[security] Move SPIRE Server Into its Own Namespace (#992)

* Manifests update Signed-off-by: Volkan Ozcelik <[email protected]> * Add hook annotations. Signed-off-by: Volkan Ozcelik <[email protected]> * Manifest changes Signed-off-by: Volkan Ozcelik <[email protected]> * Updated build scripts Signed-off-by: Volkan Ozcelik <[email protected]> * Manifest update. Signed-off-by: Volkan Ozcelik <[email protected]> * Chart update. Signed-off-by: Volkan Ozcelik <[email protected]> * Manifest update. Signed-off-by: Volkan Ozcelik <[email protected]> * Config changes. Signed-off-by: Volkan Ozcelik <[email protected]> * Update charts Signed-off-by: Volkan Ozcelik <[email protected]> --------- Signed-off-by: Volkan Ozcelik <[email protected]>
vmware-tanzu · Jun 9, 2024 · bcfc8c7 · bcfc8c7
1 parent 476ad72
commit bcfc8c7
Show file tree

Hide file tree

Showing 24 changed files with 176 additions and 87 deletions.
diff --git a/Makefile b/Makefile
@@ -30,6 +30,7 @@ VSECM_EKS_REGISTRY_URL ?= "public.ecr.aws/h8y1n7y7"
 
 VSECM_NAMESPACE_SYSTEM ?= "vsecm-system"
 VSECM_NAMESPACE_SPIRE ?= "spire-system"
+VSECM_NAMESPACE_SPIRE_SERVER ?= "spire-server"
 
 # Utils
 include ./makefiles/VSecMMacOs.mk

diff --git a/core/env/namespace.go b/core/env/namespace.go
@@ -28,6 +28,7 @@ func NamespaceForVSecMSystem() string {
 	return u
 }
 
+// TODO: nobody uses this; remove it from docs and the code.
 // NamespaceForSpire returns the namespace for SPIRE.
 // The namespace is determined by the environment variable
 // "VSECM_NAMESPACE_SPIRE". If the variable is not set or is empty,
@@ -36,10 +37,10 @@ func NamespaceForVSecMSystem() string {
 // Returns:
 //
 //	string: The namespace to be used for SPIRE.
-func NamespaceForSpire() string {
-	u := os.Getenv("VSECM_NAMESPACE_SPIRE")
-	if u == "" {
-		u = "spire-system"
-	}
-	return u
-}
+//func NamespaceForSpire() string {
+///	u := os.Getenv("VSECM_NAMESPACE_SPIRE")
+//	if u == "" {
+//		u = "spire-system"
+//	}
+//	return u
+//}
diff --git a/hack/print-spire-bundle.sh b/hack/print-spire-bundle.sh
@@ -10,7 +10,7 @@
 # >/'  SPDX-License-Identifier: BSD-2-Clause
 # */
 
-SPIRE_SERVER=$(kubectl get po -n spire-system \
+SPIRE_SERVER=$(kubectl get po -n spire-server \
   | grep "spire-server-" | awk '{print $1}')
 export SPIRE_SERVER=SPIRE_SERVER
 

diff --git a/hack/uninstall.sh b/hack/uninstall.sh
@@ -12,11 +12,13 @@
 
 VSECM_NS="$1"
 SPIRE_NS="$2"
+SPIRE_SERVER_NS="$3"
 
 if kubectl get ns | grep vsecm-system; then
   # Order is important for SPIFFE SCI Driver to properly unmount volumes.
   # ref: https://github.com/spiffe/spiffe-csi#failure-to-terminate-pods-when-driver-is-unhealthy-or-removed
   kubectl delete ns $VSECM_NS
+  kubectl delete ns $SPIRE_SERVER_NS
   kubectl delete ns $SPIRE_NS
 
   kubectl delete ClusterSPIFFEID example

diff --git a/helm-charts/0.25.4/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml b/helm-charts/0.25.4/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml
@@ -13,7 +13,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: leader-election-role
-  namespace: {{ .Values.global.spire.namespace }}
+  namespace: {{ .Values.global.spire.serverNamespace }}
 rules:
   - apiGroups: [""]
     resources: ["configmaps"]

