Support Nested Spire with External Agent

.github/tests/nested/post-install.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status "${scenario}"
+
+if [[ "$1" -ne 0 ]]; then
+  get_namespace_details "${scenario}"
+fi

.github/tests/nested/pre-install.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+kubectl create namespace "${scenario}-root-server"
+# Install a spire root server for testing against.
+helm install -n "${scenario}-root-server" spire charts/spire --wait -f "${SCRIPTPATH}/spire-root-server-values.yaml"
+kubectl get all -n "${scenario}-root-server"
+kubectl get nodes -o go-template='{{range .items}}{{printf "%s\n" .metadata.uid}}{{end}}' | while read -r line; do
+  kubectl exec -t spire-server-0 -n "${scenario}-root-server" -- spire-server entry create -spiffeID spiffe://example.org/example-cluster/nested-spire -parentID "spiffe://example.org/spire/agent/k8s_psat/example-cluster/$line" -selector k8s:pod-label:app.kubernetes.io/name:server -downstream
+done

.github/tests/nested/spire-root-server-values.yaml

@@ -0,0 +1,18 @@
+spire-server:
+  controllerManager:
+    enabled: false
+  nodeAttestor:
+    k8sPsat:
+      serviceAccountAllowList:
+        - nested:spire-agent-upstream
+  bundleConfigMap: spire-bundle-upstream
+  notifier:
+    k8sbundle:
+      namespace: nested
+
+spire-agent:
+  enabled: false
+
+spiffe-csi-driver:
+  enabled: false
+

.github/tests/nested/values.yaml

@@ -0,0 +1,23 @@
+spire-server:
+  enabled: true
+  upstreamAuthority:
+    spire:
+      enabled: true
+      server:
+        address: spire-server.nested-root-server
+  controllerManager:
+    enabled: true
+    identities:
+      spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+
+spiffe-oidc-discovery-provider:
+  enabled: true
+  insecureScheme:
+    enabled: true
+
+upstream:
+  enabled: true
+
+upstream-spire-agent:
+  server:
+    address: spire-server.nested-root-server

charts/spire/Chart.yaml

@@ -28,10 +28,20 @@ dependencies:
     condition: spire-agent.enabled
     repository: file://./charts/spire-agent
     version: 0.1.0
+  - name: spire-agent
+    alias: upstream-spire-agent
+    condition: upstream.enabled
+    repository: file://./charts/spire-agent
+    version: 0.1.0
   - name: spiffe-csi-driver
     condition: spiffe-csi-driver.enabled
     repository: file://./charts/spiffe-csi-driver
     version: 0.1.0
+  - name: spiffe-csi-driver
+    alias: upstream-spiffe-csi-driver
+    condition: upstream.enabled
+    repository: file://./charts/spiffe-csi-driver
+    version: 0.1.0
   - name: spiffe-oidc-discovery-provider
     condition: spiffe-oidc-discovery-provider.enabled
     repository: file://./charts/spiffe-oidc-discovery-provider

charts/spire/README.md

@@ -100,8 +100,10 @@ Kubernetes: `>=1.21.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
 | file://./charts/spiffe-csi-driver | spiffe-csi-driver | 0.1.0 |
+| file://./charts/spiffe-csi-driver | upstream-spiffe-csi-driver(spiffe-csi-driver) | 0.1.0 |
 | file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 |
 | file://./charts/spire-agent | spire-agent | 0.1.0 |
+| file://./charts/spire-agent | upstream-spire-agent(spire-agent) | 0.1.0 |
 | file://./charts/spire-server | spire-server | 0.1.0 |
 
 ## Values
@@ -120,5 +122,14 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.controllerManager.enabled | bool | `true` |  |
 | spire-server.enabled | bool | `true` |  |
 | spire-server.nameOverride | string | `"server"` |  |
+| upstream-spiffe-csi-driver.agentSocketPath | string | `"/run/spire/agent-sockets-upstream/spire-agent.sock"` |  |
+| upstream-spiffe-csi-driver.healthChecks.port | int | `9810` |  |
+| upstream-spiffe-csi-driver.pluginName | string | `"upstream.csi.spiffe.io"` |  |
+| upstream-spire-agent.bundleConfigMap | string | `"spire-bundle-upstream"` |  |
+| upstream-spire-agent.healthChecks.port | int | `9981` |  |
+| upstream-spire-agent.nameOverride | string | `"agent-upstream"` |  |
+| upstream-spire-agent.serviceAccount.name | string | `"spire-agent-upstream"` |  |
+| upstream-spire-agent.socketPath | string | `"/run/spire/agent-sockets-upstream/spire-agent.sock"` |  |
+| upstream.enabled | bool | `false` | enable upstream csi driver and agent for use with nested spire. |
 
