } + } + } + ], + "WorkloadAttestor": [ + { + "k8s": { + "plugin_data": { + "disable_container_selectors": false, + "skip_kubelet_verification": true, + "use_new_container_locator": false, + "verbose_container_locator_logs": false + } + } + } + ] + }, + "telemetry": [ + { + "Prometheus": [ + { + "host": "0.0.0.0", + "port": 9988 + } + ] + } + ] + } +--- +# Source: vsecm/charts/spire/templates/configmap-spire-bundle.yaml +# /* +# | Protect your secrets, protect your sensitive data. 
+# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire-system +--- +# Source: vsecm/charts/spire/templates/configmap-spire-controller-manager.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-controller-manager + namespace: spire-server +data: + controller-manager-config.yaml: | + + apiVersion: spire.spiffe.io/v1alpha1 + kind: ControllerManagerConfig + metadata: + name: spire-controller-manager + namespace: spire-server + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + metrics: + bindAddress: 0.0.0.0:8082 + health: + healthProbeBindAddress: 0.0.0.0:8083 + leaderElection: + leaderElect: true + resourceName: 6f304bd2.spiffe.io + resourceNamespace: spire-server + validatingWebhookConfigurationName: spire-server-spire-controller-manager-webhook + entryIDPrefix: vsecm-cluster + clusterName: vsecm-cluster + trustDomain: vsecm.com + ignoreNamespaces: + - kube-system + - kube-public + - local-path-storage + - openshift-cluster-node-tuning-operator + - openshift-cluster-samples-operator + - openshift-cluster-storage-operator + - openshift-console-operator + - openshift-console + - openshift-dns + - openshift-dns-operator + - openshift-image-registry + - openshift-ingress + - openshift-kube-storage-version-migrator + - openshift-kube-storage-version-migrator-operator + - openshift-kube-proxy + - 
openshift-marketplace + - openshift-monitoring + - openshift-multus + - openshift-network-diagnostics + - openshift-network-operator + - openshift-operator-lifecycle-manager + - openshift-roks-metrics + - openshift-service-ca-operator + - openshift-service-ca + - ibm-odf-validation-webhook + - ibm-system + spireServerSocketPath: "/tmp/spire-server/private/api.sock" + className: "vsecm" + watchClassless: false + parentIDTemplate: "spiffe://{{ .TrustDomain }}/spire/agent/k8s_psat/{{ .ClusterName }}/{{ .NodeMeta.UID }}" + reconcile: + clusterSPIFFEIDs: true + clusterStaticEntries: true + clusterFederatedTrustDomains: true +--- +# Source: vsecm/charts/spire/templates/configmap-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + namespace: spire-server +data: + server.conf: | + { + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "8080", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "DataStore": [ + { + "sql": { + "plugin_data": { + "connection_string": "/run/spire/data/datastore.sqlite3", + "database_type": "sqlite3" + } + } + } + ], + "KeyManager": [ + { + "disk": { + "plugin_data": { + "keys_path": "/run/spire/data/keys.json" + } + } + } + ], + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "clusters": [ + { + "vsecm-cluster": { + "allowed_node_label_keys": [], + "allowed_pod_label_keys": [], + "audience": [ + "spire-server" + ], + "service_account_allow_list": [ + "spire-system:spire-agent" + ] + } + } + ] + } + } + } + ], + "Notifier": [ + { + "k8sbundle": { + "plugin_data": { + "config_map": "spire-bundle", + "namespace": "spire-system" + } + } + } + ] + }, + "server": { + 
"audit_log_enabled": false, + "bind_address": "0.0.0.0", + "bind_port": "8081", + "ca_key_type": "rsa-2048", + "ca_subject": [ + { + "common_name": "aegist.ist", + "country": [ + "US" + ], + "organization": [ + "vsecm.com" + ] + } + ], + "ca_ttl": "24h", + "data_dir": "/run/spire/data", + "default_jwt_svid_ttl": "1h", + "default_x509_svid_ttl": "4h", + "jwt_issuer": "https://oidc-discovery.vsecm.com", + "log_level": "info", + "trust_domain": "vsecm.com" + }, + "telemetry": [ + { + "Prometheus": [ + { + "host": "0.0.0.0", + "port": 9988 + } + ] + } + ] + } +--- +# Source: vsecm/charts/spire/templates/clusterrole-spire-agent.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Required cluster role to allow spire-agent to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - nodes/proxy + verbs: ["get"] +--- +# Source: vsecm/charts/spire/templates/clusterrole-spire-server-spire-controller-manager.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-spire-controller-manager +rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/status"] + verbs: ["get", "patch", "update"] +--- +# Source: vsecm/charts/spire/templates/clusterrole-spire-server-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# ClusterRole to allow spire-server node attestor to query Token Review API +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-spire-server +rules: + - apiGroups: [""] + resources: [nodes, pods] + verbs: ["get", "list"] + - apiGroups: [authentication.k8s.io] + resources: [tokenreviews] + verbs: ["get", "watch", "list", "create"] +--- +# Source: vsecm/charts/spire/templates/clusterrolebinding-spire-agent.