Support Nested Spire with External Agent (#117)

spiffe · Aug 16, 2023 · ae8941c · ae8941c
1 parent f40743d
commit ae8941c
Show file tree

Hide file tree

Showing 18 changed files with 383 additions and 2 deletions.
diff --git a/.github/tests/dependencies/spire-root-server-values.yaml b/.github/tests/dependencies/spire-root-server-values.yaml
@@ -0,0 +1,18 @@
+spire-server:
+  controllerManager:
+    enabled: false
+  nodeAttestor:
+    k8sPsat:
+      serviceAccountAllowList:
+        - spire-system:spire-agent-upstream
+  bundleConfigMap: spire-bundle-upstream
+  notifier:
+    k8sbundle:
+      namespace: spire-system
+
+spire-agent:
+  enabled: false
+
+spiffe-csi-driver:
+  enabled: false
+
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
@@ -30,10 +30,20 @@ dependencies:
     condition: spire-agent.enabled
     repository: file://./charts/spire-agent
     version: 0.1.0
+  - name: spire-agent
+    alias: upstream-spire-agent
+    condition: upstream.enabled
+    repository: file://./charts/spire-agent
+    version: 0.1.0
   - name: spiffe-csi-driver
     condition: spiffe-csi-driver.enabled
     repository: file://./charts/spiffe-csi-driver
     version: 0.1.0
+  - name: spiffe-csi-driver
+    alias: upstream-spiffe-csi-driver
+    condition: upstream.enabled
+    repository: file://./charts/spiffe-csi-driver
+    version: 0.1.0
   - name: spiffe-oidc-discovery-provider
     condition: spiffe-oidc-discovery-provider.enabled
     repository: file://./charts/spiffe-oidc-discovery-provider

diff --git a/charts/spire/README.md b/charts/spire/README.md
@@ -78,8 +78,10 @@ Now you can interact with the Spire agent socket from your own application. The
 | Repository | Name | Version |
 |------------|------|---------|
 | file://./charts/spiffe-csi-driver | spiffe-csi-driver | 0.1.0 |
+| file://./charts/spiffe-csi-driver | upstream-spiffe-csi-driver(spiffe-csi-driver) | 0.1.0 |
 | file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 |
 | file://./charts/spire-agent | spire-agent | 0.1.0 |
+| file://./charts/spire-agent | upstream-spire-agent(spire-agent) | 0.1.0 |
 | file://./charts/spire-server | spire-server | 0.1.0 |
 | file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 |
 
