Merge pull request #6 from alexandrealvino/controller-manager

Controller manager integration

POC/README.md

@@ -195,7 +195,7 @@ spire                spire-server-0                               2/2     Runnin
 ![Structure for each Mithril cluster with the bookinfo example.](img/overview.png)
 
 ### SPIRE Entries
-When using [K8S Workload Registrar](https://github.com/spiffe/spire/tree/main/support/k8s/k8s-workload-registrar) for automatic workload registration within Kubernetes, you can check the created entries using the following command:
+When using the [SPIRE Controller Manager]([https://github.com/spiffe/spire/tree/main/support/k8s/k8s-workload-registrar](https://github.com/spiffe/spire-controller-manager) for automatic workload registration within Kubernetes, you can check the created entries using the following command:
 
 ```
 kubectl exec -i -t pod/spire-server-0 -n spire -c spire-server -- /bin/sh -c "bin/spire-server entry show -socketPath /run/spire/sockets/server.sock"

POC/bookinfo/bookinfo.yaml

@@ -68,6 +68,7 @@ spec:
       labels:
         app: details
         version: v1
+        spireSpiffeid: workloads
       annotations:        
         inject.istio.io/templates: "sidecar,spire"
     spec:
@@ -123,6 +124,7 @@ spec:
       labels:
         app: ratings
         version: v1
+        spireSpiffeid: workloads
       annotations:        
         inject.istio.io/templates: "sidecar,spire"
     spec:
@@ -178,6 +180,7 @@ spec:
       labels:
         app: reviews
         version: v1
+        spireSpiffeid: workloads
       annotations:        
         inject.istio.io/templates: "sidecar,spire"
     spec:
@@ -222,6 +225,7 @@ spec:
       labels:
         app: reviews
         version: v2
+        spireSpiffeid: workloads
       annotations:
         inject.istio.io/templates: "sidecar,spire"
     spec:
@@ -266,6 +270,7 @@ spec:
       labels:
         app: reviews
         version: v3
+        spireSpiffeid: workloads
       annotations:
         inject.istio.io/templates: "sidecar,spire"
     spec:
@@ -334,6 +339,7 @@ spec:
       labels:
         app: productpage
         version: v1
+        spireSpiffeid: workloads
       annotations:
         inject.istio.io/templates: "sidecar,spire"
     spec:

POC/bookinfo/deploy-bookinfo.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
 
 istioctl kube-inject --filename bookinfo.yaml | kubectl apply -f -
+
 kubectl apply -f gateway.yaml

POC/create-namespaces.sh

@@ -1,7 +1,5 @@
 #!/bin/bash
 
-set -e
-
 kubectl create ns istio-system
 kubectl create ns spire
 sleep 2

POC/deploy-all.sh

@@ -1,9 +1,8 @@
 #!/bin/bash
 
-./create-namespaces.sh
-kubectl apply -f ./configmaps.yaml
+kubectl create ns istio-system
+kubectl apply -f configmaps.yaml
 
 (cd spire ; ./deploy-spire.sh)
-
 (cd istio ; ./deploy-istio.sh)
 (cd bookinfo ; ./deploy-bookinfo.sh)

POC/forward-port.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 
 INGRESS_POD=$(kubectl get pod -l istio=ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}")
-kubectl port-forward --address 0.0.0.0 "$INGRESS_POD"  8000:8080 -n istio-system &
+kubectl port-forward --address 0.0.0.0 "$INGRESS_POD" 8000:7080 -n istio-system &

POC/istio/istio-config.yaml

@@ -53,6 +53,8 @@ spec:
             kind: Deployment
             name: istiod
             patches:
+              - path: spec.template.metadata.labels.spireSpiffeid
+                value: istiod
               - path: spec.template.spec.containers.[name:discovery].volumeMounts[7]
                 value:
                   name: spire-agent-socket
@@ -68,6 +70,7 @@ spec:
         enabled: true
         label:
           istio: ingressgateway
+          spireSpiffeid: ingress
         k8s:
           overlays:
             - apiVersion: apps/v1

POC/set-bundles.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+kubectl config use-context kind-kind
+
+kubectl port-forward --address 0.0.0.0 spire-server-0 4001:8443 -n spire &
+
+bundle_server=$(kubectl exec --stdin spire-server-0 -c spire-server -n spire  -- /opt/spire/bin/spire-server bundle show -format spiffe -socketPath /run/spire/sockets/api.sock)
+
+kubectl config use-context kind-kind2
+
+kubectl port-forward --address 0.0.0.0 spire-server-0 4002:8443 -n spire &
+
