-
Notifications
You must be signed in to change notification settings - Fork 248
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
deploy: add spire manifests in helm and kustomize
Signed-off-by: TessaIO <[email protected]>
- Loading branch information
Showing
33 changed files
with
757 additions
and
390 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
26 changes: 26 additions & 0 deletions
26
deployment/helm/node-feature-discovery/templates/spire-agent-cluster-role.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| # Required cluster role to allow spire-agent to query k8s API server | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: spire-agent-cluster-role | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["pods","nodes","nodes/proxy"] | ||
| verbs: ["get"] | ||
|
|
||
| --- | ||
| # Binds above cluster role to spire-agent service account | ||
| kind: ClusterRoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: spire-agent-cluster-role-binding | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: spire-agent | ||
| namespace: {{ include "node-feature-discovery.namespace" . }} | ||
| roleRef: | ||
| kind: ClusterRole | ||
| name: spire-agent-cluster-role | ||
| apiGroup: rbac.authorization.k8s.io | ||
| {{- end }} |
45 changes: 45 additions & 0 deletions
45
deployment/helm/node-feature-discovery/templates/spire-agent-configmap.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: spire-agent | ||
| data: | ||
| agent.conf: | | ||
| agent { | ||
| data_dir = "/run/spire" | ||
| log_level = "DEBUG" | ||
| server_address = "spire-server" | ||
| server_port = "8081" | ||
| socket_path = "/run/spire/sockets/agent.sock" | ||
| trust_bundle_path = "/run/spire/bundle/bundle.crt" | ||
| trust_domain = "nfd.com" | ||
| } | ||
| plugins { | ||
| NodeAttestor "k8s_sat" { | ||
| plugin_data { | ||
| cluster = "nfd" | ||
| } | ||
| } | ||
| KeyManager "memory" { | ||
| plugin_data { | ||
| } | ||
| } | ||
| WorkloadAttestor "k8s" { | ||
| plugin_data { | ||
| skip_kubelet_verification = true | ||
| node_name_env = "MY_NODE_NAME" | ||
| } | ||
| } | ||
| WorkloadAttestor "unix" { | ||
| plugin_data { | ||
| } | ||
| } | ||
| } | ||
| health_checks { | ||
| listener_enabled = true | ||
| bind_address = "0.0.0.0" | ||
| bind_port = "8080" | ||
| live_path = "/live" | ||
| ready_path = "/ready" | ||
| } | ||
| {{- end }} |
57 changes: 57 additions & 0 deletions
57
deployment/helm/node-feature-discovery/templates/spire-agent-daemonset.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: apps/v1 | ||
| kind: DaemonSet | ||
| metadata: | ||
| name: spire-agent | ||
| labels: | ||
| app: spire-agent | ||
| spec: | ||
| selector: | ||
| matchLabels: | ||
| app: spire-agent | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: spire-agent | ||
| spec: | ||
| hostPID: true | ||
| hostNetwork: true | ||
| dnsPolicy: ClusterFirstWithHostNet | ||
| serviceAccountName: spire-agent | ||
| initContainers: | ||
| - name: init | ||
| # This is a small image with wait-for-it, choose whatever image | ||
| # you prefer that waits for a service to be up. This image is built | ||
| # from https://github.com/lqhl/wait-for-it | ||
| image: cgr.dev/chainguard/wait-for-it | ||
| args: ["-t", "30", "spire-server:8081"] | ||
| containers: | ||
| - name: spire-agent | ||
| image: ghcr.io/spiffe/spire-agent:1.5.1 | ||
| args: ["-config", "/run/spire/config/agent.conf"] | ||
| env: | ||
| - name: MY_NODE_NAME | ||
| valueFrom: | ||
| fieldRef: | ||
| fieldPath: status.podIP | ||
| volumeMounts: | ||
| - name: spire-config | ||
| mountPath: /run/spire/config | ||
| readOnly: true | ||
| - name: spire-bundle | ||
| mountPath: /run/spire/bundle | ||
| - name: spire-agent-socket | ||
| mountPath: /run/spire/sockets | ||
| readOnly: false | ||
| volumes: | ||
| - name: spire-config | ||
| configMap: | ||
| name: spire-agent | ||
| - name: spire-bundle | ||
| configMap: | ||
| name: spire-bundle | ||
| - name: spire-agent-socket | ||
| hostPath: | ||
| path: /run/spire/sockets | ||
| type: DirectoryOrCreate | ||
| {{- end }} |
6 changes: 6 additions & 0 deletions
6
deployment/helm/node-feature-discovery/templates/spire-agent-service-account.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: spire-agent | ||
| {{- end }} |
6 changes: 6 additions & 0 deletions
6
deployment/helm/node-feature-discovery/templates/spire-bundle-configmap.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: spire-bundle | ||
| {{- end }} |
50 changes: 50 additions & 0 deletions
50
deployment/helm/node-feature-discovery/templates/spire-server-cluster-role.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| # Role (namespace scoped) to be able to push certificate bundles to a configmap | ||
| kind: Role | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: spire-server-configmap-role | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["configmaps"] | ||
| verbs: ["patch", "get", "list"] | ||
| --- | ||
| # Binds above role to spire-server service account | ||
