spiffe · marcofranssen · May 16, 2023 · Mar 30, 2023 · Apr 13, 2023 · Apr 19, 2023
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT=$(readlink -f "$0")
+SCRIPTPATH=$(dirname "$SCRIPT")
+
+helm install \
+  --namespace spire-server \
+  --values "${SCRIPTPATH}/../../../examples/production/values.yaml" \
+  --values "${SCRIPTPATH}/../../../examples/tornjak/values.yaml" \
+  spire charts/spire --wait
+helm test spire -n spire-server
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status spire-server spire-system
+
+kubectl rollout status --watch --timeout 180s --namespace spire-server deployments.apps spire-tornjak-frontend
+kubectl -n spire-server get deploy spire-tornjak-frontend
+kubectl -n spire-server get service spire-tornjak-frontend
+
+
+if [[ "$1" -ne 0 ]]; then
+  get_namespace_details spire-server
+  get_namespace_details spire-system
+fi
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+kubectl create namespace spire-system
+kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged
+kubectl create namespace spire-server
+kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted
@@ -38,6 +38,10 @@ dependencies:
     condition: spiffe-oidc-discovery-provider.enabled
     repository: file://./charts/spiffe-oidc-discovery-provider
     version: 0.1.0
+  - name: tornjak-frontend
+    condition: tornjak-frontend.enabled
+    repository: file://./charts/tornjak-frontend
+    version: 0.1.0
 annotations:
   artifacthub.io/category: security
   artifacthub.io/license: Apache-2.0
@@ -104,6 +104,7 @@ Kubernetes: `>=1.21.0-0`
 | file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 |
 | file://./charts/spire-agent | spire-agent | 0.1.0 |
 | file://./charts/spire-server | spire-server | 0.1.0 |
+| file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 |
 
 ## Values
 
@@ -121,6 +122,7 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.controllerManager.enabled | bool | `true` |  |
 | spire-server.enabled | bool | `true` |  |
 | spire-server.nameOverride | string | `"server"` |  |
+| tornjak-frontend.enabled | bool | `false` |  |
 | spiffe-csi-driver.agentSocketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` | The unix socket path to the spire-agent |
 | spiffe-csi-driver.fullnameOverride | string | `""` |  |
 | spiffe-csi-driver.healthChecks.port | int | `9809` |  |
@@ -312,7 +314,7 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spire-server.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | spire-server.image.repository | string | `"spiffe/spire-server"` | The repository within the registry |
-| spire-server.image.version | string | `""` |  |
+| spire-server.image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | spire-server.imagePullSecrets | list | `[]` |  |
 | spire-server.initContainers | list | `[]` |  |
 | spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain |
@@ -343,6 +345,14 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-server |
 | spire-server.tolerations | list | `[]` |  |
 | spire-server.topologySpreadConstraints | list | `[]` |  |
+| spire-server.tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information |
+| spire-server.tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) |
+| spire-server.tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","version":"v1.2.0"}` | Tornjak API image |
+| spire-server.tornjak.image.version | string | `"v1.2.0"` | Overrides the image tag whose default is the chart appVersion. |
+| spire-server.tornjak.resources | object | `{}` |  |
+| spire-server.tornjak.service.annotations | object | `{}` |  |
+| spire-server.tornjak.service.port | int | `10000` |  |
+| spire-server.tornjak.service.type | string | `"ClusterIP"` |  |
 | spire-server.trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers |
 | spire-server.upstreamAuthority.certManager.enabled | bool | `false` |  |
 | spire-server.upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` |  |
@@ -355,5 +365,24 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.upstreamAuthority.disk.secret.create | bool | `true` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. |
 | spire-server.upstreamAuthority.disk.secret.data | object | `{"bundle":"","certificate":"","key":""}` | If secret creation is enabled, will create a secret with following certificate info |
 | spire-server.upstreamAuthority.disk.secret.name | string | `"spiffe-upstream-ca"` | If secret creation is disabled, the secret with this name will be used. |
+| tornjak-frontend.apiServerURL | string | `"http://localhost:10000/"` | URL of the Tornjak APIs (backend) Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. |
+| tornjak-frontend.fullnameOverride | string | `""` |  |
+| tornjak-frontend.image.pullPolicy | string | `"IfNotPresent"` |  |
+| tornjak-frontend.image.registry | string | `"ghcr.io"` |  |
+| tornjak-frontend.image.repository | string | `"spiffe/tornjak-frontend"` |  |
+| tornjak-frontend.image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| tornjak-frontend.imagePullSecrets | list | `[]` |  |
+| tornjak-frontend.labels | object | `{}` |  |
+| tornjak-frontend.nameOverride | string | `""` |  |
+| tornjak-frontend.namespaceOverride | string | `""` |  |
+| tornjak-frontend.podSecurityContext | object | `{}` |  |
+| tornjak-frontend.securityContext | object | `{}` |  |
+| tornjak-frontend.service.annotations | object | `{}` |  |
+| tornjak-frontend.service.port | int | `3000` |  |
+| tornjak-frontend.service.type | string | `"ClusterIP"` |  |
+| tornjak-frontend.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| tornjak-frontend.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| tornjak-frontend.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| tornjak-frontend.spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator |
 