+bundle_client=$(kubectl exec --stdin spire-server-0 -c spire-server -n spire  -- /opt/spire/bin/spire-server bundle show -format spiffe -socketPath /run/spire/sockets/api.sock)
+
+kubectl exec --stdin spire-server-0 -c spire-server -n spire -- /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://example.org -socketPath /run/spire/sockets/api.sock <<< "$bundle_server"
+
+kubectl config use-context kind-kind
+
+kubectl exec --stdin spire-server-0 -c spire-server -n spire -- /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://domain.test -socketPath /run/spire/sockets/api.sock <<< "$bundle_client"

POC/spire/crd-rbac/leader_election_role.yaml

@@ -0,0 +1,16 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: leader-election-role
+  namespace: spire
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]

POC/spire/crd-rbac/leader_election_role_binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: leader-election-rolebinding
+  namespace: spire
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: spire-server
+  namespace: spire

POC/spire/crd-rbac/role.yaml

@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: manager-role
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "patch", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterfederatedtrustdomains"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterfederatedtrustdomains/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterfederatedtrustdomains/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterspiffeids"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterspiffeids/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterspiffeids/status"]
+    verbs: ["get", "patch", "update"]

POC/spire/crd-rbac/role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: spire-server
+  namespace: spire

POC/spire/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml

@@ -0,0 +1,88 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.1
+  name: clusterfederatedtrustdomains.spire.spiffe.io
+spec:
+  group: spire.spiffe.io
+  names:
+    kind: ClusterFederatedTrustDomain
+    listKind: ClusterFederatedTrustDomainList
+    plural: clusterfederatedtrustdomains
+    singular: clusterfederatedtrustdomain
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.trustDomain
+      name: Trust Domain
+      type: string
+    - jsonPath: .spec.bundleEndpointURL
+      name: Endpoint URL
+      type: string
+    - jsonPath: .spec.bundleEndpointProfile
+      name: Endpoint Profile
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterFederatedTrustDomainSpec defines the desired state
+              of ClusterFederatedTrustDomain
+            properties:
+              bundleEndpointProfile:
+                description: BundleEndpointProfile is the profile for the bundle endpoint.
+                properties:
+                  endpointSPIFFEID:
+                    description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint.
+                      It is required for the "https_spiffe" profile.
+                    type: string
+                  type:
+                    description: Type is the type of the bundle endpoint profile.
+                    enum:
+                    - https_spiffe
+                    - https_web
+                    type: string
+                required:
+                - type
+                type: object
+              bundleEndpointURL:
+                description: BundleEndpointURL is the URL of the bundle endpoint.
+                  It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
+                type: string
+              trustDomain:
+                description: TrustDomain is the name of the trust domain to federate
+                  with (e.g. example.org)
+                pattern: '[a-z0-9._-]{1,255}'
+                type: string
+              trustDomainBundle:
+                description: TrustDomainBundle is the initial contents of the bundle
+                  for the referenced trust domain. This field is optional.
+                type: string
+            required:
+            - bundleEndpointProfile
+            - bundleEndpointURL
+            - trustDomain
+            type: object
+          status:
+            description: ClusterFederatedTrustDomainStatus defines the observed state
+              of ClusterFederatedTrustDomain
+            type: object
+        type: object
+    served: true
+    storage: true