deploy: add spire manifests in helm and kustomize
Signed-off-by: TessaIO <[email protected]>
TessaIO committed Dec 21, 2024
1 parent dce9ca5 commit 18e6360
Showing 26 changed files with 322 additions and 95 deletions.
Expand Up @@ -20,6 +20,7 @@
# operator: "In"
# values:
# - "node-feature-discovery"
# enableSpiffe: true
# klog:
# addDirHeader: false
# alsologtostderr: false
Expand Up @@ -3,6 +3,7 @@
# noPublish: false
# noOwnerRefs: false
# sleepInterval: 60s
# enableSpiffe: true
# featureSources: [all]
# labelSources: [all]
# klog:
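--- a/deployment/helm/node-feature-discovery/Chart.lock
+++ b/deployment/helm/node-feature-discovery/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: spire
+  repository: https://spiffe.github.io/helm-charts-hardened/
+  version: 0.24.1
+digest: sha256:f3b4dc973a59682bf3aa5ca9b53322f57935dd093081e82a37b8082e00becbe9
+generated: "2024-12-20T16:52:40.180416+01:00"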
4 changes: 4 additions & 0 deletions deployment/helm/node-feature-discovery/Chart.yaml
Expand Up @@ -13,3 +13,7 @@ keywords:
- node-labels
type: application
version: 0.2.1
dependencies:
- name: spire
version: 0.24.1
repository: https://spiffe.github.io/helm-charts-hardened/
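Review bot: The new `dependencies` entry carries no `condition`, so Helm renders the spire subchart whatever `spire.enabled` is set to, even though the master and worker templates in this commit gate their socket mounts on that value; add `condition: spire.enabled` under the entry so that disabling spire actually drops the subchart. Without it a user who sets `spire.enabled: false` ends up with NFD pods that do not mount the socket while a full SPIRE server and agent are still installed alongside them. Pinning the subchart to an exact `version` here and in Chart.lock is the right call; keep it exact rather than a range so the digest in the lock file stays meaningful.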
Binary file not shown.
18 changes: 18 additions & 0 deletions deployment/helm/node-feature-discovery/templates/master.yaml
Expand Up @@ -144,11 +144,29 @@ spec:
{{- with .Values.master.extraArgs }}
{{- toYaml . | nindent 12 }}
{{- end }}
# Go over featureGates and add the feature-gate flag
{{- range $key, $value := .Values.featureGates }}
- "-feature-gates={{ $key }}={{ $value }}"
{{- end }}
{{/* {{- if .Values.spire.enabled }}*/}}
{{/* - "-enable-spiffe"*/}}
{{/* {{- end }}*/}}
volumeMounts:
{{- if .Values.spire.enabled }}
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: true
{{- end }}
- name: nfd-master-conf
mountPath: "/etc/kubernetes/node-feature-discovery"
readOnly: true
volumes:
{{- if .Values.spire.enabled }}
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: Directory
{{- end }}
- name: nfd-master-conf
configMap:
name: {{ include "node-feature-discovery.fullname" . }}-master-conf
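Review bot: The `-enable-spiffe` argument is left as a Go-template comment (`{{/* ... */}}`) while the agent socket is mounted whenever `.Values.spire.enabled` is true, so the master container gets `/run/spire/sockets` but never the flag that would make it use it; either wire it as `{{- if .Values.spire.enabled }}` / `- "-enable-spiffe"` / `{{- end }}`, or, if the setting is meant to come from `master.config.enableSpiffe` instead, delete the three commented lines so only one path exists. worker.yaml carries the same commented-out block and the same socket mount. The `hostPath` volume uses `type: Directory`, so the master pod fails to start on any node where the agent has not yet created `/run/spire/sockets` (the kustomize agent DaemonSet uses `DirectoryOrCreate`), which turns the agent rollout into an undocumented ordering dependency. A hostPath volume is also rejected by the `baseline` Pod Security Standard, so with spire on by default existing installs in PSA-enforcing namespaces will break on upgrade; that is worth a line in the values documentation. The container spec this hunk edits starts outside the hunk.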
14 changes: 14 additions & 0 deletions deployment/helm/node-feature-discovery/templates/worker.yaml
Expand Up @@ -109,12 +109,20 @@ spec:
{{- with .Values.gc.extraArgs }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{/* {{- if .Values.spire.enabled }}*/}}
{{/* - "-enable-spiffe"*/}}
{{/* {{- end }}*/}}
ports:
- containerPort: {{ .Values.worker.metricsPort | default "8081"}}
name: metrics
- containerPort: {{ .Values.worker.healthPort | default "8082" }}
name: health
volumeMounts:
{{- if .Values.spire.enabled }}
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: true
{{- end }}
- name: host-boot
mountPath: "/host-boot"
readOnly: true
Expand Down Expand Up @@ -145,6 +153,12 @@ spec:
mountPath: "/etc/kubernetes/node-feature-discovery"
readOnly: true
volumes:
{{- if .Values.spire.enabled }}
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: Directory
{{- end }}
- name: host-boot
hostPath:
path: "/boot"
30 changes: 29 additions & 1 deletion deployment/helm/node-feature-discovery/values.yaml
Expand Up @@ -3,7 +3,7 @@ image:
# This should be set to 'IfNotPresent' for released version
pullPolicy: Always
# tag, if defined will use the given image tag, else Chart.AppVersion will be used
# tag
tag: v0.16.5
imagePullSecrets: []

nameOverride: ""
Expand Down Expand Up @@ -43,6 +43,7 @@ master:
# operator: "In"
# values:
# - "node-feature-discovery"
# enableSpiffe: true
# klog:
# addDirHeader: false
# alsologtostderr: false
Expand Down Expand Up @@ -179,6 +180,7 @@ worker:
# noPublish: false
# noOwnerRefs: false
# sleepInterval: 60s
# enableSpiffe: true
# featureSources: [all]
# labelSources: [all]
# klog:
Expand Down Expand Up @@ -597,3 +599,29 @@ prometheus:
enable: false
scrapeInterval: 10s
labels: {}

spire:
enabled: true
global:
spire:
clusterName: "nfd"
trustDomain: "nfd.io"
spire-agent:
kubeletConnectByHostname: "true"
workloadAttestors:
unix:
enabled: true
spire-server:
caSubject:
commonName: "nfd.io"
country: "US"
organization: "SPIFFE"

upstream:
enabled: false
spiffe-csi-driver:
enabled: false
spiffe-oidc-discovery-provider:
enabled: false
tornjak-frontend:
enabled: false
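Review bot: `spire.enabled: true` switches on a full SPIRE server and agent installation, plus hostPath mounts into the NFD master and worker pods, for every chart user by default; an opt-in feature of this size should ship as `enabled: false` with the `spire:` block explained in a comment like the other sections of this file. `global.spire.trustDomain: "nfd.io"` here disagrees with `trust_domain = "nfd.com"` in the kustomize overlay's agent ConfigMap, so the two deployment paths mint SPIFFE IDs in different trust domains; pick one and use it in both. The `# tag` / `tag: v0.16.5` pair in the first hunk looks unrelated to spire: if `tag: v0.16.5` is the new side it pins the image and overrides the `Chart.AppVersion` fallback that the comment above it describes, so confirm it was meant to be part of this commit.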
Empty file.
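--- a/deployment/overlays/spiffe/namespace.yaml
+++ b/deployment/overlays/spiffe/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: node-feature-discovery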
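--- a/deployment/overlays/spiffe/spire-agent-cluster-role.yaml
+++ b/deployment/overlays/spiffe/spire-agent-cluster-role.yaml
@@ -0,0 +1,23 @@
+# Required cluster role to allow spire-agent to query k8s API server
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-agent-cluster-role
+rules:
+- apiGroups: [""]
+  resources: ["pods","nodes","nodes/proxy"]
+  verbs: ["get"]
+
+---
+# Binds above cluster role to spire-agent service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-agent-cluster-role-binding
+subjects:
+- kind: ServiceAccount
+  name: spire-agent
+roleRef:
+  kind: ClusterRole
+  name: spire-agent-cluster-role
+  apiGroup: rbac.authorization.k8s.io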
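Review bot: The `ClusterRoleBinding` subject names the `spire-agent` ServiceAccount without a `namespace`, and RBAC validation requires `namespace` on ServiceAccount subjects of a ClusterRoleBinding, so the API server rejects this object unless the overlay's kustomization (not shown in this commit) injects one; add `namespace: node-feature-discovery`, the namespace this overlay creates, to the subject. The `spire-server-trust-role-binding` in spire-server-cluster-role.yaml has the same omission. `get` on `nodes/proxy` lets the agent reach the kubelet API on every node, which is what the SPIRE k8s workload attestor needs, but a one-line comment saying so would keep the next reviewer from narrowing it by mistake.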
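--- a/deployment/overlays/spiffe/spire-agent-configmap.yaml
+++ b/deployment/overlays/spiffe/spire-agent-configmap.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: spire-agent
+data:
+  agent.conf: |
+    agent {
+      data_dir = "/run/spire"
+      log_level = "DEBUG"
+      server_address = "spire-server"
+      server_port = "8081"
+      socket_path = "/run/spire/sockets/agent.sock"
+      trust_bundle_path = "/run/spire/bundle/bundle.crt"
+      trust_domain = "nfd.com"
+    }
+    plugins {
+      NodeAttestor "k8s_sat" {
+        plugin_data {
+          cluster = "nfd"
+        }
+      }
+      KeyManager "memory" {
+        plugin_data {
+        }
+      }
+      WorkloadAttestor "k8s" {
+        plugin_data {
+          skip_kubelet_verification = true
+          node_name_env = "MY_NODE_NAME"
+        }
+      }
+      WorkloadAttestor "unix" {
+        plugin_data {
+        }
+      }
+    }
+    health_checks {
+      listener_enabled = true
+      bind_address = "0.0.0.0"
+      bind_port = "8080"
+      live_path = "/live"
+      ready_path = "/ready"
+    }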
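Review bot: `skip_kubelet_verification = true` in the `k8s` WorkloadAttestor makes the agent accept any certificate from the kubelet it asks about pod identity, so the attestation decision rests on an unauthenticated channel; verify the kubelet against the cluster CA (the plugin's `kubelet_ca_path` setting) and, if verification really has to stay off, say why in a comment next to it. `trust_domain = "nfd.com"` does not match the `nfd.io` trust domain configured in the Helm values, so the two deployment paths issue SPIFFE IDs in different trust domains and an agent carrying the wrong one cannot join its server. `NodeAttestor "k8s_sat"` is the service-account-token attestor that SPIRE has marked deprecated; `k8s_psat` uses projected tokens and needs only the `tokenreviews` permission the server role already grants. The health listener binds `0.0.0.0:8080` while the DaemonSet runs with `hostNetwork: true`, so it is reachable on every node interface; bind it to `127.0.0.1` if only local probes need it, and `log_level = "DEBUG"` should not be the shipped default.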
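--- a/deployment/overlays/spiffe/spire-agent-daemonset.yaml
+++ b/deployment/overlays/spiffe/spire-agent-daemonset.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: spire-agent
+  labels:
+    app: spire-agent
+spec:
+  selector:
+    matchLabels:
+      app: spire-agent
+  template:
+    metadata:
+      labels:
+        app: spire-agent
+    spec:
+      hostPID: true
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: spire-agent
+      initContainers:
+      - name: init
+        # This is a small image with wait-for-it, choose whatever image
+        # you prefer that waits for a service to be up. This image is built
+        # from https://github.com/lqhl/wait-for-it
+        image: cgr.dev/chainguard/wait-for-it
+        args: ["-t", "30", "spire-server:8081"]
+      containers:
+      - name: spire-agent
+        image: ghcr.io/spiffe/spire-agent:1.5.1
+        args: ["-config", "/run/spire/config/agent.conf"]
+        env:
+        - name: MY_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        volumeMounts:
+        - name: spire-config
+          mountPath: /run/spire/config
+          readOnly: true
+        - name: spire-bundle
+          mountPath: /run/spire/bundle
+        - name: spire-agent-socket
+          mountPath: /run/spire/sockets
+          readOnly: false
+      volumes:
+      - name: spire-config
+        configMap:
+          name: spire-agent
+      - name: spire-bundle
+        configMap:
+          name: spire-bundle
+      - name: spire-agent-socket
+        hostPath:
+          path: /run/spire/sockets
+          type: DirectoryOrCreate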
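Review bot: `MY_NODE_NAME` is filled from `fieldPath: status.podIP`, but the agent ConfigMap hands that variable to the k8s WorkloadAttestor as `node_name_env`, which names a node; with `hostNetwork: true` the pod IP happens to equal the host IP so kubelet lookups may still resolve, but `fieldPath: spec.nodeName` is what the variable name and the attestor contract ask for. The `spire-bundle` mount has no `readOnly: true` while the sibling `spire-config` mount does, and the agent only reads the bundle, so mark it `readOnly: true`. The `cgr.dev/chainguard/wait-for-it` init image has neither tag nor digest, and the comment above it still describes a build from `github.com/lqhl/wait-for-it`, which is not the Chainguard image; pin by digest and rewrite the comment. The pod runs with `hostPID` and `hostNetwork` but sets no `securityContext` and no resource requests or limits; `allowPrivilegeEscalation: false`, dropped capabilities and limits should be present from the first commit of a host-level agent.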
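--- a/deployment/overlays/spiffe/spire-agent-service-account.yaml
+++ b/deployment/overlays/spiffe/spire-agent-service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: spire-agent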
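--- a/deployment/overlays/spiffe/spire-bundle-configmap.yaml
+++ b/deployment/overlays/spiffe/spire-bundle-configmap.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: spire-bundle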
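--- a/deployment/overlays/spiffe/spire-server-cluster-role.yaml
+++ b/deployment/overlays/spiffe/spire-server-cluster-role.yaml
@@ -0,0 +1,45 @@
+# Role (namespace scoped) to be able to push certificate bundles to a configmap
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-configmap-role
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["patch", "get", "list"]
+---
+# Binds above role to spire-server service account
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-configmap-role-binding
+subjects:
+- kind: ServiceAccount
+  name: spire-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: spire-server-configmap-role
+---
+# ClusterRole to allow spire-server node attestor to query Token Review API
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-trust-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+---
+# Binds above cluster role to spire-server service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-trust-role-binding
+subjects:
+- kind: ServiceAccount
+  name: spire-server
+roleRef:
+  kind: ClusterRole
+  name: spire-server-trust-role
+  apiGroup: rbac.authorization.k8s.io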
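Review bot: `spire-server-configmap-role` grants `patch` and `get` on every ConfigMap in the namespace, although its own comment says the server only needs to push the trust bundle; scope the `get`/`patch` rule with `resourceNames: ["spire-bundle"]` and keep `list` in a separate rule (resource names cannot restrict `list`), so a compromised server cannot rewrite the NFD master and worker ConfigMaps that live in the same namespace. Both bindings name a `spire-server` ServiceAccount that no file in this commit creates, and the four empty files listed after this one suggest the server manifests are still pending; until they land this overlay applies bindings to a subject that does not exist.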
Empty file.
Empty file.
Empty file.
Empty file.
3 changes: 3 additions & 0 deletions go.mod
Expand Up @@ -18,6 +18,7 @@ require (
github.com/prometheus/client_golang v1.19.1
github.com/smartystreets/goconvey v1.8.1
github.com/spf13/cobra v1.8.1
github.com/spiffe/go-spiffe/v2 v2.4.0
github.com/stretchr/testify v1.10.0
github.com/vektra/errors v0.0.0-20140903201135-c64d83aba85a
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
Expand Down Expand Up @@ -68,6 +69,7 @@ require (
github.com/euank/go-kmsg-parser v2.0.0+incompatible // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-jose/go-jose/v4 v4.0.4 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect
Expand Down Expand Up @@ -120,6 +122,7 @@ require (
github.com/stoewer/go-strcase v1.3.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/x448/float16 v0.8.4 // indirect
github.com/zeebo/errs v1.3.0 // indirect
go.etcd.io/etcd/api/v3 v3.5.16 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.16 // indirect
go.etcd.io/etcd/client/v3 v3.5.16 // indirect