deploy: add spire manifests in helm and kustomize
Signed-off-by: TessaIO <[email protected]>
TessaIO committed Apr 14, 2024
1 parent 05e90d0 commit b60483c
Showing 31 changed files with 741 additions and 8 deletions.
Expand Up @@ -6,6 +6,7 @@
# enableTaints: false
# labelWhiteList: "foo"
# resyncPeriod: "2h"
# enableSpiffe: true
# klog:
# addDirHeader: false
# alsologtostderr: false
Expand Up @@ -2,6 +2,7 @@
# labelWhiteList:
# noPublish: false
# sleepInterval: 60s
# enableSpiffe: true
# featureSources: [all]
# labelSources: [all]
# klog:
14 changes: 14 additions & 0 deletions deployment/helm/node-feature-discovery/templates/master.yaml
Expand Up @@ -115,12 +115,20 @@ spec:
- "-feature-gates={{ $key }}={{ $value }}"
{{- end }}
- "-metrics={{ .Values.master.metricsPort | default "8081" }}"
{{- if .Values.spiffe.enable }}
- "-enable-spiffe"
{{- end }}
volumeMounts:
{{- if .Values.tls.enable }}
- name: nfd-master-cert
mountPath: "/etc/kubernetes/node-feature-discovery/certs"
readOnly: true
{{- end }}
{{- if .Values.spiffe.enable }}
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: true
{{- end }}
- name: nfd-master-conf
mountPath: "/etc/kubernetes/node-feature-discovery"
readOnly: true
Expand All @@ -130,6 +138,12 @@ spec:
secret:
secretName: nfd-master-cert
{{- end }}
{{- if .Values.spiffe.enable }}
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: Directory
{{- end }}
- name: nfd-master-conf
configMap:
name: {{ include "node-feature-discovery.fullname" . }}-master-conf
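Review bot: The `spire-agent-socket` hostPath added in the second hunk uses `type: Directory`, while the spire-agent DaemonSet in this same commit mounts the identical path with `type: DirectoryOrCreate`; on a node where the agent has not yet created `/run/spire/sockets`, nfd-master's volume setup fails and the pod sits in ContainerCreating until the agent does, whereas the agent's variant would let the container start and fail at connect time instead. If fail-fast on a missing agent is the intent, a comment such as `# type: Directory: refuse to start until the spire-agent DaemonSet has created the socket dir` would make that deliberate rather than looking like an inconsistency. The `readOnly: true` on the socket mount is fine as written: a read-only bind mount does not prevent connecting to a Unix socket inside it. The container spec enclosing both hunks starts outside the diff.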
@@ -0,0 +1,26 @@
{{- if .Values.spiffe.enable }}
# Required cluster role to allow spire-agent to query k8s API server
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-agent-cluster-role
rules:
- apiGroups: [""]
resources: ["pods","nodes","nodes/proxy"]
verbs: ["get"]

---
# Binds above cluster role to spire-agent service account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-agent-cluster-role-binding
subjects:
- kind: ServiceAccount
name: spire-agent
namespace: {{ include "node-feature-discovery.namespace" . }}
roleRef:
kind: ClusterRole
name: spire-agent-cluster-role
apiGroup: rbac.authorization.k8s.io
{{- end }}
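Review bot: The cluster-scoped names `spire-agent-cluster-role` and `spire-agent-cluster-role-binding` are not prefixed with the release, unlike `{{ include "node-feature-discovery.fullname" . }}-master-conf` in master.yaml, so a second release of this chart with `spiffe.enable` set fails on the already-existing ClusterRole; the same applies to `spire-server-trust-role` and its binding in the server RBAC template. Using `name: {{ include "node-feature-discovery.fullname" . }}-spire-agent` for the ClusterRole (and the matching `roleRef.name`) avoids the collision. The `get` on `nodes/proxy` grants read access to the kubelet API of every node through the apiserver; the comment above the ClusterRole should say that this is what the k8s WorkloadAttestor needs to fetch the node's pod list, so the breadth of the grant is visibly justified rather than copied.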
@@ -0,0 +1,45 @@
{{- if .Values.spiffe.enable }}
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-agent
data:
agent.conf: |
agent {
data_dir = "/run/spire"
log_level = "DEBUG"
server_address = "spire-server"
server_port = "8081"
socket_path = "/run/spire/sockets/agent.sock"
trust_bundle_path = "/run/spire/bundle/bundle.crt"
trust_domain = "nfd.com"
}
plugins {
NodeAttestor "k8s_sat" {
plugin_data {
cluster = "nfd"
}
}
KeyManager "memory" {
plugin_data {
}
}
WorkloadAttestor "k8s" {
plugin_data {
skip_kubelet_verification = true
node_name_env = "MY_NODE_NAME"
}
}
WorkloadAttestor "unix" {
plugin_data {
}
}
}
health_checks {
listener_enabled = true
bind_address = "0.0.0.0"
bind_port = "8080"
live_path = "/live"
ready_path = "/ready"
}
{{- end }}
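Review bot: `skip_kubelet_verification = true` in the k8s WorkloadAttestor turns off TLS verification of the kubelet the agent queries for pod identities, so a spoofed kubelet endpoint could feed it false workload metadata; the attestor supports verifying the kubelet via `kubelet_ca_path` instead, or at minimum the line deserves a comment stating why unverified access is acceptable here. `log_level = "DEBUG"` is a surprising shipped default for an identity component, since attestation details are logged verbosely. `trust_domain = "nfd.com"` and `cluster = "nfd"` are hard-coded here and repeated in the spire-server ConfigMap; surfacing them as chart values (for example a `.Values.spiffe.trustDomain`, name to be chosen) would keep the two templates from drifting apart.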
@@ -0,0 +1,57 @@
{{- if .Values.spiffe.enable }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: spire-agent
labels:
app: spire-agent
spec:
selector:
matchLabels:
app: spire-agent
template:
metadata:
labels:
app: spire-agent
spec:
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: spire-agent
initContainers:
- name: init
# This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built
# from https://github.com/lqhl/wait-for-it
image: cgr.dev/chainguard/wait-for-it
args: ["-t", "30", "spire-server:8081"]
containers:
- name: spire-agent
image: ghcr.io/spiffe/spire-agent:1.5.1
args: ["-config", "/run/spire/config/agent.conf"]
env:
- name: MY_NODE_NAME
valueFrom:
fieldRef:
fieldPath: status.podIP
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: spire-bundle
mountPath: /run/spire/bundle
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: false
volumes:
- name: spire-config
configMap:
name: spire-agent
- name: spire-bundle
configMap:
name: spire-bundle
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: DirectoryOrCreate
{{- end }}
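Review bot: `MY_NODE_NAME` is populated from `fieldPath: status.podIP`, but the agent ConfigMap consumes it as `node_name_env`, which the k8s WorkloadAttestor treats as the node's name; the SPIRE reference deployment uses `fieldPath: spec.nodeName` here, and with `hostNetwork: true` the IP merely happens to reach the kubelet, which is presumably tied to the `skip_kubelet_verification = true` setting. Switching to `fieldPath: spec.nodeName` is a one-line change that makes kubelet verification possible. The init container image `cgr.dev/chainguard/wait-for-it` carries neither tag nor digest, so it floats with the registry's latest, and the comment above it credits github.com/lqhl/wait-for-it, a different source than the image actually pulled. The `spire-bundle` mount lacks `readOnly: true` although the agent only reads the bundle from it.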
@@ -0,0 +1,6 @@
{{- if .Values.spiffe.enable }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-agent
{{- end }}
@@ -0,0 +1,6 @@
{{- if .Values.spiffe.enable }}
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-bundle
{{- end }}
@@ -0,0 +1,50 @@
{{- if .Values.spiffe.enable }}
# Role (namespace scoped) to be able to push certificate bundles to a configmap
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-configmap-role
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["patch", "get", "list"]
---
# Binds above role to spire-server service account
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-configmap-role-binding
namespace: {{ include "node-feature-discovery.namespace" . }}
subjects:
- kind: ServiceAccount
name: spire-server
namespace: {{ include "node-feature-discovery.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: spire-server-configmap-role
---
# ClusterRole to allow spire-server node attestor to query Token Review API
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-trust-role
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
---
# Binds above cluster role to spire-server service account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-trust-role-binding
subjects:
- kind: ServiceAccount
name: spire-server
namespace: {{ include "node-feature-discovery.namespace" . }}
roleRef:
kind: ClusterRole
name: spire-server-trust-role
apiGroup: rbac.authorization.k8s.io
{{- end }}
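Review bot: `spire-server-configmap-role` grants `patch`, `get` and `list` on every ConfigMap in the namespace, including the chart's own `-master-conf` ConfigMap rendered in master.yaml, although the k8sbundle notifier in the server config only needs to update `spire-bundle`. Scoping the rule with `resourceNames: ["spire-bundle"]` for `get` and `patch` follows least privilege; `list` cannot be restricted by resourceNames, so keep it in a separate rule or drop it if the notifier version in use does not require it. The Role itself has no `metadata.namespace` while its RoleBinding sets one via the namespace helper; harmless under Helm, but inconsistent within the same file.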
@@ -0,0 +1,58 @@
{{- if .Values.spiffe.enable }}
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-server
data:
server.conf: |
server {
bind_address = "0.0.0.0"
bind_port = "8081"
socket_path = "/tmp/spire-server/private/api.sock"
trust_domain = "nfd.com"
data_dir = "/run/spire/data"
log_level = "DEBUG"
#AWS requires the use of RSA. EC cryptography is not supported
ca_key_type = "rsa-2048"
ca_subject = {
country = ["US"],
organization = ["SPIFFE"],
common_name = "nfd.com",
}
}
plugins {
DataStore "sql" {
plugin_data {
database_type = "sqlite3"
connection_string = "/run/spire/data/datastore.sqlite3"
}
}
NodeAttestor "k8s_sat" {
plugin_data {
clusters = {
"nfd" = {
use_token_review_api_validation = true
service_account_allow_list = ["{{ include "node-feature-discovery.namespace" . }}:spire-agent"]
}
}
}
}
KeyManager "disk" {
plugin_data {
keys_path = "/run/spire/data/keys.json"
}
}
Notifier "k8sbundle" {
plugin_data {
namespace = "{{ include "node-feature-discovery.namespace" . }}"
}
}
}
health_checks {
listener_enabled = true
bind_address = "0.0.0.0"
bind_port = "8080"
live_path = "/live"
ready_path = "/ready"
}
{{- end }}
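Review bot: The comment `#AWS requires the use of RSA. EC cryptography is not supported` above `ca_key_type = "rsa-2048"` is carried over from the SPIRE quickstart and has no bearing on this chart; either remove it or replace it with the real reason for overriding SPIRE's default EC key type. The `k8s_sat` NodeAttestor is documented by SPIRE as deprecated in favour of `k8s_psat`, because a plain service-account token is not bound to the node presenting it; if `k8s_sat` is kept for compatibility with the agent config, a comment should say so. `log_level = "DEBUG"` and `bind_address = "0.0.0.0"` are likewise quickstart defaults rather than production choices for a CA. `KeyManager "disk"` stores the CA signing keys unencrypted in `/run/spire/data/keys.json` on the StatefulSet's persistent volume, which is worth stating near the plugin block so operators know what that volume protects.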
@@ -0,0 +1,6 @@
{{- if .Values.spiffe.enable }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-server
{{- end }}
@@ -0,0 +1,15 @@
{{- if .Values.spiffe.enable }}
apiVersion: v1
kind: Service
metadata:
name: spire-server
spec:
type: NodePort
ports:
- name: grpc
port: 8081
targetPort: 8081
protocol: TCP
selector:
app: spire-server
{{- end }}
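Review bot: `type: NodePort` publishes the SPIRE server's gRPC port on every node's host interface, while the only clients introduced by this commit are the in-cluster spire-agent pods, which resolve `spire-server:8081` through cluster DNS; `type: ClusterIP` serves them equally well without exposing the node-attestation endpoint to anything that can reach a node IP. If agents outside the cluster are meant to attest into this server, that should be commented on the Service and paired with a NetworkPolicy.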
@@ -0,0 +1,62 @@
{{- if .Values.spiffe.enable }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: spire-server
labels:
app: spire-server
spec:
replicas: 1
selector:
matchLabels:
app: spire-server
serviceName: spire-server
template:
metadata:
labels:
app: spire-server
spec:
serviceAccountName: spire-server
containers:
- name: spire-server
image: ghcr.io/spiffe/spire-server:1.5.1
args:
- -config
- /run/spire/config/server.conf
ports:
- containerPort: 8081
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: spire-data
mountPath: /run/spire/data
readOnly: false
livenessProbe:
httpGet:
path: /live
port: 8080
failureThreshold: 2
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: spire-config
configMap:
name: spire-server
volumeClaimTemplates:
- metadata:
name: spire-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
{{- end }}
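Review bot: Neither the pod nor the container sets a `securityContext`, even though `spire-data` holds the CA signing keys (`keys.json` per the server ConfigMap) and the SQLite datastore; `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` on the container, plus `runAsNonRoot: true` once the image's default user has been confirmed, would harden the CA pod without functional cost. The `volumeClaimTemplates` entry sets no `storageClassName`, so the chart silently depends on a default StorageClass being present; a comment or a chart value would make that requirement visible. No resource requests or limits are declared for the server container.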