Add plugin section to spire-server

This patch enables end users to configure the whole plugin section of the spire-server config. Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
spiffe · Apr 13, 2023 · 22e84dd · 22e84dd
1 parent 6fc5363
commit 22e84dd
Show file tree

Hide file tree

Showing 8 changed files with 89 additions and 1 deletion.
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
@@ -80,6 +80,7 @@ A Helm chart to install the SPIRE server.
 | nodeAttestor.k8sPsat.serviceAccountAllowList | list | `[]` |  |
 | nodeSelector | object | `{}` |  |
 | notifier.k8sbundle.namespace | string | `""` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace |
+| plugins | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
 | replicaCount | int | `1` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. |

diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl
@@ -148,3 +148,40 @@ Create the name of the service account to use
 {{- .Values.clusterDomain }}
 {{- end }}
 {{- end }}
+
+{{/*
+Take a copy of the config and merge in .Values.plugins passed through as root.
+*/}}
+{{- define "spire-server.config_merge" }}
+{{- $pluginsToMerge := dict "plugins" .root.Values.plugins }}
+{{- $newConfig := .config | fromYaml | mustMerge $pluginsToMerge }}
+{{- $newConfig | toYaml }}
+{{- end }}
+
+{{/*
+Take a copy of the plugin section and return a yaml string based version
+reformatted from a dict of dicts to a dict of lists of dicts
+*/}}
+{{- define "spire-server.plugins_reformat" }}
+{{- range $type, $v := . }}
+{{ $type }}:
+  {{- range $name, $v2 := $v }}
+    - {{ $name }}: {{ $v2 | toYaml | nindent 8 }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Take a copy of the config as a yaml config and root var.
+Merge in .root.Values.plugin into config,
+Reformat the plugin section from a dict of dicts to a dict of lists of dicts,
+and export it back as as json string.
+This makes it much easier for users to merge in plugin configs, as dicts are easier
+to merge in values, but spire needs arrays.
+*/}}
+{{- define "spire-server.reformat-and-yaml2json" -}}
+{{- $config := include "spire-server.config_merge" . | fromYaml }}
+{{- $plugins := include "spire-server.plugins_reformat" $config.plugins | fromYaml }}
+{{- $_ := set $config "plugins" $plugins }}
+{{- $config | toPrettyJson }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -107,4 +107,4 @@ metadata:
   namespace: {{ include "spire-server.namespace" . }}
 data:
   server.conf: |
-    {{- include "spire-server.yaml-config" . | fromYaml | toPrettyJson | nindent 4 }}
+    {{- include "spire-server.reformat-and-yaml2json" (dict "config" (include "spire-server.yaml-config" .) "root" .) | nindent 4 }}
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
@@ -217,3 +217,5 @@ nodeAttestor:
   k8sPsat:
     enabled: true
     serviceAccountAllowList: []
+
+plugins: {}
diff --git a/examples/spire-plugins/node-agent-join-token.yaml b/examples/spire-plugins/node-agent-join-token.yaml
@@ -0,0 +1,5 @@
+spire-server:
+  plugins:
+    NodeAttestor:
+      join_token:
+        plugin_data: {}
diff --git a/examples/spire-plugins/node-agent-tpm/Dockerfile.agent b/examples/spire-plugins/node-agent-tpm/Dockerfile.agent
@@ -0,0 +1,9 @@
+FROM alpine
+RUN \
+  cd /tmp && \
+  wget -O plugin.tar.gz https://github.com/boxboat/spire-tpm-plugin/releases/download/v1.3.3/spire_tpm_plugin_tpm_attestor_agent_linux_amd64_v1.3.3.tar.gz && \
+  tar -zxvf plugin.tar.gz && \
+  mv tpm_attestor_agent /
+
+FROM ghcr.io/spiffe/spire-server:1.5.4
+COPY --from=0 /tpm_attestor_agent /bin/tpm_attestor_agent
diff --git a/examples/spire-plugins/node-agent-tpm/Dockerfile.server b/examples/spire-plugins/node-agent-tpm/Dockerfile.server
@@ -0,0 +1,9 @@
+FROM alpine
+RUN \
+  cd /tmp && \
+  wget -O plugin.tar.gz https://github.com/boxboat/spire-tpm-plugin/releases/download/v1.3.3/spire_tpm_plugin_tpm_attestor_server_linux_amd64_v1.3.3.tar.gz && \
+  tar -zxvf plugin.tar.gz && \
+  mv tpm_attestor_server /
+
+FROM ghcr.io/spiffe/spire-server:1.5.4
+COPY --from=0 /tpm_attestor_server /bin/tpm_attestor_server
diff --git a/examples/spire-plugins/node-agent-tpm/values.yaml b/examples/spire-plugins/node-agent-tpm/values.yaml
@@ -0,0 +1,25 @@
+spire-server:
+  initContainers:
+  - name: tpm-init
+    image: busybox
+    command:
+    - sh
+    - -c
+    - |
+      mkdir -p /run/spire/data/certs
+      mkdir -p /run/spire/data/hashes
+    volumeMounts:
+    - mountPath: /run/spire/data
+      name: spire-data
+  image:
+    registry: docker.io
+    repository: kfox1111/misc
+    version: tpm-server-test
+  plugins:
+    NodeAttestor:
+      tpm:
+        plugin_cmd: /bin/tpm_attestor_server
+        plugin_checksum: 97442358ae946e3fb8f2464432b8c23efdc0b5d44ec1eea27babe59ef646cc2f
+        plugin_data:
+        - ca_path: /run/spire/data/certs
+          hash_path: /run/spire/data/hashes