spiffe · marcofranssen · Aug 16, 2023 · Apr 3, 2023 · Apr 10, 2023 · Apr 11, 2023
@@ -0,0 +1,18 @@
+spire-server:
+  controllerManager:
+    enabled: false
+  nodeAttestor:
+    k8sPsat:
+      serviceAccountAllowList:
+        - spire-system:spire-agent-upstream
+  bundleConfigMap: spire-bundle-upstream
+  notifier:
+    k8sbundle:
+      namespace: spire-system
+
+spire-agent:
+  enabled: false
+
+spiffe-csi-driver:
+  enabled: false
+
@@ -30,10 +30,20 @@ dependencies:
     condition: spire-agent.enabled
     repository: file://./charts/spire-agent
     version: 0.1.0
+  - name: spire-agent
+    alias: upstream-spire-agent
+    condition: upstream-spire-agent.enabled
+    repository: file://./charts/spire-agent
+    version: 0.1.0
   - name: spiffe-csi-driver
     condition: spiffe-csi-driver.enabled
     repository: file://./charts/spiffe-csi-driver
     version: 0.1.0
+  - name: spiffe-csi-driver
+    alias: upstream-spiffe-csi-driver
+    condition: upstream-spiffe-csi-driver.enabled
+    repository: file://./charts/spiffe-csi-driver
+    version: 0.1.0
   - name: spiffe-oidc-discovery-provider
     condition: spiffe-oidc-discovery-provider.enabled
     repository: file://./charts/spiffe-oidc-discovery-provider

@@ -99,8 +99,10 @@ Now you can interact with the Spire agent socket from your own application. The
 | Repository | Name | Version |
 |------------|------|---------|
 | file://./charts/spiffe-csi-driver | spiffe-csi-driver | 0.1.0 |
+| file://./charts/spiffe-csi-driver | upstream-spiffe-csi-driver(spiffe-csi-driver) | 0.1.0 |
 | file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 |
 | file://./charts/spire-agent | spire-agent | 0.1.0 |
+| file://./charts/spire-agent | upstream-spire-agent(spire-agent) | 0.1.0 |
 | file://./charts/spire-server | spire-server | 0.1.0 |
 | file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 |
 