diff --git a/helm-charts/0.25.4/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml b/helm-charts/0.25.4/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml
@@ -12,12 +12,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: leader-election-rolebinding
-  namespace: {{ .Values.global.spire.namespace }}
+  namespace: {{ .Values.global.spire.serverNamespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: leader-election-role
 subjects:
   - kind: ServiceAccount
     name: spire-server
-    namespace: {{ .Values.global.spire.namespace }}
+    namespace: {{ .Values.global.spire.serverNamespace }}
diff --git a/helm-charts/0.25.4/charts/spire/templates/crd-rbac/role_binding.yaml b/helm-charts/0.25.4/charts/spire/templates/crd-rbac/role_binding.yaml
@@ -19,4 +19,4 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: spire-server
-    namespace: {{ .Values.global.spire.namespace }}
+    namespace: {{ .Values.global.spire.serverNamespace }}
diff --git a/helm-charts/0.25.4/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml b/helm-charts/0.25.4/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml
@@ -12,6 +12,8 @@ apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
   name: "csi.spiffe.io"
+  annotations:
+    "helm.sh/hook": pre-install
 spec:
   # We only support ephemeral, inline volumes. We don't need a controller to
   # provision and attach volumes.

diff --git a/helm-charts/0.25.4/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml b/helm-charts/0.25.4/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml
@@ -0,0 +1,14 @@
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.global.spire.serverNamespace }}
diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-agent-config-map.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-agent-config-map.yaml
@@ -21,7 +21,7 @@ data:
     agent {
       data_dir = "/run/spire"
       log_level = {{ .Values.global.spire.logLevel | quote }}
-      server_address = "spire-server"
+      server_address = {{ .Values.global.spire.serverAddress | quote }}
       server_port = {{ .Values.global.spire.serverPort | quote }}
       socket_path = "/run/spire/sockets/agent.sock"
       trust_bundle_path = "/run/spire/bundle/bundle.crt"

diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-controller-manager-config.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-controller-manager-config.yaml
@@ -12,7 +12,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: spire-controller-manager-config
-  namespace: {{ .Values.global.spire.namespace }}
+  namespace: {{ .Values.global.spire.serverNamespace }}
 data:
   spire-controller-manager-config.yaml: |
     apiVersion: spire.spiffe.io/v1alpha1
@@ -24,16 +24,40 @@ data:
     leaderElection:
       leaderElect: true
       resourceName: 98c9c988.spiffe.io
-      resourceNamespace: {{ .Values.global.spire.namespace }}
+      resourceNamespace: {{ .Values.global.spire.serverNamespace }}
     clusterName: vsecm-cluster
     trustDomain: vsecm.com
     ignoreNamespaces:
       - kube-system
       - kube-public
       - {{ .Values.global.spire.namespace }}
+      - {{ .Values.global.spire.serverNamespace }}
       - local-path-storage
       # - do not ignore {{ .Values.global.vsecm.namespace }}!
       # - {{ .Values.global.vsecm.namespace }}
       - kube-node-lease
       - kube-public
       - kubernetes-dashboard
+      - openshift-cluster-node-tuning-operator
+      - openshift-cluster-samples-operator
+      - openshift-cluster-storage-operator
+      - openshift-console-operator
+      - openshift-console
+      - openshift-dns
+      - openshift-dns-operator
+      - openshift-image-registry
+      - openshift-ingress
+      - openshift-kube-storage-version-migrator
+      - openshift-kube-storage-version-migrator-operator
+      - openshift-kube-proxy
+      - openshift-marketplace
+      - openshift-monitoring
+      - openshift-multus
+      - openshift-network-diagnostics
+      - openshift-network-operator
+      - openshift-operator-lifecycle-manager
+      - openshift-roks-metrics
+      - openshift-service-ca-operator
+      - openshift-service-ca
+      - ibm-odf-validation-webhook
+      - ibm-system
diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-controller-manager-webhook.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-controller-manager-webhook.yaml
@@ -17,7 +17,7 @@ webhooks:
     clientConfig:
       service:
         name: spire-controller-manager-webhook-service
-        namespace: {{ .Values.global.spire.namespace }}
+        namespace: {{ .Values.global.spire.serverNamespace }}
         path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain
     failurePolicy: Fail
     name: vclusterfederatedtrustdomain.kb.io
@@ -31,7 +31,7 @@ webhooks:
     clientConfig:
       service:
         name: spire-controller-manager-webhook-service
-        namespace: {{ .Values.global.spire.namespace }}
+        namespace: {{ .Values.global.spire.serverNamespace }}
         path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid
     failurePolicy: Fail
     name: vclusterspiffeid.kb.io
@@ -45,7 +45,7 @@ webhooks:
     clientConfig:
       service:
         name: spire-controller-manager-webhook-service
-        namespace: {{ .Values.global.spire.namespace }}
+        namespace: {{ .Values.global.spire.serverNamespace }}
         path: /validate-spire-spiffe-io-v1alpha1-clusterstaticentry
     failurePolicy: Fail
     name: clusterstaticentry.kb.io

diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-bundle-endpoint.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-bundle-endpoint.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: spire-server-bundle-endpoint
-  namespace: {{ .Values.global.spire.namespace }}
+  namespace: {{ .Values.global.spire.serverNamespace }}
 spec:
   type: {{ .Values.bundleEndpoint.type }}
   ports:

diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-cluster-role-binding.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-cluster-role-binding.yaml
@@ -13,11 +13,11 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: spire-server-cluster-role-binding
-  namespace: {{ .Values.global.spire.namespace }}
+  namespace: {{ .Values.global.spire.serverNamespace }}
 subjects:
   - kind: ServiceAccount
     name: spire-server
-    namespace: {{ .Values.global.spire.namespace }}
+    namespace: {{ .Values.global.spire.serverNamespace }}
 roleRef:
   kind: ClusterRole
   name: spire-server-cluster-role

diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-config-map.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-config-map.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: spire-server
-  namespace: {{ .Values.global.spire.namespace }}
+  namespace: {{ .Values.global.spire.serverNamespace }}
 data:
   server.conf: |
     server {

diff --git a/...charts/0.25.4/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml b/...charts/0.25.4/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: spire-controller-manager-webhook-service
-  namespace: {{ .Values.global.spire.namespace }}
+  namespace: {{ .Values.global.spire.serverNamespace }}
 spec:
   ports:
     - port: 443

diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-role-binding.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-role-binding.yaml
@@ -18,7 +18,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: spire-server
-    namespace: {{ .Values.global.spire.namespace }}
+    namespace: {{ .Values.global.spire.serverNamespace }}
 roleRef:
   kind: Role
   name: spire-server-role

diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-service-account.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-service-account.yaml
@@ -13,4 +13,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: spire-server
-  namespace: {{ .Values.global.spire.namespace }}
+  namespace: {{ .Values.global.spire.serverNamespace }}
diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-service.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-service.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: spire-server
-  namespace: {{ .Values.global.spire.namespace }}
+  namespace: {{ .Values.global.spire.serverNamespace }}
 spec:
   type: {{ .Values.service.type }}
   ports:

diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-stateful-set.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-stateful-set.yaml
@@ -12,7 +12,7 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
   name: spire-server
-  namespace: {{ .Values.global.spire.namespace }}
+  namespace: {{ .Values.global.spire.serverNamespace }}
   labels:
     app: spire-server
     app.kubernetes.io/component: server
@@ -24,7 +24,7 @@ spec:
       app: spire-server
   template:
     metadata:
-      namespace: {{ .Values.global.spire.namespace }}
+      namespace: {{ .Values.global.spire.serverNamespace }}
       labels:
         app: spire-server
     spec:

diff --git a/helm-charts/0.25.4/values.yaml b/helm-charts/0.25.4/values.yaml
@@ -144,6 +144,12 @@ global:
     trustDomain: "vsecm.com"
     # -- This is the namespace where the SPIRE components will be deployed.
     namespace: spire-system
+    # -- It is best to keep the SPIRE server namespace separate from other
+    # SPIRE components for an added layer of security.
+    serverNamespace: spire-server
+    # -- The SPIRE Server address. This is the address where the SPIRE Server
+    # that the agents will connect to.
+    serverAddress: "spire-server.spire-server.svc.cluster.local"
     # -- The log level of the SPIRE components. This is useful for debugging.
     logLevel: DEBUG
     # -- The SPIRE Server port. This is the port where the SPIRE Server will