diff --git a/Makefile b/Makefile index d48fdd11..c9e44865 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ ifdef VSECM_VERSION VERSION := $(VSECM_VERSION) else - VERSION := 0.26.0 + VERSION := 0.26.1 endif # Set deploySpire to false, if you want to use existing spire deployment diff --git a/dockerfiles/example/init-container.Dockerfile b/dockerfiles/example/init-container.Dockerfile index 0e6d9ad2..9c4bc40b 100644 --- a/dockerfiles/example/init-container.Dockerfile +++ b/dockerfiles/example/init-container.Dockerfile @@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o example \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/example/multiple-secrets.Dockerfile b/dockerfiles/example/multiple-secrets.Dockerfile index 2bff1980..808fdb0f 100644 --- a/dockerfiles/example/multiple-secrets.Dockerfile +++ b/dockerfiles/example/multiple-secrets.Dockerfile @@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/example/sdk-go.Dockerfile b/dockerfiles/example/sdk-go.Dockerfile index 8936facd..8bb2bf84 100644 --- a/dockerfiles/example/sdk-go.Dockerfile +++ b/dockerfiles/example/sdk-go.Dockerfile @@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o env \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/example/sidecar.Dockerfile b/dockerfiles/example/sidecar.Dockerfile index 42c254f4..8ece9ab7 100644 
--- a/dockerfiles/example/sidecar.Dockerfile +++ b/dockerfiles/example/sidecar.Dockerfile @@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o env \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/util/inspector.Dockerfile b/dockerfiles/util/inspector.Dockerfile index 14dea237..0b2d2422 100644 --- a/dockerfiles/util/inspector.Dockerfile +++ b/dockerfiles/util/inspector.Dockerfile @@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/util/keygen.Dockerfile b/dockerfiles/util/keygen.Dockerfile index f1987e15..daced58c 100644 --- a/dockerfiles/util/keygen.Dockerfile +++ b/dockerfiles/util/keygen.Dockerfile @@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-keygen \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/vsecm-ist-fips/init-container.Dockerfile b/dockerfiles/vsecm-ist-fips/init-container.Dockerfile index d066addf..f0db85eb 100644 --- a/dockerfiles/vsecm-ist-fips/init-container.Dockerfile +++ b/dockerfiles/vsecm-ist-fips/init-container.Dockerfile @@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a - # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION 
diff --git a/dockerfiles/vsecm-ist-fips/keystone.Dockerfile b/dockerfiles/vsecm-ist-fips/keystone.Dockerfile index 157b535e..3b3c7fdd 100644 --- a/dockerfiles/vsecm-ist-fips/keystone.Dockerfile +++ b/dockerfiles/vsecm-ist-fips/keystone.Dockerfile @@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a - # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/vsecm-ist-fips/safe.Dockerfile b/dockerfiles/vsecm-ist-fips/safe.Dockerfile index a7f819c3..ee51a62e 100644 --- a/dockerfiles/vsecm-ist-fips/safe.Dockerfile +++ b/dockerfiles/vsecm-ist-fips/safe.Dockerfile @@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a - # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile b/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile index ecc3b849..2d6b4792 100644 --- a/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile +++ b/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile @@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a - # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile b/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile index ade7929b..ca1343b7 100644 --- a/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile +++ b/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile 
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a - # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/vsecm-ist/init-container.Dockerfile b/dockerfiles/vsecm-ist/init-container.Dockerfile index 7acc9bc6..42280ea6 100644 --- a/dockerfiles/vsecm-ist/init-container.Dockerfile +++ b/dockerfiles/vsecm-ist/init-container.Dockerfile @@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-init-container \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/vsecm-ist/keystone.Dockerfile b/dockerfiles/vsecm-ist/keystone.Dockerfile index 5ef6f1c9..d5af8277 100644 --- a/dockerfiles/vsecm-ist/keystone.Dockerfile +++ b/dockerfiles/vsecm-ist/keystone.Dockerfile @@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-keystone \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/vsecm-ist/safe.Dockerfile b/dockerfiles/vsecm-ist/safe.Dockerfile index 3cef8603..bd5cf2bc 100644 --- a/dockerfiles/vsecm-ist/safe.Dockerfile +++ b/dockerfiles/vsecm-ist/safe.Dockerfile @@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-safe ./app/safe/cm # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION 
diff --git a/dockerfiles/vsecm-ist/sentinel.Dockerfile b/dockerfiles/vsecm-ist/sentinel.Dockerfile index 07bf2410..2c0d8056 100644 --- a/dockerfiles/vsecm-ist/sentinel.Dockerfile +++ b/dockerfiles/vsecm-ist/sentinel.Dockerfile @@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth ./app/sentinel/bac # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/dockerfiles/vsecm-ist/sidecar.Dockerfile b/dockerfiles/vsecm-ist/sidecar.Dockerfile index 8d42b989..bc6fdd41 100644 --- a/dockerfiles/vsecm-ist/sidecar.Dockerfile +++ b/dockerfiles/vsecm-ist/sidecar.Dockerfile @@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-sidecar ./app/side # generate clean, final image for end users FROM gcr.io/distroless/static-debian11 -ENV APP_VERSION="0.26.0" +ENV APP_VERSION="0.26.1" LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION diff --git a/docs/config.toml b/docs/config.toml index 97d3d852..bf5e53cb 100644 --- a/docs/config.toml +++ b/docs/config.toml @@ -22,4 +22,4 @@ smart_punctuation = true [extra] author = "VMware Secrets Manager Contributors" -version = "0.26.0" +version = "0.26.1" diff --git a/docs/content/timeline/changelog.md b/docs/content/timeline/changelog.md index 5b50d41f..f44174c6 100644 --- a/docs/content/timeline/changelog.md +++ b/docs/content/timeline/changelog.md @@ -17,7 +17,7 @@ weight = 11 TBD -## [0.26.0] - 2024-06-28 +## [0.26.1] - 2024-06-28 ### Added diff --git a/docs/content/timeline/roadmap.md b/docs/content/timeline/roadmap.md index f51c6cbc..51b5a855 100644 --- a/docs/content/timeline/roadmap.md +++ b/docs/content/timeline/roadmap.md 
@@ -242,7 +242,7 @@ We will create new iterations from it as the time gets closer. ## Closed Iterations -### VSecM v0.26.0 (*codename: Fornax*) +### VSecM v0.26.1 (*codename: Fornax*) **Apr 25, 2024 - May 22, 2024** @@ -252,7 +252,7 @@ We also introduced a lot of flexibility such as ability to use custom namespaces, trust domains, and regex-based SPIFFEID validation. [Here is a list of issues that are candidate for VSecM vFornax -](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.26.0-candidate+). +](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.26.1-candidate+). ### VSecM v0.25.0 (*codename: Eridanus*) diff --git a/examples/multiple_secrets/k8s-eks/Deployment.yaml b/examples/multiple_secrets/k8s-eks/Deployment.yaml index a1902514..de691368 100644 --- a/examples/multiple_secrets/k8s-eks/Deployment.yaml +++ b/examples/multiple_secrets/k8s-eks/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-multiple-secrets:0.26.0 + image: vsecm/example-multiple-secrets:0.26.1 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket diff --git a/examples/multiple_secrets/k8s-eks/image-override.yaml b/examples/multiple_secrets/k8s-eks/image-override.yaml index 1d580304..6fcd7f66 100644 --- a/examples/multiple_secrets/k8s-eks/image-override.yaml +++ b/examples/multiple_secrets/k8s-eks/image-override.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: main - image: public.ecr.aws/h8y1n7y7/example-multiple-secrets:0.26.0 + image: public.ecr.aws/h8y1n7y7/example-multiple-secrets:0.26.1 env: - name: VSECM_LOG_LEVEL value: "7" \ No newline at end of file diff --git a/examples/multiple_secrets/k8s/Deployment.yaml b/examples/multiple_secrets/k8s/Deployment.yaml index a1902514..de691368 100644 --- a/examples/multiple_secrets/k8s/Deployment.yaml +++ b/examples/multiple_secrets/k8s/Deployment.yaml 
@@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-multiple-secrets:0.26.0 + image: vsecm/example-multiple-secrets:0.26.1 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket diff --git a/examples/multiple_secrets/k8s/image-override.yaml b/examples/multiple_secrets/k8s/image-override.yaml index 0f2cf4d9..dddd8b82 100644 --- a/examples/multiple_secrets/k8s/image-override.yaml +++ b/examples/multiple_secrets/k8s/image-override.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: main - image: localhost:5000/example-multiple-secrets:0.26.0 + image: localhost:5000/example-multiple-secrets:0.26.1 env: - name: VSECM_LOG_LEVEL value: "7" \ No newline at end of file diff --git a/examples/operator_decrpyt_secrets/reveal.sh b/examples/operator_decrpyt_secrets/reveal.sh index 73ecc17a..91067fda 100644 --- a/examples/operator_decrpyt_secrets/reveal.sh +++ b/examples/operator_decrpyt_secrets/reveal.sh @@ -9,7 +9,7 @@ # <>/' Copyright 2023-present VMware Secrets Manager contributors. # >/' SPDX-License-Identifier: BSD-2-Clause # */ -VERSION="0.26.0" +VERSION="0.26.1" docker run --rm \ -v "$(pwd)":/vsecm \ diff --git a/examples/using_init_container/k8s-eks/Deployment.yaml b/examples/using_init_container/k8s-eks/Deployment.yaml index 14d8d253..52ff8407 100644 --- a/examples/using_init_container/k8s-eks/Deployment.yaml +++ b/examples/using_init_container/k8s-eks/Deployment.yaml @@ -28,13 +28,13 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-init-container:0.26.0 + image: vsecm/example-using-init-container:0.26.1 initContainers: # See `./register.sh` to register the workload and finalize # this init container. - name: init-container - image: vsecm/vsecm-ist-init-container:0.26.0 + image: vsecm/vsecm-ist-init-container:0.26.1 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket 
diff --git a/examples/using_init_container/k8s-eks/image-override.yaml b/examples/using_init_container/k8s-eks/image-override.yaml index 18270e26..4773b336 100644 --- a/examples/using_init_container/k8s-eks/image-override.yaml +++ b/examples/using_init_container/k8s-eks/image-override.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: main - image: public.ecr.aws/h8y1n7y7/example-using-init-container:0.26.0 + image: public.ecr.aws/h8y1n7y7/example-using-init-container:0.26.1 initContainers: - name: init-container - image: public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.26.0 + image: public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.26.1 diff --git a/examples/using_init_container/k8s/Deployment.yaml b/examples/using_init_container/k8s/Deployment.yaml index 14d8d253..52ff8407 100644 --- a/examples/using_init_container/k8s/Deployment.yaml +++ b/examples/using_init_container/k8s/Deployment.yaml @@ -28,13 +28,13 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-init-container:0.26.0 + image: vsecm/example-using-init-container:0.26.1 initContainers: # See `./register.sh` to register the workload and finalize # this init container. - name: init-container - image: vsecm/vsecm-ist-init-container:0.26.0 + image: vsecm/vsecm-ist-init-container:0.26.1 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket diff --git a/examples/using_init_container/k8s/image-override.yaml b/examples/using_init_container/k8s/image-override.yaml index d787da01..2d20729c 100644 --- a/examples/using_init_container/k8s/image-override.yaml +++ b/examples/using_init_container/k8s/image-override.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: main - image: localhost:5000/example-using-init-container:0.26.0 + image: localhost:5000/example-using-init-container:0.26.1 initContainers: - name: init-container - image: localhost:5000/vsecm-ist-init-container:0.26.0 + image: localhost:5000/vsecm-ist-init-container:0.26.1 
diff --git a/examples/using_sdk_go/k8s-eks/Deployment.yaml b/examples/using_sdk_go/k8s-eks/Deployment.yaml index 7812a531..c20ae6de 100644 --- a/examples/using_sdk_go/k8s-eks/Deployment.yaml +++ b/examples/using_sdk_go/k8s-eks/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-sdk-go:0.26.0 + image: vsecm/example-using-sdk-go:0.26.1 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket diff --git a/examples/using_sdk_go/k8s-eks/image-override.yaml b/examples/using_sdk_go/k8s-eks/image-override.yaml index 97ecb117..cecf022c 100644 --- a/examples/using_sdk_go/k8s-eks/image-override.yaml +++ b/examples/using_sdk_go/k8s-eks/image-override.yaml @@ -18,4 +18,4 @@ spec: spec: containers: - name: main - image: public.ecr.aws/h8y1n7y7/example-using-sdk-go:0.26.0 + image: public.ecr.aws/h8y1n7y7/example-using-sdk-go:0.26.1 diff --git a/examples/using_sdk_go/k8s/Deployment.yaml b/examples/using_sdk_go/k8s/Deployment.yaml index 7812a531..c20ae6de 100644 --- a/examples/using_sdk_go/k8s/Deployment.yaml +++ b/examples/using_sdk_go/k8s/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-sdk-go:0.26.0 + image: vsecm/example-using-sdk-go:0.26.1 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket diff --git a/examples/using_sdk_go/k8s/image-override.yaml b/examples/using_sdk_go/k8s/image-override.yaml index de6f991b..8721332a 100644 --- a/examples/using_sdk_go/k8s/image-override.yaml +++ b/examples/using_sdk_go/k8s/image-override.yaml @@ -18,4 +18,4 @@ spec: spec: containers: - name: main - image: localhost:5000/example-using-sdk-go:0.26.0 + image: localhost:5000/example-using-sdk-go:0.26.1 diff --git a/examples/using_sidecar/k8s-eks/Deployment.yaml b/examples/using_sidecar/k8s-eks/Deployment.yaml index 85c66877..59f1fdf3 100644 --- a/examples/using_sidecar/k8s-eks/Deployment.yaml 
+++ b/examples/using_sidecar/k8s-eks/Deployment.yaml @@ -28,13 +28,13 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-sidecar:0.26.0 + image: vsecm/example-using-sidecar:0.26.1 volumeMounts: # `main` shares this volume with `sidecar`. - mountPath: /opt/vsecm name: vsecm-secrets-volume - name: sidecar - image: vsecm/vsecm-ist-sidecar:0.26.0 + image: vsecm/vsecm-ist-sidecar:0.26.1 volumeMounts: # /opt/vsecm/secrets.json is the place the secrets will be at. - mountPath: /opt/vsecm diff --git a/examples/using_sidecar/k8s-eks/image-override.yaml b/examples/using_sidecar/k8s-eks/image-override.yaml index 42bc26a0..47304496 100644 --- a/examples/using_sidecar/k8s-eks/image-override.yaml +++ b/examples/using_sidecar/k8s-eks/image-override.yaml @@ -18,6 +18,6 @@ spec: spec: containers: - name: main - image: public.ecr.aws/h8y1n7y7/example-using-sidecar:0.26.0 + image: public.ecr.aws/h8y1n7y7/example-using-sidecar:0.26.1 - name: sidecar - image: public.ecr.aws/h8y1n7y7/vsecm-ist-sidecar:0.26.0 + image: public.ecr.aws/h8y1n7y7/vsecm-ist-sidecar:0.26.1 diff --git a/examples/using_sidecar/k8s/Deployment.yaml b/examples/using_sidecar/k8s/Deployment.yaml index 85c66877..59f1fdf3 100644 --- a/examples/using_sidecar/k8s/Deployment.yaml +++ b/examples/using_sidecar/k8s/Deployment.yaml @@ -28,13 +28,13 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-sidecar:0.26.0 + image: vsecm/example-using-sidecar:0.26.1 volumeMounts: # `main` shares this volume with `sidecar`. - mountPath: /opt/vsecm name: vsecm-secrets-volume - name: sidecar - image: vsecm/vsecm-ist-sidecar:0.26.0 + image: vsecm/vsecm-ist-sidecar:0.26.1 volumeMounts: # /opt/vsecm/secrets.json is the place the secrets will be at. - mountPath: /opt/vsecm diff --git a/examples/using_sidecar/k8s/image-override.yaml b/examples/using_sidecar/k8s/image-override.yaml index a51ba241..d9284f26 100644 --- a/examples/using_sidecar/k8s/image-override.yaml 
+++ b/examples/using_sidecar/k8s/image-override.yaml @@ -18,6 +18,6 @@ spec: spec: containers: - name: main - image: localhost:5000/example-using-sidecar:0.26.0 + image: localhost:5000/example-using-sidecar:0.26.1 - name: sidecar - image: localhost:5000/vsecm-ist-sidecar:0.26.0 + image: localhost:5000/vsecm-ist-sidecar:0.26.1 diff --git a/examples/using_vsecm_inspector/Deployment.yaml b/examples/using_vsecm_inspector/Deployment.yaml index 0cbc4093..de31023e 100644 --- a/examples/using_vsecm_inspector/Deployment.yaml +++ b/examples/using_vsecm_inspector/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: vsecm-inspector containers: - name: main - image: localhost:5000/vsecm-inspector:0.26.0 + image: localhost:5000/vsecm-inspector:0.26.1 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/examples/workshop_aegis/init-container/Deployment.yaml b/examples/workshop_aegis/init-container/Deployment.yaml index 2a91bf67..ef4adb2d 100644 --- a/examples/workshop_aegis/init-container/Deployment.yaml +++ b/examples/workshop_aegis/init-container/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-init-container:0.26.0 + image: vsecm/example-using-init-container:0.26.1 env: - name: SECRET valueFrom: @@ -50,7 +50,7 @@ spec: # See `./register.sh` to register the workload and finalize # this init container. - name: init-container - image: vsecm/vsecm-ist-init-container:0.26.0 + image: vsecm/vsecm-ist-init-container:0.26.1 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket diff --git a/examples/workshop_aegis/init-container/image-override.yaml b/examples/workshop_aegis/init-container/image-override.yaml index d787da01..2d20729c 100644 --- a/examples/workshop_aegis/init-container/image-override.yaml +++ b/examples/workshop_aegis/init-container/image-override.yaml 
@@ -18,7 +18,7 @@ spec: spec: containers: - name: main - image: localhost:5000/example-using-init-container:0.26.0 + image: localhost:5000/example-using-init-container:0.26.1 initContainers: - name: init-container - image: localhost:5000/vsecm-ist-init-container:0.26.0 + image: localhost:5000/vsecm-ist-init-container:0.26.1 diff --git a/examples/workshop_aegis/inspector/Deployment.yaml b/examples/workshop_aegis/inspector/Deployment.yaml index 566c42e8..9ec12f3d 100644 --- a/examples/workshop_aegis/inspector/Deployment.yaml +++ b/examples/workshop_aegis/inspector/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: vsecm-inspector containers: - name: main - image: vsecm/example-multiple-secrets:0.26.0 + image: vsecm/example-multiple-secrets:0.26.1 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket diff --git a/examples/workshop_aegis/inspector/image-override.yaml b/examples/workshop_aegis/inspector/image-override.yaml index dbd6e878..91492db5 100644 --- a/examples/workshop_aegis/inspector/image-override.yaml +++ b/examples/workshop_aegis/inspector/image-override.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: main - image: localhost:5000/example-multiple-secrets:0.26.0 + image: localhost:5000/example-multiple-secrets:0.26.1 env: - name: VSECM_LOG_LEVEL value: "7" \ No newline at end of file diff --git a/examples/workshop_aegis/sdk/Deployment.yaml b/examples/workshop_aegis/sdk/Deployment.yaml index 7812a531..c20ae6de 100644 --- a/examples/workshop_aegis/sdk/Deployment.yaml +++ b/examples/workshop_aegis/sdk/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-sdk-go:0.26.0 + image: vsecm/example-using-sdk-go:0.26.1 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket diff --git a/examples/workshop_aegis/sdk/image-override.yaml b/examples/workshop_aegis/sdk/image-override.yaml index 03869f62..5707664f 100644 
--- a/examples/workshop_aegis/sdk/image-override.yaml +++ b/examples/workshop_aegis/sdk/image-override.yaml @@ -18,4 +18,4 @@ spec: spec: containers: - name: main - image: localhost:5000/example-using-sdk:0.26.0 + image: localhost:5000/example-using-sdk:0.26.1 diff --git a/examples/workshop_aegis/sidecar/Deployment.yaml b/examples/workshop_aegis/sidecar/Deployment.yaml index 95255537..7deb40dd 100644 --- a/examples/workshop_aegis/sidecar/Deployment.yaml +++ b/examples/workshop_aegis/sidecar/Deployment.yaml @@ -28,13 +28,13 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-sidecar:0.26.0 + image: vsecm/example-using-sidecar:0.26.1 volumeMounts: # `main` shares this volume with `sidecar`. - mountPath: /opt/vsecm name: vsecm-secrets-volume - name: sidecar - image: vsecm/vsecm-ist-sidecar:0.26.0 + image: vsecm/vsecm-ist-sidecar:0.26.1 volumeMounts: # /opt/vsecm/secrets.json is the place the secrets will be at. - mountPath: /opt/vsecm diff --git a/examples/workshop_aegis/sidecar/image-override.yaml b/examples/workshop_aegis/sidecar/image-override.yaml index a51ba241..d9284f26 100644 --- a/examples/workshop_aegis/sidecar/image-override.yaml +++ b/examples/workshop_aegis/sidecar/image-override.yaml @@ -18,6 +18,6 @@ spec: spec: containers: - name: main - image: localhost:5000/example-using-sidecar:0.26.0 + image: localhost:5000/example-using-sidecar:0.26.1 - name: sidecar - image: localhost:5000/vsecm-ist-sidecar:0.26.0 + image: localhost:5000/vsecm-ist-sidecar:0.26.1 diff --git a/examples/workshop_federation/cluster-1/inspector/Deployment.yaml b/examples/workshop_federation/cluster-1/inspector/Deployment.yaml index 1dcb96bf..327b7947 100644 --- a/examples/workshop_federation/cluster-1/inspector/Deployment.yaml +++ b/examples/workshop_federation/cluster-1/inspector/Deployment.yaml 
@@ -28,7 +28,7 @@ spec: serviceAccountName: vsecm-inspector containers: - name: main - image: localhost:32000/example-multiple-secrets:0.26.0 + image: localhost:32000/example-multiple-secrets:0.26.1 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml b/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml index 60245a6b..a0dd80d5 100644 --- a/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml +++ b/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml @@ -31,7 +31,7 @@ spec: serviceAccountName: vsecm-sentinel containers: - name: main - image: localhost:32000/vsecm-ist-sentinel:0.26.0 + image: localhost:32000/vsecm-ist-sentinel:0.26.1 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/examples/workshop_federation/cluster-2/safe/Deployment.yaml b/examples/workshop_federation/cluster-2/safe/Deployment.yaml index c323230e..57a57a81 100644 --- a/examples/workshop_federation/cluster-2/safe/Deployment.yaml +++ b/examples/workshop_federation/cluster-2/safe/Deployment.yaml @@ -31,7 +31,7 @@ spec: serviceAccountName: vsecm-safe containers: - name: main - image: localhost:32000/vsecm-ist-safe:0.26.0 + image: localhost:32000/vsecm-ist-safe:0.26.1 ports: - containerPort: 8443 volumeMounts: diff --git a/examples/workshop_istanbul_gophers/k8s/Deployment.yaml b/examples/workshop_istanbul_gophers/k8s/Deployment.yaml index 0cbc4093..de31023e 100644 --- a/examples/workshop_istanbul_gophers/k8s/Deployment.yaml +++ b/examples/workshop_istanbul_gophers/k8s/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: vsecm-inspector containers: - name: main - image: localhost:5000/vsecm-inspector:0.26.0 + image: localhost:5000/vsecm-inspector:0.26.1 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket 
diff --git a/examples/workshop_vsecm/hack/015-reveal-secrets.sh b/examples/workshop_vsecm/hack/015-reveal-secrets.sh index d263826f..11dde923 100644 --- a/examples/workshop_vsecm/hack/015-reveal-secrets.sh +++ b/examples/workshop_vsecm/hack/015-reveal-secrets.sh @@ -10,7 +10,7 @@ # >/' SPDX-License-Identifier: BSD-2-Clause # */ -VERSION="0.26.0" +VERSION="0.26.1" eval "$(minikube docker-env -u)" diff --git a/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml b/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml index 6ba66049..f6fb1bb3 100644 --- a/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml +++ b/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-init-container:0.26.0 + image: vsecm/example-using-init-container:0.26.1 env: - name: SECRET valueFrom: @@ -53,7 +53,7 @@ spec: initContainers: - name: init-container - image: vsecm/vsecm-ist-init-container:0.26.0 + image: vsecm/vsecm-ist-init-container:0.26.1 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/examples/workshop_vsecm/workloads/inspector/Deployment.yaml b/examples/workshop_vsecm/workloads/inspector/Deployment.yaml index 8488a8e9..1f6ba8db 100644 --- a/examples/workshop_vsecm/workloads/inspector/Deployment.yaml +++ b/examples/workshop_vsecm/workloads/inspector/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: vsecm-inspector containers: - name: main - image: vsecm/example-multiple-secrets:0.26.0 + image: vsecm/example-multiple-secrets:0.26.1 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml b/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml index ebc55d55..c55ca79e 100644 --- a/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml 
+++ b/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml @@ -21,7 +21,7 @@ spec: spec: initContainers: - name: init-container - image: vsecm/vsecm-ist-init-container:0.26.0 + image: vsecm/vsecm-ist-init-container:0.26.1 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/hack/create-custom-manifest.sh b/hack/create-custom-manifest.sh index a7fa2688..5bf4d806 100755 --- a/hack/create-custom-manifest.sh +++ b/hack/create-custom-manifest.sh @@ -10,5 +10,5 @@ # >/' SPDX-License-Identifier: BSD-2-Clause # */ -cp ./helm-charts/0.26.0/values-custom.yaml ./helm-charts/0.26.0/values.yaml -make k8s-manifests-update VERSION=0.26.0 +cp ./helm-charts/0.26.1/values-custom.yaml ./helm-charts/0.26.1/values.yaml +make k8s-manifests-update VERSION=0.26.1 diff --git a/hack/tag-docker.sh b/hack/tag-docker.sh index 82094a37..46a6670d 100755 --- a/hack/tag-docker.sh +++ b/hack/tag-docker.sh @@ -15,7 +15,7 @@ # and we should not need to pull the images and sign them again. # So we'd rarely (if ever) need to use this script. -VERSION="0.26.0" +VERSION="0.26.1" export DOCKER_CONTENT_TRUST=0 diff --git a/helm-charts-playground/README.md b/helm-charts-playground/README.md new file mode 100644 index 00000000..2057cb5a --- /dev/null +++ b/helm-charts-playground/README.md 
@@ -0,0 +1,26 @@
+```text
+| Protect your secrets, protect your sensitive data.
+: Explore VMware Secrets Manager docs at https://vsecm.com/
+/ keep your secrets... secret
+```
+
+## About
+
+This is a temporary folder aimed as a playground to align the behavior of
+the official SPIFFE `helm-charts-hardened` SPIRE helm charts with the
+VMware Secrets Manager-managed SPIRE helm charts.
+
+Once we establish the alignment, we will delete this folder.
+
+## To Do
+
+- Create a script to parse `k8s/$version/spire.yaml` and `k8s/$version/crds/*`
+ to create `vsecm-manifests/spire/*` files automatically. This will make
+ diffing easier and reduce human errors.
+- Do the same for the generated `spire-manifests.openshift.yaml` and
+ `spire-manifefest-no-openshift.yaml` files.
+- Create issues based on the delta you find between the two sets of manifests.
+- We may decide to keep this folder, since it's a good way to keep track of
+ the changes we make to the official SPIFFE helm charts.
+
diff --git a/helm-charts-playground/create-manifests-no-openshift.sh b/helm-charts-playground/create-manifests-no-openshift.sh
new file mode 100755
index 00000000..b9b58fe6
--- /dev/null
+++ b/helm-charts-playground/create-manifests-no-openshift.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+helm template -n spire-server spire-crds spire-crds \
+ --repo https://spiffe.github.io/helm-charts-hardened/ \
+ -f values-no-openshift.yaml \
+ --create-namespace > spire-crds-manifest-no-openshift.yaml
+
+helm template -n spire-server spire spire \
+ --repo https://spiffe.github.io/helm-charts-hardened/ \
+ -f values-no-openshift.yaml \
+ --create-namespace > spire-manifest-no-openshift.yaml
diff --git a/helm-charts-playground/create-manifests.sh b/helm-charts-playground/create-manifests.sh
new file mode 100755
index 00000000..f719bf63
--- /dev/null
+++ b/helm-charts-playground/create-manifests.sh
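Review bot: Both `helm template` invocations in this hunk fetch the chart from `--repo https://spiffe.github.io/helm-charts-hardened/` with no `--version`, so every run renders whatever the newest published `spire-crds`/`spire` chart is at that moment; the generated manifests are not reproducible, and the diff against the VSecM-managed manifests can change with no local edit. Pin the chart explicitly, e.g. `SPIRE_CHART_VERSION="${SPIRE_CHART_VERSION:?chart version required}"` near the top and `--version "$SPIRE_CHART_VERSION" \` on both commands, and record the pinned version alongside the generated files so reviewers know which upstream release they are diffing against. The same applies to `create-manifests.sh` in the next hunk. Separately, the `>` redirection truncates `spire-crds-manifest-no-openshift.yaml` before helm starts, so under `set -e` a failed render exits leaving an empty file where the previous manifest was; rendering to a `.tmp` file and `mv`-ing it into place only on success avoids that.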
@@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +set -e + +helm template -n spire-server spire-crds spire-crds \ + --repo https://spiffe.github.io/helm-charts-hardened/ \ + -f values.yaml \ + --create-namespace > spire-crds-manifest.yaml + +helm template -n spire-server spire spire \ + --repo https://spiffe.github.io/helm-charts-hardened/ \ + -f values.yaml \ + --create-namespace > spire-manifest.yaml diff --git a/helm-charts-playground/helm-charts-manifests/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/helm-charts-playground/helm-charts-manifests/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml new file mode 100644 index 00000000..15802257 --- /dev/null +++ b/helm-charts-playground/helm-charts-manifests/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml 
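Review bot: The chart is fetched from `--repo https://spiffe.github.io/helm-charts-hardened/` with no `--version` on either `helm template` call, so the output of this script drifts with upstream releases and the committed `spire-crds-manifest.yaml` / `spire-manifest.yaml` are not reproducible; add `--version <chart-version>` to both calls, matching the version the committed manifests were rendered from. `set -e` should be `set -euo pipefail` so a typo in a variable or a failing stage in a future pipe does not silently produce a partial manifest. Note also that a regenerated manifest silently changes the namespace pod-security labels and RBAC that the rest of this playground is meant to track, so an unpinned render can mask exactly the deltas the README says this folder exists to surface.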
@@ -0,0 +1,340 @@ +# Source: spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterfederatedtrustdomains.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterFederatedTrustDomain + listKind: ClusterFederatedTrustDomainList + plural: clusterfederatedtrustdomains + singular: clusterfederatedtrustdomain + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trustDomain + name: Trust Domain + type: string + - jsonPath: .spec.bundleEndpointURL + name: Endpoint URL + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterFederatedTrustDomainSpec defines the desired state + of ClusterFederatedTrustDomain + properties: + bundleEndpointProfile: + description: BundleEndpointProfile is the profile for the bundle endpoint. + properties: + endpointSPIFFEID: + description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. 
+ It is required for the "https_spiffe" profile. + type: string + type: + description: Type is the type of the bundle endpoint profile. + enum: + - https_spiffe + - https_web + type: string + required: + - type + type: object + bundleEndpointURL: + description: BundleEndpointURL is the URL of the bundle endpoint. + It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). + type: string + className: + description: Set the class of controller to handle this object. + type: string + trustDomain: + description: TrustDomain is the name of the trust domain to federate + with (e.g. example.org) + pattern: '[a-z0-9._-]{1,255}' + type: string + trustDomainBundle: + description: TrustDomainBundle is the contents of the bundle for the + referenced trust domain. This field is optional when the resource + is created. + type: string + required: + - bundleEndpointProfile + - bundleEndpointURL + - trustDomain + type: object + status: + description: ClusterFederatedTrustDomainStatus defines the observed state + of ClusterFederatedTrustDomain + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +# Source: spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterspiffeids.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterSPIFFEID + listKind: ClusterSPIFFEIDList + plural: clusterspiffeids + singular: clusterspiffeid + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSPIFFEID is the Schema for the clusterspiffeids API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID + properties: + admin: + description: Admin indicates whether or not the SVID can be used to + access the SPIRE administrative APIs. Extra care should be taken + to only apply this SPIFFE ID to admin workloads. + type: boolean + autoPopulateDNSNames: + description: AutoPopulateDNSNames indicates whether or not to auto + populate service DNS names. + type: boolean + dnsNameTemplates: + description: DNSNameTemplate represents templates for extra DNS names + that are applicable to SVIDs minted for this ClusterSPIFFEID. The + node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + downstream: + description: Downstream indicates that the entry describes a downstream + SPIRE server. + type: boolean + className: + description: Set the class of controller to handle this object. + type: string + federatesWith: + description: FederatesWith is a list of trust domain names that workloads + that obtain this SPIFFE ID will federate with. + items: + type: string + type: array + jwtTtl: + description: JWTTTL indicates an upper-bound time-to-live for JWT + SVIDs minted for this ClusterSPIFFEID. + type: string + namespaceSelector: + description: NamespaceSelector selects the namespaces that are targeted + by this CRD. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: PodSelector selects the pods that are targeted by this + CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + spiffeIDTemplate: + description: SPIFFEID is the SPIFFE ID template. The node and pod + spec are made available to the template under .NodeSpec, .PodSpec + respectively. + type: string + ttl: + description: TTL indicates an upper-bound time-to-live for X509 SVIDs + minted for this ClusterSPIFFEID. If unset, a default will be chosen. + type: string + workloadSelectorTemplates: + description: WorkloadSelectorTemplates are templates to produce arbitrary + workload selectors that apply to a given workload before it will + receive this SPIFFE ID. The rendered value is interpreted by SPIRE + and are of the form type:value, where the value may, and often does, + contain semicolons, .e.g., k8s:container-image:docker/hello-world + The node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + required: + - spiffeIDTemplate + type: object + status: + description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID + properties: + stats: + description: Stats produced by the last entry reconciliation run + properties: + entriesMasked: + description: How many entries were masked by entries for other + ClusterSPIFFEIDs. 
This happens when one or more ClusterSPIFFEIDs + produce an entry for the same pod with the same set of workload + selectors. + type: integer + entriesToSet: + description: How many entries are to be set for this ClusterSPIFFEID. + In nominal conditions, this should reflect the number of pods + selected, but not always if there were problems encountered + rendering an entry for the pod (RenderFailures) or entries are + masked (EntriesMasked). + type: integer + entryFailures: + description: How many entries were unable to be set due to failures + to create or update the entries via the SPIRE Server API. + type: integer + namespacesIgnored: + description: How many (selected) namespaces were ignored (based + on configuration). + type: integer + namespacesSelected: + description: How many namespaces were selected. + type: integer + podEntryRenderFailures: + description: How many failures were encountered rendering an entry + selected pods. This could be due to either a bad template in + the ClusterSPIFFEID or Pod metadata that when applied to the + template did not produce valid entry values. + type: integer + podsSelected: + description: How many pods were selected out of the namespaces. + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/helm-charts-playground/helm-charts-manifests/crds/spire.spiffe.io_clusterstaticentries.yaml b/helm-charts-playground/helm-charts-manifests/crds/spire.spiffe.io_clusterstaticentries.yaml new file mode 100644 index 00000000..c19df220 --- /dev/null +++ b/helm-charts-playground/helm-charts-manifests/crds/spire.spiffe.io_clusterstaticentries.yaml 
@@ -0,0 +1,103 @@ +# Source: spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterstaticentries.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterStaticEntry + listKind: ClusterStaticEntryList + plural: clusterstaticentries + singular: clusterstaticentry + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterStaticEntry is the Schema for the clusterstaticentries + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry + properties: + admin: + type: boolean + className: + description: Set the class of controller to handle this object. 
+ type: string + dnsNames: + items: + type: string + type: array + downstream: + type: boolean + federatesWith: + items: + type: string + type: array + hint: + type: string + jwtSVIDTTL: + type: string + parentID: + type: string + selectors: + items: + type: string + type: array + spiffeID: + type: string + storeSVID: + type: boolean + x509SVIDTTL: + type: string + required: + - parentID + - selectors + - spiffeID + type: object + status: + description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry + properties: + masked: + description: If the static entry was masked by another entry. + type: boolean + rendered: + description: If the static entry rendered properly. + type: boolean + set: + description: If the static entry was successfully created/updated. + type: boolean + required: + - masked + - rendered + - set + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/helm-charts-playground/helm-charts-manifests/spire/namespace.yaml b/helm-charts-playground/helm-charts-manifests/spire/namespace.yaml new file mode 100644 index 00000000..16b78014 --- /dev/null +++ b/helm-charts-playground/helm-charts-manifests/spire/namespace.yaml 
@@ -0,0 +1,21 @@ +# Source: spire/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: spire-system + labels: + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged + security.openshift.io/scc.podSecurityLabelSync: "false" # !!! +--- +# Source: spire/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: spire-server + labels: + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: restricted + security.openshift.io/scc.podSecurityLabelSync: "false" # !!! \ No newline at end of file diff --git a/helm-charts-playground/helm-charts-manifests/spire/spifee-csi-driver-serviceaccount.yaml b/helm-charts-playground/helm-charts-manifests/spire/spifee-csi-driver-serviceaccount.yaml new file mode 100644 index 00000000..8da15f48 --- /dev/null +++ b/helm-charts-playground/helm-charts-manifests/spire/spifee-csi-driver-serviceaccount.yaml @@ -0,0 +1,12 @@ +# Source: spire/charts/spiffe-csi-driver/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-spiffe-csi-driver + namespace: spire-system + labels: + helm.sh/chart: spiffe-csi-driver-0.1.0 + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "0.2.3" + app.kubernetes.io/managed-by: Helm \ No newline at end of file diff --git a/helm-charts-playground/spire-crds-manifest-no-openshift.yaml b/helm-charts-playground/spire-crds-manifest-no-openshift.yaml new file mode 100644 index 00000000..7e5b98ea --- /dev/null +++ b/helm-charts-playground/spire-crds-manifest-no-openshift.yaml 
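Review bot: The `spire-server` namespace sets `pod-security.kubernetes.io/enforce: privileged` while its `audit`/`warn` labels are `restricted`, which is wider than the `enforce: restricted` the no-openshift rendering in this same commit applies to the same namespace; together with `security.openshift.io/scc.podSecurityLabelSync: "false"` this means Pod Security Admission enforces nothing on SPIRE server pods on the OpenShift path. The `# !!!` markers suggest this delta is known, but they tell the next reader nothing about whether it is intended or a gap to close. Replace them with a comment that records the reason, e.g. `# enforce is relaxed to privileged on OpenShift; presumably SCCs gate admission there and audit/warn stay restricted so violations are still logged — TODO confirm and tighten if SCCs allow` (the reason itself is not visible in this change, so keep it hedged until verified). For `spire-system`, `privileged` on all three labels is plausible for the agent and CSI driver, but a one-line comment naming the host-path/socket requirement that forces it would make the file self-explanatory.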
@@ -0,0 +1,445 @@ +--- +# Source: spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterfederatedtrustdomains.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterFederatedTrustDomain + listKind: ClusterFederatedTrustDomainList + plural: clusterfederatedtrustdomains + singular: clusterfederatedtrustdomain + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trustDomain + name: Trust Domain + type: string + - jsonPath: .spec.bundleEndpointURL + name: Endpoint URL + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterFederatedTrustDomainSpec defines the desired state + of ClusterFederatedTrustDomain + properties: + bundleEndpointProfile: + description: BundleEndpointProfile is the profile for the bundle endpoint. + properties: + endpointSPIFFEID: + description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. 
+ It is required for the "https_spiffe" profile. + type: string + type: + description: Type is the type of the bundle endpoint profile. + enum: + - https_spiffe + - https_web + type: string + required: + - type + type: object + bundleEndpointURL: + description: BundleEndpointURL is the URL of the bundle endpoint. + It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). + type: string + className: + description: Set the class of controller to handle this object. + type: string + trustDomain: + description: TrustDomain is the name of the trust domain to federate + with (e.g. example.org) + pattern: '[a-z0-9._-]{1,255}' + type: string + trustDomainBundle: + description: TrustDomainBundle is the contents of the bundle for the + referenced trust domain. This field is optional when the resource + is created. + type: string + required: + - bundleEndpointProfile + - bundleEndpointURL + - trustDomain + type: object + status: + description: ClusterFederatedTrustDomainStatus defines the observed state + of ClusterFederatedTrustDomain + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +# Source: spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterspiffeids.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterSPIFFEID + listKind: ClusterSPIFFEIDList + plural: clusterspiffeids + singular: clusterspiffeid + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSPIFFEID is the Schema for the clusterspiffeids API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID + properties: + admin: + description: Admin indicates whether or not the SVID can be used to + access the SPIRE administrative APIs. Extra care should be taken + to only apply this SPIFFE ID to admin workloads. + type: boolean + autoPopulateDNSNames: + description: AutoPopulateDNSNames indicates whether or not to auto + populate service DNS names. + type: boolean + dnsNameTemplates: + description: DNSNameTemplate represents templates for extra DNS names + that are applicable to SVIDs minted for this ClusterSPIFFEID. The + node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + downstream: + description: Downstream indicates that the entry describes a downstream + SPIRE server. + type: boolean + className: + description: Set the class of controller to handle this object. + type: string + federatesWith: + description: FederatesWith is a list of trust domain names that workloads + that obtain this SPIFFE ID will federate with. + items: + type: string + type: array + jwtTtl: + description: JWTTTL indicates an upper-bound time-to-live for JWT + SVIDs minted for this ClusterSPIFFEID. + type: string + namespaceSelector: + description: NamespaceSelector selects the namespaces that are targeted + by this CRD. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: PodSelector selects the pods that are targeted by this + CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + spiffeIDTemplate: + description: SPIFFEID is the SPIFFE ID template. The node and pod + spec are made available to the template under .NodeSpec, .PodSpec + respectively. + type: string + ttl: + description: TTL indicates an upper-bound time-to-live for X509 SVIDs + minted for this ClusterSPIFFEID. If unset, a default will be chosen. + type: string + workloadSelectorTemplates: + description: WorkloadSelectorTemplates are templates to produce arbitrary + workload selectors that apply to a given workload before it will + receive this SPIFFE ID. The rendered value is interpreted by SPIRE + and are of the form type:value, where the value may, and often does, + contain semicolons, .e.g., k8s:container-image:docker/hello-world + The node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + required: + - spiffeIDTemplate + type: object + status: + description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID + properties: + stats: + description: Stats produced by the last entry reconciliation run + properties: + entriesMasked: + description: How many entries were masked by entries for other + ClusterSPIFFEIDs. 
This happens when one or more ClusterSPIFFEIDs + produce an entry for the same pod with the same set of workload + selectors. + type: integer + entriesToSet: + description: How many entries are to be set for this ClusterSPIFFEID. + In nominal conditions, this should reflect the number of pods + selected, but not always if there were problems encountered + rendering an entry for the pod (RenderFailures) or entries are + masked (EntriesMasked). + type: integer + entryFailures: + description: How many entries were unable to be set due to failures + to create or update the entries via the SPIRE Server API. + type: integer + namespacesIgnored: + description: How many (selected) namespaces were ignored (based + on configuration). + type: integer + namespacesSelected: + description: How many namespaces were selected. + type: integer + podEntryRenderFailures: + description: How many failures were encountered rendering an entry + selected pods. This could be due to either a bad template in + the ClusterSPIFFEID or Pod metadata that when applied to the + template did not produce valid entry values. + type: integer + podsSelected: + description: How many pods were selected out of the namespaces. 
+ type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +# Source: spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterstaticentries.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterStaticEntry + listKind: ClusterStaticEntryList + plural: clusterstaticentries + singular: clusterstaticentry + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterStaticEntry is the Schema for the clusterstaticentries + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry + properties: + admin: + type: boolean + className: + description: Set the class of controller to handle this object. 
+ type: string + dnsNames: + items: + type: string + type: array + downstream: + type: boolean + federatesWith: + items: + type: string + type: array + hint: + type: string + jwtSVIDTTL: + type: string + parentID: + type: string + selectors: + items: + type: string + type: array + spiffeID: + type: string + storeSVID: + type: boolean + x509SVIDTTL: + type: string + required: + - parentID + - selectors + - spiffeID + type: object + status: + description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry + properties: + masked: + description: If the static entry was masked by another entry. + type: boolean + rendered: + description: If the static entry rendered properly. + type: boolean + set: + description: If the static entry was successfully created/updated. + type: boolean + required: + - masked + - rendered + - set + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/helm-charts-playground/spire-manifest-no-openshift.yaml b/helm-charts-playground/spire-manifest-no-openshift.yaml new file mode 100644 index 00000000..834d8d45 --- /dev/null +++ b/helm-charts-playground/spire-manifest-no-openshift.yaml 
@@ -0,0 +1,1988 @@ +--- +# Source: spire/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: spire-system + labels: + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged +--- +# Source: spire/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: spire-server + labels: + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/warn: restricted +--- +# Source: spire/charts/spiffe-csi-driver/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-spiffe-csi-driver + namespace: spire-system + labels: + helm.sh/chart: spiffe-csi-driver-0.1.0 + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "0.2.3" + app.kubernetes.io/managed-by: Helm +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-spiffe-oidc-discovery-provider + namespace: spire-server + labels: + helm.sh/chart: spiffe-oidc-discovery-provider-0.1.0 + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +--- +# Source: spire/charts/spire-agent/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + namespace: spire-system + labels: + helm.sh/chart: spire-agent-0.1.0 + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +--- +# Source: spire/charts/spire-server/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + 
app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-spiffe-oidc-discovery-provider + namespace: spire-server +data: + oidc-discovery-provider.conf: | + { + "domains": [ + "spire-spiffe-oidc-discovery-provider", + "spire-spiffe-oidc-discovery-provider.spire-server", + "spire-spiffe-oidc-discovery-provider.spire-server.svc.cluster.local", + "oidc-discovery.aegis.ist" + ], + "health_checks": { + "bind_port": "8008", + "live_path": "/live", + "ready_path": "/ready" + }, + "log_level": "info", + "serving_cert_file": { + "addr": ":8443", + "cert_file_path": "/certs/tls.crt", + "key_file_path": "/certs/tls.key" + }, + "workload_api": { + "socket_path": "/spiffe-workload-api/spire-agent.sock", + "trust_domain": "aegis.ist" + } + } + spiffe-helper.conf: | + agent_address = "/spiffe-workload-api/spire-agent.sock" + cert_dir = "/certs" + svid_file_name = "tls.crt" + svid_key_file_name = "tls.key" + svid_bundle_file_name = "ca.pem" +--- +# Source: spire/charts/spire-agent/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + namespace: spire-system +data: + agent.conf: | + { + "agent": { + "data_dir": "/run/spire", + "log_level": "info", + "retry_bootstrap": true, + "server_address": "spire-server.spire-server", + "server_port": "443", + "socket_path": "/tmp/spire-agent/public/spire-agent.sock", + "trust_bundle_path": "/run/spire/bundle/bundle.crt", + "trust_domain": "aegis.ist" + }, + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "9982", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "KeyManager": [ + { + "memory": { + "plugin_data": null + } + } + ], + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "cluster": "vsecm-cluster" + } + } + } + ], + "WorkloadAttestor": 
[ + { + "k8s": { + "plugin_data": { + "disable_container_selectors": false, + "skip_kubelet_verification": true, + "use_new_container_locator": false, + "verbose_container_locator_logs": false + } + } + } + ] + }, + "telemetry": [ + { + "Prometheus": [ + { + "host": "0.0.0.0", + "port": 9988 + } + ] + } + ] + } +--- +# Source: spire/charts/spire-server/templates/bundle-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire-system +--- +# Source: spire/charts/spire-server/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + namespace: spire-server +data: + server.conf: | + { + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "8080", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "DataStore": [ + { + "sql": { + "plugin_data": { + "connection_string": "/run/spire/data/datastore.sqlite3", + "database_type": "sqlite3" + } + } + } + ], + "KeyManager": [ + { + "disk": { + "plugin_data": { + "keys_path": "/run/spire/data/keys.json" + } + } + } + ], + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "clusters": [ + { + "vsecm-cluster": { + "allowed_node_label_keys": [], + "allowed_pod_label_keys": [], + "audience": [ + "spire-server" + ], + "service_account_allow_list": [ + "spire-system:spire-agent" + ] + } + } + ] + } + } + } + ], + "Notifier": [ + { + "k8sbundle": { + "plugin_data": { + "config_map": "spire-bundle", + "namespace": "spire-system" + } + } + } + ] + }, + "server": { + "audit_log_enabled": false, + "bind_address": "0.0.0.0", + "bind_port": "8081", + "ca_key_type": "rsa-2048", + "ca_subject": [ + { + "common_name": "aegist.ist", + "country": [ + "US" + ], + "organization": [ + "aegis.ist" + ] + } + ], + "ca_ttl": "24h", + "data_dir": "/run/spire/data", + "default_jwt_svid_ttl": "1h", + "default_x509_svid_ttl": "4h", + "jwt_issuer": "https://oidc-discovery.aegis.ist", + "log_level": "info", + 
"trust_domain": "aegis.ist" + }, + "telemetry": [ + { + "Prometheus": [ + { + "host": "0.0.0.0", + "port": 9988 + } + ] + } + ] + } +--- +# Source: spire/charts/spire-server/templates/controller-manager-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-controller-manager + namespace: spire-server +data: + controller-manager-config.yaml: | + + apiVersion: spire.spiffe.io/v1alpha1 + kind: ControllerManagerConfig + metadata: + name: spire-controller-manager + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + metrics: + bindAddress: 0.0.0.0:8082 + health: + healthProbeBindAddress: 0.0.0.0:8083 + leaderElection: + leaderElect: true + resourceName: 6f304bd2.spiffe.io + resourceNamespace: spire-server + validatingWebhookConfigurationName: spire-server-spire-controller-manager-webhook + entryIDPrefix: vsecm-cluster + clusterName: vsecm-cluster + trustDomain: aegis.ist + ignoreNamespaces: + - kube-system + - kube-public + - local-path-storage + - openshift-cluster-node-tuning-operator + - openshift-cluster-samples-operator + - openshift-cluster-storage-operator + - openshift-console-operator + - openshift-console + - openshift-dns + - openshift-dns-operator + - openshift-image-registry + - openshift-ingress + - openshift-kube-storage-version-migrator + - openshift-kube-storage-version-migrator-operator + - openshift-kube-proxy + - openshift-marketplace + - openshift-monitoring + - openshift-multus + - openshift-network-diagnostics + - openshift-network-operator + - openshift-operator-lifecycle-manager + - openshift-roks-metrics + - openshift-service-ca-operator + - openshift-service-ca + - ibm-odf-validation-webhook + - ibm-system + spireServerSocketPath: "/tmp/spire-server/private/api.sock" + className: "spire-server-spire" + watchClassless: false + parentIDTemplate: "spiffe://{{ 
.TrustDomain }}/spire/agent/k8s_psat/{{ .ClusterName }}/{{ .NodeMeta.UID }}" + reconcile: + clusterSPIFFEIDs: true + clusterStaticEntries: true + clusterFederatedTrustDomains: true +--- +# Source: spire/charts/spire-agent/templates/roles.yaml +# Required cluster role to allow spire-agent to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - nodes/proxy + verbs: ["get"] +--- +# Source: spire/charts/spire-server/templates/controller-manager-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-spire-controller-manager +rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries"] + verbs: ["create", 
"delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/status"] + verbs: ["get", "patch", "update"] +--- +# Source: spire/charts/spire-server/templates/roles.yaml +# ClusterRole to allow spire-server node attestor to query Token Review API +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-spire-server +rules: + - apiGroups: [authentication.k8s.io] + resources: [tokenreviews] + verbs: + - get + - watch + - list + - create + - apiGroups: [""] + resources: [nodes, pods] + verbs: + - get + - list +--- +# Source: spire/charts/spire-agent/templates/roles.yaml +# Binds above cluster role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent +subjects: + - kind: ServiceAccount + name: spire-agent + namespace: spire-system +roleRef: + kind: ClusterRole + name: spire-agent + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spire-server/templates/controller-manager-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-server-spire-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spire-server-spire-controller-manager + +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire-server +--- +# Source: spire/charts/spire-server/templates/roles.yaml +# Binds above cluster role to spire-server service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-spire-server + +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-spire-server + apiGroup: rbac.authorization.k8s.io +--- +# Source: 
spire/charts/spire-server/templates/controller-manager-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: spire-controller-manager-leader-election + namespace: spire-server +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: spire/charts/spire-server/templates/roles.yaml +# Role to be able to push certificate bundles to a configmap +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-bundle + namespace: spire-system +rules: + - apiGroups: [""] + resources: [configmaps] + resourceNames: [spire-bundle] + verbs: + - get + - patch +--- +# Source: spire/charts/spire-server/templates/controller-manager-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: spire-controller-manager-leader-election + namespace: spire-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: spire-controller-manager-leader-election + +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire-server +--- +# Source: spire/charts/spire-server/templates/roles.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-bundle + namespace: spire-system + +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire-server +roleRef: + kind: Role + name: spire-bundle + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: spire-spiffe-oidc-discovery-provider + namespace: spire-server +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: https + protocol: TCP + selector: + app.kubernetes.io/name: 
spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire +--- +# Source: spire/charts/spire-server/templates/controller-manager-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: spire-controller-manager-webhook + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: https + protocol: TCP + selector: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire +--- +# Source: spire/charts/spire-server/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: spire-server + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: grpc + port: 443 + targetPort: grpc + protocol: TCP + selector: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire +--- +# Source: spire/charts/spiffe-csi-driver/templates/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-spiffe-csi-driver + namespace: spire-system + labels: + helm.sh/chart: spiffe-csi-driver-0.1.0 + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "0.2.3" + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + spec: + serviceAccountName: spire-spiffe-csi-driver + + priorityClassName: system-node-critical + containers: + # This is the container which runs the SPIFFE 
CSI driver. + - name: spiffe-csi-driver + image: ghcr.io/spiffe/spiffe-csi-driver:0.2.3 + imagePullPolicy: IfNotPresent + args: [ + "-workload-api-socket-dir", "/spire-agent-socket", + "-plugin-name", "csi.spiffe.io", + "-csi-socket-path", "/spiffe-csi/csi.sock", + ] + env: + # The CSI driver needs a unique node ID. The node name can be + # used for this purpose. + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + # The volume containing the SPIRE agent socket. The SPIFFE CSI + # driver will mount this directory into containers. + - mountPath: /spire-agent-socket + name: spire-agent-socket-dir + readOnly: true + # The volume that will contain the CSI driver socket shared + # with the kubelet and the driver registrar. + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The volume containing mount points for containers. + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + securityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - all + privileged: true + resources: + {} + # This container runs the CSI Node Driver Registrar which takes care + # of all the little details required to register a CSI driver with + # the kubelet. 
+ - name: node-driver-registrar + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.4 + imagePullPolicy: IfNotPresent + args: [ + "-csi-address", "/spiffe-csi/csi.sock", + "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", + "-health-port", "9809" + ] + volumeMounts: + # The registrar needs access to the SPIFFE CSI driver socket + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The registrar needs access to the Kubelet plugin registration + # directory + - name: kubelet-plugin-registration-dir + mountPath: /registration + ports: + - containerPort: 9809 + name: healthz + livenessProbe: + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 5 + timeoutSeconds: 5 + resources: + {} + volumes: + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/agent-sockets + type: DirectoryOrCreate + # This volume is where the socket for kubelet->driver communication lives + - name: spiffe-csi-socket-dir + hostPath: + path: /var/lib/kubelet/plugins/csi.spiffe.io + type: DirectoryOrCreate + # This volume is where the SPIFFE CSI driver mounts volumes + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + # This volume is where the node-driver-registrar registers the plugin + # with kubelet + - name: kubelet-plugin-registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory +--- +# Source: spire/charts/spire-agent/templates/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + namespace: spire-system + labels: + helm.sh/chart: spire-agent-0.1.0 + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: default +spec: + selector: + matchLabels: + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/component: default + updateStrategy: + type: RollingUpdate + rollingUpdate: 
+ maxUnavailable: 1 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: spire-agent + checksum/config: 2ad907b85aad20064f4cbf04be0f3bf500bbe6a43f76c82c48eda97306352008 + labels: + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/component: default + spec: + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: spire-agent + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + + priorityClassName: system-node-critical + initContainers: + - name: ensure-alternate-names + image: cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + imagePullPolicy: Always + command: ["bash", "-xc"] + args: + - | + cd /run/spire/agent-sockets + L=`readlink socket` + [ "x$L" != "xspire-agent.sock" ] && rm -f socket + [ ! -L socket ] && ln -s spire-agent.sock socket + L=`readlink api.sock` + [ "x$L" != "xspire-agent.sock" ] && rm -f api.sock + [ ! 
-L api.sock ] && ln -s spire-agent.sock api.sock + [ -L spire-agent.sock ] && rm -f spire-agent.sock + exit 0 + resources: + {} + volumeMounts: + - name: spire-agent-socket-dir + mountPath: /run/spire/agent-sockets + securityContext: + runAsUser: 0 + runAsGroup: 0 + - name: fsgroupfix + image: cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + imagePullPolicy: Always + command: ["bash", "-c"] + args: + - "chown -R 1000:1000 /run/spire/agent-sockets /tmp/spire-agent/private" + resources: + {} + volumeMounts: + - name: spire-agent-socket-dir + mountPath: /run/spire/agent-sockets + - name: spire-agent-admin-socket-dir + mountPath: /tmp/spire-agent/private + securityContext: + runAsUser: 0 + runAsGroup: 0 + containers: + - name: spire-agent + image: ghcr.io/spiffe/spire-agent:1.9.6 + imagePullPolicy: IfNotPresent + args: ["-config", "/opt/spire/conf/agent/agent.conf"] + securityContext: + {} + env: + - name: PATH + value: "/opt/spire/bin:/bin" + ports: + - containerPort: 9982 + name: healthz + - containerPort: 9988 + name: prom + volumeMounts: + - name: spire-config + mountPath: /opt/spire/conf/agent + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + readOnly: true + - name: spire-agent-socket-dir + mountPath: /tmp/spire-agent/public + readOnly: false + - name: spire-token + mountPath: /var/run/secrets/tokens + livenessProbe: + httpGet: + path: /live + port: healthz + initialDelaySeconds: 15 + periodSeconds: 60 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 10 + periodSeconds: 30 + resources: + {} + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-agent-admin-socket-dir + emptyDir: {} + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server + - name: spire-agent-socket-dir + hostPath: + 
path: /run/spire/agent-sockets + type: DirectoryOrCreate +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: spire-spiffe-oidc-discovery-provider + namespace: spire-server + labels: + helm.sh/chart: spiffe-oidc-discovery-provider-0.1.0 + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + template: + metadata: + annotations: + checksum/config: 856b450a332226fc0b9ea4c2145d8234ebce9220ad5239134629ac0c1cbb63ba + labels: + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + release: spire + release-namespace: spire-server + component: oidc-discovery-provider + spec: + serviceAccountName: spire-spiffe-oidc-discovery-provider + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + initContainers: + - name: init + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + resources: + {} + image: ghcr.io/spiffe/spiffe-helper:nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6 + imagePullPolicy: IfNotPresent + args: + - -config + - /etc/spiffe-helper.conf + - -exitWhenReady + volumeMounts: + - name: spiffe-workload-api + mountPath: /spiffe-workload-api + readOnly: true + - name: spire-oidc-config + mountPath: /etc/spiffe-helper.conf + subPath: spiffe-helper.conf + readOnly: true + - name: certdir + mountPath: /certs + containers: + - name: spiffe-oidc-discovery-provider + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + 
runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: ghcr.io/spiffe/oidc-discovery-provider:1.9.6 + imagePullPolicy: IfNotPresent + args: + - -config + - /run/spire/oidc/config/oidc-discovery-provider.conf + ports: + - containerPort: 8008 + name: healthz + - containerPort: 8443 + name: https + volumeMounts: + - name: spiffe-workload-api + mountPath: /spiffe-workload-api + readOnly: true + - name: spire-oidc-sockets + mountPath: /run/spire/oidc-sockets + readOnly: false + - name: spire-oidc-config + mountPath: /run/spire/oidc/config/oidc-discovery-provider.conf + subPath: oidc-discovery-provider.conf + readOnly: true + - name: certdir + mountPath: /certs + readOnly: true + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + livenessProbe: + httpGet: + path: /live + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {} + - name: spiffe-helper + resources: + {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: ghcr.io/spiffe/spiffe-helper:nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6 + imagePullPolicy: IfNotPresent + args: + - -config + - /etc/spiffe-helper.conf + volumeMounts: + - name: spiffe-workload-api + mountPath: /spiffe-workload-api + readOnly: true + - name: spire-oidc-config + mountPath: /etc/spiffe-helper.conf + subPath: spiffe-helper.conf + readOnly: true + - name: certdir + mountPath: /certs + volumes: + - name: spiffe-workload-api + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: spire-oidc-sockets + emptyDir: {} + - name: spire-oidc-config + configMap: + name: spire-spiffe-oidc-discovery-provider + - name: nginx-tmp + emptyDir: {} + - name: certdir + emptyDir: {} +--- +# Source: spire/charts/spire-server/templates/server-resource.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + 
name: spire-server + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: server +spec: + replicas: 1 + serviceName: spire-server + selector: + matchLabels: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/component: server + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: spire-server + checksum/config: 83dddc7bb9f54b5059533228971826c0585045b7c4afb17635ede1e7ef6c1e35 + checksum/config2: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/config3: 9742ccbbd63b5da94e50bc34b73c946f254110b1f94fbc4ac437b3bba15cefe8 + checksum/configTornjak: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/component: server + component: server + release: spire + release-namespace: spire-server + spec: + serviceAccountName: spire-server + shareProcessNamespace: true + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + + priorityClassName: system-cluster-critical + containers: + - name: spire-server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: ghcr.io/spiffe/spire-server:1.9.6 + imagePullPolicy: IfNotPresent + args: + - -expandEnv + - -config + - /run/spire/config/server.conf + env: + - name: PATH + value: "/opt/spire/bin:/bin" + ports: + - name: grpc + containerPort: 8081 + protocol: TCP + - containerPort: 8080 + name: healthz + - containerPort: 9988 + name: prom + livenessProbe: + httpGet: + path: /live + port: healthz + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + 
timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {} + volumeMounts: + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: false + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-data + mountPath: /run/spire/data + readOnly: false + - name: server-tmp + mountPath: /tmp + readOnly: false + + - name: spire-controller-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: ghcr.io/spiffe/spire-controller-manager:0.5.0 + imagePullPolicy: IfNotPresent + args: + - --config=controller-manager-config.yaml + env: + - name: ENABLE_WEBHOOKS + value: "true" + ports: + - name: https + containerPort: 9443 + protocol: TCP + - containerPort: 8083 + name: healthz + - containerPort: 8082 + name: prom-cm + livenessProbe: + httpGet: + path: /healthz + port: healthz + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + {} + volumeMounts: + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: true + - name: controller-manager-config + mountPath: /controller-manager-config.yaml + subPath: controller-manager-config.yaml + readOnly: true + - name: spire-controller-manager-tmp + mountPath: /tmp + subPath: spire-controller-manager + readOnly: false + volumes: + - name: server-tmp + emptyDir: {} + - name: spire-config + configMap: + name: spire-server + - name: spire-server-socket + emptyDir: {} + - name: spire-controller-manager-tmp + emptyDir: {} + - name: controller-manager-config + configMap: + name: spire-controller-manager + volumeClaimTemplates: + - metadata: + name: spire-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +# Source: spire/charts/spiffe-csi-driver/templates/spiffe-csi-driver.yaml +apiVersion: 
storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: "csi.spiffe.io" + +spec: + # Only ephemeral, inline volumes are supported. There is no need for a + # controller to provision and attach volumes. + attachRequired: false + + # Request the pod information which the CSI driver uses to verify that an + # ephemeral mount was requested. + podInfoOnMount: true + + # Don't change ownership on the contents of the mount since the Workload API + # Unix Domain Socket is typically open to all (i.e. 0777). + fsGroupPolicy: None + + # Declare support for ephemeral volumes only. + volumeLifecycleModes: + - Ephemeral +--- +# Source: spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: spire-server-spire-default +spec: + className: "spire-server-spire" + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - spire-server + - spire-system +--- +# Source: spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: spire-server-spire-oidc-discovery-provider +spec: + className: "spire-server-spire" + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + podSelector: + matchLabels: + component: oidc-discovery-provider + release: spire + release-namespace: spire-server + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - spire-server + - spire-system + dnsNameTemplates: + - oidc-discovery.{{ .TrustDomain }} + autoPopulateDNSNames: true +--- +# Source: spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: 
spire-server-spire-test-keys +spec: + className: "spire-server-spire" + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + podSelector: + matchLabels: + component: test-keys + release: spire + release-namespace: spire-server + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - spire-server + - spire-system +--- +# Source: spire/charts/spire-server/templates/controller-manager-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: spire-server-spire-controller-manager-webhook +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook + namespace: spire-server + path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain + failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks + name: vclusterfederatedtrustdomain.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterfederatedtrustdomains"] + sideEffects: None + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook + namespace: spire-server + path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid + failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks + name: vclusterspiffeid.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterspiffeids"] + sideEffects: None +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-spiffe-oidc-discovery-provider-pre-delete + namespace: spire-server + labels: + helm.sh/chart: spiffe-oidc-discovery-provider-0.1.0 + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: 
spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: spire/charts/spire-server/templates/post-install-hook.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server-post-install + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: spire/charts/spire-server/templates/post-upgrade-hook.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server-post-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: spire/charts/spire-server/templates/pre-upgrade-hook.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server-pre-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: spire/charts/spire-server/templates/post-install-hook.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-post-install + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, 
hook-succeeded, hook-failed +rules: + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + resourceNames: ["spire-server-spire-controller-manager-webhook"] + verbs: ["get", "patch"] +--- +# Source: spire/charts/spire-server/templates/post-upgrade-hook.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-post-upgrade + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + resourceNames: ["spire-server-spire-controller-manager-webhook"] + verbs: ["get", "patch"] +--- +# Source: spire/charts/spire-server/templates/pre-upgrade-hook.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-pre-upgrade + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + resourceNames: ["spire-server-spire-controller-manager-webhook"] + verbs: ["get", "patch"] +--- +# Source: spire/charts/spire-server/templates/post-install-hook.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-post-install + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-server-post-install + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-post-install + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spire-server/templates/post-upgrade-hook.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-post-upgrade + annotations: + "helm.sh/hook": post-upgrade + 
"helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-server-post-upgrade + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-post-upgrade + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spire-server/templates/pre-upgrade-hook.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-pre-upgrade + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-server-pre-upgrade + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-pre-upgrade + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: spire-spiffe-oidc-discovery-provider-pre-delete + namespace: spire-server + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["apps"] + resources: ["deployments"] + resourceNames: ["spire-spiffe-oidc-discovery-provider"] + verbs: ["get", "delete"] +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-spiffe-oidc-discovery-provider-pre-delete + namespace: spire-server + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-spiffe-oidc-discovery-provider-pre-delete + namespace: spire-server +roleRef: + kind: Role + name: spire-spiffe-oidc-discovery-provider-pre-delete + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml 
+apiVersion: v1 +kind: Pod +metadata: + name: "spire-spiffe-oidc-discovery-provider-test-connection" + namespace: spire-server + labels: + helm.sh/chart: spiffe-oidc-discovery-provider-0.1.0 + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": test +spec: + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + containers: + - name: curl-service-name + image: cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + command: ['curl'] + args: ['-s', '-f', '-k', 'https://spire-spiffe-oidc-discovery-provider:443/.well-known/openid-configuration'] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + - name: curl-service-name-namespace + image: cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + command: ['curl'] + args: ['-s', '-f', '-k', 'https://spire-spiffe-oidc-discovery-provider.spire-server:443/.well-known/openid-configuration'] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + - name: curl-service-name-namespace-svc-cluster-local + image: cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + command: ['curl'] + args: ['-s', '-f', '-k', 'https://spire-spiffe-oidc-discovery-provider.spire-server.svc.cluster.local:443/.well-known/openid-configuration'] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + restartPolicy: Never +--- +# Source: 
spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "spire-spiffe-oidc-discovery-provider-test-keys" + namespace: spire-server + labels: + helm.sh/chart: spiffe-oidc-discovery-provider-0.1.0 + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + release: spire + release-namespace: spire-server + component: test-keys + annotations: + "helm.sh/hook": test +spec: + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + serviceAccountName: spire-spiffe-oidc-discovery-provider + initContainers: + - name: static-busybox + image: busybox:1.36.1-uclibc + command: + - sh + - -c + - | + cp /bin/busybox /data/busybox + chmod +x /data/busybox + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: data-volume + mountPath: /data + - name: install-step + image: docker.io/smallstep/step-cli:0.26.1 + workingDir: /data + command: + - sh + - -c + - | + cp /usr/local/bin/step /data/step + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: data-volume + mountPath: /data + - name: gettoken + image: ghcr.io/spiffe/spire-agent:1.9.6 + command: + - /data/busybox + - sh + - -c + - | + while true; do + /opt/spire/bin/spire-agent api fetch jwt -audience foo -format json -socketPath /spire-agent/spire-agent.sock -timeout 5s > /data/token.svid + [ $? 
-eq 0 ] && break + sleep 1 + done + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: data-volume + mountPath: /data + - name: spire-api + mountPath: /spire-agent + readOnly: true + containers: + - name: verify-keys + image: cgr.dev/chainguard/min-toolkit-debug:latest@sha256:d94454739d8be0239cfe93453df79c88d25d38b7a97084d81a49e9403a90d07c + command: + - bash + workingDir: /data + env: + - name: TMPDIR + value: /data + args: + - -cx + - | + URL=https://spire-spiffe-oidc-discovery-provider.spire-server.svc.cluster.local:443 + + cat /data/token.svid + JWT=$(cat /data/token.svid | jq -r '.[] | select(.svids) | .svids[0].svid' | xargs) + KID=$(echo $JWT | base64 -d 2>/dev/null | jq -r '.kid') + # Retrieve public key from JWK set, match kid from JWT to locate the correct one + curl -k -s --fail-with-body "${URL}"/keys | jq '.keys[] | select(.kid == "'${KID}'")' > public.pem + # Verify JWT with public pem + echo $JWT | /data/step crypto jwt verify --key=public.pem --alg=RS256 --subtle + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /data + name: data-volume + restartPolicy: Never + volumes: + - csi: + driver: csi.spiffe.io + readOnly: true + name: spire-api + - name: data-volume + emptyDir: {} +--- +# Source: spire/charts/spire-server/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "spire-server-test-connection" + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: test + annotations: + "helm.sh/hook": test +spec: + securityContext: + 
fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + containers: + - name: curl + image: cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + command: ['bash'] + args: + - -c + - | + curl -f -s 'https://spire-server:443' + NOCA=$? + curl -k -f -s 'https://spire-server:443' + IGNORECA=$? + echo $NOCA $IGNORECA + if [ $NOCA -eq 60 -a $IGNORECA -eq 22 ]; then + # We were able to connect to the server but didn't recognize the ca (60) and the page not found (22) because we're not using grpc + exit 0 + fi + exit 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + restartPolicy: Never +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-spiffe-oidc-discovery-provider-pre-delete + namespace: spire-server + labels: + helm.sh/chart: spiffe-oidc-discovery-provider-0.1.0 + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-spiffe-oidc-discovery-provider-pre-delete + spec: + restartPolicy: Never + serviceAccountName: spire-spiffe-oidc-discovery-provider-pre-delete + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + containers: + - name: pre-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: docker.io/rancher/kubectl:v1.28.0 + args: + - delete + - -n + - spire-server + - deployment + - 
spire-spiffe-oidc-discovery-provider + - --wait +--- +# Source: spire/charts/spire-server/templates/post-install-hook.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-server-post-install + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-server-post-install + spec: + restartPolicy: Never + serviceAccountName: spire-server-post-install + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + containers: + - name: post-install-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: docker.io/rancher/kubectl:v1.28.0 + args: + - patch + - validatingwebhookconfiguration + - spire-server-spire-controller-manager-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"Fail" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"Fail" + } + ] + } +--- +# Source: spire/charts/spire-server/templates/post-upgrade-hook.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-server-post-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-server-post-upgrade + spec: + restartPolicy: Never + serviceAccountName: 
spire-server-post-upgrade + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + containers: + - name: post-upgrade-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: docker.io/rancher/kubectl:v1.28.0 + args: + - patch + - validatingwebhookconfiguration + - spire-server-spire-controller-manager-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"Fail" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"Fail" + } + ] + } +--- +# Source: spire/charts/spire-server/templates/pre-upgrade-hook.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-server-pre-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-server-pre-upgrade + spec: + restartPolicy: Never + serviceAccountName: spire-server-pre-upgrade + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + containers: + - name: post-install-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: docker.io/rancher/kubectl:v1.28.0 + args: + - patch + - validatingwebhookconfiguration + - spire-server-spire-controller-manager-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"Ignore" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + 
"failurePolicy":"Ignore" + } + ] + }
diff --git a/helm-charts-playground/spire-manifest.yaml b/helm-charts-playground/spire-manifest.yaml
new file mode 100644
index 00000000..4ce7e15c
--- /dev/null
+++ b/helm-charts-playground/spire-manifest.yaml
@@ -0,0 +1,2032 @@ + +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-spiffe-oidc-discovery-provider + namespace: spire-server + labels: + helm.sh/chart: spiffe-oidc-discovery-provider-0.1.0 + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +--- +# Source: spire/charts/spire-agent/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + namespace: spire-system + labels: + helm.sh/chart: spire-agent-0.1.0 + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +--- +# Source: spire/charts/spire-server/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-spiffe-oidc-discovery-provider + namespace: spire-server +data: + oidc-discovery-provider.conf: | + { + "domains": [ + "spire-spiffe-oidc-discovery-provider", + "spire-spiffe-oidc-discovery-provider.spire-server", + "spire-spiffe-oidc-discovery-provider.spire-server.svc.cluster.local", + "oidc-discovery.aegis.ist" + ], + "health_checks": { + "bind_port": "8008", + "live_path": "/live", + "ready_path": "/ready" + }, + "log_level": "info", + "serving_cert_file": { + "addr": ":8443", + "cert_file_path": "/certs/tls.crt", + "key_file_path": "/certs/tls.key" + }, + "workload_api": { + "socket_path": "/spiffe-workload-api/spire-agent.sock", + "trust_domain": "aegis.ist" + } + } + 
spiffe-helper.conf: | + agent_address = "/spiffe-workload-api/spire-agent.sock" + cert_dir = "/certs" + svid_file_name = "tls.crt" + svid_key_file_name = "tls.key" + svid_bundle_file_name = "ca.pem" +--- +# Source: spire/charts/spire-agent/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + namespace: spire-system +data: + agent.conf: | + { + "agent": { + "data_dir": "/run/spire", + "log_level": "info", + "retry_bootstrap": true, + "server_address": "spire-server.spire-server", + "server_port": "443", + "socket_path": "/tmp/spire-agent/public/spire-agent.sock", + "trust_bundle_path": "/run/spire/bundle/bundle.crt", + "trust_domain": "aegis.ist" + }, + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "9982", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "KeyManager": [ + { + "memory": { + "plugin_data": null + } + } + ], + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "cluster": "vsecm-cluster" + } + } + } + ], + "WorkloadAttestor": [ + { + "k8s": { + "plugin_data": { + "disable_container_selectors": false, + "skip_kubelet_verification": true, + "use_new_container_locator": false, + "verbose_container_locator_logs": false + } + } + } + ] + }, + "telemetry": [ + { + "Prometheus": [ + { + "host": "0.0.0.0", + "port": 9988 + } + ] + } + ] + } +--- +# Source: spire/charts/spire-server/templates/bundle-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire-system +--- +# Source: spire/charts/spire-server/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + namespace: spire-server +data: + server.conf: | + { + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "8080", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "DataStore": [ + { + "sql": { + "plugin_data": { + "connection_string": 
"/run/spire/data/datastore.sqlite3", + "database_type": "sqlite3" + } + } + } + ], + "KeyManager": [ + { + "disk": { + "plugin_data": { + "keys_path": "/run/spire/data/keys.json" + } + } + } + ], + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "clusters": [ + { + "vsecm-cluster": { + "allowed_node_label_keys": [], + "allowed_pod_label_keys": [], + "audience": [ + "spire-server" + ], + "service_account_allow_list": [ + "spire-system:spire-agent" + ] + } + } + ] + } + } + } + ], + "Notifier": [ + { + "k8sbundle": { + "plugin_data": { + "config_map": "spire-bundle", + "namespace": "spire-system" + } + } + } + ] + }, + "server": { + "audit_log_enabled": false, + "bind_address": "0.0.0.0", + "bind_port": "8081", + "ca_key_type": "rsa-2048", + "ca_subject": [ + { + "common_name": "aegist.ist", + "country": [ + "US" + ], + "organization": [ + "aegis.ist" + ] + } + ], + "ca_ttl": "24h", + "data_dir": "/run/spire/data", + "default_jwt_svid_ttl": "1h", + "default_x509_svid_ttl": "4h", + "jwt_issuer": "https://oidc-discovery.aegis.ist", + "log_level": "info", + "trust_domain": "aegis.ist" + }, + "telemetry": [ + { + "Prometheus": [ + { + "host": "0.0.0.0", + "port": 9988 + } + ] + } + ] + } +--- +# Source: spire/charts/spire-server/templates/controller-manager-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-controller-manager + namespace: spire-server +data: + controller-manager-config.yaml: | + + apiVersion: spire.spiffe.io/v1alpha1 + kind: ControllerManagerConfig + metadata: + name: spire-controller-manager + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + metrics: + bindAddress: 0.0.0.0:8082 + health: + healthProbeBindAddress: 0.0.0.0:8083 + leaderElection: + leaderElect: true + resourceName: 6f304bd2.spiffe.io + resourceNamespace: spire-server + 
validatingWebhookConfigurationName: spire-server-spire-controller-manager-webhook + entryIDPrefix: vsecm-cluster + clusterName: vsecm-cluster + trustDomain: aegis.ist + ignoreNamespaces: + - kube-system + - kube-public + - local-path-storage + - openshift-cluster-node-tuning-operator + - openshift-cluster-samples-operator + - openshift-cluster-storage-operator + - openshift-console-operator + - openshift-console + - openshift-dns + - openshift-dns-operator + - openshift-image-registry + - openshift-ingress + - openshift-kube-storage-version-migrator + - openshift-kube-storage-version-migrator-operator + - openshift-kube-proxy + - openshift-marketplace + - openshift-monitoring + - openshift-multus + - openshift-network-diagnostics + - openshift-network-operator + - openshift-operator-lifecycle-manager + - openshift-roks-metrics + - openshift-service-ca-operator + - openshift-service-ca + - ibm-odf-validation-webhook + - ibm-system + spireServerSocketPath: "/tmp/spire-server/private/api.sock" + className: "spire-server-spire" + watchClassless: false + parentIDTemplate: "spiffe://{{ .TrustDomain }}/spire/agent/k8s_psat/{{ .ClusterName }}/{{ .NodeMeta.UID }}" + reconcile: + clusterSPIFFEIDs: true + clusterStaticEntries: true + clusterFederatedTrustDomains: true +--- +# Source: spire/charts/spire-agent/templates/roles.yaml +# Required cluster role to allow spire-agent to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - nodes/proxy + verbs: ["get"] +--- +# Source: spire/charts/spire-server/templates/controller-manager-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-spire-controller-manager +rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", 
"list", "patch", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/status"] + verbs: ["get", "patch", "update"] +--- +# Source: spire/charts/spire-server/templates/roles.yaml +# ClusterRole to allow spire-server node attestor to query Token Review API +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-spire-server +rules: + - apiGroups: [authentication.k8s.io] + resources: [tokenreviews] + verbs: + - get + - watch + - list + - create + - apiGroups: [""] + resources: [nodes, pods] + verbs: + - get + - list +--- +# Source: spire/charts/spire-agent/templates/roles.yaml +# Binds above cluster role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 
+metadata: + name: spire-agent +subjects: + - kind: ServiceAccount + name: spire-agent + namespace: spire-system +roleRef: + kind: ClusterRole + name: spire-agent + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spire-server/templates/controller-manager-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-server-spire-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spire-server-spire-controller-manager + +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire-server +--- +# Source: spire/charts/spire-server/templates/roles.yaml +# Binds above cluster role to spire-server service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-spire-server + +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-spire-server + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spire-server/templates/controller-manager-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: spire-controller-manager-leader-election + namespace: spire-server +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: spire/charts/spire-server/templates/roles.yaml +# Role to be able to push certificate bundles to a configmap +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-bundle + namespace: spire-system +rules: + - apiGroups: [""] + resources: [configmaps] + resourceNames: [spire-bundle] + verbs: + - get + - patch +--- +# Source: 
spire/charts/spire-server/templates/controller-manager-roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: spire-controller-manager-leader-election + namespace: spire-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: spire-controller-manager-leader-election + +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire-server +--- +# Source: spire/charts/spire-server/templates/roles.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-bundle + namespace: spire-system + +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire-server +roleRef: + kind: Role + name: spire-bundle + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: spire-spiffe-oidc-discovery-provider + namespace: spire-server +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: https + protocol: TCP + selector: + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire +--- +# Source: spire/charts/spire-server/templates/controller-manager-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: spire-controller-manager-webhook + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: https + protocol: TCP + selector: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire +--- +# Source: spire/charts/spire-server/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: spire-server + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + 
app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: grpc + port: 443 + targetPort: grpc + protocol: TCP + selector: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire +--- +# Source: spire/charts/spiffe-csi-driver/templates/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-spiffe-csi-driver + namespace: spire-system + labels: + helm.sh/chart: spiffe-csi-driver-0.1.0 + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "0.2.3" + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + spec: + serviceAccountName: spire-spiffe-csi-driver + + priorityClassName: system-node-critical + initContainers: + - name: set-context + command: + - chcon + - '-Rvt' + - container_file_t + - spire-agent-socket/ + image: registry.access.redhat.com/ubi9:latest + imagePullPolicy: Always + securityContext: + capabilities: + drop: + - all + privileged: true + volumeMounts: + - name: spire-agent-socket-dir + mountPath: /spire-agent-socket + terminationMessagePolicy: File + terminationMessagePath: /dev/termination-log + containers: + # This is the container which runs the SPIFFE CSI driver. + - name: spiffe-csi-driver + image: ghcr.io/spiffe/spiffe-csi-driver:0.2.3 + imagePullPolicy: IfNotPresent + args: [ + "-workload-api-socket-dir", "/spire-agent-socket", + "-plugin-name", "csi.spiffe.io", + "-csi-socket-path", "/spiffe-csi/csi.sock", + ] + env: + # The CSI driver needs a unique node ID. The node name can be + # used for this purpose. 
+ - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + # The volume containing the SPIRE agent socket. The SPIFFE CSI + # driver will mount this directory into containers. + - mountPath: /spire-agent-socket + name: spire-agent-socket-dir + readOnly: true + # The volume that will contain the CSI driver socket shared + # with the kubelet and the driver registrar. + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The volume containing mount points for containers. + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + securityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - all + privileged: true + resources: + {} + # This container runs the CSI Node Driver Registrar which takes care + # of all the little details required to register a CSI driver with + # the kubelet. + - name: node-driver-registrar + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.4 + imagePullPolicy: IfNotPresent + args: [ + "-csi-address", "/spiffe-csi/csi.sock", + "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", + "-health-port", "9809" + ] + volumeMounts: + # The registrar needs access to the SPIFFE CSI driver socket + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The registrar needs access to the Kubelet plugin registration + # directory + - name: kubelet-plugin-registration-dir + mountPath: /registration + ports: + - containerPort: 9809 + name: healthz + livenessProbe: + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 5 + timeoutSeconds: 5 + resources: + {} + volumes: + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/agent-sockets + type: DirectoryOrCreate + # This volume is where the socket for kubelet->driver communication lives + - name: spiffe-csi-socket-dir + hostPath: + path: /var/lib/kubelet/plugins/csi.spiffe.io + type: DirectoryOrCreate + # This volume is where the SPIFFE CSI driver 
mounts volumes + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + # This volume is where the node-driver-registrar registers the plugin + # with kubelet + - name: kubelet-plugin-registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory +--- +# Source: spire/charts/spire-agent/templates/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + namespace: spire-system + labels: + helm.sh/chart: spire-agent-0.1.0 + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: default +spec: + selector: + matchLabels: + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/component: default + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: spire-agent + checksum/config: 2ad907b85aad20064f4cbf04be0f3bf500bbe6a43f76c82c48eda97306352008 + labels: + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/component: default + spec: + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: spire-agent + securityContext: + fsGroupChangePolicy: OnRootMismatch + + priorityClassName: system-node-critical + initContainers: + - name: ensure-alternate-names + image: cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + imagePullPolicy: Always + command: ["bash", "-xc"] + args: + - | + cd /run/spire/agent-sockets + L=`readlink socket` + [ "x$L" != "xspire-agent.sock" ] && rm -f socket + [ ! -L socket ] && ln -s spire-agent.sock socket + L=`readlink api.sock` + [ "x$L" != "xspire-agent.sock" ] && rm -f api.sock + [ ! 
-L api.sock ] && ln -s spire-agent.sock api.sock + [ -L spire-agent.sock ] && rm -f spire-agent.sock + exit 0 + resources: + {} + volumeMounts: + - name: spire-agent-socket-dir + mountPath: /run/spire/agent-sockets + securityContext: + runAsUser: 0 + runAsGroup: 0 + containers: + - name: spire-agent + image: ghcr.io/spiffe/spire-agent:1.9.6 + imagePullPolicy: IfNotPresent + args: ["-config", "/opt/spire/conf/agent/agent.conf"] + securityContext: + {} + env: + - name: PATH + value: "/opt/spire/bin:/bin" + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + ports: + - containerPort: 9982 + name: healthz + - containerPort: 9988 + name: prom + volumeMounts: + - name: spire-config + mountPath: /opt/spire/conf/agent + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + readOnly: true + - name: spire-agent-socket-dir + mountPath: /tmp/spire-agent/public + readOnly: false + - name: spire-token + mountPath: /var/run/secrets/tokens + livenessProbe: + httpGet: + path: /live + port: healthz + initialDelaySeconds: 15 + periodSeconds: 60 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 10 + periodSeconds: 30 + resources: + {} + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-agent-admin-socket-dir + emptyDir: {} + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/agent-sockets + type: DirectoryOrCreate +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: spire-spiffe-oidc-discovery-provider + namespace: spire-server + labels: + helm.sh/chart: spiffe-oidc-discovery-provider-0.1.0 + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + 
app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + template: + metadata: + annotations: + checksum/config: 856b450a332226fc0b9ea4c2145d8234ebce9220ad5239134629ac0c1cbb63ba + labels: + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + release: spire + release-namespace: spire-server + component: oidc-discovery-provider + spec: + serviceAccountName: spire-spiffe-oidc-discovery-provider + securityContext: + fsGroupChangePolicy: OnRootMismatch + initContainers: + - name: init + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + resources: + {} + image: ghcr.io/spiffe/spiffe-helper:nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6 + imagePullPolicy: IfNotPresent + args: + - -config + - /etc/spiffe-helper.conf + - -exitWhenReady + volumeMounts: + - name: spiffe-workload-api + mountPath: /spiffe-workload-api + readOnly: true + - name: spire-oidc-config + mountPath: /etc/spiffe-helper.conf + subPath: spiffe-helper.conf + readOnly: true + - name: certdir + mountPath: /certs + containers: + - name: spiffe-oidc-discovery-provider + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: ghcr.io/spiffe/oidc-discovery-provider:1.9.6 + imagePullPolicy: IfNotPresent + args: + - -config + - /run/spire/oidc/config/oidc-discovery-provider.conf + ports: + - containerPort: 8008 + name: healthz + - containerPort: 8443 + name: https + volumeMounts: + - name: spiffe-workload-api + mountPath: /spiffe-workload-api + readOnly: true + - name: spire-oidc-sockets + mountPath: /run/spire/oidc-sockets + 
readOnly: false + - name: spire-oidc-config + mountPath: /run/spire/oidc/config/oidc-discovery-provider.conf + subPath: oidc-discovery-provider.conf + readOnly: true + - name: certdir + mountPath: /certs + readOnly: true + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + livenessProbe: + httpGet: + path: /live + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {} + - name: spiffe-helper + resources: + {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: ghcr.io/spiffe/spiffe-helper:nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6 + imagePullPolicy: IfNotPresent + args: + - -config + - /etc/spiffe-helper.conf + volumeMounts: + - name: spiffe-workload-api + mountPath: /spiffe-workload-api + readOnly: true + - name: spire-oidc-config + mountPath: /etc/spiffe-helper.conf + subPath: spiffe-helper.conf + readOnly: true + - name: certdir + mountPath: /certs + volumes: + - name: spiffe-workload-api + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: spire-oidc-sockets + emptyDir: {} + - name: spire-oidc-config + configMap: + name: spire-spiffe-oidc-discovery-provider + - name: nginx-tmp + emptyDir: {} + - name: certdir + emptyDir: {} +--- +# Source: spire/charts/spire-server/templates/server-resource.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: spire-server + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: server +spec: + replicas: 1 + serviceName: spire-server + selector: + matchLabels: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/component: server + template: + 
metadata: + annotations: + kubectl.kubernetes.io/default-container: spire-server + checksum/config: 83dddc7bb9f54b5059533228971826c0585045b7c4afb17635ede1e7ef6c1e35 + checksum/config2: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/config3: 9742ccbbd63b5da94e50bc34b73c946f254110b1f94fbc4ac437b3bba15cefe8 + checksum/configTornjak: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/component: server + component: server + release: spire + release-namespace: spire-server + spec: + serviceAccountName: spire-server + shareProcessNamespace: true + securityContext: + fsGroupChangePolicy: OnRootMismatch + + priorityClassName: system-cluster-critical + containers: + - name: spire-server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: ghcr.io/spiffe/spire-server:1.9.6 + imagePullPolicy: IfNotPresent + args: + - -expandEnv + - -config + - /run/spire/config/server.conf + env: + - name: PATH + value: "/opt/spire/bin:/bin" + ports: + - name: grpc + containerPort: 8081 + protocol: TCP + - containerPort: 8080 + name: healthz + - containerPort: 9988 + name: prom + livenessProbe: + httpGet: + path: /live + port: healthz + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {} + volumeMounts: + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: false + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-data + mountPath: /run/spire/data + readOnly: false + - name: server-tmp + mountPath: /tmp + readOnly: false + + - name: spire-controller-manager + securityContext: + allowPrivilegeEscalation: false 
+ capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: ghcr.io/spiffe/spire-controller-manager:0.5.0 + imagePullPolicy: IfNotPresent + args: + - --config=controller-manager-config.yaml + env: + - name: ENABLE_WEBHOOKS + value: "true" + ports: + - name: https + containerPort: 9443 + protocol: TCP + - containerPort: 8083 + name: healthz + - containerPort: 8082 + name: prom-cm + livenessProbe: + httpGet: + path: /healthz + port: healthz + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + {} + volumeMounts: + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: true + - name: controller-manager-config + mountPath: /controller-manager-config.yaml + subPath: controller-manager-config.yaml + readOnly: true + - name: spire-controller-manager-tmp + mountPath: /tmp + subPath: spire-controller-manager + readOnly: false + volumes: + - name: server-tmp + emptyDir: {} + - name: spire-config + configMap: + name: spire-server + - name: spire-server-socket + emptyDir: {} + - name: spire-controller-manager-tmp + emptyDir: {} + - name: controller-manager-config + configMap: + name: spire-controller-manager + volumeClaimTemplates: + - metadata: + name: spire-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +# Source: spire/charts/spiffe-csi-driver/templates/spiffe-csi-driver.yaml +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: "csi.spiffe.io" + labels: + security.openshift.io/csi-ephemeral-volume-profile: restricted + +spec: + # Only ephemeral, inline volumes are supported. There is no need for a + # controller to provision and attach volumes. + attachRequired: false + + # Request the pod information which the CSI driver uses to verify that an + # ephemeral mount was requested. 
+ podInfoOnMount: true + + # Don't change ownership on the contents of the mount since the Workload API + # Unix Domain Socket is typically open to all (i.e. 0777). + fsGroupPolicy: None + + # Declare support for ephemeral volumes only. + volumeLifecycleModes: + - Ephemeral +--- +# Source: spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: spire-server-spire-default +spec: + className: "spire-server-spire" + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - spire-server + - spire-system +--- +# Source: spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: spire-server-spire-oidc-discovery-provider +spec: + className: "spire-server-spire" + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + podSelector: + matchLabels: + component: oidc-discovery-provider + release: spire + release-namespace: spire-server + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - spire-server + - spire-system + dnsNameTemplates: + - oidc-discovery.{{ .TrustDomain }} + autoPopulateDNSNames: true +--- +# Source: spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: spire-server-spire-test-keys +spec: + className: "spire-server-spire" + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + podSelector: + matchLabels: + component: test-keys + release: spire + release-namespace: spire-server + namespaceSelector: + matchExpressions: + - key: 
kubernetes.io/metadata.name + operator: In + values: + - spire-server + - spire-system +--- +# Source: spire/charts/spiffe-csi-driver/templates/scc-spiffe-csi-driver.yaml +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: spire-spiffe-csi-driver +readOnlyRootFilesystem: true +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: + - system:serviceaccount:spire-system:spire-spiffe-csi-driver +volumes: + - configmap + - hostPath + - secret +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +fsGroup: + type: RunAsAny +groups: [] +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/scc-spire-oidc-discovery-provider.yaml +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: spire-spiffe-oidc-discovery-provider +readOnlyRootFilesystem: true +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: + - system:serviceaccount:spire-server:spire-spiffe-oidc-discovery-provider + - system:serviceaccount:spire-server:spire-spiffe-oidc-discovery-provider-pre-delete +volumes: + - configMap + - csi + - downwardAPI + - emptyDir + - ephemeral + - hostPath + - projected + - secret +allowHostDirVolumePlugin: true +allowHostIPC: true +allowHostNetwork: true +allowHostPID: true +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +fsGroup: + type: RunAsAny +groups: [] +seccompProfiles: + - '*' +--- +# Source: spire/charts/spire-agent/templates/scc-spire-agent.yaml +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: spire-agent +readOnlyRootFilesystem: true +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: + - 
system:serviceaccount:spire-system:spire-agent +volumes: + - configMap + - hostPath + - projected + - secret + - emptyDir +allowHostDirVolumePlugin: true +allowHostIPC: true +allowHostNetwork: true +allowHostPID: true +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +fsGroup: + type: RunAsAny +groups: [] +--- +# Source: spire/charts/spire-server/templates/controller-manager-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: spire-server-spire-controller-manager-webhook +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook + namespace: spire-server + path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain + failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks + name: vclusterfederatedtrustdomain.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterfederatedtrustdomains"] + sideEffects: None + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook + namespace: spire-server + path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid + failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks + name: vclusterspiffeid.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterspiffeids"] + sideEffects: None +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-spiffe-oidc-discovery-provider-pre-delete + namespace: spire-server + labels: + helm.sh/chart: spiffe-oidc-discovery-provider-0.1.0 + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + 
annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: spire/charts/spire-server/templates/post-install-hook.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server-post-install + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: spire/charts/spire-server/templates/post-upgrade-hook.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server-post-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: spire/charts/spire-server/templates/pre-upgrade-hook.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server-pre-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: spire/charts/spire-server/templates/post-install-hook.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-post-install + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["admissionregistration.k8s.io"] + 
resources: ["validatingwebhookconfigurations"] + resourceNames: ["spire-server-spire-controller-manager-webhook"] + verbs: ["get", "patch"] +--- +# Source: spire/charts/spire-server/templates/post-upgrade-hook.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-post-upgrade + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + resourceNames: ["spire-server-spire-controller-manager-webhook"] + verbs: ["get", "patch"] +--- +# Source: spire/charts/spire-server/templates/pre-upgrade-hook.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-pre-upgrade + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + resourceNames: ["spire-server-spire-controller-manager-webhook"] + verbs: ["get", "patch"] +--- +# Source: spire/charts/spire-server/templates/post-install-hook.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-post-install + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-server-post-install + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-post-install + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spire-server/templates/post-upgrade-hook.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-post-upgrade + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - 
kind: ServiceAccount + name: spire-server-post-upgrade + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-post-upgrade + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spire-server/templates/pre-upgrade-hook.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-pre-upgrade + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-server-pre-upgrade + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-pre-upgrade + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: spire-spiffe-oidc-discovery-provider-pre-delete + namespace: spire-server + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["apps"] + resources: ["deployments"] + resourceNames: ["spire-spiffe-oidc-discovery-provider"] + verbs: ["get", "delete"] +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-spiffe-oidc-discovery-provider-pre-delete + namespace: spire-server + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-spiffe-oidc-discovery-provider-pre-delete + namespace: spire-server +roleRef: + kind: Role + name: spire-spiffe-oidc-discovery-provider-pre-delete + apiGroup: rbac.authorization.k8s.io +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: 
"spire-spiffe-oidc-discovery-provider-test-connection" + namespace: spire-server + labels: + helm.sh/chart: spiffe-oidc-discovery-provider-0.1.0 + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": test +spec: + securityContext: + fsGroupChangePolicy: OnRootMismatch + containers: + - name: curl-service-name + image: cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + command: ['curl'] + args: ['-s', '-f', '-k', 'https://spire-spiffe-oidc-discovery-provider:443/.well-known/openid-configuration'] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + - name: curl-service-name-namespace + image: cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + command: ['curl'] + args: ['-s', '-f', '-k', 'https://spire-spiffe-oidc-discovery-provider.spire-server:443/.well-known/openid-configuration'] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + - name: curl-service-name-namespace-svc-cluster-local + image: cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + command: ['curl'] + args: ['-s', '-f', '-k', 'https://spire-spiffe-oidc-discovery-provider.spire-server.svc.cluster.local:443/.well-known/openid-configuration'] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + restartPolicy: Never +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml +apiVersion: v1 +kind: 
Pod +metadata: + name: "spire-spiffe-oidc-discovery-provider-test-keys" + namespace: spire-server + labels: + helm.sh/chart: spiffe-oidc-discovery-provider-0.1.0 + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + release: spire + release-namespace: spire-server + component: test-keys + annotations: + "helm.sh/hook": test +spec: + securityContext: + fsGroupChangePolicy: OnRootMismatch + serviceAccountName: spire-spiffe-oidc-discovery-provider + initContainers: + - name: static-busybox + image: busybox:1.36.1-uclibc + command: + - sh + - -c + - | + cp /bin/busybox /data/busybox + chmod +x /data/busybox + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: data-volume + mountPath: /data + - name: install-step + image: docker.io/smallstep/step-cli:0.26.1 + workingDir: /data + command: + - sh + - -c + - | + cp /usr/local/bin/step /data/step + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: data-volume + mountPath: /data + - name: gettoken + image: ghcr.io/spiffe/spire-agent:1.9.6 + command: + - /data/busybox + - sh + - -c + - | + while true; do + /opt/spire/bin/spire-agent api fetch jwt -audience foo -format json -socketPath /spire-agent/spire-agent.sock -timeout 5s > /data/token.svid + [ $? 
-eq 0 ] && break + sleep 1 + done + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: data-volume + mountPath: /data + - name: spire-api + mountPath: /spire-agent + readOnly: true + containers: + - name: verify-keys + image: cgr.dev/chainguard/min-toolkit-debug:latest@sha256:d94454739d8be0239cfe93453df79c88d25d38b7a97084d81a49e9403a90d07c + command: + - bash + workingDir: /data + env: + - name: TMPDIR + value: /data + args: + - -cx + - | + URL=https://spire-spiffe-oidc-discovery-provider.spire-server.svc.cluster.local:443 + + cat /data/token.svid + JWT=$(cat /data/token.svid | jq -r '.[] | select(.svids) | .svids[0].svid' | xargs) + KID=$(echo $JWT | base64 -d 2>/dev/null | jq -r '.kid') + # Retrieve public key from JWK set, match kid from JWT to locate the correct one + curl -k -s --fail-with-body "${URL}"/keys | jq '.keys[] | select(.kid == "'${KID}'")' > public.pem + # Verify JWT with public pem + echo $JWT | /data/step crypto jwt verify --key=public.pem --alg=RS256 --subtle + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /data + name: data-volume + restartPolicy: Never + volumes: + - csi: + driver: csi.spiffe.io + readOnly: true + name: spire-api + - name: data-volume + emptyDir: {} +--- +# Source: spire/charts/spire-server/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "spire-server-test-connection" + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: test + annotations: + "helm.sh/hook": test +spec: + securityContext: + 
fsGroupChangePolicy: OnRootMismatch + containers: + - name: curl + image: cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + command: ['bash'] + args: + - -c + - | + curl -f -s 'https://spire-server:443' + NOCA=$? + curl -k -f -s 'https://spire-server:443' + IGNORECA=$? + echo $NOCA $IGNORECA + if [ $NOCA -eq 60 -a $IGNORECA -eq 22 ]; then + # We were able to connect to the server but didn't recognize the ca (60) and the page not found (22) because we're not using grpc + exit 0 + fi + exit 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + restartPolicy: Never +--- +# Source: spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-spiffe-oidc-discovery-provider-pre-delete + namespace: spire-server + labels: + helm.sh/chart: spiffe-oidc-discovery-provider-0.1.0 + app.kubernetes.io/name: spiffe-oidc-discovery-provider + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-spiffe-oidc-discovery-provider-pre-delete + spec: + restartPolicy: Never + serviceAccountName: spire-spiffe-oidc-discovery-provider-pre-delete + securityContext: + fsGroupChangePolicy: OnRootMismatch + containers: + - name: pre-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: docker.io/rancher/kubectl:v1.28.0 + args: + - delete + - -n + - spire-server + - deployment + - spire-spiffe-oidc-discovery-provider + - --wait +--- +# Source: 
spire/charts/spire-server/templates/post-install-hook.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-server-post-install + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-server-post-install + spec: + restartPolicy: Never + serviceAccountName: spire-server-post-install + securityContext: + fsGroupChangePolicy: OnRootMismatch + containers: + - name: post-install-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: docker.io/rancher/kubectl:v1.28.0 + args: + - patch + - validatingwebhookconfiguration + - spire-server-spire-controller-manager-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"Fail" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"Fail" + } + ] + } +--- +# Source: spire/charts/spire-server/templates/post-upgrade-hook.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-server-post-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-server-post-upgrade + spec: + restartPolicy: Never + serviceAccountName: spire-server-post-upgrade + securityContext: + fsGroupChangePolicy: OnRootMismatch + containers: + - name: post-upgrade-job + 
securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: docker.io/rancher/kubectl:v1.28.0 + args: + - patch + - validatingwebhookconfiguration + - spire-server-spire-controller-manager-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"Fail" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"Fail" + } + ] + } +--- +# Source: spire/charts/spire-server/templates/pre-upgrade-hook.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-server-pre-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-server-0.1.0 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-server-pre-upgrade + spec: + restartPolicy: Never + serviceAccountName: spire-server-pre-upgrade + securityContext: + fsGroupChangePolicy: OnRootMismatch + containers: + - name: post-install-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: docker.io/rancher/kubectl:v1.28.0 + args: + - patch + - validatingwebhookconfiguration + - spire-server-spire-controller-manager-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"Ignore" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"Ignore" + } + ] + } diff --git a/helm-charts-playground/values-no-openshift.yaml b/helm-charts-playground/values-no-openshift.yaml new file mode 100644 index 00000000..ea6a0082 --- /dev/null 
+++ b/helm-charts-playground/values-no-openshift.yaml @@ -0,0 +1,15 @@ +global: + openshift: false + spire: + recommendations: + enabled: true + namespaces: + create: true + ingressControllerType: "" + # Update these + clusterName: vsecm-cluster + trustDomain: aegis.ist + caSubject: + country: US + organization: aegis.ist + commonName: aegist.ist diff --git a/helm-charts-playground/values.yaml b/helm-charts-playground/values.yaml new file mode 100644 index 00000000..4395d717 --- /dev/null +++ b/helm-charts-playground/values.yaml @@ -0,0 +1,15 @@ +global: + openshift: true + spire: + recommendations: + enabled: true + namespaces: + create: true + ingressControllerType: "" + # Update these + clusterName: vsecm-cluster + trustDomain: aegis.ist + caSubject: + country: US + organization: aegis.ist + commonName: aegist.ist diff --git a/k8s/0.26.0/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/helm-charts-playground/vsecm-manifests/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml similarity index 100% rename from k8s/0.26.0/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml rename to helm-charts-playground/vsecm-manifests/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml diff --git a/k8s/0.26.0/crds/spire.spiffe.io_clusterspiffeids.yaml b/helm-charts-playground/vsecm-manifests/crds/spire.spiffe.io_clusterspiffeids.yaml similarity index 100% rename from k8s/0.26.0/crds/spire.spiffe.io_clusterspiffeids.yaml rename to helm-charts-playground/vsecm-manifests/crds/spire.spiffe.io_clusterspiffeids.yaml diff --git a/k8s/0.26.0/crds/spire.spiffe.io_clusterstaticentries.yaml b/helm-charts-playground/vsecm-manifests/crds/spire.spiffe.io_clusterstaticentries.yaml similarity index 100% rename from k8s/0.26.0/crds/spire.spiffe.io_clusterstaticentries.yaml rename to helm-charts-playground/vsecm-manifests/crds/spire.spiffe.io_clusterstaticentries.yaml 
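Review bot: `commonName: aegist.ist` in values-no-openshift.yaml looks like a typo for `aegis.ist`, which is the value given for `trustDomain` and `organization` a few lines above; the identical line is repeated in values.yaml in the next hunk. If the CA subject is meant to match the trust domain, change both to `commonName: aegis.ist`. The `# Update these` comment would be more useful if it said what must be changed per deployment, e.g. `# Update these to match your cluster name and trust domain`.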
diff --git a/k8s/0.26.0/crds/spire.spiffe.io_controllermanagerconfigs.yaml b/helm-charts-playground/vsecm-manifests/crds/spire.spiffe.io_controllermanagerconfigs.yaml similarity index 100% rename from k8s/0.26.0/crds/spire.spiffe.io_controllermanagerconfigs.yaml rename to helm-charts-playground/vsecm-manifests/crds/spire.spiffe.io_controllermanagerconfigs.yaml diff --git a/helm-charts-playground/vsecm-manifests/spire/agent-clusterrole.yaml b/helm-charts-playground/vsecm-manifests/spire/agent-clusterrole.yaml new file mode 100644 index 00000000..86f23a67 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/agent-clusterrole.yaml @@ -0,0 +1,10 @@ +# Source: vsecm/charts/spire/templates/spire-agent-cluster-role.yaml +# Required cluster role to allow spire-agent to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role +rules: + - apiGroups: [""] + resources: ["pods","nodes","nodes/proxy"] + verbs: ["get"] \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/agent-clusterrolebinding.yaml b/helm-charts-playground/vsecm-manifests/spire/agent-clusterrolebinding.yaml new file mode 100644 index 00000000..49951ded --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/agent-clusterrolebinding.yaml @@ -0,0 +1,14 @@ +# Source: vsecm/charts/spire/templates/spire-agent-cluster-role-binding.yaml +# Binds above cluster role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role-binding +subjects: + - kind: ServiceAccount + name: spire-agent + namespace: spire-system +roleRef: + kind: ClusterRole + name: spire-agent-cluster-role + apiGroup: rbac.authorization.k8s.io \ No newline at end of file 
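Review bot: The `nodes/proxy` resource in spire-agent-cluster-role deserves a why-comment, because `get` on `nodes/proxy` lets the agent reach the kubelet API through the apiserver, which is broader than the "query k8s API server" wording in the header suggests; presumably it serves the `WorkloadAttestor "k8s"` configured in agent-configmap.yaml in the next hunk. Something like `# nodes/proxy: read-only kubelet API access via the apiserver, used by the k8s workload attestor to list pods on this node` would record why the grant exists. The binding in agent-clusterrolebinding.yaml on the same line is consistent with it.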
diff --git a/helm-charts-playground/vsecm-manifests/spire/agent-configmap.yaml b/helm-charts-playground/vsecm-manifests/spire/agent-configmap.yaml new file mode 100644 index 00000000..e5535d87 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/agent-configmap.yaml @@ -0,0 +1,46 @@ +# ConfigMap for the SPIRE agent featuring: +# 1) PSAT node attestation +# 2) K8S Workload Attestation over the secure kubelet port +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + namespace: spire-system +data: + agent.conf: | + agent { + data_dir = "/run/spire" + log_level = "DEBUG" + server_address = "spire-server.spire-server.svc.cluster.local" + server_port = "8081" + socket_path = "/run/spire/sockets/agent.sock" + trust_bundle_path = "/run/spire/bundle/bundle.crt" + trust_domain = "vsecm.com" + } + + health_checks { + bind_address = "0.0.0.0" + bind_port = "9982" + listener_enabled = true + live_path = "/live" + ready_path = "/ready" + } + + plugins { + NodeAttestor "k8s_psat" { + plugin_data { + cluster = "vsecm-cluster" + } + } + + KeyManager "memory" { + plugin_data { + } + } + + WorkloadAttestor "k8s" { + plugin_data { + skip_kubelet_verification = true + } + } + } \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/agent-daemonset.yaml b/helm-charts-playground/vsecm-manifests/spire/agent-daemonset.yaml new file mode 100644 index 00000000..bd994989 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/agent-daemonset.yaml 
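Review bot: `skip_kubelet_verification = true` in the `WorkloadAttestor "k8s"` block turns off verification of the kubelet's serving certificate, which contradicts the header comment promising "K8S Workload Attestation over the secure kubelet port"; either the comment should state that kubelet TLS verification is skipped, or the setting should go so the secure port is actually verified. `log_level = "DEBUG"` is also committed here and in server-configmap.yaml; outside a playground `INFO` is the usual choice. A one-line comment such as `# skip_kubelet_verification: the kubelet serving cert is not checked; acceptable only where kubelets lack a CA-signed cert` would make the trade-off explicit.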
@@ -0,0 +1,171 @@ +# Source: vsecm/charts/spire/templates/spire-agent-daemonset.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + namespace: spire-system + labels: + app: spire-agent + annotations: + helm.sh/hook: post-install + helm.sh/hook-delete-policy: hook-succeeded +spec: + selector: + matchLabels: + app: spire-agent + updateStrategy: + type: RollingUpdate + template: + metadata: + namespace: spire-system + labels: + app: spire-agent + spec: + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: spire-agent + priorityClassName: system-node-critical + containers: + - name: spire-agent + image: ghcr.io/spiffe/spire-agent:1.9.4 + imagePullPolicy: IfNotPresent + args: ["-config", "/run/spire/config/agent.conf"] + resources: + requests: + memory: 512Mi + cpu: 50m + + ports: + - containerPort: 9982 + name: healthz + livenessProbe: + httpGet: + path: /live + port: healthz + initialDelaySeconds: 15 + periodSeconds: 60 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 10 + periodSeconds: 30 + + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + readOnly: true + - name: spire-token + mountPath: /var/run/secrets/tokens + - name: spire-agent-socket-dir + mountPath: /run/spire/sockets + # This is the container which runs the SPIFFE CSI driver. 
+ - name: spiffe-csi-driver + image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6 + imagePullPolicy: IfNotPresent + args: [ + "-workload-api-socket-dir", "/spire-agent-socket", + "-csi-socket-path", "/spiffe-csi/csi.sock", + ] + resources: + requests: + memory: 128Mi + cpu: 50m + env: + # The CSI driver needs a unique node ID. The node name can be + # used for this purpose. + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + # The volume containing the SPIRE agent socket. The SPIFFE CSI + # driver will mount this directory into containers. + - mountPath: /spire-agent-socket + name: spire-agent-socket-dir + readOnly: true + # The volume that will contain the CSI driver socket shared + # with the kubelet and the driver registrar. + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The volume containing mount points for containers. + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + securityContext: + privileged: true + # This container runs the CSI Node Driver Registrar which takes care + # of all the little details required to register a CSI driver with + # the kubelet. 
+ - name: node-driver-registrar + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 + imagePullPolicy: IfNotPresent + args: [ + "-csi-address", "/spiffe-csi/csi.sock", + "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", + ] + volumeMounts: + # The registrar needs access to the SPIFFE CSI driver socket + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The registrar needs access to the Kubelet plugin registration + # directory + - name: kubelet-plugin-registration-dir + mountPath: /registration + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server + + # This volume is used to share the Workload API socket between the CSI + # driver and SPIRE agent. Note, an emptyDir volume could also be used, + # however, this can lead to broken bind mounts in the workload + # containers if the agent pod is restarted (since the emptyDir + # directory on the node that was mounted into workload containers by + # the CSI driver belongs to the old pod instance and is no longer + # valid). + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/sockets + type: DirectoryOrCreate + + # This volume is where the socket for kubelet->driver communication lives + - name: spiffe-csi-socket-dir + hostPath: + path: /var/lib/kubelet/plugins/csi.spiffe.io + type: DirectoryOrCreate + # This volume is where the SPIFFE CSI driver mounts volumes + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + # This volume is where the node-driver-registrar registers the plugin + # with kubelet + - name: kubelet-plugin-registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory \ No newline at end of file 
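Review bot: The agent image is pinned to `ghcr.io/spiffe/spire-agent:1.9.4` while the rendered test pods earlier in this diff use `ghcr.io/spiffe/spire-agent:1.9.6`; if both describe the same deployment the pins should agree. The pod runs with `hostPID: true`, `hostNetwork: true` and a `privileged: true` CSI driver container with no comment saying why, and the `spire-agent` container has no `securityContext` at all; a short why-comment per setting, e.g. `# privileged: required for Bidirectional mountPropagation into /var/lib/kubelet/pods`, lets a reviewer confirm each grant is intentional. The `helm.sh/hook` annotations are inert under `kubectl apply`, but should this file ever be applied through Helm the `hook-succeeded` delete policy would remove the DaemonSet right after creation, so either drop them or note that they are inherited from the chart.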
diff --git a/helm-charts-playground/vsecm-manifests/spire/bundle-configmap.yaml b/helm-charts-playground/vsecm-manifests/spire/bundle-configmap.yaml new file mode 100644 index 00000000..444f43d2 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/bundle-configmap.yaml @@ -0,0 +1,20 @@ +# Source: vsecm/charts/spire/templates/spire-server-bundle-config-map.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# ConfigMap containing the latest trust bundle for the trust domain. It is +# updated by SPIRE using the k8sbundle notifier plugin. SPIRE agents mount +# this config map and use the certificate to bootstrap trust with the SPIRE +# server during attestation. +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire-system \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/controllermanager-configmap.yaml b/helm-charts-playground/vsecm-manifests/spire/controllermanager-configmap.yaml new file mode 100644 index 00000000..96f3afaf --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/controllermanager-configmap.yaml 
@@ -0,0 +1,55 @@ +--- +# Source: vsecm/charts/spire/templates/spire-controller-manager-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-controller-manager-config + namespace: spire-server +data: + spire-controller-manager-config.yaml: | + apiVersion: spire.spiffe.io/v1alpha1 + kind: ControllerManagerConfig + metrics: + bindAddress: 127.0.0.1:8082 + health: + healthProbeBindAddress: 0.0.0.0:8083 + leaderElection: + leaderElect: true + resourceName: 98c9c988.spiffe.io + resourceNamespace: spire-server + clusterName: vsecm-cluster + trustDomain: vsecm.com + ignoreNamespaces: + - kube-system + - kube-public + - spire-system + - spire-server + - local-path-storage + # - do not ignore vsecm-system! + # - vsecm-system + - kube-node-lease + - kube-public + - kubernetes-dashboard + - openshift-cluster-node-tuning-operator + - openshift-cluster-samples-operator + - openshift-cluster-storage-operator + - openshift-console-operator + - openshift-console + - openshift-dns + - openshift-dns-operator + - openshift-image-registry + - openshift-ingress + - openshift-kube-storage-version-migrator + - openshift-kube-storage-version-migrator-operator + - openshift-kube-proxy + - openshift-marketplace + - openshift-monitoring + - openshift-multus + - openshift-network-diagnostics + - openshift-network-operator + - openshift-operator-lifecycle-manager + - openshift-roks-metrics + - openshift-service-ca-operator + - openshift-service-ca + - ibm-odf-validation-webhook + - ibm-system \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/controllermanager-webhook-service.yaml b/helm-charts-playground/vsecm-manifests/spire/controllermanager-webhook-service.yaml new file mode 100644 index 00000000..7d93d299 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/controllermanager-webhook-service.yaml 
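Review bot: `kube-public` appears twice in `ignoreNamespaces` (once near the top of the list, again right after `kube-node-lease`); the duplicate is harmless but suggests the list was merged by hand, so drop one entry. `trustDomain: vsecm.com` and `clusterName: vsecm-cluster` must agree with `trust_domain` and `cluster` in agent-configmap.yaml and server-configmap.yaml, and they differ from the `aegis.ist` trust domain in the new values files in this same diff; a comment `# must match trust_domain in server-configmap.yaml and agent-configmap.yaml` would help keep the three in sync.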
@@ -0,0 +1,14 @@ +# Source: vsecm/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml +# Service definition for SPIRE controller manager webhook +apiVersion: v1 +kind: Service +metadata: + name: spire-controller-manager-webhook-service + namespace: spire-server +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + app: spire-server \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/controllermanager-webhook.yaml b/helm-charts-playground/vsecm-manifests/spire/controllermanager-webhook.yaml new file mode 100644 index 00000000..2bd14d5e --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/controllermanager-webhook.yaml 
@@ -0,0 +1,48 @@ +# Source: vsecm/charts/spire/templates/spire-controller-manager-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: spire-controller-manager-webhook +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire-server + path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain + failurePolicy: Fail + name: vclusterfederatedtrustdomain.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterfederatedtrustdomains"] + sideEffects: None + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire-server + path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid + failurePolicy: Fail + name: vclusterspiffeid.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterspiffeids"] + sideEffects: None + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire-server + path: /validate-spire-spiffe-io-v1alpha1-clusterstaticentry + failurePolicy: Fail + name: clusterstaticentry.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterstaticentries"] + sideEffects: None \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/leader-election-role.yaml b/helm-charts-playground/vsecm-manifests/spire/leader-election-role.yaml new file mode 100644 index 00000000..5ad3a122 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/leader-election-role.yaml 
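Review bot: The third webhook is named `clusterstaticentry.kb.io` while the other two carry a `v` prefix (`vclusterfederatedtrustdomain.kb.io`, `vclusterspiffeid.kb.io`); the hook jobs earlier in this diff patch `failurePolicy` by exactly those prefixed names, so any tooling that follows the same pattern would skip this entry. Rename it to `vclusterstaticentry.kb.io` unless the unprefixed form is deliberate, in which case say so in a comment. No `caBundle` is set on any `clientConfig`; that is fine only if the controller manager injects it at runtime, which the `patch` verb on validatingwebhookconfigurations in manager-clusterrole.yaml suggests — a comment `# caBundle is injected by the controller manager at runtime` would remove the doubt.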
@@ -0,0 +1,17 @@ +# Source: vsecm/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: leader-election-role + namespace: spire-server +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/leader-election-rolebinding.yaml b/helm-charts-playground/vsecm-manifests/spire/leader-election-rolebinding.yaml new file mode 100644 index 00000000..6597bdcf --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/leader-election-rolebinding.yaml @@ -0,0 +1,14 @@ +# Source: vsecm/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: leader-election-rolebinding + namespace: spire-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire-server \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/manager-clusterrole.yaml b/helm-charts-playground/vsecm-manifests/spire/manager-clusterrole.yaml new file mode 100644 index 00000000..7c89a21e --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/manager-clusterrole.yaml 
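Review bot: The `configmaps` rule in leader-election-role grants `create`, `update`, `patch` and `delete` on every ConfigMap in `spire-server`, which includes `spire-server` and `spire-controller-manager-config`, and the Role already grants the same verbs on `leases`. If leader election uses the Lease lock (the manager config names a `resourceName` under `leaderElection`, which is the same for both lock types, so this cannot be confirmed from the diff), the ConfigMap rule is unnecessary and should be dropped or narrowed with `resourceNames`. A comment such as `# configmaps: legacy leader-election lock; remove once leases are confirmed as the lock resource` would record the decision either way.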
@@ -0,0 +1,48 @@ +# Source: vsecm/charts/spire/templates/crd-rbac/hook-preinstall_role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: + - apiGroups: [ "" ] + resources: [ "endpoints" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/status"] + verbs: ["get", "patch", "update"] \ No newline at end of file 
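Review bot: The cluster-scoped names `manager-role` here and `manager-rolebinding` in manager-clusterrolebinding.yaml on the next line are unprefixed kubebuilder defaults; a second operator scaffolded the same way would overwrite these objects on `kubectl apply` and silently change what the `spire-server` service account is allowed to do. Prefix them, e.g. `name: spire-controller-manager-role`, and update the binding's `roleRef.name` to match. Style: the first rule writes `[ "" ]` and `[ "endpoints" ]` with inner spaces while every other rule uses `[""]`; normalise to one form.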
diff --git a/helm-charts-playground/vsecm-manifests/spire/manager-clusterrolebinding.yaml b/helm-charts-playground/vsecm-manifests/spire/manager-clusterrolebinding.yaml new file mode 100644 index 00000000..d9bb5329 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/manager-clusterrolebinding.yaml @@ -0,0 +1,13 @@ +# Source: vsecm/charts/spire/templates/crd-rbac/role_binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire-server \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/namespace.yaml b/helm-charts-playground/vsecm-manifests/spire/namespace.yaml new file mode 100644 index 00000000..268ff2d2 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/namespace.yaml @@ -0,0 +1,12 @@ +--- +# Source: vsecm/charts/spire/templates/hook-preinstall_spire-namespace.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: spire-system +--- +# Source: vsecm/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: spire-server \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/server-bundle-endpoint.yaml b/helm-charts-playground/vsecm-manifests/spire/server-bundle-endpoint.yaml new file mode 100644 index 00000000..ae2ac2ec --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/server-bundle-endpoint.yaml 
@@ -0,0 +1,25 @@ +# Source: vsecm/charts/spire/templates/spire-server-bundle-endpoint.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Service definition for SPIRE server bundle endpoint +apiVersion: v1 +kind: Service +metadata: + name: spire-server-bundle-endpoint + namespace: spire-server +spec: + type: ClusterIP + ports: + - name: api + port: 8443 + protocol: TCP + selector: + app: spire-server \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/server-clusterrole.yaml b/helm-charts-playground/vsecm-manifests/spire/server-clusterrole.yaml new file mode 100644 index 00000000..09e65592 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/server-clusterrole.yaml @@ -0,0 +1,15 @@ +# Source: vsecm/charts/spire/templates/spire-server-cluster-role.yaml +# Required cluster role to allow spire-server to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + # allow TokenReview requests (to verify service account tokens for PSAT + # attestation) + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["get", "create"] \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/server-clusterrolebinding.yaml b/helm-charts-playground/vsecm-manifests/spire/server-clusterrolebinding.yaml new file mode 100644 index 00000000..7be24900 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/server-clusterrolebinding.yaml 
@@ -0,0 +1,15 @@ +# Source: vsecm/charts/spire/templates/spire-server-cluster-role-binding.yaml +# Binds above cluster role to spire-server service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role-binding + namespace: spire-server +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-cluster-role + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/server-configmap.yaml b/helm-charts-playground/vsecm-manifests/spire/server-configmap.yaml new file mode 100644 index 00000000..7f4bfb74 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/server-configmap.yaml 
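Review bot: `namespace: spire-server` under `metadata` of spire-server-cluster-role-binding has no effect on a cluster-scoped ClusterRoleBinding and is discarded by the API server; the agent binding in agent-clusterrolebinding.yaml earlier in this diff correctly omits it. Remove the `namespace:` line so the manifest does not suggest the binding is namespaced; the `subjects[].namespace` entry is the one that matters and is correct as written.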
@@ -0,0 +1,71 @@ +# Source: vsecm/charts/spire/templates/spire-server-config-map.yaml +# ConfigMap containing the SPIRE server configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + namespace: spire-server +data: + server.conf: | + server { + bind_address = "0.0.0.0" + bind_port = "8081" + trust_domain = "vsecm.com" + data_dir = "/run/spire/server/data" + log_level = "DEBUG" + federation { + bundle_endpoint { + address = "0.0.0.0" + port = 8443 + } + } + + } + + health_checks { + bind_address = "0.0.0.0" + bind_port = "8080" + listener_enabled = true + live_path = "/live" + ready_path = "/ready" + } + + plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "/run/spire/server/data/datastore.sqlite3" + } + } + + NodeAttestor "k8s_psat" { + plugin_data { + clusters = { + "vsecm-cluster" = { + service_account_allow_list = ["spire-system:spire-agent"] + } + } + } + } + + KeyManager "disk" { + plugin_data { + keys_path = "/run/spire/server/data/keys.json" + } + } + + Notifier "k8sbundle" { + plugin_data { + config_map = "spire-bundle" + namespace = "spire-system" + } + } + } + + health_checks { + listener_enabled = true + bind_address = "0.0.0.0" + bind_port = "8080" + live_path = "/live" + ready_path = "/ready" + } \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/server-role.yaml b/helm-charts-playground/vsecm-manifests/spire/server-role.yaml new file mode 100644 index 00000000..9c42a250 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/server-role.yaml 
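Review bot: The `health_checks` block appears twice in server.conf (once directly after `server { }` and again at the end) with the same values; the repetition invites the two copies drifting apart, so delete the trailing one. `KeyManager "disk"` writes the CA signing keys to `/run/spire/server/data/keys.json`; which volume backs that path is not visible here, but a comment `# disk KeyManager: signing keys are stored unencrypted under data_dir; back it with a persistent, access-restricted volume` would make the operational requirement explicit. `log_level = "DEBUG"` is committed here as it is in agent-configmap.yaml.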
@@ -0,0 +1,18 @@
+# Source: vsecm/charts/spire/templates/spire-server-role.yaml
+# Role for the SPIRE server
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: spire-server-role
+ namespace: spire-system
+rules:
+ # allow "get" access to pods (to resolve selectors for PSAT attestation)
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
+ # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE
+ # agent bootstrapping, see the spire-bundle ConfigMap below)
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["spire-bundle"]
+ verbs: ["get", "patch"]
\ No newline at end of file
diff --git a/helm-charts-playground/vsecm-manifests/spire/server-rolebinding.yaml b/helm-charts-playground/vsecm-manifests/spire/server-rolebinding.yaml
new file mode 100644
index 00000000..32619ba8
--- /dev/null
+++ b/helm-charts-playground/vsecm-manifests/spire/server-rolebinding.yaml
@@ -0,0 +1,16 @@
+# Source: vsecm/charts/spire/templates/spire-server-role-binding.yaml
+# RoleBinding granting the spire-server-role to the SPIRE server
+# service account.
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: spire-server-role-binding
+ namespace: spire-system
+subjects:
+ - kind: ServiceAccount
+ name: spire-server
+ namespace: spire-server
+roleRef:
+ kind: Role
+ name: spire-server-role
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/helm-charts-playground/vsecm-manifests/spire/serviceaccount.yaml b/helm-charts-playground/vsecm-manifests/spire/serviceaccount.yaml
new file mode 100644
index 00000000..1fd9965b
--- /dev/null
+++ b/helm-charts-playground/vsecm-manifests/spire/serviceaccount.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: spire-system
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: spire-server
\ No newline at end of file
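Review bot: `serviceaccount.yaml` contains two `Namespace` objects and no ServiceAccount, yet the `spire-server` ServiceAccount that the RoleBinding and ClusterRoleBinding in this change bind to, and that the StatefulSet runs as, is defined nowhere in the manifests visible here; if it is not created elsewhere, the ServiceAccount admission plugin will reject the server pods until it exists. Rename the file to `namespaces.yaml` and add the ServiceAccount, as below. The two Namespaces also carry none of the `pod-security.kubernetes.io/*` labels that the chart templates gain in this same commit, so the playground manifests and the chart they were rendered from now differ in admission behaviour; whichever posture is intended, apply it in both places.
```yaml
# … unchanged: the two Namespace objects …
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spire-server
  namespace: spire-server
```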
diff --git a/helm-charts-playground/vsecm-manifests/spire/spiffe-csi-driver.yaml b/helm-charts-playground/vsecm-manifests/spire/spiffe-csi-driver.yaml new file mode 100644 index 00000000..b324459b --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/spiffe-csi-driver.yaml @@ -0,0 +1,35 @@ +# Source: vsecm/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: "csi.spiffe.io" + annotations: + "helm.sh/hook": pre-install +spec: + # We only support ephemeral, inline volumes. We don't need a controller to + # provision and attach volumes. + attachRequired: false + + # We want the pod information so that the CSI driver can verify that an + # ephemeral mount was requested. + podInfoOnMount: true + + # We don't want (or need) K8s to change ownership on the contents of the mount + # when it is mounted into the pod, since the Workload API is completely open + # (i.e. 0777). + # Note, this was added in Kubernetes 1.19, so omit + fsGroupPolicy: None + + # We only support ephemeral volumes. Note that this requires Kubernetes 1.16 + volumeLifecycleModes: # added in Kubernetes 1.16, this field is beta + - Ephemeral \ No newline at end of file diff --git a/helm-charts-playground/vsecm-manifests/spire/spire-server-service.yaml b/helm-charts-playground/vsecm-manifests/spire/spire-server-service.yaml new file mode 100644 index 00000000..f9b1e8c7 --- /dev/null +++ b/helm-charts-playground/vsecm-manifests/spire/spire-server-service.yaml 
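Review bot: The comment `# Note, this was added in Kubernetes 1.19, so omit` above `fsGroupPolicy: None` stops mid-sentence and, read literally, tells the reader to omit the very field that follows; finish it as `# Note: fsGroupPolicy was added in Kubernetes 1.19; omit it on older clusters.` The `"helm.sh/hook": pre-install` annotation is also carried over from the chart template into a plain manifest where nothing consumes it; it is harmless, but it implies an ordering guarantee that `kubectl apply` does not provide, so either drop it or add a comment saying it is inert here.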
@@ -0,0 +1,16 @@
+# Source: vsecm/charts/spire/templates/spire-server-service.yaml
+# ServiceAccount used by the SPIRE server.
+apiVersion: v1
+kind: Service
+metadata:
+ name: spire-server
+ namespace: spire-server
+spec:
+ type: ClusterIP
+ ports:
+ - name: api
+ port: 8081
+ targetPort: 8081
+ protocol: TCP
+ selector:
+ app: spire-server
\ No newline at end of file
diff --git a/helm-charts-playground/vsecm-manifests/spire/spire-server-statefulset.yaml b/helm-charts-playground/vsecm-manifests/spire/spire-server-statefulset.yaml
new file mode 100644
index 00000000..a38ba2ce
--- /dev/null
+++ b/helm-charts-playground/vsecm-manifests/spire/spire-server-statefulset.yaml
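Review bot: The header comment `# ServiceAccount used by the SPIRE server.` describes the wrong object; this file is the ClusterIP `Service` for the server API. Replace it with `# ClusterIP Service exposing the SPIRE server API (port 8081) to agents.` Only 8081 is published here, so the federation bundle endpoint that the server config opens on 8443 is not reachable through this Service; that is fine while federation is unused, but if it is ever enabled a second port entry is needed and the omission is worth a one-line comment now.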
@@ -0,0 +1,96 @@
+# Source: vsecm/charts/spire/templates/spire-server-stateful-set.yaml
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: spire-server
+ namespace: spire-server
+ labels:
+ app: spire-server
+ app.kubernetes.io/component: server
+spec:
+ serviceName: spire-server
+ replicas: 1
+ selector:
+ matchLabels:
+ app: spire-server
+ template:
+ metadata:
+ namespace: spire-server
+ labels:
+ app: spire-server
+ spec:
+ serviceAccountName: spire-server
+ shareProcessNamespace: true
+
+ priorityClassName: system-cluster-critical
+
+ containers:
+ - name: spire-server
+ image: ghcr.io/spiffe/spire-server:1.9.4
+ imagePullPolicy: IfNotPresent
+ args: ["-config", "/run/spire/server/config/server.conf"]
+ resources:
+ requests:
+ memory: 512Mi
+ cpu: 50m
+ ports:
+ - containerPort: 8081
+ protocol: TCP
+ - containerPort: 8080
+ name: healthz
+
+ livenessProbe:
+ httpGet:
+ path: /live
+ port: healthz
+ failureThreshold: 2
+ initialDelaySeconds: 15
+ periodSeconds: 60
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: healthz
+ initialDelaySeconds: 5
+ periodSeconds: 5
+
+ volumeMounts:
+ - name: spire-config
+ mountPath: /run/spire/server/config
+ readOnly: true
+ - name: spire-server-socket
+ mountPath: /tmp/spire-server/private
+ - name: spire-controller-manager
+ image: ghcr.io/spiffe/spire-controller-manager:0.5.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9443
+ - containerPort: 8083
+ name: healthz
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: healthz
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: healthz
+
+ args:
+ - "--config=spire-controller-manager-config.yaml"
+ volumeMounts:
+ - name: spire-server-socket
+ mountPath: /spire-server
+ readOnly: true
+ - name: spire-controller-manager-config
+ mountPath: /spire-controller-manager-config.yaml
+ subPath: spire-controller-manager-config.yaml
+ volumes:
+ - name: spire-config
+ configMap:
+ name: spire-server
+ - name: spire-server-socket
+ 
emptyDir: {} + - name: spire-controller-manager-config + configMap: + name: spire-controller-manager-config \ No newline at end of file diff --git a/helm-charts/0.26.1/README.md b/helm-charts/0.26.1/README.md index f9bd643c..b1eba355 100644 --- a/helm-charts/0.26.1/README.md +++ b/helm-charts/0.26.1/README.md @@ -5,7 +5,7 @@ that your sensitive data is always secure and protected. VSecM is perfect for securely storing arbitrary configuration information at a central location and securely dispatching it to workloads. -![Version: 0.26.0](https://img.shields.io/badge/Version-0.26.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.26.0](https://img.shields.io/badge/AppVersion-0.26.0-informational?style=flat-square) +![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.26.1](https://img.shields.io/badge/AppVersion-0.26.1-informational?style=flat-square) [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/vsecm)](https://artifacthub.io/packages/helm/vsecm/vsecm) @@ -97,10 +97,10 @@ The sections below are autogenerated from chart source code: | Repository | Name | Version | |------------|------|---------| -| file://charts/keystone | keystone | 0.26.0 | -| file://charts/safe | safe | 0.26.0 | -| file://charts/sentinel | sentinel | 0.26.0 | -| file://charts/spire | spire | 0.26.0 | +| file://charts/keystone | keystone | 0.26.1 | +| file://charts/safe | safe | 0.26.1 | +| file://charts/sentinel | sentinel | 0.26.1 | +| file://charts/spire | spire | 0.26.1 | ## Values 
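Review bot: Nothing is mounted at `/run/spire/server/data`, which the server ConfigMap in this change uses as `data_dir`, for the sqlite datastore and for the disk KeyManager's `keys.json`; the CA signing keys and every registration entry therefore live on the container's writable layer and vanish whenever the pod is rescheduled, after which the server mints a new CA and every agent and workload has to re-attest. A StatefulSet with `replicas: 1` and no `volumeClaimTemplates` delivers none of the persistence the kind implies, so add a claim template and mount it at the data directory, as below. Neither container sets a `securityContext`; once the data directory is on a volume, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` are straightforward, and `runAsNonRoot` can follow once it is confirmed that the `1.9.4` and `0.5.0` images run as a non-root user. `shareProcessNamespace: true` is also unexplained; drop it unless the controller manager needs it, and document the reason if it does.
```yaml
# … unchanged: containers[spire-server] image, args, probes …
        volumeMounts:
          - name: spire-config
            mountPath: /run/spire/server/config
            readOnly: true
          - name: spire-data
            mountPath: /run/spire/server/data
          - name: spire-server-socket
            mountPath: /tmp/spire-server/private
# … unchanged: spire-controller-manager container, volumes …
  volumeClaimTemplates:
    - metadata:
        name: spire-data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi   # constructed example size; set per environment
```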
@@ -111,7 +111,7 @@ The sections below are autogenerated from chart source code: | global.deploySentinel | bool | `true` | Deploy VSecM Sentinel. VSecM Sentinel is the only admin interface where you can register secrets. For best security, you might want to disable the initial deployment of it. This way, you can deploy VSecM Sentinel off-cycle later when you need it. | | global.deploySpire | bool | `true` | Deploy SPIRE components. If set to false, SPIRE components will not be deployed. This is useful when SPIRE is already deployed in the cluster. | | global.deploySpireControllerManager | bool | `true` | Deploy SPIRE Controller Manager. SPIRE Controller Manager is required for ClusterSPIFFEIDs to function. If something else on your system assigns ClusterSPIFFEIDs to your workloads, or if you want to manually manage your SPIRE Server registration entries, you can set this flag to `false`. | -| global.images | object | `{"initContainer":{"repository":"vsecm-ist-init-container","tag":"0.26.0"},"keystone":{"distrolessFipsRepository":"vsecm-ist-fips-keystone","distrolessRepository":"vsecm-ist-keystone","pullPolicy":"IfNotPresent","tag":"0.26.0"},"nodeDriverRegistrar":{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"},"safe":{"distrolessFipsRepository":"vsecm-ist-fips-safe","distrolessRepository":"vsecm-ist-safe","pullPolicy":"IfNotPresent","tag":"0.26.0"},"sentinel":{"distrolessFipsRepository":"vsecm-ist-fips-sentinel","distrolessRepository":"vsecm-ist-sentinel","pullPolicy":"IfNotPresent","tag":"0.26.0"},"spiffeCsiDriver":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"},"spireAgent":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.4"},"spireControllerManager":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"},"spireServer":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire
-server","tag":"1.9.4"}}` | Where to find the dependent images of VSecM. Normally, you would not need to modify this. | +| global.images | object | `{"initContainer":{"repository":"vsecm-ist-init-container","tag":"0.26.1"},"keystone":{"distrolessFipsRepository":"vsecm-ist-fips-keystone","distrolessRepository":"vsecm-ist-keystone","pullPolicy":"IfNotPresent","tag":"0.26.1"},"nodeDriverRegistrar":{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"},"safe":{"distrolessFipsRepository":"vsecm-ist-fips-safe","distrolessRepository":"vsecm-ist-safe","pullPolicy":"IfNotPresent","tag":"0.26.1"},"sentinel":{"distrolessFipsRepository":"vsecm-ist-fips-sentinel","distrolessRepository":"vsecm-ist-sentinel","pullPolicy":"IfNotPresent","tag":"0.26.1"},"spiffeCsiDriver":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"},"spireAgent":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.4"},"spireControllerManager":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"},"spireServer":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.4"}}` | Where to find the dependent images of VSecM. Normally, you would not need to modify this. | | global.images.nodeDriverRegistrar | object | `{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"}` | Container registry details of SPIFFE CSI Node Driver Registrar. | | global.images.spiffeCsiDriver | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"}` | Container registry details of SPIFFE CSI Driver. | | global.images.spireAgent | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.4"}` | Container registry details of SPIRE Agent. | 
diff --git a/helm-charts/0.26.1/charts/keystone/Chart.yaml b/helm-charts/0.26.1/charts/keystone/Chart.yaml index 17b01179..b8b03a2d 100644 --- a/helm-charts/0.26.1/charts/keystone/Chart.yaml +++ b/helm-charts/0.26.1/charts/keystone/Chart.yaml @@ -25,10 +25,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.26.0 +version: 0.26.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.26.0" +appVersion: "0.26.1" diff --git a/helm-charts/0.26.1/charts/keystone/README.md b/helm-charts/0.26.1/charts/keystone/README.md index 4894ff2f..7d87d537 100644 --- a/helm-charts/0.26.1/charts/keystone/README.md +++ b/helm-charts/0.26.1/charts/keystone/README.md @@ -1,6 +1,6 @@ # keystone -![Version: 0.26.0](https://img.shields.io/badge/Version-0.26.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.26.0](https://img.shields.io/badge/AppVersion-0.26.0-informational?style=flat-square) +![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.26.1](https://img.shields.io/badge/AppVersion-0.26.1-informational?style=flat-square) Helm chart for keystone diff --git a/helm-charts/0.26.1/charts/safe/README.md b/helm-charts/0.26.1/charts/safe/README.md index 3fa46006..107a5139 100644 --- a/helm-charts/0.26.1/charts/safe/README.md 
+++ b/helm-charts/0.26.1/charts/safe/README.md @@ -1,6 +1,6 @@ # safe -![Version: 0.26.0](https://img.shields.io/badge/Version-0.26.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.26.0](https://img.shields.io/badge/AppVersion-0.26.0-informational?style=flat-square) +![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.26.1](https://img.shields.io/badge/AppVersion-0.26.1-informational?style=flat-square) Helm chart for VMware Secrets Manager (VSecM) Safe diff --git a/helm-charts/0.26.1/charts/sentinel/README.md b/helm-charts/0.26.1/charts/sentinel/README.md index 4241b556..f4943d14 100644 --- a/helm-charts/0.26.1/charts/sentinel/README.md +++ b/helm-charts/0.26.1/charts/sentinel/README.md @@ -1,6 +1,6 @@ # sentinel -![Version: 0.26.0](https://img.shields.io/badge/Version-0.26.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.26.0](https://img.shields.io/badge/AppVersion-0.26.0-informational?style=flat-square) +![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.26.1](https://img.shields.io/badge/AppVersion-0.26.1-informational?style=flat-square) Helm chart for sentinel diff --git a/helm-charts/0.26.1/charts/spire/README.md b/helm-charts/0.26.1/charts/spire/README.md index fb88ec0d..a8f814f7 100644 --- a/helm-charts/0.26.1/charts/spire/README.md +++ b/helm-charts/0.26.1/charts/spire/README.md 
@@ -1,6 +1,6 @@ # spire -![Version: 0.26.0](https://img.shields.io/badge/Version-0.26.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.26.0](https://img.shields.io/badge/AppVersion-0.26.0-informational?style=flat-square) +![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.26.1](https://img.shields.io/badge/AppVersion-0.26.1-informational?style=flat-square) Helm chart for spire diff --git a/helm-charts/0.26.1/charts/spire/templates/hook-preinstall_spire-namespace.yaml b/helm-charts/0.26.1/charts/spire/templates/hook-preinstall_spire-namespace.yaml index 10d2824a..0eabbc7c 100644 --- a/helm-charts/0.26.1/charts/spire/templates/hook-preinstall_spire-namespace.yaml +++ b/helm-charts/0.26.1/charts/spire/templates/hook-preinstall_spire-namespace.yaml @@ -12,3 +12,7 @@ apiVersion: v1 kind: Namespace metadata: name: {{ .Values.global.spire.namespace }} + labels: + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged diff --git a/helm-charts/0.26.1/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml b/helm-charts/0.26.1/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml index 4722f91f..35849055 100644 --- a/helm-charts/0.26.1/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml +++ b/helm-charts/0.26.1/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml @@ -12,3 +12,7 @@ apiVersion: v1 kind: Namespace metadata: name: {{ .Values.global.spire.serverNamespace }} + labels: + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged 
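Review bot: Setting `pod-security.kubernetes.io/enforce: privileged` on the namespace switches Pod Security Admission off for every pod created in it, and the next hunk applies the same three labels to the server namespace. For the agent namespace that may be unavoidable if the agent or the CSI driver needs `hostPath` mounts, which is not visible here; the server namespace, however, hosts only the server StatefulSet, which in the rendered manifests in this change uses `configMap` and `emptyDir` volumes and no host namespaces, so it should run under at least `baseline`. Suggest `pod-security.kubernetes.io/enforce: baseline` for the server namespace and, on both namespaces, `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted`, so that drift away from the intended posture is reported rather than silently permitted; a one-line comment on each file saying why that level was chosen would spare the next reader the same question.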
diff --git a/helm-charts/0.26.1/values-custom.yaml b/helm-charts/0.26.1/values-custom.yaml index 1b164505..4e1fda06 100644 --- a/helm-charts/0.26.1/values-custom.yaml +++ b/helm-charts/0.26.1/values-custom.yaml @@ -48,21 +48,21 @@ global: keystone: distrolessRepository: vsecm-ist-keystone distrolessFipsRepository: vsecm-ist-fips-keystone - tag: 0.26.0 + tag: 0.26.1 pullPolicy: IfNotPresent safe: distrolessRepository: vsecm-ist-safe distrolessFipsRepository: vsecm-ist-fips-safe - tag: 0.26.0 + tag: 0.26.1 pullPolicy: IfNotPresent sentinel: distrolessRepository: vsecm-ist-sentinel distrolessFipsRepository: vsecm-ist-fips-sentinel - tag: 0.26.0 + tag: 0.26.1 pullPolicy: IfNotPresent initContainer: repository: vsecm-ist-init-container - tag: 0.26.0 + tag: 0.26.1 spireAgent: repository: ghcr.io/spiffe/spire-agent tag: 1.9.4 diff --git a/helm-charts/0.26.1/values.yaml b/helm-charts/0.26.1/values.yaml index df1e11ad..6461ee40 100644 --- a/helm-charts/0.26.1/values.yaml +++ b/helm-charts/0.26.1/values.yaml @@ -47,24 +47,24 @@ global: keystone: distrolessRepository: vsecm-ist-keystone distrolessFipsRepository: vsecm-ist-fips-keystone - tag: 0.26.0 + tag: 0.26.1 pullPolicy: IfNotPresent # - Container registry details for VSecM Safe. safe: distrolessRepository: vsecm-ist-safe distrolessFipsRepository: vsecm-ist-fips-safe - tag: 0.26.0 + tag: 0.26.1 pullPolicy: IfNotPresent # - Container registry details for VSecM Sentinel. sentinel: distrolessRepository: vsecm-ist-sentinel distrolessFipsRepository: vsecm-ist-fips-sentinel - tag: 0.26.0 + tag: 0.26.1 pullPolicy: IfNotPresent # - Container registry details of VSecM Init Container. initContainer: repository: vsecm-ist-init-container - tag: 0.26.0 + tag: 0.26.1 # -- Container registry details of SPIRE Agent. spireAgent: diff --git a/k8s/0.26.1/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/k8s/0.26.1/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml new file mode 100644 index 00000000..e547e8a9 --- /dev/null 
+++ b/k8s/0.26.1/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml 
@@ -0,0 +1,99 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: clusterfederatedtrustdomains.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterFederatedTrustDomain + listKind: ClusterFederatedTrustDomainList + plural: clusterfederatedtrustdomains + singular: clusterfederatedtrustdomain + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trustDomain + name: Trust Domain + type: string + - jsonPath: .spec.bundleEndpointURL + name: Endpoint URL + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterFederatedTrustDomainSpec defines the desired state + of ClusterFederatedTrustDomain + properties: + bundleEndpointProfile: + description: BundleEndpointProfile is the profile for the bundle endpoint. + properties: + endpointSPIFFEID: + description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. + It is required for the "https_spiffe" profile. + type: string + type: + description: Type is the type of the bundle endpoint profile. + enum: + - https_spiffe + - https_web + type: string + required: + - type + type: object + bundleEndpointURL: + description: BundleEndpointURL is the URL of the bundle endpoint. + It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). + type: string + trustDomain: + description: TrustDomain is the name of the trust domain to federate + with (e.g. example.org) + pattern: '[a-z0-9._-]{1,255}' + type: string + trustDomainBundle: + description: TrustDomainBundle is the contents of the bundle for the + referenced trust domain. This field is optional when the resource + is created. + type: string + required: + - bundleEndpointProfile + - bundleEndpointURL + - trustDomain + type: object + status: + description: ClusterFederatedTrustDomainStatus defines the observed state + of ClusterFederatedTrustDomain + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/k8s/0.26.1/crds/spire.spiffe.io_clusterspiffeids.yaml b/k8s/0.26.1/crds/spire.spiffe.io_clusterspiffeids.yaml new file mode 100644 index 00000000..b02ef2e7 --- /dev/null +++ b/k8s/0.26.1/crds/spire.spiffe.io_clusterspiffeids.yaml 
@@ -0,0 +1,234 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: clusterspiffeids.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterSPIFFEID + listKind: ClusterSPIFFEIDList + plural: clusterspiffeids + singular: clusterspiffeid + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSPIFFEID is the Schema for the clusterspiffeids API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID + properties: + admin: + description: Admin indicates whether or not the SVID can be used to + access the SPIRE administrative APIs. Extra care should be taken + to only apply this SPIFFE ID to admin workloads. 
+ type: boolean + dnsNameTemplates: + description: DNSNameTemplate represents templates for extra DNS names + that are applicable to SVIDs minted for this ClusterSPIFFEID. The + node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + downstream: + description: Downstream indicates that the entry describes a downstream + SPIRE server. + type: boolean + federatesWith: + description: FederatesWith is a list of trust domain names that workloads + that obtain this SPIFFE ID will federate with. + items: + type: string + type: array + jwtTtl: + description: JWTTTL indicates an upper-bound time-to-live for JWT + SVIDs minted for this ClusterSPIFFEID. + type: string + namespaceSelector: + description: NamespaceSelector selects the namespaces that are targeted + by this CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: PodSelector selects the pods that are targeted by this + CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + spiffeIDTemplate: + description: SPIFFEID is the SPIFFE ID template. The node and pod + spec are made available to the template under .NodeSpec, .PodSpec + respectively. + type: string + ttl: + description: TTL indicates an upper-bound time-to-live for X509 SVIDs + minted for this ClusterSPIFFEID. 
If unset, a default will be chosen. + type: string + workloadSelectorTemplates: + description: WorkloadSelectorTemplates are templates to produce arbitrary + workload selectors that apply to a given workload before it will + receive this SPIFFE ID. The rendered value is interpreted by SPIRE + and are of the form type:value, where the value may, and often does, + contain semicolons, .e.g., k8s:container-image:docker/hello-world + The node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + required: + - spiffeIDTemplate + type: object + status: + description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID + properties: + stats: + description: Stats produced by the last entry reconciliation run + properties: + entriesMasked: + description: How many entries were masked by entries for other + ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs + produce an entry for the same pod with the same set of workload + selectors. + type: integer + entriesToSet: + description: How many entries are to be set for this ClusterSPIFFEID. + In nominal conditions, this should reflect the number of pods + selected, but not always if there were problems encountered + rendering an entry for the pod (RenderFailures) or entries are + masked (EntriesMasked). + type: integer + entryFailures: + description: How many entries were unable to be set due to failures + to create or update the entries via the SPIRE Server API. + type: integer + namespacesIgnored: + description: How many (selected) namespaces were ignored (based + on configuration). + type: integer + namespacesSelected: + description: How many namespaces were selected. + type: integer + podEntryRenderFailures: + description: How many failures were encountered rendering an entry + selected pods. 
This could be due to either a bad template in + the ClusterSPIFFEID or Pod metadata that when applied to the + template did not produce valid entry values. + type: integer + podsSelected: + description: How many pods were selected out of the namespaces. + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/k8s/0.26.1/crds/spire.spiffe.io_clusterstaticentries.yaml b/k8s/0.26.1/crds/spire.spiffe.io_clusterstaticentries.yaml new file mode 100644 index 00000000..6fc92d5f --- /dev/null +++ b/k8s/0.26.1/crds/spire.spiffe.io_clusterstaticentries.yaml 
@@ -0,0 +1,100 @@
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# / keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.11.1
+ creationTimestamp: null
+ name: clusterstaticentries.spire.spiffe.io
+spec:
+ group: spire.spiffe.io
+ names:
+ kind: ClusterStaticEntry
+ listKind: ClusterStaticEntryList
+ plural: clusterstaticentries
+ singular: clusterstaticentry
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ClusterStaticEntry is the Schema for the clusterstaticentries
+ API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry
+ properties:
+ admin:
+ type: boolean
+ dnsNames:
+ items:
+ type: string
+ type: array
+ downstream:
+ type: boolean
+ federatesWith:
+ items:
+ type: string
+ type: array
+ hint:
+ type: string
+ jwtSVIDTTL:
+ type: string
+ parentID:
+ type: string
+ selectors:
+ items:
+ type: string
+ type: array
+ spiffeID:
+ type: string
+ x509SVIDTTL:
+ type: string
+ required:
+ - parentID
+ - selectors
+ - spiffeID
+ type: object
+ status:
+ description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry
+ properties:
+ masked:
+ description: If the static entry was masked by another entry.
+ type: boolean
+ rendered:
+ description: If the static entry rendered properly.
+ type: boolean
+ set:
+ description: If the static entry was successfully created/updated.
+ type: boolean
+ required:
+ - masked
+ - rendered
+ - set
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/k8s/0.26.1/crds/spire.spiffe.io_controllermanagerconfigs.yaml b/k8s/0.26.1/crds/spire.spiffe.io_controllermanagerconfigs.yaml
new file mode 100644
index 00000000..538ac974
--- /dev/null
+++ b/k8s/0.26.1/crds/spire.spiffe.io_controllermanagerconfigs.yaml
@@ -0,0 +1,68 @@
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# / keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.8.0
+ creationTimestamp: null
+ name: controllermanagerconfigs.spire.spiffe.io
+spec:
+ group: spire.spiffe.io
+ names:
+ kind: ControllerManagerConfig
+ listKind: ControllerManagerConfigList
+ plural: controllermanagerconfigs
+ singular: controllermanagerconfig
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ControllerManagerConfig is the Schema for the controllermanagerconfigs
+ API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ControllerManagerConfigSpec defines the desired state of
+ ControllerManagerConfig
+ properties:
+ foo:
+ description: Foo is an example field of ControllerManagerConfig.
Edit + controllermanagerconfig_types.go to deletion/update + type: string + type: object + status: + description: ControllerManagerConfigStatus defines the observed state + of ControllerManagerConfig + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/k8s/0.26.0/eks/vsecm-distroless-fips.yaml b/k8s/0.26.1/eks/vsecm-distroless-fips.yaml similarity index 96% rename from k8s/0.26.0/eks/vsecm-distroless-fips.yaml rename to k8s/0.26.1/eks/vsecm-distroless-fips.yaml index 605f2afb..990c5702 100644 --- a/k8s/0.26.0/eks/vsecm-distroless-fips.yaml +++ b/k8s/0.26.1/eks/vsecm-distroless-fips.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -57,11 +57,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: true --- @@ -82,11 +82,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- 
@@ -107,11 +107,11 @@ metadata: name: vsecm-root-key namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm type: Opaque @@ -136,11 +136,11 @@ metadata: name: vsecm-sentinel-init-secret namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm type: Opaque @@ -279,11 +279,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP @@ -314,11 +314,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -342,7 +342,7 @@ spec: initContainers: - name: init-container - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.26.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket 
@@ -415,7 +415,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-keystone:0.26.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-keystone:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -463,11 +463,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -491,7 +491,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.26.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -656,11 +656,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: serviceName: vsecm-safe @@ -685,7 +685,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.26.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.26.1" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 
@@ -905,11 +905,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} @@ -937,11 +937,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-safe labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} @@ -969,11 +969,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-sentinel labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} diff --git a/k8s/0.26.0/eks/vsecm-distroless.yaml b/k8s/0.26.1/eks/vsecm-distroless.yaml similarity index 96% rename from k8s/0.26.0/eks/vsecm-distroless.yaml rename to k8s/0.26.1/eks/vsecm-distroless.yaml index d45e2df1..125b7810 100644 --- a/k8s/0.26.0/eks/vsecm-distroless.yaml +++ b/k8s/0.26.1/eks/vsecm-distroless.yaml 
@@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -57,11 +57,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: true --- @@ -82,11 +82,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -107,11 +107,11 @@ metadata: name: vsecm-root-key namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm type: Opaque 
@@ -136,11 +136,11 @@ metadata: name: vsecm-sentinel-init-secret namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm type: Opaque @@ -279,11 +279,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP @@ -314,11 +314,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -342,7 +342,7 @@ spec: initContainers: - name: init-container - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.26.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -415,7 +415,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-keystone:0.26.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-keystone:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket 
@@ -463,11 +463,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -491,7 +491,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.26.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -656,11 +656,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: serviceName: vsecm-safe @@ -685,7 +685,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.26.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.26.1" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -905,11 +905,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} 
@@ -937,11 +937,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-safe labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} @@ -969,11 +969,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-sentinel labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} diff --git a/k8s/0.26.0/local/vsecm-distroless-fips.yaml b/k8s/0.26.1/local/vsecm-distroless-fips.yaml similarity index 96% rename from k8s/0.26.0/local/vsecm-distroless-fips.yaml rename to k8s/0.26.1/local/vsecm-distroless-fips.yaml index 24b6181c..d57543ee 100644 --- a/k8s/0.26.0/local/vsecm-distroless-fips.yaml +++ b/k8s/0.26.1/local/vsecm-distroless-fips.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- 
@@ -57,11 +57,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: true --- @@ -82,11 +82,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -107,11 +107,11 @@ metadata: name: vsecm-root-key namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm type: Opaque @@ -136,11 +136,11 @@ metadata: name: vsecm-sentinel-init-secret namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm type: Opaque 
@@ -279,11 +279,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP @@ -314,11 +314,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -342,7 +342,7 @@ spec: initContainers: - name: init-container - image: "localhost:5000/vsecm-ist-init-container:0.26.0" + image: "localhost:5000/vsecm-ist-init-container:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -415,7 +415,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "localhost:5000/vsecm-ist-fips-keystone:0.26.0" + image: "localhost:5000/vsecm-ist-fips-keystone:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -463,11 +463,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -491,7 +491,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-fips-sentinel:0.26.0" + image: "localhost:5000/vsecm-ist-fips-sentinel:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket 
@@ -656,11 +656,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: serviceName: vsecm-safe @@ -685,7 +685,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-fips-safe:0.26.0" + image: "localhost:5000/vsecm-ist-fips-safe:0.26.1" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -905,11 +905,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} @@ -937,11 +937,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-safe labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} 
@@ -969,11 +969,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-sentinel labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} diff --git a/k8s/0.26.0/local/vsecm-distroless.yaml b/k8s/0.26.1/local/vsecm-distroless.yaml similarity index 96% rename from k8s/0.26.0/local/vsecm-distroless.yaml rename to k8s/0.26.1/local/vsecm-distroless.yaml index 1e866bef..4f797042 100644 --- a/k8s/0.26.0/local/vsecm-distroless.yaml +++ b/k8s/0.26.1/local/vsecm-distroless.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -57,11 +57,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: true --- 
@@ -82,11 +82,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -107,11 +107,11 @@ metadata: name: vsecm-root-key namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm type: Opaque @@ -136,11 +136,11 @@ metadata: name: vsecm-sentinel-init-secret namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm type: Opaque @@ -279,11 +279,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP 
@@ -314,11 +314,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -342,7 +342,7 @@ spec: initContainers: - name: init-container - image: "localhost:5000/vsecm-ist-init-container:0.26.0" + image: "localhost:5000/vsecm-ist-init-container:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -415,7 +415,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "localhost:5000/vsecm-ist-keystone:0.26.0" + image: "localhost:5000/vsecm-ist-keystone:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -463,11 +463,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -491,7 +491,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-sentinel:0.26.0" + image: "localhost:5000/vsecm-ist-sentinel:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -656,11 +656,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: serviceName: vsecm-safe 
@@ -685,7 +685,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-safe:0.26.0" + image: "localhost:5000/vsecm-ist-safe:0.26.1" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -905,11 +905,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} @@ -937,11 +937,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-safe labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} @@ -969,11 +969,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-sentinel labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} 
diff --git a/k8s/0.26.0/remote/vsecm-distroless-fips.yaml b/k8s/0.26.1/remote/vsecm-distroless-fips.yaml similarity index 96% rename from k8s/0.26.0/remote/vsecm-distroless-fips.yaml rename to k8s/0.26.1/remote/vsecm-distroless-fips.yaml index 26f77233..be5da200 100644 --- a/k8s/0.26.0/remote/vsecm-distroless-fips.yaml +++ b/k8s/0.26.1/remote/vsecm-distroless-fips.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -57,11 +57,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: true --- @@ -82,11 +82,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- 
@@ -107,11 +107,11 @@ metadata: name: vsecm-root-key namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm type: Opaque @@ -136,11 +136,11 @@ metadata: name: vsecm-sentinel-init-secret namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm type: Opaque @@ -279,11 +279,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP @@ -314,11 +314,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -342,7 +342,7 @@ spec: initContainers: - name: init-container - image: "vsecm/vsecm-ist-init-container:0.26.0" + image: "vsecm/vsecm-ist-init-container:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket 
@@ -415,7 +415,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "vsecm/vsecm-ist-fips-keystone:0.26.0" + image: "vsecm/vsecm-ist-fips-keystone:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -463,11 +463,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -491,7 +491,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-fips-sentinel:0.26.0" + image: "vsecm/vsecm-ist-fips-sentinel:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -656,11 +656,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: serviceName: vsecm-safe @@ -685,7 +685,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-fips-safe:0.26.0" + image: "vsecm/vsecm-ist-fips-safe:0.26.1" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 
@@ -905,11 +905,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} @@ -937,11 +937,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-safe labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} @@ -969,11 +969,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-sentinel labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} diff --git a/k8s/0.26.0/remote/vsecm-distroless.yaml b/k8s/0.26.1/remote/vsecm-distroless.yaml similarity index 96% rename from k8s/0.26.0/remote/vsecm-distroless.yaml rename to k8s/0.26.1/remote/vsecm-distroless.yaml index 6edae87a..3adef124 100644 --- a/k8s/0.26.0/remote/vsecm-distroless.yaml +++ b/k8s/0.26.1/remote/vsecm-distroless.yaml 
@@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -57,11 +57,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: true --- @@ -82,11 +82,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -107,11 +107,11 @@ metadata: name: vsecm-root-key namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm type: Opaque 
@@ -136,11 +136,11 @@ metadata: name: vsecm-sentinel-init-secret namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm type: Opaque @@ -279,11 +279,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP @@ -314,11 +314,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -342,7 +342,7 @@ spec: initContainers: - name: init-container - image: "vsecm/vsecm-ist-init-container:0.26.0" + image: "vsecm/vsecm-ist-init-container:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -415,7 +415,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "vsecm/vsecm-ist-keystone:0.26.0" + image: "vsecm/vsecm-ist-keystone:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket 
@@ -463,11 +463,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -491,7 +491,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-sentinel:0.26.0" + image: "vsecm/vsecm-ist-sentinel:0.26.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -656,11 +656,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: serviceName: vsecm-safe @@ -685,7 +685,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-safe:0.26.0" + image: "vsecm/vsecm-ist-safe:0.26.1" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -905,11 +905,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.26.0 + helm.sh/chart: keystone-0.26.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} 
@@ -937,11 +937,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-safe labels: - helm.sh/chart: safe-0.26.0 + helm.sh/chart: safe-0.26.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} @@ -969,11 +969,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-sentinel labels: - helm.sh/chart: sentinel-0.26.0 + helm.sh/chart: sentinel-0.26.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.26.0" + app.kubernetes.io/version: "0.26.1" app.kubernetes.io/managed-by: Helm spec: spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} diff --git a/k8s/0.26.0/spire.yaml b/k8s/0.26.1/spire.yaml similarity index 98% rename from k8s/0.26.0/spire.yaml rename to k8s/0.26.1/spire.yaml index ac92a317..9e3679e9 100644 --- a/k8s/0.26.0/spire.yaml +++ b/k8s/0.26.1/spire.yaml @@ -14,6 +14,10 @@ apiVersion: v1 kind: Namespace metadata: name: spire-system + labels: + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged --- # Source: vsecm/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml # /* @@ -30,6 +34,10 @@ apiVersion: v1 kind: Namespace metadata: name: spire-server + labels: + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged --- # Source: vsecm/charts/spire/templates/spire-agent-service-account.yaml # /*
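Review bot: The added `pod-security.kubernetes.io/enforce: privileged` label on the `spire-system` namespace (this hunk) and on `spire-server` (the preceding hunk in this file) opts both namespaces out of Pod Security Admission entirely, and because `audit` and `warn` are also set to `privileged`, nothing that would fail a stricter profile is logged or surfaced either. The SPIRE agent DaemonSet commonly needs host access for workload attestation, so `enforce: privileged` may be justified in `spire-system`, but `spire-server` appears to hold only the server and probably does not need it — worth confirming against its pod spec, which is not in this diff. At minimum keep visibility while staying permissive: `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` (or `restricted`) so violations are still recorded. Since this is a rendered manifest (`# Source: vsecm/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml`), the labels and a one-line comment stating why `privileged` is required belong in the chart template with the rendered file regenerated; as this is the only non-version change in the hunks visible here, the commit description should call it out.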