manifest update
Signed-off-by: Volkan Özçelik <[email protected]>
v0lkan committed May 5, 2024
1 parent 40a835a commit 0f84f81
Showing 1 changed file with 172 additions and 169 deletions.
341 changes: 172 additions & 169 deletions k8s/0.25.2/spire.yaml
Expand Up @@ -621,175 +621,6 @@ spec:
selector:
app: spire-server
---
# Source: vsecm/charts/spire/templates/spire-agent-daemonset.yaml
# /*
# | Protect your secrets, protect your sensitive data.
# : Explore VMware Secrets Manager docs at https://vsecm.com/
# </
# <>/ keep your secrets... secret
# >/
# <>/' Copyright 2023-present VMware Secrets Manager contributors.
# >/' SPDX-License-Identifier: BSD-2-Clause
# */

apiVersion: apps/v1
kind: DaemonSet
metadata:
name: spire-agent
namespace: spire-system
labels:
app: spire-agent
spec:
selector:
matchLabels:
app: spire-agent
updateStrategy:
type: RollingUpdate
template:
metadata:
namespace: spire-system
labels:
app: spire-agent
spec:
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: spire-agent
priorityClassName: system-node-critical
containers:
- name: spire-agent
image: ghcr.io/spiffe/spire-agent:1.9.4
imagePullPolicy: IfNotPresent
args: ["-config", "/run/spire/config/agent.conf"]
resources:
requests:
memory: 512Mi
cpu: 50m

ports:
- containerPort: 9982
name: healthz
livenessProbe:
httpGet:
path: /live
port: healthz
initialDelaySeconds: 15
periodSeconds: 60
readinessProbe:
httpGet:
path: /ready
port: healthz
initialDelaySeconds: 10
periodSeconds: 30

volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: spire-bundle
mountPath: /run/spire/bundle
readOnly: true
- name: spire-token
mountPath: /var/run/secrets/tokens
- name: spire-agent-socket-dir
mountPath: /run/spire/sockets
# This is the container which runs the SPIFFE CSI driver.
- name: spiffe-csi-driver
image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6
imagePullPolicy: IfNotPresent
args: [
"-workload-api-socket-dir", "/spire-agent-socket",
"-csi-socket-path", "/spiffe-csi/csi.sock",
]
resources:
requests:
memory: 128Mi
cpu: 50m
env:
# The CSI driver needs a unique node ID. The node name can be
# used for this purpose.
- name: MY_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
# The volume containing the SPIRE agent socket. The SPIFFE CSI
# driver will mount this directory into containers.
- mountPath: /spire-agent-socket
name: spire-agent-socket-dir
readOnly: true
# The volume that will contain the CSI driver socket shared
# with the kubelet and the driver registrar.
- mountPath: /spiffe-csi
name: spiffe-csi-socket-dir
# The volume containing mount points for containers.
- mountPath: /var/lib/kubelet/pods
mountPropagation: Bidirectional
name: mountpoint-dir
securityContext:
privileged: true
# This container runs the CSI Node Driver Registrar which takes care
# of all the little details required to register a CSI driver with
# the kubelet.
- name: node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
imagePullPolicy: IfNotPresent
args: [
"-csi-address", "/spiffe-csi/csi.sock",
"-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock",
]
volumeMounts:
# The registrar needs access to the SPIFFE CSI driver socket
- mountPath: /spiffe-csi
name: spiffe-csi-socket-dir
# The registrar needs access to the Kubelet plugin registration
# directory
- name: kubelet-plugin-registration-dir
mountPath: /registration
volumes:
- name: spire-config
configMap:
name: spire-agent
- name: spire-bundle
configMap:
name: spire-bundle
- name: spire-token
projected:
sources:
- serviceAccountToken:
path: spire-agent
expirationSeconds: 7200
audience: spire-server

# This volume is used to share the Workload API socket between the CSI
# driver and SPIRE agent. Note, an emptyDir volume could also be used,
# however, this can lead to broken bind mounts in the workload
# containers if the agent pod is restarted (since the emptyDir
# directory on the node that was mounted into workload containers by
# the CSI driver belongs to the old pod instance and is no longer
# valid).
- name: spire-agent-socket-dir
hostPath:
path: /run/spire/sockets
type: DirectoryOrCreate

# This volume is where the socket for kubelet->driver communication lives
- name: spiffe-csi-socket-dir
hostPath:
path: /var/lib/kubelet/plugins/csi.spiffe.io
type: DirectoryOrCreate
# This volume is where the SPIFFE CSI driver mounts volumes
- name: mountpoint-dir
hostPath:
path: /var/lib/kubelet/pods
type: Directory
# This volume is where the node-driver-registrar registers the plugin
# with kubelet
- name: kubelet-plugin-registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry
type: Directory
---
# Source: vsecm/charts/spire/templates/spire-server-stateful-set.yaml
# /*
# | Protect your secrets, protect your sensitive data.
Expand Down Expand Up @@ -990,3 +821,175 @@ webhooks:
operations: ["CREATE", "UPDATE"]
resources: ["clusterstaticentries"]
sideEffects: None
---
# Source: vsecm/charts/spire/templates/spire-agent-daemonset.yaml
# /*
# | Protect your secrets, protect your sensitive data.
# : Explore VMware Secrets Manager docs at https://vsecm.com/
# </
# <>/ keep your secrets... secret
# >/
# <>/' Copyright 2023-present VMware Secrets Manager contributors.
# >/' SPDX-License-Identifier: BSD-2-Clause
# */

apiVersion: apps/v1
kind: DaemonSet
metadata:
name: spire-agent
namespace: spire-system
labels:
app: spire-agent
annotations:
helm.sh/hook: post-install
helm.sh/hook-delete-policy: hook-succeeded
spec:
selector:
matchLabels:
app: spire-agent
updateStrategy:
type: RollingUpdate
template:
metadata:
namespace: spire-system
labels:
app: spire-agent
spec:
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: spire-agent
priorityClassName: system-node-critical
containers:
- name: spire-agent
image: ghcr.io/spiffe/spire-agent:1.9.4
imagePullPolicy: IfNotPresent
args: ["-config", "/run/spire/config/agent.conf"]
resources:
requests:
memory: 512Mi
cpu: 50m

ports:
- containerPort: 9982
name: healthz
livenessProbe:
httpGet:
path: /live
port: healthz
initialDelaySeconds: 15
periodSeconds: 60
readinessProbe:
httpGet:
path: /ready
port: healthz
initialDelaySeconds: 10
periodSeconds: 30

volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: spire-bundle
mountPath: /run/spire/bundle
readOnly: true
- name: spire-token
mountPath: /var/run/secrets/tokens
- name: spire-agent-socket-dir
mountPath: /run/spire/sockets
# This is the container which runs the SPIFFE CSI driver.
- name: spiffe-csi-driver
image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6
imagePullPolicy: IfNotPresent
args: [
"-workload-api-socket-dir", "/spire-agent-socket",
"-csi-socket-path", "/spiffe-csi/csi.sock",
]
resources:
requests:
memory: 128Mi
cpu: 50m
env:
# The CSI driver needs a unique node ID. The node name can be
# used for this purpose.
- name: MY_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
# The volume containing the SPIRE agent socket. The SPIFFE CSI
# driver will mount this directory into containers.
- mountPath: /spire-agent-socket
name: spire-agent-socket-dir
readOnly: true
# The volume that will contain the CSI driver socket shared
# with the kubelet and the driver registrar.
- mountPath: /spiffe-csi
name: spiffe-csi-socket-dir
# The volume containing mount points for containers.
- mountPath: /var/lib/kubelet/pods
mountPropagation: Bidirectional
name: mountpoint-dir
securityContext:
privileged: true
# This container runs the CSI Node Driver Registrar which takes care
# of all the little details required to register a CSI driver with
# the kubelet.
- name: node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
imagePullPolicy: IfNotPresent
args: [
"-csi-address", "/spiffe-csi/csi.sock",
"-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock",
]
volumeMounts:
# The registrar needs access to the SPIFFE CSI driver socket
- mountPath: /spiffe-csi
name: spiffe-csi-socket-dir
# The registrar needs access to the Kubelet plugin registration
# directory
- name: kubelet-plugin-registration-dir
mountPath: /registration
volumes:
- name: spire-config
configMap:
name: spire-agent
- name: spire-bundle
configMap:
name: spire-bundle
- name: spire-token
projected:
sources:
- serviceAccountToken:
path: spire-agent
expirationSeconds: 7200
audience: spire-server

# This volume is used to share the Workload API socket between the CSI
# driver and SPIRE agent. Note, an emptyDir volume could also be used,
# however, this can lead to broken bind mounts in the workload
# containers if the agent pod is restarted (since the emptyDir
# directory on the node that was mounted into workload containers by
# the CSI driver belongs to the old pod instance and is no longer
# valid).
- name: spire-agent-socket-dir
hostPath:
path: /run/spire/sockets
type: DirectoryOrCreate

# This volume is where the socket for kubelet->driver communication lives
- name: spiffe-csi-socket-dir
hostPath:
path: /var/lib/kubelet/plugins/csi.spiffe.io
type: DirectoryOrCreate
# This volume is where the SPIFFE CSI driver mounts volumes
- name: mountpoint-dir
hostPath:
path: /var/lib/kubelet/pods
type: Directory
# This volume is where the node-driver-registrar registers the plugin
# with kubelet
- name: kubelet-plugin-registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry
type: Directory
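Review bot: The `helm.sh/hook-delete-policy: hook-succeeded` annotation added to the re-located `spire-agent` DaemonSet (lines 214-216 of this section) is likely to delete the very workload it installs: Helm only waits for Job and Pod hook resources to finish, so a DaemonSet hook is, as far as I can tell, marked succeeded as soon as it is created and then removed by that policy, leaving nodes with no agent and no Workload API socket under `/run/spire/sockets` for the CSI driver to serve. Hook resources are also outside the release's managed object set, so a later `helm upgrade` that bumps `ghcr.io/spiffe/spire-agent:1.9.4` would not roll the agent and `helm uninstall` would not remove a hook that survived. If the intent is only to order the agent after the server, the DaemonSet should stay a regular release resource, i.e. drop the `annotations:` block; if it must remain a hook, use `helm.sh/hook-delete-policy: before-hook-creation` together with a `helm.sh/hook-weight` so the agent is kept after install. This is inferred from Helm's hook semantics rather than from the manifest itself, so please verify against the Helm version the chart targets.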
