This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

Commit

option to configure agent sds (#479)
Co-authored-by: Marco Franssen <marco.franssen@gmail.com>
grameshtwilio and marcofranssen committed Sep 11, 2023
1 parent 693ce08 commit 9ad2ed5
Showing 3 changed files with 24 additions and 0 deletions.
5 changes: 5 additions & 0 deletions charts/spire/charts/spire-agent/README.md
@@ -79,6 +79,11 @@ A Helm chart to install the SPIRE agent.
| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` |
| `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` |
| `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio | `false` |
| `sds.enabled` | Enables Envoy SDS configuration | `false` |
| `sds.defaultSvidName` | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS | `default` |
| `sds.defaultBundleName` | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS | `ROOTCA` |
| `sds.defaultAllBundlesName` | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS | `ALL` |
| `sds.disableSpiffeCertValidation` | Disable Envoy SDS custom validation | `false` |
| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` |
| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` |
| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` |
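Review bot: the description of `sds.disableSpiffeCertValidation`, "Disable Envoy SDS custom validation", tells a chart user neither what is being switched off nor what the consequence is, and a flag that removes a validation step deserves both; suggest something like "Disable the SPIFFE-specific certificate validation SPIRE configures in the Envoy SDS validation context; leave `false` unless Envoy performs its own SPIFFE ID checks". A smaller point in the same hunk: the `sds.defaultSvidName` row says "X509-SVID" while the next row says "X.509 bundle", so pick one spelling. Since these rows mirror the `## @param` comments in values.yaml word for word, make the wording change there and regenerate the table rather than editing the README by hand.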
7 changes: 7 additions & 0 deletions charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -12,6 +12,13 @@ agent:
trust_bundle_path: "/run/spire/bundle/bundle.crt"
{{- end }}
trust_domain: {{ include "spire-lib.trust-domain" . | quote }}
{{- if .Values.sds.enabled }}
sds:
default_svid_name: {{ .Values.sds.defaultSvidName | quote }}
default_bundle_name: {{ .Values.sds.defaultBundleName | quote }}
default_all_bundles_name: {{ .Values.sds.defaultAllBundlesName | quote }}
disable_spiffe_cert_validation: {{ .Values.sds.disableSpiffeCertValidation }}
{{- end }}

plugins:
NodeAttestor:
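Review bot: the three resource names are rendered straight from values with no check that they differ, so a `--set` slip that gives `sds.defaultBundleName` and `sds.defaultAllBundlesName` the same string produces a configuration in which Envoy cannot distinguish the local-trust-domain bundle from the all-bundles (federated) one. A template-time guard at the top of the `sds:` block would catch this before it reaches the agent, e.g. `{{- if eq .Values.sds.defaultBundleName .Values.sds.defaultAllBundlesName }}{{ fail "sds.defaultBundleName and sds.defaultAllBundlesName must differ" }}{{- end }}`, with the same check against `sds.defaultSvidName`. Separately, because the whole block is gated on `sds.enabled`, the four chart defaults have no effect while the flag is `false` and SPIRE's own SDS defaults apply; the `## @param sds.enabled` comment should say so, since otherwise a reader of values.yaml may assume the chart always sets these names.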
12 changes: 12 additions & 0 deletions charts/spire/charts/spire-agent/values.yaml
@@ -170,6 +170,18 @@ workloadAttestors:
## @param workloadAttestors.k8s.disableContainerSelectors Set to true if using holdApplicationUntilProxyStarts in Istio
disableContainerSelectors: false

sds:
## @param sds.enabled Enables Envoy SDS configuration
enabled: false
## @param sds.defaultSvidName The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS
defaultSvidName: "default"
## @param sds.defaultBundleName The Validation Context resource name to use for the default X.509 bundle with Envoy SDS
defaultBundleName: "ROOTCA"
## @param sds.defaultAllBundlesName The Validation Context resource name to use for all bundles (including federated) with Envoy SDS
defaultAllBundlesName: "ALL"
## @param sds.disableSpiffeCertValidation Disable Envoy SDS custom validation
disableSpiffeCertValidation: false

telemetry:
prometheus:
## @param telemetry.prometheus.enabled Flag to enable prometheus monitoring
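Review bot: the comment on `sds.defaultAllBundlesName` is the only place that mentions the `ALL` validation context includes federated bundles, and nothing warns that an Envoy listener whose `validation_context_sds_secret_config` references this name will accept peer certificates chaining to every federated trust domain's CAs, not only the local one. A one-line caveat here (these comments feed the README table) that `ROOTCA` is the name to reference when only the local trust domain should be trusted, and `ALL` only when federation is intended, would keep operators from making an over-broad trust decision by copying the default names into their Envoy config.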