 ----------------------------------------------

charts/spire/charts/spire-server/README.md

@@ -109,5 +109,9 @@ A Helm chart to install the SPIRE server.
 | upstreamAuthority.disk.secret.create | bool | `true` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. |
 | upstreamAuthority.disk.secret.data | object | `{"bundle":"","certificate":"","key":""}` | If secret creation is enabled, will create a secret with following certificate info |
 | upstreamAuthority.disk.secret.name | string | `"spiffe-upstream-ca"` | If secret creation is disabled, the secret with this name will be used. |
+| upstreamAuthority.spire.enabled | bool | `false` |  |
+| upstreamAuthority.spire.server.address | string | `""` |  |
+| upstreamAuthority.spire.server.port | int | `8081` |  |
+| upstreamAuthority.spire.upstreamDriver | string | `"upstream.csi.spiffe.io"` |  |
 
 ----------------------------------------------

charts/spire/charts/spire-server/templates/configmap.yaml

@@ -71,6 +71,17 @@ plugins:
   {{- end }}
   {{- end }}
 
+  {{- with .Values.upstreamAuthority.spire }}
+  {{- if eq (.enabled | toString) "true" }}
+  UpstreamAuthority:
+    - spire:
+        plugin_data:
+          server_address: {{ .server.address | quote }}
+          server_port: {{ .server.port }}
+          workload_api_socket: "/run/spire/upstream_agent/spire-agent.sock"
+  {{- end }}
+  {{- end }}
+
   {{- with .Values.upstreamAuthority.certManager }}
   {{- if eq (.enabled | toString) "true" }}
   UpstreamAuthority:

charts/spire/charts/spire-server/templates/roles.yaml

@@ -3,7 +3,7 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ include "spire-server.fullname" . }}-bundle
+  name: {{ $namespace }}-{{ include "spire-server.fullname" . }}-bundle
   namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }}
 rules:
   - apiGroups: [""]
@@ -50,15 +50,15 @@ roleRef:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ include "spire-server.fullname" . }}-bundle
+  name: {{ $namespace }}-{{ include "spire-server.fullname" . }}-bundle
   namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }}
 subjects:
   - kind: ServiceAccount
     name: {{ include "spire-server.serviceAccountName" . }}
     namespace: {{ $namespace }}
 roleRef:
   kind: Role
-  name: {{ include "spire-server.fullname" . }}-bundle
+  name: {{ $namespace }}-{{ include "spire-server.fullname" . }}-bundle
   apiGroup: rbac.authorization.k8s.io
 
 {{- if and .Values.nodeAttestor.k8sPsat.enabled }}

charts/spire/charts/spire-server/templates/statefulset.yaml

@@ -101,6 +101,11 @@ spec:
               mountPath: /run/spire/upstream_ca
               readOnly: false
             {{ end }}
+            {{- if eq (.Values.upstreamAuthority.spire.enabled | toString) "true" }}
+            - name: upstream-agent
+              mountPath: /run/spire/upstream_agent
+              readOnly: true
+            {{ end }}
             {{- if gt (len .Values.extraVolumeMounts) 0 }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -176,6 +181,12 @@ spec:
           secret:
             secretName: {{ include "spire-server.upstream-ca-secret" . }}
         {{- end }}
+        {{- if eq (.Values.upstreamAuthority.spire.enabled | toString) "true" }}
+        - name: upstream-agent
+          csi:
+            driver: {{ .Values.upstreamAuthority.spire.upstreamDriver }}
+            readOnly: true
+        {{- end }}
         {{- if eq (.Values.controllerManager.enabled | toString) "true" }}
         - name: controller-manager-config
           configMap:

charts/spire/charts/spire-server/values.yaml

@@ -114,6 +114,12 @@ upstreamAuthority:
         certificate: ""
         key: ""
         bundle: ""
+  spire:
+    enabled: false
+    upstreamDriver: upstream.csi.spiffe.io
+    server:
+      address: ""
+      port: 8081
   certManager:
     enabled: false
     rbac:

charts/spire/values.yaml

@@ -36,8 +36,28 @@ spire-agent:
   enabled: true
   nameOverride: agent
 
+upstream:
+  # -- enable upstream csi driver and agent for use with nested spire.
+  enabled: false
+
+upstream-spire-agent:
+  nameOverride: agent-upstream
+  bundleConfigMap: spire-bundle-upstream
+
+  socketPath: /run/spire/agent-sockets-upstream/spire-agent.sock
+  serviceAccount:
+    name: spire-agent-upstream
+  healthChecks:
+    port: 9981
+
 spiffe-csi-driver:
   enabled: true
 
+upstream-spiffe-csi-driver:
+  pluginName: upstream.csi.spiffe.io
+  agentSocketPath: /run/spire/agent-sockets-upstream/spire-agent.sock
+  healthChecks:
+    port: 9810
+
 spiffe-oidc-discovery-provider:
   enabled: false