
Temporarily merge in namespace creation stuff for testing. Will merge…
… originals.

Signed-off-by: Kevin Fox <[email protected]>
kfox1111 committed Nov 25, 2023
1 parent 59791b1 commit 663cf28
Showing 4 changed files with 85 additions and 0 deletions.
10 changes: 10 additions & 0 deletions charts/spire/README.md
Expand Up @@ -184,9 +184,19 @@ Now you can interact with the Spire agent socket from your own application. The
| `global.spire.useRecommended.securityContexts` | Set to true to use our recommendations for pod and container securityContexts | `true` |
| `global.spire.useRecommended.priorityClasses` | Set to true to use our recommendations for pod priority classes | `true` |
| `global.spire.useRecommended.namespaceLayout` | Set to true to use our recommendations for installing across namespaces | `true` |
| `global.spire.useRecommended.namespacePSS` | When chart namespace creation is enabled, label them with preffered Pod Security Standard labels | `true` |
| `global.spire.useRecommended.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `true` |
| `global.spire.useRecommended.prometheus` | Enable prometheus exporters for monitoring | `true` |
| `global.spire.image.registry` | Override all Spire image registries at once | `""` |
| `global.spire.namespaces.create` | Set to true to Create all namespaces. | `true` |
| `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` |
| `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` |
| `global.spire.namespaces.system.annotations` | Annotations to apply to the Spire system Namespace. | `{}` |
| `global.spire.namespaces.system.labels` | Labels to apply to the Spire system Namespace. | `{}` |
| `global.spire.namespaces.server.name` | Name of the Spire server Namespace. | `spire-server` |
| `global.spire.namespaces.server.create` | Create a Namespace for Spire server resources. | `false` |
| `global.spire.namespaces.server.annotations` | Annotations to apply to the Spire server Namespace. | `{}` |
| `global.spire.namespaces.server.labels` | Labels to apply to the Spire server Namespace. | `{}` |
| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |
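--- a/charts/spire/templates/spire-server-namespace.yaml
+++ b/charts/spire/templates/spire-server-namespace.yaml
@@ -0,0 +1,26 @@
+{{- if or .Values.global.spire.namespaces.create .Values.global.spire.namespaces.server.create }}
+{{- $labels := dict }}
+{{- if and (dig "spire" "useRecommended" "enabled" false .Values.global) (dig "spire" "useRecommended" "namespacePSS" true .Values.global) }}
+{{- $_ := set $labels "pod-security.kubernetes.io/warn" "restricted" }}
+{{- $_ := set $labels "pod-security.kubernetes.io/audit" "restricted" }}
+{{- if (dig "openshift" false .Values.global) }}
+{{- $_ := set $labels "security.openshift.io/scc.podSecurityLabelSync" "false" }}
+{{- $_ := set $labels "pod-security.kubernetes.io/enforce" "privileged" }}
+{{- else }}
+{{- $_ := set $labels "pod-security.kubernetes.io/enforce" "restricted" }}
+{{- end }}
+{{- end }}
+{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.server.labels }}
+apiVersion: v1
+kind: Namespace
+metadata:
+name: {{ .Values.global.spire.namespaces.server.name }}
+{{- with $labels }}
+labels:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.global.spire.namespaces.server.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}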
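Review bot: The user-supplied `namespaces.server.labels` are merged with `mergeOverwrite` after the recommended Pod Security Standard labels, so a value under that key can silently replace `pod-security.kubernetes.io/enforce` with a weaker level and nothing in the chart reports it; if that override is intended, say so in the `@param` description for `global.spire.namespaces.server.labels`, otherwise swap the operands so the recommended labels win, `{{- $labels = mergeOverwrite (deepCopy .Values.global.spire.namespaces.server.labels) $labels }}`. The same ordering applies to spire-system-namespace.yaml in this commit. The namespace name is emitted as a plain scalar; `name: {{ .Values.global.spire.namespaces.server.name | quote }}` (and the matching line in the system template) protects against a value that YAML would retype. A one-line template comment stating why `enforce` is relaxed to `privileged` on OpenShift while `warn` and `audit` stay `restricted` would tell the next reader the asymmetry is deliberate rather than a copy-paste slip.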
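--- a/charts/spire/templates/spire-system-namespace.yaml
+++ b/charts/spire/templates/spire-system-namespace.yaml
@@ -0,0 +1,24 @@
+{{- if or .Values.global.spire.namespaces.create .Values.global.spire.namespaces.system.create }}
+{{- $labels := dict }}
+{{- if and (dig "spire" "useRecommended" "enabled" false .Values.global) (dig "spire" "useRecommended" "namespacePSS" true .Values.global) }}
+{{- $_ := set $labels "pod-security.kubernetes.io/warn" "privileged" }}
+{{- $_ := set $labels "pod-security.kubernetes.io/audit" "privileged" }}
+{{- $_ := set $labels "pod-security.kubernetes.io/enforce" "privileged" }}
+{{- if (dig "openshift" false .Values.global) }}
+{{- $_ := set $labels "security.openshift.io/scc.podSecurityLabelSync" "false" }}
+{{- end }}
+{{- end }}
+{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.server.labels }}
+apiVersion: v1
+kind: Namespace
+metadata:
+name: {{ .Values.global.spire.namespaces.system.name }}
+{{- with $labels }}
+labels:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.global.spire.namespaces.system.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}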
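Review bot: The label merge in this template reads `.Values.global.spire.namespaces.server.labels`, so anything an operator sets under `namespaces.system.labels` is ignored and the server namespace's labels are applied to the system namespace instead; the line should be `{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.system.labels }}`. The annotations block two lines below already uses the `system` key, which makes the mismatch look like a copy-paste slip from spire-server-namespace.yaml rather than an intended cross-reference.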
25 changes: 25 additions & 0 deletions charts/spire/values.yaml
Expand Up @@ -8,6 +8,7 @@ global:
k8s:
## @param global.k8s.clusterDomain Cluster domain name configured for Spire install
clusterDomain: cluster.local

spire:
## @param global.spire.bundleConfigMap A configmap containing the Spire bundle
bundleConfigMap: ""
Expand All @@ -24,20 +25,44 @@ global:
## @param global.spire.useRecommended.securityContexts Set to true to use our recommendations for pod and container securityContexts
## @param global.spire.useRecommended.priorityClasses Set to true to use our recommendations for pod priority classes
## @param global.spire.useRecommended.namespaceLayout Set to true to use our recommendations for installing across namespaces
## @param global.spire.useRecommended.namespacePSS When chart namespace creation is enabled, label them with preffered Pod Security Standard labels
## @param global.spire.useRecommended.strictMode Check values, such as trustDomain, are overridden with a suitable value for production.
## @param global.spire.useRecommended.prometheus Enable prometheus exporters for monitoring
useRecommended:
enabled: false
securityContexts: true
priorityClasses: true
namespaceLayout: true
namespacePSS: true
strictMode: true
prometheus: true

image:
## @param global.spire.image.registry Override all Spire image registries at once
registry: ""

namespaces:
## @param global.spire.namespaces.create Set to true to Create all namespaces.
create: false
system:
## @param global.spire.namespaces.system.name Name of the Spire system Namespace.
name: "spire-system"
## @param global.spire.namespaces.system.create Create a Namespace for Spire system resources.
create: false
## @param global.spire.namespaces.system.annotations [object] Annotations to apply to the Spire system Namespace.
annotations: {}
## @param global.spire.namespaces.system.labels [object] Labels to apply to the Spire system Namespace.
labels: {}
server:
## @param global.spire.namespaces.server.name Name of the Spire server Namespace.
name: "spire-server"
## @param global.spire.namespaces.server.create Create a Namespace for Spire server resources.
create: false
## @param global.spire.namespaces.server.annotations [object] Annotations to apply to the Spire server Namespace.
annotations: {}
## @param global.spire.namespaces.server.labels [object] Labels to apply to the Spire server Namespace.
labels: {}

## @param global.spire.ingressControllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
ingressControllerType: ""
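Review bot: `global.spire.namespaces.create` is set to `false` here while the README table added in this same commit documents its default as `true`, so an operator reading the docs will expect namespaces to be created when they are not; the `@param` lines look like the source the README is generated from, so either regenerate the table or correct the value, whichever reflects the intended default. The `namespacePSS` description says the labels are applied "when chart namespace creation is enabled", but both namespace templates in this commit also require `useRecommended.enabled` to be true before any Pod Security labels are set, and the default for `enabled` is `false`. `## @param global.spire.useRecommended.namespacePSS When chart namespace creation and useRecommended are both enabled, label the created namespaces with the preferred Pod Security Standard labels` would state the real condition and also fix the `preffered` typo.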

