diff --git a/Makefile b/Makefile index caf6c3ce..769fe5ee 100644 --- a/Makefile +++ b/Makefile @@ -30,6 +30,7 @@ VSECM_EKS_REGISTRY_URL ?= "public.ecr.aws/h8y1n7y7" VSECM_NAMESPACE_SYSTEM ?= "vsecm-system" VSECM_NAMESPACE_SPIRE ?= "spire-system" +VSECM_NAMESPACE_SPIRE_SERVER ?= "spire-server" # Utils include ./makefiles/VSecMMacOs.mk diff --git a/core/env/namespace.go b/core/env/namespace.go index e65e7cf4..ef53ee30 100644 --- a/core/env/namespace.go +++ b/core/env/namespace.go @@ -28,6 +28,7 @@ func NamespaceForVSecMSystem() string { return u } +// TODO: nobody uses this; remove it from docs and the code. // NamespaceForSpire returns the namespace for SPIRE. // The namespace is determined by the environment variable // "VSECM_NAMESPACE_SPIRE". If the variable is not set or is empty, @@ -36,10 +37,10 @@ func NamespaceForVSecMSystem() string { // Returns: // // string: The namespace to be used for SPIRE. -func NamespaceForSpire() string { - u := os.Getenv("VSECM_NAMESPACE_SPIRE") - if u == "" { - u = "spire-system" - } - return u -} +//func NamespaceForSpire() string { +/// u := os.Getenv("VSECM_NAMESPACE_SPIRE") +// if u == "" { +// u = "spire-system" +// } +// return u +//} diff --git a/hack/print-spire-bundle.sh b/hack/print-spire-bundle.sh index 24dc4b8c..49c94fef 100755 --- a/hack/print-spire-bundle.sh +++ b/hack/print-spire-bundle.sh @@ -10,7 +10,7 @@ # >/' SPDX-License-Identifier: BSD-2-Clause # */ -SPIRE_SERVER=$(kubectl get po -n spire-system \ +SPIRE_SERVER=$(kubectl get po -n spire-server \ | grep "spire-server-" | awk '{print $1}') export SPIRE_SERVER=SPIRE_SERVER diff --git a/hack/uninstall.sh b/hack/uninstall.sh index de920ae3..cb892869 100755 --- a/hack/uninstall.sh +++ b/hack/uninstall.sh 
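Review bot: `NamespaceForSpire` is left in `core/env/namespace.go` as a commented-out block under a TODO instead of being deleted, and the third commented line uses `///` where the others use `//`, so the stub is both dead code and inconsistently formatted. If nothing calls it, remove the function together with its doc comment (the second hunk keeps that comment attached to the dead body, still describing `VSECM_NAMESPACE_SPIRE` and the `spire-system` default); version control keeps the history, and a `//func` stub invites someone to uncomment a helper whose default no longer matches where the server runs. If some Go component does need the server namespace, the replacement that matches the new Makefile variable would read `VSECM_NAMESPACE_SPIRE_SERVER` with `spire-server` as the fallback, but no such caller is visible in this diff. The first hunk also contains the end of `NamespaceForVSecMSystem`, whose body starts outside the hunk.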
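Review bot: In `hack/print-spire-bundle.sh` the retargeted `kubectl get po -n spire-server` capture looks to be overwritten by the unchanged next line, `export SPIRE_SERVER=SPIRE_SERVER`, which assigns the literal string rather than the captured pod name, so the namespace change has no observable effect unless something later in the script (outside this hunk) reassigns the variable. Changing that line to `export SPIRE_SERVER` keeps the value just captured. The namespace is also hard-coded here while the Makefile now carries `VSECM_NAMESPACE_SPIRE_SERVER`; accepting it as `SPIRE_SERVER_NS="${1:-spire-server}"` and using `-n "$SPIRE_SERVER_NS"` keeps the script in step when the namespace is overridden.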
@@ -12,11 +12,13 @@ VSECM_NS="$1" SPIRE_NS="$2" +SPIRE_SERVER_NS="$3" if kubectl get ns | grep vsecm-system; then # Order is important for SPIFFE SCI Driver to properly unmount volumes. # ref: https://github.com/spiffe/spiffe-csi#failure-to-terminate-pods-when-driver-is-unhealthy-or-removed kubectl delete ns $VSECM_NS + kubectl delete ns $SPIRE_SERVER_NS kubectl delete ns $SPIRE_NS kubectl delete ClusterSPIFFEID example diff --git a/helm-charts/0.25.4/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml b/helm-charts/0.25.4/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml index 787891cd..61b5c94d 100644 --- a/helm-charts/0.25.4/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml @@ -13,7 +13,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: leader-election-role - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} rules: - apiGroups: [""] resources: ["configmaps"] diff --git a/helm-charts/0.25.4/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml b/helm-charts/0.25.4/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml index 397140fa..f336e57b 100644 --- a/helm-charts/0.25.4/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml @@ -12,7 +12,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: leader-election-rolebinding - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -20,4 +20,4 @@ roleRef: subjects: - kind: ServiceAccount name: spire-server - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} 
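Review bot: `SPIRE_SERVER_NS="$3"` is accepted without any check, so a caller that still passes two arguments (anything other than the updated `clean` target) reaches `kubectl delete ns $SPIRE_SERVER_NS` with an empty name; with no `set -e` visible, kubectl's error is printed and the script carries on, leaving the server namespace behind. Use `SPIRE_SERVER_NS="${3:?usage: uninstall.sh <vsecm-ns> <spire-ns> <spire-server-ns>}"` so the missing argument fails fast, and quote the new expansion as `kubectl delete ns "$SPIRE_SERVER_NS"`. Separately, the unchanged guard `if kubectl get ns | grep vsecm-system` tests the literal name rather than `$VSECM_NS`, so the whole branch, including the new deletion, is skipped when the VSecM namespace is overridden; the top of the script is outside this hunk.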
diff --git a/helm-charts/0.25.4/charts/spire/templates/crd-rbac/role_binding.yaml b/helm-charts/0.25.4/charts/spire/templates/crd-rbac/role_binding.yaml index 5608f7fd..d7a5a2c5 100644 --- a/helm-charts/0.25.4/charts/spire/templates/crd-rbac/role_binding.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/crd-rbac/role_binding.yaml @@ -19,4 +19,4 @@ roleRef: subjects: - kind: ServiceAccount name: spire-server - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} diff --git a/helm-charts/0.25.4/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml b/helm-charts/0.25.4/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml index d8047e59..ed2f49ef 100644 --- a/helm-charts/0.25.4/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml @@ -12,6 +12,8 @@ apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: name: "csi.spiffe.io" + annotations: + "helm.sh/hook": pre-install spec: # We only support ephemeral, inline volumes. We don't need a controller to # provision and attach volumes. diff --git a/helm-charts/0.25.4/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml b/helm-charts/0.25.4/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml new file mode 100644 index 00000000..4722f91f --- /dev/null +++ b/helm-charts/0.25.4/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml @@ -0,0 +1,14 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.global.spire.serverNamespace }} 
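Review bot: Adding `"helm.sh/hook": pre-install` to the CSIDriver takes it out of the release: Helm no longer tracks it, so `helm uninstall` will not remove it and `helm upgrade` will not re-render changes to its `spec` (there is no `pre-upgrade` hook), and with Helm 3's default `before-hook-creation` delete policy a reinstall deletes and recreates the driver object, which may affect agent pods that still mount through it. If the intent is only to guarantee the driver exists before the agent DaemonSet is created, record that in a comment above the annotation and consider `"helm.sh/hook": pre-install,pre-upgrade` so later spec changes still land. The rendered `k8s/0.25.4/spire.yaml` is applied with `kubectl`, where the annotation is inert, which is why that file merely moves the document to the end.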
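Review bot: The new template is named `hook-preinstall_spire-server-namespace.yaml` but carries no `helm.sh/hook` annotation, so unlike its CSIDriver sibling in this commit it is an ordinary release resource; the rendered manifest near the top of `k8s/0.25.4/spire.yaml` shows it emitted as a plain Namespace. Either drop the `hook-preinstall_` prefix or add the annotation, and state the consequence in the file: as a release resource the namespace, and everything in it, is removed by `helm uninstall`, whereas as a hook it would survive and rely on the explicit `kubectl delete ns` that `hack/uninstall.sh` now performs. Helm already orders `Namespace` kinds before namespaced objects at install time, so a hook is not needed for ordering.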
diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-agent-config-map.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-agent-config-map.yaml index 5fd6c2d2..a9cdac01 100644 --- a/helm-charts/0.25.4/charts/spire/templates/spire-agent-config-map.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/spire-agent-config-map.yaml @@ -21,7 +21,7 @@ data: agent { data_dir = "/run/spire" log_level = {{ .Values.global.spire.logLevel | quote }} - server_address = "spire-server" + server_address = {{ .Values.global.spire.serverAddress | quote }} server_port = {{ .Values.global.spire.serverPort | quote }} socket_path = "/run/spire/sockets/agent.sock" trust_bundle_path = "/run/spire/bundle/bundle.crt" diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-controller-manager-config.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-controller-manager-config.yaml index 9203e373..a91cddb9 100644 --- a/helm-charts/0.25.4/charts/spire/templates/spire-controller-manager-config.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/spire-controller-manager-config.yaml @@ -12,7 +12,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: spire-controller-manager-config - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} data: spire-controller-manager-config.yaml: | apiVersion: spire.spiffe.io/v1alpha1 
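Review bot: `server_address` and the server's namespace are now two independent values that must agree: `serverAddress` defaults to `spire-server.spire-server.svc.cluster.local` in `helm-charts/0.25.4/values.yaml`, so anyone who overrides `global.spire.serverNamespace` without also overriding `serverAddress` gets agents pointed at a Service in the wrong namespace. Derive the default from the namespace instead, e.g. `server_address = {{ .Values.global.spire.serverAddress | default (printf "spire-server.%s.svc.cluster.local" .Values.global.spire.serverNamespace) | quote }}`, and leave `serverAddress` empty in values.yaml unless an external server is intended. The `agent { ... }` block continues outside this hunk.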
@@ -24,16 +24,40 @@ data: leaderElection: leaderElect: true resourceName: 98c9c988.spiffe.io - resourceNamespace: {{ .Values.global.spire.namespace }} + resourceNamespace: {{ .Values.global.spire.serverNamespace }} clusterName: vsecm-cluster trustDomain: vsecm.com ignoreNamespaces: - kube-system - kube-public - {{ .Values.global.spire.namespace }} + - {{ .Values.global.spire.serverNamespace }} - local-path-storage # - do not ignore {{ .Values.global.vsecm.namespace }}! # - {{ .Values.global.vsecm.namespace }} - kube-node-lease - kube-public - kubernetes-dashboard + - openshift-cluster-node-tuning-operator + - openshift-cluster-samples-operator + - openshift-cluster-storage-operator + - openshift-console-operator + - openshift-console + - openshift-dns + - openshift-dns-operator + - openshift-image-registry + - openshift-ingress + - openshift-kube-storage-version-migrator + - openshift-kube-storage-version-migrator-operator + - openshift-kube-proxy + - openshift-marketplace + - openshift-monitoring + - openshift-multus + - openshift-network-diagnostics + - openshift-network-operator + - openshift-operator-lifecycle-manager + - openshift-roks-metrics + - openshift-service-ca-operator + - openshift-service-ca + - ibm-odf-validation-webhook + - ibm-system diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-controller-manager-webhook.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-controller-manager-webhook.yaml index 7da831fa..2b5b3730 100644 --- a/helm-charts/0.25.4/charts/spire/templates/spire-controller-manager-webhook.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/spire-controller-manager-webhook.yaml @@ -17,7 +17,7 @@ webhooks: clientConfig: service: name: spire-controller-manager-webhook-service - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain failurePolicy: Fail name: vclusterfederatedtrustdomain.kb.io 
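Review bot: The 23 OpenShift- and IBM-specific namespaces are hard-coded into a general-purpose template with no value to extend or trim them, and `ignoreNamespaces` is a policy setting: as I read the controller manager's config it determines which namespaces get no SPIFFE identities issued, so operators on other distributions cannot see or adjust that decision without editing the chart. Move the list to `values.yaml` (e.g. `global.spire.ignoreNamespaces`) and render it after the built-in entries with `{{- range .Values.global.spire.ignoreNamespaces }}` / `- {{ . }}` / `{{- end }}`. The pre-existing duplicate `kube-public` entry is carried over unchanged.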
@@ -31,7 +31,7 @@ webhooks: clientConfig: service: name: spire-controller-manager-webhook-service - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid failurePolicy: Fail name: vclusterspiffeid.kb.io @@ -45,7 +45,7 @@ webhooks: clientConfig: service: name: spire-controller-manager-webhook-service - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} path: /validate-spire-spiffe-io-v1alpha1-clusterstaticentry failurePolicy: Fail name: clusterstaticentry.kb.io diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-bundle-endpoint.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-bundle-endpoint.yaml index 27a92e28..2add2db5 100644 --- a/helm-charts/0.25.4/charts/spire/templates/spire-server-bundle-endpoint.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/spire-server-bundle-endpoint.yaml @@ -13,7 +13,7 @@ apiVersion: v1 kind: Service metadata: name: spire-server-bundle-endpoint - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} spec: type: {{ .Values.bundleEndpoint.type }} ports: diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-cluster-role-binding.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-cluster-role-binding.yaml index bcc3d2d2..996743f9 100644 --- a/helm-charts/0.25.4/charts/spire/templates/spire-server-cluster-role-binding.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/spire-server-cluster-role-binding.yaml 
@@ -13,11 +13,11 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: spire-server-cluster-role-binding - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} subjects: - kind: ServiceAccount name: spire-server - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} roleRef: kind: ClusterRole name: spire-server-cluster-role diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-config-map.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-config-map.yaml index c122e809..375dfda2 100644 --- a/helm-charts/0.25.4/charts/spire/templates/spire-server-config-map.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/spire-server-config-map.yaml @@ -13,7 +13,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: spire-server - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} data: server.conf: | server { diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml index 5868917a..6f00355a 100644 --- a/helm-charts/0.25.4/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml @@ -15,7 +15,7 @@ apiVersion: v1 kind: Service metadata: name: spire-controller-manager-webhook-service - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} spec: ports: - port: 443 diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-role-binding.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-role-binding.yaml index 29726f6d..2c9d800d 100644 --- a/helm-charts/0.25.4/charts/spire/templates/spire-server-role-binding.yaml 
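Review bot: `ClusterRoleBinding` is cluster-scoped, so the `namespace:` under `metadata` in `spire-server-cluster-role-binding.yaml` has no effect and the API server discards it; retargeting it to `serverNamespace` keeps a misleading field alive. Drop that `metadata.namespace` line entirely and keep only the one under `subjects`, which is what actually selects the `spire-server` ServiceAccount the ClusterRole is granted to. The same inert field is carried into the rendered `k8s/0.25.4/spire.yaml` at the corresponding hunk.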
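Review bot: Only the ConfigMap's own `metadata.namespace` moves in `spire-server-config-map.yaml`; the `server.conf` body begins on the last context line and continues outside the hunk, so if it configures a notifier or other plugin with the namespace in which agents read the trust bundle, that setting still has to name `global.spire.namespace`, not the new server namespace. Please confirm that and make the split explicit with a comment such as `# The server runs in serverNamespace; the bundle ConfigMap consumed by agents stays in .Values.global.spire.namespace`. The `spire-server-role-binding.yaml` hunk changes only the subject's namespace and leaves the binding's own namespace alone, which looks consistent with the server still needing rights in the agent namespace, but that binding's `metadata` is outside its hunk.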
+++ b/helm-charts/0.25.4/charts/spire/templates/spire-server-role-binding.yaml @@ -18,7 +18,7 @@ metadata: subjects: - kind: ServiceAccount name: spire-server - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} roleRef: kind: Role name: spire-server-role diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-service-account.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-service-account.yaml index 4318daae..bdb01783 100644 --- a/helm-charts/0.25.4/charts/spire/templates/spire-server-service-account.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/spire-server-service-account.yaml @@ -13,4 +13,4 @@ apiVersion: v1 kind: ServiceAccount metadata: name: spire-server - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-service.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-service.yaml index 5f71a612..44e0ccdd 100644 --- a/helm-charts/0.25.4/charts/spire/templates/spire-server-service.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/spire-server-service.yaml @@ -13,7 +13,7 @@ apiVersion: v1 kind: Service metadata: name: spire-server - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} spec: type: {{ .Values.service.type }} ports: diff --git a/helm-charts/0.25.4/charts/spire/templates/spire-server-stateful-set.yaml b/helm-charts/0.25.4/charts/spire/templates/spire-server-stateful-set.yaml index e2295799..e5339a27 100644 --- a/helm-charts/0.25.4/charts/spire/templates/spire-server-stateful-set.yaml +++ b/helm-charts/0.25.4/charts/spire/templates/spire-server-stateful-set.yaml 
@@ -12,7 +12,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: spire-server - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} labels: app: spire-server app.kubernetes.io/component: server @@ -24,7 +24,7 @@ spec: app: spire-server template: metadata: - namespace: {{ .Values.global.spire.namespace }} + namespace: {{ .Values.global.spire.serverNamespace }} labels: app: spire-server spec: diff --git a/helm-charts/0.25.4/values.yaml b/helm-charts/0.25.4/values.yaml index d2ad02fc..53e8fd54 100644 --- a/helm-charts/0.25.4/values.yaml +++ b/helm-charts/0.25.4/values.yaml @@ -144,6 +144,12 @@ global: trustDomain: "vsecm.com" # -- This is the namespace where the SPIRE components will be deployed. namespace: spire-system + # -- It is best to keep the SPIRE server namespace separate from other + # SPIRE components for an added layer of security. + serverNamespace: spire-server + # -- The SPIRE Server address. This is the address where the SPIRE Server + # that the agents will connect to. + serverAddress: "spire-server.spire-server.svc.cluster.local" # -- The log level of the SPIRE components. This is useful for debugging. logLevel: DEBUG # -- The SPIRE Server port. This is the port where the SPIRE Server will diff --git a/k8s/0.25.4/spire.yaml b/k8s/0.25.4/spire.yaml index 2c3fd716..ac92a317 100644 --- a/k8s/0.25.4/spire.yaml +++ b/k8s/0.25.4/spire.yaml 
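Review bot: The new `serverAddress` comment in `values.yaml`, `This is the address where the SPIRE Server that the agents will connect to.`, is not a sentence, and it does not tell the reader that the default embeds `serverNamespace` and must be changed in step with it. Suggested wording: `# -- Address the SPIRE Agents use to reach the SPIRE Server. The default embeds serverNamespace; update both when overriding the namespace.` The `serverNamespace` comment's "added layer of security" would also be more useful if it said what the separation enables, for example that namespace-scoped RBAC and NetworkPolicy can fence the server, which signs all SVIDs, off from the agent DaemonSet and CSI driver; as far as this diff shows, no such NetworkPolicy is added.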
@@ -15,6 +15,22 @@ kind: Namespace metadata: name: spire-system --- +# Source: vsecm/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: spire-server +--- # Source: vsecm/charts/spire/templates/spire-agent-service-account.yaml # /* # | Protect your secrets, protect your sensitive data. @@ -49,7 +65,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: spire-server - namespace: spire-system + namespace: spire-server --- # Source: vsecm/charts/spire/templates/spire-agent-config-map.yaml # /* @@ -75,7 +91,7 @@ data: agent { data_dir = "/run/spire" log_level = "DEBUG" - server_address = "spire-server" + server_address = "spire-server.spire-server.svc.cluster.local" server_port = "8081" socket_path = "/run/spire/sockets/agent.sock" trust_bundle_path = "/run/spire/bundle/bundle.crt" @@ -124,7 +140,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: spire-controller-manager-config - namespace: spire-system + namespace: spire-server data: spire-controller-manager-config.yaml: | apiVersion: spire.spiffe.io/v1alpha1 
@@ -136,19 +152,43 @@ data: leaderElection: leaderElect: true resourceName: 98c9c988.spiffe.io - resourceNamespace: spire-system + resourceNamespace: spire-server clusterName: vsecm-cluster trustDomain: vsecm.com ignoreNamespaces: - kube-system - kube-public - spire-system + - spire-server - local-path-storage # - do not ignore vsecm-system! # - vsecm-system - kube-node-lease - kube-public - kubernetes-dashboard + - openshift-cluster-node-tuning-operator + - openshift-cluster-samples-operator + - openshift-cluster-storage-operator + - openshift-console-operator + - openshift-console + - openshift-dns + - openshift-dns-operator + - openshift-image-registry + - openshift-ingress + - openshift-kube-storage-version-migrator + - openshift-kube-storage-version-migrator-operator + - openshift-kube-proxy + - openshift-marketplace + - openshift-monitoring + - openshift-multus + - openshift-network-diagnostics + - openshift-network-operator + - openshift-operator-lifecycle-manager + - openshift-roks-metrics + - openshift-service-ca-operator + - openshift-service-ca + - ibm-odf-validation-webhook + - ibm-system --- # Source: vsecm/charts/spire/templates/spire-server-bundle-config-map.yaml # /* @@ -187,7 +227,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: spire-server - namespace: spire-system + namespace: spire-server data: server.conf: | server { @@ -381,7 +421,7 @@ roleRef: subjects: - kind: ServiceAccount name: spire-server - namespace: spire-system + namespace: spire-server --- # Source: vsecm/charts/spire/templates/spire-agent-cluster-role-binding.yaml # /* @@ -424,11 +464,11 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: spire-server-cluster-role-binding - namespace: spire-system + namespace: spire-server subjects: - kind: ServiceAccount name: spire-server - namespace: spire-system + namespace: spire-server roleRef: kind: ClusterRole name: spire-server-cluster-role 
@@ -450,7 +490,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: leader-election-role - namespace: spire-system + namespace: spire-server rules: - apiGroups: [""] resources: ["configmaps"] @@ -506,7 +546,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: leader-election-rolebinding - namespace: spire-system + namespace: spire-server roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -514,7 +554,7 @@ roleRef: subjects: - kind: ServiceAccount name: spire-server - namespace: spire-system + namespace: spire-server --- # Source: vsecm/charts/spire/templates/spire-server-role-binding.yaml # /* @@ -537,7 +577,7 @@ metadata: subjects: - kind: ServiceAccount name: spire-server - namespace: spire-system + namespace: spire-server roleRef: kind: Role name: spire-server-role @@ -559,7 +599,7 @@ apiVersion: v1 kind: Service metadata: name: spire-server-bundle-endpoint - namespace: spire-system + namespace: spire-server spec: type: ClusterIP ports: @@ -585,7 +625,7 @@ apiVersion: v1 kind: Service metadata: name: spire-controller-manager-webhook-service - namespace: spire-system + namespace: spire-server spec: ports: - port: 443 @@ -610,7 +650,7 @@ apiVersion: v1 kind: Service metadata: name: spire-server - namespace: spire-system + namespace: spire-server spec: type: ClusterIP ports: @@ -636,7 +676,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: spire-server - namespace: spire-system + namespace: spire-server labels: app: spire-server app.kubernetes.io/component: server @@ -648,7 +688,7 @@ spec: app: spire-server template: metadata: - namespace: spire-system + namespace: spire-server labels: app: spire-server spec: 
@@ -728,40 +768,6 @@ spec: configMap: name: spire-controller-manager-config --- -# Source: vsecm/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - name: "csi.spiffe.io" -spec: - # We only support ephemeral, inline volumes. We don't need a controller to - # provision and attach volumes. - attachRequired: false - - # We want the pod information so that the CSI driver can verify that an - # ephemeral mount was requested. - podInfoOnMount: true - - # We don't want (or need) K8s to change ownership on the contents of the mount - # when it is mounted into the pod, since the Workload API is completely open - # (i.e. 0777). - # Note, this was added in Kubernetes 1.19, so omit - fsGroupPolicy: None - - # We only support ephemeral volumes. Note that this requires Kubernetes 1.16 - volumeLifecycleModes: # added in Kubernetes 1.16, this field is beta - - Ephemeral ---- # Source: vsecm/charts/spire/templates/spire-controller-manager-webhook.yaml # /* # | Protect your secrets, protect your sensitive data. @@ -782,7 +788,7 @@ webhooks: clientConfig: service: name: spire-controller-manager-webhook-service - namespace: spire-system + namespace: spire-server path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain failurePolicy: Fail name: vclusterfederatedtrustdomain.kb.io @@ -796,7 +802,7 @@ webhooks: clientConfig: service: name: spire-controller-manager-webhook-service - namespace: spire-system + namespace: spire-server path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid failurePolicy: Fail name: vclusterspiffeid.kb.io 
@@ -810,7 +816,7 @@ webhooks: clientConfig: service: name: spire-controller-manager-webhook-service - namespace: spire-system + namespace: spire-server path: /validate-spire-spiffe-io-v1alpha1-clusterstaticentry failurePolicy: Fail name: clusterstaticentry.kb.io @@ -992,3 +998,39 @@ spec: hostPath: path: /var/lib/kubelet/plugins_registry type: Directory +--- +# Source: vsecm/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: "csi.spiffe.io" + annotations: + "helm.sh/hook": pre-install +spec: + # We only support ephemeral, inline volumes. We don't need a controller to + # provision and attach volumes. + attachRequired: false + + # We want the pod information so that the CSI driver can verify that an + # ephemeral mount was requested. + podInfoOnMount: true + + # We don't want (or need) K8s to change ownership on the contents of the mount + # when it is mounted into the pod, since the Workload API is completely open + # (i.e. 0777). + # Note, this was added in Kubernetes 1.19, so omit + fsGroupPolicy: None + + # We only support ephemeral volumes. Note that this requires Kubernetes 1.16 + volumeLifecycleModes: # added in Kubernetes 1.16, this field is beta + - Ephemeral diff --git a/makefiles/VSecMDeploy.mk b/makefiles/VSecMDeploy.mk index 06123b89..764e30d9 100644 --- a/makefiles/VSecMDeploy.mk +++ b/makefiles/VSecMDeploy.mk 
@@ -22,7 +22,7 @@ MEMORY ?= $(or $(VSECM_MINIKUBE_MEMORY),4096) # Removes the former VSecM deployment without entirely destroying the cluster. clean: - ./hack/uninstall.sh $(VSECM_NAMESPACE_SYSTEM) $(VSECM_NAMESPACE_SPIRE) + ./hack/uninstall.sh $(VSECM_NAMESPACE_SYSTEM) $(VSECM_NAMESPACE_SPIRE) $(VSECM_NAMESPACE_SPIRE_SERVER) # Completely removes the Minikube cluster. k8s-delete: @@ -39,7 +39,7 @@ deploy-spire: kubectl apply -f ${MANIFESTS_BASE_PATH}/crds; \ kubectl apply -f ${MANIFESTS_BASE_PATH}/spire.yaml; \ echo "verifying SPIRE installation"; \ - kubectl wait --for=condition=ready pod spire-server-0 --timeout=60s -n $(VSECM_NAMESPACE_SPIRE) \ + kubectl wait --for=condition=ready pod spire-server-0 --timeout=60s -n $(VSECM_NAMESPACE_SPIRE_SERVER) \ echo "spire-server: deployment available"; \ echo "spire installation successful"; \ fi diff --git a/makefiles/VSecMInspector.mk b/makefiles/VSecMInspector.mk index 000fd06b..0097dd72 100644 --- a/makefiles/VSecMInspector.mk +++ b/makefiles/VSecMInspector.mk @@ -27,6 +27,3 @@ inspector-push-eks: inspector-push-local: ./hack/push.sh "vsecm-inspector" $(VERSION) \ "$(VSECM_LOCAL_REGISTRY_URL)/vsecm-inspector" - -potato: - ./hack/potato.sh $(VSECM_NAMESPACE_SPIRE) \ No newline at end of file
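Review bot: The rewritten `kubectl wait` line in `deploy-spire` ends with `\` but no `;`, so the following recipe line is joined onto the same shell command and `echo "spire-server: deployment available"` becomes extra positional arguments to `kubectl wait`, which will most likely fail looking for pods named `echo` and `spire-server: deployment available`; since the status is never checked, the failure is printed and the recipe still announces `spire installation successful`, so the verification step gates nothing. This was already true of the removed line, but the commit touches it, so fix it here: `kubectl wait --for=condition=ready pod spire-server-0 --timeout=60s -n $(VSECM_NAMESPACE_SPIRE_SERVER) && \`. The `if ...; then` that opens this recipe is outside the hunk, so check that `&&` chaining fits the surrounding block; a plain `;` is the minimal fix if it does not.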