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Binds SPIRE Agent Cluster Role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent +subjects: + - kind: ServiceAccount + name: spire-agent + namespace: spire-system +roleRef: + kind: ClusterRole + name: spire-agent + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/spire/templates/clusterrolebinding-spire-server-spire-controller-manager.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-server-spire-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spire-server-spire-controller-manager +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire-server +--- +# Source: vsecm/charts/spire/templates/clusterrolebinding-spire-server-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Binds spire-server-spire-server cluster role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-spire-server + +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-spire-server + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/spire/templates/role-spire-bundle.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Role to be able to push certificate bundles to a configmap +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-bundle + namespace: spire-system +rules: + - apiGroups: [""] + resources: [configmaps] + resourceNames: [spire-bundle] + verbs: + - get + - patch +--- +# Source: vsecm/charts/spire/templates/role-spire-controller-manager-leader-election.yaml +# /* +# | Protect your secrets, protect your sensitive data. 
+# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: spire-controller-manager-leader-election + namespace: spire-server +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: vsecm/charts/spire/templates/rolebinding-spire-bundle.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-bundle + namespace: spire-system +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire-server +roleRef: + kind: Role + name: spire-bundle + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/spire/templates/rolebinding-spire-controller-manager-leader-election.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: spire-controller-manager-leader-election + namespace: spire-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: spire-controller-manager-leader-election +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire-server +--- +# Source: vsecm/charts/spire/templates/service-spire-controller-manager-webhook.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: spire-controller-manager-webhook + namespace: spire-server + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: https + protocol: TCP + selector: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire +--- +# Source: vsecm/charts/spire/templates/service-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: spire-server + namespace: spire-server + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: grpc + port: 443 + targetPort: grpc + protocol: TCP + selector: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire +--- +# Source: vsecm/charts/spire/templates/daemonset-spire-agent.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + namespace: spire-system + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: default +spec: + selector: + matchLabels: + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/component: default + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: spire-agent + checksum/config: 2ad907b85aad20064f4cbf04be0f3bf500bbe6a43f76c82c48eda97306352008 + labels: + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/component: default + spec: + + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: spire-agent + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + priorityClassName: system-node-critical + initContainers: + - name: 
ensure-alternate-names + image: "cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d" + imagePullPolicy: IfNotPresent + command: ["bash", "-xc"] + args: + - | + cd /run/spire/agent-sockets + L=`readlink socket` + [ "x$L" != "xspire-agent.sock" ] && rm -f socket + [ ! -L socket ] && ln -s spire-agent.sock socket + L=`readlink api.sock` + [ "x$L" != "xspire-agent.sock" ] && rm -f api.sock + [ ! -L api.sock ] && ln -s spire-agent.sock api.sock + [ -L spire-agent.sock ] && rm -f spire-agent.sock + exit 0 + resources: + {} + volumeMounts: + - name: spire-agent-socket-dir + mountPath: /run/spire/agent-sockets + securityContext: + runAsUser: 0 + runAsGroup: 0 + - name: fsgroupfix + image: "cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d" + imagePullPolicy: IfNotPresent + command: ["bash", "-c"] + args: + - "chown -R 1000:1000 /run/spire/agent-sockets /tmp/spire-agent/private" + resources: + {} + volumeMounts: + - name: spire-agent-socket-dir + mountPath: /run/spire/agent-sockets + - name: spire-agent-admin-socket-dir + mountPath: /tmp/spire-agent/private + securityContext: + runAsUser: 0 + runAsGroup: 0 + containers: + - name: spire-agent + image: "ghcr.io/spiffe/spire-agent:1.9.6" + imagePullPolicy: IfNotPresent + args: ["-config", "/opt/spire/conf/agent/agent.conf"] + securityContext: + {} + env: + - name: PATH + value: "/opt/spire/bin:/bin" + ports: + - containerPort: 9982 + name: healthz + - containerPort: 9988 + name: prom + volumeMounts: + - name: spire-config + mountPath: /opt/spire/conf/agent + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + readOnly: true + - name: spire-agent-socket-dir + mountPath: /tmp/spire-agent/public + readOnly: false + - name: spire-token + mountPath: /var/run/secrets/tokens + livenessProbe: + httpGet: + path: /live + port: healthz + initialDelaySeconds: 15 + periodSeconds: 60 + readinessProbe: + httpGet: + 
path: /ready + port: healthz + initialDelaySeconds: 10 + periodSeconds: 30 + resources: + {} + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-agent-admin-socket-dir + emptyDir: {} + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/agent-sockets + type: DirectoryOrCreate +--- +# Source: vsecm/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-spiffe-csi-driver + namespace: spire-system + labels: + hhelm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "0.2.3" + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + spec: + serviceAccountName: spire-spiffe-csi-driver + + priorityClassName: system-node-critical + containers: + # This is the container which runs the SPIFFE CSI driver. + - name: spiffe-csi-driver + image: "ghcr.io/spiffe/spiffe-csi-driver:0.2.6" + imagePullPolicy: IfNotPresent + args: [ + "-workload-api-socket-dir", "/spire-agent-socket", + "-plugin-name", "csi.spiffe.io", + "-csi-socket-path", "/spiffe-csi/csi.sock", + ] + env: + # The CSI driver needs a unique node ID. 
The node name can be + # used for this purpose. + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + # The volume containing the SPIRE agent socket. The SPIFFE CSI + # driver will mount this directory into containers. + - mountPath: /spire-agent-socket + name: spire-agent-socket-dir + readOnly: true + # The volume that will contain the CSI driver socket shared + # with the kubelet and the driver registrar. + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The volume containing mount points for containers. + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + securityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - all + privileged: true + resources: + {} + # This container runs the CSI Node Driver Registrar which takes care + # of all the little details required to register a CSI driver with + # the kubelet. + - name: node-driver-registrar + image: "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0" + imagePullPolicy: IfNotPresent + args: [ + "-csi-address", "/spiffe-csi/csi.sock", + "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", + "-health-port", "9809" + ] + volumeMounts: + # The registrar needs access to the SPIFFE CSI driver socket + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The registrar needs access to the Kubelet plugin registration + # directory + - name: kubelet-plugin-registration-dir + mountPath: /registration + ports: + - containerPort: 9809 + name: healthz + livenessProbe: + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 5 + timeoutSeconds: 5 + resources: + {} + volumes: + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/agent-sockets + type: DirectoryOrCreate + # This volume is where the socket for kubelet->driver communication lives + - name: spiffe-csi-socket-dir + hostPath: + path: /var/lib/kubelet/plugins/csi.spiffe.io + type: DirectoryOrCreate 
+ # This volume is where the SPIFFE CSI driver mounts volumes + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + # This volume is where the node-driver-registrar registers the plugin + # with kubelet + - name: kubelet-plugin-registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory +--- +# Source: vsecm/charts/spire/templates/statefulset-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: spire-server + namespace: spire-server + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: server +spec: + replicas: 1 + serviceName: spire-server + selector: + matchLabels: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/component: server + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: spire-server + checksum/config: 83dddc7bb9f54b5059533228971826c0585045b7c4afb17635ede1e7ef6c1e35 + checksum/config2: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/config3: 9742ccbbd63b5da94e50bc34b73c946f254110b1f94fbc4ac437b3bba15cefe8 + checksum/configTornjak: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/component: server + component: server + release: spire + release-namespace: spire-server + spec: + + serviceAccountName: spire-server + shareProcessNamespace: true + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + 
