-
Notifications
You must be signed in to change notification settings - Fork 251
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: add helm and kustomize deployments of spiffe
Signed-off-by: AhmedGrati <[email protected]>
- Loading branch information
Showing
22 changed files
with
721 additions
and
0 deletions.
There are no files selected for viewing
24 changes: 24 additions & 0 deletions
24
deployment/helm/node-feature-discovery/templates/spire-agent-cluster-role.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| # Required cluster role to allow spire-agent to query k8s API server | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: spire-agent-cluster-role | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["pods","nodes","nodes/proxy"] | ||
| verbs: ["get"] | ||
|
|
||
| --- | ||
| # Binds above cluster role to spire-agent service account | ||
| kind: ClusterRoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: spire-agent-cluster-role-binding | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: spire-agent | ||
| namespace: spire | ||
| roleRef: | ||
| kind: ClusterRole | ||
| name: spire-agent-cluster-role | ||
| apiGroup: rbac.authorization.k8s.io |
50 changes: 50 additions & 0 deletions
50
deployment/helm/node-feature-discovery/templates/spire-agent-configmap.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: spire-agent | ||
| data: | ||
| agent.conf: | | ||
| agent { | ||
| data_dir = "/run/spire" | ||
| log_level = "DEBUG" | ||
| server_address = "spire-server" | ||
| server_port = "8081" | ||
| socket_path = "/run/spire/sockets/agent.sock" | ||
| trust_bundle_path = "/run/spire/bundle/bundle.crt" | ||
| trust_domain = "nfd.com" | ||
| } | ||
| plugins { | ||
| NodeAttestor "k8s_sat" { | ||
| plugin_data { | ||
| cluster = "nfd" | ||
| } | ||
| } | ||
| KeyManager "memory" { | ||
| plugin_data { | ||
| } | ||
| } | ||
| WorkloadAttestor "k8s" { | ||
| plugin_data { | ||
| skip_kubelet_verification = true | ||
| node_name_env = "MY_NODE_NAME" | ||
| } | ||
| } | ||
| WorkloadAttestor "unix" { | ||
| plugin_data { | ||
| } | ||
| } | ||
| } | ||
| health_checks { | ||
| listener_enabled = true | ||
| bind_address = "0.0.0.0" | ||
| bind_port = "8080" | ||
| live_path = "/live" | ||
| ready_path = "/ready" | ||
| } | ||
| {{- end }} |
71 changes: 71 additions & 0 deletions
71
deployment/helm/node-feature-discovery/templates/spire-agent-daemonset.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: apps/v1 | ||
| kind: DaemonSet | ||
| metadata: | ||
| name: spire-agent | ||
| labels: | ||
| app: spire-agent | ||
| spec: | ||
| selector: | ||
| matchLabels: | ||
| app: spire-agent | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: spire-agent | ||
| spec: | ||
| hostPID: true | ||
| hostNetwork: true | ||
| dnsPolicy: ClusterFirstWithHostNet | ||
| serviceAccountName: spire-agent | ||
| initContainers: | ||
| - name: init | ||
| # This is a small image with wait-for-it, choose whatever image | ||
| # you prefer that waits for a service to be up. This image is built | ||
| # from https://github.com/lqhl/wait-for-it | ||
| image: cgr.dev/chainguard/wait-for-it | ||
| args: ["-t", "30", "spire-server:8081"] | ||
| containers: | ||
| - name: spire-agent | ||
| image: ghcr.io/spiffe/spire-agent:1.5.1 | ||
| args: ["-config", "/run/spire/config/agent.conf"] | ||
| env: | ||
| - name: MY_NODE_NAME | ||
| valueFrom: | ||
| fieldRef: | ||
| fieldPath: status.podIP | ||
| volumeMounts: | ||
| - name: spire-config | ||
| mountPath: /run/spire/config | ||
| readOnly: true | ||
| - name: spire-bundle | ||
| mountPath: /run/spire/bundle | ||
| - name: spire-agent-socket | ||
| mountPath: /run/spire/sockets | ||
| readOnly: false | ||
| livenessProbe: | ||
| httpGet: | ||
| path: /live | ||
| port: 8080 | ||
| failureThreshold: 2 | ||
| initialDelaySeconds: 15 | ||
| periodSeconds: 60 | ||
| timeoutSeconds: 3 | ||
| readinessProbe: | ||
| httpGet: | ||
| path: /ready | ||
| port: 8080 | ||
| initialDelaySeconds: 5 | ||
| periodSeconds: 5 | ||
| volumes: | ||
| - name: spire-config | ||
| configMap: | ||
| name: spire-agent | ||
| - name: spire-bundle | ||
| configMap: | ||
| name: spire-bundle | ||
| - name: spire-agent-socket | ||
| hostPath: | ||
| path: /run/spire/sockets | ||
| type: DirectoryOrCreate | ||
| {{- end }} |
6 changes: 6 additions & 0 deletions
6
deployment/helm/node-feature-discovery/templates/spire-agent-service-account.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: spire-agent | ||
| {{- end }} |
6 changes: 6 additions & 0 deletions
6
deployment/helm/node-feature-discovery/templates/spire-bundle-configmap.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: spire-bundle | ||
| {{- end }} |
51 changes: 51 additions & 0 deletions
51
deployment/helm/node-feature-discovery/templates/spire-server-cluster-role.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| # Role (namespace scoped) to be able to push certificate bundles to a configmap | ||