@@ -93,6 +95,7 @@ Now you can interact with the Spire agent socket from your own application. The
 | global.spire.image.registry | string | `""` | Override all Spire image registries at once |
 | global.spire.jwtIssuer | string | `"https://oidc-discovery.example.org"` | Set the jwt issuer |
 | global.spire.trustDomain | string | `"example.org"` | The trust domain to be used for the SPIFFE identifiers |
+| global.spire.upstreamServerAddress | string | `""` | Set what address to use for the upstream server when using nested spire |
 | spiffe-csi-driver.enabled | bool | `true` | Enables deployment of CSI driver |
 | spiffe-oidc-discovery-provider.enabled | bool | `false` | Enables deployment of OIDC discovery provider |
 | spire-agent.enabled | bool | `true` | Enables deployment of SPIRE Agent(s) |
@@ -101,6 +104,16 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.enabled | bool | `true` | Enables deployment of SPIRE Server |
 | spire-server.nameOverride | string | `"server"` |  |
 | tornjak-frontend.enabled | bool | `false` | Enables deployment of Tornjak frontend/UI (Not for production) |
+| upstream-spiffe-csi-driver.agentSocketPath | string | `"/run/spire/agent-sockets-upstream/spire-agent.sock"` |  |
+| upstream-spiffe-csi-driver.healthChecks.port | int | `9810` |  |
+| upstream-spiffe-csi-driver.pluginName | string | `"upstream.csi.spiffe.io"` |  |
+| upstream-spire-agent.bundleConfigMap | string | `"spire-bundle-upstream"` |  |
+| upstream-spire-agent.healthChecks.port | int | `9981` |  |
+| upstream-spire-agent.nameOverride | string | `"agent-upstream"` |  |
+| upstream-spire-agent.serviceAccount.name | string | `"spire-agent-upstream"` |  |
+| upstream-spire-agent.socketPath | string | `"/run/spire/agent-sockets-upstream/spire-agent.sock"` |  |
+| upstream-spire-agent.telemetry.prometheus.port | int | `9989` |  |
+| upstream.enabled | bool | `false` | enable upstream agent and driver for use with nested spire. |
 | spiffe-csi-driver.agentSocketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` | The unix socket path to the spire-agent |
 | spiffe-csi-driver.fullnameOverride | string | `""` |  |
 | spiffe-csi-driver.healthChecks.port | int | `9809` |  |
@@ -431,6 +444,7 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.upstreamAuthority.spire.enabled | bool | `false` |  |
 | spire-server.upstreamAuthority.spire.server.address | string | `""` |  |
 | spire-server.upstreamAuthority.spire.server.port | int | `8081` |  |
+| spire-server.upstreamAuthority.spire.upstreamDriver | string | `""` |  |
 | tornjak-frontend.affinity | object | `{}` |  |
 | tornjak-frontend.apiServerURL | string | `"http://localhost:10000/"` | URL of the Tornjak APIs (backend) Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. |
 | tornjak-frontend.fullnameOverride | string | `""` |  |
@@ -461,5 +475,96 @@ Now you can interact with the Spire agent socket from your own application. The
 | tornjak-frontend.startupProbe.timeoutSeconds | int | `5` | Timeout seconds for startupProbe |
 | tornjak-frontend.tolerations | list | `[]` |  |
 | tornjak-frontend.topologySpreadConstraints | list | `[]` |  |
+| upstream-spiffe-csi-driver.agentSocketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` | The unix socket path to the spire-agent |
+| upstream-spiffe-csi-driver.fullnameOverride | string | `""` |  |
+| upstream-spiffe-csi-driver.healthChecks.port | int | `9809` |  |
+| upstream-spiffe-csi-driver.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
+| upstream-spiffe-csi-driver.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
+| upstream-spiffe-csi-driver.image.repository | string | `"spiffe/spiffe-csi-driver"` | The repository within the registry |
+| upstream-spiffe-csi-driver.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| upstream-spiffe-csi-driver.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
+| upstream-spiffe-csi-driver.imagePullSecrets | list | `[]` |  |
+| upstream-spiffe-csi-driver.kubeletPath | string | `"/var/lib/kubelet"` |  |
+| upstream-spiffe-csi-driver.livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe |
+| upstream-spiffe-csi-driver.livenessProbe.timeoutSeconds | int | `5` | Timeout value in seconds for livenessProbe |
+| upstream-spiffe-csi-driver.nameOverride | string | `""` |  |
+| upstream-spiffe-csi-driver.namespaceOverride | string | `""` |  |
+| upstream-spiffe-csi-driver.nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
+| upstream-spiffe-csi-driver.nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` | The OCI registry to pull the image from |
+| upstream-spiffe-csi-driver.nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` | The repository within the registry |
+| upstream-spiffe-csi-driver.nodeDriverRegistrar.image.tag | string | `"v2.8.0"` | Overrides the image tag |
+| upstream-spiffe-csi-driver.nodeDriverRegistrar.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
+| upstream-spiffe-csi-driver.nodeDriverRegistrar.resources | object | `{}` |  |
+| upstream-spiffe-csi-driver.nodeSelector | object | `{}` |  |
+| upstream-spiffe-csi-driver.pluginName | string | `"csi.spiffe.io"` | Set the csi driver name deployed to Kubernetes. |
+| upstream-spiffe-csi-driver.podAnnotations | object | `{}` |  |
+| upstream-spiffe-csi-driver.podSecurityContext | object | `{}` |  |
+| upstream-spiffe-csi-driver.priorityClassName | string | `""` | Priority class assigned to daemonset pods |
+| upstream-spiffe-csi-driver.resources | object | `{}` |  |