@@ -122,6 +124,17 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.enabled | bool | `true` | Enables deployment of SPIRE Server |
 | spire-server.nameOverride | string | `"server"` |  |
 | tornjak-frontend.enabled | bool | `false` | Enables deployment of Tornjak frontend/UI (Not for production) |
+| upstream-spiffe-csi-driver.agentSocketPath | string | `"/run/spire/agent-sockets-upstream/spire-agent.sock"` |  |
+| upstream-spiffe-csi-driver.enabled | bool | `false` | enable upstream csi driver for use with nested spire. |
+| upstream-spiffe-csi-driver.healthChecks.port | int | `9810` |  |
+| upstream-spiffe-csi-driver.pluginName | string | `"upstream.csi.spiffe.io"` |  |
+| upstream-spire-agent.bundleConfigMap | string | `"spire-bundle-upstream"` |  |
+| upstream-spire-agent.enabled | bool | `false` | enable upstream agent for use with nested spire. |
+| upstream-spire-agent.healthChecks.port | int | `9981` |  |
+| upstream-spire-agent.nameOverride | string | `"agent-upstream"` |  |
+| upstream-spire-agent.serviceAccount.name | string | `"spire-agent-upstream"` |  |
+| upstream-spire-agent.socketPath | string | `"/run/spire/agent-sockets-upstream/spire-agent.sock"` |  |
+| upstream-spire-agent.telemetry.prometheus.port | int | `9989` |  |
 | spiffe-csi-driver.agentSocketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` | The unix socket path to the spire-agent |
 | spiffe-csi-driver.fullnameOverride | string | `""` |  |
 | spiffe-csi-driver.healthChecks.port | int | `9809` |  |
@@ -438,6 +451,7 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.upstreamAuthority.spire.enabled | bool | `false` |  |
 | spire-server.upstreamAuthority.spire.server.address | string | `""` |  |
 | spire-server.upstreamAuthority.spire.server.port | int | `8081` |  |
+| spire-server.upstreamAuthority.spire.upstreamDriver | string | `"upstream.csi.spiffe.io"` |  |
 | tornjak-frontend.affinity | object | `{}` |  |
 | tornjak-frontend.apiServerURL | string | `"http://localhost:10000/"` | URL of the Tornjak APIs (backend) Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. |
 | tornjak-frontend.fullnameOverride | string | `""` |  |
@@ -468,5 +482,95 @@ Now you can interact with the Spire agent socket from your own application. The
 | tornjak-frontend.startupProbe.timeoutSeconds | int | `5` | Timeout seconds for startupProbe |
 | tornjak-frontend.tolerations | list | `[]` |  |
 | tornjak-frontend.topologySpreadConstraints | list | `[]` |  |
+| upstream-spiffe-csi-driver.agentSocketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` | The unix socket path to the spire-agent |
+| upstream-spiffe-csi-driver.fullnameOverride | string | `""` |  |
+| upstream-spiffe-csi-driver.healthChecks.port | int | `9809` |  |
+| upstream-spiffe-csi-driver.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
+| upstream-spiffe-csi-driver.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
+| upstream-spiffe-csi-driver.image.repository | string | `"spiffe/spiffe-csi-driver"` | The repository within the registry |
+| upstream-spiffe-csi-driver.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| upstream-spiffe-csi-driver.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
+| upstream-spiffe-csi-driver.imagePullSecrets | list | `[]` |  |
+| upstream-spiffe-csi-driver.kubeletPath | string | `"/var/lib/kubelet"` |  |
+| upstream-spiffe-csi-driver.livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe |
+| upstream-spiffe-csi-driver.livenessProbe.timeoutSeconds | int | `5` | Timeout value in seconds for livenessProbe |
+| upstream-spiffe-csi-driver.nameOverride | string | `""` |  |
+| upstream-spiffe-csi-driver.namespaceOverride | string | `""` |  |
+| upstream-spiffe-csi-driver.nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
+| upstream-spiffe-csi-driver.nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` | The OCI registry to pull the image from |
+| upstream-spiffe-csi-driver.nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` | The repository within the registry |
+| upstream-spiffe-csi-driver.nodeDriverRegistrar.image.tag | string | `"v2.8.0"` | Overrides the image tag |
+| upstream-spiffe-csi-driver.nodeDriverRegistrar.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
+| upstream-spiffe-csi-driver.nodeDriverRegistrar.resources | object | `{}` |  |
+| upstream-spiffe-csi-driver.nodeSelector | object | `{}` |  |
+| upstream-spiffe-csi-driver.pluginName | string | `"csi.spiffe.io"` | Set the csi driver name deployed to Kubernetes. |
+| upstream-spiffe-csi-driver.podAnnotations | object | `{}` |  |
+| upstream-spiffe-csi-driver.podSecurityContext | object | `{}` |  |
+| upstream-spiffe-csi-driver.priorityClassName | string | `""` | Priority class assigned to daemonset pods |
+| upstream-spiffe-csi-driver.resources | object | `{}` |  |
+| upstream-spiffe-csi-driver.securityContext.privileged | bool | `true` |  |