runAsGroup: 1000 + runAsUser: 1000 + + priorityClassName: system-cluster-critical + containers: + - name: spire-server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/spiffe/spire-server:1.9.6" + imagePullPolicy: IfNotPresent + args: + - -expandEnv + - -config + - /run/spire/config/server.conf + env: + - name: PATH + value: "/opt/spire/bin:/bin" + ports: + - name: grpc + containerPort: 8081 + protocol: TCP + - containerPort: 8080 + name: healthz + - containerPort: 9988 + name: prom + livenessProbe: + httpGet: + path: /live + port: healthz + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {} + volumeMounts: + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: false + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-data + mountPath: /run/spire/data + readOnly: false + - name: server-tmp + mountPath: /tmp + readOnly: false + + - name: spire-controller-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/spiffe/spire-controller-manager:0.5.0" + imagePullPolicy: IfNotPresent + args: + - --config=controller-manager-config.yaml + env: + - name: ENABLE_WEBHOOKS + value: "true" + ports: + - name: https + containerPort: 9443 + protocol: TCP + - containerPort: 8083 + name: healthz + - containerPort: 8082 + name: prom-cm + livenessProbe: + httpGet: + path: /healthz + port: healthz + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + {} + volumeMounts: + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: true + - 
name: controller-manager-config + mountPath: /controller-manager-config.yaml + subPath: controller-manager-config.yaml + readOnly: true + - name: spire-controller-manager-tmp + mountPath: /tmp + subPath: spire-controller-manager + readOnly: false + volumes: + - name: server-tmp + emptyDir: {} + - name: spire-config + configMap: + name: spire-server + - name: spire-server-socket + emptyDir: {} + - name: spire-controller-manager-tmp + emptyDir: {} + - name: controller-manager-config + configMap: + name: spire-controller-manager + # noinspection KubernetesUnknownKeys + volumeClaimTemplates: + - metadata: + name: spire-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +# Source: vsecm/charts/spire/templates/clusterspiffeid-spire-server-spire-default.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +--- +# Source: vsecm/charts/spire/templates/openshift-security-context-constraints.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +--- +# Source: vsecm/charts/spire/templates/clusterspiffeid-spire-server-spire-test-keys.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: spire-server-spire-test-keys +spec: + className: "vsecm" + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + podSelector: + matchLabels: + component: test-keys + release: spire + release-namespace: spire-server + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - spire-server + - spire-system + - vsecm-system +--- +# Source: vsecm/charts/spire/templates/validatingwebhookconfiguration-spire-server-spire-controller-manager-webhook.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: spire-server-spire-controller-manager-webhook +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook + namespace: spire-server + path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain + failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks + name: vclusterfederatedtrustdomain.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterfederatedtrustdomains"] + sideEffects: None + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook + namespace: spire-server + path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid + failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks + name: vclusterspiffeid.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: 
["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterspiffeids"] + sideEffects: None +--- +# Source: vsecm/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: spire-system + labels: + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged + annotations: + "helm.sh/hook": pre-install +--- +# Source: vsecm/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: spire-server + labels: + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/warn: restricted + annotations: + "helm.sh/hook": pre-install +--- +# Source: vsecm/charts/spire/templates/hook-serviceaccount-spire-server-post-install.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server-post-install + namespace: spire-server + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: vsecm/charts/spire/templates/hook-serviceaccount-spire-server-post-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server-post-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: vsecm/charts/spire/templates/hook-serviceaccount-spire-server-pre-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server-pre-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: vsecm/charts/spire/templates/hook-clusterrole-spire-server-post-install.