From c68ac7f677cae12458e8b97ee73dc642eff078df Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 17 Jan 2023 12:01:01 +0100 Subject: [PATCH 1/7] Update statement on minimum required spire version Signed-off-by: Marco Franssen --- charts/spire/Chart.yaml | 4 ++-- charts/spire/README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 97a58165..db85d9c4 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,9 +3,9 @@ name: spire description: | A Helm chart for deploying spire-server and spire-agent. - > :warning: Please note this chart requires Projected Service Account Tokens which has to be enabled on your k8s api server. + > **Warning**: Please note this chart requires Projected Service Account Tokens which has to be enabled on your k8s api server. - > :warning: Minimum Spire version is `v1.0.2`. + > **Note**: Minimum Spire version is `v1.5.3`. To enable Projected Service Account Tokens on Docker for Mac/Windows run the following command to SSH into the Docker Desktop K8s VM. diff --git a/charts/spire/README.md b/charts/spire/README.md index 6fc3d0f3..76f12766 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -6,9 +6,9 @@ A Helm chart for deploying spire-server and spire-agent. -> :warning: Please note this chart requires Projected Service Account Tokens which has to be enabled on your k8s api server. +> **Warning**: Please note this chart requires Projected Service Account Tokens which has to be enabled on your k8s api server. -> :warning: Minimum Spire version is `v1.0.2`. +> **Note**: Minimum Spire version is `v1.5.3`. To enable Projected Service Account Tokens on Docker for Mac/Windows run the following command to SSH into the Docker Desktop K8s VM. From 19ff1c9dc53815834fef61bdc12f6a0e0eb2f8c3 Mon Sep 17 00:00:00 2001 
From: Marco Franssen Date: Tue, 17 Jan 2023 11:51:49 +0100 Subject: [PATCH 2/7] Utilize helper function for spire-k8s-workload-registrar Signed-off-by: Marco Franssen --- .../spire/charts/spire-server/templates/_helpers.tpl | 4 ++++ .../templates/k8s-workload-registrar-configmap.yaml | 2 +- .../templates/k8s-workload-registrar-roles.yaml | 12 ++++++------ .../charts/spire-server/templates/statefulset.yaml | 2 +- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index c6de0809..726f40ed 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl @@ -84,3 +84,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} {{- end }} + +{{- define "spire-k8s-workload-registrar.fullname" -}} +{{ include "spire-server.fullname" . | trimSuffix "-server" }}-k8s-workload-registrar +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/k8s-workload-registrar-configmap.yaml b/charts/spire/charts/spire-server/templates/k8s-workload-registrar-configmap.yaml index 17ffead0..5cdcc86b 100644 --- a/charts/spire/charts/spire-server/templates/k8s-workload-registrar-configmap.yaml +++ b/charts/spire/charts/spire-server/templates/k8s-workload-registrar-configmap.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "spire-server.fullname" . }}-k8s-workload-registrar + name: {{ include "spire-k8s-workload-registrar.fullname" . }} namespace: {{ .Release.Namespace }} data: workload-registrar.conf: | diff --git a/charts/spire/charts/spire-server/templates/k8s-workload-registrar-roles.yaml b/charts/spire/charts/spire-server/templates/k8s-workload-registrar-roles.yaml index 7e9ff397..e4022f36 100644 --- a/charts/spire/charts/spire-server/templates/k8s-workload-registrar-roles.yaml 
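Review bot: The new `spire-k8s-workload-registrar.fullname` helper appends 23 characters to `spire-server.fullname` with no truncation, and patch 3 in this series uses the result as a Service name, which must be a DNS-1035 label of at most 63 characters; a long release name or `fullnameOverride` therefore renders an invalid Service with no template-time error. The `trimSuffix "-server"` step is also a silent no-op whenever the fullname does not end in `-server`, which deserves a one-line comment in the define. A conventional form is `{{ include "spire-server.fullname" . | trimSuffix "-server" | printf "%s-k8s-workload-registrar" | trunc 63 | trimSuffix "-" }}`.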
+++ b/charts/spire/charts/spire-server/templates/k8s-workload-registrar-roles.yaml @@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "spire-server.fullname" . }}-k8s-workload-registrar + name: {{ include "spire-k8s-workload-registrar.fullname" . }} rules: - apiGroups: [""] resources: ["pods", "nodes", "endpoints"] @@ -13,11 +13,11 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "spire-server.fullname" . }}-k8s-workload-registrar + name: {{ include "spire-k8s-workload-registrar.fullname" . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ include "spire-server.fullname" . }}-k8s-workload-registrar + name: {{ include "spire-k8s-workload-registrar.fullname" . }} subjects: - kind: ServiceAccount name: {{ include "spire-server.serviceAccountName" . }} @@ -26,7 +26,7 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "spire-server.fullname" . }}-k8s-workload-registrar + name: {{ include "spire-k8s-workload-registrar.fullname" . }} namespace: {{ .Release.Namespace }} rules: - apiGroups: [""] @@ -43,11 +43,11 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "spire-server.fullname" . }}-k8s-workload-registrar + name: {{ include "spire-k8s-workload-registrar.fullname" . }} namespace: {{ .Release.Namespace }} roleRef: kind: Role - name: {{ include "spire-server.fullname" . }}-k8s-workload-registrar + name: {{ include "spire-k8s-workload-registrar.fullname" . }} apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index 8e607e2c..3904a9d2 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml 
@@ -127,7 +127,7 @@ spec: {{- if eq (.Values.k8sWorkloadRegistrar.enabled | toString) "true" }} - name: k8s-workload-registrar-config configMap: - name: {{ include "spire-server.fullname" . }}-k8s-workload-registrar + name: {{ include "spire-k8s-workload-registrar.fullname" . }} {{- end }} volumeClaimTemplates: {{- if eq (.Values.dataStorage.enabled | toString) "true" }} From ac9e5b0e9260f94716911980e56b41de793c6beb Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 17 Jan 2023 11:53:07 +0100 Subject: [PATCH 3/7] Add spire-k8s-registrar service Signed-off-by: Marco Franssen --- .../k8s-workload-registrar-service.yaml | 22 +++++++++++++++++++ .../spire-server/templates/statefulset.yaml | 4 ++++ 2 files changed, 26 insertions(+) create mode 100644 charts/spire/charts/spire-server/templates/k8s-workload-registrar-service.yaml diff --git a/charts/spire/charts/spire-server/templates/k8s-workload-registrar-service.yaml b/charts/spire/charts/spire-server/templates/k8s-workload-registrar-service.yaml new file mode 100644 index 00000000..1fd54b78 --- /dev/null +++ b/charts/spire/charts/spire-server/templates/k8s-workload-registrar-service.yaml @@ -0,0 +1,22 @@ +{{- if eq (.Values.k8sWorkloadRegistrar.enabled | toString) "true" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "spire-k8s-workload-registrar.fullname" . }} + namespace: {{ .Release.Namespace }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "spire-server.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - name: https + port: 443 + targetPort: k8s-registrar + protocol: TCP + selector: + {{- include "spire-server.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index 3904a9d2..c9b81f7a 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml 
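Review bot: The new registrar Service reuses `.Values.service.type` and `.Values.service.annotations`, which belong to the spire-server Service; an operator who sets `service.type: LoadBalancer` or `NodePort` to publish the SPIRE server endpoint would publish the registrar's port (443 → `k8s-registrar`) the same way, and cloud load-balancer annotations meant for the server would be copied onto it. If this port is the admission webhook that only the kube-apiserver calls from inside the cluster, `type: ClusterIP` is the safe fixed choice, or give it its own value (a new `k8sWorkloadRegistrar.service.type`, default `ClusterIP`) rather than inheriting the server's. Minor style point: annotations are rendered with `nindent 8` while labels use `nindent 4`; both parse, but 4 is the consistent depth under `metadata:`.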
+++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -85,6 +85,10 @@ spec: args: - -config - /run/spire/k8s-workload-registrar/config/workload-registrar.conf + ports: + - name: k8s-registrar + containerPort: 9443 + protocol: TCP resources: {{- toYaml .Values.k8sWorkloadRegistrar.resources | nindent 12 }} volumeMounts: From fc6bb77354fb566469cbf0c771149db7ab6592aa Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 17 Jan 2023 11:54:55 +0100 Subject: [PATCH 4/7] Use correct helper function for upstream-ca-secret Signed-off-by: Marco Franssen --- charts/spire/charts/spire-server/templates/_helpers.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index 726f40ed..e7124d69 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl @@ -78,9 +78,9 @@ Create the name of the service account to use {{- $root := . }} {{- with .Values.upstreamAuthority.disk -}} {{- if eq (.secret.create | toString) "true" -}} -{{ include "spire.fullname" $root }}-upstream-ca +{{ include "spire-server.fullname" $root }}-upstream-ca {{- else -}} -{{ default (include "spire.fullname" $root) .secret.name }} +{{ default (include "spire-server.fullname" $root) .secret.name }} {{- end -}} {{- end -}} {{- end }} From 0644253595c8c2979ac5a494f2b7b3db98bbfb97 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 17 Jan 2023 11:55:44 +0100 Subject: [PATCH 5/7] Bump SPIRE Helm chart to 0.10.2 Signed-off-by: Marco Franssen --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index db85d9c4..8bcbaabd 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml 
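Review bot: `containerPort: 9443` is hard-coded while the registrar's listen address is rendered into `workload-registrar.conf` from values outside this diff; the port name `k8s-registrar` is what the new Service targets, so a mismatch would leave the Service pointing at a closed port with no render-time error. Either derive the port from the same value the configmap uses, or at least add a comment above the stanza, `# must match the listener port configured in workload-registrar.conf`. The container this `ports:` stanza belongs to begins outside the hunk.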
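Review bot: Switching the helper from `spire.fullname` to `spire-server.fullname` changes the rendered upstream CA secret name for existing releases, assuming `spire.fullname` previously resolved to the parent chart's name; with `upstreamAuthority.disk.secret.create` false and no `secret.name` set, an upgraded server would reference a secret under the new default name that was never created. Worth stating in the chart's upgrade notes that operators relying on the old default should set `secret.name` explicitly before upgrading. The enclosing define starts outside the hunk.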
@@ -27,7 +27,7 @@ description: | - --service-account-signing-key-file=/run/config/pki/sa.key ``` type: application -version: 0.10.1 +version: 0.10.2 appVersion: "1.5.4" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"] home: https://github.com/philips-labs/helm-charts/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 76f12766..489c9557 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -2,7 +2,7 @@ -![Version: 0.10.1](https://img.shields.io/badge/Version-0.10.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.4](https://img.shields.io/badge/AppVersion-1.5.4-informational?style=flat-square) +![Version: 0.10.2](https://img.shields.io/badge/Version-0.10.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.4](https://img.shields.io/badge/AppVersion-1.5.4-informational?style=flat-square) A Helm chart for deploying spire-server and spire-agent. From c4c1113addd497945058719d56bea9ac8e26062f Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 17 Jan 2023 12:38:40 +0100 Subject: [PATCH 6/7] Fix agent connectivity if deployed with different name e.g. if deploying with spire-65de556ac Signed-off-by: Marco Franssen --- charts/spire/charts/spire-agent/README.md | 1 - charts/spire/charts/spire-agent/templates/_helpers.tpl | 4 ++++ charts/spire/charts/spire-agent/templates/configmap.yaml | 2 +- charts/spire/charts/spire-agent/templates/daemonset.yaml | 2 +- charts/spire/charts/spire-agent/values.yaml | 1 - charts/spire/charts/spire-server/templates/configmap.yaml | 2 +- 6 files changed, 7 insertions(+), 5 deletions(-) diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 1b44df87..07c3ef9a 100644 --- a/charts/spire/charts/spire-agent/README.md 
+++ b/charts/spire/charts/spire-agent/README.md @@ -25,7 +25,6 @@ A Helm chart to install the SPIRE agent. | podSecurityContext | object | `{}` | | | resources | object | `{}` | | | securityContext | object | `{}` | | -| server.host | string | `"spire-server"` | | | server.port | int | `8081` | | | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | diff --git a/charts/spire/charts/spire-agent/templates/_helpers.tpl b/charts/spire/charts/spire-agent/templates/_helpers.tpl index 5bb2ffe1..0a1db74d 100644 --- a/charts/spire/charts/spire-agent/templates/_helpers.tpl +++ b/charts/spire/charts/spire-agent/templates/_helpers.tpl @@ -72,3 +72,7 @@ Create the name of the service account to use {{- printf "%s/%s" .image.registry .image.repository -}} {{- end -}} {{- end }} + +{{- define "spire-server-service" -}} +{{ include "spire-agent.fullname" . | trimSuffix "-agent" }}-server +{{- end }} diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 54b2dfad..b7a8111b 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -8,7 +8,7 @@ data: agent { data_dir = "/run/spire" log_level = {{ .Values.logLevel | quote }} - server_address = {{ .Values.server.host | quote }} + server_address = {{ (include "spire-server-service" .) | quote }} server_port = {{ .Values.server.port | quote }} socket_path = {{ .Values.socketPath | quote }} trust_bundle_path = "/run/spire/bundle/bundle.crt" diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 06146907..248e8249 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml 
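Review bot: Removing `server.host` leaves no way to point an agent at a SPIRE server that is not in the same release and namespace; the daemonset hunk on the next line, the values.yaml deletion, and the patch 7 rewrite of this same configmap line share the issue, since `server_address` becomes a bare service name that only resolves inside the agent's namespace. Keeping the value as an optional override preserves the fix for renamed releases without dropping the remote-server case: `server_address = {{ default (printf "%s-server" .Release.Name) .Values.server.host | quote }}` here, and the same expression for the `-h` argument in daemonset.yaml. The `agent { … }` block closes outside the hunk.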
@@ -35,7 +35,7 @@ spec: # from https://github.com/vishnubob/wait-for-it image: {{ template "spire-agent.image" .Values.waitForIt }} imagePullPolicy: {{ .Values.waitForIt.image.pullPolicy }} - args: ["-t", "30", "-h", {{ .Values.server.host | quote }}, "-p", {{ .Values.server.port | quote }}] + args: ["-t", "30", "-h", "{{ .Release.Name }}-server", "-p", {{ .Values.server.port | quote }}] resources: {{- toYaml .Values.waitForIt.resources | nindent 12 }} containers: diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 31299ba9..e6367789 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -60,7 +60,6 @@ trustDomain: example.org bundleConfigMap: spire-bundle server: - host: spire-server port: 8081 waitForIt: diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index 1b691483..52de7513 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -40,7 +40,7 @@ data: plugin_data { clusters = { {{ .Values.clusterName | quote }} = { - service_account_allow_list = ["{{ .Release.Namespace }}:spire-agent"] + service_account_allow_list = ["{{ .Release.Namespace }}:{{ .Release.Name }}-agent"] } } } From ce0ef370aa6d9bd2b6dae42e99eab501efd75ef4 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 17 Jan 2023 12:47:38 +0100 Subject: [PATCH 7/7] Fix RBAC permissions k8s-workload-registrar Signed-off-by: Marco Franssen --- charts/spire/charts/spire-agent/templates/_helpers.tpl | 4 ---- charts/spire/charts/spire-agent/templates/configmap.yaml | 2 +- .../spire-server/templates/k8s-workload-registrar-roles.yaml | 3 +++ 3 files changed, 4 insertions(+), 5 deletions(-) 
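Review bot: `service_account_allow_list` is now derived from `.Release.Name`, so it only matches when the agent subchart's service account is literally `<release>-agent`; an agent deployed with `serviceAccount.name` or `fullnameOverride` set would presumably fall outside the k8s_psat allow list and node attestation would fail closed, with the cause visible only in server logs. Including the agent chart's helper from here would render against the server's `.Values`, so consider exposing the allowed account as a value with this as the default, e.g. `{{ default (printf "%s-agent" .Release.Name) .Values.agentServiceAccountName }}` (`agentServiceAccountName` is a proposed new key), and documenting that it must track the agent's service account. The `plugin_data { … }` block is cut at both hunk edges.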
diff --git a/charts/spire/charts/spire-agent/templates/_helpers.tpl b/charts/spire/charts/spire-agent/templates/_helpers.tpl index 0a1db74d..5bb2ffe1 100644 --- a/charts/spire/charts/spire-agent/templates/_helpers.tpl +++ b/charts/spire/charts/spire-agent/templates/_helpers.tpl @@ -72,7 +72,3 @@ Create the name of the service account to use {{- printf "%s/%s" .image.registry .image.repository -}} {{- end -}} {{- end }} - -{{- define "spire-server-service" -}} -{{ include "spire-agent.fullname" . | trimSuffix "-agent" }}-server -{{- end }} diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index b7a8111b..0f2fc85c 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -8,7 +8,7 @@ data: agent { data_dir = "/run/spire" log_level = {{ .Values.logLevel | quote }} - server_address = {{ (include "spire-server-service" .) | quote }} + server_address = "{{ .Release.Name }}-server" server_port = {{ .Values.server.port | quote }} socket_path = {{ .Values.socketPath | quote }} trust_bundle_path = "/run/spire/bundle/bundle.crt" diff --git a/charts/spire/charts/spire-server/templates/k8s-workload-registrar-roles.yaml b/charts/spire/charts/spire-server/templates/k8s-workload-registrar-roles.yaml index e4022f36..ec35eabe 100644 --- a/charts/spire/charts/spire-server/templates/k8s-workload-registrar-roles.yaml +++ b/charts/spire/charts/spire-server/templates/k8s-workload-registrar-roles.yaml @@ -39,6 +39,9 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["create"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding
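Review bot: The new leases rule grants all seven verbs on every Lease in the namespace with no `resourceNames` restriction, which is broader than lease-based leader election needs; if the registrar uses the lease only for leader election, `get`, `create` and `update` are usually sufficient and `delete`, `patch`, `list` and `watch` could be dropped, though this should be confirmed against the registrar's actual leader-election client. The rule is correctly placed in the namespaced Role rather than the ClusterRole, which keeps its reach to the release namespace. A comment naming the purpose, `# lease-based leader election for the registrar`, would help future reviewers judge the verb list.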