+| upstream-spiffe-csi-driver.securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| upstream-spiffe-csi-driver.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| upstream-spiffe-csi-driver.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| upstream-spiffe-csi-driver.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| upstream-spiffe-csi-driver.tolerations | list | `[]` |  |
+| upstream-spire-agent.bundleConfigMap | string | `"spire-bundle"` |  |
+| upstream-spire-agent.clusterName | string | `"example-cluster"` |  |
+| upstream-spire-agent.configMap.annotations | object | `{}` | Annotations to add to the SPIRE Agent ConfigMap |
+| upstream-spire-agent.extraContainers | list | `[]` |  |
+| upstream-spire-agent.extraVolumeMounts | list | `[]` |  |
+| upstream-spire-agent.extraVolumes | list | `[]` |  |
+| upstream-spire-agent.fsGroupFix.image.pullPolicy | string | `"Always"` | The image pull policy |
+| upstream-spire-agent.fsGroupFix.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from |
+| upstream-spire-agent.fsGroupFix.image.repository | string | `"chainguard/bash"` | The repository within the registry |
+| upstream-spire-agent.fsGroupFix.image.tag | string | `"5.2.15"` | Overrides the image tag |
+| upstream-spire-agent.fsGroupFix.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
+| upstream-spire-agent.fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
+| upstream-spire-agent.fullnameOverride | string | `""` |  |
+| upstream-spire-agent.healthChecks.port | int | `9980` | override the host port used for health checking |
+| upstream-spire-agent.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
+| upstream-spire-agent.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
+| upstream-spire-agent.image.repository | string | `"spiffe/spire-agent"` | The repository within the registry |
+| upstream-spire-agent.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| upstream-spire-agent.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
+| upstream-spire-agent.imagePullSecrets | list | `[]` |  |
+| upstream-spire-agent.initContainers | list | `[]` |  |
+| upstream-spire-agent.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe |
+| upstream-spire-agent.livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe |
+| upstream-spire-agent.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" |
+| upstream-spire-agent.nameOverride | string | `""` |  |
+| upstream-spire-agent.namespaceOverride | string | `""` |  |
+| upstream-spire-agent.nodeSelector | object | `{}` |  |
+| upstream-spire-agent.podAnnotations | object | `{}` |  |
+| upstream-spire-agent.podSecurityContext | object | `{}` |  |
+| upstream-spire-agent.priorityClassName | string | `""` | Priority class assigned to daemonset pods |
+| upstream-spire-agent.readinessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for readinessProbe |
+| upstream-spire-agent.readinessProbe.periodSeconds | int | `60` | Period seconds for readinessProbe |
+| upstream-spire-agent.resources | object | `{}` |  |
+| upstream-spire-agent.securityContext | object | `{}` |  |
+| upstream-spire-agent.server.address | string | `""` |  |
+| upstream-spire-agent.server.namespaceOverride | string | `""` |  |
+| upstream-spire-agent.server.port | int | `8081` |  |
+| upstream-spire-agent.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| upstream-spire-agent.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| upstream-spire-agent.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| upstream-spire-agent.socketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` | The unix socket path to the spire-agent |
+| upstream-spire-agent.telemetry.prometheus.enabled | bool | `false` |  |
+| upstream-spire-agent.telemetry.prometheus.podMonitor.enabled | bool | `false` |  |
+| upstream-spire-agent.telemetry.prometheus.podMonitor.labels | object | `{}` |  |
+| upstream-spire-agent.telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent |
+| upstream-spire-agent.telemetry.prometheus.port | int | `9988` |  |
+| upstream-spire-agent.tolerations | list | `[]` |  |
+| upstream-spire-agent.trustBundleFormat | string | `"pem"` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" |
+| upstream-spire-agent.trustBundleURL | string | `""` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap |
+| upstream-spire-agent.trustDomain | string | `"example.org"` | The trust domain to be used for the SPIFFE identifiers |
+| upstream-spire-agent.waitForIt.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
+| upstream-spire-agent.waitForIt.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from |
+| upstream-spire-agent.waitForIt.image.repository | string | `"chainguard/wait-for-it"` | The repository within the registry |
+| upstream-spire-agent.waitForIt.image.tag | string | `"latest-20230517"` | Overrides the image tag |
+| upstream-spire-agent.waitForIt.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
+| upstream-spire-agent.waitForIt.resources | object | `{}` |  |
+| upstream-spire-agent.workloadAttestors.k8s.skipKubeletVerification | bool | `true` | If true, kubelet certificate verification is skipped |
+| upstream-spire-agent.workloadAttestors.unix.enabled | bool | `false` | enables the Unix workload attestor |
 
