From 16f26e1d8c3bc3b65977c7f3a628c7f16b164c96 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Volkan=20=C3=96z=C3=A7elik?= Date: Thu, 3 Oct 2024 23:39:28 -0700 Subject: [PATCH] rename (#1161) --- Makefile | 2 +- dockerfiles/example/init-container.Dockerfile | 2 +- .../example/multiple-secrets.Dockerfile | 2 +- dockerfiles/example/sdk-go.Dockerfile | 2 +- dockerfiles/example/sidecar.Dockerfile | 2 +- dockerfiles/util/inspector.Dockerfile | 2 +- dockerfiles/util/keygen.Dockerfile | 2 +- .../vsecm-ist-fips/init-container.Dockerfile | 2 +- .../vsecm-ist-fips/keystone.Dockerfile | 2 +- dockerfiles/vsecm-ist-fips/safe.Dockerfile | 2 +- .../vsecm-ist-fips/sentinel.Dockerfile | 2 +- dockerfiles/vsecm-ist-fips/sidecar.Dockerfile | 2 +- .../vsecm-ist/init-container.Dockerfile | 2 +- dockerfiles/vsecm-ist/keystone.Dockerfile | 2 +- dockerfiles/vsecm-ist/safe.Dockerfile | 2 +- dockerfiles/vsecm-ist/sentinel.Dockerfile | 2 +- dockerfiles/vsecm-ist/sidecar.Dockerfile | 2 +- docs/config.toml | 2 +- examples/operator_decrpyt_secrets/reveal.sh | 2 +- .../init-container/Deployment.yaml | 4 +- .../init-container/image-override.yaml | 4 +- .../workshop_aegis/inspector/Deployment.yaml | 2 +- .../inspector/image-override.yaml | 2 +- examples/workshop_aegis/sdk/Deployment.yaml | 2 +- .../workshop_aegis/sdk/image-override.yaml | 2 +- .../workshop_aegis/sidecar/Deployment.yaml | 4 +- .../sidecar/image-override.yaml | 4 +- .../cluster-1/inspector/Deployment.yaml | 2 +- .../cluster-1/sentinel/Deployment.yaml | 2 +- .../cluster-2/safe/Deployment.yaml | 2 +- .../k8s/Deployment.yaml | 2 +- .../spire-controller-manager-config.yaml | 2 +- .../clusters/azmodan/k8s/spire/spire.yaml | 28 +- .../spire-controller-manager-config.yaml | 2 +- .../clusters/baal/k8s/spire/spire.yaml | 28 +- .../spire-controller-manager-config.yaml | 2 +- .../clusters/diablo/k8s/spire/spire.yaml | 28 +- .../spire-controller-manager-config.yaml | 2 +- .../clusters/mephisto/k8s/spire/spire.yaml | 28 +- .../workshop_vsecm/hack/015-reveal-secrets.sh | 2 +- .../example-init-container/Deployment.yaml | 4 
+- .../workloads/inspector/Deployment.yaml | 2 +- .../workloads/keycloak/Deployment.yaml | 2 +- hack/create-custom-manifest.sh | 4 +- hack/tag-docker.sh | 2 +- helm-charts-playground/app/main.go | 4 +- helm-charts/0.27.3/Chart.yaml | 69 - helm-charts/0.27.3/README.md | 150 -- helm-charts/0.27.3/README.md.gotmpl | 104 - .../0.27.3/charts/keystone/.helmignore | 23 - helm-charts/0.27.3/charts/keystone/Chart.yaml | 34 - helm-charts/0.27.3/charts/keystone/README.md | 37 - .../charts/keystone/templates/Deployment.yaml | 156 -- .../charts/keystone/templates/Identity.yaml | 26 - .../keystone/templates/ServiceAccount.yaml | 28 - .../charts/keystone/templates/_helpers.tpl | 86 - .../0.27.3/charts/keystone/values.yaml | 108 - helm-charts/0.27.3/charts/safe/.helmignore | 23 - helm-charts/0.27.3/charts/safe/Chart.yaml | 34 - helm-charts/0.27.3/charts/safe/README.md | 59 - .../charts/safe/templates/Identity.yaml | 26 - .../charts/safe/templates/RoleBinding.yaml | 44 - .../0.27.3/charts/safe/templates/Secret.yaml | 28 - .../0.27.3/charts/safe/templates/Service.yaml | 26 - .../charts/safe/templates/ServiceAccount.yaml | 32 - .../charts/safe/templates/StatefulSet.yaml | 195 -- .../0.27.3/charts/safe/templates/_helpers.tpl | 86 - .../templates/hook-preinstall-namespace.yaml | 16 - .../safe/templates/hook-preinstall-role.yaml | 72 - helm-charts/0.27.3/charts/safe/values.yaml | 191 -- .../0.27.3/charts/sentinel/.helmignore | 23 - helm-charts/0.27.3/charts/sentinel/Chart.yaml | 34 - helm-charts/0.27.3/charts/sentinel/README.md | 45 - .../charts/sentinel/templates/Deployment.yaml | 157 -- .../charts/sentinel/templates/Identity.yaml | 26 - .../charts/sentinel/templates/Role.yaml | 22 - .../sentinel/templates/RoleBinding.yaml | 23 - .../charts/sentinel/templates/Secret.yaml | 29 - .../sentinel/templates/ServiceAccount.yaml | 32 - .../charts/sentinel/templates/_helpers.tpl | 86 - .../0.27.3/charts/sentinel/values.yaml | 163 -- helm-charts/0.27.3/charts/spire/.helmignore | 23 - 
helm-charts/0.27.3/charts/spire/Chart.yaml | 34 - helm-charts/0.27.3/charts/spire/README.md | 37 - .../charts/spire/templates/_helpers.tpl | 61 - .../templates/clusterrole-spire-agent.yaml | 22 - ...spire-server-spire-controller-manager.yaml | 57 - ...clusterrole-spire-server-spire-server.yaml | 31 - .../clusterrolebinding-spire-agent.yaml | 23 - ...spire-server-spire-controller-manager.yaml | 22 - ...rolebinding-spire-server-spire-server.yaml | 24 - ...erspiffeid-spire-server-spire-default.yaml | 27 - ...spiffeid-spire-server-spire-test-keys.yaml | 30 - .../templates/configmap-spire-agent.yaml | 76 - .../templates/configmap-spire-bundle.yaml | 15 - .../configmap-spire-controller-manager.yaml | 76 - .../templates/configmap-spire-server.yaml | 118 -- .../templates/daemonset-spire-agent.yaml | 170 -- .../daemonset-spire-spiffe-csi-driver.yaml | 155 -- ...clusterrole-spire-server-post-install.yaml | 22 - ...clusterrole-spire-server-post-upgrade.yaml | 22 - ...-clusterrole-spire-server-pre-upgrade.yaml | 22 - ...rolebinding-spire-server-post-install.yaml | 25 - ...rolebinding-spire-server-post-upgrade.yaml | 25 - ...rrolebinding-spire-server-pre-upgrade.yaml | 25 - .../hook-job-spire-server-post-install.yaml | 78 - .../hook-job-spire-server-post-upgrade.yaml | 77 - .../hook-job-spire-server-pre-upgrade.yaml | 77 - ...ok-preinstall-csidriver-csi.spiffe.io.yaml | 37 - ...ook-preinstall-namespace-spire-server.yaml | 25 - ...ook-preinstall-namespace-spire-system.yaml | 25 - ...viceaccount-spire-server-post-install.yaml | 24 - ...viceaccount-spire-server-post-upgrade.yaml | 24 - ...rviceaccount-spire-server-pre-upgrade.yaml | 24 - ...penshift-security-context-constraints.yaml | 105 - .../spire/templates/role-spire-bundle.yaml | 23 - ...re-controller-manager-leader-election.yaml | 25 - .../templates/rolebinding-spire-bundle.yaml | 23 - ...re-controller-manager-leader-election.yaml | 23 - ...vice-spire-controller-manager-webhook.yaml | 31 - 
.../spire/templates/service-spire-server.yaml | 31 - .../templates/serviceaccount-spire-agent.yaml | 25 - .../serviceaccount-spire-server.yaml | 25 - ...erviceaccount-spire-spiffe-csi-driver.yaml | 25 - .../templates/statefulset-spire-server.yaml | 197 -- ...rver-spire-controller-manager-webhook.yaml | 43 - helm-charts/0.27.3/charts/spire/values.yaml | 127 -- ...piffe.io_clusterfederatedtrustdomains.yaml | 100 - .../spire.spiffe.io_clusterspiffeids.yaml | 239 --- .../spire.spiffe.io_clusterstaticentries.yaml | 103 - ...re.spiffe.io_controllermanagerconfigs.yaml | 68 - helm-charts/0.27.3/values-custom.yaml | 100 - helm-charts/0.27.3/values.yaml | 208 -- helm-charts/0.27.4/README.md | 2 +- helm-charts/0.27.4/charts/keystone/Chart.yaml | 4 +- helm-charts/0.27.4/charts/keystone/README.md | 2 +- helm-charts/0.27.4/values-custom.yaml | 8 +- helm-charts/0.27.4/values.yaml | 8 +- ...piffe.io_clusterfederatedtrustdomains.yaml | 100 - .../spire.spiffe.io_clusterspiffeids.yaml | 239 --- .../spire.spiffe.io_clusterstaticentries.yaml | 103 - ...re.spiffe.io_controllermanagerconfigs.yaml | 68 - k8s/0.27.3/eks/vsecm-distroless-fips.yaml | 1049 ---------- k8s/0.27.3/eks/vsecm-distroless.yaml | 1049 ---------- k8s/0.27.3/local/vsecm-distroless-fips.yaml | 1049 ---------- k8s/0.27.3/local/vsecm-distroless.yaml | 1049 ---------- k8s/0.27.3/remote/vsecm-distroless-fips.yaml | 1049 ---------- k8s/0.27.3/remote/vsecm-distroless.yaml | 1049 ---------- k8s/0.27.3/spire.yaml | 1802 ----------------- k8s/0.27.4/eks/vsecm-distroless-fips.yaml | 20 +- k8s/0.27.4/eks/vsecm-distroless.yaml | 20 +- k8s/0.27.4/local/vsecm-distroless-fips.yaml | 20 +- k8s/0.27.4/local/vsecm-distroless.yaml | 20 +- k8s/0.27.4/remote/vsecm-distroless-fips.yaml | 20 +- k8s/0.27.4/remote/vsecm-distroless.yaml | 20 +- 155 files changed, 177 insertions(+), 14130 deletions(-) delete mode 100644 helm-charts/0.27.3/Chart.yaml delete mode 100644 helm-charts/0.27.3/README.md delete mode 100644 
helm-charts/0.27.3/README.md.gotmpl delete mode 100644 helm-charts/0.27.3/charts/keystone/.helmignore delete mode 100644 helm-charts/0.27.3/charts/keystone/Chart.yaml delete mode 100644 helm-charts/0.27.3/charts/keystone/README.md delete mode 100644 helm-charts/0.27.3/charts/keystone/templates/Deployment.yaml delete mode 100644 helm-charts/0.27.3/charts/keystone/templates/Identity.yaml delete mode 100644 helm-charts/0.27.3/charts/keystone/templates/ServiceAccount.yaml delete mode 100644 helm-charts/0.27.3/charts/keystone/templates/_helpers.tpl delete mode 100644 helm-charts/0.27.3/charts/keystone/values.yaml delete mode 100644 helm-charts/0.27.3/charts/safe/.helmignore delete mode 100644 helm-charts/0.27.3/charts/safe/Chart.yaml delete mode 100644 helm-charts/0.27.3/charts/safe/README.md delete mode 100644 helm-charts/0.27.3/charts/safe/templates/Identity.yaml delete mode 100644 helm-charts/0.27.3/charts/safe/templates/RoleBinding.yaml delete mode 100644 helm-charts/0.27.3/charts/safe/templates/Secret.yaml delete mode 100644 helm-charts/0.27.3/charts/safe/templates/Service.yaml delete mode 100644 helm-charts/0.27.3/charts/safe/templates/ServiceAccount.yaml delete mode 100644 helm-charts/0.27.3/charts/safe/templates/StatefulSet.yaml delete mode 100644 helm-charts/0.27.3/charts/safe/templates/_helpers.tpl delete mode 100644 helm-charts/0.27.3/charts/safe/templates/hook-preinstall-namespace.yaml delete mode 100644 helm-charts/0.27.3/charts/safe/templates/hook-preinstall-role.yaml delete mode 100644 helm-charts/0.27.3/charts/safe/values.yaml delete mode 100644 helm-charts/0.27.3/charts/sentinel/.helmignore delete mode 100644 helm-charts/0.27.3/charts/sentinel/Chart.yaml delete mode 100644 helm-charts/0.27.3/charts/sentinel/README.md delete mode 100644 helm-charts/0.27.3/charts/sentinel/templates/Deployment.yaml delete mode 100644 helm-charts/0.27.3/charts/sentinel/templates/Identity.yaml delete mode 100644 helm-charts/0.27.3/charts/sentinel/templates/Role.yaml delete 
mode 100644 helm-charts/0.27.3/charts/sentinel/templates/RoleBinding.yaml delete mode 100644 helm-charts/0.27.3/charts/sentinel/templates/Secret.yaml delete mode 100644 helm-charts/0.27.3/charts/sentinel/templates/ServiceAccount.yaml delete mode 100644 helm-charts/0.27.3/charts/sentinel/templates/_helpers.tpl delete mode 100644 helm-charts/0.27.3/charts/sentinel/values.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/.helmignore delete mode 100644 helm-charts/0.27.3/charts/spire/Chart.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/README.md delete mode 100644 helm-charts/0.27.3/charts/spire/templates/_helpers.tpl delete mode 100644 helm-charts/0.27.3/charts/spire/templates/clusterrole-spire-agent.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/clusterrole-spire-server-spire-controller-manager.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/clusterrole-spire-server-spire-server.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/clusterrolebinding-spire-agent.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/clusterrolebinding-spire-server-spire-controller-manager.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/clusterrolebinding-spire-server-spire-server.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/clusterspiffeid-spire-server-spire-default.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/clusterspiffeid-spire-server-spire-test-keys.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/configmap-spire-agent.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/configmap-spire-bundle.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/configmap-spire-controller-manager.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/configmap-spire-server.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/daemonset-spire-agent.yaml delete mode 100644 
helm-charts/0.27.3/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-clusterrole-spire-server-post-install.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-clusterrole-spire-server-post-upgrade.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-clusterrole-spire-server-pre-upgrade.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-clusterrolebinding-spire-server-post-install.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-clusterrolebinding-spire-server-post-upgrade.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-clusterrolebinding-spire-server-pre-upgrade.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-job-spire-server-post-install.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-serviceaccount-spire-server-post-install.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-serviceaccount-spire-server-post-upgrade.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/hook-serviceaccount-spire-server-pre-upgrade.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/openshift-security-context-constraints.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/role-spire-bundle.yaml delete mode 100644 
helm-charts/0.27.3/charts/spire/templates/role-spire-controller-manager-leader-election.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/rolebinding-spire-bundle.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/rolebinding-spire-controller-manager-leader-election.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/service-spire-controller-manager-webhook.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/service-spire-server.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/serviceaccount-spire-agent.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/serviceaccount-spire-server.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/serviceaccount-spire-spiffe-csi-driver.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/statefulset-spire-server.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/templates/validatingwebhookconfiguration-spire-server-spire-controller-manager-webhook.yaml delete mode 100644 helm-charts/0.27.3/charts/spire/values.yaml delete mode 100644 helm-charts/0.27.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml delete mode 100644 helm-charts/0.27.3/crds/spire.spiffe.io_clusterspiffeids.yaml delete mode 100644 helm-charts/0.27.3/crds/spire.spiffe.io_clusterstaticentries.yaml delete mode 100644 helm-charts/0.27.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml delete mode 100644 helm-charts/0.27.3/values-custom.yaml delete mode 100644 helm-charts/0.27.3/values.yaml delete mode 100644 k8s/0.27.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml delete mode 100644 k8s/0.27.3/crds/spire.spiffe.io_clusterspiffeids.yaml delete mode 100644 k8s/0.27.3/crds/spire.spiffe.io_clusterstaticentries.yaml delete mode 100644 k8s/0.27.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml delete mode 100644 k8s/0.27.3/eks/vsecm-distroless-fips.yaml delete mode 100644 k8s/0.27.3/eks/vsecm-distroless.yaml delete mode 100644 
k8s/0.27.3/local/vsecm-distroless-fips.yaml
delete mode 100644 k8s/0.27.3/local/vsecm-distroless.yaml
delete mode 100644 k8s/0.27.3/remote/vsecm-distroless-fips.yaml
delete mode 100644 k8s/0.27.3/remote/vsecm-distroless.yaml
delete mode 100644 k8s/0.27.3/spire.yaml
diff --git a/Makefile b/Makefile
index 253e36d9..84745e2d 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ ifdef VSECM_VERSION
 VERSION := $(VSECM_VERSION)
 else
- VERSION := 0.27.3
+ VERSION := 0.27.4
 endif
 # Set deploySpire to false, if you want to use existing spire deployment
diff --git a/dockerfiles/example/init-container.Dockerfile b/dockerfiles/example/init-container.Dockerfile
index d4b10112..03b6d401 100644
--- a/dockerfiles/example/init-container.Dockerfile
+++ b/dockerfiles/example/init-container.Dockerfile
@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o example \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/example/multiple-secrets.Dockerfile b/dockerfiles/example/multiple-secrets.Dockerfile
index 288e2e11..3438d921 100644
--- a/dockerfiles/example/multiple-secrets.Dockerfile
+++ b/dockerfiles/example/multiple-secrets.Dockerfile
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/example/sdk-go.Dockerfile b/dockerfiles/example/sdk-go.Dockerfile
index bda36926..b1db94d7 100644
--- a/dockerfiles/example/sdk-go.Dockerfile
+++ b/dockerfiles/example/sdk-go.Dockerfile
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o env \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/example/sidecar.Dockerfile b/dockerfiles/example/sidecar.Dockerfile
index 76189df9..d2e9dbc4 100644
--- a/dockerfiles/example/sidecar.Dockerfile
+++ b/dockerfiles/example/sidecar.Dockerfile
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o env \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/util/inspector.Dockerfile b/dockerfiles/util/inspector.Dockerfile
index 51bdfc1d..a5c3702e 100644
--- a/dockerfiles/util/inspector.Dockerfile
+++ b/dockerfiles/util/inspector.Dockerfile
@@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/util/keygen.Dockerfile b/dockerfiles/util/keygen.Dockerfile
index 24750d73..66a89a7f 100644
--- a/dockerfiles/util/keygen.Dockerfile
+++ b/dockerfiles/util/keygen.Dockerfile
@@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-keygen \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/init-container.Dockerfile b/dockerfiles/vsecm-ist-fips/init-container.Dockerfile
index 1366b621..2177170c 100644
--- a/dockerfiles/vsecm-ist-fips/init-container.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/init-container.Dockerfile
@@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/keystone.Dockerfile b/dockerfiles/vsecm-ist-fips/keystone.Dockerfile
index decca563..1e345c3f 100644
--- a/dockerfiles/vsecm-ist-fips/keystone.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/keystone.Dockerfile
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/safe.Dockerfile b/dockerfiles/vsecm-ist-fips/safe.Dockerfile
index 1d92909f..adbbf231 100644
--- a/dockerfiles/vsecm-ist-fips/safe.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/safe.Dockerfile
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile b/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile
index dbcd6d5e..ac6ca556 100644
--- a/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile b/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile
index e244352c..51bf573c 100644
--- a/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/init-container.Dockerfile b/dockerfiles/vsecm-ist/init-container.Dockerfile
index 0813ae4e..64fc8bf0 100644
--- a/dockerfiles/vsecm-ist/init-container.Dockerfile
+++ b/dockerfiles/vsecm-ist/init-container.Dockerfile
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-init-container \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/keystone.Dockerfile b/dockerfiles/vsecm-ist/keystone.Dockerfile
index 6750723d..37ece904 100644
--- a/dockerfiles/vsecm-ist/keystone.Dockerfile
+++ b/dockerfiles/vsecm-ist/keystone.Dockerfile
@@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-keystone \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/safe.Dockerfile b/dockerfiles/vsecm-ist/safe.Dockerfile
index 09df6848..6e0dc9a2 100644
--- a/dockerfiles/vsecm-ist/safe.Dockerfile
+++ b/dockerfiles/vsecm-ist/safe.Dockerfile
@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-safe ./app/safe/cm
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/sentinel.Dockerfile b/dockerfiles/vsecm-ist/sentinel.Dockerfile
index a03081c9..0aeed59a 100644
--- a/dockerfiles/vsecm-ist/sentinel.Dockerfile
+++ b/dockerfiles/vsecm-ist/sentinel.Dockerfile
@@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth ./app/sentinel/bac
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/sidecar.Dockerfile b/dockerfiles/vsecm-ist/sidecar.Dockerfile
index c312805b..ffd0511a 100644
--- a/dockerfiles/vsecm-ist/sidecar.Dockerfile
+++ b/dockerfiles/vsecm-ist/sidecar.Dockerfile
@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-sidecar ./app/side
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.3"
+ENV APP_VERSION="0.27.4"
 LABEL "maintainers"="VSecM Maintainers "
 LABEL "version"=$APP_VERSION
diff --git a/docs/config.toml b/docs/config.toml
index f0dc9ace..7fbe816b 100644
--- a/docs/config.toml
+++ b/docs/config.toml
@@ -22,4 +22,4 @@ smart_punctuation = true
 [extra]
 author = "VMware Secrets Manager Contributors"
-version = "0.27.3"
+version = "0.27.4"
diff --git a/examples/operator_decrpyt_secrets/reveal.sh b/examples/operator_decrpyt_secrets/reveal.sh
index fc30806f..5a997bec 100644
--- a/examples/operator_decrpyt_secrets/reveal.sh
+++ b/examples/operator_decrpyt_secrets/reveal.sh
@@ -9,7 +9,7 @@ # <>/' Copyright 2023-present VMware Secrets Manager contributors.
 # >/' SPDX-License-Identifier: BSD-2-Clause
 # */
-VERSION="0.27.3"
+VERSION="0.27.4"
 docker run --rm \ -v "$(pwd)":/vsecm \
diff --git a/examples/workshop_aegis/init-container/Deployment.yaml b/examples/workshop_aegis/init-container/Deployment.yaml
index 9f52ebd8..4860176d 100644
--- a/examples/workshop_aegis/init-container/Deployment.yaml
+++ b/examples/workshop_aegis/init-container/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-using-init-container:0.27.3
+ image: vsecm/example-using-init-container:0.27.4
 env:
 - name: SECRET
 valueFrom:
@@ -50,7 +50,7 @@ spec:
 # See `./register.sh` to register the workload and finalize
 # this init container.
 - name: init-container
- image: vsecm/vsecm-ist-init-container:0.27.3
+ image: vsecm/vsecm-ist-init-container:0.27.4
 volumeMounts:
 # Volume mount for SPIRE unix domain socket.
 - name: spire-agent-socket
diff --git a/examples/workshop_aegis/init-container/image-override.yaml b/examples/workshop_aegis/init-container/image-override.yaml
index 660bfba2..33944c41 100644
--- a/examples/workshop_aegis/init-container/image-override.yaml
+++ b/examples/workshop_aegis/init-container/image-override.yaml
@@ -18,7 +18,7 @@ spec:
 spec:
 containers:
 - name: main
- image: localhost:5000/example-using-init-container:0.27.3
+ image: localhost:5000/example-using-init-container:0.27.4
 initContainers:
 - name: init-container
- image: localhost:5000/vsecm-ist-init-container:0.27.3
+ image: localhost:5000/vsecm-ist-init-container:0.27.4
diff --git a/examples/workshop_aegis/inspector/Deployment.yaml b/examples/workshop_aegis/inspector/Deployment.yaml
index f84e2ac9..e0ef2bf1 100644
--- a/examples/workshop_aegis/inspector/Deployment.yaml
+++ b/examples/workshop_aegis/inspector/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: vsecm-inspector
 containers:
 - name: main
- image: vsecm/example-multiple-secrets:0.27.3
+ image: vsecm/example-multiple-secrets:0.27.4
 volumeMounts:
 # Volume mount for SPIRE unix domain socket.
 - name: spire-agent-socket
diff --git a/examples/workshop_aegis/inspector/image-override.yaml b/examples/workshop_aegis/inspector/image-override.yaml
index 5420d5e5..09d9ddcf 100644
--- a/examples/workshop_aegis/inspector/image-override.yaml
+++ b/examples/workshop_aegis/inspector/image-override.yaml
@@ -18,7 +18,7 @@ spec:
 spec:
 containers:
 - name: main
- image: localhost:5000/example-multiple-secrets:0.27.3
+ image: localhost:5000/example-multiple-secrets:0.27.4
 env:
 - name: VSECM_LOG_LEVEL
 value: "7"
\ No newline at end of file
diff --git a/examples/workshop_aegis/sdk/Deployment.yaml b/examples/workshop_aegis/sdk/Deployment.yaml
index 197b7e0b..564597d3 100644
--- a/examples/workshop_aegis/sdk/Deployment.yaml
+++ b/examples/workshop_aegis/sdk/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-using-sdk-go:0.27.3
+ image: vsecm/example-using-sdk-go:0.27.4
 volumeMounts:
 # Volume mount for SPIRE unix domain socket.
 - name: spire-agent-socket
diff --git a/examples/workshop_aegis/sdk/image-override.yaml b/examples/workshop_aegis/sdk/image-override.yaml
index 61345b9b..9c526efb 100644
--- a/examples/workshop_aegis/sdk/image-override.yaml
+++ b/examples/workshop_aegis/sdk/image-override.yaml
@@ -18,4 +18,4 @@ spec:
 spec:
 containers:
 - name: main
- image: localhost:5000/example-using-sdk:0.27.3
+ image: localhost:5000/example-using-sdk:0.27.4
diff --git a/examples/workshop_aegis/sidecar/Deployment.yaml b/examples/workshop_aegis/sidecar/Deployment.yaml
index 7454eeac..2b471ba8 100644
--- a/examples/workshop_aegis/sidecar/Deployment.yaml
+++ b/examples/workshop_aegis/sidecar/Deployment.yaml
@@ -28,13 +28,13 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-using-sidecar:0.27.3
+ image: vsecm/example-using-sidecar:0.27.4
 volumeMounts:
 # `main` shares this volume with `sidecar`.
 - mountPath: /opt/vsecm
 name: vsecm-secrets-volume
 - name: sidecar
- image: vsecm/vsecm-ist-sidecar:0.27.3
+ image: vsecm/vsecm-ist-sidecar:0.27.4
 volumeMounts:
 # /opt/vsecm/secrets.json is the place the secrets will be at.
 - mountPath: /opt/vsecm
diff --git a/examples/workshop_aegis/sidecar/image-override.yaml b/examples/workshop_aegis/sidecar/image-override.yaml
index 2144e4fd..b2ef696d 100644
--- a/examples/workshop_aegis/sidecar/image-override.yaml
+++ b/examples/workshop_aegis/sidecar/image-override.yaml
@@ -18,6 +18,6 @@ spec:
 spec:
 containers:
 - name: main
- image: localhost:5000/example-using-sidecar:0.27.3
+ image: localhost:5000/example-using-sidecar:0.27.4
 - name: sidecar
- image: localhost:5000/vsecm-ist-sidecar:0.27.3
+ image: localhost:5000/vsecm-ist-sidecar:0.27.4
diff --git a/examples/workshop_federation/cluster-1/inspector/Deployment.yaml b/examples/workshop_federation/cluster-1/inspector/Deployment.yaml
index 814e0624..1d422cd0 100644
--- a/examples/workshop_federation/cluster-1/inspector/Deployment.yaml
+++ b/examples/workshop_federation/cluster-1/inspector/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: vsecm-inspector
 containers:
 - name: main
- image: localhost:32000/example-multiple-secrets:0.27.3
+ image: localhost:32000/example-multiple-secrets:0.27.4
 volumeMounts:
 - name: spire-agent-socket
 mountPath: /spire-agent-socket
diff --git a/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml b/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml
index a4f21d88..017e2cb3 100644
--- a/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml
+++ b/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml
@@ -31,7 +31,7 @@ spec:
 serviceAccountName: vsecm-sentinel
 containers:
 - name: main
- image: localhost:32000/vsecm-ist-sentinel:0.27.3
+ image: localhost:32000/vsecm-ist-sentinel:0.27.4
 volumeMounts:
 - name: spire-agent-socket
 mountPath: /spire-agent-socket
diff --git a/examples/workshop_federation/cluster-2/safe/Deployment.yaml b/examples/workshop_federation/cluster-2/safe/Deployment.yaml
index 9441d500..2462d4a6 100644
--- a/examples/workshop_federation/cluster-2/safe/Deployment.yaml
+++ b/examples/workshop_federation/cluster-2/safe/Deployment.yaml
@@ -31,7 +31,7 @@ spec:
 serviceAccountName: vsecm-safe
 containers:
 - name: main
- image: localhost:32000/vsecm-ist-safe:0.27.3
+ image: localhost:32000/vsecm-ist-safe:0.27.4
 ports:
 - containerPort: 8443
 volumeMounts:
diff --git a/examples/workshop_istanbul_gophers/k8s/Deployment.yaml b/examples/workshop_istanbul_gophers/k8s/Deployment.yaml
index fd600668..a0e0c3fa 100644
--- a/examples/workshop_istanbul_gophers/k8s/Deployment.yaml
+++ b/examples/workshop_istanbul_gophers/k8s/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: vsecm-inspector
 containers:
 - name: main
- image: localhost:5000/vsecm-inspector:0.27.3
+ image: localhost:5000/vsecm-inspector:0.27.4
 volumeMounts:
 - name: spire-agent-socket
 mountPath: /spire-agent-socket
diff --git a/examples/workshop_spiffe_federation/clusters/azmodan/k8s/spire/spire-controller-manager-config.yaml b/examples/workshop_spiffe_federation/clusters/azmodan/k8s/spire/spire-controller-manager-config.yaml
index f3db7c9e..2f5bedb6 100644
--- a/examples/workshop_spiffe_federation/clusters/azmodan/k8s/spire/spire-controller-manager-config.yaml
+++ b/examples/workshop_spiffe_federation/clusters/azmodan/k8s/spire/spire-controller-manager-config.yaml
@@ -12,7 +12,7 @@ data: name: spire-controller-manager namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" diff --git a/examples/workshop_spiffe_federation/clusters/azmodan/k8s/spire/spire.yaml b/examples/workshop_spiffe_federation/clusters/azmodan/k8s/spire/spire.yaml index e73d9451..8693a8ce 100644 --- a/examples/workshop_spiffe_federation/clusters/azmodan/k8s/spire/spire.yaml +++ b/examples/workshop_spiffe_federation/clusters/azmodan/k8s/spire/spire.yaml @@ -5,7 +5,7 @@ metadata: name: spire-agent namespace: spire-system labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: agent app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -17,7 +17,7 @@ metadata: name: spire-server namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -29,7 +29,7 @@ metadata: name: spire-spiffe-csi-driver namespace: spire-system labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: spiffe-csi-driver app.kubernetes.io/instance: spire app.kubernetes.io/version: "0.2.3" @@ -221,7 +221,7 @@ metadata: name: spire-controller-manager-webhook namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -243,7 +243,7 @@ metadata: name: spire-server namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" 
@@ -265,7 +265,7 @@ metadata: name: spire-agent namespace: spire-system labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: agent app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -410,7 +410,7 @@ metadata: name: spire-spiffe-csi-driver namespace: spire-system labels: - hhelm.sh/chart: spire-0.27.3 + hhelm.sh/chart: spire-0.27.4 app.kubernetes.io/name: spiffe-csi-driver app.kubernetes.io/instance: spire app.kubernetes.io/version: "0.2.3" @@ -531,7 +531,7 @@ metadata: namespace: spire-server labels: app: spire-server - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -790,7 +790,7 @@ metadata: name: spire-server-post-install namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -805,7 +805,7 @@ metadata: name: spire-server-post-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -820,7 +820,7 @@ metadata: name: spire-server-pre-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -922,7 +922,7 @@ metadata: name: spire-server-post-install namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" 
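Review bot: The label key on the changed line of the `@@ -410,7 +410,7 @@` hunk is `hhelm.sh/chart`, a doubled-`h` typo of `helm.sh/chart`; the bump rewrites its value but keeps the misspelled key, so the `spire-spiffe-csi-driver` resource around line 410 carries a different chart label than every other resource in the file. The same typo is bumped unchanged in the corresponding hunks of the baal, diablo and mephisto `spire.yaml` files (`@@ -421`, `@@ -419` and `@@ -419`). The line should read `helm.sh/chart: spire-0.27.4`; since these manifests look rendered from the Helm chart, the fix probably belongs in the template that emits them rather than in the rendered files alone. Until then anything that selects or audits on `helm.sh/chart` will silently skip this resource.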
@@ -983,7 +983,7 @@ metadata: name: spire-server-post-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -1043,7 +1043,7 @@ metadata: name: spire-server-pre-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" diff --git a/examples/workshop_spiffe_federation/clusters/baal/k8s/spire/spire-controller-manager-config.yaml b/examples/workshop_spiffe_federation/clusters/baal/k8s/spire/spire-controller-manager-config.yaml index 6ce0be5e..ec60afee 100644 --- a/examples/workshop_spiffe_federation/clusters/baal/k8s/spire/spire-controller-manager-config.yaml +++ b/examples/workshop_spiffe_federation/clusters/baal/k8s/spire/spire-controller-manager-config.yaml @@ -23,7 +23,7 @@ data: name: spire-controller-manager namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" diff --git a/examples/workshop_spiffe_federation/clusters/baal/k8s/spire/spire.yaml b/examples/workshop_spiffe_federation/clusters/baal/k8s/spire/spire.yaml index 21fd7082..0fadc44a 100644 --- a/examples/workshop_spiffe_federation/clusters/baal/k8s/spire/spire.yaml +++ b/examples/workshop_spiffe_federation/clusters/baal/k8s/spire/spire.yaml @@ -16,7 +16,7 @@ metadata: name: spire-agent namespace: spire-system labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: agent app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" 
@@ -28,7 +28,7 @@ metadata: name: spire-server namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -40,7 +40,7 @@ metadata: name: spire-spiffe-csi-driver namespace: spire-system labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: spiffe-csi-driver app.kubernetes.io/instance: spire app.kubernetes.io/version: "0.2.3" @@ -232,7 +232,7 @@ metadata: name: spire-controller-manager-webhook namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -254,7 +254,7 @@ metadata: name: spire-server namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -276,7 +276,7 @@ metadata: name: spire-agent namespace: spire-system labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: agent app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -421,7 +421,7 @@ metadata: name: spire-spiffe-csi-driver namespace: spire-system labels: - hhelm.sh/chart: spire-0.27.3 + hhelm.sh/chart: spire-0.27.4 app.kubernetes.io/name: spiffe-csi-driver app.kubernetes.io/instance: spire app.kubernetes.io/version: "0.2.3" @@ -542,7 +542,7 @@ metadata: namespace: spire-server labels: app: spire-server - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -801,7 +801,7 @@ metadata: name: spire-server-post-install namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" 
@@ -816,7 +816,7 @@ metadata: name: spire-server-post-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -831,7 +831,7 @@ metadata: name: spire-server-pre-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -933,7 +933,7 @@ metadata: name: spire-server-post-install namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -994,7 +994,7 @@ metadata: name: spire-server-post-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -1054,7 +1054,7 @@ metadata: name: spire-server-pre-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" diff --git a/examples/workshop_spiffe_federation/clusters/diablo/k8s/spire/spire-controller-manager-config.yaml b/examples/workshop_spiffe_federation/clusters/diablo/k8s/spire/spire-controller-manager-config.yaml index 8b1db49a..85155788 100644 --- a/examples/workshop_spiffe_federation/clusters/diablo/k8s/spire/spire-controller-manager-config.yaml +++ b/examples/workshop_spiffe_federation/clusters/diablo/k8s/spire/spire-controller-manager-config.yaml @@ -22,7 +22,7 @@ data: name: spire-controller-manager namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" 
diff --git a/examples/workshop_spiffe_federation/clusters/diablo/k8s/spire/spire.yaml b/examples/workshop_spiffe_federation/clusters/diablo/k8s/spire/spire.yaml index 0b926588..1c8093b5 100644 --- a/examples/workshop_spiffe_federation/clusters/diablo/k8s/spire/spire.yaml +++ b/examples/workshop_spiffe_federation/clusters/diablo/k8s/spire/spire.yaml @@ -14,7 +14,7 @@ metadata: name: spire-agent namespace: spire-system labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: agent app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -26,7 +26,7 @@ metadata: name: spire-server namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -38,7 +38,7 @@ metadata: name: spire-spiffe-csi-driver namespace: spire-system labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: spiffe-csi-driver app.kubernetes.io/instance: spire app.kubernetes.io/version: "0.2.3" @@ -230,7 +230,7 @@ metadata: name: spire-controller-manager-webhook namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -252,7 +252,7 @@ metadata: name: spire-server namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -274,7 +274,7 @@ metadata: name: spire-agent namespace: spire-system labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: agent app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" 
@@ -419,7 +419,7 @@ metadata: name: spire-spiffe-csi-driver namespace: spire-system labels: - hhelm.sh/chart: spire-0.27.3 + hhelm.sh/chart: spire-0.27.4 app.kubernetes.io/name: spiffe-csi-driver app.kubernetes.io/instance: spire app.kubernetes.io/version: "0.2.3" @@ -540,7 +540,7 @@ metadata: namespace: spire-server labels: app: spire-server - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -799,7 +799,7 @@ metadata: name: spire-server-post-install namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -814,7 +814,7 @@ metadata: name: spire-server-post-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -829,7 +829,7 @@ metadata: name: spire-server-pre-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -931,7 +931,7 @@ metadata: name: spire-server-post-install namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -992,7 +992,7 @@ metadata: name: spire-server-post-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" 
@@ -1052,7 +1052,7 @@ metadata: name: spire-server-pre-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" diff --git a/examples/workshop_spiffe_federation/clusters/mephisto/k8s/spire/spire-controller-manager-config.yaml b/examples/workshop_spiffe_federation/clusters/mephisto/k8s/spire/spire-controller-manager-config.yaml index e490eed6..2ef1840f 100644 --- a/examples/workshop_spiffe_federation/clusters/mephisto/k8s/spire/spire-controller-manager-config.yaml +++ b/examples/workshop_spiffe_federation/clusters/mephisto/k8s/spire/spire-controller-manager-config.yaml @@ -22,7 +22,7 @@ data: name: spire-controller-manager namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" diff --git a/examples/workshop_spiffe_federation/clusters/mephisto/k8s/spire/spire.yaml b/examples/workshop_spiffe_federation/clusters/mephisto/k8s/spire/spire.yaml index 0b926588..1c8093b5 100644 --- a/examples/workshop_spiffe_federation/clusters/mephisto/k8s/spire/spire.yaml +++ b/examples/workshop_spiffe_federation/clusters/mephisto/k8s/spire/spire.yaml @@ -14,7 +14,7 @@ metadata: name: spire-agent namespace: spire-system labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: agent app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -26,7 +26,7 @@ metadata: name: spire-server namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" 
@@ -38,7 +38,7 @@ metadata: name: spire-spiffe-csi-driver namespace: spire-system labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: spiffe-csi-driver app.kubernetes.io/instance: spire app.kubernetes.io/version: "0.2.3" @@ -230,7 +230,7 @@ metadata: name: spire-controller-manager-webhook namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -252,7 +252,7 @@ metadata: name: spire-server namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -274,7 +274,7 @@ metadata: name: spire-agent namespace: spire-system labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: agent app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -419,7 +419,7 @@ metadata: name: spire-spiffe-csi-driver namespace: spire-system labels: - hhelm.sh/chart: spire-0.27.3 + hhelm.sh/chart: spire-0.27.4 app.kubernetes.io/name: spiffe-csi-driver app.kubernetes.io/instance: spire app.kubernetes.io/version: "0.2.3" @@ -540,7 +540,7 @@ metadata: namespace: spire-server labels: app: spire-server - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -799,7 +799,7 @@ metadata: name: spire-server-post-install namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" 
@@ -814,7 +814,7 @@ metadata: name: spire-server-post-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -829,7 +829,7 @@ metadata: name: spire-server-pre-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -931,7 +931,7 @@ metadata: name: spire-server-post-install namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -992,7 +992,7 @@ metadata: name: spire-server-post-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -1052,7 +1052,7 @@ metadata: name: spire-server-pre-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.3 + helm.sh/chart: spire-0.27.4 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" diff --git a/examples/workshop_vsecm/hack/015-reveal-secrets.sh b/examples/workshop_vsecm/hack/015-reveal-secrets.sh index 52daa1c9..cc6f0d3d 100644 --- a/examples/workshop_vsecm/hack/015-reveal-secrets.sh +++ b/examples/workshop_vsecm/hack/015-reveal-secrets.sh @@ -10,7 +10,7 @@ # >/' SPDX-License-Identifier: BSD-2-Clause # */ -VERSION="0.27.3" +VERSION="0.27.4" eval "$(minikube docker-env -u)" diff --git a/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml b/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml index 5fbfd353..75d79a1a 100644 --- a/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml 
+++ b/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-init-container:0.27.3 + image: vsecm/example-using-init-container:0.27.4 env: - name: SECRET valueFrom: @@ -53,7 +53,7 @@ spec: initContainers: - name: init-container - image: vsecm/vsecm-ist-init-container:0.27.3 + image: vsecm/vsecm-ist-init-container:0.27.4 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/examples/workshop_vsecm/workloads/inspector/Deployment.yaml b/examples/workshop_vsecm/workloads/inspector/Deployment.yaml index 14b5770d..060f496d 100644 --- a/examples/workshop_vsecm/workloads/inspector/Deployment.yaml +++ b/examples/workshop_vsecm/workloads/inspector/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: vsecm-inspector containers: - name: main - image: vsecm/example-multiple-secrets:0.27.3 + image: vsecm/example-multiple-secrets:0.27.4 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml b/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml index 755c71e0..013e812e 100644 --- a/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml +++ b/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml @@ -21,7 +21,7 @@ spec: spec: initContainers: - name: init-container - image: vsecm/vsecm-ist-init-container:0.27.3 + image: vsecm/vsecm-ist-init-container:0.27.4 volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/hack/create-custom-manifest.sh b/hack/create-custom-manifest.sh index f3470478..8448a665 100755 --- a/hack/create-custom-manifest.sh +++ b/hack/create-custom-manifest.sh 
@@ -10,5 +10,5 @@ # >/' SPDX-License-Identifier: BSD-2-Clause # */ -cp ./helm-charts/0.27.3/values-custom.yaml ./helm-charts/0.27.3/values.yaml -make k8s-manifests-update VERSION=0.27.3 +cp ./helm-charts/0.27.4/values-custom.yaml ./helm-charts/0.27.4/values.yaml +make k8s-manifests-update VERSION=0.27.4 diff --git a/hack/tag-docker.sh b/hack/tag-docker.sh index 10149fd5..bb2924d5 100755 --- a/hack/tag-docker.sh +++ b/hack/tag-docker.sh @@ -15,7 +15,7 @@ # and we should not need to pull the images and sign them again. # So we'd rarely (if ever) need to use this script. -VERSION="0.27.3" +VERSION="0.27.4" export DOCKER_CONTENT_TRUST=0 diff --git a/helm-charts-playground/app/main.go b/helm-charts-playground/app/main.go index b8ddca66..9edfe623 100644 --- a/helm-charts-playground/app/main.go +++ b/helm-charts-playground/app/main.go @@ -117,12 +117,12 @@ func copyVSecMCrds(inputDir, outputDir string) { } func main() { - inputFile := "/Users/volkan/Desktop/WORKSPACE/secrets-manager/k8s/0.27.3/spire.yaml" + inputFile := "/Users/volkan/Desktop/WORKSPACE/secrets-manager/k8s/0.27.4/spire.yaml" outputDir := "/Users/volkan/Desktop/WORKSPACE/secrets-manager/helm-charts-playground/vsecm-manifests" createManifests(inputFile, outputDir) - //inputDir := "/Users/volkan/Desktop/WORKSPACE/secrets-manager/k8s/0.27.3/crds" + //inputDir := "/Users/volkan/Desktop/WORKSPACE/secrets-manager/k8s/0.27.4/crds" //outputDir = "/Users/volkan/Desktop/WORKSPACE/secrets-manager/helm-charts-playground/vsecm-manifests/crds" // //copyVSecMCrds(inputDir, outputDir) diff --git a/helm-charts/0.27.3/Chart.yaml b/helm-charts/0.27.3/Chart.yaml deleted file mode 100644 index 7c089474..00000000 --- a/helm-charts/0.27.3/Chart.yaml +++ /dev/null 
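Review bot: `inputFile` and `outputDir` in `main` are absolute paths under `/Users/volkan/Desktop/WORKSPACE/...`, so this release bump edits a developer-machine path in committed code and the program only runs on that one workstation. Deriving the release once, e.g. `version := flag.String("version", "0.27.4", "VSecM release whose k8s manifests to read")` together with a workspace-root flag and `filepath.Join`, would make the next bump a single change and let other contributors run the playground. The commented-out `inputDir` line carries the same hard-coded path and was bumped too, which suggests the value is meant to be shared rather than repeated. `main`'s closing brace is outside the hunk.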
@@ -1,69 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v2 -name: vsecm -description: Helm chart for VMware Secrets Manager - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application -sources: -- https://github.com/vmware-tanzu/secrets-manager - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.27.3 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. 
-appVersion: "0.27.3" -home: https://vsecm.com/ - -icon: https://vsecm.com/assets/vsecm-256.png - -keywords: - - secrets - - kubernetes - - secrets-manager - - spire - - spiffe - - zero-trust - - cloud-native - - edge - - secret-management - - security - -dependencies: - - name: keystone - repository: file://charts/keystone - version: 0.27.3 - condition: global.deployKeystone - - name: spire - repository: file://charts/spire - version: 0.27.3 - condition: global.deploySpire - - name: safe - repository: file://charts/safe - version: 0.27.3 - condition: global.deploySafe - - name: sentinel - repository: file://charts/sentinel - version: 0.27.3 - condition: global.deploySentinel diff --git a/helm-charts/0.27.3/README.md b/helm-charts/0.27.3/README.md deleted file mode 100644 index 28044d30..00000000 --- a/helm-charts/0.27.3/README.md +++ /dev/null 
@@ -1,150 +0,0 @@ -# VMware Secrets Manager (VSecM) Helm Chart - -VMware Secrets Manager keeps your secrets secret. With VSecM, you can rest assured -that your sensitive data is always secure and protected. VSecM is perfect for -securely storing arbitrary configuration information at a central location and -securely dispatching it to workloads. - -![Version: 0.27.3](https://img.shields.io/badge/Version-0.27.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.3](https://img.shields.io/badge/AppVersion-0.27.3-informational?style=flat-square) - -[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/vsecm)](https://artifacthub.io/packages/helm/vsecm/vsecm) - -## Quickstart - -To use VMware Secrets Manager, follow the steps below: - -1. Add VMware Secrets Manager Helm repository: - - ```bash - helm repo add vsecm https://vmware-tanzu.github.io/secrets-manager/ - ``` - -2. Update the helm repository: - - ```bash - helm repo update - ``` - -3. Install VMware Secrets Manager using Helm: - - ```bash - helm install vsecm vsecm/vsecm --version 0.27.3 - ``` - -## Options - -The following options can be passed to the `helm install` command to set global -variables: - -*`--set global.deploySpire=`: - This flag can be passed to install or skip SPIRE. -*`--set global.baseImage=`: - This flag can be passed to install VSecM with the given baseImage Docker image. - -Default values are `true` and `distroless` for `global.deploySpire` -and `global.baseImage` respectively. - -Here's an example command with the above options: - -```bash -helm install vsecm vsecm/helm-charts --version 0.27.3 \ - --set global.deploySpire=true --set global.baseImage=distroless -``` - -Make sure to replace `` and -`` with the desired values. - -## Environment Configuration - -**VMware Secrets Manager** can be tweaked further using environment variables. 
- -[Check out **Configuring VSecM** on the official documentation][configuring-vsecm] -for details. - -These environment variable configurations are expose through subcharts. -You can modify them as follows: - -```bash -helm install vsecm vsecm/helm-charts --version 0.27.3 \ ---set safe.environments.VSECM_LOG_LEVEL="6" ---set sentinel.environments.VSECM_LOGL_LEVEL="5" -# You can update other environment variables too. -# Most of the time VSecM assumes sane defaults if you don't set them. -``` - -[configuring-vsecm]: https://vsecm.com/docs/configuration/ - -## Subcharts - -For further details about subcharts follow these links: - -* [VSecM Safe](charts/safe/README.md) -* [VSecM Sentinel](charts/sentinel/README.md) -* [VsecM Keystone](charts/keystone/README.md) -* [SPIRE](charts/spire/README.md) - -Please check out [the official **VSecM** documentation][ducks] -for more information about **VSecM** components and the overall -**VSecM** architecture. - -[ducks]: https://vsecm.com/documentation/welcome/overview/ - -## Detailed Documentation - -The sections below are autogenerated from chart source code: - -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| file://charts/keystone | keystone | 0.27.3 | -| file://charts/safe | safe | 0.27.3 | -| file://charts/sentinel | sentinel | 0.27.3 | -| file://charts/spire | spire | 0.27.3 | - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| global.baseImage | string | `"distroless"` | Possible options for baseImage (distroless, distroless-fips). When in doubt, stick with distroless. | -| global.deployKeystone | bool | `true` | Deploy the Keystone VSecM component. VSecM Keystone is a lightweight Pod that is initialized only after VSecM Sentinel completes it `initCommand` initialization sequence. | -| global.deploySentinel | bool | `true` | Deploy VSecM Sentinel. VSecM Sentinel is the only admin interface where you can register secrets. 
For best security, you might want to disable the initial deployment of it. This way, you can deploy VSecM Sentinel off-cycle later when you need it. | -| global.deploySpire | bool | `true` | Deploy SPIRE components. If set to false, SPIRE components will not be deployed. This is useful when SPIRE is already deployed in the cluster. | -| global.enableKAppAnnotations | bool | `false` | Set it to true to enable kapp annotations. This is useful when you are using kapp to deploy the VSecM components. (ref: https://carvel.dev/kapp/) | -| global.enableOpenShift | bool | `false` | Set it to true for OpenShift deployments. This will add necessary annotations to the SPIRE components to make them work on OpenShift. | -| global.images | object | `{"initContainer":{"repository":"vsecm-ist-init-container","tag":"0.27.3"},"keystone":{"distrolessFipsRepository":"vsecm-ist-fips-keystone","distrolessRepository":"vsecm-ist-keystone","pullPolicy":"IfNotPresent","tag":"0.27.3"},"nodeDriverRegistrar":{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"},"openShiftHelperUbi9":{"pullPolicy":"IfNotPresent","repository":"registry.access.redhat.com/ubi9","tag":"latest"},"safe":{"distrolessFipsRepository":"vsecm-ist-fips-safe","distrolessRepository":"vsecm-ist-safe","pullPolicy":"IfNotPresent","tag":"0.27.3"},"sentinel":{"distrolessFipsRepository":"vsecm-ist-fips-sentinel","distrolessRepository":"vsecm-ist-sentinel","pullPolicy":"IfNotPresent","tag":"0.27.3"},"spiffeCsiDriver":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"},"spireAgent":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6"},"spireControllerManager":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"},"spireHelperBash":{"pullPolicy":"IfNotPresent","repository":"cgr.dev/chainguard/bash","tag":"latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d
884a03938baf1b352dc4d"},"spireHelperKubectl":{"pullPolicy":"IfNotPresent","repository":"docker.io/rancher/kubectl","tag":"v1.28.0"},"spireServer":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6"}}` | Where to find the dependent images of VSecM. Normally, you would not need to modify this. | -| global.images.nodeDriverRegistrar | object | `{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"}` | Container registry details of SPIFFE CSI Node Driver Registrar. | -| global.images.spiffeCsiDriver | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"}` | Container registry details of SPIFFE CSI Driver. | -| global.images.spireAgent | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6"}` | Container registry details of SPIRE Agent. | -| global.images.spireControllerManager | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"}` | Container registry details of SPIRE Controller Manager. | -| global.images.spireServer | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6"}` | Container registry details of SPIRE Server. | -| global.preInstallSpireNamespaces | bool | `true` | Set it to true to enable the pre-installation of the SPIRE namespaces. If set to false, the SPIRE namespaces will not be pre-installed; you will need to create `spire-system` and `spire-server` namespaces manually. | -| global.preInstallVSecMNamespaces | bool | `true` | Set it to true to enable the pre-installation of the VSecM namespaces. If set to false, the VSecM namespaces will not be pre-installed; you will need to create a `vsecm-system` namespace manually. | -| global.registry | string | `"vsecm"` | Registry url. Defaults to "vsecm", which points to the public vsecm DockerHub registry: . 
|
-| global.spire | object | `{"caCommonName":"vsecm.com","caCountry":"US","caOrganization":"vsecm.com","controllerManagerClassName":"vsecm","federationEnabled":false,"logLevel":"DEBUG","namespace":"spire-system","serverAddress":"spire-server.spire-server.svc.cluster.local","serverNamespace":"spire-server","serverPort":443,"trustDomain":"vsecm.com"}` | SPIRE-related global configuration. |
-| global.spire.caCommonName | string | `"vsecm.com"` | The SPIRE CA common name. |
-| global.spire.caCountry | string | `"US"` | The SPIRE CA country. |
-| global.spire.caOrganization | string | `"vsecm.com"` | The SPIRE CA organization. |
-| global.spire.controllerManagerClassName | string | `"vsecm"` | This is the className that ClusterSPIFFEIDs will use to be able to register their SPIFFE IDs with the SPIRE Server. |
-| global.spire.federationEnabled | bool | `false` | Enable federation. If set to true, SPIRE Server will be configured to federate with other SPIRE Servers. This is useful when you have multiple clusters, and you want to establish trust between them. |
-| global.spire.logLevel | string | `"DEBUG"` | The log level of the SPIRE components. This is useful for debugging. |
-| global.spire.namespace | string | `"spire-system"` | This is the namespace where the SPIRE components will be deployed. |
-| global.spire.serverAddress | string | `"spire-server.spire-server.svc.cluster.local"` | The SPIRE Server address. This is the address where the SPIRE Server that the agents will connect to. This address is in the form of ..svc.cluster.local unless you have a custom setup. |
-| global.spire.serverNamespace | string | `"spire-server"` | It is best to keep the SPIRE server namespace separate from other SPIRE components for an added layer of security. |
-| global.spire.serverPort | int | `443` | The SPIRE Server port. This is the port where the SPIRE Server will listen for incoming connections. This is the port of the SPIRE server k8s Service.
|
-| global.spire.trustDomain | string | `"vsecm.com"` | The trust domain is the root of the SPIFFE ID hierarchy. It is used to identify the trust domain of a workload. If you use anything other than the default `vsecm.com`, you must also update the relevant environment variables that does SPIFFE ID validation. To prevent accidental collisions (two trust domains select identical names), operators are advised to select trust domain names which are highly likely to be globally unique. Even though a trust domain name is not a DNS name, using a registered domain name as a suffix of a trust domain name, when available, will reduce chances of an accidental collision; for example, if a trust domain operator owns the domain name `example.com`, then using a trust domain name such as `apps.example.com` would likely not produce a collision. When trust domain names are automatically generated without operator input, randomly generating a unique name (such as a UUID) is strongly advised. All SPIFFE IDs shall be prefixed with `spiffe://` unless you have an advanced custom setup.
|
-| global.vsecm.keystoneSpiffeIdTemplate | string | `"spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"` | |
-| global.vsecm.namespace | string | `"vsecm-system"` | |
-| global.vsecm.safeEndpointUrl | string | `"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/"` | |
-| global.vsecm.safeSpiffeIdPrefix | string | `"^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$"` | |
-| global.vsecm.safeSpiffeIdTemplate | string | `"spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"` | |
-| global.vsecm.sentinelSpiffeIdPrefix | string | `"^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$"` | |
-| global.vsecm.sentinelSpiffeIdTemplate | string | `"spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"` | |
-| global.vsecm.workloadNameRegExp | string | `"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$"` | |
-| global.vsecm.workloadSpiffeIdPrefix | string | `"^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$"` | |
-
-## License
-
-This project is licensed under the [BSD 2-Clause License][license].
-
-[license]: https://github.com/vmware-tanzu/secrets-manager/blob/main/LICENSE
diff --git a/helm-charts/0.27.3/README.md.gotmpl b/helm-charts/0.27.3/README.md.gotmpl
deleted file mode 100644
index 9599f585..00000000
--- a/helm-charts/0.27.3/README.md.gotmpl
+++ /dev/null
@@ -1,104 +0,0 @@
-# VMware Secrets Manager (VSecM) Helm Chart
-
-VMware Secrets Manager keeps your secrets secret. With VSecM, you can rest assured
-that your sensitive data is always secure and protected. VSecM is perfect for
-securely storing arbitrary configuration information at a central location and
-securely dispatching it to workloads.
-
-{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
-
-[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/vsecm)](https://artifacthub.io/packages/helm/vsecm/vsecm)
-
-## Quickstart
-
-To use VMware Secrets Manager, follow the steps below:
-
-1. Add VMware Secrets Manager Helm repository:
-
- ```bash
- helm repo add vsecm https://vmware-tanzu.github.io/secrets-manager/
- ```
-
-2. Update the helm repository:
-
- ```bash
- helm repo update
- ```
-
-3. Install VMware Secrets Manager using Helm:
-
- ```bash
- helm install vsecm vsecm/vsecm --version {{ template "chart.version" . }}
- ```
-
-## Options
-
-The following options can be passed to the `helm install` command to set global
-variables:
-
-*`--set global.deploySpire=`:
- This flag can be passed to install or skip SPIRE.
-*`--set global.baseImage=`:
- This flag can be passed to install VSecM with the given baseImage Docker image.
-
-Default values are `true` and `distroless` for `global.deploySpire`
-and `global.baseImage` respectively.
-
-Here's an example command with the above options:
-
-```bash
-helm install vsecm vsecm/helm-charts --version {{ template "chart.version" . }} \
- --set global.deploySpire=true --set global.baseImage=distroless
-```
-
-Make sure to replace `` and
-`` with the desired values.
-
-## Environment Configuration
-
-**VMware Secrets Manager** can be tweaked further using environment variables.
-
-[Check out **Configuring VSecM** on the official documentation][configuring-vsecm]
-for details.
-
-These environment variable configurations are expose through subcharts.
-You can modify them as follows:
-
-```bash
-helm install vsecm vsecm/helm-charts --version {{ template "chart.version" . }} \
---set safe.environments.VSECM_LOG_LEVEL="6"
---set sentinel.environments.VSECM_LOGL_LEVEL="5"
-# You can update other environment variables too.
-# Most of the time VSecM assumes sane defaults if you don't set them.
-```
-
-[configuring-vsecm]: https://vsecm.com/docs/configuration/
-
-## Subcharts
-
-For further details about subcharts follow these links:
-
-* [VSecM Safe](charts/safe/README.md)
-* [VSecM Sentinel](charts/sentinel/README.md)
-* [VsecM Keystone](charts/keystone/README.md)
-* [SPIRE](charts/spire/README.md)
-
-Please check out [the official **VSecM** documentation][ducks]
-for more information about **VSecM** components and the overall
-**VSecM** architecture.
-
-[ducks]: https://vsecm.com/documentation/welcome/overview/
-
-## Detailed Documentation
-
-The sections below are autogenerated from chart source code:
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}
-
-## License
-
-This project is licensed under the [BSD 2-Clause License][license].
-
-[license]: https://github.com/vmware-tanzu/secrets-manager/blob/main/LICENSE
diff --git a/helm-charts/0.27.3/charts/keystone/.helmignore b/helm-charts/0.27.3/charts/keystone/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/helm-charts/0.27.3/charts/keystone/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/helm-charts/0.27.3/charts/keystone/Chart.yaml b/helm-charts/0.27.3/charts/keystone/Chart.yaml deleted file mode 100644 index 7ac5bc0a..00000000 --- a/helm-charts/0.27.3/charts/keystone/Chart.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v2 -name: keystone -description: Helm chart for keystone - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.27.3 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.27.3" diff --git a/helm-charts/0.27.3/charts/keystone/README.md b/helm-charts/0.27.3/charts/keystone/README.md deleted file mode 100644 index cd4eb4b4..00000000 --- a/helm-charts/0.27.3/charts/keystone/README.md +++ /dev/null 
@@ -1,37 +0,0 @@
-# keystone
-
-![Version: 0.27.3](https://img.shields.io/badge/Version-0.27.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.3](https://img.shields.io/badge/AppVersion-0.27.3-informational?style=flat-square)
-
-Helm chart for keystone
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling settings. Note that, by default, autoscaling is disabled. It does not typically make sense to autoscale VSecM Keystone as it is a control plane component with minimal resource requirements. |
-| environments | list | `[{"name":"VSECM_LOG_LEVEL","value":"7"}]` | See https://vsecm.com/configuration for more information about these environment variables. |
-| environments[0] | object | `{"name":"VSECM_LOG_LEVEL","value":"7"}` | The log level. 0: Logs are off (only audit events will be logged) 7: TRACE level logging (maximum verbosity). |
-| fullnameOverride | string | `""` | The fullname override of the chart. |
-| imagePullSecrets | list | `[]` | Override it with an image pull secret that you need as follows: imagePullSecrets: - name: my-registry-secret |
-| initEnvironments | list | `[{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/spire-agent.sock"},{"name":"VSECM_BACKOFF_DELAY","value":"1000"},{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"},{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"},{"name":"VSECM_BACKOFF_MODE","value":"exponential"},{"name":"VSECM_INIT_CONTAINER_POLL_INTERVAL","value":"5000"},{"name":"VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT","value":"0"},{"name":"VSECM_LOG_LEVEL","value":"7"}]` | See https://vsecm.com/configuration for more information about these environment variables.
|
-| initEnvironments[0] | object | `{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/spire-agent.sock"}` | The SPIFFE endpoint socket. This is used to communicate with the SPIRE agent. If you change this, you will need to change the associated volumeMount in the Deployment.yaml too. The name of the socket should match spireAgent.socketName in values.yaml of the SPIRE chart. |
-| initEnvironments[1] | object | `{"name":"VSECM_BACKOFF_DELAY","value":"1000"}` | The interval between retries (in milliseconds) for the default backoff strategy. |
-| initEnvironments[2] | object | `{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"}` | The maximum number of retries for the default backoff strategy before it gives up. |
-| initEnvironments[3] | object | `{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"}` | The maximum wait time (in milliseconds) for the default backoff strategy. |
-| initEnvironments[4] | object | `{"name":"VSECM_BACKOFF_MODE","value":"exponential"}` | The backoff mode. The default is "exponential". Allowed values: "exponential", "linear" |
-| initEnvironments[5] | object | `{"name":"VSECM_INIT_CONTAINER_POLL_INTERVAL","value":"5000"}` | The interval (in milliseconds) that the VSecM Init Container will poll the VSecM Safe for secrets. |
-| initEnvironments[6] | object | `{"name":"VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT","value":"0"}` | The time (in milliseconds) that the VSecM Init Container will wait before exiting and yielding the control to the main container. |
-| initEnvironments[7] | object | `{"name":"VSECM_LOG_LEVEL","value":"7"}` | The log level. 0: Logs are off (only audit events will be logged) 7: TRACE level logging (maximum verbosity). |
-| livenessPort | int | `8081` | The port of the liveness probe. |
-| nameOverride | string | `""` | The name override of the chart. |
-| podAnnotations | object | `{}` | Additional pod annotations. |
-| podSecurityContext | object | `{}` | Pod security context overrides.
|
-| replicaCount | int | `1` | |
-| resources | object | `{"requests":{"cpu":"5m","memory":"20Mi"}}` | Resource limits and requests. |
-| serviceAccount | object | `{"annotations":{},"create":true,"name":"vsecm-keystone"}` | The service account to use. |
-| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
-| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
-| serviceAccount.name | string | `"vsecm-keystone"` | The name of the service account to use. If not set and 'create' is true, a name is generated using the fullname template. |
-
-----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
diff --git a/helm-charts/0.27.3/charts/keystone/templates/Deployment.yaml b/helm-charts/0.27.3/charts/keystone/templates/Deployment.yaml
deleted file mode 100644
index 51591769..00000000
--- a/helm-charts/0.27.3/charts/keystone/templates/Deployment.yaml
+++ /dev/null
@@ -1,156 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "keystone.fullname" . }}
- namespace: {{ .Values.global.vsecm.namespace }}
- labels:
- {{- include "keystone.labels" . | nindent 4 }}
-spec:
- {{- if not .Values.autoscaling.enabled }}
- replicas: {{ .Values.replicaCount }}
- {{- end }}
- selector:
- matchLabels:
- {{- include "keystone.selectorLabels" . | nindent 6 }}
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "keystone.selectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "keystone.serviceAccountName" . }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
-
- priorityClassName: system-cluster-critical
-
- initContainers:
- - name: init-container
- image: "{{ .Values.global.registry }}/{{ .Values.global.images.initContainer.repository }}:{{ .Values.global.images.initContainer.tag }}"
- imagePullPolicy: {{ .Values.global.images.keystone.pullPolicy }}
- volumeMounts:
- - mountPath: /spire-agent-socket
- name: spire-agent-socket
- readOnly: true
- env:
- #
- # You can configure VSecM Init Container by providing
- # environment variables.
- #
- # See https://vsecm.com/configuration for more information about
- # these environment variables.
- #
- # When you don't explicitly provide env vars here, VMware Secrets Manager
- # Init Container will assume the default values outlined in the given link above.
- #
- {{- $safeInitEndpointUrlSet := false }}
- {{- $safeInitSpiffeIdPrefixSet := false }}
- {{- $workloadInitSpiffeIdPrefixSet := false }}
- {{- $vsecmInitNamespaceSet := false }}
- {{- $spireInitNamespaceSet := false }}
- {{- $spiffeTrustDomainSet := false }}
- {{- $workloadNameRegExpSet := false }}
- {{- range .Values.initEnvironments }}
- {{- if eq .name "VSECM_SAFE_ENDPOINT_URL" }}
- {{- $safeInitEndpointUrlSet = true }}
- {{- end }}
- {{- if eq .name "VSECM_SPIFFEID_PREFIX_SAFE" }}
- {{- $safeInitSpiffeIdPrefixSet = true }}
- {{- end }}
- {{- if eq .name "VSECM_SPIFFEID_PREFIX_WORKLOAD" }}
- {{- $workloadInitSpiffeIdPrefixSet = true }}
- {{- end }}
- {{ if eq .name "VSECM_NAMESPACE_SYSTEM" }}
- {{- $vsecmInitNamespaceSet = true }}
- {{- end }}
- {{ if eq .name "VSECM_NAMESPACE_SPIRE" }}
- {{- $spireInitNamespaceSet = true }}
- {{- end }}
- {{ if eq .name "SPIFFE_TRUST_DOMAIN" }}
- {{- $spiffeTrustDomainSet = true }}
- {{- end }}
- {{- if eq .name "VSECM_WORKLOAD_NAME_REGEXP" }}
- {{- $workloadNameRegExpSet = true }}
- {{- end }}
- - name: {{ .name }}
- value: {{ .value | quote }}
- {{- end }}
- {{- if not $safeInitEndpointUrlSet }}
- - name: VSECM_SAFE_ENDPOINT_URL
- value: {{ .Values.global.vsecm.safeEndpointUrl | quote }}
- {{- end }}
- {{- if not $safeInitSpiffeIdPrefixSet }}
- - name: VSECM_SPIFFEID_PREFIX_SAFE
- value: {{ .Values.global.vsecm.safeSpiffeIdPrefix | quote }}
- {{- end }}
- {{- if not $workloadInitSpiffeIdPrefixSet }}
- - name: VSECM_SPIFFEID_PREFIX_WORKLOAD
- value: {{ .Values.global.vsecm.workloadSpiffeIdPrefix | quote }}
- {{- end }}
- {{- if not $vsecmInitNamespaceSet }}
- - name: VSECM_NAMESPACE_SYSTEM
- value: {{ .Values.global.vsecm.namespace | quote }}
- {{- end }}
- {{- if not $spireInitNamespaceSet }}
- - name: VSECM_NAMESPACE_SPIRE
- value: {{ .Values.global.spire.namespace | quote }}
- {{- end }}
- {{- if not $spiffeTrustDomainSet }}
- - name: SPIFFE_TRUST_DOMAIN
- value: {{ .Values.global.spire.trustDomain | quote }}
- {{- end
}}
- {{- if not $workloadNameRegExpSet }}
- - name: VSECM_WORKLOAD_NAME_REGEXP
- value: {{ .Values.global.vsecm.workloadNameRegExp | quote }}
- {{- end }}
- containers:
- - name: main
- image: "{{ .Values.global.registry }}/{{- include "keystone.repository" .}}:{{ .Values.global.images.keystone.tag }}"
- imagePullPolicy: {{ .Values.global.images.keystone.pullPolicy }}
- volumeMounts:
- - name: spire-agent-socket
- mountPath: /spire-agent-socket
- readOnly: true
- #
- # You can configure VSecM Sentinel by providing
- # environment variables.
- #
- # See https://vsecm.com/configuration for more information about
- # these environment variables.
- #
- # When you don't explicitly provide env vars here, VMware Secrets Manager
- # Sentinel will assume the default values outlined in the given link above.
- #
- env:
- {{- range .Values.environments }}
- - name: {{ .name }}
- value: {{ .value | quote }}
- {{- end }}
- resources:
- requests:
- memory: {{ .Values.resources.requests.memory }}
- cpu: {{ .Values.resources.requests.cpu }}
- volumes:
- # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket
- # ref: https://github.com/spiffe/spiffe-csi
- - name: spire-agent-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
diff --git a/helm-charts/0.27.3/charts/keystone/templates/Identity.yaml b/helm-charts/0.27.3/charts/keystone/templates/Identity.yaml
deleted file mode 100644
index 26bac553..00000000
--- a/helm-charts/0.27.3/charts/keystone/templates/Identity.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: spire.spiffe.io/v1alpha1
-kind: ClusterSPIFFEID
-metadata:
- name: {{ include "keystone.fullname" . }}
- labels:
- {{- include "keystone.labels" . | nindent 4 }}
-spec:
- className: {{ .Values.global.spire.controllerManagerClassName | quote }}
- spiffeIDTemplate: {{ .Values.global.vsecm.keystoneSpiffeIdTemplate }}
- podSelector:
- matchLabels:
- app.kubernetes.io/name: {{ include "keystone.fullname" . }}
- app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }}
- workloadSelectorTemplates:
- - "k8s:ns:{{ .Values.global.vsecm.namespace }}"
- - "k8s:sa:{{ include "keystone.serviceAccountName" . }}"
diff --git a/helm-charts/0.27.3/charts/keystone/templates/ServiceAccount.yaml b/helm-charts/0.27.3/charts/keystone/templates/ServiceAccount.yaml
deleted file mode 100644
index 29907cb0..00000000
--- a/helm-charts/0.27.3/charts/keystone/templates/ServiceAccount.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "keystone.serviceAccountName" . }}
- namespace: {{ .Values.global.vsecm.namespace }}
- labels:
- {{- include "keystone.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-automountServiceAccountToken: false
- {{- with .Values.imagePullSecrets }}
-imagePullSecrets:
- {{- toYaml . | nindent 2 }}
- {{- end }}
-{{- end }}
diff --git a/helm-charts/0.27.3/charts/keystone/templates/_helpers.tpl b/helm-charts/0.27.3/charts/keystone/templates/_helpers.tpl
deleted file mode 100644
index aa8b4a55..00000000
--- a/helm-charts/0.27.3/charts/keystone/templates/_helpers.tpl
+++ /dev/null
@@ -1,86 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "keystone.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "keystone.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "keystone.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "keystone.labels" -}}
-helm.sh/chart: {{ include "keystone.chart" . }}
-{{ include "keystone.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "keystone.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "keystone.fullname" .
}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "keystone.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "keystone.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Define image for VSecM Keystone
-*/}}
-{{- define "keystone.repository" -}}
-{{- if eq (lower $.Values.global.baseImage) "distroless" }}
-{{- .Values.global.images.keystone.distrolessRepository }}
-{{- else if eq (lower $.Values.global.baseImage) "distroless-fips" }}
-{{- .Values.global.images.keystone.distrolessFipsRepository }}
-{{- else }}
-{{- .Values.global.images.keystone.distrolessRepository }}
-{{- end }}
-{{- end }}
diff --git a/helm-charts/0.27.3/charts/keystone/values.yaml b/helm-charts/0.27.3/charts/keystone/values.yaml
deleted file mode 100644
index a16e1ce1..00000000
--- a/helm-charts/0.27.3/charts/keystone/values.yaml
+++ /dev/null
@@ -1,108 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# Default values for keystone.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-replicaCount: 1
-
-# -- The port of the liveness probe.
-livenessPort: 8081
-
-# -- See https://vsecm.com/configuration for more information
-# about these environment variables.
-environments:
- # -- The log level. 0: Logs are off (only audit events will be logged)
- # 7: TRACE level logging (maximum verbosity).
- - name: VSECM_LOG_LEVEL
- value: "7"
-
-# -- See https://vsecm.com/configuration for more information
-# about these environment variables.
-initEnvironments:
- # -- The SPIFFE endpoint socket. This is used to communicate with the SPIRE
- # agent. If you change this, you will need to change the associated
- # volumeMount in the Deployment.yaml too.
- # The name of the socket should match spireAgent.socketName in values.yaml
- # of the SPIRE chart.
- - name: SPIFFE_ENDPOINT_SOCKET
- value: "unix:///spire-agent-socket/spire-agent.sock"
- # -- The interval between retries (in milliseconds) for the default backoff strategy.
- - name: VSECM_BACKOFF_DELAY
- value: "1000"
- # -- The maximum number of retries for the default backoff strategy before it gives up.
- - name: VSECM_BACKOFF_MAX_RETRIES
- value: "10"
- # -- The maximum wait time (in milliseconds) for the default backoff strategy.
- - name: VSECM_BACKOFF_MAX_WAIT
- value: "10000"
- # -- The backoff mode. The default is "exponential".
- # Allowed values: "exponential", "linear"
- - name: VSECM_BACKOFF_MODE
- value: "exponential"
- # -- The interval (in milliseconds) that the VSecM Init Container will poll
- # the VSecM Safe for secrets.
- - name: VSECM_INIT_CONTAINER_POLL_INTERVAL
- value: "5000"
- # -- The time (in milliseconds) that the VSecM Init Container will wait
- # before exiting and yielding the control to the main container.
- - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT
- value: "0"
- # -- The log level. 0: Logs are off (only audit events will be logged)
- # 7: TRACE level logging (maximum verbosity).
- - name: VSECM_LOG_LEVEL
- value: "7"
-
-# -- Override it with an image pull secret that you need as follows:
-# imagePullSecrets:
-# - name: my-registry-secret
-imagePullSecrets: []
-
-# -- The name override of the chart.
-nameOverride: ""
-# -- The fullname override of the chart.
-fullnameOverride: ""
-
-# -- The service account to use.
-serviceAccount:
- # -- Specifies whether a service account should be created.
- create: true
- # -- Annotations to add to the service account.
- annotations: {}
- # -- The name of the service account to use.
- # If not set and 'create' is true, a name is generated using the fullname
- # template.
- name: "vsecm-keystone"
-
-# -- Additional pod annotations.
-podAnnotations: {}
-
-# -- Pod security context overrides.
-podSecurityContext: {}
-# fsGroup: 2000
-
-# -- Resource limits and requests.
-resources:
- # These are default requests that can be used as a starting point.
- # Of course, benchmark your production system to determine the actual
- # requests you need.
- requests:
- memory: "20Mi"
- cpu: "5m"
-
-# -- Autoscaling settings. Note that, by default, autoscaling is disabled.
-# It does not typically make sense to autoscale VSecM Keystone as it is
-# a control plane component with minimal resource requirements.
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
diff --git a/helm-charts/0.27.3/charts/safe/.helmignore b/helm-charts/0.27.3/charts/safe/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/helm-charts/0.27.3/charts/safe/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/helm-charts/0.27.3/charts/safe/Chart.yaml b/helm-charts/0.27.3/charts/safe/Chart.yaml
deleted file mode 100644
index 7ef3aedf..00000000
--- a/helm-charts/0.27.3/charts/safe/Chart.yaml
+++ /dev/null
@@ -1,34 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v2 -name: safe -description: Helm chart for VMware Secrets Manager (VSecM) Safe - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.27.3 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.27.3" diff --git a/helm-charts/0.27.3/charts/safe/README.md b/helm-charts/0.27.3/charts/safe/README.md deleted file mode 100644 index c3aab1fc..00000000 --- a/helm-charts/0.27.3/charts/safe/README.md +++ /dev/null 
@@ -1,59 +0,0 @@ -# safe - -![Version: 0.27.3](https://img.shields.io/badge/Version-0.27.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.3](https://img.shields.io/badge/AppVersion-0.27.3-informational?style=flat-square) - -Helm chart for VMware Secrets Manager (VSecM) Safe - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| autoscaling | object | `{"enabled":false,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling settings. Note that autoscaling is not supported for VSecM Safe yet. For proper operation there should always be a single VSecM Safe pod at all times. | -| data | object | `{"hostPath":{"path":"/var/local/vsecm/data"},"persistent":false,"persistentVolumeClaim":{"accessMode":"ReadWriteOnce","size":"1Gi","storageClass":""}}` | How persistence is handled. | -| data.hostPath | object | `{"path":"/var/local/vsecm/data"}` | hostPath if `persistent` is false. | -| data.persistent | bool | `false` | If `persistent` is true, a PersistentVolumeClaim is used. Otherwise, a hostPath is used. | -| data.persistentVolumeClaim | object | `{"accessMode":"ReadWriteOnce","size":"1Gi","storageClass":""}` | PVC settings (if `persistent` is true). 
| -| environments | list | `[{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/spire-agent.sock"},{"name":"VSECM_BACKOFF_DELAY","value":"1000"},{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"},{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"},{"name":"VSECM_BACKOFF_MODE","value":"exponential"},{"name":"VSECM_LOG_LEVEL","value":"7"},{"name":"VSECM_LOG_SECRET_FINGERPRINTS","value":"false"},{"name":"VSECM_PROBE_LIVENESS_PORT","value":":8081"},{"name":"VSECM_PROBE_READINESS_PORT","value":":8082"},{"name":"VSECM_SAFE_BACKING_STORE","value":"file"},{"name":"VSECM_SAFE_BOOTSTRAP_TIMEOUT","value":"300000"},{"name":"VSECM_ROOT_KEY_INPUT_MODE_MANUAL","value":"false"},{"name":"VSECM_ROOT_KEY_NAME","value":"vsecm-root-key"},{"name":"VSECM_ROOT_KEY_PATH","value":"/key/key.txt"},{"name":"VSECM_SAFE_DATA_PATH","value":"/var/local/vsecm/data"},{"name":"VSECM_SAFE_FIPS_COMPLIANT","value":"false"},{"name":"VSECM_SAFE_IV_INITIALIZATION_INTERVAL","value":"50"},{"name":"VSECM_SAFE_K8S_SECRET_BUFFER_SIZE","value":"10"},{"name":"VSECM_SAFE_SECRET_BACKUP_COUNT","value":"3"},{"name":"VSECM_SAFE_SECRET_BUFFER_SIZE","value":"10"},{"name":"VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE","value":"10"},{"name":"VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT","value":"10000"},{"name":"VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX","value":"k8s:"},{"name":"VSECM_SAFE_ROOT_KEY_STORE","value":"k8s"},{"name":"VSECM_SAFE_TLS_PORT","value":":8443"}]` | See https://vsecm.com/configuration for more information about these environment variables. | -| environments[0] | object | `{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/spire-agent.sock"}` | The SPIFFE endpoint socket. This is used to communicate with the SPIRE agent. If you change this, you will need to change the associated volumeMount in the Deployment.yaml too. The name of the socket should match spireAgent.socketName in values.yaml of the SPIRE chart. 
| -| environments[10] | object | `{"name":"VSECM_SAFE_BOOTSTRAP_TIMEOUT","value":"300000"}` | The interval (in milliseconds) that the VSecM Safe will wait during bootstrapping before it bails out. | -| environments[11] | object | `{"name":"VSECM_ROOT_KEY_INPUT_MODE_MANUAL","value":"false"}` | Whether to automatically generate root cryptographic material or expect it to be provided through VSecM Sentinel CLI by the operator. If set to "false", VSecM Safe will automatically generate the root keys, which will make the operator's life easier. | -| environments[12] | object | `{"name":"VSECM_ROOT_KEY_NAME","value":"vsecm-root-key"}` | The name of the VSecM Root Key Secret. | -| environments[13] | object | `{"name":"VSECM_ROOT_KEY_PATH","value":"/key/key.txt"}` | The path where the VSecM Root Key will be mounted. | -| environments[14] | object | `{"name":"VSECM_SAFE_DATA_PATH","value":"/var/local/vsecm/data"}` | The path where the VSecM Safe will store its data (if the backing store is "file"). | -| environments[15] | object | `{"name":"VSECM_SAFE_FIPS_COMPLIANT","value":"false"}` | Should VSecM Safe use FIPS-compliant encryption? | -| environments[16] | object | `{"name":"VSECM_SAFE_IV_INITIALIZATION_INTERVAL","value":"50"}` | The IV initialization interval (in milliseconds) for the VSecM Safe. | -| environments[17] | object | `{"name":"VSECM_SAFE_K8S_SECRET_BUFFER_SIZE","value":"10"}` | The number of secrets VSecM Safe can buffer before blocking further operations until the buffer has space. | -| environments[18] | object | `{"name":"VSECM_SAFE_SECRET_BACKUP_COUNT","value":"3"}` | How many versions of older secrets should be kept. | -| environments[19] | object | `{"name":"VSECM_SAFE_SECRET_BUFFER_SIZE","value":"10"}` | The number of secrets VSecM Safe can buffer before blocking further operations until the buffer has space. 
| -| environments[1] | object | `{"name":"VSECM_BACKOFF_DELAY","value":"1000"}` | The interval between retries (in milliseconds) for the default backoff strategy. | -| environments[20] | object | `{"name":"VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE","value":"10"}` | The number of secrets VSecM Safe can buffer before blocking further operations until the buffer has space. | -| environments[21] | object | `{"name":"VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT","value":"10000"}` | The timeout (in milliseconds) for the VSecM Safe to acquire a source. After this timeout, the VSecM Safe will bail out. | -| environments[22] | object | `{"name":"VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX","value":"k8s:"}` | The prefix to use for the workload names, when storing workload secrets as Kubernetes secrets. | -| environments[23] | object | `{"name":"VSECM_SAFE_ROOT_KEY_STORE","value":"k8s"}` | The place where the VSecM Safe will store its root key. The only possible value is "k8s" at the moment. | -| environments[24] | object | `{"name":"VSECM_SAFE_TLS_PORT","value":":8443"}` | The port that the VSecM Safe will listen on. | -| environments[2] | object | `{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"}` | The maximum number of retries for the default backoff strategy before it gives up. | -| environments[3] | object | `{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"}` | The maximum wait time (in milliseconds) for the default backoff strategy. | -| environments[4] | object | `{"name":"VSECM_BACKOFF_MODE","value":"exponential"}` | The backoff mode. The default is "exponential". Allowed values: "exponential", "linear" | -| environments[5] | object | `{"name":"VSECM_LOG_LEVEL","value":"7"}` | The log level. 0: Logs are off (only audit events will be logged) 7: TRACE level logging (maximum verbosity). | -| environments[6] | object | `{"name":"VSECM_LOG_SECRET_FINGERPRINTS","value":"false"}` | Useful for debugging. 
This will log cryptographic fingerprints of secrets without revealing the secret itself. It is recommended to keep this "false" in production. | -| environments[7] | object | `{"name":"VSECM_PROBE_LIVENESS_PORT","value":":8081"}` | The port that the liveness probe listens on. | -| environments[8] | object | `{"name":"VSECM_PROBE_READINESS_PORT","value":":8082"}` | The port that the readiness probe listens on. | -| environments[9] | object | `{"name":"VSECM_SAFE_BACKING_STORE","value":"file"}` | The backing store for VSecM Safe. Possible values are: "memory", "file", "aws-secret", "azure-secret", "gcp-secret", "k8s". Currently, only "memory" and "file" are supported. | -| fullnameOverride | string | `""` | The fullname override of the chart. | -| imagePullSecrets | list | `[]` | Override it with an image pull secret that you need as follows: imagePullSecrets: - name: my-registry-secret | -| livenessPort | int | `8081` | The port that the liveness probe listens on. `environments.VSECM_PROBE_LIVENESS_PORT` should match this value. | -| nameOverride | string | `""` | The name override of the chart. | -| podAnnotations | object | `{}` | Additional pod annotations. | -| podSecurityContext | object | `{}` | Pod security context overrides. | -| readinessPort | int | `8082` | The port that the readiness probe listens on. `environments.VSECM_PROBE_READINESS_PORT` should match this value. | -| replicaCount | int | `1` | Number of replicas to deploy. Note that values greater than 1 are not supported yet. | -| resources | object | `{"requests":{"cpu":"5m","memory":"20Mi"}}` | Resource limits and requests. | -| rootKeySecretName | string | `"vsecm-root-key"` | The name of the root key secret. | -| service | object | `{"port":8443,"targetPort":8443,"type":"ClusterIP"}` | Service settings. | -| serviceAccount | object | `{"annotations":{},"create":true,"name":"vsecm-safe"}` | The service account to use. 
| -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | -| serviceAccount.name | string | `"vsecm-safe"` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/helm-charts/0.27.3/charts/safe/templates/Identity.yaml b/helm-charts/0.27.3/charts/safe/templates/Identity.yaml deleted file mode 100644 index 70240025..00000000 --- a/helm-charts/0.27.3/charts/safe/templates/Identity.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: {{ include "safe.fullname" . }} - labels: - {{- include "safe.labels" . | nindent 4 }} -spec: - className: {{ .Values.global.spire.controllerManagerClassName | quote }} - spiffeIDTemplate: {{ .Values.global.vsecm.safeSpiffeIdTemplate }} - podSelector: - matchLabels: - app.kubernetes.io/name: {{ include "safe.fullname" . }} - app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} - workloadSelectorTemplates: - - "k8s:ns:{{ .Values.global.vsecm.namespace }}" - - "k8s:sa:{{ include "safe.serviceAccountName" . }}" diff --git a/helm-charts/0.27.3/charts/safe/templates/RoleBinding.yaml b/helm-charts/0.27.3/charts/safe/templates/RoleBinding.yaml deleted file mode 100644 index 4b70be7e..00000000 --- a/helm-charts/0.27.3/charts/safe/templates/RoleBinding.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: {{ .Values.global.vsecm.namespace }} -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. -# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: {{ .Values.global.vsecm.namespace }} -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: {{ .Values.global.vsecm.namespace }} -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## diff --git a/helm-charts/0.27.3/charts/safe/templates/Secret.yaml b/helm-charts/0.27.3/charts/safe/templates/Secret.yaml deleted file mode 100644 index f343622e..00000000 --- a/helm-charts/0.27.3/charts/safe/templates/Secret.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.rootKeySecretName }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "safe.labels" . | nindent 4 }} - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: {{ include "safe.serviceAccountName" . }} - {{- if .Values.global.enableKAppAnnotations }} - kapp.k14s.io/update-strategy: skip - {{- end }} -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" diff --git a/helm-charts/0.27.3/charts/safe/templates/Service.yaml b/helm-charts/0.27.3/charts/safe/templates/Service.yaml deleted file mode 100644 index a4b6311d..00000000 --- a/helm-charts/0.27.3/charts/safe/templates/Service.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "safe.fullname" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "safe.labels" . | nindent 4 }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.targetPort }} - protocol: TCP - name: http - selector: - {{- include "safe.selectorLabels" . | nindent 4 }} 
diff --git a/helm-charts/0.27.3/charts/safe/templates/ServiceAccount.yaml b/helm-charts/0.27.3/charts/safe/templates/ServiceAccount.yaml deleted file mode 100644 index fb27036d..00000000 --- a/helm-charts/0.27.3/charts/safe/templates/ServiceAccount.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "safe.serviceAccountName" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "safe.labels" . | nindent 4 }} - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: {{ .Values.rootKeySecretName }} - {{- with .Values.serviceAccount.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -automountServiceAccountToken: true -secrets: - - name: {{ .Values.rootKeySecretName }} - {{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- toYaml . | nindent 2 }} - {{- end }} -{{- end }} diff --git a/helm-charts/0.27.3/charts/safe/templates/StatefulSet.yaml b/helm-charts/0.27.3/charts/safe/templates/StatefulSet.yaml deleted file mode 100644 index 5fda0575..00000000 --- a/helm-charts/0.27.3/charts/safe/templates/StatefulSet.yaml +++ /dev/null 
@@ -1,195 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "safe.fullname" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "safe.labels" . | nindent 4 }} -spec: - serviceName: {{ include "safe.fullname" . }} - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "safe.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "safe.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "safe.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "{{ .Values.global.registry }}/{{- include "safe.repository" .}}:{{ .Values.global.images.safe.tag }}" - imagePullPolicy: {{ .Values.global.images.safe.pullPolicy }} - ports: - - containerPort: {{ .Values.service.port }} - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: {{ .Values.data.hostPath.path }} - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: /key - readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. 
- # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. - # - env: - {{- $vsecmNamespaceSet := false }} - {{- $spireNamespaceSet := false }} - {{- $safeEndpointUrlSet := false }} - {{- $safeSpiffeIdPrefixSet := false }} - {{- $sentinelSpiffeIdPrefixSet := false }} - {{- $workloadSpiffeIdPrefixSet := false }} - {{- $spiffeTrustDomainSet := false }} - {{- $workloadNameRegExpSet := false }} - {{- range .Values.environments }} - {{- if eq .name "VSECM_SAFE_ENDPOINT_URL" }} - {{- $safeEndpointUrlSet = true }} - {{- end }} - {{- if eq .name "VSECM_SPIFFEID_PREFIX_SAFE" }} - {{- $safeSpiffeIdPrefixSet = true }} - {{- end }} - {{- if eq .name "VSECM_SPIFFEID_PREFIX_SENTINEL" }} - {{- $sentinelSpiffeIdPrefixSet = true }} - {{- end }} - {{- if eq .name "VSECM_SPIFFEID_PREFIX_WORKLOAD" }} - {{- $workloadSpiffeIdPrefixSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SYSTEM" }} - {{- $vsecmNamespaceSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SPIRE" }} - {{- $spireNamespaceSet = true }} - {{- end }} - {{ if eq .name "SPIFFE_TRUST_DOMAIN" }} - {{- $spiffeTrustDomainSet = true }} - {{- end }} - {{- if eq .name "VSECM_WORKLOAD_NAME_REGEXP" }} - {{- $workloadNameRegExpSet = true }} - {{- end }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - - {{- if not $safeEndpointUrlSet }} - - name: VSECM_SAFE_ENDPOINT_URL - value: {{ .Values.global.vsecm.safeEndpointUrl | quote }} - {{- end }} - {{- if not $safeSpiffeIdPrefixSet }} - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: {{ .Values.global.vsecm.safeSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $sentinelSpiffeIdPrefixSet }} - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: {{ .Values.global.vsecm.sentinelSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $workloadSpiffeIdPrefixSet }} - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: {{ .Values.global.vsecm.workloadSpiffeIdPrefix | quote }} - {{- end }} - 
{{- if not $vsecmNamespaceSet }} - - name: VSECM_NAMESPACE_SYSTEM - value: {{ .Values.global.vsecm.namespace | quote }} - {{- end }} - {{- if not $spireNamespaceSet }} - - name: VSECM_NAMESPACE_SPIRE - value: {{ .Values.global.spire.namespace | quote }} - {{- end }} - {{- if not $spiffeTrustDomainSet }} - - name: SPIFFE_TRUST_DOMAIN - value: {{ .Values.global.spire.trustDomain | quote }} - {{- end }} - {{- if not $workloadNameRegExpSet }} - - name: VSECM_WORKLOAD_NAME_REGEXP - value: {{ .Values.global.vsecm.workloadNameRegExp | quote }} - {{- end }} - livenessProbe: - httpGet: - path: / - port: {{ .Values.livenessPort }} - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: {{ .Values.readinessPort }} - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: {{ .Values.resources.requests.memory }} - cpu: {{ .Values.resources.requests.cpu }} - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - -{{- if not .Values.data.persistent }} - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: {{ .Values.data.hostPath.path }} - type: DirectoryOrCreate -{{- end}} - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: {{ .Values.rootKeySecretName }} - items: - - key: KEY_TXT - path: key.txt - -{{- if .Values.data.persistent }} - volumeClaimTemplates: - - metadata: - name: vsecm-data - spec: - accessModes: - - {{ .Values.data.persistentVolumeClaim.accessMode | default "ReadWriteOnce" }} - resources: - requests: - storage: {{ .Values.data.persistentVolumeClaim.size }} - {{- if .Values.data.persistentVolumeClaim.storageClass }} - storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }} - {{- end }} -{{- end }} 
diff --git a/helm-charts/0.27.3/charts/safe/templates/_helpers.tpl b/helm-charts/0.27.3/charts/safe/templates/_helpers.tpl deleted file mode 100644 index f7dd4480..00000000 --- a/helm-charts/0.27.3/charts/safe/templates/_helpers.tpl +++ /dev/null 
@@ -1,86 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{/* -Expand the name of the chart. -*/}} -{{- define "safe.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "safe.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "safe.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "safe.labels" -}} -helm.sh/chart: {{ include "safe.chart" . }} -{{ include "safe.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "safe.selectorLabels" -}} -app.kubernetes.io/name: {{ include "safe.fullname" . 
}} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "safe.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "safe.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Define image for vsecm safe -*/}} -{{- define "safe.repository" -}} -{{- if eq (lower $.Values.global.baseImage) "distroless" }} -{{- .Values.global.images.safe.distrolessRepository }} -{{- else if eq (lower $.Values.global.baseImage) "distroless-fips" }} -{{- .Values.global.images.safe.distrolessFipsRepository }} -{{- else }} -{{- .Values.global.images.safe.distrolessRepository }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/helm-charts/0.27.3/charts/safe/templates/hook-preinstall-namespace.yaml b/helm-charts/0.27.3/charts/safe/templates/hook-preinstall-namespace.yaml deleted file mode 100644 index a122e8c8..00000000 --- a/helm-charts/0.27.3/charts/safe/templates/hook-preinstall-namespace.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{- if .Values.global.preInstallVSecMNamespaces }} -apiVersion: v1 -kind: Namespace -metadata: - name: {{ .Values.global.vsecm.namespace }} -{{- end }} \ No newline at end of file diff --git a/helm-charts/0.27.3/charts/safe/templates/hook-preinstall-role.yaml b/helm-charts/0.27.3/charts/safe/templates/hook-preinstall-role.yaml deleted file mode 100644 index 1250298a..00000000 --- a/helm-charts/0.27.3/charts/safe/templates/hook-preinstall-role.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: {{ .Values.global.vsecm.namespace }} -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. 
-# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: [{{ .Values.rootKeySecretName | quote }}] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: [{{ .Values.rootKeySecretName | quote }}] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - "helm.sh/hook-weight": "2" - {{- end }} diff --git a/helm-charts/0.27.3/charts/safe/values.yaml b/helm-charts/0.27.3/charts/safe/values.yaml deleted file mode 100644 index 6f8ecbc1..00000000 --- a/helm-charts/0.27.3/charts/safe/values.yaml +++ /dev/null 
@@ -1,191 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# -- Number of replicas to deploy. Note that values greater than 1 are not -# supported yet. -replicaCount: 1 - -# -- The port that the liveness probe listens on. -# `environments.VSECM_PROBE_LIVENESS_PORT` should match this value. -livenessPort: 8081 -# -- The port that the readiness probe listens on. -# `environments.VSECM_PROBE_READINESS_PORT` should match this value. -readinessPort: 8082 - -# -- The name of the root key secret. -rootKeySecretName: &rootKeyName vsecm-root-key - -# -- How persistence is handled. -data: - # -- If `persistent` is true, a PersistentVolumeClaim is used. - # Otherwise, a hostPath is used. - persistent: false - # -- PVC settings (if `persistent` is true). - persistentVolumeClaim: - storageClass: "" - accessMode: ReadWriteOnce - size: 1Gi - - # -- hostPath if `persistent` is false. - hostPath: - path: "/var/local/vsecm/data" - -# -- See https://vsecm.com/configuration for more information -# about these environment variables. -environments: - # -- The SPIFFE endpoint socket. This is used to communicate with the SPIRE - # agent. If you change this, you will need to change the associated - # volumeMount in the Deployment.yaml too. - # The name of the socket should match spireAgent.socketName in values.yaml - # of the SPIRE chart. - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - # -- The interval between retries (in milliseconds) for the default backoff strategy. - - name: VSECM_BACKOFF_DELAY - value: "1000" - # -- The maximum number of retries for the default backoff strategy before it gives up. 
- - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - # -- The maximum wait time (in milliseconds) for the default backoff strategy. - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - # -- The backoff mode. The default is "exponential". - # Allowed values: "exponential", "linear" - - name: VSECM_BACKOFF_MODE - value: "exponential" - # -- The log level. 0: Logs are off (only audit events will be logged) - # 7: TRACE level logging (maximum verbosity). - - name: VSECM_LOG_LEVEL - value: "7" - # -- Useful for debugging. This will log cryptographic fingerprints of - # secrets without revealing the secret itself. It is recommended to keep - # this "false" in production. - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - # -- The port that the liveness probe listens on. - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - # -- The port that the readiness probe listens on. - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - # -- The backing store for VSecM Safe. - # Possible values are: "memory", "file", "aws-secret", "azure-secret", - # "gcp-secret", "k8s". Currently, only "memory" and "file" are supported. - - name: VSECM_SAFE_BACKING_STORE - value: "file" - # -- The interval (in milliseconds) that the VSecM Safe will wait during - # bootstrapping before it bails out. - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - # -- Whether to automatically generate root cryptographic material or - # expect it to be provided through VSecM Sentinel CLI by the operator. - # If set to "false", VSecM Safe will automatically generate the root keys, - # which will make the operator's life easier. - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - # -- The name of the VSecM Root Key Secret. - - name: VSECM_ROOT_KEY_NAME - value: *rootKeyName - # -- The path where the VSecM Root Key will be mounted. - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - # -- The path where the VSecM Safe will store its data (if the backing store - # is "file"). 
- - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - # -- Should VSecM Safe use FIPS-compliant encryption? - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - # -- The IV initialization interval (in milliseconds) for the VSecM Safe. - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - # -- The number of secrets VSecM Safe can buffer before blocking further - # operations until the buffer has space. - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - # -- How many versions of older secrets should be kept. - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - # -- The number of secrets VSecM Safe can buffer before blocking further - # operations until the buffer has space. - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - # -- The number of secrets VSecM Safe can buffer before blocking further - # operations until the buffer has space. - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - # -- The timeout (in milliseconds) for the VSecM Safe to acquire a source. - # After this timeout, the VSecM Safe will bail out. - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - # -- The prefix to use for the workload names, when storing workload - # secrets as Kubernetes secrets. - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - # -- The place where the VSecM Safe will store its root key. - # The only possible value is "k8s" at the moment. - - name: VSECM_SAFE_ROOT_KEY_STORE - value: "k8s" - # -- The port that the VSecM Safe will listen on. - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - -# -- Override it with an image pull secret that you need as follows: -# imagePullSecrets: -# - name: my-registry-secret -imagePullSecrets: [] - -# -- The name override of the chart. -nameOverride: "" -# -- The fullname override of the chart. -fullnameOverride: "" - -# -- The service account to use. 
-serviceAccount:
- # -- Specifies whether a service account should be created
- create: true
- # -- Annotations to add to the service account
- annotations: {}
- # -- The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: "vsecm-safe"
-
-# -- Additional pod annotations.
-podAnnotations: {}
-
-# -- Pod security context overrides.
-podSecurityContext:
- {}
- # fsGroup: 2000
-
-# -- Service settings.
-service:
- type: ClusterIP
- port: 8443
- targetPort: 8443
-
-# -- Resource limits and requests.
-resources:
- # These are default requests that can be used as a starting point.
- # Of course, benchmark your production system to determine the actual
- # requests you need.
- requests:
- memory: "20Mi"
- cpu: "5m"
-
-# -- Autoscaling settings. Note that autoscaling is not supported for VSecM
-# Safe yet. For proper operation there should always be a single VSecM Safe
-# pod at all times.
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 10
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
diff --git a/helm-charts/0.27.3/charts/sentinel/.helmignore b/helm-charts/0.27.3/charts/sentinel/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/helm-charts/0.27.3/charts/sentinel/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/helm-charts/0.27.3/charts/sentinel/Chart.yaml b/helm-charts/0.27.3/charts/sentinel/Chart.yaml
deleted file mode 100644
index deb631a9..00000000
--- a/helm-charts/0.27.3/charts/sentinel/Chart.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v2
-name: sentinel
-description: Helm chart for sentinel
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.27.3
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "0.27.3"
diff --git a/helm-charts/0.27.3/charts/sentinel/README.md b/helm-charts/0.27.3/charts/sentinel/README.md
deleted file mode 100644
index c85681b8..00000000
--- a/helm-charts/0.27.3/charts/sentinel/README.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# sentinel
-
-![Version: 0.27.3](https://img.shields.io/badge/Version-0.27.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.3](https://img.shields.io/badge/AppVersion-0.27.3-informational?style=flat-square)
-
-Helm chart for sentinel
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling settings. Note that autoscaling does not make sense for VSecM Sentinel as it is a control plane component that is mainly used as a CLI tool. It is not a server that is expected to be running all the time. |
-| environments | list | `[{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/spire-agent.sock"},{"name":"VSECM_BACKOFF_DELAY","value":"1000"},{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"},{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"},{"name":"VSECM_BACKOFF_MODE","value":"exponential"},{"name":"VSECM_LOG_LEVEL","value":"7"},{"name":"VSECM_LOG_SECRET_FINGERPRINTS","value":"false"},{"name":"VSECM_PROBE_LIVENESS_PORT","value":":8081"},{"name":"VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER","value":"false"},{"name":"VSECM_SENTINEL_INIT_COMMAND_PATH","value":"/opt/vsecm-sentinel/init/data"},{"name":"VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE","value":"0"},{"name":"VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC","value":"0"},{"name":"VSECM_SENTINEL_LOGGER_URL","value":"localhost:50051"},{"name":"VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL","value":"http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect"},{"name":"VSECM_SENTINEL_SECRET_GENERATION_PREFIX","value":"gen:"}]` | See https://vsecm.com/configuration for more information about these environment variables.
|
-| environments[0] | object | `{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/spire-agent.sock"}` | The SPIFFE endpoint socket. This is used to communicate with the SPIRE. The name of the socket should match spireAgent.socketName in values.yaml of the SPIRE chart. |
-| environments[10] | object | `{"name":"VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE","value":"0"}` | The amount of time to wait (in milliseconds) after all initialization commands are executed. |
-| environments[11] | object | `{"name":"VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC","value":"0"}` | The amount of time to wait (in milliseconds) before executing the initialization commands. |
-| environments[12] | object | `{"name":"VSECM_SENTINEL_LOGGER_URL","value":"localhost:50051"}` | VSecM Sentinel uses a gRPC logger to log audit events. This is the URL of the gRPC logger. |
-| environments[13] | object | `{"name":"VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL","value":"http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect"}` | The OIDC provider's base URL. This is the URL that VSecM Sentinel will use to introspect the token. |
-| environments[14] | object | `{"name":"VSECM_SENTINEL_SECRET_GENERATION_PREFIX","value":"gen:"}` | The prefix to hint to generate secrets randomly based on regex-like patterns. |
-| environments[1] | object | `{"name":"VSECM_BACKOFF_DELAY","value":"1000"}` | The interval between retries (in milliseconds) for the default backoff strategy. |
-| environments[2] | object | `{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"}` | The maximum number of retries for the default backoff strategy before it gives up. |
-| environments[3] | object | `{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"}` | The maximum wait time (in milliseconds) for the default backoff strategy. |
-| environments[4] | object | `{"name":"VSECM_BACKOFF_MODE","value":"exponential"}` | The backoff mode. The default is "exponential".
Allowed values: "exponential", "linear" |
-| environments[5] | object | `{"name":"VSECM_LOG_LEVEL","value":"7"}` | The log level. 0: Logs are off (only audit events will be logged), 7: TRACE level logging (maximum verbosity). |
-| environments[6] | object | `{"name":"VSECM_LOG_SECRET_FINGERPRINTS","value":"false"}` | Useful for debugging. This will log cryptographic fingerprints of secrets without revealing the secret itself. It is recommended to keep this "false" in production. |
-| environments[7] | object | `{"name":"VSECM_PROBE_LIVENESS_PORT","value":":8081"}` | The port that the liveness probe listens on. |
-| environments[8] | object | `{"name":"VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER","value":"false"}` | Enable or disable OIDC resource server. When enabled, VSecM Sentinel will act as an OIDC resource server. Note that exposing VSecM Sentinel's functionality through a server significantly alters the attack surface, and the decision should be considered carefully. This option will create a RESTful API around VSecM Sentinel. Since VSecM Sentinel is the main entry point to the system, the server's security is important. Ideally, do not expose this server to the public Internet and protect it with tight security controls. |
-| environments[9] | object | `{"name":"VSECM_SENTINEL_INIT_COMMAND_PATH","value":"/opt/vsecm-sentinel/init/data"}` | The path where the initialization commands are mounted. |
-| fullnameOverride | string | `""` | The fullname override of the chart. |
-| imagePullSecrets | list | `[]` | |
-| initCommand | object | `{"command":"exit:true\n--\n","enabled":true}` | The custom initialization commands that will be executed by the VSecM Sentinel during its initial bootstrapping. The commands are executed in the order they are provided. See the official documentation for more information: https://vsecm.com/configuration |
-| initCommand.enabled | bool | `true` | Specifies whether the custom initialization commands are enabled.
If set to 'false', the custom initialization commands will not be executed. |
-| livenessPort | int | `8081` | The port that the liveness probe listens on. |
-| nameOverride | string | `""` | The name override of the chart. |
-| podAnnotations | object | `{}` | Additional pod annotations. |
-| podSecurityContext | object | `{}` | Pod security context overrides. |
-| replicaCount | int | `1` | Number of replicas to deploy. Note that values greater than 1 are not supported yet. |
-| resources.requests.cpu | string | `"5m"` | |
-| resources.requests.memory | string | `"20Mi"` | |
-| serviceAccount | object | `{"annotations":{},"create":true,"name":"vsecm-sentinel"}` | The service account to use. |
-| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
-| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
-| serviceAccount.name | string | `"vsecm-sentinel"` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
-
-----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
diff --git a/helm-charts/0.27.3/charts/sentinel/templates/Deployment.yaml b/helm-charts/0.27.3/charts/sentinel/templates/Deployment.yaml
deleted file mode 100644
index f456c96e..00000000
--- a/helm-charts/0.27.3/charts/sentinel/templates/Deployment.yaml
+++ /dev/null
@@ -1,157 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "sentinel.fullname" . }}
- namespace: {{ .Values.global.vsecm.namespace }}
- labels:
- {{- include "sentinel.labels" . | nindent 4 }}
-spec:
- {{- if not .Values.autoscaling.enabled }}
- replicas: {{ .Values.replicaCount }}
- {{- end }}
- selector:
- matchLabels:
- {{- include "sentinel.selectorLabels" . | nindent 6 }}
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "sentinel.selectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "sentinel.serviceAccountName" . }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
-
- priorityClassName: system-cluster-critical
-
- containers:
- - name: main
- image: "{{ .Values.global.registry }}/{{- include "sentinel.repository" .}}:{{ .Values.global.images.sentinel.tag }}"
- imagePullPolicy: {{ .Values.global.images.sentinel.pullPolicy }}
- volumeMounts:
- - name: spire-agent-socket
- mountPath: /spire-agent-socket
- readOnly: true
- {{- if .Values.initCommand.enabled }}
- - name: init-command-volume
- # /opt/vsecm-sentinel/init/data will contain the init script.
- mountPath: /opt/vsecm-sentinel/init
- {{- end }}
- #
- # You can configure VSecM Sentinel by providing
- # environment variables.
- #
- # See https://vsecm.com/configuration for more information about
- # these environment variables.
- #
- # When you don't explicitly provide env vars here, VMware Secrets Manager
- # Sentinel will assume the default values outlined in the given link above.
- #
- env:
- {{- $safeEndpointUrlSet := false }}
- {{- $safeSpiffeIdPrefixSet := false }}
- {{- $sentinelSpiffeIdPrefixSet := false }}
- {{- $workloadSpiffeIdPrefixSet := false }}
- {{- $vsecmNamespaceSet := false }}
- {{- $spireNamespaceSet := false }}
- {{- $spiffeTrustDomainSet := false}}
- {{- $workloadNameRegExpSet := false}}
- {{- range .Values.environments }}
- {{- if eq .name "VSECM_SAFE_ENDPOINT_URL" }}
- {{- $safeEndpointUrlSet = true }}
- {{- end }}
- {{- if eq .name "VSECM_SPIFFEID_PREFIX_SAFE" }}
- {{- $safeSpiffeIdPrefixSet = true }}
- {{- end }}
- {{- if eq .name "VSECM_SPIFFEID_PREFIX_SENTINEL" }}
- {{- $sentinelSpiffeIdPrefixSet = true }}
- {{- end }}
- {{- if eq .name "VSECM_SPIFFEID_PREFIX_WORKLOAD" }}
- {{- $workloadSpiffeIdPrefixSet = true }}
- {{- end }}
- {{ if eq .name "VSECM_NAMESPACE_SYSTEM" }}
- {{- $vsecmNamespaceSet = true }}
- {{- end }}
- {{ if eq .name "VSECM_NAMESPACE_SPIRE" }}
- {{- $spireNamespaceSet = true }}
- {{- end }}
- {{ if eq .name "SPIFFE_TRUST_DOMAIN" }}
- {{- $spiffeTrustDomainSet = true }}
- {{- end }}
- {{ if eq .name "VSECM_WORKLOAD_NAME_REGEXP" }}
- {{- $workloadNameRegExpSet = true }}
- {{- end }}
- - name: {{ .name }}
- value: {{ .value | quote }}
- {{- end }}
- {{- if not $safeEndpointUrlSet }}
- - name: VSECM_SAFE_ENDPOINT_URL
- value: {{ .Values.global.vsecm.safeEndpointUrl | quote }}
- {{- end }}
- {{- if not $safeSpiffeIdPrefixSet }}
- - name: VSECM_SPIFFEID_PREFIX_SAFE
- value: {{ .Values.global.vsecm.safeSpiffeIdPrefix | quote }}
- {{- end }}
- {{- if not $sentinelSpiffeIdPrefixSet }}
- - name: VSECM_SPIFFEID_PREFIX_SENTINEL
- value: {{ .Values.global.vsecm.sentinelSpiffeIdPrefix | quote }}
- {{- end }}
- {{- if not $workloadSpiffeIdPrefixSet }}
- - name: VSECM_SPIFFEID_PREFIX_WORKLOAD
- value: {{ .Values.global.vsecm.workloadSpiffeIdPrefix | quote }}
- {{- end }}
- {{- if not $vsecmNamespaceSet }}
- - name: VSECM_NAMESPACE_SYSTEM
- value: {{ .Values.global.vsecm.namespace | quote }}
- {{- end }}
- {{- if not $spireNamespaceSet }}
- - name: VSECM_NAMESPACE_SPIRE
- value: {{ .Values.global.spire.namespace | quote }}
- {{- end }}
- {{ if not $spiffeTrustDomainSet }}
- - name: SPIFFE_TRUST_DOMAIN
- value: {{ .Values.global.spire.trustDomain | quote }}
- {{- end }}
- {{- if not $workloadNameRegExpSet }}
- - name: VSECM_WORKLOAD_NAME_REGEXP
- value: {{ .Values.global.vsecm.workloadNameRegExp | quote }}
- {{- end }}
- livenessProbe:
- httpGet:
- path: /
- port: {{ .Values.livenessPort }}
- initialDelaySeconds: 1
- periodSeconds: 10
- resources:
- requests:
- memory: {{ .Values.resources.requests.memory }}
- cpu: {{ .Values.resources.requests.cpu }}
- volumes:
- # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket
- # ref: https://github.com/spiffe/spiffe-csi
- - name: spire-agent-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
- {{- if .Values.initCommand.enabled }}
- - name: init-command-volume
- secret:
- secretName: vsecm-sentinel-init-secret
- {{- end }}
diff --git a/helm-charts/0.27.3/charts/sentinel/templates/Identity.yaml b/helm-charts/0.27.3/charts/sentinel/templates/Identity.yaml
deleted file mode 100644
index 434a3eb8..00000000
--- a/helm-charts/0.27.3/charts/sentinel/templates/Identity.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: spire.spiffe.io/v1alpha1
-kind: ClusterSPIFFEID
-metadata:
- name: {{ include "sentinel.fullname" . }}
- labels:
- {{- include "sentinel.labels" . | nindent 4 }}
-spec:
- className: {{ .Values.global.spire.controllerManagerClassName | quote }}
- spiffeIDTemplate: {{ .Values.global.vsecm.sentinelSpiffeIdTemplate }}
- podSelector:
- matchLabels:
- app.kubernetes.io/name: {{ include "sentinel.fullname" . }}
- app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }}
- workloadSelectorTemplates:
- - "k8s:ns:{{ .Values.global.vsecm.namespace }}"
- - "k8s:sa:{{ include "sentinel.serviceAccountName" . }}"
diff --git a/helm-charts/0.27.3/charts/sentinel/templates/Role.yaml b/helm-charts/0.27.3/charts/sentinel/templates/Role.yaml
deleted file mode 100644
index 49c9e02c..00000000
--- a/helm-charts/0.27.3/charts/sentinel/templates/Role.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: vsecm-sentinel-secret-reader
- namespace: {{ .Values.global.vsecm.namespace }}
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list", "watch"]
- resourceNames: ["vsecm-sentinel-init-secret"]
-
-
diff --git a/helm-charts/0.27.3/charts/sentinel/templates/RoleBinding.yaml b/helm-charts/0.27.3/charts/sentinel/templates/RoleBinding.yaml
deleted file mode 100644
index 70e8b8fc..00000000
--- a/helm-charts/0.27.3/charts/sentinel/templates/RoleBinding.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: read-secrets
- namespace: {{ .Values.global.vsecm.namespace }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "sentinel.serviceAccountName" . }}
- namespace: {{ .Values.global.vsecm.namespace }}
-roleRef:
- kind: Role
- name: vsecm-sentinel-secret-reader
- apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/helm-charts/0.27.3/charts/sentinel/templates/Secret.yaml b/helm-charts/0.27.3/charts/sentinel/templates/Secret.yaml
deleted file mode 100644
index 7020db7f..00000000
--- a/helm-charts/0.27.3/charts/sentinel/templates/Secret.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-{{- if .Values.initCommand.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: vsecm-sentinel-init-secret
- namespace: {{ .Values.global.vsecm.namespace }}
- labels:
- {{- include "sentinel.labels" . | nindent 4 }}
- app.kubernetes.io/operated-by: vsecm
- annotations:
- kubernetes.io/service-account.name: {{ include "sentinel.serviceAccountName" . }}
- {{- if .Values.global.enableKAppAnnotations }}
- kapp.k14s.io/versioned: ""
- kapp.k14s.io/versioned-keep-original: ""
- {{- end }}
-type: Opaque
-stringData:
- data: {{ .Values.initCommand.command | quote }}
-{{- end }}
diff --git a/helm-charts/0.27.3/charts/sentinel/templates/ServiceAccount.yaml b/helm-charts/0.27.3/charts/sentinel/templates/ServiceAccount.yaml
deleted file mode 100644
index fb056b24..00000000
--- a/helm-charts/0.27.3/charts/sentinel/templates/ServiceAccount.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "sentinel.serviceAccountName" . }}
- namespace: {{ .Values.global.vsecm.namespace }}
- labels:
- {{- include "sentinel.labels" . | nindent 4 }}
- annotations:
- kubernetes.io/enforce-mountable-secrets: "true"
- kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret
- {{- with .Values.serviceAccount.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
-automountServiceAccountToken: false
-secrets:
- - name: vsecm-sentinel-init-secret
- {{- with .Values.imagePullSecrets }}
-imagePullSecrets:
- {{- toYaml . | nindent 2 }}
- {{- end }}
-{{- end }}
diff --git a/helm-charts/0.27.3/charts/sentinel/templates/_helpers.tpl b/helm-charts/0.27.3/charts/sentinel/templates/_helpers.tpl
deleted file mode 100644
index 914b1544..00000000
--- a/helm-charts/0.27.3/charts/sentinel/templates/_helpers.tpl
+++ /dev/null
@@ -1,86 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "sentinel.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "sentinel.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "sentinel.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "sentinel.labels" -}}
-helm.sh/chart: {{ include "sentinel.chart" . }}
-{{ include "sentinel.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "sentinel.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "sentinel.fullname" .
}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "sentinel.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "sentinel.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Define image for VSecM Sentinel
-*/}}
-{{- define "sentinel.repository" -}}
-{{- if eq (lower $.Values.global.baseImage) "distroless" }}
-{{- .Values.global.images.sentinel.distrolessRepository }}
-{{- else if eq (lower $.Values.global.baseImage) "distroless-fips" }}
-{{- .Values.global.images.sentinel.distrolessFipsRepository }}
-{{- else }}
-{{- .Values.global.images.sentinel.distrolessRepository }}
-{{- end }}
-{{- end }}
diff --git a/helm-charts/0.27.3/charts/sentinel/values.yaml b/helm-charts/0.27.3/charts/sentinel/values.yaml
deleted file mode 100644
index f9244c45..00000000
--- a/helm-charts/0.27.3/charts/sentinel/values.yaml
+++ /dev/null
@@ -1,163 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# -- Number of replicas to deploy. Note that values greater than 1 are not
-# supported yet.
-replicaCount: 1
-
-# -- The port that the liveness probe listens on.
-livenessPort: 8081
-
-# -- See https://vsecm.com/configuration for more information
-# about these environment variables.
-environments:
- # -- The SPIFFE endpoint socket. This is used to communicate with the SPIRE.
- # The name of the socket should match spireAgent.socketName in values.yaml
- # of the SPIRE chart.
- - name: SPIFFE_ENDPOINT_SOCKET
- value: "unix:///spire-agent-socket/spire-agent.sock"
- # -- The interval between retries (in milliseconds) for the default backoff strategy.
- - name: VSECM_BACKOFF_DELAY
- value: "1000"
- # -- The maximum number of retries for the default backoff strategy before it gives up.
- - name: VSECM_BACKOFF_MAX_RETRIES
- value: "10"
- # -- The maximum wait time (in milliseconds) for the default backoff strategy.
- - name: VSECM_BACKOFF_MAX_WAIT
- value: "10000"
- # -- The backoff mode. The default is "exponential".
- # Allowed values: "exponential", "linear"
- - name: VSECM_BACKOFF_MODE
- value: "exponential"
- # -- The log level. 0: Logs are off (only audit events will be logged),
- # 7: TRACE level logging (maximum verbosity).
- - name: VSECM_LOG_LEVEL
- value: "7"
- # -- Useful for debugging. This will log cryptographic fingerprints of
- # secrets without revealing the secret itself. It is recommended to keep
- # this "false" in production.
- - name: VSECM_LOG_SECRET_FINGERPRINTS
- value: "false"
- # -- The port that the liveness probe listens on.
- - name: VSECM_PROBE_LIVENESS_PORT
- value: ":8081"
- # -- Enable or disable OIDC resource server.
When enabled, VSecM Sentinel will
- # act as an OIDC resource server. Note that exposing VSecM Sentinel's functionality
- # through a server significantly alters the attack surface, and the decision
- # should be considered carefully. This option will create a RESTful API around VSecM
- # Sentinel. Since VSecM Sentinel is the main entry point to the system, the
- # server's security is important. Ideally, do not expose this server to the
- # public Internet and protect it with tight security controls.
- - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER
- value: "false"
- # -- The path where the initialization commands are mounted.
- - name: VSECM_SENTINEL_INIT_COMMAND_PATH
- value: "/opt/vsecm-sentinel/init/data"
- # -- The amount of time to wait (in milliseconds) after all
- # initialization commands are executed.
- - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE
- value: "0"
- # -- The amount of time to wait (in milliseconds) before executing the
- # initialization commands.
- - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC
- value: "0"
- # -- VSecM Sentinel uses a gRPC logger to log audit events. This is the URL of the
- # gRPC logger.
- - name: VSECM_SENTINEL_LOGGER_URL
- value: "localhost:50051"
- # -- The OIDC provider's base URL. This is the URL that VSecM Sentinel will use to
- # introspect the token.
- - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL
- value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect"
- # -- The prefix to hint to generate secrets randomly based on regex-like patterns.
- - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX
- value: "gen:"
-
-# Override it with an image pull secret that you need as follows:
-# imagePullSecrets:
-# - name: my-registry-secret
-imagePullSecrets: []
-
-# -- The name override of the chart.
-nameOverride: ""
-# -- The fullname override of the chart.
-fullnameOverride: ""
-
-# -- The service account to use.
-serviceAccount:
- # -- Specifies whether a service account should be created
- create: true
- # -- Annotations to add to the service account
- annotations: {}
- # -- The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: "vsecm-sentinel"
-
-# -- Additional pod annotations.
-podAnnotations: {}
-
-# -- Pod security context overrides.
-podSecurityContext: {}
- # fsGroup: 2000
-
-resources:
- # These are default requests that can be used as a starting point.
- # Of course, benchmark your production system to determine the actual
- # requests you need.
- requests:
- memory: "20Mi"
- cpu: "5m"
-
-# -- Autoscaling settings. Note that autoscaling does not make sense for VSecM
-# Sentinel as it is a control plane component that is mainly used as a CLI
-# tool. It is not a server that is expected to be running all the time.
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-# -- The custom initialization commands that will be executed by the VSecM
-# Sentinel during its initial bootstrapping. The commands are executed in the
-# order they are provided. See the official documentation for more information:
-# https://vsecm.com/configuration
-initCommand:
- # -- Specifies whether the custom initialization commands are enabled.
- # If set to 'false', the custom initialization commands will not be executed.
- enabled: true
-
- # Add any initialization command here, separated by a line with only "--"
- # The command stanza MUST end with a "--".
- command: |
- exit:true
- --
-
- # Example:
- # --------
- #
- # sleep:30001
- # --
- # w:keycloak-admin-secret,keycloak-db-secret
- # n:smo-app,web-app
- # s:gen:{"username":"admin-[a-z0-9]{6}","password":"[a-zA-Z0-9]{12}"}
- # t:{"KEYCLOAK_ADMIN_USER":"{{.username}}","KEYCLOAK_ADMIN_PASSWORD":"{{.password}}"}
- # --
- # w:k8s:keycloak-db-secret
- # n:smo-app
- # s:gen:{"username":"admin-[a-z0-9]{6}","password":"[a-zA-Z0-9]{12}"}
- # t:{"KEYCLOAK_DB_USER":"{{.username}}","KEYCLOAK_DB_PASSWORD":"{{.password}}"}
- # --
- # sleep:5000
- # --
- # w:keycloak
- # n:default
- # s:trigger-init
- # --
diff --git a/helm-charts/0.27.3/charts/spire/.helmignore b/helm-charts/0.27.3/charts/spire/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/helm-charts/0.27.3/charts/spire/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/helm-charts/0.27.3/charts/spire/Chart.yaml b/helm-charts/0.27.3/charts/spire/Chart.yaml
deleted file mode 100644
index 937f9589..00000000
--- a/helm-charts/0.27.3/charts/spire/Chart.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v2
-name: spire
-description: Helm chart for spire
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.27.3
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "0.27.3"
diff --git a/helm-charts/0.27.3/charts/spire/README.md b/helm-charts/0.27.3/charts/spire/README.md
deleted file mode 100644
index 87c09545..00000000
--- a/helm-charts/0.27.3/charts/spire/README.md
+++ /dev/null
@@ -1,37 +0,0 @@ -# spire - -![Version: 0.27.3](https://img.shields.io/badge/Version-0.27.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.3](https://img.shields.io/badge/AppVersion-0.27.3-informational?style=flat-square) - -Helm chart for spire - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| data | object | `{"persistent":true,"persistentVolumeClaim":{"accessMode":"ReadWriteOnce","size":"1Gi","storageClass":""}}` | Persistence settings for the SPIRE Server. | -| data.persistent | bool | `true` | Persistence is enabled by default. However, you are recommended to provide your own storage class if you are using a cloud provider or a storage solution that supports dynamic provisioning. | -| data.persistentVolumeClaim | object | `{"accessMode":"ReadWriteOnce","size":"1Gi","storageClass":""}` | Define the PVC if `persistent` is true. | -| enableSpireMintedDefaultClusterSpiffeIds | bool | `false` | SPIRE assigns a default Cluster SPIFFE ID to all workloads in the cluster. The SPIFFEID SPIRE assigns by default is not aligned with the SPIFFE ID format that VSecM Safe expects. Also, you might not want SPIRE to assign SPIFFE IDs to every single workload you have in your cluster if you are not using SPIRE to attest those workloads. Therefore, this option is set to false by default. If you set this to true, make sure you update `safeSpiffeIdTemplate` `sentinelSpiffeIdTemplate`, `keystoneSpiffeIdTemplate`, `workloadNameRegExp`, `workloadSpiffeIdPrefix`, `safeSpiffeIdPrefix`, `sentinelSpiffeIdPrefix` and other relevant configurations to match with what SPIRE assigns. | -| experimental | object | `{"eventsBasedCache":false}` | Experimental settings. | -| experimental.eventsBasedCache | bool | `false` | eventsBasedCache is known to significantly improve SPIRE Server performance. It is set to `false` by default, just in case. 
| -| fullnameOverride | string | `""` | The fullname override of the chart. | -| imagePullSecrets | list | `[]` | Override it with an image pull secret that you need as follows: imagePullSecrets: - name: my-registry-secret | -| nameOverride | string | `""` | The name override of the chart. | -| resources | object | `{"agent":{"requests":{"cpu":"50m","memory":"512Mi"}},"server":{"requests":{"cpu":"100m","memory":"1Gi"}},"spiffeCsiDriver":{"requests":{"cpu":"50m","memory":"128Mi"}}}` | These are the default resources suitable for a moderate SPIRE usage. Of course, it's best to do your own benchmarks and update these requests and limits to your production needs accordingly. That being said, as a rule of thumb, do not limit the CPU request on SPIRE Agent and SPIRE server. It's best to let them leverage the available excess CPU, if available. | -| resources.agent | object | `{"requests":{"cpu":"50m","memory":"512Mi"}}` | SPIRE Agent resource requests and limits. | -| resources.server | object | `{"requests":{"cpu":"100m","memory":"1Gi"}}` | SPIRE Server resource requests and limits. | -| resources.spiffeCsiDriver | object | `{"requests":{"cpu":"50m","memory":"128Mi"}}` | SPIFFE CSI Driver resource requests and limits. | -| spireAgent | object | `{"hostSocketDir":"/run/spire/agent-sockets","internalAdminSocketDir":"/tmp/spire-agent/private","internalPublicSocketDir":"/tmp/spire-agent/public","socketName":"spire-agent.sock"}` | SPIRE Agent settings. | -| spireAgent.hostSocketDir | string | `"/run/spire/agent-sockets"` | The corresponding SPIRE Agent socket directory on the host. SPIRE Agents and SPIFFE CSI Driver shares this directory. | -| spireAgent.internalAdminSocketDir | string | `"/tmp/spire-agent/private"` | The corresponding SPIRE Agent internal admin directory in the container. The configuration should match the SPIRE Agent configuration and SPIRE Agent DaemonSet. You are advised not to change this value. 
| -| spireAgent.internalPublicSocketDir | string | `"/tmp/spire-agent/public"` | The corresponding SPIRE Agent internal socket directory in the container. The configuration should match the SPIRE Agent configuration and SPIRE Agent DaemonSet. | -| spireAgent.socketName | string | `"spire-agent.sock"` | The SPIRE Agent socket name. | -| spireServer | object | `{"configDir":"/run/spire/config","dataDir":"/run/spire/data","privateSocketDir":"/tmp/spire-server/private","service":{"type":"ClusterIP"}}` | SPIRE Server settings. | -| spireServer.configDir | string | `"/run/spire/config"` | The configuration directory for the SPIRE Server. | -| spireServer.dataDir | string | `"/run/spire/data"` | The data directory for the SPIRE Server. SPIRE Server’s ConfigMap and StatefulSet should agree on this directory. | -| spireServer.privateSocketDir | string | `"/tmp/spire-server/private"` | The private socket directory for the SPIRE Server. SPIRE Server’s ConfigMap and StatefulSet should agree on this directory. | -| spireServer.service | object | `{"type":"ClusterIP"}` | Service details for the SPIRE Server. | -| spireServer.service.type | string | `"ClusterIP"` | Service type. Possible values are: ClusterIP, NodePort, LoadBalancer. Defaults to `ClusterIP`. | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/helm-charts/0.27.3/charts/spire/templates/_helpers.tpl b/helm-charts/0.27.3/charts/spire/templates/_helpers.tpl deleted file mode 100644 index bfccb818..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/_helpers.tpl +++ /dev/null 
@@ -1,61 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{/* -Expand the name of the chart. -*/}} -{{- define "spire.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "spire.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "spire.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "spire.labels" -}} -helm.sh/chart: {{ include "spire.chart" . }} -{{ include "spire.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "spire.selectorLabels" -}} -app.kubernetes.io/name: {{ include "spire.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} 
diff --git a/helm-charts/0.27.3/charts/spire/templates/clusterrole-spire-agent.yaml b/helm-charts/0.27.3/charts/spire/templates/clusterrole-spire-agent.yaml deleted file mode 100644 index ddda58ac..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/clusterrole-spire-agent.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Required cluster role to allow spire-agent to query k8s API server -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent -rules: - - apiGroups: [""] - resources: - - pods - - nodes - - nodes/proxy - verbs: ["get"] diff --git a/helm-charts/0.27.3/charts/spire/templates/clusterrole-spire-server-spire-controller-manager.yaml b/helm-charts/0.27.3/charts/spire/templates/clusterrole-spire-server-spire-controller-manager.yaml deleted file mode 100644 index 2755cef5..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/clusterrole-spire-server-spire-controller-manager.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spire-server-spire-controller-manager -rules: - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "patch", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/status"] - verbs: ["get", "patch", "update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids/status"] - verbs: ["get", "patch", "update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterstaticentries"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterstaticentries/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterstaticentries/status"] - verbs: ["get", "patch", "update"] 
diff --git a/helm-charts/0.27.3/charts/spire/templates/clusterrole-spire-server-spire-server.yaml b/helm-charts/0.27.3/charts/spire/templates/clusterrole-spire-server-spire-server.yaml deleted file mode 100644 index c4e288f1..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/clusterrole-spire-server-spire-server.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# ClusterRole to allow spire-server node attestor to query Token Review API -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-spire-server -rules: -{{- if .Values.global.enableOpenShift }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["get", "create"] -{{- else }} - - apiGroups: [""] - resources: [nodes, pods] - verbs: ["get", "list"] - - apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: ["get", "watch", "list", "create"] -{{- end }} diff --git a/helm-charts/0.27.3/charts/spire/templates/clusterrolebinding-spire-agent.yaml b/helm-charts/0.27.3/charts/spire/templates/clusterrolebinding-spire-agent.yaml deleted file mode 100644 index c02d04ea..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/clusterrolebinding-spire-agent.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Binds SPIRE Agent Cluster Role to spire-agent service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent -subjects: - - kind: ServiceAccount - name: spire-agent - namespace: {{ .Values.global.spire.namespace }} -roleRef: - kind: ClusterRole - name: spire-agent - apiGroup: rbac.authorization.k8s.io diff --git a/helm-charts/0.27.3/charts/spire/templates/clusterrolebinding-spire-server-spire-controller-manager.yaml b/helm-charts/0.27.3/charts/spire/templates/clusterrolebinding-spire-server-spire-controller-manager.yaml deleted file mode 100644 index 350b095b..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/clusterrolebinding-spire-server-spire-controller-manager.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: spire-server-spire-controller-manager -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: spire-server-spire-controller-manager -subjects: - - kind: ServiceAccount - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} diff --git a/helm-charts/0.27.3/charts/spire/templates/clusterrolebinding-spire-server-spire-server.yaml b/helm-charts/0.27.3/charts/spire/templates/clusterrolebinding-spire-server-spire-server.yaml deleted file mode 100644 index 53f50c8e..00000000 
--- a/helm-charts/0.27.3/charts/spire/templates/clusterrolebinding-spire-server-spire-server.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Binds spire-server-spire-server cluster role to spire-agent service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-spire-server - -subjects: - - kind: ServiceAccount - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} -roleRef: - kind: ClusterRole - name: spire-server-spire-server - apiGroup: rbac.authorization.k8s.io diff --git a/helm-charts/0.27.3/charts/spire/templates/clusterspiffeid-spire-server-spire-default.yaml b/helm-charts/0.27.3/charts/spire/templates/clusterspiffeid-spire-server-spire-default.yaml deleted file mode 100644 index ef8db644..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/clusterspiffeid-spire-server-spire-default.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{- if .Values.enableSpireMintedDefaultClusterSpiffeIds }} -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: spire-server-spire-default -spec: - className: {{ .Values.global.spire.controllerManagerClassName | quote }} - spiffeIDTemplate: "spiffe://{{"{{"}} .TrustDomain {{"}}"}}/ns/{{"{{"}} .PodMeta.Namespace {{"}}"}}/sa/{{"{{"}} .PodSpec.ServiceAccountName {{"}}"}}" - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - spire-server - - spire-system - - vsecm-system -{{- end }} \ No newline at end of file diff --git a/helm-charts/0.27.3/charts/spire/templates/clusterspiffeid-spire-server-spire-test-keys.yaml b/helm-charts/0.27.3/charts/spire/templates/clusterspiffeid-spire-server-spire-test-keys.yaml deleted file mode 100644 index 38f5582d..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/clusterspiffeid-spire-server-spire-test-keys.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: spire-server-spire-test-keys -spec: - className: {{ .Values.global.spire.controllerManagerClassName | quote }} - spiffeIDTemplate: "spiffe://{{"{{"}} .TrustDomain {{"}}"}}/ns/{{"{{"}} .PodMeta.Namespace {{"}}"}}/sa/{{"{{"}} .PodSpec.ServiceAccountName {{"}}"}}" - podSelector: - matchLabels: - component: test-keys - release: spire - release-namespace: {{ .Values.global.spire.serverNamespace }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - - spire-server - - spire-system - - vsecm-system diff --git a/helm-charts/0.27.3/charts/spire/templates/configmap-spire-agent.yaml b/helm-charts/0.27.3/charts/spire/templates/configmap-spire-agent.yaml deleted file mode 100644 index ebac0aec..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/configmap-spire-agent.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-agent - namespace: {{ .Values.global.spire.namespace }} -data: - agent.conf: | - { - "agent": { - "data_dir": "/run/spire", - "log_level": "info", - "retry_bootstrap": true, - "server_address": "spire-server.spire-server", - "server_port": "443", - "socket_path": "{{ .Values.spireAgent.internalPublicSocketDir }}/{{ .Values.spireAgent.socketName }}", - "trust_bundle_path": "/run/spire/bundle/bundle.crt", - "trust_domain": "vsecm.com" - }, - "health_checks": { - "bind_address": "0.0.0.0", - "bind_port": "9982", - "listener_enabled": true, - "live_path": "/live", - "ready_path": "/ready" - }, - "plugins": { - "KeyManager": [ - { - "memory": { - "plugin_data": null - } - } - ], - "NodeAttestor": [ - { - "k8s_psat": { - "plugin_data": { - "cluster": "vsecm-cluster" - } - } - } - ], - "WorkloadAttestor": [ - { - "k8s": { - "plugin_data": { - "disable_container_selectors": false, - "skip_kubelet_verification": true, - "use_new_container_locator": false, - "verbose_container_locator_logs": false - } - } - } - ] - }, - "telemetry": [ - { - "Prometheus": [ - { - "host": "0.0.0.0", - "port": 9988 - } - ] - } - ] - } \ No newline at end of file diff --git a/helm-charts/0.27.3/charts/spire/templates/configmap-spire-bundle.yaml b/helm-charts/0.27.3/charts/spire/templates/configmap-spire-bundle.yaml deleted file mode 100644 index 7cb7656c..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/configmap-spire-bundle.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-bundle - namespace: {{ .Values.global.spire.namespace }} diff --git a/helm-charts/0.27.3/charts/spire/templates/configmap-spire-controller-manager.yaml b/helm-charts/0.27.3/charts/spire/templates/configmap-spire-controller-manager.yaml deleted file mode 100644 index 72bbed59..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/configmap-spire-controller-manager.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-controller-manager - namespace: {{ .Values.global.spire.serverNamespace }} -data: - controller-manager-config.yaml: | - - apiVersion: spire.spiffe.io/v1alpha1 - kind: ControllerManagerConfig - metadata: - name: spire-controller-manager - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - metrics: - bindAddress: 0.0.0.0:8082 - health: - healthProbeBindAddress: 0.0.0.0:8083 - leaderElection: - leaderElect: true - resourceName: 6f304bd2.spiffe.io - resourceNamespace: {{ .Values.global.spire.serverNamespace }} - validatingWebhookConfigurationName: spire-server-spire-controller-manager-webhook - entryIDPrefix: vsecm-cluster - clusterName: vsecm-cluster - trustDomain: vsecm.com - ignoreNamespaces: - - kube-system - - kube-public - - local-path-storage - - openshift-cluster-node-tuning-operator - - openshift-cluster-samples-operator - - openshift-cluster-storage-operator - - openshift-console-operator - - openshift-console - - openshift-dns - - openshift-dns-operator - - openshift-image-registry - - openshift-ingress - - openshift-kube-storage-version-migrator - - openshift-kube-storage-version-migrator-operator - - openshift-kube-proxy - - openshift-marketplace - - openshift-monitoring - - openshift-multus - - openshift-network-diagnostics - - openshift-network-operator - - openshift-operator-lifecycle-manager - - openshift-roks-metrics - - openshift-service-ca-operator - - openshift-service-ca - - 
ibm-odf-validation-webhook - - ibm-system - spireServerSocketPath: "{{ .Values.spireServer.privateSocketDir }}/api.sock" - className: {{ .Values.global.spire.controllerManagerClassName | quote }} - watchClassless: false - parentIDTemplate: "spiffe://{{"{{"}} .TrustDomain {{"}}"}}/spire/agent/k8s_psat/{{"{{"}} .ClusterName {{"}}"}}/{{"{{"}} .NodeMeta.UID {{"}}"}}" - reconcile: - clusterSPIFFEIDs: true - clusterStaticEntries: true - clusterFederatedTrustDomains: true diff --git a/helm-charts/0.27.3/charts/spire/templates/configmap-spire-server.yaml b/helm-charts/0.27.3/charts/spire/templates/configmap-spire-server.yaml deleted file mode 100644 index 11445520..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/configmap-spire-server.yaml +++ /dev/null 
@@ -1,118 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} -data: - server.conf: | - { - "health_checks": { - "bind_address": "0.0.0.0", - "bind_port": "8080", - "listener_enabled": true, - "live_path": "/live", - "ready_path": "/ready" - }, - "plugins": { - "DataStore": [ - { - "sql": { - "plugin_data": { - "connection_string": "/run/spire/data/datastore.sqlite3", - "database_type": "sqlite3" - } - } - } - ], - "KeyManager": [ - { - "disk": { - "plugin_data": { - "keys_path": "/run/spire/data/keys.json" - } - } - } - ], - "NodeAttestor": [ - { - "k8s_psat": { - "plugin_data": { - "clusters": [ - { - "vsecm-cluster": { - "allowed_node_label_keys": [], - "allowed_pod_label_keys": [], - "audience": [ - "spire-server" - ], - "service_account_allow_list": [ - "spire-system:spire-agent" - ] - } - } - ] - } - } - } - ], - "Notifier": [ - { - "k8sbundle": { - "plugin_data": { - "config_map": "spire-bundle", - "namespace": "spire-system" - } - } - } - ] - }, - "server": { -{{- if .Values.experimental.eventsBasedCache }} - "experimental": { - "events_based_cache": true - }, -{{- end }} - "audit_log_enabled": false, - "bind_address": "0.0.0.0", - "bind_port": "8081", - "ca_key_type": "rsa-2048", - "ca_subject": [ - { - "common_name": "aegist.ist", - "country": [ - "US" - ], - "organization": [ - "vsecm.com" - ] - } - ], - "ca_ttl": "24h", - "data_dir": "/run/spire/data", - "default_jwt_svid_ttl": "1h", - "default_x509_svid_ttl": "4h", - "jwt_issuer": "https://oidc-discovery.vsecm.com", - "log_level": "info", - "trust_domain": "vsecm.com" - }, - "telemetry": [ - { - "Prometheus": [ - { - "host": "0.0.0.0", - "port": 
9988 - } - ] - } - ] - } diff --git a/helm-charts/0.27.3/charts/spire/templates/daemonset-spire-agent.yaml b/helm-charts/0.27.3/charts/spire/templates/daemonset-spire-agent.yaml deleted file mode 100644 index 24f05a0f..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/daemonset-spire-agent.yaml +++ /dev/null 
@@ -1,170 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: spire-agent - namespace: {{ .Values.global.spire.namespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: agent - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: default -spec: - selector: - matchLabels: - app.kubernetes.io/name: agent - app.kubernetes.io/instance: spire - app.kubernetes.io/component: default - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: spire-agent - checksum/config: 2ad907b85aad20064f4cbf04be0f3bf500bbe6a43f76c82c48eda97306352008 - labels: - app.kubernetes.io/name: agent - app.kubernetes.io/instance: spire - app.kubernetes.io/component: default - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . 
| nindent 8 }} -{{- end }} - - hostPID: true - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: spire-agent - securityContext: -{{- if .Values.global.enableOpenShift }} - fsGroupChangePolicy: OnRootMismatch -{{- else }} - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 - {{- end }} - priorityClassName: system-node-critical - initContainers: - - name: ensure-alternate-names - image: "{{ .Values.global.images.spireHelperBash.repository }}:{{ .Values.global.images.spireHelperBash.tag }}" - imagePullPolicy: {{ .Values.global.images.spireHelperBash.pullPolicy }} - command: ["bash", "-xc"] - args: - - | - cd {{ .Values.spireAgent.hostSocketDir }} - L=`readlink socket` - [ "x$L" != "x{{ .Values.spireAgent.socketName }}" ] && rm -f socket - [ ! -L socket ] && ln -s {{ .Values.spireAgent.socketName }} socket - L=`readlink api.sock` - [ "x$L" != "x{{ .Values.spireAgent.socketName }}" ] && rm -f api.sock - [ ! -L api.sock ] && ln -s {{ .Values.spireAgent.socketName }} api.sock - [ -L {{ .Values.spireAgent.socketName }} ] && rm -f {{ .Values.spireAgent.socketName }} - exit 0 - resources: - {} - volumeMounts: - - name: spire-agent-socket-dir - mountPath: {{ .Values.spireAgent.hostSocketDir }} - securityContext: - runAsUser: 0 - runAsGroup: 0 -{{- if not .Values.global.enableOpenShift }} - - name: fsgroupfix - image: "{{ .Values.global.images.spireHelperBash.repository }}:{{ .Values.global.images.spireHelperBash.tag }}" - imagePullPolicy: {{ .Values.global.images.spireHelperBash.pullPolicy }} - command: ["bash", "-c"] - args: - - "chown -R 1000:1000 {{ .Values.spireAgent.hostSocketDir }} {{ .Values.spireAgent.internalAdminSocketDir }}" - resources: - {} - volumeMounts: - - name: spire-agent-socket-dir - mountPath: {{ .Values.spireAgent.hostSocketDir }} - - name: spire-agent-admin-socket-dir - mountPath: {{ .Values.spireAgent.internalAdminSocketDir }} - securityContext: - runAsUser: 0 - runAsGroup: 0 -{{- end }} 
- containers: - - name: spire-agent - image: "{{ .Values.global.images.spireAgent.repository }}:{{ .Values.global.images.spireAgent.tag }}" - imagePullPolicy: {{ .Values.global.images.spireAgent.pullPolicy }} - args: ["-config", "/opt/spire/conf/agent/agent.conf"] - securityContext: - {} - env: - - name: PATH - value: "/opt/spire/bin:/bin" -{{- if .Values.global.enableOpenShift }} - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName -{{- end}} - ports: - - containerPort: 9982 - name: healthz - - containerPort: 9988 - name: prom - volumeMounts: - - name: spire-config - mountPath: /opt/spire/conf/agent - readOnly: true - - name: spire-bundle - mountPath: /run/spire/bundle - readOnly: true - - name: spire-agent-socket-dir - mountPath: {{ .Values.spireAgent.internalPublicSocketDir }} - readOnly: false - - name: spire-token - mountPath: /var/run/secrets/tokens - livenessProbe: - httpGet: - path: /live - port: healthz - initialDelaySeconds: 15 - periodSeconds: 60 - readinessProbe: - httpGet: - path: /ready - port: healthz - initialDelaySeconds: 10 - periodSeconds: 30 - resources: - {} - volumes: - - name: spire-config - configMap: - name: spire-agent - - name: spire-agent-admin-socket-dir - emptyDir: {} - - name: spire-bundle - configMap: - name: spire-bundle - - name: spire-token - projected: - sources: - - serviceAccountToken: - path: spire-agent - expirationSeconds: 7200 - audience: spire-server - - name: spire-agent-socket-dir - hostPath: - path: {{ .Values.spireAgent.hostSocketDir }} - type: DirectoryOrCreate diff --git a/helm-charts/0.27.3/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml b/helm-charts/0.27.3/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml deleted file mode 100644 index a07d7949..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml +++ /dev/null 
@@ -1,155 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: spire-spiffe-csi-driver - namespace: {{ .Values.global.spire.namespace }} - labels: - hhelm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: spiffe-csi-driver - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "0.2.3" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: spiffe-csi-driver - app.kubernetes.io/instance: spire - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - labels: - app.kubernetes.io/name: spiffe-csi-driver - app.kubernetes.io/instance: spire - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - - serviceAccountName: spire-spiffe-csi-driver - - priorityClassName: system-node-critical -{{- if .Values.global.enableOpenShift }} - initContainers: - - name: set-context - command: - - chcon - - '-Rvt' - - container_file_t - - spire-agent-socket/ - image: "{{ .Values.global.images.openShiftHelperUbi9.repository }}/{{ .Values.global.images.openShiftHelperUbi9.tag }}" - imagePullPolicy: {{ .Values.global.images.openShiftHelperUbi9.pullPolicy }} - securityContext: - capabilities: - drop: - - all - privileged: true - volumeMounts: - - name: spire-agent-socket-dir - mountPath: /spire-agent-socket - terminationMessagePolicy: File - terminationMessagePath: /dev/termination-log -{{- end }} - containers: - # This is the container which runs the SPIFFE CSI driver. 
- - name: spiffe-csi-driver - image: "{{ .Values.global.images.spiffeCsiDriver.repository }}:{{ .Values.global.images.spiffeCsiDriver.tag }}" - imagePullPolicy: {{ .Values.global.images.spiffeCsiDriver.pullPolicy }} - args: [ - "-workload-api-socket-dir", "/spire-agent-socket", - "-plugin-name", "csi.spiffe.io", - "-csi-socket-path", "/spiffe-csi/csi.sock", - ] - env: - # The CSI driver needs a unique node ID. The node name can be - # used for this purpose. - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - # The volume containing the SPIRE agent socket. The SPIFFE CSI - # driver will mount this directory into containers. - - mountPath: /spire-agent-socket - name: spire-agent-socket-dir - readOnly: true - # The volume that will contain the CSI driver socket shared - # with the kubelet and the driver registrar. - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The volume containing mount points for containers. - - mountPath: /var/lib/kubelet/pods - mountPropagation: Bidirectional - name: mountpoint-dir - securityContext: - readOnlyRootFilesystem: true - capabilities: - drop: - - all - privileged: true - resources: - {} - # This container runs the CSI Node Driver Registrar which takes care - # of all the little details required to register a CSI driver with - # the kubelet. 
- - name: node-driver-registrar - image: "{{ .Values.global.images.nodeDriverRegistrar.repository }}:{{ .Values.global.images.nodeDriverRegistrar.tag }}" - imagePullPolicy: {{ .Values.global.images.nodeDriverRegistrar.pullPolicy }} - args: [ - "-csi-address", "/spiffe-csi/csi.sock", - "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", - "-health-port", "9809" - ] - volumeMounts: - # The registrar needs access to the SPIFFE CSI driver socket - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The registrar needs access to the Kubelet plugin registration - # directory - - name: kubelet-plugin-registration-dir - mountPath: /registration - ports: - - containerPort: 9809 - name: healthz - livenessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 5 - timeoutSeconds: 5 - resources: - {} - volumes: - - name: spire-agent-socket-dir - hostPath: - path: {{ .Values.spireAgent.hostSocketDir }} - type: DirectoryOrCreate - # This volume is where the socket for kubelet->driver communication lives - - name: spiffe-csi-socket-dir - hostPath: - path: /var/lib/kubelet/plugins/csi.spiffe.io - type: DirectoryOrCreate - # This volume is where the SPIFFE CSI driver mounts volumes - - name: mountpoint-dir - hostPath: - path: /var/lib/kubelet/pods - type: Directory - # This volume is where the node-driver-registrar registers the plugin - # with kubelet - - name: kubelet-plugin-registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry - type: Directory \ No newline at end of file diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-clusterrole-spire-server-post-install.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-clusterrole-spire-server-post-install.yaml deleted file mode 100644 index c36af7f1..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-clusterrole-spire-server-post-install.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spire-server-post-install - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -rules: - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - resourceNames: ["spire-server-spire-controller-manager-webhook"] - verbs: ["get", "patch"] diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-clusterrole-spire-server-post-upgrade.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-clusterrole-spire-server-post-upgrade.yaml deleted file mode 100644 index 9ed33674..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-clusterrole-spire-server-post-upgrade.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spire-server-post-upgrade - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -rules: - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - resourceNames: ["spire-server-spire-controller-manager-webhook"] - verbs: ["get", "patch"] 
diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-clusterrole-spire-server-pre-upgrade.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-clusterrole-spire-server-pre-upgrade.yaml deleted file mode 100644 index 9a138035..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-clusterrole-spire-server-pre-upgrade.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spire-server-pre-upgrade - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -rules: - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - resourceNames: ["spire-server-spire-controller-manager-webhook"] - verbs: ["get", "patch"] diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-clusterrolebinding-spire-server-post-install.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-clusterrolebinding-spire-server-post-install.yaml deleted file mode 100644 index 822bb3ce..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-clusterrolebinding-spire-server-post-install.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-post-install - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -subjects: - - kind: ServiceAccount - name: spire-server-post-install - namespace: {{ .Values.global.spire.serverNamespace }} -roleRef: - kind: ClusterRole - name: spire-server-post-install - apiGroup: rbac.authorization.k8s.io diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-clusterrolebinding-spire-server-post-upgrade.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-clusterrolebinding-spire-server-post-upgrade.yaml deleted file mode 100644 index fe2cbc33..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-clusterrolebinding-spire-server-post-upgrade.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-post-upgrade - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -subjects: - - kind: ServiceAccount - name: spire-server-post-upgrade - namespace: {{ .Values.global.spire.serverNamespace }} -roleRef: - kind: ClusterRole - name: spire-server-post-upgrade - apiGroup: rbac.authorization.k8s.io 
diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-clusterrolebinding-spire-server-pre-upgrade.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-clusterrolebinding-spire-server-pre-upgrade.yaml deleted file mode 100644 index cbedded1..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-clusterrolebinding-spire-server-pre-upgrade.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-pre-upgrade - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -subjects: - - kind: ServiceAccount - name: spire-server-pre-upgrade - namespace: {{ .Values.global.spire.serverNamespace }} -roleRef: - kind: ClusterRole - name: spire-server-pre-upgrade - apiGroup: rbac.authorization.k8s.io diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-job-spire-server-post-install.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-job-spire-server-post-install.yaml deleted file mode 100644 index c1637b5f..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-job-spire-server-post-install.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: batch/v1 -kind: Job -metadata: - name: spire-server-post-install - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -spec: - template: - metadata: - name: spire-server-post-install - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - - restartPolicy: Never - serviceAccountName: spire-server-post-install - securityContext: -{{- if .Values.global.enableOpenShift }} - fsGroupChangePolicy: OnRootMismatch -{{- else }} - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 -{{- end }} - - containers: - - name: post-install-job - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "{{ .Values.global.images.spireHelperKubectl.repository }}:{{ .Values.global.images.spireHelperKubectl.tag }}" - imagePullPolicy: {{ .Values.global.images.spireHelperKubectl.pullPolicy }} - args: - - patch - - validatingwebhookconfiguration - - spire-server-spire-controller-manager-webhook - - --type=strategic - - -p - - | - { - "webhooks":[ - { - "name":"vclusterspiffeid.kb.io", - "failurePolicy":"Fail" - }, - { - "name":"vclusterfederatedtrustdomain.kb.io", - "failurePolicy":"Fail" - } - ] - } 
diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml deleted file mode 100644 index b4d4f3d6..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: batch/v1 -kind: Job -metadata: - name: spire-server-post-upgrade - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -spec: - template: - metadata: - name: spire-server-post-upgrade - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - - restartPolicy: Never - serviceAccountName: spire-server-post-upgrade - securityContext: -{{- if .Values.global.enableOpenShift }} - fsGroupChangePolicy: OnRootMismatch -{{- else }} - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 -{{- end }} - containers: - - name: post-upgrade-job - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "{{ .Values.global.images.spireHelperKubectl.repository }}:{{ .Values.global.images.spireHelperKubectl.tag }}" - imagePullPolicy: {{ .Values.global.images.spireHelperKubectl.pullPolicy }} - args: - - patch - - validatingwebhookconfiguration - - spire-server-spire-controller-manager-webhook - - --type=strategic - - -p - - | - { - "webhooks":[ - { - "name":"vclusterspiffeid.kb.io", - "failurePolicy":"Fail" - }, - { - "name":"vclusterfederatedtrustdomain.kb.io", - "failurePolicy":"Fail" - } - ] - } 
diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml deleted file mode 100644 index 294029e9..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: batch/v1 -kind: Job -metadata: - name: spire-server-pre-upgrade - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -spec: - template: - metadata: - name: spire-server-pre-upgrade - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - - restartPolicy: Never - serviceAccountName: spire-server-pre-upgrade - securityContext: -{{- if .Values.global.enableOpenShift }} - fsGroupChangePolicy: OnRootMismatch -{{- else }} - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 -{{- end }} - containers: - - name: post-install-job - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "{{ .Values.global.images.spireHelperKubectl.repository }}:{{ .Values.global.images.spireHelperKubectl.tag }}" - imagePullPolicy: {{ .Values.global.images.spireHelperKubectl.pullPolicy }} - args: - - patch - - validatingwebhookconfiguration - - spire-server-spire-controller-manager-webhook - - --type=strategic - - -p - - | - { - "webhooks":[ - { - "name":"vclusterspiffeid.kb.io", - "failurePolicy":"Ignore" - }, - { - "name":"vclusterfederatedtrustdomain.kb.io", - "failurePolicy":"Ignore" - } - ] - } 
diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml deleted file mode 100644 index 25c2931d..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - name: "csi.spiffe.io" - annotations: - "helm.sh/hook": pre-install -{{- if .Values.global.enableOpenShift }} - labels: - security.openshift.io/csi-ephemeral-volume-profile: restricted -{{- end }} - -spec: - # Only ephemeral, inline volumes are supported. There is no need for a - # controller to provision and attach volumes. - attachRequired: false - - # Request the pod information which the CSI driver uses to verify that an - # ephemeral mount was requested. - podInfoOnMount: true - - # Don't change ownership on the contents of the mount since the Workload API - # Unix Domain Socket is typically open to all (i.e. 0777). - fsGroupPolicy: None - - # Declare support for ephemeral volumes only. - volumeLifecycleModes: - - Ephemeral diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml deleted file mode 100644 index c2cc528f..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{- if .Values.global.preInstallSpireNamespaces }} -apiVersion: v1 -kind: Namespace -metadata: - name: spire-system - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - {{- if .Values.global.enableOpenShift }} - security.openshift.io/scc.podSecurityLabelSync: "false" - {{- end }} - annotations: - "helm.sh/hook": pre-install -{{- end }} \ No newline at end of file diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml deleted file mode 100644 index 6e296316..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{- if .Values.global.preInstallSpireNamespaces }} -apiVersion: v1 -kind: Namespace -metadata: - name: spire-server - labels: - pod-security.kubernetes.io/audit: restricted - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/warn: restricted -{{- if .Values.global.enableOpenShift }} - security.openshift.io/scc.podSecurityLabelSync: "false" -{{- end }} - annotations: - "helm.sh/hook": pre-install -{{- end }} \ No newline at end of file 
diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-serviceaccount-spire-server-post-install.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-serviceaccount-spire-server-post-install.yaml deleted file mode 100644 index c3d9d26b..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-serviceaccount-spire-server-post-install.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server-post-install - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-serviceaccount-spire-server-post-upgrade.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-serviceaccount-spire-server-post-upgrade.yaml deleted file mode 100644 index 85708dd9..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-serviceaccount-spire-server-post-upgrade.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server-post-upgrade - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed diff --git a/helm-charts/0.27.3/charts/spire/templates/hook-serviceaccount-spire-server-pre-upgrade.yaml b/helm-charts/0.27.3/charts/spire/templates/hook-serviceaccount-spire-server-pre-upgrade.yaml deleted file mode 100644 index e638b441..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/hook-serviceaccount-spire-server-pre-upgrade.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server-pre-upgrade - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed 
diff --git a/helm-charts/0.27.3/charts/spire/templates/openshift-security-context-constraints.yaml b/helm-charts/0.27.3/charts/spire/templates/openshift-security-context-constraints.yaml deleted file mode 100644 index 8e34b4c0..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/openshift-security-context-constraints.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{- if .Values.global.enableOpenShift }} -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - name: spire-spiffe-csi-driver -readOnlyRootFilesystem: true -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: - - system:serviceaccount:spire-system:spire-spiffe-csi-driver -volumes: - - configmap - - hostPath - - secret -allowHostDirVolumePlugin: true -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: true -allowPrivilegedContainer: true -fsGroup: - type: RunAsAny -groups: [] ---- -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - name: spire-spiffe-oidc-discovery-provider -readOnlyRootFilesystem: true -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: - - system:serviceaccount:spire-server:spire-spiffe-oidc-discovery-provider - - system:serviceaccount:spire-server:spire-spiffe-oidc-discovery-provider-pre-delete -volumes: - - configMap - - csi - - downwardAPI - - emptyDir - - ephemeral - - hostPath - - projected - - secret -allowHostDirVolumePlugin: true -allowHostIPC: true -allowHostNetwork: true -allowHostPID: true -allowHostPorts: true -allowPrivilegeEscalation: true -allowPrivilegedContainer: true -fsGroup: - type: RunAsAny -groups: [] -seccompProfiles: - - '*' ---- -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - name: spire-agent -readOnlyRootFilesystem: true -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: - - 
system:serviceaccount:spire-system:spire-agent -volumes: - - configMap - - hostPath - - projected - - secret - - emptyDir -allowHostDirVolumePlugin: true -allowHostIPC: true -allowHostNetwork: true -allowHostPID: true -allowHostPorts: true -allowPrivilegeEscalation: true -allowPrivilegedContainer: true -fsGroup: - type: RunAsAny -groups: [] -{{- end }} diff --git a/helm-charts/0.27.3/charts/spire/templates/role-spire-bundle.yaml b/helm-charts/0.27.3/charts/spire/templates/role-spire-bundle.yaml deleted file mode 100644 index 8eccaf65..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/role-spire-bundle.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Role to be able to push certificate bundles to a configmap -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-bundle - namespace: {{ .Values.global.spire.namespace }} -rules: - - apiGroups: [""] - resources: [configmaps] - resourceNames: [spire-bundle] - verbs: - - get - - patch \ No newline at end of file diff --git a/helm-charts/0.27.3/charts/spire/templates/role-spire-controller-manager-leader-election.yaml b/helm-charts/0.27.3/charts/spire/templates/role-spire-controller-manager-leader-election.yaml deleted file mode 100644 index 71b6e60e..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/role-spire-controller-manager-leader-election.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: spire-controller-manager-leader-election - namespace: {{ .Values.global.spire.serverNamespace }} -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] diff --git a/helm-charts/0.27.3/charts/spire/templates/rolebinding-spire-bundle.yaml b/helm-charts/0.27.3/charts/spire/templates/rolebinding-spire-bundle.yaml deleted file mode 100644 index 01605e56..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/rolebinding-spire-bundle.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-bundle - namespace: {{ .Values.global.spire.namespace }} -subjects: - - kind: ServiceAccount - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} -roleRef: - kind: Role - name: spire-bundle - apiGroup: rbac.authorization.k8s.io 
diff --git a/helm-charts/0.27.3/charts/spire/templates/rolebinding-spire-controller-manager-leader-election.yaml b/helm-charts/0.27.3/charts/spire/templates/rolebinding-spire-controller-manager-leader-election.yaml deleted file mode 100644 index aa0de276..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/rolebinding-spire-controller-manager-leader-election.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: spire-controller-manager-leader-election - namespace: {{ .Values.global.spire.serverNamespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: spire-controller-manager-leader-election -subjects: - - kind: ServiceAccount - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} diff --git a/helm-charts/0.27.3/charts/spire/templates/service-spire-controller-manager-webhook.yaml b/helm-charts/0.27.3/charts/spire/templates/service-spire-controller-manager-webhook.yaml deleted file mode 100644 index abf54e68..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/service-spire-controller-manager-webhook.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: spire-controller-manager-webhook - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - name: https - port: 443 - targetPort: https - protocol: TCP - selector: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire diff --git a/helm-charts/0.27.3/charts/spire/templates/service-spire-server.yaml b/helm-charts/0.27.3/charts/spire/templates/service-spire-server.yaml deleted file mode 100644 index e56a2cfd..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/service-spire-server.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm -spec: - type: {{ .Values.spireServer.service.type }} - ports: - - name: grpc - port: 443 - targetPort: grpc - protocol: TCP - selector: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire 
diff --git a/helm-charts/0.27.3/charts/spire/templates/serviceaccount-spire-agent.yaml b/helm-charts/0.27.3/charts/spire/templates/serviceaccount-spire-agent.yaml deleted file mode 100644 index 840e5968..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/serviceaccount-spire-agent.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-agent - namespace: {{ .Values.global.spire.namespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: agent - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm -{{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- toYaml . | nindent 2 }} -{{- end }} diff --git a/helm-charts/0.27.3/charts/spire/templates/serviceaccount-spire-server.yaml b/helm-charts/0.27.3/charts/spire/templates/serviceaccount-spire-server.yaml deleted file mode 100644 index a69ee0fa..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/serviceaccount-spire-server.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm -{{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- toYaml . | nindent 2 }} -{{- end }} diff --git a/helm-charts/0.27.3/charts/spire/templates/serviceaccount-spire-spiffe-csi-driver.yaml b/helm-charts/0.27.3/charts/spire/templates/serviceaccount-spire-spiffe-csi-driver.yaml deleted file mode 100644 index 8b86f8d5..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/serviceaccount-spire-spiffe-csi-driver.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-spiffe-csi-driver - namespace: {{ .Values.global.spire.namespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: spiffe-csi-driver - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "0.2.3" - app.kubernetes.io/managed-by: Helm -{{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- toYaml . | nindent 2 }} -{{- end }} 
diff --git a/helm-charts/0.27.3/charts/spire/templates/statefulset-spire-server.yaml b/helm-charts/0.27.3/charts/spire/templates/statefulset-spire-server.yaml deleted file mode 100644 index f76dc0cf..00000000 --- a/helm-charts/0.27.3/charts/spire/templates/statefulset-spire-server.yaml +++ /dev/null 
@@ -1,197 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: server -spec: - replicas: 1 - serviceName: spire-server - selector: - matchLabels: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/component: server - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: spire-server - checksum/config: 83dddc7bb9f54b5059533228971826c0585045b7c4afb17635ede1e7ef6c1e35 - checksum/config2: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - checksum/config3: 9742ccbbd63b5da94e50bc34b73c946f254110b1f94fbc4ac437b3bba15cefe8 - checksum/configTornjak: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - labels: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/component: server - component: server - release: spire - release-namespace: {{ .Values.global.spire.serverNamespace }} - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . 
| nindent 8 }} -{{- end }} - - serviceAccountName: spire-server - shareProcessNamespace: true - securityContext: -{{- if .Values.global.enableOpenShift }} - fsGroupChangePolicy: OnRootMismatch -{{- else }} - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 -{{- end }} - - priorityClassName: system-cluster-critical - containers: - - name: spire-server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "{{ .Values.global.images.spireServer.repository }}:{{ .Values.global.images.spireServer.tag }}" - imagePullPolicy: {{ .Values.global.images.spireServer.pullPolicy }} - args: - - -expandEnv - - -config - - {{ .Values.spireServer.configDir }}/server.conf - env: - - name: PATH - value: "/opt/spire/bin:/bin" - ports: - - name: grpc - containerPort: 8081 - protocol: TCP - - containerPort: 8080 - name: healthz - - containerPort: 9988 - name: prom - livenessProbe: - httpGet: - path: /live - port: healthz - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: /ready - port: healthz - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - {} - volumeMounts: - - name: spire-server-socket - mountPath: {{ .Values.spireServer.privateSocketDir}} - readOnly: false - - name: spire-config - mountPath: {{ .Values.spireServer.configDir }} - readOnly: true - - name: spire-data - mountPath: {{ .Values.spireServer.dataDir }} - readOnly: false - - name: server-tmp - mountPath: /tmp - readOnly: false - - - name: spire-controller-manager - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "{{ .Values.global.images.spireControllerManager.repository }}:{{ .Values.global.images.spireControllerManager.tag }}" - 
imagePullPolicy: {{ .Values.global.images.spireControllerManager.pullPolicy }} - args: - - --config=controller-manager-config.yaml - env: - - name: ENABLE_WEBHOOKS - value: "true" - ports: - - name: https - containerPort: 9443 - protocol: TCP - - containerPort: 8083 - name: healthz - - containerPort: 8082 - name: prom-cm - livenessProbe: - httpGet: - path: /healthz - port: healthz - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - {} - volumeMounts: - - name: spire-server-socket - mountPath: {{ .Values.spireServer.privateSocketDir }} - readOnly: true - - name: controller-manager-config - mountPath: /controller-manager-config.yaml - subPath: controller-manager-config.yaml - readOnly: true - - name: spire-controller-manager-tmp - mountPath: /tmp - subPath: spire-controller-manager - readOnly: false - volumes: - - name: server-tmp - emptyDir: {} - - name: spire-config - configMap: - name: spire-server - - name: spire-server-socket - emptyDir: {} - - name: spire-controller-manager-tmp - emptyDir: {} - - name: controller-manager-config - configMap: - name: spire-controller-manager - {{- if .Values.data.persistent }} - # noinspection KubernetesUnknownKeys - volumeClaimTemplates: - - metadata: - name: spire-data - spec: - accessModes: - - {{ .Values.data.persistentVolumeClaim.accessMode | default "ReadWriteOnce" }} - resources: - requests: - storage: {{ .Values.data.persistentVolumeClaim.size }} - {{- if .Values.data.persistentVolumeClaim.storageClass }} - storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }} - {{- end }} - {{- end }} diff --git a/helm-charts/0.27.3/charts/spire/templates/validatingwebhookconfiguration-spire-server-spire-controller-manager-webhook.yaml b/helm-charts/0.27.3/charts/spire/templates/validatingwebhookconfiguration-spire-server-spire-controller-manager-webhook.yaml deleted file mode 100644 index e18947f6..00000000 
--- a/helm-charts/0.27.3/charts/spire/templates/validatingwebhookconfiguration-spire-server-spire-controller-manager-webhook.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: spire-server-spire-controller-manager-webhook -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook - namespace: {{ .Values.global.spire.serverNamespace }} - path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain - failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks - name: vclusterfederatedtrustdomain.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterfederatedtrustdomains"] - sideEffects: None - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook - namespace: {{ .Values.global.spire.serverNamespace }} - path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid - failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks - name: vclusterspiffeid.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterspiffeids"] - sideEffects: None diff --git a/helm-charts/0.27.3/charts/spire/values.yaml b/helm-charts/0.27.3/charts/spire/values.yaml deleted file mode 100644 index 20ddb6a0..00000000 --- a/helm-charts/0.27.3/charts/spire/values.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# -# Commented out for now, as scaling to multiple instances will not work until -# we use an external database. -# Check out the official documentation for more information: -# https://spiffe.io/docs/latest/setup/ -# -# replicaCount: 1 -# -# autoscaling: -# enabled: false -# minReplicas: 1 -# maxReplicas: 100 -# targetCPUUtilizationPercentage: 80 -# # targetMemoryUtilizationPercentage: 80 -# - -# -- Override it with an image pull secret that you need as follows: -# imagePullSecrets: -# - name: my-registry-secret -imagePullSecrets: [] - -# -- The name override of the chart. -nameOverride: "" -# -- The fullname override of the chart. -fullnameOverride: "" - -# -- Experimental settings. -experimental: - # -- eventsBasedCache is known to significantly improve SPIRE Server - # performance. It is set to `false` by default, just in case. - eventsBasedCache: false - -# -- SPIRE assigns a default Cluster SPIFFE ID to all workloads in the -# cluster. The SPIFFEID SPIRE assigns by default is not aligned with the -# SPIFFE ID format that VSecM Safe expects. Also, you might not want -# SPIRE to assign SPIFFE IDs to every single workload you have in your -# cluster if you are not using SPIRE to attest those workloads. Therefore, -# this option is set to false by default. -# -# If you set this to true, make sure you update `safeSpiffeIdTemplate` -# `sentinelSpiffeIdTemplate`, `keystoneSpiffeIdTemplate`, -# `workloadNameRegExp`, `workloadSpiffeIdPrefix`, `safeSpiffeIdPrefix`, -# `sentinelSpiffeIdPrefix` and other relevant configurations to match -# with what SPIRE assigns. -enableSpireMintedDefaultClusterSpiffeIds: false - -# -- SPIRE Agent settings. 
-spireAgent: - # -- The corresponding SPIRE Agent socket directory on the host. - # SPIRE Agents and SPIFFE CSI Driver shares this directory. - hostSocketDir: "/run/spire/agent-sockets" - # -- The SPIRE Agent socket name. - socketName: "spire-agent.sock" - - # -- The corresponding SPIRE Agent internal socket directory in the - # container. The configuration should match the SPIRE Agent configuration - # and SPIRE Agent DaemonSet. - internalPublicSocketDir: "/tmp/spire-agent/public" - - # -- The corresponding SPIRE Agent internal admin directory in the - # container. The configuration should match the SPIRE Agent configuration - # and SPIRE Agent DaemonSet. You are advised not to change this value. - internalAdminSocketDir: "/tmp/spire-agent/private" - -# -- SPIRE Server settings. -spireServer: - # -- The data directory for the SPIRE Server. - # SPIRE Server’s ConfigMap and StatefulSet should agree on this directory. - dataDir: "/run/spire/data" - # -- The private socket directory for the SPIRE Server. - # SPIRE Server’s ConfigMap and StatefulSet should agree on this directory. - privateSocketDir: "/tmp/spire-server/private" - - # -- The configuration directory for the SPIRE Server. - configDir: "/run/spire/config" - - # -- Service details for the SPIRE Server. - service: - # -- Service type. - # Possible values are: ClusterIP, NodePort, LoadBalancer. - # Defaults to `ClusterIP`. - type: ClusterIP - -# -- These are the default resources suitable for a moderate SPIRE usage. -# Of course, it's best to do your own benchmarks and update these -# requests and limits to your production needs accordingly. -# That being said, as a rule of thumb, do not limit the CPU request -# on SPIRE Agent and SPIRE server. It's best to let them leverage -# the available excess CPU, if available. -resources: - # -- SPIRE Server resource requests and limits. - server: - requests: - memory: "1Gi" - cpu: "100m" - # -- SPIRE Agent resource requests and limits. 
- agent: - requests: - memory: "512Mi" - cpu: "50m" - # -- SPIFFE CSI Driver resource requests and limits. - spiffeCsiDriver: - requests: - memory: "128Mi" - cpu: "50m" - -# -- Persistence settings for the SPIRE Server. -data: - # -- Persistence is enabled by default. However, you are recommended to - # provide your own storage class if you are using a cloud provider or - # a storage solution that supports dynamic provisioning. - persistent: true - # -- Define the PVC if `persistent` is true. - persistentVolumeClaim: - storageClass: "" - accessMode: ReadWriteOnce - size: 1Gi diff --git a/helm-charts/0.27.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/helm-charts/0.27.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml deleted file mode 100644 index 658617dd..00000000 --- a/helm-charts/0.27.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -# Source: spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - helm.sh/resource-policy: keep - creationTimestamp: null - name: clusterfederatedtrustdomains.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterFederatedTrustDomain - listKind: ClusterFederatedTrustDomainList - plural: clusterfederatedtrustdomains - singular: clusterfederatedtrustdomain - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.trustDomain - name: Trust Domain - type: string - - jsonPath: .spec.bundleEndpointURL - name: Endpoint URL - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterFederatedTrustDomainSpec defines the desired state - of ClusterFederatedTrustDomain - properties: - bundleEndpointProfile: - description: BundleEndpointProfile is the profile for the bundle endpoint. - properties: - endpointSPIFFEID: - description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. 
- It is required for the "https_spiffe" profile. - type: string - type: - description: Type is the type of the bundle endpoint profile. - enum: - - https_spiffe - - https_web - type: string - required: - - type - type: object - bundleEndpointURL: - description: BundleEndpointURL is the URL of the bundle endpoint. - It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). - type: string - className: - description: Set the class of controller to handle this object. - type: string - trustDomain: - description: TrustDomain is the name of the trust domain to federate - with (e.g. example.org) - pattern: '[a-z0-9._-]{1,255}' - type: string - trustDomainBundle: - description: TrustDomainBundle is the contents of the bundle for the - referenced trust domain. This field is optional when the resource - is created. - type: string - required: - - bundleEndpointProfile - - bundleEndpointURL - - trustDomain - type: object - status: - description: ClusterFederatedTrustDomainStatus defines the observed state - of ClusterFederatedTrustDomain - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/helm-charts/0.27.3/crds/spire.spiffe.io_clusterspiffeids.yaml b/helm-charts/0.27.3/crds/spire.spiffe.io_clusterspiffeids.yaml deleted file mode 100644 index 597b2b08..00000000 --- a/helm-charts/0.27.3/crds/spire.spiffe.io_clusterspiffeids.yaml +++ /dev/null 
@@ -1,239 +0,0 @@ -# Source: spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - helm.sh/resource-policy: keep - creationTimestamp: null - name: clusterspiffeids.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterSPIFFEID - listKind: ClusterSPIFFEIDList - plural: clusterspiffeids - singular: clusterspiffeid - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSPIFFEID is the Schema for the clusterspiffeids API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID - properties: - admin: - description: Admin indicates whether or not the SVID can be used to - access the SPIRE administrative APIs. Extra care should be taken - to only apply this SPIFFE ID to admin workloads. - type: boolean - autoPopulateDNSNames: - description: AutoPopulateDNSNames indicates whether or not to auto - populate service DNS names. - type: boolean - dnsNameTemplates: - description: DNSNameTemplate represents templates for extra DNS names - that are applicable to SVIDs minted for this ClusterSPIFFEID. 
The - node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. - items: - type: string - type: array - downstream: - description: Downstream indicates that the entry describes a downstream - SPIRE server. - type: boolean - className: - description: Set the class of controller to handle this object. - type: string - federatesWith: - description: FederatesWith is a list of trust domain names that workloads - that obtain this SPIFFE ID will federate with. - items: - type: string - type: array - jwtTtl: - description: JWTTTL indicates an upper-bound time-to-live for JWT - SVIDs minted for this ClusterSPIFFEID. - type: string - namespaceSelector: - description: NamespaceSelector selects the namespaces that are targeted - by this CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. 
A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: PodSelector selects the pods that are targeted by this - CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - spiffeIDTemplate: - description: SPIFFEID is the SPIFFE ID template. The node and pod - spec are made available to the template under .NodeSpec, .PodSpec - respectively. - type: string - ttl: - description: TTL indicates an upper-bound time-to-live for X509 SVIDs - minted for this ClusterSPIFFEID. 
If unset, a default will be chosen. - type: string - workloadSelectorTemplates: - description: WorkloadSelectorTemplates are templates to produce arbitrary - workload selectors that apply to a given workload before it will - receive this SPIFFE ID. The rendered value is interpreted by SPIRE - and are of the form type:value, where the value may, and often does, - contain semicolons, .e.g., k8s:container-image:docker/hello-world - The node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. - items: - type: string - type: array - required: - - spiffeIDTemplate - type: object - status: - description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID - properties: - stats: - description: Stats produced by the last entry reconciliation run - properties: - entriesMasked: - description: How many entries were masked by entries for other - ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs - produce an entry for the same pod with the same set of workload - selectors. - type: integer - entriesToSet: - description: How many entries are to be set for this ClusterSPIFFEID. - In nominal conditions, this should reflect the number of pods - selected, but not always if there were problems encountered - rendering an entry for the pod (RenderFailures) or entries are - masked (EntriesMasked). - type: integer - entryFailures: - description: How many entries were unable to be set due to failures - to create or update the entries via the SPIRE Server API. - type: integer - namespacesIgnored: - description: How many (selected) namespaces were ignored (based - on configuration). - type: integer - namespacesSelected: - description: How many namespaces were selected. - type: integer - podEntryRenderFailures: - description: How many failures were encountered rendering an entry - selected pods. 
This could be due to either a bad template in - the ClusterSPIFFEID or Pod metadata that when applied to the - template did not produce valid entry values. - type: integer - podsSelected: - description: How many pods were selected out of the namespaces. - type: integer - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] \ No newline at end of file diff --git a/helm-charts/0.27.3/crds/spire.spiffe.io_clusterstaticentries.yaml b/helm-charts/0.27.3/crds/spire.spiffe.io_clusterstaticentries.yaml deleted file mode 100644 index c19df220..00000000 --- a/helm-charts/0.27.3/crds/spire.spiffe.io_clusterstaticentries.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ -# Source: spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - helm.sh/resource-policy: keep - creationTimestamp: null - name: clusterstaticentries.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterStaticEntry - listKind: ClusterStaticEntryList - plural: clusterstaticentries - singular: clusterstaticentry - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterStaticEntry is the Schema for the clusterstaticentries - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry - properties: - admin: - type: boolean - className: - description: Set the class of controller to handle this object. 
- type: string - dnsNames: - items: - type: string - type: array - downstream: - type: boolean - federatesWith: - items: - type: string - type: array - hint: - type: string - jwtSVIDTTL: - type: string - parentID: - type: string - selectors: - items: - type: string - type: array - spiffeID: - type: string - storeSVID: - type: boolean - x509SVIDTTL: - type: string - required: - - parentID - - selectors - - spiffeID - type: object - status: - description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry - properties: - masked: - description: If the static entry was masked by another entry. - type: boolean - rendered: - description: If the static entry rendered properly. - type: boolean - set: - description: If the static entry was successfully created/updated. - type: boolean - required: - - masked - - rendered - - set - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] \ No newline at end of file diff --git a/helm-charts/0.27.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml b/helm-charts/0.27.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml deleted file mode 100644 index 538ac974..00000000 --- a/helm-charts/0.27.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml +++ /dev/null 
@@ -1,68 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.8.0
- creationTimestamp: null
- name: controllermanagerconfigs.spire.spiffe.io
-spec:
- group: spire.spiffe.io
- names:
- kind: ControllerManagerConfig
- listKind: ControllerManagerConfigList
- plural: controllermanagerconfigs
- singular: controllermanagerconfig
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ControllerManagerConfig is the Schema for the controllermanagerconfigs
- API
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: ControllerManagerConfigSpec defines the desired state of
- ControllerManagerConfig
- properties:
- foo:
- description: Foo is an example field of ControllerManagerConfig. Edit
- controllermanagerconfig_types.go to deletion/update
- type: string
- type: object
- status:
- description: ControllerManagerConfigStatus defines the observed state
- of ControllerManagerConfig
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff --git a/helm-charts/0.27.3/values-custom.yaml b/helm-charts/0.27.3/values-custom.yaml
deleted file mode 100644
index cf461a0a..00000000
--- a/helm-charts/0.27.3/values-custom.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-# This is a custom values file for VMware Secrets Manager to work with
-# Istio-style SPIFFE IDs
-# (i.e., `spiffe:///ns//sa/`).
-#
-# In addition to that, this values file also deploys SPIRE components to
-# `spire-system-custom` and `spire-server-custom namespaces` (the defaults for
-# those namespaces are `spire-system` and `spire-server` respectively).
-# You can replace them with your own preferred namespaces.
-#
-# The chart also deploys VSecM components to `vsecm-system-custom` namespace
-# (the default for that namespace is `vsecm-system`). You can replace it
-# with your own preferred namespace.
-#
-# Finally, we replace the trust domain from the default `vsecm.com` to
-# `aegis.ist`. You can replace this with your own trust domain too.
-#
-# To generate manifests based on this values file:
-#
-# 1. Define the following environment variables:
-# VSECM_NAMESPACE_SYSTEM ?= "vsecm-system-custom"
-# VSECM_NAMESPACE_SPIRE ?= "spire-system-custom"
-# VSECM_NAMESPACE_SPIRE_SERVER ?= "spire-server-custom"
-#
-# 2. $un the following command at the root of the project:
-# ./hack/create-custom-manifest.sh
-# Note that this action will override the existing values.yaml at the root
-# of the ./helm-charts/$version/ directory.
-
-global:
- deploySpire: true
- deployKeystone: true
- deploySentinel: true
- baseImage: distroless
- registry: vsecm
- images:
- keystone:
- distrolessRepository: vsecm-ist-keystone
- distrolessFipsRepository: vsecm-ist-fips-keystone
- tag: 0.27.3
- pullPolicy: IfNotPresent
- safe:
- distrolessRepository: vsecm-ist-safe
- distrolessFipsRepository: vsecm-ist-fips-safe
- tag: 0.27.3
- pullPolicy: IfNotPresent
- sentinel:
- distrolessRepository: vsecm-ist-sentinel
- distrolessFipsRepository: vsecm-ist-fips-sentinel
- tag: 0.27.3
- pullPolicy: IfNotPresent
- initContainer:
- repository: vsecm-ist-init-container
- tag: 0.27.3
- spireAgent:
- repository: ghcr.io/spiffe/spire-agent
- tag: 1.9.4
- pullPolicy: IfNotPresent
- spiffeCsiDriver:
- repository: ghcr.io/spiffe/spiffe-csi-driver
- tag: 0.2.6
- pullPolicy: IfNotPresent
- nodeDriverRegistrar:
- repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
- tag: v2.10.0
- pullPolicy: IfNotPresent
- spireServer:
- repository: ghcr.io/spiffe/spire-server
- tag: 1.9.4
- pullPolicy: IfNotPresent
- spireControllerManager:
- repository: ghcr.io/spiffe/spire-controller-manager
- tag: 0.5.0
- pullPolicy: IfNotPresent
- vsecm:
- namespace: vsecm-system-custom
- safeEndpointUrl: "https://vsecm-safe.vsecm-system-custom.svc.cluster.local:8443/"
- safeSpiffeIdPrefix: "^spiffe://aegis.ist/ns/vsecm-system-custom/sa/vsecm-safe$"
- sentinelSpiffeIdPrefix: "^spiffe://aegis.ist/ns/vsecm-system-custom/sa/vsecm-sentinel$"
- workloadSpiffeIdPrefix: "^spiffe://aegis.ist/ns/[^/]+/sa/[^/]+$"
- workloadNameRegExp: "^spiffe://aegis.ist/ns/[^/]+/sa/([^/]+)$"
- safeSpiffeIdTemplate: "spiffe://aegis.ist/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
- sentinelSpiffeIdTemplate: "spiffe://aegis.ist/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
- keystoneSpiffeIdTemplate: "spiffe://aegis.ist/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
- spire:
- trustDomain: "aegis.ist"
- namespace: spire-system-custom
- serverNamespace: spire-server-custom
- serverAddress: "spire-server.spire-server-custom.svc.cluster.local"
- logLevel: DEBUG
- serverPort: 8081
diff --git a/helm-charts/0.27.3/values.yaml b/helm-charts/0.27.3/values.yaml
deleted file mode 100644
index 9b1fac07..00000000
--- a/helm-charts/0.27.3/values.yaml
+++ /dev/null
@@ -1,208 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-global:
- # -- Set it to true to enable kapp annotations. This is useful when you are
- # using kapp to deploy the VSecM components. (ref: https://carvel.dev/kapp/)
- enableKAppAnnotations: false
-
- # -- Set it to true to enable the pre-installation of the VSecM namespaces.
- # If set to false, the VSecM namespaces will not be pre-installed; you will
- # need to create a `vsecm-system` namespace manually.
- preInstallVSecMNamespaces: true
-
- # -- Set it to true to enable the pre-installation of the SPIRE namespaces.
- # If set to false, the SPIRE namespaces will not be pre-installed; you will
- # need to create `spire-system` and `spire-server` namespaces manually.
- preInstallSpireNamespaces: true
-
- # -- Set it to true for OpenShift deployments. This will add necessary
- # annotations to the SPIRE components to make them work on OpenShift.
- enableOpenShift: false
-
- # -- Deploy SPIRE components. If set to false, SPIRE components will not be
- # deployed. This is useful when SPIRE is already deployed in the cluster.
- deploySpire: true
-
- # -- Deploy the Keystone VSecM component. VSecM Keystone is a lightweight
- # Pod that is initialized only after VSecM Sentinel completes it
- # `initCommand` initialization sequence.
- deployKeystone: true
- # -- Deploy VSecM Sentinel. VSecM Sentinel is the only admin interface where
- # you can register secrets. For best security, you might want to disable
- # the initial deployment of it. This way, you can deploy VSecM Sentinel
- # off-cycle later when you need it.
- deploySentinel: true
-
- # -- Possible options for baseImage (distroless, distroless-fips). When in
- # doubt, stick with distroless.
- baseImage: distroless
- # -- Registry url. Defaults to "vsecm", which points to the public vsecm
- # DockerHub registry: .
- registry: vsecm
-
- # -- Where to find the dependent images of VSecM.
- # Normally, you would not need to modify this.
- images:
- # - Container registry details for VSecM Keystone.
- keystone:
- distrolessRepository: vsecm-ist-keystone
- distrolessFipsRepository: vsecm-ist-fips-keystone
- tag: 0.27.3
- pullPolicy: IfNotPresent
- # - Container registry details for VSecM Safe.
- safe:
- distrolessRepository: vsecm-ist-safe
- distrolessFipsRepository: vsecm-ist-fips-safe
- tag: 0.27.3
- pullPolicy: IfNotPresent
- # - Container registry details for VSecM Sentinel.
- sentinel:
- distrolessRepository: vsecm-ist-sentinel
- distrolessFipsRepository: vsecm-ist-fips-sentinel
- tag: 0.27.3
- pullPolicy: IfNotPresent
- # - Container registry details of VSecM Init Container.
- initContainer:
- repository: vsecm-ist-init-container
- tag: 0.27.3
-
- # -- Container registry details of SPIRE Agent.
- spireAgent:
- repository: ghcr.io/spiffe/spire-agent
- tag: 1.9.6
- pullPolicy: IfNotPresent
- # -- Container registry details of SPIFFE CSI Driver.
- spiffeCsiDriver:
- repository: ghcr.io/spiffe/spiffe-csi-driver
- tag: 0.2.6
- pullPolicy: IfNotPresent
- # -- Container registry details of SPIFFE CSI Node Driver Registrar.
- nodeDriverRegistrar:
- repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
- tag: v2.10.0
- pullPolicy: IfNotPresent
- # -- Container registry details of SPIRE Server.
- spireServer:
- repository: ghcr.io/spiffe/spire-server
- tag: 1.9.6
- pullPolicy: IfNotPresent
- # -- Container registry details of SPIRE Controller Manager.
- spireControllerManager:
- repository: ghcr.io/spiffe/spire-controller-manager
- tag: 0.5.0
- pullPolicy: IfNotPresent
-
- spireHelperBash:
- repository: cgr.dev/chainguard/bash
- tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d
- pullPolicy: IfNotPresent
-
- spireHelperKubectl:
- repository: docker.io/rancher/kubectl
- tag: v1.28.0
- pullPolicy: IfNotPresent
-
- openShiftHelperUbi9:
- repository: registry.access.redhat.com/ubi9
- tag: latest
- pullPolicy: IfNotPresent
-
- # - VSecM-related global configuration.
- vsecm:
- # - This is where all VSecM components will be deployed.
- namespace: vsecm-system
-
- # - The endpoint URL of the VSecM Safe Service
- # should match https://..svc.cluster.local:
- # unless you have a custom setup.
- safeEndpointUrl: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/"
-
- # - The SPIFFE ID prefix that is used to verify the authenticity of a
- # request coming from VSecM Safe. You can also use regular expression
- # matchers. Check out the official documentation at https://vsecm.com
- # for details.
- safeSpiffeIdPrefix: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$"
- # - The SPIFFE ID prefix that is used to verify the authenticity of a
- # request coming from VSecM Sentinel. You can also use regular expression
- # matchers. Check out the official documentation at https://vsecm.com
- # for details.
- sentinelSpiffeIdPrefix: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$"
- # - The SPIFFE ID prefix that is used to verify the authenticity of a
- # request coming from a Workload. If the SPIFFE ID of the workload does not
- # match this pattern, then VSecM Safe will reject the workload's request.
- # You can also use regular expression # matchers. Check out the official
- # documentation at https://vsecm.com for details.
- workloadSpiffeIdPrefix: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$"
- # - The regular expression pattern that VSecM Safe will use to match workloads,
- # VSecM Safe, VSecM Sentinel, and VSecM Keystone. The first capture group
- # must exist and should match the workload's name. The rest of the capture
- # groups will be ignored.
- workloadNameRegExp: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$"
-
- # - The SPIFFE ID template that VSecM Safe's ClusterSPIFFEID will use.
- safeSpiffeIdTemplate: "spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"
- # - The SPIFFE ID template that VSecM Sentinel's ClusterSPIFFEID will use.
- sentinelSpiffeIdTemplate: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"
- # - The SPIFFE ID template that VSecM Keystone's ClusterSPIFFEID will use.
- keystoneSpiffeIdTemplate: "spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"
-
- # -- SPIRE-related global configuration.
- spire:
-
- # -- This is the className that ClusterSPIFFEIDs will use to
- # be able to register their SPIFFE IDs with the SPIRE Server.
- controllerManagerClassName: "vsecm"
-
- # -- Enable federation. If set to true, SPIRE Server will be configured
- # to federate with other SPIRE Servers. This is useful when you have
- # multiple clusters, and you want to establish trust between them.
- federationEnabled: false
- # -- The trust domain is the root of the SPIFFE ID hierarchy. It is used to
- # identify the trust domain of a workload. If you use anything other than
- # the default `vsecm.com`, you must also update the relevant environment
- # variables that does SPIFFE ID validation.
- #
- # To prevent accidental collisions (two trust domains select identical names),
- # operators are advised to select trust domain names which are highly likely
- # to be globally unique. Even though a trust domain name is not a DNS name,
- # using a registered domain name as a suffix of a trust domain name, when
- # available, will reduce chances of an accidental collision; for example,
- # if a trust domain operator owns the domain name `example.com`,
- # then using a trust domain name such as `apps.example.com` would likely
- # not produce a collision. When trust domain names are automatically generated
- # without operator input, randomly generating a unique name (such as a UUID)
- # is strongly advised.
- #
- # All SPIFFE IDs shall be prefixed with `spiffe://` unless
- # you have an advanced custom setup.
- trustDomain: "vsecm.com"
- # -- The SPIRE CA common name.
- caCommonName: "vsecm.com"
- # -- The SPIRE CA country.
- caCountry: "US"
- # -- The SPIRE CA organization.
- caOrganization: "vsecm.com"
- # -- This is the namespace where the SPIRE components will be deployed.
- namespace: spire-system
- # -- It is best to keep the SPIRE server namespace separate from other
- # SPIRE components for an added layer of security.
- serverNamespace: spire-server
- # -- The SPIRE Server address. This is the address where the SPIRE Server
- # that the agents will connect to.
- # This address is in the form of ..svc.cluster.local
- # unless you have a custom setup.
- serverAddress: "spire-server.spire-server.svc.cluster.local"
- # -- The log level of the SPIRE components. This is useful for debugging.
- logLevel: DEBUG
- # -- The SPIRE Server port. This is the port where the SPIRE Server will
- # listen for incoming connections.
- # This is the port of the SPIRE server k8s Service.
- serverPort: 443
diff --git a/helm-charts/0.27.4/README.md b/helm-charts/0.27.4/README.md
index 35274e36..5ac16b97 100644
--- a/helm-charts/0.27.4/README.md
+++ b/helm-charts/0.27.4/README.md 
@@ -112,7 +112,7 @@ The sections below are autogenerated from chart source code:
 | global.deploySpire | bool | `true` | Deploy SPIRE components. If set to false, SPIRE components will not be deployed. This is useful when SPIRE is already deployed in the cluster. |
 | global.enableKAppAnnotations | bool | `false` | Set it to true to enable kapp annotations. This is useful when you are using kapp to deploy the VSecM components. (ref: https://carvel.dev/kapp/) |
 | global.enableOpenShift | bool | `false` | Set it to true for OpenShift deployments. This will add necessary annotations to the SPIRE components to make them work on OpenShift. |
-| global.images | object | `{"initContainer":{"repository":"vsecm-ist-init-container","tag":"0.27.3"},"keystone":{"distrolessFipsRepository":"vsecm-ist-fips-keystone","distrolessRepository":"vsecm-ist-keystone","pullPolicy":"IfNotPresent","tag":"0.27.3"},"nodeDriverRegistrar":{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"},"openShiftHelperUbi9":{"pullPolicy":"IfNotPresent","repository":"registry.access.redhat.com/ubi9","tag":"latest"},"safe":{"distrolessFipsRepository":"vsecm-ist-fips-safe","distrolessRepository":"vsecm-ist-safe","pullPolicy":"IfNotPresent","tag":"0.27.3"},"sentinel":{"distrolessFipsRepository":"vsecm-ist-fips-sentinel","distrolessRepository":"vsecm-ist-sentinel","pullPolicy":"IfNotPresent","tag":"0.27.3"},"spiffeCsiDriver":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"},"spireAgent":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6"},"spireControllerManager":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"},"spireHelperBash":{"pullPolicy":"IfNotPresent","repository":"cgr.dev/chainguard/bash","tag":"latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d"},"spireHelperKubectl":{"pullPolicy":"IfNotPresent","repository":"docker.io/rancher/kubectl","tag":"v1.28.0"},"spireServer":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6"}}` | Where to find the dependent images of VSecM. Normally, you would not need to modify this. |
+| global.images | object | `{"initContainer":{"repository":"vsecm-ist-init-container","tag":"0.27.4"},"keystone":{"distrolessFipsRepository":"vsecm-ist-fips-keystone","distrolessRepository":"vsecm-ist-keystone","pullPolicy":"IfNotPresent","tag":"0.27.4"},"nodeDriverRegistrar":{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"},"openShiftHelperUbi9":{"pullPolicy":"IfNotPresent","repository":"registry.access.redhat.com/ubi9","tag":"latest"},"safe":{"distrolessFipsRepository":"vsecm-ist-fips-safe","distrolessRepository":"vsecm-ist-safe","pullPolicy":"IfNotPresent","tag":"0.27.4"},"sentinel":{"distrolessFipsRepository":"vsecm-ist-fips-sentinel","distrolessRepository":"vsecm-ist-sentinel","pullPolicy":"IfNotPresent","tag":"0.27.4"},"spiffeCsiDriver":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"},"spireAgent":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6"},"spireControllerManager":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"},"spireHelperBash":{"pullPolicy":"IfNotPresent","repository":"cgr.dev/chainguard/bash","tag":"latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d"},"spireHelperKubectl":{"pullPolicy":"IfNotPresent","repository":"docker.io/rancher/kubectl","tag":"v1.28.0"},"spireServer":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6"}}` | Where to find the dependent images of VSecM. Normally, you would not need to modify this. |
 | global.images.nodeDriverRegistrar | object | `{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"}` | Container registry details of SPIFFE CSI Node Driver Registrar. |
 | global.images.spiffeCsiDriver | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"}` | Container registry details of SPIFFE CSI Driver. |
 | global.images.spireAgent | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6"}` | Container registry details of SPIRE Agent. |
diff --git a/helm-charts/0.27.4/charts/keystone/Chart.yaml b/helm-charts/0.27.4/charts/keystone/Chart.yaml
index 7ac5bc0a..6b3831c6 100644
--- a/helm-charts/0.27.4/charts/keystone/Chart.yaml
+++ b/helm-charts/0.27.4/charts/keystone/Chart.yaml
@@ -25,10 +25,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.27.3
+version: 0.27.4
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.27.3"
+appVersion: "0.27.4"
diff --git a/helm-charts/0.27.4/charts/keystone/README.md b/helm-charts/0.27.4/charts/keystone/README.md
index cd4eb4b4..d175822f 100644
--- a/helm-charts/0.27.4/charts/keystone/README.md
+++ b/helm-charts/0.27.4/charts/keystone/README.md
@@ -1,6 +1,6 @@
 # keystone
-![Version: 0.27.3](https://img.shields.io/badge/Version-0.27.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.3](https://img.shields.io/badge/AppVersion-0.27.3-informational?style=flat-square)
+![Version: 0.27.4](https://img.shields.io/badge/Version-0.27.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.4](https://img.shields.io/badge/AppVersion-0.27.4-informational?style=flat-square)
 Helm chart for keystone
diff --git a/helm-charts/0.27.4/values-custom.yaml b/helm-charts/0.27.4/values-custom.yaml
index cf461a0a..cd390e2c 100644
--- a/helm-charts/0.27.4/values-custom.yaml
+++ b/helm-charts/0.27.4/values-custom.yaml
@@ -46,21 +46,21 @@ global:
 keystone:
 distrolessRepository: vsecm-ist-keystone
 distrolessFipsRepository: vsecm-ist-fips-keystone
- tag: 0.27.3
+ tag: 0.27.4
 pullPolicy: IfNotPresent
 safe:
 distrolessRepository: vsecm-ist-safe
 distrolessFipsRepository: vsecm-ist-fips-safe
- tag: 0.27.3
+ tag: 0.27.4
 pullPolicy: IfNotPresent
 sentinel:
 distrolessRepository: vsecm-ist-sentinel
 distrolessFipsRepository: vsecm-ist-fips-sentinel
- tag: 0.27.3
+ tag: 0.27.4
 pullPolicy: IfNotPresent
 initContainer:
 repository: vsecm-ist-init-container
- tag: 0.27.3
+ tag: 0.27.4
 spireAgent:
 repository: ghcr.io/spiffe/spire-agent
 tag: 1.9.4
diff --git a/helm-charts/0.27.4/values.yaml b/helm-charts/0.27.4/values.yaml
index 9b1fac07..46826a7d 100644
--- a/helm-charts/0.27.4/values.yaml
+++ b/helm-charts/0.27.4/values.yaml
@@ -55,24 +55,24 @@ global:
 keystone:
 distrolessRepository: vsecm-ist-keystone
 distrolessFipsRepository: vsecm-ist-fips-keystone
- tag: 0.27.3
+ tag: 0.27.4
 pullPolicy: IfNotPresent
 # - Container registry details for VSecM Safe.
 safe:
 distrolessRepository: vsecm-ist-safe
 distrolessFipsRepository: vsecm-ist-fips-safe
- tag: 0.27.3
+ tag: 0.27.4
 pullPolicy: IfNotPresent
 # - Container registry details for VSecM Sentinel.
 sentinel:
 distrolessRepository: vsecm-ist-sentinel
 distrolessFipsRepository: vsecm-ist-fips-sentinel
- tag: 0.27.3
+ tag: 0.27.4
 pullPolicy: IfNotPresent
 # - Container registry details of VSecM Init Container.
 initContainer:
 repository: vsecm-ist-init-container
- tag: 0.27.3
+ tag: 0.27.4
 # -- Container registry details of SPIRE Agent.
 spireAgent:
diff --git a/k8s/0.27.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/k8s/0.27.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml
deleted file mode 100644
index 658617dd..00000000
--- a/k8s/0.27.3/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-# Source: spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.11.1
- helm.sh/resource-policy: keep
- creationTimestamp: null
- name: clusterfederatedtrustdomains.spire.spiffe.io
-spec:
- group: spire.spiffe.io
- names:
- kind: ClusterFederatedTrustDomain
- listKind: ClusterFederatedTrustDomainList
- plural: clusterfederatedtrustdomains
- singular: clusterfederatedtrustdomain
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - jsonPath: .spec.trustDomain
- name: Trust Domain
- type: string
- - jsonPath: .spec.bundleEndpointURL
- name: Endpoint URL
- type: string
- name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains
- API
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: ClusterFederatedTrustDomainSpec defines the desired state
- of ClusterFederatedTrustDomain
- properties:
- bundleEndpointProfile:
- description: BundleEndpointProfile is the profile for the bundle endpoint.
- properties:
- endpointSPIFFEID:
- description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint.
- It is required for the "https_spiffe" profile.
- type: string
- type:
- description: Type is the type of the bundle endpoint profile.
- enum:
- - https_spiffe
- - https_web
- type: string
- required:
- - type
- type: object
- bundleEndpointURL:
- description: BundleEndpointURL is the URL of the bundle endpoint.
- It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
- type: string
- className:
- description: Set the class of controller to handle this object.
- type: string
- trustDomain:
- description: TrustDomain is the name of the trust domain to federate
- with (e.g. example.org)
- pattern: '[a-z0-9._-]{1,255}'
- type: string
- trustDomainBundle:
- description: TrustDomainBundle is the contents of the bundle for the
- referenced trust domain. This field is optional when the resource
- is created.
- type: string
- required:
- - bundleEndpointProfile
- - bundleEndpointURL
- - trustDomain
- type: object
- status:
- description: ClusterFederatedTrustDomainStatus defines the observed state
- of ClusterFederatedTrustDomain
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff --git a/k8s/0.27.3/crds/spire.spiffe.io_clusterspiffeids.yaml b/k8s/0.27.3/crds/spire.spiffe.io_clusterspiffeids.yaml
deleted file mode 100644
index 597b2b08..00000000
--- a/k8s/0.27.3/crds/spire.spiffe.io_clusterspiffeids.yaml
+++ /dev/null
@@ -1,239 +0,0 @@
-# Source: spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.11.1
- helm.sh/resource-policy: keep
- creationTimestamp: null
- name: clusterspiffeids.spire.spiffe.io
-spec:
- group: spire.spiffe.io
- names:
- kind: ClusterSPIFFEID
- listKind: ClusterSPIFFEIDList
- plural: clusterspiffeids
- singular: clusterspiffeid
- scope: Cluster
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
- properties:
- admin:
- description: Admin indicates whether or not the SVID can be used to
- access the SPIRE administrative APIs. Extra care should be taken
- to only apply this SPIFFE ID to admin workloads.
- type: boolean
- autoPopulateDNSNames:
- description: AutoPopulateDNSNames indicates whether or not to auto
- populate service DNS names.
- type: boolean
- dnsNameTemplates:
- description: DNSNameTemplate represents templates for extra DNS names
- that are applicable to SVIDs minted for this ClusterSPIFFEID. The
- node and pod spec are made available to the template under .NodeSpec,
- .PodSpec respectively.
- items:
- type: string
- type: array
- downstream:
- description: Downstream indicates that the entry describes a downstream
- SPIRE server.
- type: boolean
- className:
- description: Set the class of controller to handle this object.
- type: string
- federatesWith:
- description: FederatesWith is a list of trust domain names that workloads
- that obtain this SPIFFE ID will federate with.
- items:
- type: string
- type: array
- jwtTtl:
- description: JWTTTL indicates an upper-bound time-to-live for JWT
- SVIDs minted for this ClusterSPIFFEID.
- type: string
- namespaceSelector:
- description: NamespaceSelector selects the namespaces that are targeted
- by this CRD.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: A label selector requirement is a selector that
- contains values, a key, and an operator that relates the key
- and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: operator represents a key's relationship to
- a set of values. Valid operators are In, NotIn, Exists
- and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the
- operator is In or NotIn, the values array must be non-empty.
- If the operator is Exists or DoesNotExist, the values
- array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value} pairs. A single
- {key,value} in the matchLabels map is equivalent to an element
- of matchExpressions, whose key field is "key", the operator
- is "In", and the values array contains only "value". The requirements
- are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- podSelector:
- description: PodSelector selects the pods that are targeted by this
- CRD.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: A label selector requirement is a selector that
- contains values, a key, and an operator that relates the key
- and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: operator represents a key's relationship to
- a set of values. Valid operators are In, NotIn, Exists
- and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the
- operator is In or NotIn, the values array must be non-empty.
- If the operator is Exists or DoesNotExist, the values
- array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value} pairs. A single
- {key,value} in the matchLabels map is equivalent to an element
- of matchExpressions, whose key field is "key", the operator
- is "In", and the values array contains only "value". The requirements
- are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- spiffeIDTemplate:
- description: SPIFFEID is the SPIFFE ID template. The node and pod
- spec are made available to the template under .NodeSpec, .PodSpec
- respectively.
- type: string
- ttl:
- description: TTL indicates an upper-bound time-to-live for X509 SVIDs
- minted for this ClusterSPIFFEID. If unset, a default will be chosen.
- type: string
- workloadSelectorTemplates:
- description: WorkloadSelectorTemplates are templates to produce arbitrary
- workload selectors that apply to a given workload before it will
- receive this SPIFFE ID. The rendered value is interpreted by SPIRE
- and are of the form type:value, where the value may, and often does,
- contain semicolons, .e.g., k8s:container-image:docker/hello-world
- The node and pod spec are made available to the template under .NodeSpec,
- .PodSpec respectively.
- items:
- type: string
- type: array
- required:
- - spiffeIDTemplate
- type: object
- status:
- description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID
- properties:
- stats:
- description: Stats produced by the last entry reconciliation run
- properties:
- entriesMasked:
- description: How many entries were masked by entries for other
- ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
- produce an entry for the same pod with the same set of workload
- selectors.
- type: integer
- entriesToSet:
- description: How many entries are to be set for this ClusterSPIFFEID.
- In nominal conditions, this should reflect the number of pods
- selected, but not always if there were problems encountered
- rendering an entry for the pod (RenderFailures) or entries are
- masked (EntriesMasked).
- type: integer
- entryFailures:
- description: How many entries were unable to be set due to failures
- to create or update the entries via the SPIRE Server API.
- type: integer
- namespacesIgnored:
- description: How many (selected) namespaces were ignored (based
- on configuration).
- type: integer
- namespacesSelected:
- description: How many namespaces were selected.
- type: integer
- podEntryRenderFailures:
- description: How many failures were encountered rendering an entry
- selected pods. This could be due to either a bad template in
- the ClusterSPIFFEID or Pod metadata that when applied to the
- template did not produce valid entry values.
- type: integer
- podsSelected:
- description: How many pods were selected out of the namespaces.
- type: integer
- type: object
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
\ No newline at end of file
diff --git a/k8s/0.27.3/crds/spire.spiffe.io_clusterstaticentries.yaml b/k8s/0.27.3/crds/spire.spiffe.io_clusterstaticentries.yaml
deleted file mode 100644
index c19df220..00000000
--- a/k8s/0.27.3/crds/spire.spiffe.io_clusterstaticentries.yaml
+++ /dev/null
@@ -1,103 +0,0 @@ -# Source: spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - helm.sh/resource-policy: keep - creationTimestamp: null - name: clusterstaticentries.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterStaticEntry - listKind: ClusterStaticEntryList - plural: clusterstaticentries - singular: clusterstaticentry - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterStaticEntry is the Schema for the clusterstaticentries - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry - properties: - admin: - type: boolean - className: - description: Set the class of controller to handle this object. 
- type: string - dnsNames: - items: - type: string - type: array - downstream: - type: boolean - federatesWith: - items: - type: string - type: array - hint: - type: string - jwtSVIDTTL: - type: string - parentID: - type: string - selectors: - items: - type: string - type: array - spiffeID: - type: string - storeSVID: - type: boolean - x509SVIDTTL: - type: string - required: - - parentID - - selectors - - spiffeID - type: object - status: - description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry - properties: - masked: - description: If the static entry was masked by another entry. - type: boolean - rendered: - description: If the static entry rendered properly. - type: boolean - set: - description: If the static entry was successfully created/updated. - type: boolean - required: - - masked - - rendered - - set - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] \ No newline at end of file diff --git a/k8s/0.27.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml b/k8s/0.27.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml deleted file mode 100644 index 538ac974..00000000 --- a/k8s/0.27.3/crds/spire.spiffe.io_controllermanagerconfigs.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: controllermanagerconfigs.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ControllerManagerConfig - listKind: ControllerManagerConfigList - plural: controllermanagerconfigs - singular: controllermanagerconfig - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ControllerManagerConfig is the Schema for the controllermanagerconfigs - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ControllerManagerConfigSpec defines the desired state of - ControllerManagerConfig - properties: - foo: - description: Foo is an example field of ControllerManagerConfig. 
Edit - controllermanagerconfig_types.go to deletion/update - type: string - type: object - status: - description: ControllerManagerConfigStatus defines the observed state - of ControllerManagerConfig - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/k8s/0.27.3/eks/vsecm-distroless-fips.yaml b/k8s/0.27.3/eks/vsecm-distroless-fips.yaml deleted file mode 100644 index 1070a477..00000000 --- a/k8s/0.27.3/eks/vsecm-distroless-fips.yaml +++ /dev/null 
@@ -1,1049 +0,0 @@ ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Namespace -metadata: - name: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-root-key -automountServiceAccountToken: true -secrets: - - name: vsecm-root-key ---- -# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret -automountServiceAccountToken: false -secrets: - - name: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-root-key - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: vsecm-safe -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" ---- -# Source: vsecm/charts/sentinel/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: vsecm-sentinel -type: Opaque -stringData: - data: "exit:true\n--\n" ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: vsecm-system -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. -# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## ---- -# Source: vsecm/charts/safe/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: vsecm-system -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. -# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: vsecm-system -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: vsecm-system -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## ---- -# Source: vsecm/charts/sentinel/templates/Role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: vsecm-sentinel-secret-reader - namespace: vsecm-system -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - resourceNames: ["vsecm-sentinel-init-secret"] ---- -# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: read-secrets - namespace: vsecm-system -subjects: - - kind: ServiceAccount - name: vsecm-sentinel - namespace: vsecm-system -roleRef: - kind: Role - name: vsecm-sentinel-secret-reader - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/safe/templates/Service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-keystone - securityContext: - {} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - - - - - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT - value: "0" - - - - - name: VSECM_LOG_LEVEL - value: "7" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - containers: - - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-keystone:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - name: VSECM_LOG_LEVEL - value: "7" - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true ---- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-sentinel - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. 
- # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. - # - env: - - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - - - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - - - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER - value: "false" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE - value: "0" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC - value: "0" - - - - - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/StatefulSet.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vsecm-safe - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-safe - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.27.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: /var/local/vsecm/data - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - 
mountPath: /key - readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. - # - env: - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - - - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - - - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - - - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - - - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - - - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - - - - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - - - - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - - - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - - - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - - - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - - - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - - - - - name: VSECM_SAFE_ROOT_KEY_STORE - value: "k8s" - - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - name: VSECM_SAFE_ENDPOINT_URL - value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt ---- -# Source: vsecm/charts/keystone/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-keystone - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-keystone" ---- -# Source: vsecm/charts/safe/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-safe - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-safe" ---- -# Source: vsecm/charts/sentinel/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-sentinel - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.27.3/eks/vsecm-distroless.yaml b/k8s/0.27.3/eks/vsecm-distroless.yaml deleted file mode 100644 index 15745433..00000000 --- a/k8s/0.27.3/eks/vsecm-distroless.yaml +++ /dev/null 
@@ -1,1049 +0,0 @@ ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Namespace -metadata: - name: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-root-key -automountServiceAccountToken: true -secrets: - - name: vsecm-root-key ---- -# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret -automountServiceAccountToken: false -secrets: - - name: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-root-key - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: vsecm-safe -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" ---- -# Source: vsecm/charts/sentinel/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: vsecm-sentinel -type: Opaque -stringData: - data: "exit:true\n--\n" ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: vsecm-system -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. -# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## ---- -# Source: vsecm/charts/safe/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: vsecm-system -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. -# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: vsecm-system -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: vsecm-system -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## ---- -# Source: vsecm/charts/sentinel/templates/Role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: vsecm-sentinel-secret-reader - namespace: vsecm-system -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - resourceNames: ["vsecm-sentinel-init-secret"] ---- -# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: read-secrets - namespace: vsecm-system -subjects: - - kind: ServiceAccount - name: vsecm-sentinel - namespace: vsecm-system -roleRef: - kind: Role - name: vsecm-sentinel-secret-reader - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/safe/templates/Service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-keystone - securityContext: - {} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - - - - - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT - value: "0" - - - - - name: VSECM_LOG_LEVEL - value: "7" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - containers: - - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-keystone:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - name: VSECM_LOG_LEVEL - value: "7" - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true ---- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-sentinel - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. 
- # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. - # - env: - - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - - - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - - - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER - value: "false" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE - value: "0" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC - value: "0" - - - - - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/StatefulSet.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vsecm-safe - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-safe - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.27.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: /var/local/vsecm/data - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - 
mountPath: /key - readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. - # - env: - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - - - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - - - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - - - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - - - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - - - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - - - - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - - - - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - - - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - - - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - - - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - - - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - - - - - name: VSECM_SAFE_ROOT_KEY_STORE - value: "k8s" - - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - name: VSECM_SAFE_ENDPOINT_URL - value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt ---- -# Source: vsecm/charts/keystone/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-keystone - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-keystone" ---- -# Source: vsecm/charts/safe/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-safe - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-safe" ---- -# Source: vsecm/charts/sentinel/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-sentinel - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.27.3/local/vsecm-distroless-fips.yaml b/k8s/0.27.3/local/vsecm-distroless-fips.yaml deleted file mode 100644 index c3df0dae..00000000 --- a/k8s/0.27.3/local/vsecm-distroless-fips.yaml +++ /dev/null 
@@ -1,1049 +0,0 @@ ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Namespace -metadata: - name: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-root-key -automountServiceAccountToken: true -secrets: - - name: vsecm-root-key ---- -# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret -automountServiceAccountToken: false -secrets: - - name: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-root-key - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: vsecm-safe -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" ---- -# Source: vsecm/charts/sentinel/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: vsecm-sentinel -type: Opaque -stringData: - data: "exit:true\n--\n" ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: vsecm-system -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. -# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## ---- -# Source: vsecm/charts/safe/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: vsecm-system -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. -# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: vsecm-system -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: vsecm-system -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## ---- -# Source: vsecm/charts/sentinel/templates/Role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: vsecm-sentinel-secret-reader - namespace: vsecm-system -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - resourceNames: ["vsecm-sentinel-init-secret"] ---- -# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: read-secrets - namespace: vsecm-system -subjects: - - kind: ServiceAccount - name: vsecm-sentinel - namespace: vsecm-system -roleRef: - kind: Role - name: vsecm-sentinel-secret-reader - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/safe/templates/Service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-keystone - securityContext: - {} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "localhost:5000/vsecm-ist-init-container:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - - - - - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT - value: "0" - - - - - name: VSECM_LOG_LEVEL - value: "7" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - containers: - - name: main - image: "localhost:5000/vsecm-ist-fips-keystone:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - name: VSECM_LOG_LEVEL - value: "7" - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true ---- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-sentinel - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "localhost:5000/vsecm-ist-fips-sentinel:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. 
- # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. - # - env: - - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - - - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - - - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER - value: "false" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE - value: "0" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC - value: "0" - - - - - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/StatefulSet.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vsecm-safe - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-safe - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "localhost:5000/vsecm-ist-fips-safe:0.27.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: /var/local/vsecm/data - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: 
/key - readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. - # - env: - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - - - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - - - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - - - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - - - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - - - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - - - - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - - - - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - - - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - - - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - - - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - - - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - - - - - name: VSECM_SAFE_ROOT_KEY_STORE - value: "k8s" - - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - name: VSECM_SAFE_ENDPOINT_URL - value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt ---- -# Source: vsecm/charts/keystone/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-keystone - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-keystone" ---- -# Source: vsecm/charts/safe/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-safe - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-safe" ---- -# Source: vsecm/charts/sentinel/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-sentinel - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.27.3/local/vsecm-distroless.yaml b/k8s/0.27.3/local/vsecm-distroless.yaml deleted file mode 100644 index ed0f57b4..00000000 --- a/k8s/0.27.3/local/vsecm-distroless.yaml +++ /dev/null 
@@ -1,1049 +0,0 @@ ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Namespace -metadata: - name: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-root-key -automountServiceAccountToken: true -secrets: - - name: vsecm-root-key ---- -# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret -automountServiceAccountToken: false -secrets: - - name: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-root-key - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: vsecm-safe -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" ---- -# Source: vsecm/charts/sentinel/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: vsecm-sentinel -type: Opaque -stringData: - data: "exit:true\n--\n" ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: vsecm-system -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. -# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## ---- -# Source: vsecm/charts/safe/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: vsecm-system -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. -# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: vsecm-system -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: vsecm-system -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## ---- -# Source: vsecm/charts/sentinel/templates/Role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: vsecm-sentinel-secret-reader - namespace: vsecm-system -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - resourceNames: ["vsecm-sentinel-init-secret"] ---- -# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: read-secrets - namespace: vsecm-system -subjects: - - kind: ServiceAccount - name: vsecm-sentinel - namespace: vsecm-system -roleRef: - kind: Role - name: vsecm-sentinel-secret-reader - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/safe/templates/Service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-keystone - securityContext: - {} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "localhost:5000/vsecm-ist-init-container:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - - - - - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT - value: "0" - - - - - name: VSECM_LOG_LEVEL - value: "7" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - containers: - - name: main - image: "localhost:5000/vsecm-ist-keystone:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - name: VSECM_LOG_LEVEL - value: "7" - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true ---- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-sentinel - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "localhost:5000/vsecm-ist-sentinel:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. 
- # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. - # - env: - - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - - - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - - - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER - value: "false" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE - value: "0" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC - value: "0" - - - - - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/StatefulSet.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vsecm-safe - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-safe - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "localhost:5000/vsecm-ist-safe:0.27.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: /var/local/vsecm/data - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: /key - 
readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. - # - env: - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - - - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - - - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - - - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - - - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - - - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - - - - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - - - - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - - - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - - - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - - - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - - - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - - - - - name: VSECM_SAFE_ROOT_KEY_STORE - value: "k8s" - - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - name: VSECM_SAFE_ENDPOINT_URL - value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt ---- -# Source: vsecm/charts/keystone/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-keystone - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-keystone" ---- -# Source: vsecm/charts/safe/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-safe - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-safe" ---- -# Source: vsecm/charts/sentinel/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-sentinel - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.27.3/remote/vsecm-distroless-fips.yaml b/k8s/0.27.3/remote/vsecm-distroless-fips.yaml deleted file mode 100644 index e2c1f5a1..00000000 --- a/k8s/0.27.3/remote/vsecm-distroless-fips.yaml +++ /dev/null 
@@ -1,1049 +0,0 @@ ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Namespace -metadata: - name: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-root-key -automountServiceAccountToken: true -secrets: - - name: vsecm-root-key ---- -# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret -automountServiceAccountToken: false -secrets: - - name: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-root-key - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: vsecm-safe -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" ---- -# Source: vsecm/charts/sentinel/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: vsecm-sentinel -type: Opaque -stringData: - data: "exit:true\n--\n" ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: vsecm-system -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. -# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## ---- -# Source: vsecm/charts/safe/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: vsecm-system -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. -# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: vsecm-system -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: vsecm-system -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## ---- -# Source: vsecm/charts/sentinel/templates/Role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: vsecm-sentinel-secret-reader - namespace: vsecm-system -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - resourceNames: ["vsecm-sentinel-init-secret"] ---- -# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: read-secrets - namespace: vsecm-system -subjects: - - kind: ServiceAccount - name: vsecm-sentinel - namespace: vsecm-system -roleRef: - kind: Role - name: vsecm-sentinel-secret-reader - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/safe/templates/Service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-keystone - securityContext: - {} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "vsecm/vsecm-ist-init-container:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - - - - - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT - value: "0" - - - - - name: VSECM_LOG_LEVEL - value: "7" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - containers: - - name: main - image: "vsecm/vsecm-ist-fips-keystone:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - name: VSECM_LOG_LEVEL - value: "7" - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true ---- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-sentinel - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "vsecm/vsecm-ist-fips-sentinel:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. 
- # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. - # - env: - - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - - - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - - - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER - value: "false" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE - value: "0" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC - value: "0" - - - - - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/StatefulSet.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vsecm-safe - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-safe - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "vsecm/vsecm-ist-fips-safe:0.27.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: /var/local/vsecm/data - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: /key - 
readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. - # - env: - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - - - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - - - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - - - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - - - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - - - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - - - - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - - - - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - - - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - - - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - - - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - - - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - - - - - name: VSECM_SAFE_ROOT_KEY_STORE - value: "k8s" - - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - name: VSECM_SAFE_ENDPOINT_URL - value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt ---- -# Source: vsecm/charts/keystone/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-keystone - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-keystone" ---- -# Source: vsecm/charts/safe/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-safe - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-safe" ---- -# Source: vsecm/charts/sentinel/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-sentinel - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.27.3/remote/vsecm-distroless.yaml b/k8s/0.27.3/remote/vsecm-distroless.yaml deleted file mode 100644 index aa6c0f6e..00000000 --- a/k8s/0.27.3/remote/vsecm-distroless.yaml +++ /dev/null 
@@ -1,1049 +0,0 @@ ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Namespace -metadata: - name: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: vsecm/charts/safe/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-root-key -automountServiceAccountToken: true -secrets: - - name: vsecm-root-key ---- -# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret -automountServiceAccountToken: false -secrets: - - name: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-root-key - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: vsecm-safe -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" ---- -# Source: vsecm/charts/sentinel/templates/Secret.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: vsecm-sentinel -type: Opaque -stringData: - data: "exit:true\n--\n" ---- -# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: vsecm-system -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. -# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: ["vsecm-root-key"] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## ---- -# Source: vsecm/charts/safe/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: vsecm-system -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. -# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: vsecm-system -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: vsecm-system -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## ---- -# Source: vsecm/charts/sentinel/templates/Role.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: vsecm-sentinel-secret-reader - namespace: vsecm-system -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - resourceNames: ["vsecm-sentinel-init-secret"] ---- -# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: read-secrets - namespace: vsecm-system -subjects: - - kind: ServiceAccount - name: vsecm-sentinel - namespace: vsecm-system -roleRef: - kind: Role - name: vsecm-sentinel-secret-reader - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/safe/templates/Service.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system ---- -# Source: vsecm/charts/keystone/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-keystone - namespace: vsecm-system - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-keystone - securityContext: - {} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "vsecm/vsecm-ist-init-container:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - - - - - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT - value: "0" - - - - - name: VSECM_LOG_LEVEL - value: "7" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - containers: - - name: main - image: "vsecm/vsecm-ist-keystone:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. 
- # - env: - - name: VSECM_LOG_LEVEL - value: "7" - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true ---- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vsecm-sentinel - namespace: vsecm-system - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-sentinel - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "vsecm/vsecm-ist-sentinel:0.27.3" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. 
- # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. - # - env: - - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - - - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - - - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER - value: "false" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE - value: "0" - - - - - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC - value: "0" - - - - - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - - - - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - - - - - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret ---- -# Source: vsecm/charts/safe/templates/StatefulSet.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vsecm-safe - namespace: vsecm-system - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vsecm-safe - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - template: - metadata: - labels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - spec: - serviceAccountName: vsecm-safe - securityContext: - {} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "vsecm/vsecm-ist-safe:0.27.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: /var/local/vsecm/data - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: /key - readOnly: 
true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. - # - env: - - - - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - - - - name: VSECM_BACKOFF_DELAY - value: "1000" - - - - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - - - - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - - - - - name: VSECM_BACKOFF_MODE - value: "exponential" - - - - - name: VSECM_LOG_LEVEL - value: "7" - - - - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - - - - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - - - - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - - - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - - - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - - - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - - - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - - - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - - - - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - - - - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - - - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - - - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - - - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - - - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - - - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - - - - - name: VSECM_SAFE_ROOT_KEY_STORE - value: "k8s" - - - - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - - name: VSECM_SAFE_ENDPOINT_URL - value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - 
- name: VSECM_SPIFFEID_PREFIX_SAFE - value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - name: VSECM_NAMESPACE_SYSTEM - value: "vsecm-system" - - name: VSECM_NAMESPACE_SPIRE - value: "spire-system" - - name: SPIFFE_TRUST_DOMAIN - value: "vsecm.com" - - name: VSECM_WORKLOAD_NAME_REGEXP - value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - livenessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: 20Mi - cpu: 5m - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt ---- -# Source: vsecm/charts/keystone/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-keystone - labels: - helm.sh/chart: keystone-0.27.3 - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-keystone - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-keystone" ---- -# Source: vsecm/charts/safe/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-safe - labels: - helm.sh/chart: safe-0.27.3 - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-safe - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-safe" ---- -# Source: vsecm/charts/sentinel/templates/Identity.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: vsecm-sentinel - labels: - helm.sh/chart: sentinel-0.27.3 - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/instance: vsecm - app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" - app.kubernetes.io/managed-by: Helm -spec: - className: "vsecm" - spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} - podSelector: - matchLabels: - app.kubernetes.io/name: vsecm-sentinel - app.kubernetes.io/part-of: vsecm-system - workloadSelectorTemplates: - - "k8s:ns:vsecm-system" - - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.27.3/spire.yaml b/k8s/0.27.3/spire.yaml deleted file mode 100644 index dd6d7d41..00000000 --- a/k8s/0.27.3/spire.yaml +++ /dev/null 
@@ -1,1802 +0,0 @@ ---- -# Source: vsecm/charts/spire/templates/serviceaccount-spire-agent.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-agent - namespace: spire-system - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: agent - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm ---- -# Source: vsecm/charts/spire/templates/serviceaccount-spire-server.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server - namespace: spire-server - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm ---- -# Source: vsecm/charts/spire/templates/serviceaccount-spire-spiffe-csi-driver.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-spiffe-csi-driver - namespace: spire-system - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: spiffe-csi-driver - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "0.2.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: vsecm/charts/spire/templates/configmap-spire-agent.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-agent - namespace: spire-system -data: - agent.conf: | - { - "agent": { - "data_dir": "/run/spire", - "log_level": "info", - "retry_bootstrap": true, - "server_address": "spire-server.spire-server", - "server_port": "443", - "socket_path": "/tmp/spire-agent/public/spire-agent.sock", - "trust_bundle_path": "/run/spire/bundle/bundle.crt", - "trust_domain": "vsecm.com" - }, - "health_checks": { - "bind_address": "0.0.0.0", - "bind_port": "9982", - "listener_enabled": true, - "live_path": "/live", - "ready_path": "/ready" - }, - "plugins": { - "KeyManager": [ - { - "memory": { - "plugin_data": null - } - } - ], - "NodeAttestor": [ - { - "k8s_psat": { - "plugin_data": { - "cluster": "vsecm-cluster" - } - } - } - ], - "WorkloadAttestor": [ - { - "k8s": { - "plugin_data": { - "disable_container_selectors": false, - "skip_kubelet_verification": true, - "use_new_container_locator": false, - "verbose_container_locator_logs": false - } - } - } - ] - }, - "telemetry": [ - { - "Prometheus": [ - { - "host": "0.0.0.0", - "port": 9988 - } - ] - } - ] - } ---- -# Source: vsecm/charts/spire/templates/configmap-spire-bundle.yaml -# /* -# | Protect your secrets, protect your sensitive data. 
-# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-bundle - namespace: spire-system ---- -# Source: vsecm/charts/spire/templates/configmap-spire-controller-manager.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-controller-manager - namespace: spire-server -data: - controller-manager-config.yaml: | - - apiVersion: spire.spiffe.io/v1alpha1 - kind: ControllerManagerConfig - metadata: - name: spire-controller-manager - namespace: spire-server - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - metrics: - bindAddress: 0.0.0.0:8082 - health: - healthProbeBindAddress: 0.0.0.0:8083 - leaderElection: - leaderElect: true - resourceName: 6f304bd2.spiffe.io - resourceNamespace: spire-server - validatingWebhookConfigurationName: spire-server-spire-controller-manager-webhook - entryIDPrefix: vsecm-cluster - clusterName: vsecm-cluster - trustDomain: vsecm.com - ignoreNamespaces: - - kube-system - - kube-public - - local-path-storage - - openshift-cluster-node-tuning-operator - - openshift-cluster-samples-operator - - openshift-cluster-storage-operator - - openshift-console-operator - - openshift-console - - openshift-dns - - openshift-dns-operator - - openshift-image-registry - - openshift-ingress - - openshift-kube-storage-version-migrator - - openshift-kube-storage-version-migrator-operator - - openshift-kube-proxy - - 
openshift-marketplace - - openshift-monitoring - - openshift-multus - - openshift-network-diagnostics - - openshift-network-operator - - openshift-operator-lifecycle-manager - - openshift-roks-metrics - - openshift-service-ca-operator - - openshift-service-ca - - ibm-odf-validation-webhook - - ibm-system - spireServerSocketPath: "/tmp/spire-server/private/api.sock" - className: "vsecm" - watchClassless: false - parentIDTemplate: "spiffe://{{ .TrustDomain }}/spire/agent/k8s_psat/{{ .ClusterName }}/{{ .NodeMeta.UID }}" - reconcile: - clusterSPIFFEIDs: true - clusterStaticEntries: true - clusterFederatedTrustDomains: true ---- -# Source: vsecm/charts/spire/templates/configmap-spire-server.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-server - namespace: spire-server -data: - server.conf: | - { - "health_checks": { - "bind_address": "0.0.0.0", - "bind_port": "8080", - "listener_enabled": true, - "live_path": "/live", - "ready_path": "/ready" - }, - "plugins": { - "DataStore": [ - { - "sql": { - "plugin_data": { - "connection_string": "/run/spire/data/datastore.sqlite3", - "database_type": "sqlite3" - } - } - } - ], - "KeyManager": [ - { - "disk": { - "plugin_data": { - "keys_path": "/run/spire/data/keys.json" - } - } - } - ], - "NodeAttestor": [ - { - "k8s_psat": { - "plugin_data": { - "clusters": [ - { - "vsecm-cluster": { - "allowed_node_label_keys": [], - "allowed_pod_label_keys": [], - "audience": [ - "spire-server" - ], - "service_account_allow_list": [ - "spire-system:spire-agent" - ] - } - } - ] - } - } - } - ], - "Notifier": [ - { - "k8sbundle": { - "plugin_data": { - "config_map": "spire-bundle", - "namespace": "spire-system" - } - } - } - ] - }, - "server": { - 
"audit_log_enabled": false, - "bind_address": "0.0.0.0", - "bind_port": "8081", - "ca_key_type": "rsa-2048", - "ca_subject": [ - { - "common_name": "aegist.ist", - "country": [ - "US" - ], - "organization": [ - "vsecm.com" - ] - } - ], - "ca_ttl": "24h", - "data_dir": "/run/spire/data", - "default_jwt_svid_ttl": "1h", - "default_x509_svid_ttl": "4h", - "jwt_issuer": "https://oidc-discovery.vsecm.com", - "log_level": "info", - "trust_domain": "vsecm.com" - }, - "telemetry": [ - { - "Prometheus": [ - { - "host": "0.0.0.0", - "port": 9988 - } - ] - } - ] - } ---- -# Source: vsecm/charts/spire/templates/clusterrole-spire-agent.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Required cluster role to allow spire-agent to query k8s API server -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent -rules: - - apiGroups: [""] - resources: - - pods - - nodes - - nodes/proxy - verbs: ["get"] ---- -# Source: vsecm/charts/spire/templates/clusterrole-spire-server-spire-controller-manager.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spire-server-spire-controller-manager -rules: - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "patch", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/status"] - verbs: ["get", "patch", "update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids/status"] - verbs: ["get", "patch", "update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterstaticentries"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterstaticentries/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterstaticentries/status"] - verbs: ["get", "patch", "update"] ---- -# Source: vsecm/charts/spire/templates/clusterrole-spire-server-spire-server.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... 
secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# ClusterRole to allow spire-server node attestor to query Token Review API -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-spire-server -rules: - - apiGroups: [""] - resources: [nodes, pods] - verbs: ["get", "list"] - - apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: ["get", "watch", "list", "create"] ---- -# Source: vsecm/charts/spire/templates/clusterrolebinding-spire-agent.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Binds SPIRE Agent Cluster Role to spire-agent service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent -subjects: - - kind: ServiceAccount - name: spire-agent - namespace: spire-system -roleRef: - kind: ClusterRole - name: spire-agent - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/spire/templates/clusterrolebinding-spire-server-spire-controller-manager.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: spire-server-spire-controller-manager -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: spire-server-spire-controller-manager -subjects: - - kind: ServiceAccount - name: spire-server - namespace: spire-server ---- -# Source: vsecm/charts/spire/templates/clusterrolebinding-spire-server-spire-server.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Binds spire-server-spire-server cluster role to spire-agent service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-spire-server - -subjects: - - kind: ServiceAccount - name: spire-server - namespace: spire-server -roleRef: - kind: ClusterRole - name: spire-server-spire-server - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/spire/templates/role-spire-bundle.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Role to be able to push certificate bundles to a configmap -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-bundle - namespace: spire-system -rules: - - apiGroups: [""] - resources: [configmaps] - resourceNames: [spire-bundle] - verbs: - - get - - patch ---- -# Source: vsecm/charts/spire/templates/role-spire-controller-manager-leader-election.yaml -# /* -# | Protect your secrets, protect your sensitive data. 
-# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: spire-controller-manager-leader-election - namespace: spire-server -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: vsecm/charts/spire/templates/rolebinding-spire-bundle.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-bundle - namespace: spire-system -subjects: - - kind: ServiceAccount - name: spire-server - namespace: spire-server -roleRef: - kind: Role - name: spire-bundle - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/spire/templates/rolebinding-spire-controller-manager-leader-election.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: spire-controller-manager-leader-election - namespace: spire-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: spire-controller-manager-leader-election -subjects: - - kind: ServiceAccount - name: spire-server - namespace: spire-server ---- -# Source: vsecm/charts/spire/templates/service-spire-controller-manager-webhook.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: spire-controller-manager-webhook - namespace: spire-server - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - name: https - port: 443 - targetPort: https - protocol: TCP - selector: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire ---- -# Source: vsecm/charts/spire/templates/service-spire-server.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: spire-server - namespace: spire-server - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - name: grpc - port: 443 - targetPort: grpc - protocol: TCP - selector: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire ---- -# Source: vsecm/charts/spire/templates/daemonset-spire-agent.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: spire-agent - namespace: spire-system - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: agent - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: default -spec: - selector: - matchLabels: - app.kubernetes.io/name: agent - app.kubernetes.io/instance: spire - app.kubernetes.io/component: default - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: spire-agent - checksum/config: 2ad907b85aad20064f4cbf04be0f3bf500bbe6a43f76c82c48eda97306352008 - labels: - app.kubernetes.io/name: agent - app.kubernetes.io/instance: spire - app.kubernetes.io/component: default - spec: - - hostPID: true - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: spire-agent - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 - priorityClassName: system-node-critical - initContainers: - - name: 
ensure-alternate-names - image: "cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d" - imagePullPolicy: IfNotPresent - command: ["bash", "-xc"] - args: - - | - cd /run/spire/agent-sockets - L=`readlink socket` - [ "x$L" != "xspire-agent.sock" ] && rm -f socket - [ ! -L socket ] && ln -s spire-agent.sock socket - L=`readlink api.sock` - [ "x$L" != "xspire-agent.sock" ] && rm -f api.sock - [ ! -L api.sock ] && ln -s spire-agent.sock api.sock - [ -L spire-agent.sock ] && rm -f spire-agent.sock - exit 0 - resources: - {} - volumeMounts: - - name: spire-agent-socket-dir - mountPath: /run/spire/agent-sockets - securityContext: - runAsUser: 0 - runAsGroup: 0 - - name: fsgroupfix - image: "cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d" - imagePullPolicy: IfNotPresent - command: ["bash", "-c"] - args: - - "chown -R 1000:1000 /run/spire/agent-sockets /tmp/spire-agent/private" - resources: - {} - volumeMounts: - - name: spire-agent-socket-dir - mountPath: /run/spire/agent-sockets - - name: spire-agent-admin-socket-dir - mountPath: /tmp/spire-agent/private - securityContext: - runAsUser: 0 - runAsGroup: 0 - containers: - - name: spire-agent - image: "ghcr.io/spiffe/spire-agent:1.9.6" - imagePullPolicy: IfNotPresent - args: ["-config", "/opt/spire/conf/agent/agent.conf"] - securityContext: - {} - env: - - name: PATH - value: "/opt/spire/bin:/bin" - ports: - - containerPort: 9982 - name: healthz - - containerPort: 9988 - name: prom - volumeMounts: - - name: spire-config - mountPath: /opt/spire/conf/agent - readOnly: true - - name: spire-bundle - mountPath: /run/spire/bundle - readOnly: true - - name: spire-agent-socket-dir - mountPath: /tmp/spire-agent/public - readOnly: false - - name: spire-token - mountPath: /var/run/secrets/tokens - livenessProbe: - httpGet: - path: /live - port: healthz - initialDelaySeconds: 15 - periodSeconds: 60 - readinessProbe: - httpGet: - 
path: /ready - port: healthz - initialDelaySeconds: 10 - periodSeconds: 30 - resources: - {} - volumes: - - name: spire-config - configMap: - name: spire-agent - - name: spire-agent-admin-socket-dir - emptyDir: {} - - name: spire-bundle - configMap: - name: spire-bundle - - name: spire-token - projected: - sources: - - serviceAccountToken: - path: spire-agent - expirationSeconds: 7200 - audience: spire-server - - name: spire-agent-socket-dir - hostPath: - path: /run/spire/agent-sockets - type: DirectoryOrCreate ---- -# Source: vsecm/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: spire-spiffe-csi-driver - namespace: spire-system - labels: - hhelm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: spiffe-csi-driver - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "0.2.3" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: spiffe-csi-driver - app.kubernetes.io/instance: spire - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - labels: - app.kubernetes.io/name: spiffe-csi-driver - app.kubernetes.io/instance: spire - spec: - - serviceAccountName: spire-spiffe-csi-driver - - priorityClassName: system-node-critical - containers: - # This is the container which runs the SPIFFE CSI driver. - - name: spiffe-csi-driver - image: "ghcr.io/spiffe/spiffe-csi-driver:0.2.6" - imagePullPolicy: IfNotPresent - args: [ - "-workload-api-socket-dir", "/spire-agent-socket", - "-plugin-name", "csi.spiffe.io", - "-csi-socket-path", "/spiffe-csi/csi.sock", - ] - env: - # The CSI driver needs a unique node ID. 
The node name can be - # used for this purpose. - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - # The volume containing the SPIRE agent socket. The SPIFFE CSI - # driver will mount this directory into containers. - - mountPath: /spire-agent-socket - name: spire-agent-socket-dir - readOnly: true - # The volume that will contain the CSI driver socket shared - # with the kubelet and the driver registrar. - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The volume containing mount points for containers. - - mountPath: /var/lib/kubelet/pods - mountPropagation: Bidirectional - name: mountpoint-dir - securityContext: - readOnlyRootFilesystem: true - capabilities: - drop: - - all - privileged: true - resources: - {} - # This container runs the CSI Node Driver Registrar which takes care - # of all the little details required to register a CSI driver with - # the kubelet. - - name: node-driver-registrar - image: "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0" - imagePullPolicy: IfNotPresent - args: [ - "-csi-address", "/spiffe-csi/csi.sock", - "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", - "-health-port", "9809" - ] - volumeMounts: - # The registrar needs access to the SPIFFE CSI driver socket - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The registrar needs access to the Kubelet plugin registration - # directory - - name: kubelet-plugin-registration-dir - mountPath: /registration - ports: - - containerPort: 9809 - name: healthz - livenessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 5 - timeoutSeconds: 5 - resources: - {} - volumes: - - name: spire-agent-socket-dir - hostPath: - path: /run/spire/agent-sockets - type: DirectoryOrCreate - # This volume is where the socket for kubelet->driver communication lives - - name: spiffe-csi-socket-dir - hostPath: - path: /var/lib/kubelet/plugins/csi.spiffe.io - type: DirectoryOrCreate 
- # This volume is where the SPIFFE CSI driver mounts volumes - - name: mountpoint-dir - hostPath: - path: /var/lib/kubelet/pods - type: Directory - # This volume is where the node-driver-registrar registers the plugin - # with kubelet - - name: kubelet-plugin-registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry - type: Directory ---- -# Source: vsecm/charts/spire/templates/statefulset-spire-server.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: spire-server - namespace: spire-server - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: server -spec: - replicas: 1 - serviceName: spire-server - selector: - matchLabels: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/component: server - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: spire-server - checksum/config: 83dddc7bb9f54b5059533228971826c0585045b7c4afb17635ede1e7ef6c1e35 - checksum/config2: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - checksum/config3: 9742ccbbd63b5da94e50bc34b73c946f254110b1f94fbc4ac437b3bba15cefe8 - checksum/configTornjak: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - labels: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/component: server - component: server - release: spire - release-namespace: spire-server - spec: - - serviceAccountName: spire-server - shareProcessNamespace: true - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - 
runAsGroup: 1000 - runAsUser: 1000 - - priorityClassName: system-cluster-critical - containers: - - name: spire-server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/spiffe/spire-server:1.9.6" - imagePullPolicy: IfNotPresent - args: - - -expandEnv - - -config - - /run/spire/config/server.conf - env: - - name: PATH - value: "/opt/spire/bin:/bin" - ports: - - name: grpc - containerPort: 8081 - protocol: TCP - - containerPort: 8080 - name: healthz - - containerPort: 9988 - name: prom - livenessProbe: - httpGet: - path: /live - port: healthz - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: /ready - port: healthz - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - {} - volumeMounts: - - name: spire-server-socket - mountPath: /tmp/spire-server/private - readOnly: false - - name: spire-config - mountPath: /run/spire/config - readOnly: true - - name: spire-data - mountPath: /run/spire/data - readOnly: false - - name: server-tmp - mountPath: /tmp - readOnly: false - - - name: spire-controller-manager - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/spiffe/spire-controller-manager:0.5.0" - imagePullPolicy: IfNotPresent - args: - - --config=controller-manager-config.yaml - env: - - name: ENABLE_WEBHOOKS - value: "true" - ports: - - name: https - containerPort: 9443 - protocol: TCP - - containerPort: 8083 - name: healthz - - containerPort: 8082 - name: prom-cm - livenessProbe: - httpGet: - path: /healthz - port: healthz - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - {} - volumeMounts: - - name: spire-server-socket - mountPath: /tmp/spire-server/private - readOnly: true - - 
name: controller-manager-config - mountPath: /controller-manager-config.yaml - subPath: controller-manager-config.yaml - readOnly: true - - name: spire-controller-manager-tmp - mountPath: /tmp - subPath: spire-controller-manager - readOnly: false - volumes: - - name: server-tmp - emptyDir: {} - - name: spire-config - configMap: - name: spire-server - - name: spire-server-socket - emptyDir: {} - - name: spire-controller-manager-tmp - emptyDir: {} - - name: controller-manager-config - configMap: - name: spire-controller-manager - # noinspection KubernetesUnknownKeys - volumeClaimTemplates: - - metadata: - name: spire-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -# Source: vsecm/charts/spire/templates/clusterspiffeid-spire-server-spire-default.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ ---- -# Source: vsecm/charts/spire/templates/openshift-security-context-constraints.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ ---- -# Source: vsecm/charts/spire/templates/clusterspiffeid-spire-server-spire-test-keys.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: spire-server-spire-test-keys -spec: - className: "vsecm" - spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" - podSelector: - matchLabels: - component: test-keys - release: spire - release-namespace: spire-server - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - - spire-server - - spire-system - - vsecm-system ---- -# Source: vsecm/charts/spire/templates/validatingwebhookconfiguration-spire-server-spire-controller-manager-webhook.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: spire-server-spire-controller-manager-webhook -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook - namespace: spire-server - path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain - failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks - name: vclusterfederatedtrustdomain.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterfederatedtrustdomains"] - sideEffects: None - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook - namespace: spire-server - path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid - failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks - name: vclusterspiffeid.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: 
["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterspiffeids"] - sideEffects: None ---- -# Source: vsecm/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Namespace -metadata: - name: spire-system - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - annotations: - "helm.sh/hook": pre-install ---- -# Source: vsecm/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ -apiVersion: v1 -kind: Namespace -metadata: - name: spire-server - labels: - pod-security.kubernetes.io/audit: restricted - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/warn: restricted - annotations: - "helm.sh/hook": pre-install ---- -# Source: vsecm/charts/spire/templates/hook-serviceaccount-spire-server-post-install.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server-post-install - namespace: spire-server - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed ---- -# Source: vsecm/charts/spire/templates/hook-serviceaccount-spire-server-post-upgrade.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server-post-upgrade - namespace: spire-server - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed ---- -# Source: vsecm/charts/spire/templates/hook-serviceaccount-spire-server-pre-upgrade.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server-pre-upgrade - namespace: spire-server - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed ---- -# Source: vsecm/charts/spire/templates/hook-clusterrole-spire-server-post-install.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spire-server-post-install - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -rules: - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - resourceNames: ["spire-server-spire-controller-manager-webhook"] - verbs: ["get", "patch"] ---- -# Source: vsecm/charts/spire/templates/hook-clusterrole-spire-server-post-upgrade.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spire-server-post-upgrade - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -rules: - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - resourceNames: ["spire-server-spire-controller-manager-webhook"] - verbs: ["get", "patch"] ---- -# Source: vsecm/charts/spire/templates/hook-clusterrole-spire-server-pre-upgrade.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spire-server-pre-upgrade - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -rules: - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - resourceNames: ["spire-server-spire-controller-manager-webhook"] - verbs: ["get", "patch"] ---- -# Source: vsecm/charts/spire/templates/hook-clusterrolebinding-spire-server-post-install.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-post-install - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -subjects: - - kind: ServiceAccount - name: spire-server-post-install - namespace: spire-server -roleRef: - kind: ClusterRole - name: spire-server-post-install - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/spire/templates/hook-clusterrolebinding-spire-server-post-upgrade.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-post-upgrade - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -subjects: - - kind: ServiceAccount - name: spire-server-post-upgrade - namespace: spire-server -roleRef: - kind: ClusterRole - name: spire-server-post-upgrade - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/spire/templates/hook-clusterrolebinding-spire-server-pre-upgrade.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-pre-upgrade - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -subjects: - - kind: ServiceAccount - name: spire-server-pre-upgrade - namespace: spire-server -roleRef: - kind: ClusterRole - name: spire-server-pre-upgrade - apiGroup: rbac.authorization.k8s.io ---- -# Source: vsecm/charts/spire/templates/hook-job-spire-server-post-install.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: batch/v1 -kind: Job -metadata: - name: spire-server-post-install - namespace: spire-server - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -spec: - template: - metadata: - name: spire-server-post-install - spec: - - restartPolicy: Never - serviceAccountName: spire-server-post-install - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 - - containers: - - name: post-install-job - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "docker.io/rancher/kubectl:v1.28.0" - imagePullPolicy: IfNotPresent - args: - - patch - - validatingwebhookconfiguration - - spire-server-spire-controller-manager-webhook - - --type=strategic - - -p - - | - { - "webhooks":[ - { - 
"name":"vclusterspiffeid.kb.io", - "failurePolicy":"Fail" - }, - { - "name":"vclusterfederatedtrustdomain.kb.io", - "failurePolicy":"Fail" - } - ] - } ---- -# Source: vsecm/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: batch/v1 -kind: Job -metadata: - name: spire-server-post-upgrade - namespace: spire-server - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -spec: - template: - metadata: - name: spire-server-post-upgrade - spec: - - restartPolicy: Never - serviceAccountName: spire-server-post-upgrade - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 - containers: - - name: post-upgrade-job - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "docker.io/rancher/kubectl:v1.28.0" - imagePullPolicy: IfNotPresent - args: - - patch - - validatingwebhookconfiguration - - spire-server-spire-controller-manager-webhook - - --type=strategic - - -p - - | - { - "webhooks":[ - { - "name":"vclusterspiffeid.kb.io", - "failurePolicy":"Fail" - }, - { - "name":"vclusterfederatedtrustdomain.kb.io", - "failurePolicy":"Fail" - } - ] - } ---- -# Source: vsecm/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml -# /* -# | Protect your secrets, protect your sensitive data. 
-# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: batch/v1 -kind: Job -metadata: - name: spire-server-pre-upgrade - namespace: spire-server - labels: - helm.sh/chart: spire-0.27.3 - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -spec: - template: - metadata: - name: spire-server-pre-upgrade - spec: - - restartPolicy: Never - serviceAccountName: spire-server-pre-upgrade - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 - containers: - - name: post-install-job - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "docker.io/rancher/kubectl:v1.28.0" - imagePullPolicy: IfNotPresent - args: - - patch - - validatingwebhookconfiguration - - spire-server-spire-controller-manager-webhook - - --type=strategic - - -p - - | - { - "webhooks":[ - { - "name":"vclusterspiffeid.kb.io", - "failurePolicy":"Ignore" - }, - { - "name":"vclusterfederatedtrustdomain.kb.io", - "failurePolicy":"Ignore" - } - ] - } ---- -# Source: vsecm/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
-# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - name: "csi.spiffe.io" - annotations: - "helm.sh/hook": pre-install - -spec: - # Only ephemeral, inline volumes are supported. There is no need for a - # controller to provision and attach volumes. - attachRequired: false - - # Request the pod information which the CSI driver uses to verify that an - # ephemeral mount was requested. - podInfoOnMount: true - - # Don't change ownership on the contents of the mount since the Workload API - # Unix Domain Socket is typically open to all (i.e. 0777). - fsGroupPolicy: None - - # Declare support for ephemeral volumes only. - volumeLifecycleModes: - - Ephemeral diff --git a/k8s/0.27.4/eks/vsecm-distroless-fips.yaml b/k8s/0.27.4/eks/vsecm-distroless-fips.yaml index 9305ac26..299d381c 100644 --- a/k8s/0.27.4/eks/vsecm-distroless-fips.yaml +++ b/k8s/0.27.4/eks/vsecm-distroless-fips.yaml @@ -31,11 +31,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -374,11 +374,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -402,7 +402,7 @@ spec: initContainers: - name: init-container - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.27.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -475,7 +475,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-keystone:0.27.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-keystone:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -551,7 +551,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.27.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -745,7 +745,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.27.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.27.4" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -965,11 +965,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" diff --git a/k8s/0.27.4/eks/vsecm-distroless.yaml b/k8s/0.27.4/eks/vsecm-distroless.yaml index d549560d..ab6ce1b2 100644 --- a/k8s/0.27.4/eks/vsecm-distroless.yaml +++ b/k8s/0.27.4/eks/vsecm-distroless.yaml 
@@ -31,11 +31,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -374,11 +374,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -402,7 +402,7 @@ spec: initContainers: - name: init-container - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.27.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -475,7 +475,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-keystone:0.27.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-keystone:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -551,7 +551,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.27.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -745,7 +745,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.27.3" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.27.4" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 
@@ -965,11 +965,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" diff --git a/k8s/0.27.4/local/vsecm-distroless-fips.yaml b/k8s/0.27.4/local/vsecm-distroless-fips.yaml index 66d5d216..1ffafa19 100644 --- a/k8s/0.27.4/local/vsecm-distroless-fips.yaml +++ b/k8s/0.27.4/local/vsecm-distroless-fips.yaml @@ -31,11 +31,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -374,11 +374,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -402,7 +402,7 @@ spec: initContainers: - name: init-container - image: "localhost:5000/vsecm-ist-init-container:0.27.3" + image: "localhost:5000/vsecm-ist-init-container:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket 
@@ -475,7 +475,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "localhost:5000/vsecm-ist-fips-keystone:0.27.3" + image: "localhost:5000/vsecm-ist-fips-keystone:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -551,7 +551,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-fips-sentinel:0.27.3" + image: "localhost:5000/vsecm-ist-fips-sentinel:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -745,7 +745,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-fips-safe:0.27.3" + image: "localhost:5000/vsecm-ist-fips-safe:0.27.4" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -965,11 +965,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" diff --git a/k8s/0.27.4/local/vsecm-distroless.yaml b/k8s/0.27.4/local/vsecm-distroless.yaml index 8f32d0b4..d7088f79 100644 --- a/k8s/0.27.4/local/vsecm-distroless.yaml +++ b/k8s/0.27.4/local/vsecm-distroless.yaml @@ -31,11 +31,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- 
@@ -374,11 +374,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -402,7 +402,7 @@ spec: initContainers: - name: init-container - image: "localhost:5000/vsecm-ist-init-container:0.27.3" + image: "localhost:5000/vsecm-ist-init-container:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -475,7 +475,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "localhost:5000/vsecm-ist-keystone:0.27.3" + image: "localhost:5000/vsecm-ist-keystone:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -551,7 +551,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-sentinel:0.27.3" + image: "localhost:5000/vsecm-ist-sentinel:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -745,7 +745,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-safe:0.27.3" + image: "localhost:5000/vsecm-ist-safe:0.27.4" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -965,11 +965,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" diff --git a/k8s/0.27.4/remote/vsecm-distroless-fips.yaml b/k8s/0.27.4/remote/vsecm-distroless-fips.yaml index c2216a73..e98a5194 100644 --- a/k8s/0.27.4/remote/vsecm-distroless-fips.yaml 
+++ b/k8s/0.27.4/remote/vsecm-distroless-fips.yaml @@ -31,11 +31,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -374,11 +374,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -402,7 +402,7 @@ spec: initContainers: - name: init-container - image: "vsecm/vsecm-ist-init-container:0.27.3" + image: "vsecm/vsecm-ist-init-container:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -475,7 +475,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "vsecm/vsecm-ist-fips-keystone:0.27.3" + image: "vsecm/vsecm-ist-fips-keystone:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -551,7 +551,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-fips-sentinel:0.27.3" + image: "vsecm/vsecm-ist-fips-sentinel:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -745,7 +745,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-fips-safe:0.27.3" + image: "vsecm/vsecm-ist-fips-safe:0.27.4" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 
@@ -965,11 +965,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" diff --git a/k8s/0.27.4/remote/vsecm-distroless.yaml b/k8s/0.27.4/remote/vsecm-distroless.yaml index 7b517993..c3921289 100644 --- a/k8s/0.27.4/remote/vsecm-distroless.yaml +++ b/k8s/0.27.4/remote/vsecm-distroless.yaml @@ -31,11 +31,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -374,11 +374,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -402,7 +402,7 @@ spec: initContainers: - name: init-container - image: "vsecm/vsecm-ist-init-container:0.27.3" + image: "vsecm/vsecm-ist-init-container:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -475,7 +475,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "vsecm/vsecm-ist-keystone:0.27.3" + image: "vsecm/vsecm-ist-keystone:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket 
@@ -551,7 +551,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-sentinel:0.27.3" + image: "vsecm/vsecm-ist-sentinel:0.27.4" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -745,7 +745,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-safe:0.27.3" + image: "vsecm/vsecm-ist-safe:0.27.4" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -965,11 +965,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.27.3 + helm.sh/chart: keystone-0.27.4 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.3" + app.kubernetes.io/version: "0.27.4" app.kubernetes.io/managed-by: Helm spec: className: "vsecm"