diff --git a/POC/README.md b/POC/README.md index 6d009b89..eba42d54 100644 --- a/POC/README.md +++ b/POC/README.md @@ -195,7 +195,7 @@ spire spire-server-0 2/2 Runnin ![Structure for each Mithril cluster with the bookinfo example.](img/overview.png) ### SPIRE Entries -When using [K8S Workload Registrar](https://github.com/spiffe/spire/tree/main/support/k8s/k8s-workload-registrar) for automatic workload registration within Kubernetes, you can check the created entries using the following command: +When using the [SPIRE Controller Manager]([https://github.com/spiffe/spire/tree/main/support/k8s/k8s-workload-registrar](https://github.com/spiffe/spire-controller-manager) for automatic workload registration within Kubernetes, you can check the created entries using the following command: ``` kubectl exec -i -t pod/spire-server-0 -n spire -c spire-server -- /bin/sh -c "bin/spire-server entry show -socketPath /run/spire/sockets/server.sock" diff --git a/POC/bookinfo/bookinfo.yaml b/POC/bookinfo/bookinfo.yaml index 96a253bc..6a37bf52 100644 --- a/POC/bookinfo/bookinfo.yaml +++ b/POC/bookinfo/bookinfo.yaml @@ -68,6 +68,7 @@ spec: labels: app: details version: v1 + spireSpiffeid: workloads annotations: inject.istio.io/templates: "sidecar,spire" spec: @@ -123,6 +124,7 @@ spec: labels: app: ratings version: v1 + spireSpiffeid: workloads annotations: inject.istio.io/templates: "sidecar,spire" spec: @@ -178,6 +180,7 @@ spec: labels: app: reviews version: v1 + spireSpiffeid: workloads annotations: inject.istio.io/templates: "sidecar,spire" spec: @@ -222,6 +225,7 @@ spec: labels: app: reviews version: v2 + spireSpiffeid: workloads annotations: inject.istio.io/templates: "sidecar,spire" spec: @@ -266,6 +270,7 @@ spec: labels: app: reviews version: v3 + spireSpiffeid: workloads annotations: inject.istio.io/templates: "sidecar,spire" spec: 
@@ -334,6 +339,7 @@ spec: labels: app: productpage version: v1 + spireSpiffeid: workloads annotations: inject.istio.io/templates: "sidecar,spire" spec: diff --git a/POC/bookinfo/deploy-bookinfo.sh b/POC/bookinfo/deploy-bookinfo.sh index 11a9f924..c2e307f2 100755 --- a/POC/bookinfo/deploy-bookinfo.sh +++ b/POC/bookinfo/deploy-bookinfo.sh @@ -1,4 +1,5 @@ #!/bin/bash istioctl kube-inject --filename bookinfo.yaml | kubectl apply -f - + kubectl apply -f gateway.yaml diff --git a/POC/create-namespaces.sh b/POC/create-namespaces.sh index 7ef68071..29febfe7 100755 --- a/POC/create-namespaces.sh +++ b/POC/create-namespaces.sh @@ -1,7 +1,5 @@ #!/bin/bash -set -e - kubectl create ns istio-system kubectl create ns spire sleep 2 diff --git a/POC/deploy-all.sh b/POC/deploy-all.sh index 13bf6c43..81d3d329 100755 --- a/POC/deploy-all.sh +++ b/POC/deploy-all.sh @@ -1,9 +1,8 @@ #!/bin/bash -./create-namespaces.sh -kubectl apply -f ./configmaps.yaml +kubectl create ns istio-system +kubectl apply -f configmaps.yaml (cd spire ; ./deploy-spire.sh) - (cd istio ; ./deploy-istio.sh) (cd bookinfo ; ./deploy-bookinfo.sh) diff --git a/POC/forward-port.sh b/POC/forward-port.sh index 82900d54..6a40379f 100755 --- a/POC/forward-port.sh +++ b/POC/forward-port.sh @@ -1,4 +1,4 @@ #!/bin/bash INGRESS_POD=$(kubectl get pod -l istio=ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}") -kubectl port-forward --address 0.0.0.0 "$INGRESS_POD" 8000:8080 -n istio-system & +kubectl port-forward --address 0.0.0.0 "$INGRESS_POD" 8000:7080 -n istio-system & diff --git a/POC/istio/istio-config.yaml b/POC/istio/istio-config.yaml index c087e0ff..d5a0c388 100644 --- a/POC/istio/istio-config.yaml +++ b/POC/istio/istio-config.yaml @@ -53,6 +53,8 @@ spec: kind: Deployment name: istiod patches: + - path: spec.template.metadata.labels.spireSpiffeid + value: istiod - path: spec.template.spec.containers.[name:discovery].volumeMounts[7] value: name: spire-agent-socket 
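Review bot: Dropping `set -e` from create-namespaces.sh means a failed `kubectl create ns istio-system` (namespace already present, or kubectl pointed at the wrong context) no longer stops the script, and `kubectl create ns spire` plus the `sleep 2` run regardless; deploy-spire.sh drops `set -e` in the same way. If the goal is to tolerate re-runs, keep `set -e` and make the creation idempotent instead, e.g. `kubectl create ns istio-system --dry-run=client -o yaml | kubectl apply -f -`, so that only "already exists" is tolerated while every other failure still aborts.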
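Review bot: deploy-all.sh no longer calls `./create-namespaces.sh`, so that script is left in the tree without a caller and the `spire` namespace is now expected to come from `spire-namespace.yaml` via `kubectl apply -k` (kustomization.yaml still lists it), which is inferred from this diff rather than stated anywhere. Either delete create-namespaces.sh or add a comment here naming which entry point is canonical. The inlined `kubectl create ns istio-system` has no `set -e` behind it, so a failure there is ignored and the script proceeds straight into the SPIRE and Istio deployment.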
@@ -68,6 +70,7 @@ spec:
 enabled: true
 label:
 istio: ingressgateway
+ spireSpiffeid: ingress
 k8s:
 overlays:
 - apiVersion: apps/v1
diff --git a/POC/set-bundles.sh b/POC/set-bundles.sh
new file mode 100755
index 00000000..8896a290
--- /dev/null
+++ b/POC/set-bundles.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+kubectl config use-context kind-kind
+
+kubectl port-forward --address 0.0.0.0 spire-server-0 4001:8443 -n spire &
+
+bundle_server=$(kubectl exec --stdin spire-server-0 -c spire-server -n spire -- /opt/spire/bin/spire-server bundle show -format spiffe -socketPath /run/spire/sockets/api.sock)
+
+kubectl config use-context kind-kind2
+
+kubectl port-forward --address 0.0.0.0 spire-server-0 4002:8443 -n spire &
+
+bundle_client=$(kubectl exec --stdin spire-server-0 -c spire-server -n spire -- /opt/spire/bin/spire-server bundle show -format spiffe -socketPath /run/spire/sockets/api.sock)
+
+kubectl exec --stdin spire-server-0 -c spire-server -n spire -- /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://example.org -socketPath /run/spire/sockets/api.sock <<< "$bundle_server"
+
+kubectl config use-context kind-kind
+
+kubectl exec --stdin spire-server-0 -c spire-server -n spire -- /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://domain.test -socketPath /run/spire/sockets/api.sock <<< "$bundle_client"
\ No newline at end of file
diff --git a/POC/spire/agent-account.yaml b/POC/spire/agent-account.yaml
deleted file mode 100644
index 9091404c..00000000
--- a/POC/spire/agent-account.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: spire-agent
- namespace: spire
diff --git a/POC/spire/agent-cluster-role.yaml b/POC/spire/agent-cluster-role.yaml
deleted file mode 100644
index 8bfe36c5..00000000
--- a/POC/spire/agent-cluster-role.yaml
+++ /dev/null
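Review bot: set-bundles.sh has no error handling, so if either `bundle show` fails (wrong context, pod not ready, wrong socket path) the corresponding variable is empty and the following `bundle set` pushes an empty payload into the other cluster's trust store; this is the step that establishes cross-cluster trust and should fail closed, which `set -euo pipefail` plus a non-empty check on each bundle gives it. The two `kubectl port-forward … &` processes are not used by anything else in the script and are never terminated; if they exist to expose each server's 8443 bundle endpoint to the other kind cluster, a comment saying so would help, and `--address 0.0.0.0` publishes that endpoint on every host interface rather than only the one the peer needs. The contexts `kind-kind`/`kind-kind2` and trust domains `example.org`/`domain.test` are hard-coded and `kubectl config use-context` is not checked, so a typo pushes a bundle into the wrong cluster. The file also lacks a trailing newline.
```shell
#!/bin/bash
set -euo pipefail

# A bundle is pushed into the peer cluster's trust store; never push an empty one.
require_bundle() {
  [[ -n "$2" ]] || { echo "empty bundle from context $1" >&2; exit 1; }
}

kubectl config use-context kind-kind
# … unchanged: port-forward and bundle_server=$(…) …
require_bundle kind-kind "$bundle_server"

kubectl config use-context kind-kind2
# … unchanged: port-forward and bundle_client=$(…) …
require_bundle kind-kind2 "$bundle_client"
# … unchanged: the two bundle set calls …
```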
@@ -1,24 +0,0 @@ -# Required cluster role to allow spire-agent to query k8s API server -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent-cluster-role -rules: -- apiGroups: [""] - resources: ["pods","nodes","nodes/proxy"] - verbs: ["get"] - ---- -# Binds above cluster role to spire-agent service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent-cluster-role-binding -subjects: -- kind: ServiceAccount - name: spire-agent - namespace: spire -roleRef: - kind: ClusterRole - name: spire-agent-cluster-role - apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/POC/spire/agent-configmap.yaml b/POC/spire/agent-configmap.yaml deleted file mode 100644 index 4b7c4f37..00000000 --- a/POC/spire/agent-configmap.yaml +++ /dev/null @@ -1,52 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-agent - namespace: spire -data: - agent.conf: | - agent { - data_dir = "/run/spire" - log_level = "DEBUG" - server_address = "spire-server" - server_port = "8081" - socket_path = "/run/spire/sockets/agent.sock" - trust_bundle_path = "/run/spire/bundle/root-cert.pem" - trust_domain = "example.org" - } - - plugins { - NodeAttestor "k8s_psat" { - plugin_data { - # NOTE: Change this to your cluster name - cluster = "demo-cluster" - } - } - - KeyManager "memory" { - plugin_data { - } - } - - WorkloadAttestor "k8s" { - plugin_data { - # Defaults to the secure kubelet port by default. - # Minikube does not have a cert in the cluster CA bundle that - # can authenticate the kubelet cert, so skip validation. - skip_kubelet_verification = true - } - } - - WorkloadAttestor "unix" { - plugin_data { - } - } - } - - health_checks { - listener_enabled = true - bind_address = "0.0.0.0" - bind_port = "8080" - live_path = "/live" - ready_path = "/ready" - } diff --git a/POC/spire/cleanup-spire.sh b/POC/spire/cleanup-spire.sh deleted file mode 100755 index 17f6cd9f..00000000 
--- a/POC/spire/cleanup-spire.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-kubectl delete CustomResourceDefinition spiffeids.spiffeid.spiffe.io
-kubectl delete -f k8s-workload-registrar-crd-configmap.yaml -f k8s-workload-registrar-crd-cluster-role.yaml
-kubectl delete clusterrole spire-server-trust-role spire-agent-cluster-role
-kubectl delete clusterrolebinding spire-server-trust-role-binding spire-agent-cluster-role-binding
-kubectl delete namespace spire
diff --git a/POC/spire/crd-rbac/leader_election_role.yaml b/POC/spire/crd-rbac/leader_election_role.yaml
new file mode 100644
index 00000000..452c0b31
--- /dev/null
+++ b/POC/spire/crd-rbac/leader_election_role.yaml
@@ -0,0 +1,16 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: leader-election-role
+ namespace: spire
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
diff --git a/POC/spire/crd-rbac/leader_election_role_binding.yaml b/POC/spire/crd-rbac/leader_election_role_binding.yaml
new file mode 100644
index 00000000..3d276aba
--- /dev/null
+++ b/POC/spire/crd-rbac/leader_election_role_binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: leader-election-rolebinding
+ namespace: spire
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: spire-server
+ namespace: spire
diff --git a/POC/spire/crd-rbac/role.yaml b/POC/spire/crd-rbac/role.yaml
new file mode 100644
index 00000000..77c92327
--- /dev/null
+++ b/POC/spire/crd-rbac/role.yaml
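Review bot: `leader-election-role` gives the `spire-server` service account create/update/patch/delete on every ConfigMap in the `spire` namespace, which also covers the trust-bundle ConfigMap that the k8sbundle notifier writes and the ConfigMap generated from kustomization.yaml; if the controller-manager's leader election uses Lease objects (inferred from the `leases` rule, not visible here), the configmaps rule can be cut back to `get`, `list`, `patch`, which is what the removed server-cluster-role.yaml granted the same account. A short comment on which component needs each rule, in the style of the existing `# permissions to do leader election.` header, would make that easy to verify later.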
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+rules:
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "patch", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["spire.spiffe.io"]
+ resources: ["clusterfederatedtrustdomains"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["spire.spiffe.io"]
+ resources: ["clusterfederatedtrustdomains/finalizers"]
+ verbs: ["update"]
+ - apiGroups: ["spire.spiffe.io"]
+ resources: ["clusterfederatedtrustdomains/status"]
+ verbs: ["get", "patch", "update"]
+ - apiGroups: ["spire.spiffe.io"]
+ resources: ["clusterspiffeids"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["spire.spiffe.io"]
+ resources: ["clusterspiffeids/finalizers"]
+ verbs: ["update"]
+ - apiGroups: ["spire.spiffe.io"]
+ resources: ["clusterspiffeids/status"]
+ verbs: ["get", "patch", "update"]
diff --git a/POC/spire/crd-rbac/role_binding.yaml b/POC/spire/crd-rbac/role_binding.yaml
new file mode 100644
index 00000000..6487b6da
--- /dev/null
+++ b/POC/spire/crd-rbac/role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: spire-server
+ namespace: spire
diff --git a/POC/spire/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/POC/spire/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml
new file mode 100644
index 00000000..0e98fefb
--- /dev/null
+++ b/POC/spire/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml
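Review bot: `manager-role` is bound (role_binding.yaml, same hunk line) to the `spire-server` service account, yet none of the new crd-rbac files grants the `tokenreviews` create permission that the deleted `spire-server-trust-role` (server-cluster-role.yaml) gave that account for the k8s_psat node attestor; unless `spire-server.yaml`, which is not in this diff, carries it separately, agent node attestation will fail with an RBAC error (the configmaps access the k8sbundle notifier needs is covered by leader_election_role.yaml in the spire namespace). Separately, cluster-wide `patch` on `validatingwebhookconfigurations` lets this service account repoint any admission webhook in the cluster; it is presumably needed so the controller-manager can maintain its own webhook configuration, but that is worth a comment such as `# patch on validatingwebhookconfigurations: the controller-manager updates its own webhook; this makes spire-server a privileged account` so the grant is not widened casually. The rules list here uses indented sequences while leader_election_role.yaml and role_binding.yaml use flush style; pick one across crd-rbac/.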
@@ -0,0 +1,88 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + name: clusterfederatedtrustdomains.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterFederatedTrustDomain + listKind: ClusterFederatedTrustDomainList + plural: clusterfederatedtrustdomains + singular: clusterfederatedtrustdomain + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trustDomain + name: Trust Domain + type: string + - jsonPath: .spec.bundleEndpointURL + name: Endpoint URL + type: string + - jsonPath: .spec.bundleEndpointProfile + name: Endpoint Profile + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterFederatedTrustDomainSpec defines the desired state + of ClusterFederatedTrustDomain + properties: + bundleEndpointProfile: + description: BundleEndpointProfile is the profile for the bundle endpoint. + properties: + endpointSPIFFEID: + description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. + It is required for the "https_spiffe" profile. 
+ type: string + type: + description: Type is the type of the bundle endpoint profile. + enum: + - https_spiffe + - https_web + type: string + required: + - type + type: object + bundleEndpointURL: + description: BundleEndpointURL is the URL of the bundle endpoint. + It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). + type: string + trustDomain: + description: TrustDomain is the name of the trust domain to federate + with (e.g. example.org) + pattern: '[a-z0-9._-]{1,255}' + type: string + trustDomainBundle: + description: TrustDomainBundle is the initial contents of the bundle + for the referenced trust domain. This field is optional. + type: string + required: + - bundleEndpointProfile + - bundleEndpointURL + - trustDomain + type: object + status: + description: ClusterFederatedTrustDomainStatus defines the observed state + of ClusterFederatedTrustDomain + type: object + type: object + served: true + storage: true diff --git a/POC/spire/crd/spire.spiffe.io_clusterspiffeids.yaml b/POC/spire/crd/spire.spiffe.io_clusterspiffeids.yaml new file mode 100644 index 00000000..545e01af --- /dev/null +++ b/POC/spire/crd/spire.spiffe.io_clusterspiffeids.yaml 
@@ -0,0 +1,211 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + name: clusterspiffeids.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterSPIFFEID + listKind: ClusterSPIFFEIDList + plural: clusterspiffeids + singular: clusterspiffeid + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSPIFFEID is the Schema for the clusterspiffeids API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID + properties: + admin: + description: Admin indicates whether or not the SVID can be used to + access the SPIRE administrative APIs. Extra care should be taken + to only apply this SPIFFE ID to admin workloads. + type: boolean + dnsNameTemplates: + description: DNSNameTemplate represents templates for extra DNS names + that are applicable to SVIDs minted for this ClusterSPIFFEID. The + node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + federatesWith: + description: FederatesWith is a list of trust domain names that workloads + that obtain this SPIFFE ID will federate with. 
+ items: + type: string + type: array + namespaceSelector: + description: NamespaceSelector selects the namespaces that are targetted + by this CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + podSelector: + description: PodSelector selects the pods that are targetted by this + CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. 
+ type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + spiffeIDTemplate: + description: SPIFFEID is the SPIFFE ID template. The node and pod + spec are made available to the template under .NodeSpec, .PodSpec + respectively. + type: string + ttl: + description: TTL indicates an upper-bound time-to-live for SVIDs minted + for this ClusterSPIFFEID. If unset, a default will be chosen. + type: string + workloadSelectorTemplates: + description: WorkloadSelectorTemplates are templates to produce arbitrary + workload selectors that apply to a given workload before it will + receive this SPIFFE ID. The rendered value is interpreted by SPIRE + and are of the form type:value, where the value may, and often does, + contain semicolons, .e.g., k8s:container-image:docker/hello-world + The node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. 
+ items: + type: string + type: array + required: + - spiffeIDTemplate + type: object + status: + description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID + properties: + stats: + description: Stats produced by the last entry reconciliation run + properties: + entriesMasked: + description: How many entries were masked by entries for other + ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs + produce an entry for the same pod with the same set of workload + selectors. + type: integer + entriesToSet: + description: How many entries are to be set for this ClusterSPIFFEID. + In nominal conditions, this should reflect the number of pods + selected, but not always if there were problems encountered + rendering an entry for the pod (RenderFailures) or entries are + masked (EntriesMasked). + type: integer + entryFailures: + description: How many entries were unable to be set due to failures + to create or update the entries via the SPIRE Server API. + type: integer + namespacesIgnored: + description: How many (selected) namespaces were ignored (based + on configuration). + type: integer + namespacesSelected: + description: How many namespaces were selected. + type: integer + podEntryRenderFailures: + description: How many failures were encountered rendering an entry + selected pods. This could be due to either a bad template in + the ClusterSPIFFEID or Pod metadata that when applied to the + template did not produce valid entry values. + type: integer + podsSelected: + description: How many pods were selected out of the namespaces. + type: integer + type: object + type: object + type: object + served: true + storage: true diff --git a/POC/spire/deploy-spire.sh b/POC/spire/deploy-spire.sh index eeebe100..bca18d4d 100755 --- a/POC/spire/deploy-spire.sh +++ b/POC/spire/deploy-spire.sh 
@@ -1,35 +1,7 @@ #!/bin/bash -set -e +kubectl apply -k . +kubectl rollout status statefulset -n spire spire-server +kubectl rollout status daemonset -n spire spire-agent -# Create the k8s-workload-registrar crd, configmap and associated role bindingsspace -kubectl apply \ - -f k8s-workload-registrar-crd-cluster-role.yaml \ - -f k8s-workload-registrar-crd-configmap.yaml \ - -f spiffeid.spiffe.io_spiffeids.yaml - -# Create the server’s service account, configmap and associated role bindings -kubectl apply \ - -f server-account.yaml \ - -f spire-bundle-configmap.yaml \ - -f server-cluster-role.yaml - -# Deploy the server configmap and statefulset -kubectl apply \ - -f server-configmap.yaml \ - -f server-statefulset.yaml \ - -f server-service.yaml - -# Configuring and deploying the SPIRE Agent -kubectl apply \ - -f agent-account.yaml \ - -f agent-cluster-role.yaml - -sleep 2 - -kubectl apply \ - -f agent-configmap.yaml \ - -f agent-daemonset.yaml - -# Applying SPIFFE CSI Driver configuration -kubectl apply -f spiffe-csi-driver.yaml +kubectl apply -f spiffe-ids.yaml diff --git a/POC/spire/k8s-workload-registrar-crd-cluster-role.yaml b/POC/spire/k8s-workload-registrar-crd-cluster-role.yaml deleted file mode 100644 index f4982cfa..00000000 --- a/POC/spire/k8s-workload-registrar-crd-cluster-role.yaml +++ /dev/null 
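Review bot: With `set -e` removed, a failure of `kubectl apply -k .` or of either `rollout status` no longer stops the script, which still goes on to `kubectl apply -f spiffe-ids.yaml`; and `rollout status` without a timeout blocks indefinitely when the server or agent never becomes ready. Restoring `set -euo pipefail` at the top and adding `--timeout=120s` to both `kubectl rollout status` calls makes the script fail fast. Applying spiffe-ids.yaml separately after the rollouts, rather than through the kustomization, looks deliberate since the ClusterSPIFFEID CRD must be established before its CRs can be accepted; a one-line comment saying so, `# applied after rollout: the ClusterSPIFFEID CRD must be established first`, would stop the next maintainer from folding it into kustomization.yaml.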
@@ -1,33 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: k8s-workload-registrar-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: k8s-workload-registrar-role -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: k8s-workload-registrar-role -rules: -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["get", "create"] -- apiGroups: [""] - resources: ["endpoints", "nodes", "pods"] - verbs: ["get", "list", "watch"] -- apiGroups: ["spiffeid.spiffe.io"] - resources: ["spiffeids"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] -- apiGroups: ["spiffeid.spiffe.io"] - resources: ["spiffeids/status"] - verbs: ["get", "patch", "update"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "update", "watch"] diff --git a/POC/spire/k8s-workload-registrar-crd-configmap.yaml b/POC/spire/k8s-workload-registrar-crd-configmap.yaml deleted file mode 100644 index c3a86345..00000000 --- a/POC/spire/k8s-workload-registrar-crd-configmap.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: k8s-workload-registrar - namespace: spire -data: - k8s-workload-registrar.conf: | - trust_domain = "example.org" - server_socket_path = "/run/spire/sockets/server.sock" - cluster = "demo-cluster" - mode = "crd" - metrics_bind_addr = "0" diff --git a/POC/spire/kustomization.yaml b/POC/spire/kustomization.yaml index 0a491013..549f1029 100644 --- a/POC/spire/kustomization.yaml +++ b/POC/spire/kustomization.yaml 
@@ -1,18 +1,21 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization +generatorOptions: + disableNameSuffixHash: true -namespace: spire +configMapGenerator: + - name: spire-controller-manager-config + namespace: spire + files: + - spire-controller-manager-config.yaml resources: - spire-namespace.yaml -- agent-account.yaml -- agent-cluster-role.yaml -- agent-configmap.yaml -- agent-daemonset.yaml -- server-account.yaml -- server-cluster-role.yaml -- server-configmap.yaml -- server-service.yaml -- server-statefulset.yaml -- spire-bundle-configmap.yaml - +- spiffe-csi-driver.yaml +- crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml +- crd/spire.spiffe.io_clusterspiffeids.yaml +- crd-rbac/role.yaml +- crd-rbac/role_binding.yaml +- crd-rbac/leader_election_role.yaml +- crd-rbac/leader_election_role_binding.yaml +- spire-server.yaml +- spire-agent.yaml +- spire-controller-manager-webhook.yaml diff --git a/POC/spire/server-account.yaml b/POC/spire/server-account.yaml deleted file mode 100644 index 51ad4c5e..00000000 --- a/POC/spire/server-account.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server - namespace: spire diff --git a/POC/spire/server-cluster-role.yaml b/POC/spire/server-cluster-role.yaml deleted file mode 100644 index 6f4cbd64..00000000 --- a/POC/spire/server-cluster-role.yaml +++ /dev/null 
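Review bot: The `apiVersion: kustomize.config.k8s.io/v1beta1` / `kind: Kustomization` header is removed together with `namespace: spire`; kustomize still accepts a headerless file, but the header is what editors, schema validators and yamllint use to recognise it, and without the namespace transformer every listed resource must now set `namespace: spire` itself — the new crd-rbac files do, but `spire-server.yaml`, `spire-agent.yaml` and `spire-controller-manager-webhook.yaml` are not in this diff and need checking. `configMapGenerator` uses an indented sequence while `resources` uses flush style in the same file, which yamllint flags. Restoring the header is two lines at the top: `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization`.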
@@ -1,28 +0,0 @@ -# ClusterRole to allow spire-server node attestor to query Token Review API -# and to be able to push certificate bundles to a configmap -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-trust-role -rules: -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["patch", "get", "list"] - ---- -# Binds above cluster role to spire-server service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-trust-role-binding -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire -roleRef: - kind: ClusterRole - name: spire-server-trust-role - apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/POC/spire/server-configmap.yaml b/POC/spire/server-configmap.yaml deleted file mode 100644 index d3cd7005..00000000 --- a/POC/spire/server-configmap.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-server - namespace: spire -data: - server.conf: | - server { - bind_address = "0.0.0.0" - bind_port = "8081" - socket_path = "/run/spire/sockets/server.sock" - trust_domain = "example.org" - data_dir = "/run/spire/data" - log_level = "DEBUG" - ca_key_type = "rsa-2048" - - default_svid_ttl = "1h" - ca_subject = { - country = ["US"], - organization = ["SPIFFE"], - common_name = "", - } - } - - plugins { - DataStore "sql" { - plugin_data { - database_type = "sqlite3" - connection_string = "/run/spire/data/datastore.sqlite3" - } - } - - NodeAttestor "k8s_psat" { - plugin_data { - clusters = { - # NOTE: Change this to your cluster name - "demo-cluster" = { - use_token_review_api_validation = true - service_account_allow_list = ["spire:spire-agent"] - } - } - } - } - - KeyManager "disk" { - plugin_data { - keys_path = "/run/spire/data/keys.json" - } - } - - Notifier "k8sbundle" { - plugin_data { - namespace = "spire" - config_map = "trust-bundle" - config_map_key = "root-cert.pem" - } - } - } - - health_checks { - listener_enabled = true - bind_address = "0.0.0.0" - bind_port = "8080" - live_path = "/live" - ready_path = "/ready" - } diff --git a/POC/spire/server-service.yaml b/POC/spire/server-service.yaml deleted file mode 100644 index fa4df2e9..00000000 --- a/POC/spire/server-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: spire-server - namespace: spire -spec: - type: NodePort - ports: - - name: grpc - port: 8081 - targetPort: 8081 - protocol: TCP - selector: - app: spire-server diff --git a/POC/spire/server-statefulset.yaml b/POC/spire/server-statefulset.yaml deleted file mode 100644 index 8af7d050..00000000 --- a/POC/spire/server-statefulset.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: spire-server - namespace: spire - labels: - app: spire-server -spec: - replicas: 1 - selector: - matchLabels: - app: spire-server - serviceName: spire-server - template: - metadata: - namespace: spire - labels: - app: spire-server - spec: - serviceAccountName: spire-server - shareProcessNamespace: true - containers: - - name: spire-server - image: gcr.io/spiffe-io/spire-server:1.1.1 - args: - - -config - - /run/spire/config/server.conf - livenessProbe: - httpGet: - path: /live - port: 8080 - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 5 - ports: - - containerPort: 8081 - volumeMounts: - - name: spire-config - mountPath: /run/spire/config - readOnly: true - - name: spire-data - mountPath: /run/spire/data - readOnly: false - - name: spire-registration-socket - mountPath: /run/spire/sockets - readOnly: false - - name: k8s-workload-registrar - image: gcr.io/spiffe-io/k8s-workload-registrar:1.1.1 - args: - - -config - - /run/spire/config/k8s-workload-registrar.conf - ports: - - containerPort: 9443 - name: webhook - protocol: TCP - volumeMounts: - - mountPath: /run/spire/config - name: k8s-workload-registrar-config - readOnly: true - - name: spire-registration-socket - mountPath: /run/spire/sockets - readOnly: true - volumes: - - name: spire-config - configMap: - name: spire-server - - name: k8s-workload-registrar-config - configMap: - name: k8s-workload-registrar - - name: spire-registration-socket - hostPath: - path: /run/spire/server-sockets - type: DirectoryOrCreate - volumeClaimTemplates: - - metadata: - name: spire-data - namespace: spire - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi diff --git a/POC/spire/spiffe-csi-driver.yaml b/POC/spire/spiffe-csi-driver.yaml index e9d07bc5..3de2889f 100644 
--- a/POC/spire/spiffe-csi-driver.yaml +++ b/POC/spire/spiffe-csi-driver.yaml @@ -3,18 +3,20 @@ kind: CSIDriver metadata: name: "csi.spiffe.io" spec: - # Only ephemeral, inline volumes are supported. There is no need for a - # controller to provision and attach volumes. + # We only support ephemeral, inline volumes. We don't need a controller to + # provision and attach volumes. attachRequired: false - # Request the pod information which the CSI driver uses to verify that an + # We want the pod information so that the CSI driver can verify that an # ephemeral mount was requested. podInfoOnMount: true - # Don't change ownership on the contents of the mount since the Workload API - # Unix Domain Socket is typically open to all (i.e. 0777). + # We don't want (or need) K8s to change ownership on the contents of the mount + # when it is moutned into the pod, since the Workload API is completely open + # (i.e. 0777). + # Note, this was added in Kubernetes 1.19, so omit fsGroupPolicy: None - # Declare support for ephemeral volumes only. - volumeLifecycleModes: + # We only support ephemeral volumes. Note that this requires Kubernetes 1.16 + volumeLifecycleModes: # added in Kubernetes 1.16, this field is beta - Ephemeral diff --git a/POC/spire/spiffe-ids.yaml b/POC/spire/spiffe-ids.yaml new file mode 100644 index 00000000..cc594f3d --- /dev/null +++ b/POC/spire/spiffe-ids.yaml 
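Review bot: The new comment above `fsGroupPolicy: None` ends with "so omit" while the field is kept on the next line, so the comment now contradicts the code; either drop that sentence or complete it, e.g. `# Note: fsGroupPolicy requires Kubernetes 1.19+`. The same comment introduces the typo `moutned`. The `volumeLifecycleModes:` line now carries both a comment above it and an inline one saying the same thing; keep one. These are comment-only edits, so the rendered CSIDriver object is unchanged.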
@@ -0,0 +1,45 @@ +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: istiod +spec: + spiffeIDTemplate: spiffe://example.org/istiod/{{ .PodMeta.Name }} + dnsNameTemplates: + - "{{ .PodMeta.Labels.app }}.{{ .PodMeta.Namespace }}.svc" + - "{{ .PodMeta.Name }}" + podSelector: + matchLabels: + spireSpiffeid: istiod +--- +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: ingress +spec: + spiffeIDTemplate: spiffe://example.org/ingress/{{ .PodMeta.Name }} + dnsNameTemplates: + - "{{ .PodMeta.Labels.app }}.{{ .PodMeta.Namespace }}.svc" + - "{{ .PodMeta.Name }}" + podSelector: + matchLabels: + spireSpiffeid: ingress +# federatesWith: ["domain.test"] +--- +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: workloads +spec: + spiffeIDTemplate: spiffe://example.org/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} + dnsNameTemplates: + - "{{ .PodMeta.Name }}" + - "{{ .PodMeta.Labels.app }}.{{ .PodMeta.Namespace }}.svc" + workloadSelectorTemplates: + - k8s:ns:default + - k8s:sa:{{ .PodSpec.ServiceAccountName }} + - k8s:node-name:kind-control-plane + - k8s:pod-image-count:2 + podSelector: + matchLabels: + spireSpiffeid: workloads +# federatesWith: ["domain.test"] diff --git a/POC/spire/spiffeid.spiffe.io_spiffeids.yaml b/POC/spire/spiffeid.spiffe.io_spiffeids.yaml deleted file mode 100644 index 94a4fb30..00000000 --- a/POC/spire/spiffeid.spiffe.io_spiffeids.yaml +++ /dev/null 
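Review bot: The `istiod` and `ingress` ClusterSPIFFEIDs select pods by `podSelector.matchLabels` alone, with no namespace restriction, so any pod in any namespace not listed in the controller's `ignoreNamespaces` that carries `spireSpiffeid: istiod` is registered under `spiffe://example.org/istiod/...`; a pod label should not be the only thing standing between a workload and the control-plane identity. Consider adding a `namespaceSelector` on those two resources (or a `k8s:ns:istio-system` entry in `workloadSelectorTemplates`) so the identity is also bound to the namespace; the same label-only pattern is in usecases/federation/istio/spiffe-ids.yaml. Separately, the `workloads` resource hard-codes `- k8s:ns:default` and `- k8s:node-name:kind-control-plane` while its `spiffeIDTemplate` takes the namespace from the pod, so a labeled pod outside `default`, or on any node other than the kind control plane, gets an entry whose selectors can never match and fails attestation. `- k8s:ns:{{ .PodMeta.Namespace }}` keeps the selector in step with the template; if the node-name and `k8s:pod-image-count:2` selectors are deliberately kind- and sidecar-specific, a comment saying so would save the next reader from copying them into another cluster.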
@@ -1,104 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.4 - name: spiffeids.spiffeid.spiffe.io -spec: - group: spiffeid.spiffe.io - names: - kind: SpiffeID - listKind: SpiffeIDList - plural: spiffeids - singular: spiffeid - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: SpiffeID is the Schema for the spiffeid API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SpiffeIDSpec defines the desired state of SpiffeID - properties: - dnsNames: - items: - type: string - type: array - parentId: - type: string - selector: - properties: - arbitrary: - description: Arbitrary selectors - items: - type: string - type: array - containerImage: - description: Container image to match for this spiffe ID - type: string - containerName: - description: Container name to match for this spiffe ID - type: string - namespace: - description: Namespace to match for this spiffe ID - type: string - nodeName: - description: Node name to match for this spiffe ID - type: string - podLabel: - additionalProperties: - type: string - description: Pod label name/value to match for this spiffe ID - type: object - podName: - description: Pod name to match for this spiffe ID - type: string - podUid: - description: Pod UID to match for this spiffe ID - type: string - serviceAccount: - description: ServiceAccount to match for this spiffe ID - type: string - type: object - spiffeId: - type: string - required: - - parentId - - selector - - spiffeId - type: object - status: - description: SpiffeIDStatus defines the observed state of SpiffeID - properties: - entryId: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file' - type: string - type: object - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - \ No newline at end of file diff --git a/POC/spire/agent-daemonset.yaml b/POC/spire/spire-agent.yaml similarity index 64% rename from POC/spire/agent-daemonset.yaml rename to POC/spire/spire-agent.yaml index 222153b8..41f83a02 100644 --- a/POC/spire/agent-daemonset.yaml 
+++ b/POC/spire/spire-agent.yaml @@ -1,3 +1,93 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + namespace: spire +--- +# Required cluster role to allow spire-agent to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role +rules: + - apiGroups: [""] + resources: ["pods","nodes","nodes/proxy"] + verbs: ["get"] + +--- +# Binds above cluster role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role-binding +subjects: + - kind: ServiceAccount + name: spire-agent + namespace: spire +roleRef: + kind: ClusterRole + name: spire-agent-cluster-role + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + namespace: spire +data: + agent.conf: | + agent { + data_dir = "/run/spire" + log_level = "DEBUG" + server_address = "spire-server" + server_port = "8081" + socket_path = "/run/spire/sockets/agent.sock" + trust_bundle_path = "/run/spire/bundle/root-cert.pem" + trust_domain = "example.org" + + sds = { + default_bundle_name = "null" + default_all_bundles_name = "ROOTCA" + } + } + + plugins { + NodeAttestor "k8s_psat" { + plugin_data { + # NOTE: Change this to your cluster name + cluster = "demo-cluster" + } + } + + KeyManager "memory" { + plugin_data { + } + } + + WorkloadAttestor "k8s" { + plugin_data { + # Defaults to the secure kubelet port by default. + # Minikube does not have a cert in the cluster CA bundle that + # can authenticate the kubelet cert, so skip validation. + skip_kubelet_verification = true + } + } + + WorkloadAttestor "unix" { + plugin_data { + } + } + } + + health_checks { + listener_enabled = true + bind_address = "0.0.0.0" + bind_port = "8080" + live_path = "/live" + ready_path = "/ready" + } + +--- apiVersion: apps/v1 kind: DaemonSet metadata: 
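Review bot: The agent ConfigMap sets `skip_kubelet_verification = true` in the `k8s` WorkloadAttestor with a comment that justifies it for Minikube, while the rest of this change targets a kind cluster (`kind-control-plane` in spiffe-ids.yaml); the comment should name the actual reason this deployment cannot verify the kubelet certificate, and note that it should be `false` with a kubelet CA configured anywhere beyond a local demo, since it is the attestor's only check that it is talking to the real kubelet. The `sds` block's `default_bundle_name = "null"` is a literal string, not an absent value, which is easy to misread in a config file; a one-line comment that these are the bundle resource names expected by the Istio SDS client (if that is the intent) would help. `log_level = "DEBUG"` is fine for a POC but worth flagging in a comment as not a production default.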
@@ -59,10 +149,16 @@ spec: image: ghcr.io/spiffe/spiffe-csi-driver:0.1.0 imagePullPolicy: IfNotPresent args: [ - "-node-id", "CSI_NODE", - "-workload-api-socket-dir", "/spire-agent-socket", - "-csi-socket-path", "/spiffe-csi/csi.sock", + "-workload-api-socket-dir", "/spire-agent-socket", + "-csi-socket-path", "/spiffe-csi/csi.sock", ] + env: + # The CSI driver needs a unique node ID. The node name can be + # used for this purpose. + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName volumeMounts: # The volume containing the SPIRE agent socket. The SPIFFE CSI # driver will mount this directory into containers. @@ -86,8 +182,8 @@ spec: image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.4.0 imagePullPolicy: IfNotPresent args: [ - "-csi-address", "/spiffe-csi/csi.sock", - "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", + "-csi-address", "/spiffe-csi/csi.sock", + "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", ] volumeMounts: # The registrar needs access to the SPIFFE CSI driver socket diff --git a/POC/spire/spire-bundle-configmap.yaml b/POC/spire/spire-bundle-configmap.yaml deleted file mode 100644 index c9d93983..00000000 --- a/POC/spire/spire-bundle-configmap.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: trust-bundle - namespace: spire - annotations: - synator/sync: 'yes' - synator/include-namespaces: 'istio-system,default' diff --git a/POC/spire/spire-controller-manager-config.yaml b/POC/spire/spire-controller-manager-config.yaml new file mode 100644 index 00000000..c1d50615 --- /dev/null +++ b/POC/spire/spire-controller-manager-config.yaml 
@@ -0,0 +1,13 @@ +apiVersion: spire.spiffe.io/v1alpha1 +kind: ControllerManagerConfig +metrics: + bindAddress: 127.0.0.1:8082 +healthProbe: + bindAddress: 127.0.0.1:8083 +leaderElection: + leaderElect: true + resourceName: 98c9c988.spiffe.io + resourceNamespace: spire +clusterName: demo-cluster +trustDomain: example.org +ignoreNamespaces: ["kube-system", "kube-public", "local-path-storage", "spire"] diff --git a/POC/spire/spire-controller-manager-webhook.yaml b/POC/spire/spire-controller-manager-webhook.yaml new file mode 100644 index 00000000..7b1313f3 --- /dev/null +++ b/POC/spire/spire-controller-manager-webhook.yaml @@ -0,0 +1,33 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: spire-controller-manager-webhook +webhooks: +- admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire + path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain + failurePolicy: Fail + name: vclusterfederatedtrustdomain.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterfederatedtrustdomains"] + sideEffects: None +- admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire + path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid + failurePolicy: Fail + name: vclusterspiffeid.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterspiffeids"] + sideEffects: None diff --git a/POC/spire/spire-namespace.yaml b/POC/spire/spire-namespace.yaml new file mode 100644 index 00000000..c6ba3499 --- /dev/null +++ b/POC/spire/spire-namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: spire diff --git a/POC/spire/spire-server.yaml b/POC/spire/spire-server.yaml new file mode 100644 index 00000000..f856fdd2 
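Review bot: In spire-controller-manager-webhook.yaml both `clientConfig` entries carry no `caBundle`, and nothing in this commit shows how it gets populated; if the controller manager injects it at runtime, a comment on the file saying so would stop a reader from treating the webhook as unauthenticated, e.g. `# caBundle is populated by the controller manager at runtime; do not set it here.`. With `failurePolicy: Fail` on both webhooks, every `CREATE`/`UPDATE` of a `ClusterSPIFFEID` or `ClusterFederatedTrustDomain` is rejected while the webhook service (which, per spire-server.yaml, selects the `spire-server` pod) is down or its CA is not yet injected, which is the right default for a validating hook but is worth stating next to the deploy scripts that apply spiffe-ids.yaml immediately after the server.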
--- /dev/null +++ b/POC/spire/spire-server.yaml 
@@ -0,0 +1,300 @@ +# ServiceAccount used by the SPIRE server. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + namespace: spire +--- +# Trust bundle used by to bootstrap SPIRE agent. +apiVersion: v1 +kind: ConfigMap +metadata: + name: trust-bundle + namespace: spire +--- +# Required cluster role to allow spire-server to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + # allow TokenReview requests (to verify service account tokens for PSAT + # attestation) +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["get", "create"] +--- +# Binds above cluster role to spire-server service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role-binding + namespace: spire +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire +roleRef: + kind: ClusterRole + name: spire-server-cluster-role + apiGroup: rbac.authorization.k8s.io +--- +# Role for the SPIRE server +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: spire + name: spire-server-role +rules: + # allow "get" access to pods (to resolve selectors for PSAT attestation) +- apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE + # agent bootstrapping, see the spire-bundle ConfigMap below) +- apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["spire-bundle"] + verbs: ["get", "patch"] +--- +# RoleBinding granting the spire-server-role to the SPIRE server +# service account. 
+kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-role-binding + namespace: spire +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire +roleRef: + kind: Role + name: spire-server-role + apiGroup: rbac.authorization.k8s.io +--- +# ConfigMap containing the latest trust bundle for the trust domain. It is +# updated by SPIRE using the k8sbundle notifier plugin. SPIRE agents mount +# this config map and use the certificate to bootstrap trust with the SPIRE +# server during attestation. +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire +--- +# ConfigMap containing the SPIRE server configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + namespace: spire +data: + server.conf: | + server { + bind_address = "0.0.0.0" + bind_port = "8081" + socket_path = "/run/spire/sockets/api.sock" + trust_domain = "example.org" + data_dir = "/run/spire/server/data" + log_level = "DEBUG" + ca_key_type = "rsa-2048" + + federation { + bundle_endpoint { + address = "0.0.0.0" + port = 8443 + } + federates_with "domain.test" { + bundle_endpoint_url = "https://192.168.0.16:4002" + bundle_endpoint_profile "https_spiffe" { + endpoint_spiffe_id = "spiffe://domain.test/spire/server" + } + } + } + + default_svid_ttl = "1h" + ca_subject = { + country = ["US"], + organization = ["SPIFFE"], + common_name = "", + } + } + + plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "/run/spire/data/datastore.sqlite3" + } + } + + NodeAttestor "k8s_psat" { + plugin_data { + clusters = { + # NOTE: Change this to your cluster name + "demo-cluster" = { + use_token_review_api_validation = true + service_account_allow_list = ["spire:spire-agent"] + } + } + } + } + + KeyManager "disk" { + plugin_data { + keys_path = "/run/spire/data/keys.json" + } + } + + Notifier "k8sbundle" { + plugin_data { + namespace = "spire" + config_map = "trust-bundle" + 
config_map_key = "root-cert.pem" + } + } + } + + health_checks { + listener_enabled = true + bind_address = "0.0.0.0" + bind_port = "8080" + live_path = "/live" + ready_path = "/ready" + } +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: spire-server + namespace: spire + labels: + app: spire-server +spec: + replicas: 1 + selector: + matchLabels: + app: spire-server + serviceName: spire-server + template: + metadata: + namespace: spire + labels: + app: spire-server + spec: + serviceAccountName: spire-server + shareProcessNamespace: true + containers: + - name: spire-server + image: gcr.io/spiffe-io/spire-server:1.1.1 + args: ["-config", "/run/spire/config/server.conf"] + livenessProbe: + httpGet: + path: /live + port: 8080 + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 5 + ports: + - containerPort: 8081 + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-data + mountPath: /run/spire/data + readOnly: false + - name: spire-registration-socket + mountPath: /run/spire/sockets + readOnly: false + - name: spire-controller-manager + image: ghcr.io/spiffe/spire-controller-manager:nightly + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9443 + args: + - "--config=spire-controller-manager-config.yaml" + volumeMounts: + - name: spire-registration-socket + mountPath: /spire-server + readOnly: true + - name: spire-controller-manager-config + mountPath: /spire-controller-manager-config.yaml + subPath: spire-controller-manager-config.yaml + volumes: + - name: spire-config + configMap: + name: spire-server + - name: spire-registration-socket + hostPath: + path: /run/spire/server-sockets + type: DirectoryOrCreate + - name: spire-controller-manager-config + configMap: + name: spire-controller-manager-config + volumeClaimTemplates: + - metadata: + name: spire-data + 
namespace: spire + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +# Service definition for SPIRE server defining the gRPC port. +apiVersion: v1 +kind: Service +metadata: + name: spire-server + namespace: spire +spec: + type: NodePort + ports: + - name: api + port: 8081 + targetPort: 8081 + protocol: TCP + selector: + app: spire-server +--- +# Service definition for SPIRE server bundle endpoint +apiVersion: v1 +kind: Service +metadata: + name: spire-server-bundle-endpoint + namespace: spire +spec: + type: NodePort + ports: + - name: api + port: 8443 + protocol: TCP + selector: + app: spire-server +--- +# Service definition for SPIRE controller manager webhook +apiVersion: v1 +kind: Service +metadata: + name: spire-controller-manager-webhook-service + namespace: spire +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + app: spire-server diff --git a/usecases/common/workloads/httpbin.yaml b/usecases/common/workloads/httpbin.yaml index 449f092b..5cb43fc4 100644 --- a/usecases/common/workloads/httpbin.yaml +++ b/usecases/common/workloads/httpbin.yaml @@ -33,6 +33,7 @@ spec: labels: app: httpbin version: v1 + spireSpiffeid: workloads annotations: inject.istio.io/templates: "sidecar,spire" spec: diff --git a/usecases/common/workloads/sleep.yaml b/usecases/common/workloads/sleep.yaml index cedb5a01..ee2894f9 100644 --- a/usecases/common/workloads/sleep.yaml +++ b/usecases/common/workloads/sleep.yaml @@ -30,6 +30,7 @@ spec: metadata: labels: app: sleep + spireSpiffeid: workloads annotations: inject.istio.io/templates: "sidecar,spire" spec: diff --git a/usecases/external-workload/istio/istio-config.yaml b/usecases/external-workload/istio/istio-config.yaml index 73141779..567a4547 100644 --- a/usecases/external-workload/istio/istio-config.yaml +++ b/usecases/external-workload/istio/istio-config.yaml 
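Review bot: The `spire-server-role` Role grants `get`/`patch` on configmaps with `resourceNames: ["spire-bundle"]`, but the `Notifier "k8sbundle"` block in the server ConfigMap writes to `config_map = "trust-bundle"`, so the notifier's patch will be denied by RBAC and agents reading `/run/spire/bundle/root-cert.pem` never receive a bundle; the file also creates both a `trust-bundle` and a `spire-bundle` ConfigMap, only one of which is used. Either change the Role to `resourceNames: ["trust-bundle"]` and drop the unused `spire-bundle` ConfigMap with its comment, or point the notifier at `spire-bundle`, but the two must agree. The `spire-controller-manager` container uses `ghcr.io/spiffe/spire-controller-manager:nightly`, an unpinned moving tag for the component that issues registration entries; pin a release tag (or digest) here and in the two `server-statefulset.yaml` files changed later in this commit. The controller manager also runs under the `spire-server` ServiceAccount, whose visible ClusterRole only covers `nodes` and `tokenreviews`, and it mounts a `spire-controller-manager-config` ConfigMap that this file does not define; presumably both come from the kustomization applied with `kubectl apply -k`, which is not in the diff, so a comment naming that source would help. Minor: the comment `# Trust bundle used by to bootstrap SPIRE agent.` should read `used to bootstrap`.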
@@ -57,6 +57,8 @@ spec: kind: Deployment name: istiod patches: + - path: spec.template.metadata.labels.spireSpiffeid + value: istiod - path: spec.template.spec.containers.[name:discovery].volumeMounts[7] value: name: spire-agent-socket @@ -70,6 +72,9 @@ spec: ingressGateways: - name: istio-ingressgateway enabled: true + label: + istio: ingressgateway + spireSpiffeid: ingress k8s: overlays: - apiVersion: apps/v1 diff --git a/usecases/external-workload/workloads/sleep.yaml b/usecases/external-workload/workloads/sleep.yaml index e30823f9..561d1c1e 100644 --- a/usecases/external-workload/workloads/sleep.yaml +++ b/usecases/external-workload/workloads/sleep.yaml @@ -47,6 +47,7 @@ spec: metadata: labels: app: sleep + spireSpiffeid: workloads annotations: inject.istio.io/templates: "sidecar,spire" spec: diff --git a/usecases/federation/bookinfo/deploy-bookinfo.sh b/usecases/federation/bookinfo/deploy-bookinfo.sh index acc9cf11..6dc4ebfc 100755 --- a/usecases/federation/bookinfo/deploy-bookinfo.sh +++ b/usecases/federation/bookinfo/deploy-bookinfo.sh @@ -2,10 +2,6 @@ DIR="../../../POC" -if [[ "$1" ]]; then - DIR=$1 -fi - -istioctl kube-inject --filename $DIR/bookinfo/bookinfo.yaml | kubectl apply -f - +istioctl --filename $DIR/bookinfo/bookinfo.yaml | kubectl apply -f - kubectl apply -f gateway.yaml diff --git a/usecases/federation/istio/deploy-istio.sh b/usecases/federation/istio/deploy-istio.sh index 67ba3fd9..8048c238 100755 --- a/usecases/federation/istio/deploy-istio.sh +++ b/usecases/federation/istio/deploy-istio.sh @@ -26,3 +26,6 @@ kubectl create ns istio-system sleep 2 istioctl install -f istio-config.yaml --skip-confirmation $args kubectl apply -f $DIR/istio/auth.yaml + +# apply cluster spiffe id definition to federate +kubectl apply -f spiffe-ids.yaml diff --git a/usecases/federation/istio/istio-config.yaml b/usecases/federation/istio/istio-config.yaml index 1d470559..eba10655 100644 --- a/usecases/federation/istio/istio-config.yaml 
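Review bot: In usecases/federation/bookinfo/deploy-bookinfo.sh the rewritten line `istioctl --filename $DIR/bookinfo/bookinfo.yaml | kubectl apply -f -` drops the `kube-inject` subcommand, and `istioctl` has no top-level `--filename` flag, so the left side of the pipe fails and `kubectl apply -f -` receives nothing; the POC script this mirrors still uses `istioctl kube-inject`. Restore it as `istioctl kube-inject --filename "$DIR/bookinfo/bookinfo.yaml" | kubectl apply -f -`, quoting `$DIR` while you are there. The hunk also removes the `$1` override for `DIR`, which the sibling deploy-spire.sh in the same use case still honours, so the two scripts now disagree on how the POC directory is located.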
+++ b/usecases/federation/istio/istio-config.yaml @@ -53,6 +53,8 @@ spec: kind: Deployment name: istiod patches: + - path: spec.template.metadata.labels.spireSpiffeid + value: istiod - path: spec.template.spec.containers.[name:discovery].volumeMounts[7] value: name: spire-agent-socket @@ -68,6 +70,7 @@ spec: enabled: true label: istio: ingressgateway + spireSpiffeid: ingress k8s: overlays: - apiVersion: apps/v1 @@ -93,6 +96,7 @@ spec: enabled: true label: istio: ingressgateway-mtls + spireSpiffeid: ingress-mtls k8s: podAnnotations: spiffe.io/federatesWith: "domain.test" diff --git a/usecases/federation/istio/spiffe-ids.yaml b/usecases/federation/istio/spiffe-ids.yaml new file mode 100644 index 00000000..9cb5e8ea --- /dev/null +++ b/usecases/federation/istio/spiffe-ids.yaml @@ -0,0 +1,14 @@ +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: ingress-mtls +spec: + spiffeIDTemplate: spiffe://example.org/ingress/{{ .PodMeta.Name }} + dnsNameTemplates: + - "{{ .PodMeta.Labels.app }}.{{ .PodMeta.Namespace }}.svc" + - "{{ .PodMeta.Name }}" + podSelector: + matchLabels: + spireSpiffeid: ingress-mtls + federatesWith: ["domain.test"] +--- diff --git a/usecases/federation/spire/deploy-spire.sh b/usecases/federation/spire/deploy-spire.sh index 5f25ff05..6400b625 100755 --- a/usecases/federation/spire/deploy-spire.sh +++ b/usecases/federation/spire/deploy-spire.sh 
@@ -9,34 +9,15 @@ if [[ "$1" ]]; then DIR=$1 fi -# Create the k8s-workload-registrar crd, configmap and associated role bindingsspace -kubectl apply \ - -f $DIR/spire/k8s-workload-registrar-crd-cluster-role.yaml \ - -f $DIR/spire/k8s-workload-registrar-crd-configmap.yaml \ - -f $DIR/spire/spiffeid.spiffe.io_spiffeids.yaml - -# Create the server’s service account, configmap and associated role bindings -kubectl apply \ - -f $DIR/spire/server-account.yaml \ - -f $DIR/spire/spire-bundle-configmap.yaml \ - -f $DIR/spire/server-cluster-role.yaml - -# Deploy the server configmap and statefulset -kubectl apply \ - -f server-configmap.yaml \ - -f $DIR/spire/server-statefulset.yaml \ - -f $DIR/spire/server-service.yaml - -# Configuring and deploying the SPIRE Agent -kubectl apply \ - -f $DIR/spire/agent-account.yaml \ - -f $DIR/spire/agent-cluster-role.yaml +kubectl apply -k ../../../POC/spire/ +kubectl apply -f server-configmap.yaml + +# Re-deploy spire-server to reflect configmap update +kubectl delete pod -n spire spire-server-0 sleep 2 -kubectl apply \ - -f agent-configmap.yaml \ - -f $DIR/spire/agent-daemonset.yaml +kubectl apply -f agent-configmap.yaml -# Applying SPIFFE CSI Driver configuration -kubectl apply -f $DIR/spire/spiffe-csi-driver.yaml +# Re-deploy spire-agent to reflect configmap update +kubectl delete pod -n spire -l app=spire-agent diff --git a/usecases/workload-to-ingress-upstream-disk/client-cluster/spire/deploy-spire.sh b/usecases/workload-to-ingress-upstream-disk/client-cluster/spire/deploy-spire.sh index fa6f0cd7..479fa8a5 100755 --- a/usecases/workload-to-ingress-upstream-disk/client-cluster/spire/deploy-spire.sh +++ b/usecases/workload-to-ingress-upstream-disk/client-cluster/spire/deploy-spire.sh 
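Review bot: `kubectl apply -k ../../../POC/spire/` hard-codes the path even though the `DIR=$1` override two lines above it is kept, so passing an alternate POC directory now affects nothing; use `kubectl apply -k "$DIR/spire/"`. The restart-by-delete lines (`kubectl delete pod -n spire spire-server-0` and the `-l app=spire-agent` delete) also bake in a pod name and give no readiness wait before the next step; `kubectl rollout restart statefulset/spire-server -n spire` followed by `kubectl rollout status` would do the same without guessing the ordinal, and the same pattern appears in the four `deploy-spire.sh` scripts under usecases/workload-to-ingress-upstream-spire.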
@@ -1,35 +1,8 @@ #!/bin/bash -set -e - -# Create the k8s-workload-registrar crd, configmap and associated role bindingsspace -kubectl apply \ - -f ../../../../POC/spire/k8s-workload-registrar-crd-cluster-role.yaml \ - -f ../../../../POC/spire/k8s-workload-registrar-crd-configmap.yaml \ - -f ../../../../POC/spire/spiffeid.spiffe.io_spiffeids.yaml - -# Create the server’s service account, configmap and associated role bindings -kubectl apply \ - -f ../../../../POC/spire/server-account.yaml \ - -f ../../../../POC/spire/spire-bundle-configmap.yaml \ - -f ../../../../POC/spire/server-cluster-role.yaml +kubectl apply -k ../../../../POC/spire/ # Deploy the server configmap and statefulset kubectl apply \ -f ../../common/spire/server-configmap.yaml \ -f ../../common/spire/server-statefulset.yaml \ - -f ../../../../POC/spire/server-service.yaml - -# Configuring and deploying the SPIRE Agent -kubectl apply \ - -f ../../../../POC/spire/agent-account.yaml \ - -f ../../../../POC/spire/agent-cluster-role.yaml - -sleep 2 - -kubectl apply \ - -f ../../../../POC/spire/agent-configmap.yaml \ - -f ../../../../POC/spire/agent-daemonset.yaml - -# Applying SPIFFE CSI Driver configuration -kubectl apply -f ../../../../POC/spire/spiffe-csi-driver.yaml diff --git a/usecases/workload-to-ingress-upstream-disk/common/spire/server-configmap.yaml b/usecases/workload-to-ingress-upstream-disk/common/spire/server-configmap.yaml index 2d23362d..517dcd37 100644 --- a/usecases/workload-to-ingress-upstream-disk/common/spire/server-configmap.yaml +++ b/usecases/workload-to-ingress-upstream-disk/common/spire/server-configmap.yaml @@ -8,7 +8,7 @@ data: server { bind_address = "0.0.0.0" bind_port = "8081" - socket_path = "/run/spire/sockets/server.sock" + socket_path = "/run/spire/sockets/api.sock" trust_domain = "example.org" data_dir = "/run/spire/data" log_level = "DEBUG" 
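Review bot: Removing `set -e` means a failed `kubectl apply -k ../../../../POC/spire/` no longer stops the script, so the server ConfigMap and StatefulSet are applied on top of a half-deployed namespace and the failure surfaces later as an unrelated attestation error; keep `set -e` (and ideally `set -euo pipefail`) as the second line. The same removal is made in usecases/workload-to-ingress-upstream-disk/server-cluster/spire/deploy-spire.sh and in both usecases/workload-to-ingress-upstream-spire/*/spire/deploy-spire.sh. Also, deleting the `-f .../server-service.yaml` argument leaves the surviving `-f ../../common/spire/server-statefulset.yaml \` as the last line with a dangling continuation backslash; drop the trailing `\`.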
diff --git a/usecases/workload-to-ingress-upstream-disk/common/spire/server-statefulset.yaml b/usecases/workload-to-ingress-upstream-disk/common/spire/server-statefulset.yaml index 4f3fd258..fd2e7ec8 100644 --- a/usecases/workload-to-ingress-upstream-disk/common/spire/server-statefulset.yaml +++ b/usecases/workload-to-ingress-upstream-disk/common/spire/server-statefulset.yaml @@ -22,9 +22,7 @@ spec: containers: - name: spire-server image: gcr.io/spiffe-io/spire-server:1.1.1 - args: - - -config - - /run/spire/config/server.conf + args: ["-config", "/run/spire/config/server.conf"] livenessProbe: httpGet: path: /live @@ -57,33 +55,31 @@ spec: - name: upstream-key mountPath: /run/spire/data/upstream-ca.key.pem subPath: upstream-ca.key.pem - - name: k8s-workload-registrar - image: gcr.io/spiffe-io/k8s-workload-registrar:1.1.1 - args: - - -config - - /run/spire/config/k8s-workload-registrar.conf + - name: spire-controller-manager + image: ghcr.io/spiffe/spire-controller-manager:nightly + imagePullPolicy: IfNotPresent ports: - containerPort: 9443 - name: webhook - protocol: TCP + args: + - "--config=spire-controller-manager-config.yaml" volumeMounts: - - mountPath: /run/spire/config - name: k8s-workload-registrar-config - readOnly: true - name: spire-registration-socket - mountPath: /run/spire/sockets + mountPath: /spire-server readOnly: true + - name: spire-controller-manager-config + mountPath: /spire-controller-manager-config.yaml + subPath: spire-controller-manager-config.yaml volumes: - name: spire-config configMap: name: spire-server - - name: k8s-workload-registrar-config - configMap: - name: k8s-workload-registrar - name: spire-registration-socket hostPath: path: /run/spire/server-sockets type: DirectoryOrCreate + - name: spire-controller-manager-config + configMap: + name: spire-controller-manager-config - name: upstream-crt configMap: name: "upstream-ca-crt" 
diff --git a/usecases/workload-to-ingress-upstream-disk/server-cluster/spire/deploy-spire.sh b/usecases/workload-to-ingress-upstream-disk/server-cluster/spire/deploy-spire.sh index fa6f0cd7..479fa8a5 100755 --- a/usecases/workload-to-ingress-upstream-disk/server-cluster/spire/deploy-spire.sh +++ b/usecases/workload-to-ingress-upstream-disk/server-cluster/spire/deploy-spire.sh @@ -1,35 +1,8 @@ #!/bin/bash -set -e - -# Create the k8s-workload-registrar crd, configmap and associated role bindingsspace -kubectl apply \ - -f ../../../../POC/spire/k8s-workload-registrar-crd-cluster-role.yaml \ - -f ../../../../POC/spire/k8s-workload-registrar-crd-configmap.yaml \ - -f ../../../../POC/spire/spiffeid.spiffe.io_spiffeids.yaml - -# Create the server’s service account, configmap and associated role bindings -kubectl apply \ - -f ../../../../POC/spire/server-account.yaml \ - -f ../../../../POC/spire/spire-bundle-configmap.yaml \ - -f ../../../../POC/spire/server-cluster-role.yaml +kubectl apply -k ../../../../POC/spire/ # Deploy the server configmap and statefulset kubectl apply \ -f ../../common/spire/server-configmap.yaml \ -f ../../common/spire/server-statefulset.yaml \ - -f ../../../../POC/spire/server-service.yaml - -# Configuring and deploying the SPIRE Agent -kubectl apply \ - -f ../../../../POC/spire/agent-account.yaml \ - -f ../../../../POC/spire/agent-cluster-role.yaml - -sleep 2 - -kubectl apply \ - -f ../../../../POC/spire/agent-configmap.yaml \ - -f ../../../../POC/spire/agent-daemonset.yaml - -# Applying SPIFFE CSI Driver configuration -kubectl apply -f ../../../../POC/spire/spiffe-csi-driver.yaml diff --git a/usecases/workload-to-ingress-upstream-spire/client-cluster/spire/deploy-spire.sh b/usecases/workload-to-ingress-upstream-spire/client-cluster/spire/deploy-spire.sh index b2008389..5c525d98 100755 --- a/usecases/workload-to-ingress-upstream-spire/client-cluster/spire/deploy-spire.sh 
+++ b/usecases/workload-to-ingress-upstream-spire/client-cluster/spire/deploy-spire.sh @@ -1,36 +1,14 @@ #!/bin/bash -set -e - -# Create the k8s-workload-registrar crd, configmap and associated role bindings space -kubectl apply \ - -f ../../../../POC/spire/k8s-workload-registrar-crd-cluster-role.yaml \ - -f ../../../../POC/spire/k8s-workload-registrar-crd-configmap.yaml \ - -f ../../../../POC/spire/spiffeid.spiffe.io_spiffeids.yaml - -# Create the server’s service account, configmap and associated role bindings -kubectl apply \ - -f ../../../../POC/spire/server-account.yaml \ - -f ../../../../POC/spire/spire-bundle-configmap.yaml \ - -f ../../../../POC/spire/server-cluster-role.yaml +kubectl apply -k ../../../../POC/spire/ # Deploy the server configmap and statefulset kubectl apply \ -f server-configmap.yaml \ -f server-statefulset.yaml \ - -f ../../../../POC/spire/server-service.yaml - -# Configuring and deploying the SPIRE Agent -kubectl apply \ - -f ../../../../POC/spire/agent-account.yaml \ - -f ../../../../POC/spire/agent-cluster-role.yaml - -sleep 2 - -kubectl apply \ - -f ../../../../POC/spire/agent-configmap.yaml \ - -f ../../../../POC/spire/agent-daemonset.yaml +# Re-deploy spire-server to reflect configmap update +kubectl delete pod -n spire spire-server-0 # Configuring and deploying nested SPIRE Agent kubectl apply \ @@ -42,5 +20,5 @@ sleep 2 kubectl apply \ -f agent-nest-configmap.yaml -# Applying SPIFFE CSI Driver configuration -kubectl apply -f ../../../../POC/spire/spiffe-csi-driver.yaml +# Re-deploy spire-agent to reflect configmap update +kubectl delete pod -n spire -l app=spire-agent diff --git a/usecases/workload-to-ingress-upstream-spire/client-cluster/spire/server-configmap.yaml b/usecases/workload-to-ingress-upstream-spire/client-cluster/spire/server-configmap.yaml index 0430b87f..bb4627c7 100644 --- a/usecases/workload-to-ingress-upstream-spire/client-cluster/spire/server-configmap.yaml 
+++ b/usecases/workload-to-ingress-upstream-spire/client-cluster/spire/server-configmap.yaml @@ -8,7 +8,7 @@ data: server { bind_address = "0.0.0.0" bind_port = "8081" - socket_path = "/run/spire/sockets/server.sock" + socket_path = "/run/spire/sockets/api.sock" trust_domain = "example.org" data_dir = "/run/spire/data" log_level = "DEBUG" diff --git a/usecases/workload-to-ingress-upstream-spire/client-cluster/spire/server-statefulset.yaml b/usecases/workload-to-ingress-upstream-spire/client-cluster/spire/server-statefulset.yaml index 0bfc11b9..342b88f7 100644 --- a/usecases/workload-to-ingress-upstream-spire/client-cluster/spire/server-statefulset.yaml +++ b/usecases/workload-to-ingress-upstream-spire/client-cluster/spire/server-statefulset.yaml @@ -59,22 +59,20 @@ spec: readOnly: false - name: tmp mountPath: /tmp - - name: k8s-workload-registrar - image: gcr.io/spiffe-io/k8s-workload-registrar:1.1.1 - args: - - -config - - /run/spire/config/k8s-workload-registrar.conf + - name: spire-controller-manager + image: ghcr.io/spiffe/spire-controller-manager:nightly + imagePullPolicy: IfNotPresent ports: - containerPort: 9443 - name: webhook - protocol: TCP + args: + - "--config=spire-controller-manager-config.yaml" volumeMounts: - - mountPath: /run/spire/config - name: k8s-workload-registrar-config - readOnly: true - name: spire-registration-socket - mountPath: /run/spire/sockets + mountPath: /spire-server readOnly: true + - name: spire-controller-manager-config + mountPath: /spire-controller-manager-config.yaml + subPath: spire-controller-manager-config.yaml - name: spire-agent-nest image: gcr.io/spiffe-io/spire-agent:1.1.1 args: ["-config", "/run/spire/config/agent.conf"] 
@@ -116,13 +114,13 @@ spec:
 - name: spire-config
 configMap:
 name: spire-server
- - name: k8s-workload-registrar-config
- configMap:
- name: k8s-workload-registrar
 - name: spire-registration-socket
 hostPath:
 path: /run/spire/server-sockets
 type: DirectoryOrCreate
+ - name: spire-controller-manager-config
+ configMap:
+ name: spire-controller-manager-config
 - name: spire-token
 projected:
 sources:
diff --git a/usecases/workload-to-ingress-upstream-spire/server-cluster/spire/deploy-spire.sh b/usecases/workload-to-ingress-upstream-spire/server-cluster/spire/deploy-spire.sh
index b2008389..5c525d98 100755
--- a/usecases/workload-to-ingress-upstream-spire/server-cluster/spire/deploy-spire.sh
+++ b/usecases/workload-to-ingress-upstream-spire/server-cluster/spire/deploy-spire.sh
@@ -1,36 +1,14 @@
 #!/bin/bash
-set -e
-
-# Create the k8s-workload-registrar crd, configmap and associated role bindings space
-kubectl apply \
- -f ../../../../POC/spire/k8s-workload-registrar-crd-cluster-role.yaml \
- -f ../../../../POC/spire/k8s-workload-registrar-crd-configmap.yaml \
- -f ../../../../POC/spire/spiffeid.spiffe.io_spiffeids.yaml
-
-# Create the server’s service account, configmap and associated role bindings
-kubectl apply \
- -f ../../../../POC/spire/server-account.yaml \
- -f ../../../../POC/spire/spire-bundle-configmap.yaml \
- -f ../../../../POC/spire/server-cluster-role.yaml
+kubectl apply -k ../../../../POC/spire/
 # Deploy the server configmap and statefulset
 kubectl apply \
 -f server-configmap.yaml \
 -f server-statefulset.yaml \
- -f ../../../../POC/spire/server-service.yaml
-
-# Configuring and deploying the SPIRE Agent
-kubectl apply \
- -f ../../../../POC/spire/agent-account.yaml \
- -f ../../../../POC/spire/agent-cluster-role.yaml
-
-sleep 2
-
-kubectl apply \
- -f ../../../../POC/spire/agent-configmap.yaml \
- -f ../../../../POC/spire/agent-daemonset.yaml
+# Re-deploy spire-server to reflect configmap update
+kubectl delete pod -n spire spire-server-0
 # Configuring and deploying nested SPIRE Agent
 kubectl apply \
@@ -42,5 +20,5 @@ sleep 2
 kubectl apply \
 -f agent-nest-configmap.yaml
-# Applying SPIFFE CSI Driver configuration
-kubectl apply -f ../../../../POC/spire/spiffe-csi-driver.yaml
+# Re-deploy spire-agent to reflect configmap update
+kubectl delete pod -n spire -l app=spire-agent
diff --git a/usecases/workload-to-ingress-upstream-spire/server-cluster/spire/server-configmap.yaml b/usecases/workload-to-ingress-upstream-spire/server-cluster/spire/server-configmap.yaml
index 5236894b..7d23a21d 100644
--- a/usecases/workload-to-ingress-upstream-spire/server-cluster/spire/server-configmap.yaml
+++ b/usecases/workload-to-ingress-upstream-spire/server-cluster/spire/server-configmap.yaml
@@ -8,7 +8,7 @@ data:
 server {
 bind_address = "0.0.0.0"
 bind_port = "8081"
- socket_path = "/run/spire/sockets/server.sock"
+ socket_path = "/run/spire/sockets/api.sock"
 trust_domain = "example.org"
 data_dir = "/run/spire/data"
 log_level = "DEBUG"
diff --git a/usecases/workload-to-ingress-upstream-spire/server-cluster/spire/server-statefulset.yaml b/usecases/workload-to-ingress-upstream-spire/server-cluster/spire/server-statefulset.yaml
index 4f1a5d11..30408c6f 100644
--- a/usecases/workload-to-ingress-upstream-spire/server-cluster/spire/server-statefulset.yaml
+++ b/usecases/workload-to-ingress-upstream-spire/server-cluster/spire/server-statefulset.yaml
@@ -59,22 +59,20 @@ spec:
 readOnly: false
 - name: tmp
 mountPath: /tmp
- - name: k8s-workload-registrar
- image: gcr.io/spiffe-io/k8s-workload-registrar:1.1.1
- args:
- - -config
- - /run/spire/config/k8s-workload-registrar.conf
+ - name: spire-controller-manager
+ image: ghcr.io/spiffe/spire-controller-manager:nightly
+ imagePullPolicy: IfNotPresent
 ports:
 - containerPort: 9443
- name: webhook
- protocol: TCP
+ args:
+ - "--config=spire-controller-manager-config.yaml"
 volumeMounts:
- - mountPath: /run/spire/config
- name: k8s-workload-registrar-config
- readOnly: true
 - name: spire-registration-socket
- mountPath: /run/spire/sockets
+ mountPath: /spire-server
 readOnly: true
+ - name: spire-controller-manager-config
+ mountPath: /spire-controller-manager-config.yaml
+ subPath: spire-controller-manager-config.yaml
 - name: spire-agent-nest
 image: gcr.io/spiffe-io/spire-agent:1.1.1
 args: ["-config", "/run/spire/config/agent.conf"]
@@ -116,9 +114,9 @@ spec:
 - name: spire-config
 configMap:
 name: spire-server
- - name: k8s-workload-registrar-config
+ - name: spire-controller-manager-config
 configMap:
- name: k8s-workload-registrar
+ name: spire-controller-manager-config
 - name: spire-registration-socket
 hostPath:
 path: /run/spire/server-sockets
diff --git a/usecases/workload-to-ingress-upstream-spire/server-cluster/workloads/deploy-workloads.sh b/usecases/workload-to-ingress-upstream-spire/server-cluster/workloads/deploy-workloads.sh
index a1f97e1e..9782573d 100755
--- a/usecases/workload-to-ingress-upstream-spire/server-cluster/workloads/deploy-workloads.sh
+++ b/usecases/workload-to-ingress-upstream-spire/server-cluster/workloads/deploy-workloads.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+
 istioctl kube-inject --filename ../../../common/workloads/httpbin.yaml | kubectl apply -f -
-kubectl apply -f ../../../common/networking/gateway.yaml
\ No newline at end of file
+kubectl apply -f ../../../common/networking/gateway.yaml