+| upstream-spiffe-csi-driver.securityContext.privileged | bool | `true` |  |
+| upstream-spiffe-csi-driver.securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| upstream-spiffe-csi-driver.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| upstream-spiffe-csi-driver.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| upstream-spiffe-csi-driver.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| upstream-spiffe-csi-driver.tolerations | list | `[]` |  |
+| upstream-spire-agent.bundleConfigMap | string | `"spire-bundle"` |  |
+| upstream-spire-agent.clusterName | string | `"example-cluster"` |  |
+| upstream-spire-agent.configMap.annotations | object | `{}` | Annotations to add to the SPIRE Agent ConfigMap |
+| upstream-spire-agent.extraContainers | list | `[]` |  |
+| upstream-spire-agent.extraVolumeMounts | list | `[]` |  |
+| upstream-spire-agent.extraVolumes | list | `[]` |  |
+| upstream-spire-agent.fsGroupFix.image.pullPolicy | string | `"Always"` | The image pull policy |
+| upstream-spire-agent.fsGroupFix.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from |
+| upstream-spire-agent.fsGroupFix.image.repository | string | `"chainguard/bash"` | The repository within the registry |
+| upstream-spire-agent.fsGroupFix.image.tag | string | `"5.2.15"` | Overrides the image tag |
+| upstream-spire-agent.fsGroupFix.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
+| upstream-spire-agent.fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
+| upstream-spire-agent.fullnameOverride | string | `""` |  |
+| upstream-spire-agent.healthChecks.port | int | `9980` | override the host port used for health checking |
+| upstream-spire-agent.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
+| upstream-spire-agent.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
+| upstream-spire-agent.image.repository | string | `"spiffe/spire-agent"` | The repository within the registry |
+| upstream-spire-agent.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| upstream-spire-agent.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
+| upstream-spire-agent.imagePullSecrets | list | `[]` |  |
+| upstream-spire-agent.initContainers | list | `[]` |  |
+| upstream-spire-agent.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe |
+| upstream-spire-agent.livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe |
+| upstream-spire-agent.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" |
+| upstream-spire-agent.nameOverride | string | `""` |  |
+| upstream-spire-agent.namespaceOverride | string | `""` |  |
+| upstream-spire-agent.nodeSelector | object | `{}` |  |
+| upstream-spire-agent.podAnnotations | object | `{}` |  |
+| upstream-spire-agent.podSecurityContext | object | `{}` |  |
+| upstream-spire-agent.priorityClassName | string | `""` | Priority class assigned to daemonset pods |
+| upstream-spire-agent.readinessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for readinessProbe |
+| upstream-spire-agent.readinessProbe.periodSeconds | int | `60` | Period seconds for readinessProbe |
+| upstream-spire-agent.resources | object | `{}` |  |
+| upstream-spire-agent.securityContext | object | `{}` |  |
+| upstream-spire-agent.server.address | string | `""` |  |
+| upstream-spire-agent.server.namespaceOverride | string | `""` |  |
+| upstream-spire-agent.server.port | int | `8081` |  |
+| upstream-spire-agent.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| upstream-spire-agent.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| upstream-spire-agent.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| upstream-spire-agent.socketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` | The unix socket path to the spire-agent |
+| upstream-spire-agent.telemetry.prometheus.enabled | bool | `false` |  |
+| upstream-spire-agent.telemetry.prometheus.podMonitor.enabled | bool | `false` |  |
+| upstream-spire-agent.telemetry.prometheus.podMonitor.labels | object | `{}` |  |
+| upstream-spire-agent.telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent |
+| upstream-spire-agent.telemetry.prometheus.port | int | `9988` |  |
+| upstream-spire-agent.tolerations | list | `[]` |  |
+| upstream-spire-agent.trustBundleFormat | string | `"pem"` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" |
+| upstream-spire-agent.trustBundleURL | string | `""` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap |
+| upstream-spire-agent.trustDomain | string | `"example.org"` | The trust domain to be used for the SPIFFE identifiers |
+| upstream-spire-agent.waitForIt.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
+| upstream-spire-agent.waitForIt.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from |
+| upstream-spire-agent.waitForIt.image.repository | string | `"chainguard/wait-for-it"` | The repository within the registry |
+| upstream-spire-agent.waitForIt.image.tag | string | `"latest-20230517"` | Overrides the image tag |
+| upstream-spire-agent.waitForIt.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
+| upstream-spire-agent.waitForIt.resources | object | `{}` |  |
+| upstream-spire-agent.workloadAttestors.k8s.disableContainerSelectors | bool | `false` | Set to true if using holdApplicationUntilProxyStarts in Istio |
+| upstream-spire-agent.workloadAttestors.k8s.skipKubeletVerification | bool | `true` | If true, kubelet certificate verification is skipped |
+| upstream-spire-agent.workloadAttestors.unix.enabled | bool | `false` | enables the Unix workload attestor |
 
