diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index b741572d..62bcaf7f 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -27,7 +27,7 @@ description: | - --service-account-signing-key-file=/run/config/pki/sa.key ``` type: application -version: 0.7.6 +version: 0.8.0 appVersion: "1.5.3" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"] home: https://github.com/philips-labs/helm-charts/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 0f8e9496..6582123f 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -2,7 +2,7 @@ -![Version: 0.7.6](https://img.shields.io/badge/Version-0.7.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.3](https://img.shields.io/badge/AppVersion-1.5.3-informational?style=flat-square) +![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.3](https://img.shields.io/badge/AppVersion-1.5.3-informational?style=flat-square) A Helm chart for deploying spire-server and spire-agent. 
@@ -59,6 +59,19 @@ Kubernetes: `>=1.21.0-0` | agent.nodeSelector."kubernetes.io/arch" | string | `"amd64"` | | | agent.resources | object | `{}` | | | agent.service.annotations | object | `{}` | | +| controllerManager.affinity | object | `{}` | | +| controllerManager.enabled | bool | `false` | | +| controllerManager.image.pullPolicy | string | `"IfNotPresent"` | | +| controllerManager.image.registry | string | `"ghcr.io"` | | +| controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | | +| controllerManager.image.version | string | `"0.2.1"` | | +| controllerManager.nodeSelector."kubernetes.io/arch" | string | `"amd64"` | | +| controllerManager.podAnnotations | object | `{}` | | +| controllerManager.podSecurityContext | object | `{}` | | +| controllerManager.replicaCount | int | `1` | | +| controllerManager.resources | object | `{}` | | +| controllerManager.securityContext | object | `{}` | | +| controllerManager.tolerations | list | `[]` | | | csiDriver.image.pullPolicy | string | `"IfNotPresent"` | | | csiDriver.image.registry | string | `"ghcr.io"` | | | csiDriver.image.repository | string | `"spiffe/spiffe-csi-driver"` | | @@ -135,6 +148,7 @@ Kubernetes: `>=1.21.0-0` | waitForIt.image.repository | string | `"chainguard/wait-for-it"` | | | waitForIt.image.version | string | `"latest-20221215"` | | | waitForIt.resources | object | `{}` | | +| workloadRegistrar.enabled | bool | `true` | | | workloadRegistrar.image.pullPolicy | string | `"IfNotPresent"` | | | workloadRegistrar.image.registry | string | `"gcr.io"` | | | workloadRegistrar.image.repository | string | `"spiffe-io/k8s-workload-registrar"` | | diff --git a/charts/spire/crds/clusterfederatedtrustdomains.yaml b/charts/spire/crds/clusterfederatedtrustdomains.yaml new file mode 100644 index 00000000..91aae17e --- /dev/null +++ b/charts/spire/crds/clusterfederatedtrustdomains.yaml 
@@ -0,0 +1,96 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterfederatedtrustdomains.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterFederatedTrustDomain + listKind: ClusterFederatedTrustDomainList + plural: clusterfederatedtrustdomains + singular: clusterfederatedtrustdomain + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trustDomain + name: Trust Domain + type: string + - jsonPath: .spec.bundleEndpointURL + name: Endpoint URL + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterFederatedTrustDomainSpec defines the desired state + of ClusterFederatedTrustDomain + properties: + bundleEndpointProfile: + description: BundleEndpointProfile is the profile for the bundle endpoint. + properties: + endpointSPIFFEID: + description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. + It is required for the "https_spiffe" profile. + type: string + type: + description: Type is the type of the bundle endpoint profile. 
+ enum: + - https_spiffe + - https_web + type: string + required: + - type + type: object + bundleEndpointURL: + description: BundleEndpointURL is the URL of the bundle endpoint. + It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). + type: string + trustDomain: + description: TrustDomain is the name of the trust domain to federate + with (e.g. example.org) + pattern: '[a-z0-9._-]{1,255}' + type: string + trustDomainBundle: + description: TrustDomainBundle is the contents of the bundle for the + referenced trust domain. This field is optional when the resource + is created. + type: string + required: + - bundleEndpointProfile + - bundleEndpointURL + - trustDomain + type: object + status: + description: ClusterFederatedTrustDomainStatus defines the observed state + of ClusterFederatedTrustDomain + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/spire/crds/clusterspiffeids.yaml b/charts/spire/crds/clusterspiffeids.yaml new file mode 100644 index 00000000..74758a5a --- /dev/null +++ b/charts/spire/crds/clusterspiffeids.yaml 
@@ -0,0 +1,221 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterspiffeids.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterSPIFFEID + listKind: ClusterSPIFFEIDList + plural: clusterspiffeids + singular: clusterspiffeid + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSPIFFEID is the Schema for the clusterspiffeids API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID + properties: + admin: + description: Admin indicates whether or not the SVID can be used to + access the SPIRE administrative APIs. Extra care should be taken + to only apply this SPIFFE ID to admin workloads. + type: boolean + dnsNameTemplates: + description: DNSNameTemplate represents templates for extra DNS names + that are applicable to SVIDs minted for this ClusterSPIFFEID. The + node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. 
+ items: + type: string + type: array + federatesWith: + description: FederatesWith is a list of trust domain names that workloads + that obtain this SPIFFE ID will federate with. + items: + type: string + type: array + namespaceSelector: + description: NamespaceSelector selects the namespaces that are targetted + by this CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + podSelector: + description: PodSelector selects the pods that are targetted by this + CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. 
+ properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + spiffeIDTemplate: + description: SPIFFEID is the SPIFFE ID template. The node and pod + spec are made available to the template under .NodeSpec, .PodSpec + respectively. + type: string + ttl: + description: TTL indicates an upper-bound time-to-live for SVIDs minted + for this ClusterSPIFFEID. If unset, a default will be chosen. + type: string + workloadSelectorTemplates: + description: WorkloadSelectorTemplates are templates to produce arbitrary + workload selectors that apply to a given workload before it will + receive this SPIFFE ID. The rendered value is interpreted by SPIRE + and are of the form type:value, where the value may, and often does, + contain semicolons, .e.g., k8s:container-image:docker/hello-world + The node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. 
+ items: + type: string + type: array + required: + - spiffeIDTemplate + type: object + status: + description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID + properties: + stats: + description: Stats produced by the last entry reconciliation run + properties: + entriesMasked: + description: How many entries were masked by entries for other + ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs + produce an entry for the same pod with the same set of workload + selectors. + type: integer + entriesToSet: + description: How many entries are to be set for this ClusterSPIFFEID. + In nominal conditions, this should reflect the number of pods + selected, but not always if there were problems encountered + rendering an entry for the pod (RenderFailures) or entries are + masked (EntriesMasked). + type: integer + entryFailures: + description: How many entries were unable to be set due to failures + to create or update the entries via the SPIRE Server API. + type: integer + namespacesIgnored: + description: How many (selected) namespaces were ignored (based + on configuration). + type: integer + namespacesSelected: + description: How many namespaces were selected. + type: integer + podEntryRenderFailures: + description: How many failures were encountered rendering an entry + selected pods. This could be due to either a bad template in + the ClusterSPIFFEID or Pod metadata that when applied to the + template did not produce valid entry values. + type: integer + podsSelected: + description: How many pods were selected out of the namespaces. + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/spire/crds/controllermanagerconfigs.yaml b/charts/spire/crds/controllermanagerconfigs.yaml new file mode 100644 index 00000000..7845a107 --- /dev/null 
+++ b/charts/spire/crds/controllermanagerconfigs.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: controllermanagerconfigs.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ControllerManagerConfig + listKind: ControllerManagerConfigList + plural: controllermanagerconfigs + singular: controllermanagerconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ControllerManagerConfig is the Schema for the controllermanagerconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControllerManagerConfigSpec defines the desired state of + ControllerManagerConfig + properties: + foo: + description: Foo is an example field of ControllerManagerConfig. Edit + controllermanagerconfig_types.go to remove/update + type: string + type: object + status: + description: ControllerManagerConfigStatus defines the observed state + of ControllerManagerConfig + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/charts/spire/templates/_helpers.tpl b/charts/spire/templates/_helpers.tpl index ee4073eb..f4d8ed22 100644 --- a/charts/spire/templates/_helpers.tpl +++ b/charts/spire/templates/_helpers.tpl @@ -110,6 +110,28 @@ app.kubernetes.io/name: {{ include "spire.name" . }}-oidc app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} + +{{/* +Common controllerManager labels +*/}} +{{- define "spire.controllerManager.labels" -}} +helm.sh/chart: {{ include "spire.chart" . }} +{{ include "spire.controllerManager.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector controller-manager labels +*/}} +{{- define "spire.controllerManager.selectorLabels" -}} +app.kubernetes.io/name: {{ include "spire.name" . }}-controller-manager +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + + {{/* Create the name of the service account to use */}} diff --git a/charts/spire/templates/server-cluster-role.yaml b/charts/spire/templates/server-cluster-role.yaml index db5793c0..927308b9 100644 --- a/charts/spire/templates/server-cluster-role.yaml +++ b/charts/spire/templates/server-cluster-role.yaml 
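Review bot: `spire.controllerManager.labels` sets `app.kubernetes.io/version` from `.Chart.AppVersion`, but the controller-manager image tag comes from `controllerManager.image.version` (`"0.2.1"` in this commit's values.yaml hunk), so the label will advertise the SPIRE appVersion rather than the version of the container it is attached to. Either derive it from `.Values.controllerManager.image.version` or state in the `{{/* Common controllerManager labels */}}` header that the label mirrors the chart appVersion, not the controller-manager release. The hunk also appears to leave three consecutive blank lines before the existing `Create the name of the service account to use` comment where one is the convention.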
@@ -11,12 +11,32 @@ rules: resources: ["tokenreviews"] verbs: ["get", "create"] - apiGroups: [""] - resources: ["pods", "nodes"] + resources: ["pods", "nodes", "namespaces"] verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["create", "update", "delete", "get", "list", "watch"] - + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] --- # Binds above cluster role to spire-server service account kind: ClusterRoleBinding diff --git a/charts/spire/templates/server-role.yaml b/charts/spire/templates/server-role.yaml index 7b3c8d6b..4feec256 100644 --- a/charts/spire/templates/server-role.yaml +++ b/charts/spire/templates/server-role.yaml @@ -18,11 +18,7 @@ rules: verbs: ["get", "patch"] - apiGroups: [""] resources: ["configmaps"] - verbs: ["create"] - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["spire-k8s-registrar-leader-election"] - verbs: ["update", "get"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["events"] verbs: ["create"] 
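Review bot: The new rules are added to the ClusterRole that the `ClusterRoleBinding` at the end of the hunk binds to the spire-server service account, yet the controller-manager Deployment introduced in this commit runs as `{{ include "spire.serviceAccountName" . }}-agent`, so as written the server gains CRD and webhook permissions it does not use and the controller manager gets none of them. The rules are also unconditional: a release with `controllerManager.enabled: false` (the default) still grants the server `patch` on every `validatingwebhookconfigurations` object cluster-wide and full write access to `clusterspiffeids` and `clusterfederatedtrustdomains`. Wrap the new rules in `{{- if eq (.Values.controllerManager.enabled | toString) "true" }}` … `{{- end }}`, bind them to a dedicated controller-manager service account, and scope the webhook rule with `resourceNames: ["{{ include "spire.fullname" . }}-controller-manager-webhook"]` so only the chart's own configuration can be patched.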
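Review bot: The replacement `verbs` line drops the `resourceNames: ["spire-k8s-registrar-leader-election"]` restriction and widens the server's Role from `create` plus scoped `update`/`get` to `get, list, watch, create, update, patch, delete` on every ConfigMap in the release namespace. That namespace also holds the server, workload-registrar and (when enabled) controller-manager ConfigMaps this chart installs, so the server service account can now rewrite its own and the controller manager's configuration. If broader verbs are needed for leader election, keep `create` unrestricted and scope the mutating verbs with `resourceNames` to the lock ConfigMap(s) actually used; the `rules:` list begins before this hunk.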
diff --git a/charts/spire/templates/server-statefulset.yaml b/charts/spire/templates/server-statefulset.yaml index 6c53a9e4..e359aee6 100644 --- a/charts/spire/templates/server-statefulset.yaml +++ b/charts/spire/templates/server-statefulset.yaml @@ -75,6 +75,7 @@ spec: periodSeconds: 5 resources: {{- toYaml .Values.server.resources | nindent 12 }} + {{- if .Values.workloadRegistrar.enabled }} - name: {{ .Chart.Name }}-workload-registrar securityContext: {{- toYaml .Values.securityContext | nindent 12 }} @@ -95,6 +96,7 @@ spec: readOnly: true resources: {{- toYaml .Values.workloadRegistrar.resources | nindent 12 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -112,9 +114,11 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes: + {{- if .Values.workloadRegistrar.enabled }} - name: spire-workload-registrar-config configMap: name: {{ include "spire.fullname" . }}-workload-registrar + {{- end }} - name: spire-config configMap: name: {{ include "spire.fullname" . }}-server diff --git a/charts/spire/templates/spire-controller-manager-configmap.yaml b/charts/spire/templates/spire-controller-manager-configmap.yaml new file mode 100644 index 00000000..f03eed5c --- /dev/null +++ b/charts/spire/templates/spire-controller-manager-configmap.yaml 
@@ -0,0 +1,31 @@
+{{- if eq (.Values.controllerManager.enabled | toString) "true" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "spire.fullname" . }}-controller-manager-config
+ namespace: {{ .Release.Namespace }}
+data:
+ spire-controller-manager-config.yaml: |
+ apiVersion: spire.spiffe.io/v1alpha1
+ kind: ControllerManagerConfig
+ metadata:
+ name: {{ include "spire.fullname" . }}-controller-manager-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "spire.server.labels" . | nindent 4 }}
+ metrics:
+ bindAddress: 127.0.0.1:8082
+ healthProbe:
+ bindAddress: 127.0.0.1:8083
+ leaderElection:
+ leaderElect: true
+ resourceName: 98c9c988.spiffe.io
+ resourceNamespace: {{ .Release.Namespace }}
+ clusterName: {{ .Values.spire.clusterName }}
+ trustDomain: {{ .Values.spire.trustDomain }}
+ ignoreNamespaces:
+ - kube-system
+ - kube-public
+ - {{ .Release.Namespace }}
+ spireServerSocketPath: {{ .Values.server.config.socketPath | quote }}
+{{- end }}
diff --git a/charts/spire/templates/spire-controller-manager-deployment.yaml b/charts/spire/templates/spire-controller-manager-deployment.yaml
new file mode 100644
index 00000000..3a5834ee
--- /dev/null
+++ b/charts/spire/templates/spire-controller-manager-deployment.yaml
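Review bot: Inside the `spire-controller-manager-config.yaml: |` block scalar, the `labels:` key under `metadata:` is followed by `{{- include "spire.server.labels" . | nindent 4 }}`, which looks like it emits the label lines at the block scalar's base indent — as siblings of `metadata:` rather than children of `labels:` — leaving `labels:` null and adding unknown top-level keys to the ControllerManagerConfig; `nindent 8` appears to be the intended depth, but confirm against `helm template` output. The templated scalars `clusterName: {{ .Values.spire.clusterName }}` and `trustDomain: {{ .Values.spire.trustDomain }}` are unquoted, unlike `spireServerSocketPath`, so an empty or boolean-looking value is retyped by the YAML parser; pipe both through `| quote`. The fixed `ignoreNamespaces` list (release namespace, `kube-system`, `kube-public`) is presumably the set of namespaces the controller manager skips, and since it is not adjustable through values it deserves a comment above `ignoreNamespaces:` saying so.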
@@ -0,0 +1,72 @@
+{{- if eq (.Values.controllerManager.enabled | toString) "true" }}
+{{- $fullname := include "spire.fullname" . }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ printf "%s-controller-manager" $fullname }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "spire.controllerManager.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.controllerManager.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "spire.controllerManager.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.controllerManager.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "spire.controllerManager.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range . }}
+ - name: {{ printf "%s-%s" $fullname .name }}
+ {{- end }}
+ {{- end }}
+ serviceAccountName: {{ include "spire.serviceAccountName" . }}-agent
+ securityContext:
+ {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}-controller-manager
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: {{ template "spire.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.image) }}
+ imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }}
+ args:
+ - "--config=spire-controller-manager-config.yaml"
+ ports:
+ - containerPort: 9443
+ volumeMounts:
+ - name: spire-server-socket
+ mountPath: /run/spire/server-sockets
+ readOnly: true
+ - name: spire-controller-manager-config
+ mountPath: /spire-controller-manager-config.yaml
+ subPath: spire-controller-manager-config.yaml
+ resources:
+ {{- toYaml .Values.controllerManager.resources | nindent 12 }}
+ volumes:
+ - name: spire-server-socket
+ hostPath:
+ path: /run/spire/server-sockets
+ type: DirectoryOrCreate
+ - name: spire-controller-manager-config
+ configMap:
+ name: {{ include "spire.fullname" . 
}}-controller-manager-config
+ {{- with .Values.controllerManager.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controllerManager.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controllerManager.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{ end }}
diff --git a/charts/spire/templates/spire-controller-manager-webhook-service.yaml b/charts/spire/templates/spire-controller-manager-webhook-service.yaml
new file mode 100644
index 00000000..388f5062
--- /dev/null
+++ b/charts/spire/templates/spire-controller-manager-webhook-service.yaml
@@ -0,0 +1,19 @@
+{{- if eq (.Values.controllerManager.enabled | toString) "true" }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "spire.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "spire.server.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.server.service.type }}
+ ports:
+ - name: https
+ port: 443
+ targetPort: 9443
+ protocol: TCP
+ selector:
+ {{- include "spire.server.selectorLabels" . | nindent 4 }}
+{{- end }}
+
diff --git a/charts/spire/templates/spire-controller-manager-webhook.yaml b/charts/spire/templates/spire-controller-manager-webhook.yaml
new file mode 100644
index 00000000..e80e0987
--- /dev/null
+++ b/charts/spire/templates/spire-controller-manager-webhook.yaml
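Review bot: The controller-manager container's `securityContext:` is rendered from `.Values.securityContext` rather than the `controllerManager.securityContext` value that this commit adds in values.yaml (and documents in README.md), so that per-component value is dead; the fix is `{{- toYaml .Values.controllerManager.securityContext | nindent 12 }}`. The pod also runs as `{{ include "spire.serviceAccountName" . }}-agent` while the RBAC for the CRDs and webhook configuration was added to the server ClusterRole in this commit, so one side or the other is wrong; a dedicated service account with its own ClusterRoleBinding would make the grant explicit. Finally, the socket volume is a `hostPath` of `/run/spire/server-sockets` with `type: DirectoryOrCreate`, which only reaches the server socket on the node where the server pod runs; nothing in the pod spec pins it there (`nodeSelector` is by arch only, `affinity: {}`), and on any other node the type silently creates an empty directory. Either run the controller manager as a sidecar of the server StatefulSet next to the socket, or add the required affinity and document the co-location requirement above `volumes:`.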
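Review bot: The Service's `selector:` uses `spire.server.selectorLabels`, so it targets the spire-server pods, but the container listening on `targetPort: 9443` lives in the controller-manager Deployment whose pods carry `spire.controllerManager.selectorLabels`; as written the API server's webhook calls will find no endpoints. The Service is named `{{ include "spire.fullname" . }}-controller-manager`, whereas the ValidatingWebhookConfiguration added in this commit points at `...-controller-manager-webhook-service`, so the two names must be reconciled. `type: {{ .Values.server.service.type }}` also reuses the server Service's type; the webhook is only called by the API server, so a fixed `type: ClusterIP` avoids exposing the admission endpoint on a NodePort or load balancer whenever the server is.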
@@ -0,0 +1,35 @@
+{{- if eq (.Values.controllerManager.enabled | toString) "true" }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ include "spire.fullname" . }}-controller-manager-webhook
+webhooks:
+ - admissionReviewVersions: ["v1"]
+ clientConfig:
+ service:
+ name: {{ include "spire.fullname" . }}-controller-manager-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain
+ failurePolicy: Fail
+ name: vclusterfederatedtrustdomain.kb.io
+ rules:
+ - apiGroups: ["spire.spiffe.io"]
+ apiVersions: ["v1alpha1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["clusterfederatedtrustdomains"]
+ sideEffects: None
+ - admissionReviewVersions: ["v1"]
+ clientConfig:
+ service:
+ name: spire-controller-manager-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid
+ failurePolicy: Fail
+ name: vclusterspiffeid.kb.io
+ rules:
+ - apiGroups: ["spire.spiffe.io"]
+ apiVersions: ["v1alpha1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["clusterspiffeids"]
+ sideEffects: None
+{{- end }}
diff --git a/charts/spire/templates/workload-registrar-configmap.yaml b/charts/spire/templates/workload-registrar-configmap.yaml
index 72f0ed58..b0aca3b7 100644
--- a/charts/spire/templates/workload-registrar-configmap.yaml
+++ b/charts/spire/templates/workload-registrar-configmap.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.workloadRegistrar.enabled }} apiVersion: v1 kind: ConfigMap metadata:
@@ -12,3 +13,4 @@ data: server_address = "unix://{{ .Values.server.config.socketPath }}" leader_election = true metrics_addr = "0.0.0.0:18080"
+{{- end }}
diff --git a/charts/spire/templates/workload-registrar-service.yaml b/charts/spire/templates/workload-registrar-service.yaml
index 0588e905..cb5cec1d 100644
--- a/charts/spire/templates/workload-registrar-service.yaml
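Review bot: The second webhook's `clientConfig.service.name` is the hard-coded `spire-controller-manager-webhook-service` while the first uses `{{ include "spire.fullname" . }}-controller-manager-webhook-service`, and neither matches the Service this commit creates (`{{ include "spire.fullname" . }}-controller-manager`); with `failurePolicy: Fail` every CREATE or UPDATE of a ClusterSPIFFEID or ClusterFederatedTrustDomain will be rejected until the three names agree, so use the same `include` expression in both entries and in the Service. Neither webhook sets `clientConfig.caBundle`; if the controller manager is expected to inject it at runtime (which would explain the `patch` verb on `validatingwebhookconfigurations` added to the ClusterRole in this commit), say so in a comment above `webhooks:`, since until injection happens the same `Fail` policy blocks the resources. The object is cluster-scoped and carries no labels; adding `labels:` from `spire.controllerManager.labels` under `metadata:` keeps it attributable to the release.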
+++ b/charts/spire/templates/workload-registrar-service.yaml @@ -1,3 +1,4 @@ +{{- if .Values.workloadRegistrar.enabled }} apiVersion: v1 kind: Service metadata: @@ -18,3 +19,4 @@ spec: protocol: TCP selector: {{- include "spire.server.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index ad286ce5..b12f6f77 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -10,6 +10,7 @@ waitForIt: resources: {} workloadRegistrar: + enabled: true image: registry: gcr.io repository: spiffe-io/k8s-workload-registrar @@ -28,10 +29,51 @@ workloadRegistrar: # limits: # cpu: 100m # memory: 64Mi - service: annotations: {} +controllerManager: + enabled: false + replicaCount: 1 + + image: + registry: ghcr.io + repository: spiffe/spire-controller-manager + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + version: "0.2.1" + + nodeSelector: + kubernetes.io/arch: amd64 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # requests: + # cpu: 50m + # memory: 32Mi + # limits: + # cpu: 100m + # memory: 64Mi + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + tolerations: [] + + affinity: {} + podAnnotations: {} + server: replicaCount: 1 image:
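Review bot: The comment above `version: "0.2.1"` says the image tag defaults to the chart appVersion, but appVersion is `1.5.3` (the SPIRE release, per the Chart.yaml hunk in this commit), which is not a spire-controller-manager tag, so an empty `version` would presumably resolve to an image that does not exist; reword it to `# Tag of the spire-controller-manager image. It does not track the chart appVersion, so keep it set.` The hardening keys under `controllerManager.securityContext` (`capabilities.drop: [ALL]`, `readOnlyRootFilesystem`, `runAsNonRoot`, `runAsUser`) ship commented out, and `podSecurityContext` is `{}`, so a component with access to the SPIRE server socket runs unrestricted by default; consider enabling those keys by default and letting users relax them. `nodeSelector: kubernetes.io/arch: amd64` is a hard default that silently prevents scheduling on other architectures, which deserves a one-line comment saying why.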