 ----------------------------------------------
@@ -238,5 +238,6 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | upstreamAuthority.spire.enabled | bool | `false` |  |
 | upstreamAuthority.spire.server.address | string | `""` |  |
 | upstreamAuthority.spire.server.port | int | `8081` |  |
+| upstreamAuthority.spire.upstreamDriver | string | `"upstream.csi.spiffe.io"` |  |
 
 ----------------------------------------------
@@ -0,0 +1,75 @@
+{{- if .Values.upstreamAuthority.spire.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spire-server.serviceAccountName" . }}-pre-delete
+  namespace: {{ include "spire-server.namespace" . }}
+  labels:
+    {{- include "spire-server.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "spire-server.fullname" . }}-pre-delete
+  namespace: {{ include "spire-server.namespace" . }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+rules:
+  - apiGroups: ["apps"]
+    resources: ["statefulsets"]
+    resourceNames: [{{ include "spire-server.fullname" . | quote }}]
+    verbs: ["get", "delete"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "spire-server.fullname" . }}-pre-delete
+  namespace: {{ include "spire-server.namespace" . }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "spire-server.serviceAccountName" . }}-pre-delete
+    namespace: {{ include "spire-server.namespace" . }}
+roleRef:
+  kind: Role
+  name: {{ include "spire-server.fullname" . }}-pre-delete
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "spire-server.fullname" . }}-pre-delete
+  namespace: {{ include "spire-server.namespace" . }}
+  labels:
+    {{- include "spire-server.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+spec:
+  template:
+    metadata:
+      name: {{ include "spire-server.fullname" . }}-pre-delete
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-pre-delete
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: pre-delete-job
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
+        image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
+        args:
+          - delete
+          - -n
+          - {{ include "spire-server.namespace" . }}
+          - statefulset
+          - {{ include "spire-server.fullname" . }}
+          - --wait
+{{- end }}
@@ -125,6 +125,11 @@ spec:
               mountPath: /run/spire/upstream_ca
               readOnly: false
             {{ end }}
+            {{- if eq (.Values.upstreamAuthority.spire.enabled | toString) "true" }}
+            - name: upstream-agent
+              mountPath: /run/spire/upstream_agent
+              readOnly: true
+            {{ end }}
             {{- if gt (len .Values.extraVolumeMounts) 0 }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -269,6 +274,12 @@ spec:
           secret:
             secretName: {{ include "spire-server.upstream-ca-secret" . }}
         {{- end }}
+        {{- if eq (.Values.upstreamAuthority.spire.enabled | toString) "true" }}
+        - name: upstream-agent
+          csi:
+            driver: {{ .Values.upstreamAuthority.spire.upstreamDriver }}
+            readOnly: true
+        {{- end }}
         {{- if eq (.Values.controllerManager.enabled | toString) "true" }}
         - name: controller-manager-config
           configMap:

@@ -209,6 +209,7 @@ upstreamAuthority:
       renewBefore: ""
   spire:
     enabled: false
+    upstreamDriver: upstream.csi.spiffe.io
     server:
       address: ""
       port: 8081

@@ -41,10 +41,33 @@ spire-agent:
   enabled: true
   nameOverride: agent
 
+upstream-spire-agent:
+  # -- enable upstream agent for use with nested spire.
+  enabled: false
+  nameOverride: agent-upstream
+  bundleConfigMap: spire-bundle-upstream
+
+  socketPath: /run/spire/agent-sockets-upstream/spire-agent.sock
+  serviceAccount:
+    name: spire-agent-upstream
+  healthChecks:
+    port: 9981
+  telemetry:
+    prometheus:
+      port: 9989
+
 spiffe-csi-driver:
   # -- Enables deployment of CSI driver
   enabled: true
 
+upstream-spiffe-csi-driver:
+  # -- enable upstream csi driver for use with nested spire.
+  enabled: false
+  pluginName: upstream.csi.spiffe.io
+  agentSocketPath: /run/spire/agent-sockets-upstream/spire-agent.sock
+  healthChecks:
+    port: 9810
+
 spiffe-oidc-discovery-provider:
   # -- Enables deployment of OIDC discovery provider
   enabled: false