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-post-install + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + resourceNames: ["spire-server-spire-controller-manager-webhook"] + verbs: ["get", "patch"] +--- +# Source: vsecm/charts/spire/templates/hook-clusterrole-spire-server-post-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-post-upgrade + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + resourceNames: ["spire-server-spire-controller-manager-webhook"] + verbs: ["get", "patch"] +--- +# Source: vsecm/charts/spire/templates/hook-clusterrole-spire-server-pre-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-pre-upgrade + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + resourceNames: ["spire-server-spire-controller-manager-webhook"] + verbs: ["get", "patch"] +--- +# Source: vsecm/charts/spire/templates/hook-clusterrolebinding-spire-server-post-install.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-post-install + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-server-post-install + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-post-install + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/spire/templates/hook-clusterrolebinding-spire-server-post-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-post-upgrade + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-server-post-upgrade + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-post-upgrade + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/spire/templates/hook-clusterrolebinding-spire-server-pre-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-pre-upgrade + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-server-pre-upgrade + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-pre-upgrade + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/spire/templates/hook-job-spire-server-post-install.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-server-post-install + namespace: spire-server + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-server-post-install + spec: + + restartPolicy: Never + serviceAccountName: spire-server-post-install + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + + containers: + - name: post-install-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "docker.io/rancher/kubectl:v1.28.0" + imagePullPolicy: IfNotPresent + args: + - patch + - validatingwebhookconfiguration + - spire-server-spire-controller-manager-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + 
"name":"vclusterspiffeid.kb.io", + "failurePolicy":"Fail" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"Fail" + } + ] + } +--- +# Source: vsecm/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-server-post-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-server-post-upgrade + spec: + + restartPolicy: Never + serviceAccountName: spire-server-post-upgrade + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + containers: + - name: post-upgrade-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "docker.io/rancher/kubectl:v1.28.0" + imagePullPolicy: IfNotPresent + args: + - patch + - validatingwebhookconfiguration + - spire-server-spire-controller-manager-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"Fail" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"Fail" + } + ] + } +--- +# Source: vsecm/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. 
+# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-server-pre-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-0.27.2 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-server-pre-upgrade + spec: + + restartPolicy: Never + serviceAccountName: spire-server-pre-upgrade + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + containers: + - name: post-install-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "docker.io/rancher/kubectl:v1.28.0" + imagePullPolicy: IfNotPresent + args: + - patch + - validatingwebhookconfiguration + - spire-server-spire-controller-manager-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"Ignore" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"Ignore" + } + ] + } +--- +# Source: vsecm/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: "csi.spiffe.io" + annotations: + "helm.sh/hook": pre-install + +spec: + # Only ephemeral, inline volumes are supported. There is no need for a + # controller to provision and attach volumes. + attachRequired: false + + # Request the pod information which the CSI driver uses to verify that an + # ephemeral mount was requested. + podInfoOnMount: true + + # Don't change ownership on the contents of the mount since the Workload API + # Unix Domain Socket is typically open to all (i.e. 0777). + fsGroupPolicy: None + + # Declare support for ephemeral volumes only. + volumeLifecycleModes: + - Ephemeral