 ----------------------------------------------
@@ -75,7 +75,7 @@ A Helm chart to install the SPIRE server.
 | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | image.repository | string | `"spiffe/spire-server"` | The repository within the registry |
-| image.version | string | `""` |  |
+| image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
 | initContainers | list | `[]` |  |
 | jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain |
@@ -106,6 +106,14 @@ A Helm chart to install the SPIRE server.
 | telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-server |
 | tolerations | list | `[]` |  |
 | topologySpreadConstraints | list | `[]` |  |
+| tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information |
+| tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) |
+| tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","version":"v1.2.0"}` | Tornjak API image |
+| tornjak.image.version | string | `"v1.2.0"` | Overrides the image tag whose default is the chart appVersion. |
+| tornjak.resources | object | `{}` |  |
+| tornjak.service.annotations | object | `{}` |  |
+| tornjak.service.port | int | `10000` |  |
+| tornjak.service.type | string | `"ClusterIP"` |  |
 | trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers |
 | upstreamAuthority.certManager.enabled | bool | `false` |  |
 | upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` |  |

@@ -4,3 +4,20 @@ Installed {{ .Chart.Name }}…
 
   kubectl exec -n {{ .Release.Namespace }} {{ include "spire-server.fullname" . }}-0 -c spire-server -- \
     spire-server entry show
+
+{{- if eq (.Values.tornjak.enabled | toString) "true" }}
+
+Installed {{ include "spire-tornjak.fullname" . }}…
+
+### WARNING ###
+
+Tornjak runs without authentication and is therefore NOT suitable to run in production environments.
+Only use in test environments!
+
+Access Tornjak:
+
+    kubectl -n {{ include "spire-server.namespace" . }} port-forward service/{{ include "spire-tornjak.backend" . }} {{ .Values.tornjak.service.port }}:10000
+
+Open browser to: http://localhost:{{ .Values.tornjak.service.port }}
+
+{{- end }}
@@ -153,3 +153,19 @@ Create the name of the service account to use
 {{- end }}
 {{- $config | toYaml }}
 {{- end }}
+
+{{/*
+Tornjak specific section
+*/}}
+
+{{- define "spire-tornjak.fullname" -}}
+{{ include "spire-server.fullname" . | trimSuffix "-server" }}-tornjak
+{{- end }}
+
+{{- define "spire-tornjak.config" -}}
+{{ include "spire-tornjak.fullname" . }}-config
+{{- end }}
+
+{{- define "spire-tornjak.backend" -}}
+{{ include "spire-tornjak.fullname" . }}-backend
+{{- end }}
@@ -1,6 +1,7 @@
 {{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }}
 {{- $configSum2 := (include (print $.Template.BasePath "/secret.yaml") . | sha256sum) }}
 {{- $configSum3 := (include (print $.Template.BasePath "/controller-manager-configmap.yaml") . | sha256sum) }}
+{{- $configSumTornjak := (include (print $.Template.BasePath "/tornjak-config.yaml") . | sha256sum) }}
 {{- $fullname := include "spire-server.fullname" . }}
 apiVersion: apps/v1
 kind: StatefulSet
@@ -26,6 +27,7 @@ spec:
         checksum/config: {{ $configSum }}
         checksum/config2: {{ $configSum2 }}
         checksum/config3: {{ $configSum3 }}
+        checksum/configTornjak: {{ $configSumTornjak }}
         {{- with .Values.podAnnotations }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -155,6 +157,49 @@ spec:
               mountPath: /tmp
               readOnly: false
         {{- end }}
+
+        {{- if eq (.Values.tornjak.enabled | toString) "true" }}
+        - name: tornjak
+          securityContext:
+            {{- toYaml .Values.controllerManager.securityContext | nindent 12 }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tornjak.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.tornjak.image.pullPolicy }}
+          startupProbe:
+            httpGet:
+              scheme: HTTP
+              port: 10000
+            failureThreshold: 3
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          args:
+            - -c
+            - /run/spire/config/server.conf
+            - -t
+            - /run/spire/tornjak-config/server.conf
+          ports:
+            - name: tornjak
+              containerPort: 10000
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.tornjak.resources | nindent 12 }}
+          volumeMounts:
+            - name: {{ include "spire-tornjak.config" . }}
+              mountPath: /run/spire/tornjak-config
+            - name: spire-server-socket
+              mountPath: /tmp/spire-server/private
+              readOnly: true
+            - name: spire-config
+              mountPath: /run/spire/config
+              readOnly: true
+            {{- if eq (.Values.dataStorage.enabled | toString) "true" }}
+            - name: spire-data
+              mountPath: /run/spire/data
+              readOnly: false
+            {{- end }}
+        {{- end }}
+
         {{- if gt (len .Values.extraContainers) 0 }}
         {{- toYaml .Values.extraContainers | nindent 8 }}
         {{- end }}
@@ -192,6 +237,14 @@ spec:
           configMap:
             name: {{ include "spire-controller-manager.fullname" . }}
         {{- end }}
+        {{- if eq (.Values.tornjak.enabled | toString) "true" }}
+        {{- if .Values.tornjak.config }}
+        - name: {{ include "spire-tornjak.config" . }}
+          configMap:
+            defaultMode: 420
+            name: {{ include "spire-tornjak.config" . }}
+        {{- end }}
+        {{- end }}
         {{- if gt (len .Values.extraVolumes) 0 }}
         {{- toYaml .Values.extraVolumes | nindent 8 }}
         {{- end }}