 ----------------------------------------------
diff --git a/charts/spire/charts/spire-agent/templates/_helpers.tpl b/charts/spire/charts/spire-agent/templates/_helpers.tpl
@@ -91,7 +91,9 @@ Create the name of the service account to use
 {{- end }}
 
 {{- define "spire-agent.server-address" }}
-{{- if .Values.server.address }}
+{{- if and (ne (len (dig "spire" "upstreamSpireAddress" "" .Values.global)) 0) .Values.upstream }}
+{{- print .Values.global.spire.upstreamSpireAddress }}
+{{- else if .Values.server.address }}
 {{- .Values.server.address }}
 {{- else }}
 {{ .Release.Name }}-server.{{ include "spire-agent.server.namespace" . }}

diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
@@ -76,6 +76,9 @@ trustBundleURL: ""
 trustBundleFormat: pem
 bundleConfigMap: spire-bundle
 
+# @ignored
+upstream: false
+
 server:
   address: ""
   port: 8081

diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
@@ -250,5 +250,6 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | upstreamAuthority.spire.enabled | bool | `false` |  |
 | upstreamAuthority.spire.server.address | string | `""` |  |
 | upstreamAuthority.spire.server.port | int | `8081` |  |
+| upstreamAuthority.spire.upstreamDriver | string | `""` |  |
 
 ----------------------------------------------
diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl
@@ -153,6 +153,14 @@ Create the name of the service account to use
 {{- $config | toYaml }}
 {{- end }}
 
+{{- define "spire-server.upstream-spire-address" }}
+{{- if ne (len (dig "spire" "upstreamSpireAddress" "" .Values.global)) 0 }}
+{{- print .Values.global.spire.upstreamSpireAddress }}
+{{- else }}
+{{- print .Values.upstreamAuthority.spire.server.address }}
+{{- end }}
+{{- end }}
+
 {{/*
 Tornjak specific section
 */}}

diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -113,7 +113,7 @@ plugins:
   UpstreamAuthority:
     - spire:
         plugin_data:
-          server_address: {{ .server.address | quote }}
+          server_address: {{ include "spire-server.upstream-spire-address" $root | quote }}
           server_port: {{ .server.port }}
           workload_api_socket: "/run/spire/upstream_agent/spire-agent.sock"
   {{- end }}

diff --git a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml
@@ -0,0 +1,90 @@
+{{- if .Values.upstreamAuthority.spire.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spire-server.serviceAccountName" . }}-pre-delete
+  namespace: {{ include "spire-server.namespace" . }}
+  labels:
+    {{- include "spire-server.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "spire-server.fullname" . }}-pre-delete
+  namespace: {{ include "spire-server.namespace" . }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+rules:
+  - apiGroups: ["apps"]
+    resources: ["statefulsets"]
+    resourceNames: [{{ include "spire-server.fullname" . | quote }}]
+    verbs: ["get", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "spire-server.fullname" . }}-pre-delete
+  namespace: {{ include "spire-server.namespace" . }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "spire-server.serviceAccountName" . }}-pre-delete
+    namespace: {{ include "spire-server.namespace" . }}
+roleRef:
+  kind: Role
+  name: {{ include "spire-server.fullname" . }}-pre-delete
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "spire-server.fullname" . }}-pre-delete
+  namespace: {{ include "spire-server.namespace" . }}
+  labels:
+    {{- include "spire-server.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+spec:
+  template:
+    metadata:
+      name: {{ include "spire-server.fullname" . }}-pre-delete
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-pre-delete
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: pre-delete-job
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
+        image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
+        args:
+          - delete
+          - -n
+          - {{ include "spire-server.namespace" . }}
+          - statefulset
+          - {{ include "spire-server.fullname" . }}
+          - --wait
+      - name: pre-delete-check
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
+        image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
+        args:
+          - wait
+          - --for=delete
+          - pod
+          - -l
+          - app.kubernetes.io/instance={{ include "spire-server.name" . }},app.kubernetes.io/name={{ .Release.Name }},app.kubernetes.io/component=server
+          - -n
+          - {{ include "spire-server.namespace" . }}
+{{- end }}