From 0f84f81bfd5f5af5341573d8713b4ef94c92986a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Volkan=20O=CC=88zc=CC=A7elik?=
Date: Sun, 5 May 2024 07:46:39 -0700
Subject: [PATCH] manifest update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Volkan Özçelik
---
k8s/0.25.2/spire.yaml | 341 +++++++++++++++++++++--------------------
1 file changed, 172 insertions(+), 169 deletions(-)
diff --git a/k8s/0.25.2/spire.yaml b/k8s/0.25.2/spire.yaml
index 8ab4ece0..9c4317eb 100644
--- a/k8s/0.25.2/spire.yaml
+++ b/k8s/0.25.2/spire.yaml
@@ -621,175 +621,6 @@ spec:
 selector:
 app: spire-server
 ---
-# Source: vsecm/charts/spire/templates/spire-agent-daemonset.yaml
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: spire-agent
- namespace: spire-system
- labels:
- app: spire-agent
-spec:
- selector:
- matchLabels:
- app: spire-agent
- updateStrategy:
- type: RollingUpdate
- template:
- metadata:
- namespace: spire-system
- labels:
- app: spire-agent
- spec:
- hostPID: true
- hostNetwork: true
- dnsPolicy: ClusterFirstWithHostNet
- serviceAccountName: spire-agent
- priorityClassName: system-node-critical
- containers:
- - name: spire-agent
- image: ghcr.io/spiffe/spire-agent:1.9.4
- imagePullPolicy: IfNotPresent
- args: ["-config", "/run/spire/config/agent.conf"]
- resources:
- requests:
- memory: 512Mi
- cpu: 50m
-
- ports:
- - containerPort: 9982
- name: healthz
- livenessProbe:
- httpGet:
- path: /live
- port: healthz
- initialDelaySeconds: 15
- periodSeconds: 60
- readinessProbe:
- httpGet:
- path: /ready
- port: healthz
- initialDelaySeconds: 10
- periodSeconds: 30
-
- volumeMounts:
- - name: spire-config
- mountPath: /run/spire/config
- readOnly: true
- - name: spire-bundle
- mountPath: /run/spire/bundle
- readOnly: true
- - name: spire-token
- mountPath: /var/run/secrets/tokens
- - name: spire-agent-socket-dir
- mountPath: /run/spire/sockets
- # This is the container which runs the SPIFFE CSI driver.
- - name: spiffe-csi-driver
- image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6
- imagePullPolicy: IfNotPresent
- args: [
- "-workload-api-socket-dir", "/spire-agent-socket",
- "-csi-socket-path", "/spiffe-csi/csi.sock",
- ]
- resources:
- requests:
- memory: 128Mi
- cpu: 50m
- env:
- # The CSI driver needs a unique node ID. The node name can be
- # used for this purpose.
- - name: MY_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- volumeMounts:
- # The volume containing the SPIRE agent socket. The SPIFFE CSI
- # driver will mount this directory into containers.
- - mountPath: /spire-agent-socket
- name: spire-agent-socket-dir
- readOnly: true
- # The volume that will contain the CSI driver socket shared
- # with the kubelet and the driver registrar.
- - mountPath: /spiffe-csi
- name: spiffe-csi-socket-dir
- # The volume containing mount points for containers.
- - mountPath: /var/lib/kubelet/pods
- mountPropagation: Bidirectional
- name: mountpoint-dir
- securityContext:
- privileged: true
- # This container runs the CSI Node Driver Registrar which takes care
- # of all the little details required to register a CSI driver with
- # the kubelet.
- - name: node-driver-registrar
- image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
- imagePullPolicy: IfNotPresent
- args: [
- "-csi-address", "/spiffe-csi/csi.sock",
- "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock",
- ]
- volumeMounts:
- # The registrar needs access to the SPIFFE CSI driver socket
- - mountPath: /spiffe-csi
- name: spiffe-csi-socket-dir
- # The registrar needs access to the Kubelet plugin registration
- # directory
- - name: kubelet-plugin-registration-dir
- mountPath: /registration
- volumes:
- - name: spire-config
- configMap:
- name: spire-agent
- - name: spire-bundle
- configMap:
- name: spire-bundle
- - name: spire-token
- projected:
- sources:
- - serviceAccountToken:
- path: spire-agent
- expirationSeconds: 7200
- audience: spire-server
-
- # This volume is used to share the Workload API socket between the CSI
- # driver and SPIRE agent. Note, an emptyDir volume could also be used,
- # however, this can lead to broken bind mounts in the workload
- # containers if the agent pod is restarted (since the emptyDir
- # directory on the node that was mounted into workload containers by
- # the CSI driver belongs to the old pod instance and is no longer
- # valid).
- - name: spire-agent-socket-dir
- hostPath:
- path: /run/spire/sockets
- type: DirectoryOrCreate
-
- # This volume is where the socket for kubelet->driver communication lives
- - name: spiffe-csi-socket-dir
- hostPath:
- path: /var/lib/kubelet/plugins/csi.spiffe.io
- type: DirectoryOrCreate
- # This volume is where the SPIFFE CSI driver mounts volumes
- - name: mountpoint-dir
- hostPath:
- path: /var/lib/kubelet/pods
- type: Directory
- # This volume is where the node-driver-registrar registers the plugin
- # with kubelet
- - name: kubelet-plugin-registration-dir
- hostPath:
- path: /var/lib/kubelet/plugins_registry
- type: Directory
----
 # Source: vsecm/charts/spire/templates/spire-server-stateful-set.yaml
 # /*
 # | Protect your secrets, protect your sensitive data.
@@ -990,3 +821,175 @@ webhooks:
 operations: ["CREATE", "UPDATE"]
 resources: ["clusterstaticentries"]
 sideEffects: None
+---
+# Source: vsecm/charts/spire/templates/spire-agent-daemonset.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# / keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: spire-agent
+ namespace: spire-system
+ labels:
+ app: spire-agent
+ annotations:
+ helm.sh/hook: post-install
+ helm.sh/hook-delete-policy: hook-succeeded
+spec:
+ selector:
+ matchLabels:
+ app: spire-agent
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ namespace: spire-system
+ labels:
+ app: spire-agent
+ spec:
+ hostPID: true
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ serviceAccountName: spire-agent
+ priorityClassName: system-node-critical
+ containers:
+ - name: spire-agent
+ image: ghcr.io/spiffe/spire-agent:1.9.4
+ imagePullPolicy: IfNotPresent
+ args: ["-config", "/run/spire/config/agent.conf"]
+ resources:
+ requests:
+ memory: 512Mi
+ cpu: 50m
+
+ ports:
+ - containerPort: 9982
+ name: healthz
+ livenessProbe:
+ httpGet:
+ path: /live
+ port: healthz
+ initialDelaySeconds: 15
+ periodSeconds: 60
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: healthz
+ initialDelaySeconds: 10
+ periodSeconds: 30
+
+ volumeMounts:
+ - name: spire-config
+ mountPath: /run/spire/config
+ readOnly: true
+ - name: spire-bundle
+ mountPath: /run/spire/bundle
+ readOnly: true
+ - name: spire-token
+ mountPath: /var/run/secrets/tokens
+ - name: spire-agent-socket-dir
+ mountPath: /run/spire/sockets
+ # This is the container which runs the SPIFFE CSI driver.
+ - name: spiffe-csi-driver
+ image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6
+ imagePullPolicy: IfNotPresent
+ args: [
+ "-workload-api-socket-dir", "/spire-agent-socket",
+ "-csi-socket-path", "/spiffe-csi/csi.sock",
+ ]
+ resources:
+ requests:
+ memory: 128Mi
+ cpu: 50m
+ env:
+ # The CSI driver needs a unique node ID. The node name can be
+ # used for this purpose.
+ - name: MY_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumeMounts:
+ # The volume containing the SPIRE agent socket. The SPIFFE CSI
+ # driver will mount this directory into containers.
+ - mountPath: /spire-agent-socket
+ name: spire-agent-socket-dir
+ readOnly: true
+ # The volume that will contain the CSI driver socket shared
+ # with the kubelet and the driver registrar.
+ - mountPath: /spiffe-csi
+ name: spiffe-csi-socket-dir
+ # The volume containing mount points for containers.
+ - mountPath: /var/lib/kubelet/pods
+ mountPropagation: Bidirectional
+ name: mountpoint-dir
+ securityContext:
+ privileged: true
+ # This container runs the CSI Node Driver Registrar which takes care
+ # of all the little details required to register a CSI driver with
+ # the kubelet.
+ - name: node-driver-registrar
+ image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
+ imagePullPolicy: IfNotPresent
+ args: [
+ "-csi-address", "/spiffe-csi/csi.sock",
+ "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock",
+ ]
+ volumeMounts:
+ # The registrar needs access to the SPIFFE CSI driver socket
+ - mountPath: /spiffe-csi
+ name: spiffe-csi-socket-dir
+ # The registrar needs access to the Kubelet plugin registration
+ # directory
+ - name: kubelet-plugin-registration-dir
+ mountPath: /registration
+ volumes:
+ - name: spire-config
+ configMap:
+ name: spire-agent
+ - name: spire-bundle
+ configMap:
+ name: spire-bundle
+ - name: spire-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: spire-agent
+ expirationSeconds: 7200
+ audience: spire-server
+
+ # This volume is used to share the Workload API socket between the CSI
+ # driver and SPIRE agent. Note, an emptyDir volume could also be used,
+ # however, this can lead to broken bind mounts in the workload
+ # containers if the agent pod is restarted (since the emptyDir
+ # directory on the node that was mounted into workload containers by
+ # the CSI driver belongs to the old pod instance and is no longer
+ # valid).
+ - name: spire-agent-socket-dir
+ hostPath:
+ path: /run/spire/sockets
+ type: DirectoryOrCreate
+
+ # This volume is where the socket for kubelet->driver communication lives
+ - name: spiffe-csi-socket-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins/csi.spiffe.io
+ type: DirectoryOrCreate
+ # This volume is where the SPIFFE CSI driver mounts volumes
+ - name: mountpoint-dir
+ hostPath:
+ path: /var/lib/kubelet/pods
+ type: Directory
+ # This volume is where the node-driver-registrar registers the plugin
+ # with kubelet
+ - name: kubelet-plugin-registration-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins_registry
+ type: Directory
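Review bot: The `helm.sh/hook-delete-policy: hook-succeeded` annotation added under `metadata.annotations` of the spire-agent DaemonSet will, if this rendered manifest or the chart template it comes from is installed through Helm rather than plain `kubectl apply`, make Helm delete the DaemonSet as soon as the hook is considered done — and as far as I know Helm's hook wait only tracks Job and Pod resources to completion, treating any other kind as finished immediately — so the node agents and the SPIFFE CSI driver they host would be torn down right after install and no workload on the cluster could obtain an SVID. Hook resources are also managed outside the release lifecycle, and a `post-install`-only hook is not re-applied on `helm upgrade`, so the agent image and config would neither be updated with the chart nor removed by `helm uninstall`. If the intent is only to bring the agent up after the server, keep the DaemonSet an ordinary release resource and express the ordering elsewhere in the chart; at minimum drop `helm.sh/hook-delete-policy: hook-succeeded` and, if a hook is genuinely needed, change it to `helm.sh/hook: post-install,post-upgrade`. Under plain `kubectl apply` both annotations are inert and the DaemonSet behaves exactly as it did before the move.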