add spire-controller-manager resources, update spire-server statefulset
Signed-off-by: Batuhan Apaydın <[email protected]>
developer-guy committed Nov 14, 2022
1 parent 65be43b commit e7331de
Showing 10 changed files with 109 additions and 46 deletions.
2 changes: 1 addition & 1 deletion charts/spire/Chart.yaml
@@ -27,7 +27,7 @@ description: |
- --service-account-signing-key-file=/run/config/pki/sa.key
```
type: application
version: 0.6.2
version: 0.7.0
appVersion: "1.5.1"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
home: https://github.com/philips-labs/helm-charts/charts/spire
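Review bot: the bump from 0.6.2 to 0.7.0 is only a minor version increase, but this commit drops the `workloadRegistrar.*` values (see the values.yaml and README hunks) and replaces them with `controllerManager.*`, so an existing release that overrides `workloadRegistrar.image.*` or `workloadRegistrar.resources` silently loses those settings on upgrade. Call that out as a breaking change in the chart's upgrade notes, or consider a major version bump.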
12 changes: 6 additions & 6 deletions charts/spire/README.md
@@ -2,7 +2,7 @@

<!-- This README.md is generated. -->

![Version: 0.6.2](https://img.shields.io/badge/Version-0.6.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square)
![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square)

A Helm chart for deploying spire-server and spire-agent.

@@ -57,6 +57,11 @@ Kubernetes: `>=1.21.0-0`
| agent.image.version | string | `""` | |
| agent.nodeSelector."kubernetes.io/arch" | string | `"amd64"` | |
| agent.resources | object | `{}` | |
| controllerManager.image.pullPolicy | string | `"IfNotPresent"` | |
| controllerManager.image.registry | string | `"ghcr.io"` | |
| controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | |
| controllerManager.image.version | string | `"0.2.1"` | |
| controllerManager.resources | object | `{}` | |
| csiDriver.image.pullPolicy | string | `"IfNotPresent"` | |
| csiDriver.image.registry | string | `"ghcr.io"` | |
| csiDriver.image.repository | string | `"spiffe/spiffe-csi-driver"` | |
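Review bot: the Description column for the five new `controllerManager.*` rows is empty. Since this README is generated (per the comment at the top of the file), the fix belongs in values.yaml: a description comment above each new key (the `# -- ...` form, if helm-docs is the generator) would populate this column, and `controllerManager.image.version` in particular deserves one because it is pinned to the controller-manager's own release rather than defaulting to the chart appVersion.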
@@ -127,8 +132,3 @@ Kubernetes: `>=1.21.0-0`
| waitForIt.image.registry | string | `"gcr.io"` | |
| waitForIt.image.repository | string | `"spiffe-io/wait-for-it"` | |
| waitForIt.image.version | string | `""` | |
| workloadRegistrar.image.pullPolicy | string | `"IfNotPresent"` | |
| workloadRegistrar.image.registry | string | `"gcr.io"` | |
| workloadRegistrar.image.repository | string | `"spiffe-io/k8s-workload-registrar"` | |
| workloadRegistrar.image.version | string | `""` | |
| workloadRegistrar.resources | object | `{}` | |
24 changes: 22 additions & 2 deletions charts/spire/templates/server-cluster-role.yaml
@@ -11,12 +11,32 @@ rules:
resources: ["tokenreviews"]
verbs: ["get", "create"]
- apiGroups: [""]
resources: ["pods", "nodes"]
resources: ["pods", "nodes", "namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "patch", "watch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create", "update", "delete", "get", "list", "watch"]

- apiGroups: ["spire.spiffe.io"]
resources: ["clusterfederatedtrustdomains"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterfederatedtrustdomains/finalizers"]
verbs: ["update"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterfederatedtrustdomains/status"]
verbs: ["get", "patch", "update"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids/finalizers"]
verbs: ["update"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids/status"]
verbs: ["get", "patch", "update"]
---
# Binds above cluster role to spire-server service account
kind: ClusterRoleBinding
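Review bot: least-privilege concern on the new rules. `patch` on `validatingwebhookconfigurations` is granted cluster-wide with no `resourceNames`, so the spire-server service account this role is bound to (which the SPIRE server container also runs under, since the controller manager is a sidecar in the same StatefulSet) can modify any admission webhook in the cluster. Split the rule so that `get`, `list`, `watch` stay as they are (resourceNames cannot restrict list/watch) and `patch` is limited with `resourceNames: ["spire-controller-manager-webhook"]`, the object this commit creates. Likewise the `leases` rule only needs the release namespace (the new config sets `resourceNamespace: {{ .Release.Namespace }}`), so it belongs in server-role.yaml rather than the ClusterRole. Minor: the blank line before the first `spire.spiffe.io` rule is stray.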
6 changes: 1 addition & 5 deletions charts/spire/templates/server-role.yaml
@@ -18,11 +18,7 @@ rules:
verbs: ["get", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["spire-k8s-registrar-leader-election"]
verbs: ["update", "get"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create"]
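Review bot: the configmaps rule loses its `resourceNames` scoping and gains `list`, `watch`, `patch` and `delete` on every ConfigMap in the namespace, which includes the spire-server and spire-agent configuration. The rule it replaces existed only for the registrar's leader-election ConfigMap, and the controller manager now uses Leases for leader election (see the ClusterRole hunk and `leaderElection` in the new config), so check whether a configmaps rule is needed at all; if it is, restore `resourceNames` for the specific ConfigMap it touches.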
22 changes: 10 additions & 12 deletions charts/spire/templates/server-statefulset.yaml
@@ -75,24 +75,22 @@ spec:
periodSeconds: 5
resources:
{{- toYaml .Values.server.resources | nindent 12 }}
- name: {{ .Chart.Name }}-workload-registrar
- name: {{ .Chart.Name }}-controller-manager
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: {{ template "spire.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.workloadRegistrar.image) }}
imagePullPolicy: {{ .Values.workloadRegistrar.image.pullPolicy }}
image: {{ template "spire.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.image) }}
imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }}
args:
- -config
- /run/spire/k8s-workload-registrar/config/workload-registrar.conf
- "--config=spire-controller-manager-config.yaml"
ports:
- containerPort: 8443
name: registrar-port
- containerPort: 9443
volumeMounts:
- name: spire-server-socket
mountPath: /run/spire/server-sockets
readOnly: true
- name: spire-workload-registrar-config
mountPath: /run/spire/k8s-workload-registrar/config
readOnly: true
- name: spire-controller-manager-config
mountPath: /spire-controller-manager-config.yaml
subPath: spire-controller-manager-config.yaml
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
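Review bot: three points on the new sidecar. `--config=spire-controller-manager-config.yaml` is a relative path that only resolves because the file is mounted at the filesystem root; `--config=/spire-controller-manager-config.yaml` makes that explicit instead of depending on the image's working directory. The config volumeMount dropped the `readOnly: true` that the old registrar mount had; add it back. And a `subPath` mount of a ConfigMap key is not refreshed when the ConfigMap changes, so config edits need a pod restart (acceptable for a StatefulSet rollout, but worth a comment). Minor: the 9443 containerPort lost its `name`; the Service now targets it by number, which works, but a named port keeps the two in sync.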
@@ -106,9 +104,9 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: spire-workload-registrar-config
- name: spire-controller-manager-config
configMap:
name: {{ include "spire.fullname" . }}-workload-registrar
name: {{ include "spire.fullname" . }}-controller-manager-config
- name: spire-config
configMap:
name: {{ include "spire.fullname" . }}-server
30 changes: 30 additions & 0 deletions charts/spire/templates/spire-controller-manager-config.yaml
@@ -0,0 +1,30 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "spire.fullname" . }}-controller-manager-config
namespace: {{ .Release.Namespace }}
data:
spire-controller-manager-config.yaml: |-
apiVersion: spire.spiffe.io/v1alpha1
kind: ControllerManagerConfig
metadata:
name: {{ include "spire.fullname" . }}-controller-manager-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "spire.server.labels" . | nindent 4 }}
metrics:
bindAddress: 127.0.0.1:8082
healthProbe:
bindAddress: 127.0.0.1:8083
leaderElection:
leaderElect: true
resourceName: 98c9c988.spiffe.io
resourceNamespace: {{ .Release.Namespace }}
clusterName: {{ .Values.spire.clusterName }}
trustDomain: {{ .Values.spire.trustDomain }}
ignoreNamespaces:
- kube-system
- kube-public
- spire-system
- local-path-storage
spireServerSocketPath: "/run/spire/server-sockets/registration.sock"
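Review bot: `ignoreNamespaces` hardcodes `spire-system` and `local-path-storage`. The rest of this file uses `{{ .Release.Namespace }}`, so an install into any other namespace would not ignore its own namespace, and `local-path-storage` is specific to kind clusters. Make the list a chart value (a hypothetical `controllerManager.ignoreNamespaces`) and append `{{ .Release.Namespace }}` to it. Also, `healthProbe.bindAddress: 127.0.0.1:8083` is not wired to any liveness or readiness probe on the sidecar in the StatefulSet hunk, so a wedged controller manager would not be restarted.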
33 changes: 33 additions & 0 deletions charts/spire/templates/spire-controller-manager-webhook
@@ -0,0 +1,33 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: spire-controller-manager-webhook
webhooks:
- admissionReviewVersions: ["v1"]
clientConfig:
service:
name: spire-controller-manager-webhook-service
namespace: spire-system
path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain
failurePolicy: Fail
name: vclusterfederatedtrustdomain.kb.io
rules:
- apiGroups: ["spire.spiffe.io"]
apiVersions: ["v1alpha1"]
operations: ["CREATE", "UPDATE"]
resources: ["clusterfederatedtrustdomains"]
sideEffects: None
- admissionReviewVersions: ["v1"]
clientConfig:
service:
name: spire-controller-manager-webhook-service
namespace: spire-system
path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid
failurePolicy: Fail
name: vclusterspiffeid.kb.io
rules:
- apiGroups: ["spire.spiffe.io"]
apiVersions: ["v1alpha1"]
operations: ["CREATE", "UPDATE"]
resources: ["clusterspiffeids"]
sideEffects: None
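Review bot: `clientConfig.service` points at `spire-controller-manager-webhook-service` in namespace `spire-system`, but the Service this commit renames is `{{ include "spire.fullname" . }}-controller-manager` in `{{ .Release.Namespace }}`. As written the API server cannot reach the webhook, and with `failurePolicy: Fail` every CREATE or UPDATE of a ClusterSPIFFEID or ClusterFederatedTrustDomain would be rejected; template both fields from the chart. `clientConfig` has no `caBundle`, which is consistent with the `patch` grant on validatingwebhookconfigurations in the ClusterRole (the manager fills it in at runtime), but that dependency deserves a comment here. Finally, `metadata.name` is a fixed string, so two releases in one cluster would collide; prefix it with the release name like the other resources.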
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "spire.fullname" . }}-k8s-workload-registrar
name: {{ include "spire.fullname" . }}-controller-manager
namespace: {{ .Release.Namespace }}
labels:
{{- include "spire.server.labels" . | nindent 4 }}
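Review bot: renaming this Service to `{{ include "spire.fullname" . }}-controller-manager` is fine on its own, but the ValidatingWebhookConfiguration added in this commit still references `spire-controller-manager-webhook-service`; pick one name and template the webhook's `clientConfig.service` from it.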
@@ -10,7 +10,7 @@ spec:
ports:
- name: https
port: 443
targetPort: registrar-port
targetPort: 9443
protocol: TCP
selector:
{{- include "spire.server.selectorLabels" . | nindent 4 }}
14 changes: 0 additions & 14 deletions charts/spire/templates/workload-registrar-configmap.yaml

This file was deleted.

8 changes: 4 additions & 4 deletions charts/spire/values.yaml
@@ -8,13 +8,13 @@ waitForIt:
pullPolicy: IfNotPresent
version: ""

workloadRegistrar:
controllerManager:
image:
registry: gcr.io
repository: spiffe-io/k8s-workload-registrar
registry: ghcr.io
repository: spiffe/spire-controller-manager
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
version: ""
version: "0.2.1"

resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
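Review bot: the comment "Overrides the image tag whose default is the chart appVersion." no longer describes this key: `version` is now pinned to `"0.2.1"`, the controller-manager's own release line, not the chart's appVersion 1.5.1. Update the comment, and since the README is generated, add a description comment for each new `controllerManager.*` key so its Description column is populated.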