@@ -0,0 +1,22 @@
+{{- if eq (.Values.tornjak.enabled | toString) "true" }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "spire-tornjak.fullname" . }}-test-connection"
+  namespace: {{ include "spire-server.namespace" . }}
+  labels:
+    {{- include "spire-server.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  securityContext:
+    {{- toYaml .Values.podSecurityContext | nindent 4 }}
+  containers:
+    - name: curl-tornjak-backend
+      image: cgr.dev/chainguard/bash:latest
+      command: ['curl']
+      args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}']
+      securityContext:
+        {{- toYaml .Values.securityContext | nindent 8 }}
+  restartPolicy: Never
+{{- end }}
@@ -0,0 +1,23 @@
+{{- if eq (.Values.tornjak.enabled | toString) "true" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spire-tornjak.config" . }}
+  namespace: {{ include "spire-server.namespace" . }}
+data:
+  server.conf: |
+    server {
+      metadata = "insert metadata"
+    }
+
+    plugins {
+    {{- if .Values.tornjak.config.dataStore }}
+      DataStore "sql" {
+        plugin_data {
+          drivername = "{{ .Values.tornjak.config.dataStore.driver }}"
+          filename = "{{ .Values.tornjak.config.dataStore.file }}"
+        }
+      }
+    {{- end }}
+    }
+{{- end }}
@@ -0,0 +1,22 @@
+{{- if eq (.Values.tornjak.enabled | toString) "true" }}
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{ include "spire-server.namespace" . }}
+  name: {{ include "spire-tornjak.backend" . }}
+  {{- with .Values.tornjak.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 8 }}
+  {{- end }}
+  labels:
+    {{- include "spire-server.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.tornjak.service.type }}
+  selector:
+   {{- include "spire-server.selectorLabels" . | nindent 4 }}
+  ports:
+    - name: {{ include "spire-tornjak.backend" . }}
+      port: {{ .Values.tornjak.service.port }}
+      targetPort: tornjak
+      protocol: TCP
+{{- end }}
@@ -12,7 +12,7 @@ image:
   repository: spiffe/spire-server
   # -- The image pull policy
   pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
+  # -- Overrides the image tag whose default is the chart appVersion.
   version: ""
 
 imagePullSecrets: []
@@ -255,3 +255,35 @@ nodeAttestor:
   k8sPsat:
     enabled: true
     serviceAccountAllowList: []
+
+# tornjak - Tornjak specific configuration
+tornjak:
+  # -- Deploys Tornjak API (backend)
+  enabled: false
+  # -- Tornjak API image
+  image:
+    registry: ghcr.io
+    repository: spiffe/tornjak-backend
+    pullPolicy: IfNotPresent
+    # -- Overrides the image tag whose default is the chart appVersion.
+    version: "v1.2.0"
+  service:
+    type: ClusterIP
+    port: 10000
+    annotations: {}
+  config:
+    # -- persistent DB for storing Tornjak specific information
+    dataStore:
+      driver: "sqlite3"
+      file: "/run/spire/data/tornjak.sqlite3"
+  resources: {}
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: tornjak-frontend
+description: A Helm chart to deploy Tornjak frontend
+type: application
+version: 0.1.0
+appVersion: "v1.2.0"
+home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
+sources:
+  - https://github.com/spiffe/tornjak
+icon: https://raw.githubusercontent.com/spiffe/tornjak/main/logos/logo%2Btornjak.2132x1291.png
+maintainers:
+  - name: mrsabath
+    email: mrsabath@gmail.com
+    url: https://mrsabath.github.io