diff --git a/.github/tests/dependencies/spire-root-server-values.yaml b/.github/tests/dependencies/spire-root-server-values.yaml
index 400a10cab..124c8dd4a 100644
--- a/.github/tests/dependencies/spire-root-server-values.yaml
+++ b/.github/tests/dependencies/spire-root-server-values.yaml
@@ -6,13 +6,15 @@ global:
 spire-server:
   controllerManager:
     identities:
-      namespaceSelector:
-        kubernetes.io/metadata.name: spire-server
-      podSelector:
-        app.kubernetes.io/component: server
-        app.kubernetes.io/instance: spire
-        app.kubernetes.io/name: server
-      downstream: true
+      clusterSPIFFEIDs:
+        default:
+          namespaceSelector:
+            kubernetes.io/metadata.name: spire-server
+          podSelector:
+            app.kubernetes.io/component: server
+            app.kubernetes.io/instance: spire
+            app.kubernetes.io/name: server
+          downstream: true
   nodeAttestor:
     k8sPsat:
       serviceAccountAllowList:
diff --git a/charts/spire/README.md b/charts/spire/README.md
index 2696e6b79..dba164188 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@@ -32,6 +32,10 @@ For production installs, please see [the production example](https://github.com/
 
 ## Upgrade notes
 
+### 0.16.X
+
+The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade.
+
 ### 0.15.X
 
 The spire-crds chart has been updated. Please ensure you have upgraded spire-crds before upgrading the spire chart.
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index 72ad0ac2e..0c219892c 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
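Review bot: The `downstream: true` line at the end of the new `clusterSPIFFEIDs.default` entry is the privileged part of this fixture — every pod matched by the namespace and pod selectors is registered as a downstream (nested) SPIRE server — yet nothing in the file says that this is deliberate, so a later edit widening the selectors would silently widen that grant. I would add a comment directly above it, e.g. `# Root-server fixture: the selected pods are nested SPIRE servers and must receive downstream entries`. Since the entry is now keyed as `default`, it presumably deep-merges with the chart's own default entry (spiffeIDTemplate and the other fields coming from chart defaults) rather than replacing it; confirming the rendered ClusterSPIFFEID still carries exactly these selectors would be worthwhile, because Helm does not flag keys left at the old flat `identities.*` location and would drop them without error.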
@@ -79,192 +79,194 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr ### Chart parameters -| Name | Description | Value | -| ---------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | -| `replicaCount` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. | `1` | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/spire-server` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `imagePullSecrets` | Pull secrets for images | `[]` | -| `nameOverride` | Name override | `""` | -| `namespaceOverride` | Namespace override | `""` | -| `fullnameOverride` | Fullname override | `""` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. 
| `""` | -| `podAnnotations` | Annotations to add to pods | `{}` | -| `podSecurityContext` | Pod security context | `{}` | -| `securityContext` | Security context | `{}` | -| `priorityClassName` | Priority class assigned to statefulset pods | `""` | -| `service.type` | Type of the Spire server service created | `ClusterIP` | -| `service.port` | Port for the created service | `8081` | -| `service.annotations` | Annotations to add to the service object | `{}` | -| `configMap.annotations` | Annotations to add to the SPIRE Server ConfigMap | `{}` | -| `resources` | Resource requests and limits | `{}` | -| `autoscaling.enabled` | Flag to enable autoscaling | `false` | -| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | -| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `100` | -| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | -| `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | `{}` | -| `tolerations` | List of tolerations | `[]` | -| `affinity` | List of node affinities | `{}` | -| `topologySpreadConstraints` | Topology spread constraints for resilience | `[]` | -| `livenessProbe.failureThreshold` | Failure threshold count for livenessProbe | `2` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `60` | -| `livenessProbe.timeoutSeconds` | Timeout in seconds for livenessProbe | `3` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` | -| `persistence.size` | What type of volume to use for persistence. 
Valid options pvc (recommended), hostPath, emptyDir (testing only) | `1Gi` | -| `persistence.accessMode` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `ReadWriteOnce` | -| `persistence.storageClass` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `nil` | -| `persistence.hostPath` | Which path to use on the host when type = hostPath | `""` | -| `dataStore.sql.databaseType` | Other supported databases are "postgres" and "mysql" | `sqlite3` | -| `dataStore.sql.databaseName` | Only used by "postgres" or "mysql" | `spire` | -| `dataStore.sql.host` | Only used by "postgres" or "mysql" | `""` | -| `dataStore.sql.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. | `0` | -| `dataStore.sql.username` | Only used by "postgres" or "mysql" | `spire` | -| `dataStore.sql.password` | Only used by "postgres" or "mysql" | `""` | -| `dataStore.sql.options` | Only used by "postgres" or "mysql" | `[]` | -| `dataStore.sql.plugin_data` | Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section | `{}` | -| `dataStore.sql.externalSecret.enabled` | Enable external secret for datastore creds | `false` | -| `dataStore.sql.externalSecret.name` | The name of the secret object | `""` | -| `dataStore.sql.externalSecret.key` | The key of the secret object whose value is the dataStore.sql password | `""` | -| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | -| `jwtIssuer` | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset | `""` | -| `clusterName` | Set the name of the Kubernetes cluster. 
(`kubeadm init --service-dns-domain`) | `example-cluster` | -| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | -| `bundleConfigMap` | Set the trust domain to be used for the SPIFFE identifiers | `spire-bundle` | -| `clusterDomain` | This is the value of your clusters `kubeadm init --service-dns-domain` flag | `cluster.local` | -| `federation.enabled` | Flag to enable federation | `false` | -| `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` | -| `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` | -| `federation.ingress.enabled` | Flag to enable ingress for federation | `false` | -| `federation.ingress.className` | Ingress class name for federation | `""` | -| `federation.ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `federation.ingress.annotations` | Annotations for the ingress object | `{}` | -| `federation.ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server-federation` | -| `federation.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `federation.ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | -| `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. 
| `[]` | -| `ca_subject.country` | Country for Spire server CA | `ARPA` | -| `ca_subject.organization` | Organization for Spire server CA | `Example` | -| `ca_subject.common_name` | Common Name for Spire server CA | `example.org` | -| `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` | -| `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` | -| `keyManager.awsKMS.enabled` | Flag to enable keyManager in memory | `false` | -| `keyManager.awsKMS.region` | Specify the region for AWS KMS | `""` | -| `keyManager.awsKMS.keyPolicy` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | | -| `keyManager.awsKMS.keyPolicy.policy` | Key policy in JSON format. | `""` | -| `keyManager.awsKMS.keyPolicy.existingConfigMap` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | `""` | -| `keyManager.awsKMS.accessKeyID` | Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. | `""` | -| `keyManager.awsKMS.secretAccessKey` | Secret access key for the AWS account. | `""` | -| `upstreamAuthority.disk.enabled` | Flag to enable upstream authority plugin on disk | `false` | -| `upstreamAuthority.disk.secret.create` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | `true` | -| `upstreamAuthority.disk.secret.name` | If secret creation is disabled, the secret with this name will be used. | `spiffe-upstream-ca` | -| `upstreamAuthority.disk.secret.data` | If secret creation is enabled, will create a secret with following certificate info | | -| `upstreamAuthority.disk.secret.data.certificate` | Certificate to store within disk upstreamAuthority. 
| `""` | -| `upstreamAuthority.disk.secret.data.key` | Key corresponding to the upstreamAuthority. | `""` | -| `upstreamAuthority.disk.secret.data.bundle` | Trust bundle for upstreamAuthority. | `""` | -| `upstreamAuthority.awsPCA.enabled` | Flag to enable upstream authority plugin with AWS PCA | `false` | -| `upstreamAuthority.awsPCA.region` | AWS Region to use | `""` | -| `upstreamAuthority.awsPCA.certificateAuthorityARN` | ARN of the "upstream" CA certificate | `""` | -| `upstreamAuthority.awsPCA.assumeRoleARN` | (Optional) ARN of an IAM role to assume | `""` | -| `upstreamAuthority.awsPCA.caSigningTemplateARN` | (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. | `""` | -| `upstreamAuthority.awsPCA.signingAlgorithm` | (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. | `""` | -| `upstreamAuthority.awsPCA.endpoint` | (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. | `""` | -| `upstreamAuthority.awsPCA.supplementalBundlePath` | (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. 
| `""` | -| `upstreamAuthority.certManager.enabled` | Flag to enable upstream authority plugin with cert manager | `false` | -| `upstreamAuthority.certManager.rbac.create` | Flag to create RBAC roles | `true` | -| `upstreamAuthority.certManager.issuer_name` | Defaults to the release name, override if CA is provided outside of the chart | `""` | -| `upstreamAuthority.certManager.issuer_kind` | Defaults to "Issuer", override if CA is provided outside of the chart | `Issuer` | -| `upstreamAuthority.certManager.issuer_group` | Defaults to "cert-manager.io", override if CA is provided outside of the chart | `cert-manager.io` | -| `upstreamAuthority.certManager.namespace` | Specify to use a namespace other then the one the chart is installed into | `""` | -| `upstreamAuthority.certManager.kube_config_file` | Path to kube_config_file on node to setup cert manager | `""` | -| `upstreamAuthority.certManager.ca.create` | Creates a Cert-Manager CA | `false` | -| `upstreamAuthority.certManager.ca.duration` | Duration of the CA. 
Defaults to 10 years | `87600h` | -| `upstreamAuthority.certManager.ca.privateKey.algorithm` | Algorithm to generate private key for CA | `ECDSA` | -| `upstreamAuthority.certManager.ca.privateKey.size` | Size of generated private key for CA | `256` | -| `upstreamAuthority.certManager.ca.privateKey.rotationPolicy` | Rotation policy for generated private key | `""` | -| `upstreamAuthority.certManager.ca.renewBefore` | How long to wait before renewing the CA | `""` | -| `upstreamAuthority.spire.enabled` | Flag to use another Spire install as upstream CA | `false` | -| `upstreamAuthority.spire.upstreamDriver` | Driver for Spire as upstream CA | `""` | -| `upstreamAuthority.spire.server` | Server details for the Spire instance use as upstream CA | | -| `upstreamAuthority.spire.server.address` | Address for upstream Spire server | `""` | -| `upstreamAuthority.spire.server.port` | Port for upstream Spire server | `8081` | -| `upstreamAuthority.vault.enabled` | Enable Hashicorp Vault as upstream CA | `false` | -| `upstreamAuthority.vault.vaultAddr` | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `""` | -| `upstreamAuthority.vault.namespace` | Name of the Vault namespace. This is only available in the Vault Enterprise. 
| `""` | -| `upstreamAuthority.vault.pkiMountPoint` | Name of the mount point where PKI secret engine is mounted | `pki` | -| `upstreamAuthority.vault.insecureSkipVerify` | If true, caCert options are ignored and Spire accepts any server certificates claiming to be Vault | `false` | -| `upstreamAuthority.vault.caCert.type` | Type of resource representing the Vault server certificate, options are 'Secret' or 'Configmap', the item must be named `ca.crt` | `Secret` | -| `upstreamAuthority.vault.caCert.name` | Name of the Kubernetes resource containing the Vault server certificate | `vault-ca` | -| `upstreamAuthority.vault.k8sAuth.enabled` | Enable k8s authentication to Hashicorp Vault | `false` | -| `upstreamAuthority.vault.k8sAuth.k8sAuthMountPoint` | Name of the mount point where the Kubernetes auth method is mounted | `kubernetes` | -| `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` | -| `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault` | -| `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` | -| `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` | -| `controllerManager.enabled` | Flag to enable controller manager | `false` | -| `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. 
| `""` | -| `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` | -| `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | -| `controllerManager.deleteHook.enabled` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) | `true` | -| `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | -| `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `controllerManager.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.4.0` | -| `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | -| `controllerManager.securityContext` | Security context | `{}` | -| `controllerManager.service.type` | Service type for controller manager | `ClusterIP` | -| `controllerManager.service.port` | Service port for controller manager | `443` | -| `controllerManager.service.annotations` | Annotations for service resource | `{}` | -| `controllerManager.configMap.annotations` | Annotations to add to the Controller Manager ConfigMap | `{}` | -| `controllerManager.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` | -| `controllerManager.identities.enabled` | Flag to enable default identities for controller manager | `true` | -| `controllerManager.identities.spiffeIDTemplate` | Spiffe ID template for identities | `spiffe://{{ .TrustDomain }}/ns/{{ 
.PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}` | -| `controllerManager.identities.podSelector` | Selector for pods to issue identity | `{}` | -| `controllerManager.identities.namespaceSelector` | Selector for namespacs to issue identity | `{}` | -| `controllerManager.identities.dnsNameTemplates` | DNS name template for issued identities | `[]` | -| `controllerManager.identities.federatesWith` | Other Spire server URLs for identity federation | `[]` | -| `controllerManager.identities.workloadSelectorTemplates` | Templates to produce selectors that apply to a given workload before it will receive an ID | `[]` | -| `controllerManager.identities.ttl` | Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen. | `""` | -| `controllerManager.identities.jwtTTL` | Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen. | `""` | -| `controllerManager.identities.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` | -| `controllerManager.identities.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` | -| `controllerManager.identities.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` | -| `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` | -| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | -| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tools.kubectl.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | -| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | -| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | -| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | -| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | -| `ingress.enabled` | Flag to enable ingress | `false` | -| `ingress.className` | Ingress class name | `""` | -| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `ingress.annotations` | Annotations for the ingress object | `{}` | -| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server` | -| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | -| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. 
| `[]` | -| `extraVolumes` | Extra volumes to be mounted | `[]` | -| `extraVolumeMounts` | Extra volume mounts | `[]` | -| `extraContainers` | Additional containers to create | `[]` | -| `initContainers` | Additional init containers to create | `[]` | -| `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) | `rsa-2048` | -| `caTTL` | TTL for CA | `24h` | -| `defaultX509SvidTTL` | TTL for X509 Svids | `4h` | -| `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` | -| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` | -| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| Name | Description | Value | +| --------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | +| `replicaCount` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. | `1` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spire-server` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | +| `podAnnotations` | Annotations to add to pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `priorityClassName` | Priority class assigned to statefulset pods | `""` | +| `service.type` | Type of the Spire server service created | `ClusterIP` | +| `service.port` | Port for the created service | `8081` | +| `service.annotations` | Annotations to add to the service object | `{}` | +| `configMap.annotations` | Annotations to add to the SPIRE Server ConfigMap | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `autoscaling.enabled` | Flag to enable autoscaling | `false` | +| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | +| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `100` | +| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | +| `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `affinity` | List of node affinities | `{}` | +| `topologySpreadConstraints` | Topology spread constraints for resilience | `[]` | +| `livenessProbe.failureThreshold` | Failure threshold count for livenessProbe | `2` | +| `livenessProbe.initialDelaySeconds` | Initial delay 
seconds for livenessProbe | `15` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `60` | +| `livenessProbe.timeoutSeconds` | Timeout in seconds for livenessProbe | `3` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` | +| `persistence.size` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `1Gi` | +| `persistence.accessMode` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `ReadWriteOnce` | +| `persistence.storageClass` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `nil` | +| `persistence.hostPath` | Which path to use on the host when type = hostPath | `""` | +| `dataStore.sql.databaseType` | Other supported databases are "postgres" and "mysql" | `sqlite3` | +| `dataStore.sql.databaseName` | Only used by "postgres" or "mysql" | `spire` | +| `dataStore.sql.host` | Only used by "postgres" or "mysql" | `""` | +| `dataStore.sql.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. 
| `0` | +| `dataStore.sql.username` | Only used by "postgres" or "mysql" | `spire` | +| `dataStore.sql.password` | Only used by "postgres" or "mysql" | `""` | +| `dataStore.sql.options` | Only used by "postgres" or "mysql" | `[]` | +| `dataStore.sql.plugin_data` | Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section | `{}` | +| `dataStore.sql.externalSecret.enabled` | Enable external secret for datastore creds | `false` | +| `dataStore.sql.externalSecret.name` | The name of the secret object | `""` | +| `dataStore.sql.externalSecret.key` | The key of the secret object whose value is the dataStore.sql password | `""` | +| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `jwtIssuer` | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset | `""` | +| `clusterName` | Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`) | `example-cluster` | +| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | +| `bundleConfigMap` | Set the trust domain to be used for the SPIFFE identifiers | `spire-bundle` | +| `clusterDomain` | This is the value of your clusters `kubeadm init --service-dns-domain` flag | `cluster.local` | +| `federation.enabled` | Flag to enable federation | `false` | +| `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` | +| `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` | +| `federation.ingress.enabled` | Flag to enable ingress for federation | `false` | +| `federation.ingress.className` | Ingress class name for federation | `""` | +| `federation.ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. 
| `""` |
+| `federation.ingress.annotations` | Annotations for the ingress object | `{}` |
+| `federation.ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server-federation` |
+| `federation.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
+| `federation.ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` |
+| `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` |
+| `ca_subject.country` | Country for Spire server CA | `ARPA` |
+| `ca_subject.organization` | Organization for Spire server CA | `Example` |
+| `ca_subject.common_name` | Common Name for Spire server CA | `example.org` |
+| `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` |
+| `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` |
+| `keyManager.awsKMS.enabled` | Flag to enable keyManager in memory | `false` |
+| `keyManager.awsKMS.region` | Specify the region for AWS KMS | `""` |
+| `keyManager.awsKMS.keyPolicy` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | |
+| `keyManager.awsKMS.keyPolicy.policy` | Key policy in JSON format. | `""` |
+| `keyManager.awsKMS.keyPolicy.existingConfigMap` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | `""` |
+| `keyManager.awsKMS.accessKeyID` | Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. | `""` |
+| `keyManager.awsKMS.secretAccessKey` | Secret access key for the AWS account. | `""` |
+| `upstreamAuthority.disk.enabled` | Flag to enable upstream authority plugin on disk | `false` |
+| `upstreamAuthority.disk.secret.create` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | `true` |
+| `upstreamAuthority.disk.secret.name` | If secret creation is disabled, the secret with this name will be used. | `spiffe-upstream-ca` |
+| `upstreamAuthority.disk.secret.data` | If secret creation is enabled, will create a secret with following certificate info | |
+| `upstreamAuthority.disk.secret.data.certificate` | Certificate to store within disk upstreamAuthority. | `""` |
+| `upstreamAuthority.disk.secret.data.key` | Key corresponding to the upstreamAuthority. | `""` |
+| `upstreamAuthority.disk.secret.data.bundle` | Trust bundle for upstreamAuthority. | `""` |
+| `upstreamAuthority.awsPCA.enabled` | Flag to enable upstream authority plugin with AWS PCA | `false` |
+| `upstreamAuthority.awsPCA.region` | AWS Region to use | `""` |
+| `upstreamAuthority.awsPCA.certificateAuthorityARN` | ARN of the "upstream" CA certificate | `""` |
+| `upstreamAuthority.awsPCA.assumeRoleARN` | (Optional) ARN of an IAM role to assume | `""` |
+| `upstreamAuthority.awsPCA.caSigningTemplateARN` | (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. | `""` |
+| `upstreamAuthority.awsPCA.signingAlgorithm` | (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. | `""` |
+| `upstreamAuthority.awsPCA.endpoint` | (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. | `""` |
+| `upstreamAuthority.awsPCA.supplementalBundlePath` | (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. | `""` |
+| `upstreamAuthority.certManager.enabled` | Flag to enable upstream authority plugin with cert manager | `false` |
+| `upstreamAuthority.certManager.rbac.create` | Flag to create RBAC roles | `true` |
+| `upstreamAuthority.certManager.issuer_name` | Defaults to the release name, override if CA is provided outside of the chart | `""` |
+| `upstreamAuthority.certManager.issuer_kind` | Defaults to "Issuer", override if CA is provided outside of the chart | `Issuer` |
+| `upstreamAuthority.certManager.issuer_group` | Defaults to "cert-manager.io", override if CA is provided outside of the chart | `cert-manager.io` |
+| `upstreamAuthority.certManager.namespace` | Specify to use a namespace other then the one the chart is installed into | `""` |
+| `upstreamAuthority.certManager.kube_config_file` | Path to kube_config_file on node to setup cert manager | `""` |
+| `upstreamAuthority.certManager.ca.create` | Creates a Cert-Manager CA | `false` |
+| `upstreamAuthority.certManager.ca.duration` | Duration of the CA. Defaults to 10 years | `87600h` |
+| `upstreamAuthority.certManager.ca.privateKey.algorithm` | Algorithm to generate private key for CA | `ECDSA` |
+| `upstreamAuthority.certManager.ca.privateKey.size` | Size of generated private key for CA | `256` |
+| `upstreamAuthority.certManager.ca.privateKey.rotationPolicy` | Rotation policy for generated private key | `""` |
+| `upstreamAuthority.certManager.ca.renewBefore` | How long to wait before renewing the CA | `""` |
+| `upstreamAuthority.spire.enabled` | Flag to use another Spire install as upstream CA | `false` |
+| `upstreamAuthority.spire.upstreamDriver` | Driver for Spire as upstream CA | `""` |
+| `upstreamAuthority.spire.server` | Server details for the Spire instance use as upstream CA | |
+| `upstreamAuthority.spire.server.address` | Address for upstream Spire server | `""` |
+| `upstreamAuthority.spire.server.port` | Port for upstream Spire server | `8081` |
+| `upstreamAuthority.vault.enabled` | Enable Hashicorp Vault as upstream CA | `false` |
+| `upstreamAuthority.vault.vaultAddr` | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `""` |
+| `upstreamAuthority.vault.namespace` | Name of the Vault namespace. This is only available in the Vault Enterprise. | `""` |
+| `upstreamAuthority.vault.pkiMountPoint` | Name of the mount point where PKI secret engine is mounted | `pki` |
+| `upstreamAuthority.vault.insecureSkipVerify` | If true, caCert options are ignored and Spire accepts any server certificates claiming to be Vault | `false` |
+| `upstreamAuthority.vault.caCert.type` | Type of resource representing the Vault server certificate, options are 'Secret' or 'Configmap', the item must be named `ca.crt` | `Secret` |
+| `upstreamAuthority.vault.caCert.name` | Name of the Kubernetes resource containing the Vault server certificate | `vault-ca` |
+| `upstreamAuthority.vault.k8sAuth.enabled` | Enable k8s authentication to Hashicorp Vault | `false` |
+| `upstreamAuthority.vault.k8sAuth.k8sAuthMountPoint` | Name of the mount point where the Kubernetes auth method is mounted | `kubernetes` |
+| `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` |
+| `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault` |
+| `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` |
+| `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` |
+| `controllerManager.enabled` | Flag to enable controller manager | `false` |
+| `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. | `""` |
+| `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` |
+| `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
+| `controllerManager.deleteHook.enabled` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) | `true` |
+| `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` |
+| `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` |
+| `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` |
+| `controllerManager.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
+| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.4.0` |
+| `controllerManager.resources` | Resource requests and limits for controller manager | `{}` |
+| `controllerManager.securityContext` | Security context | `{}` |
+| `controllerManager.service.type` | Service type for controller manager | `ClusterIP` |
+| `controllerManager.service.port` | Service port for controller manager | `443` |
+| `controllerManager.service.annotations` | Annotations for service resource | `{}` |
+| `controllerManager.configMap.annotations` | Annotations to add to the Controller Manager ConfigMap | `{}` |
+| `controllerManager.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable this identity for controller manager | `true` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate` | Spiffe ID template for identities | `spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.podSelector` | Selector for pods to issue identity | `{}` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector` | Selector for namespacs to issue identity | `{}` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.dnsNameTemplates` | DNS name template for issued identities | `[]` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.federatesWith` | Other Spire server URLs for identity federation | `[]` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.workloadSelectorTemplates` | Templates to produce selectors that apply to a given workload before it will receive an ID | `[]` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.ttl` | Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen. | `""` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.jwtTTL` | Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen. | `""` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` |
+| `controllerManager.identities.clusterStaticEntries` | Specify ClusterStaticEntry objects. | `{}` |
+| `controllerManager.identities.clusterFederatedTrustDomains` | Specify ClusterFederatedTrustDomain objects. | `{}` |
+| `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` |
+| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
+| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
+| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
+| `tools.kubectl.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
+| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
+| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` |
+| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` |
+| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` |
+| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` |
+| `ingress.enabled` | Flag to enable ingress | `false` |
+| `ingress.className` | Ingress class name | `""` |
+| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
+| `ingress.annotations` | Annotations for the ingress object | `{}` |
+| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server` |
+| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
+| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` |
+| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` |
+| `extraVolumes` | Extra volumes to be mounted | `[]` |
+| `extraVolumeMounts` | Extra volume mounts | `[]` |
+| `extraContainers` | Additional containers to create | `[]` |
+| `initContainers` | Additional init containers to create | `[]` |
+| `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) | `rsa-2048` |
+| `caTTL` | TTL for CA | `24h` |
+| `defaultX509SvidTTL` | TTL for X509 Svids | `4h` |
+| `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` |
+| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` |
+| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` |
 ### Tornjak
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
index f82e48b23..8670f7332 100644
--- a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
@@ -1,42 +1,68 @@
 {{- $root := . }}
-{{- with .Values.controllerManager }}
-{{- if and (eq (.enabled | toString) "true") (eq (.identities.enabled | toString) "true") }}
+{{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }}
+{{- range $skey, $svalue := $value }}
+{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames")) }}
+{{- fail (printf "Unsupported property specified: %s" $skey) }}
+{{- end }}
+{{- end }}
+{{- range $rprop := list "spiffeIDTemplate" }}
+{{- if not (hasKey $value $rprop) }}
+{{- fail (printf "Required property %s was not specified" $rprop) }}
+{{- end }}
+{{- end }}
+{{- if eq ($root.Values.controllerManager.enabled | toString) "true" }}
+{{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
+---
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
 metadata:
- name: {{ $root.Release.Namespace }}-{{ include "spire-controller-manager.fullname" $root }}-service-account-based
- namespace: {{ include "spire-server.namespace" $root }}
+ name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }}
+ {{- with $value.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
- spiffeIDTemplate: {{ .identities.spiffeIDTemplate | quote }}
- {{- with .identities.federatesWith }}
+ className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+ spiffeIDTemplate: {{ $value.spiffeIDTemplate | quote }}
+ {{- with $value.federatesWith }}
 federatesWith:
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with .identities.podSelector }}
+ {{- with $value.podSelector }}
 podSelector:
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with .identities.namespaceSelector }}
+ {{- with $value.namespaceSelector }}
 namespaceSelector:
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with .identities.dnsNameTemplates }}
+ {{- with $value.dnsNameTemplates }}
 dnsNameTemplates:
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with .identities.workloadSelectorTemplates }}
+ {{- with $value.workloadSelectorTemplates }}
 workloadSelectorTemplates:
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with .identities.ttl }}
+ {{- with $value.ttl }}
 ttl: {{ . | quote }}
 {{- end }}
- {{- with .identities.jwtTTL }}
+ {{- with $value.jwtTTL }}
 jwtTtl: {{ . | quote }}
 {{- end }}
- admin: {{ .identities.admin }}
- downstream: {{ .identities.downstream }}
- autoPopulateDNSNames: {{ .identities.autoPopulateDNSNames }}
- className: {{ include "spire-server.controller-manager-class-name" $root | quote}}
-{{- end }}
+ {{- with $value.admin }}
+ admin: {{ . }}
+ {{- end }}
+ {{- with $value.downstream }}
+ downstream: {{ . }}
+ {{- end }}
+ {{- with $value.autoPopulateDNSNames }}
+ autoPopulateDNSNames: {{ . }}
+ {{- end }}
+{{- end }}
+{{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml b/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml
new file mode 100644
index 000000000..1c2b659a0
--- /dev/null
+++ b/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml
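Review bot: The allow-list in the new `has $skey (list …)` check accepts a `name` key, but nothing in the hunk reads `$value.name`; `metadata.name` is built from `$key`, so a user-supplied `name` is silently ignored rather than rejected. Either drop `"name"` from the list or use it, and the same unused entry appears in the controller-manager-ftd.yaml and controller-manager-static-entries.yaml hunks. `$key` is also interpolated into `metadata.name` unchecked, so a key that is not a valid DNS subdomain only fails at apply time; a `regexMatch` guard with `{{- fail }}` next to the required-property loop would surface it at template time. Because the rendered name changes from `…-service-account-based` to `…-{{ $key }}`, the upgrade presumably replaces the existing ClusterSPIFFEID rather than patching it, which is worth a sentence in the 0.16.X upgrade note.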
@@ -0,0 +1,45 @@
+{{- $root := . }}
+{{- range $key, $value := .Values.controllerManager.identities.clusterFederatedTrustDomains }}
+{{- range $skey, $svalue := $value }}
+{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "bundleEndpointProfile" "bundleEndpointURL" "trustDomain" "trustDomainBundle")) }}
+{{- fail (printf "Unsupported property specified: %s" $skey) }}
+{{- end }}
+{{- end }}
+{{- range $rprop := list "bundleEndpointProfile" "bundleEndpointURL" "trustDomain" }}
+{{- if not (hasKey $value $rprop) }}
+{{- fail (printf "Required property %s was not specified" $rprop) }}
+{{- end }}
+{{- end }}
+{{- if eq ($root.Values.controllerManager.enabled | toString) "true" }}
+{{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
+---
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterFederatedTrustDomain
+metadata:
+ name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }}
+ {{- with $value.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+ {{- with $value.bundleEndpointProfile }}
+ bundleEndpointProfile:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.bundleEndpointURL }}
+ bundleEndpointURL: {{ . | quote }}
+ {{- end }}
+ {{- with $value.trustDomain }}
+ trustDomain: {{ . | quote }}
+ {{- end }}
+ {{- with $value.trustDomainBundle }}
+ trustDomainBundle: {{ . | quote }}
+ {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml b/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml
new file mode 100644
index 000000000..47629c4a4
--- /dev/null
+++ b/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml
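Review bot: The required-property loop only tests `hasKey`, so `trustDomain: ""`, `bundleEndpointURL: ""` or `bundleEndpointProfile: {}` pass validation and the `{{- with }}` guards further down then drop the field from the rendered ClusterFederatedTrustDomain, leaving the CRD to reject it at apply time instead of at `helm template`. Tightening the check to `{{- if or (not (hasKey $value $rprop)) (empty (index $value $rprop)) }}` makes the failure explicit, after which the three `with` wrappers around required fields can become plain assignments such as `trustDomain: {{ $value.trustDomain | quote }}`. The same `hasKey`-only pattern is in the controller-manager-cluster-ids.yaml and controller-manager-static-entries.yaml hunks. Since a ClusterFederatedTrustDomain decides which remote bundle this server will trust, a header comment naming the three required keys and what `trustDomainBundle` bootstraps would help anyone reading the values file.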
@@ -0,0 +1,63 @@
+{{- $root := . }}
+{{- range $key, $value := .Values.controllerManager.identities.clusterStaticEntries }}
+{{- range $skey, $svalue := $value }}
+{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "admin" "dnsNames" "downstream" "federatesWith" "hint" "jwtSVIDTTL" "parentID" "selectors" "spiffeID" "x509SVIDTTL")) }}
+{{- fail (printf "Unsupported property specified: %s" $skey) }}
+{{- end }}
+{{- end }}
+{{- range $rprop := list "spiffeID" "selectors" "parentID" }}
+{{- if not (hasKey $value $rprop) }}
+{{- fail (printf "Required property %s was not specified" $rprop) }}
+{{- end }}
+{{- end }}
+{{- if eq ($root.Values.controllerManager.enabled | toString) "true" }}
+{{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
+---
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterStaticEntry
+metadata:
+ name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }}
+ {{- with $value.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+ spiffeID: {{ $value.spiffeID | quote }}
+ {{- with $value.federatesWith }}
+ federatesWith:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.selectors }}
+ selectors:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.parentID }}
+ parentID: {{ . | quote }}
+ {{- end }}
+ {{- with $value.dnsNames }}
+ dnsNames:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.hint }}
+ hint: {{ . | quote }}
+ {{- end }}
+ {{- with $value.x509SVIDTTL }}
+ x509SVIDTTL: {{ . | quote }}
+ {{- end }}
+ {{- with $value.jwtSVIDTTL }}
+ jwtSVIDTTL: {{ . | quote }}
+ {{- end }}
+ {{- with $value.admin }}
+ admin: {{ . }}
+ {{- end }}
+ {{- with $value.downstream }}
+ downstream: {{ . }}
+ {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
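Review bot: `spiffeID`, `selectors` and `parentID` are all listed as required, yet only `spiffeID` is rendered unconditionally; `parentID` and `selectors` sit behind `{{- with }}`, so `parentID: ""` or `selectors: []` pass the `hasKey` check and then vanish from the rendered ClusterStaticEntry, with the error surfacing only when the CRD is applied. Rendering them the same way as spiffeID, `parentID: {{ $value.parentID | quote }}` and an unguarded `selectors:` followed by `{{- toYaml $value.selectors | nindent 4 }}`, keeps the required list honest. A static entry with `admin: true` or `downstream: true` grants the matched workload server-API privileges the same way the default identity's `admin` flag does, so the allow-list line deserves a comment to that effect, e.g. `# admin/downstream grant elevated server access; see the default identity's caveat in values.yaml`.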
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 143cde8c9..170d46e68 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -445,38 +445,70 @@ controllerManager:
 - local-path-storage
 identities:
- ## @param controllerManager.identities.enabled Flag to enable default identities for controller manager
- enabled: true
-
- ## @param controllerManager.identities.spiffeIDTemplate Spiffe ID template for identities
- spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
- ## @param controllerManager.identities.podSelector [object] Selector for pods to issue identity
- podSelector: {}
- # matchLabels:
- # spiffe.io/spiffe-id: "true"
- ## @param controllerManager.identities.namespaceSelector [object] Selector for namespacs to issue identity
- namespaceSelector: {}
- # matchLabels:
- # spiffe.io/spiffe-id: "true"
- ## @param controllerManager.identities.dnsNameTemplates [array] DNS name template for issued identities
- dnsNameTemplates: []
- # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local'
- ## @param controllerManager.identities.federatesWith [array] Other Spire server URLs for identity federation
- federatesWith: []
- # - example.io
- # - example.ai
- ## @param controllerManager.identities.workloadSelectorTemplates [array] Templates to produce selectors that apply to a given workload before it will receive an ID
- workloadSelectorTemplates: []
- ## @param controllerManager.identities.ttl Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen.
- ttl: ""
- ## @param controllerManager.identities.jwtTTL Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen.
- jwtTTL: ""
- ## @param controllerManager.identities.admin Indicates any pod matched by this identity will be an admin. Use this with extreme care.
- admin: false
- ## @param controllerManager.identities.downstream Set if this spire instance is a root server and the workloads are downstream servers.
- downstream: false
- ## @param controllerManager.identities.autoPopulateDNSNames Auto populate DNS names from services attached to pods
- autoPopulateDNSNames: false
+ clusterSPIFFEIDs:
+ # NOTE you can add multiple uniquely named entries to create multiple ClusterSPIFFEID objects. See example below.
+ default:
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable this identity for controller manager
+ enabled: true
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate Spiffe ID template for identities
+ spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.podSelector [object] Selector for pods to issue identity
+ podSelector: {}
+ # matchLabels:
+ # spiffe.io/spiffe-id: "true"
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector [object] Selector for namespacs to issue identity
+ namespaceSelector: {}
+ # matchLabels:
+ # spiffe.io/spiffe-id: "true"
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.dnsNameTemplates [array] DNS name template for issued identities
+ dnsNameTemplates: []
+ # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local'
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.federatesWith [array] Other Spire server URLs for identity federation
+ federatesWith: []
+ # - example.io
+ # - example.ai
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.workloadSelectorTemplates [array] Templates to produce selectors that apply to a given workload before it will receive an ID
+ workloadSelectorTemplates: []
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.ttl Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen.
+ ttl: ""
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.jwtTTL Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen.
+ jwtTTL: ""
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.admin Indicates any pod matched by this identity will be an admin. Use this with extreme care.
+ admin: false
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.downstream Set if this spire instance is a root server and the workloads are downstream servers.
+ downstream: false
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames Auto populate DNS names from services attached to pods
+ autoPopulateDNSNames: false
+
+ # You can specify additional ClusterSPIFFEIDs following this example:
+ # foo:
+ # labels:
+ # foo: bar
+ # spiffeIDTemplate: spiffe://{{ .TrustDomain }}/foo
+ # namespaceSelector:
+ # matchLabels:
+ # foo: bar
+
+ ## @param controllerManager.identities.clusterStaticEntries Specify ClusterStaticEntry objects.
+ clusterStaticEntries: {}
+ # foo:
+ # labels:
+ # foo: bar
+ # parentID: spiffe://example.com/bar
+ # spiffeID: spiffe://example.com/foo
+ # selectors:
+ # - k8s:pod-label:app.kubernetes.io/name:server
+
+ ## @param controllerManager.identities.clusterFederatedTrustDomains Specify ClusterFederatedTrustDomain objects.
+ clusterFederatedTrustDomains: {}
+ # foo:
+ # labels:
+ # foo: bar
+ # bundleEndpointProfile:
+ # endpointSPIFFEID: spiffe://example.com/foo
+ # type: https_spiffe
+ # bundleEndpointURL: https://rootserver.example.com:1234
+ # trustDomain: example.com
 validatingWebhookConfiguration:
 ## @param controllerManager.validatingWebhookConfiguration.failurePolicy Action when identity is not issued
diff --git a/examples/nested/values.yaml b/examples/nested/values.yaml
index d24df6ea4..0a26f7334 100644
--- a/examples/nested/values.yaml
+++ b/examples/nested/values.yaml
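Review bot: The two new `## @param` lines for `clusterStaticEntries` and `clusterFederatedTrustDomains` say only "Specify … objects.", so the generated README gives no hint which keys each entry accepts or that a static entry's `admin`/`downstream` keys carry the same privilege as the default identity's `admin`, which this hunk documents with "Use this with extreme care." Suggest extending the first to `## @param controllerManager.identities.clusterStaticEntries Specify ClusterStaticEntry objects (keys: spiffeID, parentID, selectors, plus optional admin/downstream which grant elevated access; use with extreme care).` and the second to list `bundleEndpointProfile`, `bundleEndpointURL`, `trustDomain` and `trustDomainBundle`. The `clusterFederatedTrustDomains` example shows an `https_spiffe` profile with no `trustDomainBundle`; if that profile needs a bootstrap bundle, as I believe it does, the example should show one or say where it comes from. The `identities:` block is fully inside this hunk.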
@@ -11,7 +11,9 @@ spire-server:
 controllerManager:
 enabled: true
 identities:
- spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+ clusterSPIFFEIDs:
+ default:
+ spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
 spiffe-oidc-discovery-provider:
 enabled: true
diff --git a/examples/production/run-tests.sh b/examples/production/run-tests.sh
index 5ef92b62b..a60342a05 100755
--- a/examples/production/run-tests.sh
+++ b/examples/production/run-tests.sh
@@ -2,7 +2,7 @@
 set -xe
-UPGRADE_VERSION=v0.14.0
+UPGRADE_VERSION=v0.15.1
 UPGRADE_REPO=https://spiffe.github.io/helm-charts-hardened
 SCRIPT="$(readlink -f "$0")"