| kind: RoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: spire-server-configmap-role-binding | ||
| namespace: {{ include "node-feature-discovery.namespace" . }} | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: spire-server | ||
| namespace: {{ include "node-feature-discovery.namespace" . }} | ||
| roleRef: | ||
| apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: spire-server-configmap-role | ||
| --- | ||
| # ClusterRole to allow spire-server node attestor to query Token Review API | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: spire-server-trust-role | ||
| rules: | ||
| - apiGroups: ["authentication.k8s.io"] | ||
| resources: ["tokenreviews"] | ||
| verbs: ["create"] | ||
| --- | ||
| # Binds above cluster role to spire-server service account | ||
| kind: ClusterRoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: spire-server-trust-role-binding | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: spire-server | ||
| namespace: {{ include "node-feature-discovery.namespace" . }} | ||
| roleRef: | ||
| kind: ClusterRole | ||
| name: spire-server-trust-role | ||
| apiGroup: rbac.authorization.k8s.io | ||
| {{- end }} |
58 changes: 58 additions & 0 deletions
58
deployment/helm/node-feature-discovery/templates/spire-server-configmap.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: spire-server | ||
| data: | ||
| server.conf: | | ||
| server { | ||
| bind_address = "0.0.0.0" | ||
| bind_port = "8081" | ||
| socket_path = "/tmp/spire-server/private/api.sock" | ||
| trust_domain = "nfd.com" | ||
| data_dir = "/run/spire/data" | ||
| log_level = "DEBUG" | ||
| #AWS requires the use of RSA. EC cryptography is not supported | ||
| ca_key_type = "rsa-2048" | ||
| ca_subject = { | ||
| country = ["US"], | ||
| organization = ["SPIFFE"], | ||
| common_name = "nfd.com", | ||
| } | ||
| } | ||
| plugins { | ||
| DataStore "sql" { | ||
| plugin_data { | ||
| database_type = "sqlite3" | ||
| connection_string = "/run/spire/data/datastore.sqlite3" | ||
| } | ||
| } | ||
| NodeAttestor "k8s_sat" { | ||
| plugin_data { | ||
| clusters = { | ||
| "nfd" = { | ||
| use_token_review_api_validation = true | ||
| service_account_allow_list = ["{{ include "node-feature-discovery.namespace" . }}:spire-agent"] | ||
| } | ||
| } | ||
| } | ||
| } | ||
| KeyManager "disk" { | ||
| plugin_data { | ||
| keys_path = "/run/spire/data/keys.json" | ||
| } | ||
| } | ||
| Notifier "k8sbundle" { | ||
| plugin_data { | ||
| namespace = "{{ include "node-feature-discovery.namespace" . }}" | ||
| } | ||
| } | ||
| } | ||
| health_checks { | ||
| listener_enabled = true | ||
| bind_address = "0.0.0.0" | ||
| bind_port = "8080" | ||
| live_path = "/live" | ||
| ready_path = "/ready" | ||
| } | ||
| {{- end }} |
6 changes: 6 additions & 0 deletions
6
deployment/helm/node-feature-discovery/templates/spire-server-service-account.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: spire-server | ||
| {{- end }} |
15 changes: 15 additions & 0 deletions
15
deployment/helm/node-feature-discovery/templates/spire-server-service.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: v1 | ||
| kind: Service | ||
| metadata: | ||
| name: spire-server | ||
| spec: | ||
| type: NodePort | ||
| ports: | ||
| - name: grpc | ||
| port: 8081 | ||
| targetPort: 8081 | ||
| protocol: TCP | ||
| selector: | ||
| app: spire-server | ||
| {{- end }} |
62 changes: 62 additions & 0 deletions
62
deployment/helm/node-feature-discovery/templates/spire-server-statefulset.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| {{- if .Values.spiffe.enable }} | ||
| apiVersion: apps/v1 | ||
| kind: StatefulSet | ||
| metadata: | ||
| name: spire-server | ||
| labels: | ||
| app: spire-server | ||
| spec: | ||
| replicas: 1 | ||
| selector: | ||
| matchLabels: | ||
| app: spire-server | ||
| serviceName: spire-server | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: spire-server | ||
| spec: | ||
| serviceAccountName: spire-server | ||
| containers: | ||
| - name: spire-server | ||
| image: ghcr.io/spiffe/spire-server:1.5.1 | ||
| args: | ||
| - -config | ||
| - /run/spire/config/server.conf | ||
| ports: | ||
| - containerPort: 8081 | ||
| volumeMounts: | ||
| - name: spire-config | ||
| mountPath: /run/spire/config | ||
| readOnly: true | ||
| - name: spire-data | ||
| mountPath: /run/spire/data | ||
| readOnly: false | ||
| livenessProbe: | ||
| httpGet: | ||
| path: /live | ||
| port: 8080 | ||
| failureThreshold: 2 | ||
| initialDelaySeconds: 15 | ||
| periodSeconds: 60 | ||
| timeoutSeconds: 3 | ||
| readinessProbe: | ||
| httpGet: | ||
| path: /ready | ||
| port: 8080 | ||
| initialDelaySeconds: 5 | ||
| periodSeconds: 5 | ||
| volumes: | ||
| - name: spire-config | ||
| configMap: | ||
| name: spire-server | ||
| volumeClaimTemplates: | ||
| - metadata: | ||
| name: spire-data | ||
| spec: | ||
| accessModes: | ||
| - ReadWriteOnce | ||
| resources: | ||
| requests: | ||
| storage: 1Gi | ||
| {{- end }} |
Oops, something went wrong.