| kind: Role | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: spire-server-configmap-role | ||
| namespace: spire | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["configmaps"] | ||
| verbs: ["patch", "get", "list"] | ||
| --- | ||
| # Binds above role to spire-server service account | ||
| kind: RoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: spire-server-configmap-role-binding | ||
| namespace: spire | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: spire-server | ||
| namespace: spire | ||
| roleRef: | ||
| apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: spire-server-configmap-role | ||
| --- | ||
| # ClusterRole to allow spire-server node attestor to query Token Review API | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: spire-server-trust-role | ||
| rules: | ||
| - apiGroups: ["authentication.k8s.io"] | ||
| resources: ["tokenreviews"] | ||
| verbs: ["create"] | ||
| --- | ||
| # Binds above cluster role to spire-server service account | ||
| kind: ClusterRoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: spire-server-trust-role-binding | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: spire-server | ||
| namespace: spire | ||
| roleRef: | ||
| kind: ClusterRole | ||
| name: spire-server-trust-role | ||
| apiGroup: rbac.authorization.k8s.io | ||
| {{- end }} |
63 changes: 63 additions & 0 deletions
63
deployment/helm/node-feature-discovery/templates/spire-server-configmap.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: spire-server | ||
| data: | ||
| server.conf: | | ||
| server { | ||
| bind_address = "0.0.0.0" | ||
| bind_port = "8081" | ||
| socket_path = "/tmp/spire-server/private/api.sock" | ||
| trust_domain = "nfd.com" | ||
| data_dir = "/run/spire/data" | ||
| log_level = "DEBUG" | ||
| #AWS requires the use of RSA. EC cryptography is not supported | ||
| ca_key_type = "rsa-2048" | ||
| ca_subject = { | ||
| country = ["US"], | ||
| organization = ["SPIFFE"], | ||
| common_name = "", | ||
| } | ||
| } | ||
| plugins { | ||
| DataStore "sql" { | ||
| plugin_data { | ||
| database_type = "sqlite3" | ||
| connection_string = "/run/spire/data/datastore.sqlite3" | ||
| } | ||
| } | ||
| NodeAttestor "k8s_sat" { | ||
| plugin_data { | ||
| clusters = { | ||
| "nfd" = { | ||
| use_token_review_api_validation = true | ||
| service_account_allow_list = ["spire:spire-agent"] | ||
| } | ||
| } | ||
| } | ||
| } | ||
| KeyManager "disk" { | ||
| plugin_data { | ||
| keys_path = "/run/spire/data/keys.json" | ||
| } | ||
| } | ||
| Notifier "k8sbundle" { | ||
| plugin_data { | ||
| } | ||
| } | ||
| } | ||
| health_checks { | ||
| listener_enabled = true | ||
| bind_address = "0.0.0.0" | ||
| bind_port = "8080" | ||
| live_path = "/live" | ||
| ready_path = "/ready" | ||
| } | ||
| {{- end }} |
6 changes: 6 additions & 0 deletions
6
deployment/helm/node-feature-discovery/templates/spire-server-service-account.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: spire-server | ||
| {{- end }} |
15 changes: 15 additions & 0 deletions
15
deployment/helm/node-feature-discovery/templates/spire-server-service.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: v1 | ||
| kind: Service | ||
| metadata: | ||
| name: spire-server | ||
| spec: | ||
| type: NodePort | ||
| ports: | ||
| - name: grpc | ||
| port: 8081 | ||
| targetPort: 8081 | ||
| protocol: TCP | ||
| selector: | ||
| app: spire-server | ||
| {{- end }} |
64 changes: 64 additions & 0 deletions
64
deployment/helm/node-feature-discovery/templates/spire-server-statefulset.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: apps/v1 | ||
| kind: StatefulSet | ||
| metadata: | ||
| name: spire-server | ||
| labels: | ||
| app: spire-server | ||
| spec: | ||
| replicas: 1 | ||
| selector: | ||
| matchLabels: | ||
| app: spire-server | ||
| serviceName: spire-server | ||
| template: | ||
| metadata: | ||
| namespace: spire | ||
| labels: | ||
| app: spire-server | ||
| spec: | ||
| serviceAccountName: spire-server | ||
| containers: | ||
| - name: spire-server | ||
| image: ghcr.io/spiffe/spire-server:1.5.1 | ||
| args: | ||
| - -config | ||
| - /run/spire/config/server.conf | ||
| ports: | ||
| - containerPort: 8081 | ||
| volumeMounts: | ||
| - name: spire-config | ||
| mountPath: /run/spire/config | ||
| readOnly: true | ||
| - name: spire-data | ||
| mountPath: /run/spire/data | ||
| readOnly: false | ||
| livenessProbe: | ||
| httpGet: | ||
| path: /live | ||
| port: 8080 | ||
| failureThreshold: 2 | ||
| initialDelaySeconds: 15 | ||
| periodSeconds: 60 | ||
| timeoutSeconds: 3 | ||
| readinessProbe: | ||
| httpGet: | ||
| path: /ready | ||
| port: 8080 | ||
| initialDelaySeconds: 5 | ||
| periodSeconds: 5 | ||
| volumes: | ||
| - name: spire-config | ||
| configMap: | ||
| name: spire-server | ||
| volumeClaimTemplates: | ||
| - metadata: | ||
| name: spire-data | ||
| namespace: spire | ||
| spec: | ||
| accessModes: | ||
| - ReadWriteOnce | ||
| resources: | ||
| requests: | ||
| storage: 1Gi | ||
| {{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.