From a8f163cd8386ed8bcd62e0ab89c197ae1db761f2 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi Date: Tue, 8 Aug 2023 19:02:24 +0100 Subject: [PATCH 1/8] Adds AWS KMS KeyManager support Signed-off-by: Maximiliano Churichi --- charts/spire/README.md | 6 ++++ charts/spire/charts/spire-server/README.md | 6 ++++ .../spire-server/templates/configmap.yaml | 35 +++++++++++++++++-- charts/spire/charts/spire-server/values.yaml | 10 ++++++ 4 files changed, 55 insertions(+), 2 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index ff09e5315..903f9df89 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -362,6 +362,12 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.ingress.tls | list | `[]` | | | spire-server.initContainers | list | `[]` | | | spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | +| spire-server.keyManager.awsKMS.enabled | bool | `false` | | +| spire-server.keyManager.awsKMS.keyMetadataFile | string | `"/run/spire/data/aws-kms-key-metadata"` | | +| spire-server.keyManager.awsKMS.keyPolicyFile | string | `""` | | +| spire-server.keyManager.awsKMS.region | string | `""` | | +| spire-server.keyManager.disk.enabled | bool | `true` | | +| spire-server.keyManager.disk.keysPath | string | `"/run/spire/data/keys.json"` | | | spire-server.livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | | spire-server.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | | spire-server.livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index b97982e6a..a8f0295d5 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -160,6 +160,12 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | ingress.tls | list | `[]` | | | initContainers | list | `[]` | | | jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | +| keyManager.awsKMS.enabled | bool | `false` | | +| keyManager.awsKMS.keyMetadataFile | string | `"/run/spire/data/aws-kms-key-metadata"` | | +| keyManager.awsKMS.keyPolicyFile | string | `""` | | +| keyManager.awsKMS.region | string | `""` | | +| keyManager.disk.enabled | bool | `true` | | +| keyManager.disk.keysPath | string | `"/run/spire/data/keys.json"` | | | livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | | livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | | livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe | diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index f751e8202..9dda0f4a0 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -1,5 +1,6 @@ {{- define "spire-server.yaml-config" -}} {{- $upstreamAuthorityUsed := 0 }} +{{- $keyManagerUsed := 0 }} {{- $root := . }} server: bind_address: "0.0.0.0" 
@@ -46,11 +47,41 @@ plugins: service_account_allow_list: {{ include "spire-server.serviceAccountAllowedList" $root | trim }} {{- end }} {{- end }} - + + {{- with .Values.keyManager.disk }} + {{- if eq (.enabled | toString) "true" }} + {{- $keyManagerUsed = add1 $keyManagerUsed }} KeyManager: - disk: plugin_data: - keys_path: "/run/spire/data/keys.json" + keys_path: {{ .keysPath | quote }} + {{- end }} + {{- end }} + + {{- with .Values.keyManager.awsKMS }} + {{- if eq (.enabled | toString) "true" }} + {{- $keyManagerUsed = add1 $keyManagerUsed }} + KeyManager: + - aws_kms: + plugin_data: + region: {{ .region | quote }} + key_metadata_file: {{ .keyMetadataFile | quote }} + {{- if ne .accessKeyID "" }} + access_key_id: {{ .accessKeyID | quote }} + {{- end }} + {{- if ne .secretAccessKey "" }} + secret_access_key: {{ .secretAccessKey | quote }} + {{- end }} + {{- if ne .keyPolicyFile "" }} + key_policy_file: {{ .keyPolicyFile | quote }} + {{- end }} + + {{- end }} + {{- end }} + +{{- if ne $keyManagerUsed 1 }} +{{- fail "You have to enable exactly one Key Manager." }} +{{- end }} Notifier: - k8sbundle: diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 2c4039b22..486f108ae 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -175,6 +175,16 @@ ca_subject: organization: Example common_name: example.org +keyManager: + disk: + enabled: true + keysPath: "/run/spire/data/keys.json" + awsKMS: + enabled: false + region: "" + keyMetadataFile: "/run/spire/data/aws-kms-key-metadata" + keyPolicyFile: "" + upstreamAuthority: disk: enabled: false From 12d7fc95a80896b0d877e3e782d3cd5e3f7b3b60 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi Date: Wed, 9 Aug 2023 13:23:55 +0100 Subject: [PATCH 2/8] Make aws_kms.key_metadata_file non configurable 
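Review bot: In the new `aws_kms` block, `region: {{ .region | quote }}` renders `region: ""` whenever the plugin is enabled but the values default is left in place, and the misconfiguration only surfaces when spire-server fails to start; since the template already hard-fails on the key-manager count, the same treatment fits here: `region: {{ required "keyManager.awsKMS.region must be set when keyManager.awsKMS.enabled is true" .region | quote }}`. The `$keyManagerUsed` counter with its `fail` is a good guard against two KeyManager plugins being rendered into one config, and is worth keeping if the plugin list grows. The `plugins` section starts and ends outside the hunk.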
Signed-off-by: Maximiliano Churichi --- charts/spire/README.md | 1 - charts/spire/charts/spire-server/README.md | 1 - charts/spire/charts/spire-server/templates/configmap.yaml | 2 +- charts/spire/charts/spire-server/values.yaml | 1 - 4 files changed, 1 insertion(+), 4 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 903f9df89..efdf1c7c0 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -363,7 +363,6 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.initContainers | list | `[]` | | | spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | | spire-server.keyManager.awsKMS.enabled | bool | `false` | | -| spire-server.keyManager.awsKMS.keyMetadataFile | string | `"/run/spire/data/aws-kms-key-metadata"` | | | spire-server.keyManager.awsKMS.keyPolicyFile | string | `""` | | | spire-server.keyManager.awsKMS.region | string | `""` | | | spire-server.keyManager.disk.enabled | bool | `true` | | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index a8f0295d5..d465770aa 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -161,7 +161,6 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | initContainers | list | `[]` | | | jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | | keyManager.awsKMS.enabled | bool | `false` | | -| keyManager.awsKMS.keyMetadataFile | string | `"/run/spire/data/aws-kms-key-metadata"` | | | keyManager.awsKMS.keyPolicyFile | string | `""` | | | keyManager.awsKMS.region | string | `""` | | | keyManager.disk.enabled | bool | `true` | | diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index 9dda0f4a0..183b21967 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml 
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -65,7 +65,7 @@ plugins: - aws_kms: plugin_data: region: {{ .region | quote }} - key_metadata_file: {{ .keyMetadataFile | quote }} + key_metadata_file: "/run/spire/data/aws-kms-key-metadata" {{- if ne .accessKeyID "" }} access_key_id: {{ .accessKeyID | quote }} {{- end }} diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 486f108ae..d30e7e4e1 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -182,7 +182,6 @@ keyManager: awsKMS: enabled: false region: "" - keyMetadataFile: "/run/spire/data/aws-kms-key-metadata" keyPolicyFile: "" upstreamAuthority: From 726f6041d0942a6b55df82302847aaf5ce4c9c2b Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi Date: Wed, 9 Aug 2023 13:27:10 +0100 Subject: [PATCH 3/8] Make keymanager disk.keys_path non configurable Signed-off-by: Maximiliano Churichi --- charts/spire/README.md | 1 - charts/spire/charts/spire-server/README.md | 1 - charts/spire/charts/spire-server/templates/configmap.yaml | 2 +- charts/spire/charts/spire-server/values.yaml | 1 - 4 files changed, 1 insertion(+), 4 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index efdf1c7c0..3a2eeb648 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -366,7 +366,6 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.keyManager.awsKMS.keyPolicyFile | string | `""` | | | spire-server.keyManager.awsKMS.region | string | `""` | | | spire-server.keyManager.disk.enabled | bool | `true` | | -| spire-server.keyManager.disk.keysPath | string | `"/run/spire/data/keys.json"` | | | spire-server.livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | | spire-server.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | | spire-server.livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index d465770aa..7501cbef8 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -164,7 +164,6 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | keyManager.awsKMS.keyPolicyFile | string | `""` | | | keyManager.awsKMS.region | string | `""` | | | keyManager.disk.enabled | bool | `true` | | -| keyManager.disk.keysPath | string | `"/run/spire/data/keys.json"` | | | livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | | livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | | livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe | diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index 183b21967..4329b5405 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -54,7 +54,7 @@ plugins: KeyManager: - disk: plugin_data: - keys_path: {{ .keysPath | quote }} + keys_path: "/run/spire/data/keys.json" {{- end }} {{- end }} 
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index d30e7e4e1..ec8dbc4fc 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -178,7 +178,6 @@ ca_subject: keyManager: disk: enabled: true - keysPath: "/run/spire/data/keys.json" awsKMS: enabled: false region: "" From 447dc5d8735258666a7bfba46accbcd5a628d99a Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi Date: Thu, 10 Aug 2023 14:05:35 +0100 Subject: [PATCH 4/8] Use aws kms keys as env vars from a secret rather than injecting them as plain text in the config map Signed-off-by: Maximiliano Churichi --- .gitignore | 1 + .../charts/spire-server/templates/aws-secret.yaml | 14 ++++++++++++++ .../charts/spire-server/templates/configmap.yaml | 6 +++--- .../charts/spire-server/templates/statefulset.yaml | 14 ++++++++++++++ charts/spire/charts/spire-server/values.yaml | 2 ++ 5 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 charts/spire/charts/spire-server/templates/aws-secret.yaml diff --git a/.gitignore b/.gitignore index 1ad54ad80..beb5ec80d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ bin/ .idea/ +.vscode/ *.swp charts/**/*.tgz .DS_Store diff --git a/charts/spire/charts/spire-server/templates/aws-secret.yaml b/charts/spire/charts/spire-server/templates/aws-secret.yaml new file mode 100644 index 000000000..ae51eee10 --- /dev/null +++ b/charts/spire/charts/spire-server/templates/aws-secret.yaml 
@@ -0,0 +1,14 @@ +{{- if or (ne .Values.keyManager.awsKMS.accessKeyID "") (ne .Values.keyManager.awsKMS.secretAccessKey "") }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "spire-server.fullname" . }}-aws-kms + namespace: {{ include "spire-server.namespace" . }} +data: + {{- if ne .Values.keyManager.awsKMS.accessKeyID "" }} + AWS_KMS_ACCESS_KEY_ID: {{ .Values.keyManager.awsKMS.accessKeyID | b64enc }} + {{- end }} + {{- if ne .Values.keyManager.awsKMS.secretAccessKey "" }} + AWS_KMS_SECRET_ACCESS_KEY: {{ .Values.keyManager.awsKMS.secretAccessKey | b64enc }} + {{- end }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index 4329b5405..60513aa08 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -67,10 +67,10 @@ plugins: region: {{ .region | quote }} key_metadata_file: "/run/spire/data/aws-kms-key-metadata" {{- if ne .accessKeyID "" }} - access_key_id: {{ .accessKeyID | quote }} + access_key_id: "${AWS_KMS_ACCESS_KEY_ID}" {{- end }} {{- if ne .secretAccessKey "" }} - secret_access_key: {{ .secretAccessKey | quote }} + secret_access_key: "${AWS_KMS_SECRET_ACCESS_KEY}" {{- end }} {{- if ne .keyPolicyFile "" }} key_policy_file: {{ .keyPolicyFile | quote }} @@ -80,7 +80,7 @@ plugins: {{- end }} {{- if ne $keyManagerUsed 1 }} -{{- fail "You have to enable exactly one Key Manager." }} +{{- fail (printf "You have to enable exactly one Key Manager. There are %d enabled." $keyManagerUsed) }} {{- end }} Notifier: diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index f8cfd7129..031862e82 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml 
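Review bot: The new Secret is rendered whenever `accessKeyID` or `secretAccessKey` is non-empty, with no check on `keyManager.awsKMS.enabled`, so a user who leaves credentials in a values file while switching back to the disk key manager still gets a static AWS credential materialised in the namespace; the first line should also gate on the flag, e.g. `{{- if and (eq (.Values.keyManager.awsKMS.enabled | toString) "true") (or (ne .Values.keyManager.awsKMS.accessKeyID "") (ne .Values.keyManager.awsKMS.secretAccessKey "")) }}`. Moving the values out of the ConfigMap is the right direction, but the credential still travels through Helm values and therefore lands in the release record (`helm get values`) and in any values file kept alongside the deployment; an `existingSecret` value that lets the statefulset's `secretKeyRef.name` point at a Secret provisioned outside the chart would avoid that. Setting one of the two keys without the other currently yields a Secret and a server config holding half a credential pair, which a `fail` when exactly one is non-empty would catch at render time.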
@@ -84,6 +84,20 @@ spec: name: {{ $fullname }}-dbpw key: DBPW {{- end }} + {{- if ne .Values.keyManager.awsKMS.accessKeyID "" }} + - name: AWS_KMS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: {{ $fullname }}-aws-kms + key: AWS_KMS_ACCESS_KEY_ID + {{- end }} + {{- if ne .Values.keyManager.awsKMS.secretAccessKey "" }} + - name: AWS_KMS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ $fullname }}-aws-kms + key: AWS_KMS_SECRET_ACCESS_KEY + {{- end }} ports: - name: grpc containerPort: 8081 diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index ec8dbc4fc..7d3c2cbe0 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -182,6 +182,8 @@ keyManager: enabled: false region: "" keyPolicyFile: "" + accessKeyID: "" + secretAccessKey: "" upstreamAuthority: disk: From f539715b6aedb6c9f1b2af7273f8c83ded9f4d04 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi Date: Thu, 10 Aug 2023 14:24:21 +0100 Subject: [PATCH 5/8] Update docs Signed-off-by: Maximiliano Churichi --- charts/spire/README.md | 2 ++ charts/spire/charts/spire-server/README.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/charts/spire/README.md b/charts/spire/README.md index 3a2eeb648..e7d1727fd 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
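Review bot: The two `secretKeyRef` entries are added whenever the corresponding value is non-empty but never consult `keyManager.awsKMS.enabled`, so with the disk key manager active the credential is still exposed in the spire-server process environment (readable via `kubectl exec … env` or `/proc/<pid>/environ`) while the rendered config, whose `aws_kms` block is inside the `enabled` check, consumes nothing; wrapping the block in `{{- if eq (.Values.keyManager.awsKMS.enabled | toString) "true" }}` keeps the env surface to what the plugin needs. The `${AWS_KMS_ACCESS_KEY_ID}` and `${AWS_KMS_SECRET_ACCESS_KEY}` references in configmap.yaml are emitted under the same non-empty conditions, so the two templates stay in step only as long as they are edited together; a comment on the env block, `# conditions must mirror access_key_id/secret_access_key in configmap.yaml`, documents the coupling. The container spec starts and ends outside the hunk.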
@@ -362,9 +362,11 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.ingress.tls | list | `[]` | | | spire-server.initContainers | list | `[]` | | | spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | +| spire-server.keyManager.awsKMS.accessKeyID | string | `""` | | | spire-server.keyManager.awsKMS.enabled | bool | `false` | | | spire-server.keyManager.awsKMS.keyPolicyFile | string | `""` | | | spire-server.keyManager.awsKMS.region | string | `""` | | +| spire-server.keyManager.awsKMS.secretAccessKey | string | `""` | | | spire-server.keyManager.disk.enabled | bool | `true` | | | spire-server.livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | | spire-server.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 7501cbef8..aa4f7d139 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -160,9 +160,11 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | ingress.tls | list | `[]` | | | initContainers | list | `[]` | | | jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | +| keyManager.awsKMS.accessKeyID | string | `""` | | | keyManager.awsKMS.enabled | bool | `false` | | | keyManager.awsKMS.keyPolicyFile | string | `""` | | | keyManager.awsKMS.region | string | `""` | | +| keyManager.awsKMS.secretAccessKey | string | `""` | | | keyManager.disk.enabled | bool | `true` | | | livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | | livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | From 3e1ab37f1d6016b5bbdd732abe600455b3a487ba Mon Sep 17 00:00:00 2001 
From: Maximiliano Churichi Date: Fri, 11 Aug 2023 16:23:23 +0100 Subject: [PATCH 6/8] Make aws kms key policy configurable through either ConfigMap or raw policy string Signed-off-by: Maximiliano Churichi --- charts/spire/README.md | 8 +++++--- charts/spire/charts/spire-server/README.md | 8 +++++--- .../templates/aws-kms-configmap.yaml | 10 ++++++++++ .../{aws-secret.yaml => aws-kms-secret.yaml} | 0 .../spire-server/templates/configmap.yaml | 4 ++-- .../spire-server/templates/statefulset.yaml | 19 +++++++++++++++++++ charts/spire/charts/spire-server/values.yaml | 9 ++++++++- 7 files changed, 49 insertions(+), 9 deletions(-) create mode 100644 charts/spire/charts/spire-server/templates/aws-kms-configmap.yaml rename charts/spire/charts/spire-server/templates/{aws-secret.yaml => aws-kms-secret.yaml} (100%) diff --git a/charts/spire/README.md b/charts/spire/README.md index e7d1727fd..e42716693 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -362,11 +362,13 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.ingress.tls | list | `[]` | | | spire-server.initContainers | list | `[]` | | | spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | -| spire-server.keyManager.awsKMS.accessKeyID | string | `""` | | +| spire-server.keyManager.awsKMS.accessKeyID | string | `""` | Access key ID for the AWS account. If empty, the default credential chain will be used. | | spire-server.keyManager.awsKMS.enabled | bool | `false` | | -| spire-server.keyManager.awsKMS.keyPolicyFile | string | `""` | | +| spire-server.keyManager.awsKMS.keyPolicy | object | `{"existingConfigMap":"","policy":""}` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | +| spire-server.keyManager.awsKMS.keyPolicy.existingConfigMap | string | `""` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | +| spire-server.keyManager.awsKMS.keyPolicy.policy | string | `""` | Key policy in JSON format. | | spire-server.keyManager.awsKMS.region | string | `""` | | -| spire-server.keyManager.awsKMS.secretAccessKey | string | `""` | | +| spire-server.keyManager.awsKMS.secretAccessKey | string | `""` | Secret access key for the AWS account. If empty, the default credential chain will be used. | | spire-server.keyManager.disk.enabled | bool | `true` | | | spire-server.livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | | spire-server.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index aa4f7d139..fc39c5d02 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -160,11 +160,13 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | ingress.tls | list | `[]` | | | initContainers | list | `[]` | | | jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | -| keyManager.awsKMS.accessKeyID | string | `""` | | +| keyManager.awsKMS.accessKeyID | string | `""` | Access key ID for the AWS account. If empty, the default credential chain will be used. | | keyManager.awsKMS.enabled | bool | `false` | | -| keyManager.awsKMS.keyPolicyFile | string | `""` | | +| keyManager.awsKMS.keyPolicy | object | `{"existingConfigMap":"","policy":""}` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | +| keyManager.awsKMS.keyPolicy.existingConfigMap | string | `""` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | +| keyManager.awsKMS.keyPolicy.policy | string | `""` | Key policy in JSON format. | | keyManager.awsKMS.region | string | `""` | | -| keyManager.awsKMS.secretAccessKey | string | `""` | | +| keyManager.awsKMS.secretAccessKey | string | `""` | Secret access key for the AWS account. If empty, the default credential chain will be used. | | keyManager.disk.enabled | bool | `true` | | | livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | | livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | diff --git a/charts/spire/charts/spire-server/templates/aws-kms-configmap.yaml b/charts/spire/charts/spire-server/templates/aws-kms-configmap.yaml new file mode 100644 index 000000000..a7edc7ac8 --- /dev/null +++ b/charts/spire/charts/spire-server/templates/aws-kms-configmap.yaml 
@@ -0,0 +1,10 @@ +{{- if ne .Values.keyManager.awsKMS.keyPolicy.policy "" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "spire-server.fullname" . }}-aws-kms + namespace: {{ include "spire-server.namespace" . }} +data: + policy.json: | + {{ .Values.keyManager.awsKMS.keyPolicy.policy | nindent 4 }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/aws-secret.yaml b/charts/spire/charts/spire-server/templates/aws-kms-secret.yaml similarity index 100% rename from charts/spire/charts/spire-server/templates/aws-secret.yaml rename to charts/spire/charts/spire-server/templates/aws-kms-secret.yaml diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index 60513aa08..0ab04f1f8 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -72,8 +72,8 @@ plugins: {{- if ne .secretAccessKey "" }} secret_access_key: "${AWS_KMS_SECRET_ACCESS_KEY}" {{- end }} - {{- if ne .keyPolicyFile "" }} - key_policy_file: {{ .keyPolicyFile | quote }} + {{- if or (ne .keyPolicy.policy "") (ne .keyPolicy.existingConfigMap "") }} + key_policy_file: "/run/spire/data/aws-kms-key-policy.json" {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index 031862e82..b6b4cbb54 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml 
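Review bot: `policy.json: |` is followed by a template line piped through `nindent 4`, and since `nindent` prefixes a newline, whatever leading whitespace precedes the `{{` on that line (collapsed in this listing) becomes a whitespace-only first line of the block scalar before the policy text; `{{- .Values.keyManager.awsKMS.keyPolicy.policy | nindent 4 }}` trims that and yields the policy alone. Like the Secret template, this ConfigMap is created whenever `keyPolicy.policy` is non-empty without consulting `keyManager.awsKMS.enabled`, whereas the statefulset mounts it only when the plugin is enabled; gating the ConfigMap the same way keeps the release free of dangling objects. The README says the policy is applied when keys are created, so a malformed document is only discovered at that point; a validation line ahead of the data, `{{- $_ := .Values.keyManager.awsKMS.keyPolicy.policy | mustFromJson }}`, would surface a JSON syntax error at `helm template` time instead.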
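Review bot: The new condition emits `key_policy_file` when either `keyPolicy.policy` or `keyPolicy.existingConfigMap` is set, but nothing rejects both being set — the statefulset's volume definition then silently prefers the inline policy and the named ConfigMap is ignored, which is easy to miss when the inline value is a stale copy. A render-time guard makes the choice explicit: `{{- if and (ne .keyPolicy.policy "") (ne .keyPolicy.existingConfigMap "") }}{{- fail "keyManager.awsKMS.keyPolicy: set either policy or existingConfigMap, not both" }}{{- end }}`. The path `/run/spire/data/aws-kms-key-policy.json` is hard-coded both here and in statefulset.yaml; a comment on this line, `# must match the key-policy subPath mount in statefulset.yaml`, records the coupling. The `aws_kms` block starts outside the hunk.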
@@ -142,6 +142,14 @@ spec: mountPath: /run/spire/upstream_ca readOnly: false {{ end }} + {{- with .Values.keyManager.awsKMS }} + {{- if and (eq (.enabled | toString) "true") (or (ne .keyPolicy.policy "") (ne .keyPolicy.existingConfigMap "")) }} + - name: aws-kms-key-policy + mountPath: /run/spire/data/aws-kms-key-policy.json + subPath: policy.json + readOnly: true + {{ end }} + {{ end }} {{- if gt (len .Values.extraVolumeMounts) 0 }} {{- toYaml .Values.extraVolumeMounts | nindent 12 }} {{- end }} @@ -286,6 +294,17 @@ spec: secret: secretName: {{ include "spire-server.upstream-ca-secret" . }} {{- end }} + {{- with .Values.keyManager.awsKMS }} + {{- if and (eq (.enabled | toString) "true") (or (ne .keyPolicy.policy "") (ne .keyPolicy.existingConfigMap "")) }} + - name: aws-kms-key-policy + configMap: + {{- if ne .keyPolicy.policy "" }} + name: {{ $fullname }}-aws-kms + {{- else if ne .keyPolicy.existingConfigMap "" }} + name: {{ .keyPolicy.existingConfigMap }} + {{- end }} + {{- end }} + {{- end }} {{- if eq (.Values.controllerManager.enabled | toString) "true" }} - name: controller-manager-config configMap: diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 7d3c2cbe0..972d4e261 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -181,8 +181,15 @@ keyManager: awsKMS: enabled: false region: "" - keyPolicyFile: "" + # -- Policy to use when creating keys. If no policy is specified, a default policy will be used. + keyPolicy: + # -- Key policy in JSON format. + policy: "" + # -- Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. + existingConfigMap: "" + # -- Access key ID for the AWS account. If empty, the default credential chain will be used. accessKeyID: "" + # -- Secret access key for the AWS account. If empty, the default credential chain will be used. secretAccessKey: "" upstreamAuthority: 
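Review bot: The policy file is mounted with `subPath: policy.json`, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so editing the policy in `existingConfigMap`, or upgrading the chart with a new `keyPolicy.policy`, changes nothing in the running server until the pod is recreated; because a key-policy change is a security-relevant operation, either add a checksum of the rendered policy to the pod template annotations so an upgrade rolls the StatefulSet, or document the restart next to the mount, e.g. `# subPath mounts are not refreshed on ConfigMap change; the pod must be restarted`. Mounting the file read-only under `/run/spire/data`, the directory the disk key manager and the hard-coded key metadata file also use, is fine as the names do not collide. The containers spec starts and ends outside the hunk.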
From 2c1b2e53b3dcff68e60d5f53afefba50b7bec467 Mon Sep 17 00:00:00 2001
From: Maximiliano Churichi
Date: Mon, 14 Aug 2023 11:38:10 +0100
Subject: [PATCH 7/8] Refactor aws kms secret
Signed-off-by: Maximiliano Churichi
---
.../spire-server/templates/aws-kms-secret.yaml | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/charts/spire/charts/spire-server/templates/aws-kms-secret.yaml b/charts/spire/charts/spire-server/templates/aws-kms-secret.yaml
index ae51eee10..3477dccb8 100644
--- a/charts/spire/charts/spire-server/templates/aws-kms-secret.yaml
+++ b/charts/spire/charts/spire-server/templates/aws-kms-secret.yaml
@@ -1,14 +1,17 @@
-{{- if or (ne .Values.keyManager.awsKMS.accessKeyID "") (ne .Values.keyManager.awsKMS.secretAccessKey "") }}
+{{- $root := . }}
+{{- with .Values.keyManager.awsKMS }}
+{{- if or (ne .accessKeyID "") (ne .secretAccessKey "") }}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ include "spire-server.fullname" . }}-aws-kms
- namespace: {{ include "spire-server.namespace" . }}
+ name: {{ include "spire-server.fullname" $root }}-aws-kms
+ namespace: {{ include "spire-server.namespace" $root }}
 data:
- {{- if ne .Values.keyManager.awsKMS.accessKeyID "" }}
- AWS_KMS_ACCESS_KEY_ID: {{ .Values.keyManager.awsKMS.accessKeyID | b64enc }}
+ {{- if ne .accessKeyID "" }}
+ AWS_KMS_ACCESS_KEY_ID: {{ .accessKeyID | b64enc }}
 {{- end }}
- {{- if ne .Values.keyManager.awsKMS.secretAccessKey "" }}
- AWS_KMS_SECRET_ACCESS_KEY: {{ .Values.keyManager.awsKMS.secretAccessKey | b64enc }}
+ {{- if ne .secretAccessKey "" }}
+ AWS_KMS_SECRET_ACCESS_KEY: {{ .secretAccessKey | b64enc }}
 {{- end }}
 {{- end }}
+{{- end }}
From 2218b2be471e05d59cfdeb65d652504705868e8e Mon Sep 17 00:00:00 2001
From: Maximiliano Churichi
Date: Wed, 16 Aug 2023 16:04:30 +0100
Subject: [PATCH 8/8] Document aws kms credentials configuration alternatives
Signed-off-by: Maximiliano Churichi --- charts/spire/README.md | 8 ++++---- charts/spire/charts/spire-server/README.md | 8 ++++---- charts/spire/charts/spire-server/values.yaml | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index fba9e494a..efa20f4ec 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -341,13 +341,13 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.ingress.tls | list | `[]` | | | spire-server.initContainers | list | `[]` | | | spire-server.jwtIssuer | string | `"https://oidc-discovery.example.org"` | The JWT issuer domain | -| spire-server.keyManager.awsKMS.accessKeyID | string | `""` | Access key ID for the AWS account. If empty, the default credential chain will be used. | +| spire-server.keyManager.awsKMS.accessKeyID | Optional | `""` | Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. | | spire-server.keyManager.awsKMS.enabled | bool | `false` | | | spire-server.keyManager.awsKMS.keyPolicy | object | `{"existingConfigMap":"","policy":""}` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | -| spire-server.keyManager.awsKMS.keyPolicy.existingConfigMap | string | `""` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | -| spire-server.keyManager.awsKMS.keyPolicy.policy | string | `""` | Key policy in JSON format. | +| spire-server.keyManager.awsKMS.keyPolicy.existingConfigMap | Optional | `""` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | +| spire-server.keyManager.awsKMS.keyPolicy.policy | Optional | `""` | Key policy in JSON format. | | spire-server.keyManager.awsKMS.region | string | `""` | | -| spire-server.keyManager.awsKMS.secretAccessKey | string | `""` | Secret access key for the AWS account. If empty, the default credential chain will be used. | +| spire-server.keyManager.awsKMS.secretAccessKey | Optional | `""` | Secret access key for the AWS account. 
| | spire-server.keyManager.disk.enabled | bool | `true` | | | spire-server.keyManager.memory.enabled | bool | `false` | | | spire-server.livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 1733e0cfc..067191262 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -160,13 +160,13 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | ingress.tls | list | `[]` | | | initContainers | list | `[]` | | | jwtIssuer | string | `"https://oidc-discovery.example.org"` | The JWT issuer domain | -| keyManager.awsKMS.accessKeyID | string | `""` | Access key ID for the AWS account. If empty, the default credential chain will be used. | +| keyManager.awsKMS.accessKeyID | Optional | `""` | Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. | | keyManager.awsKMS.enabled | bool | `false` | | | keyManager.awsKMS.keyPolicy | object | `{"existingConfigMap":"","policy":""}` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | -| keyManager.awsKMS.keyPolicy.existingConfigMap | string | `""` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | -| keyManager.awsKMS.keyPolicy.policy | string | `""` | Key policy in JSON format. | +| keyManager.awsKMS.keyPolicy.existingConfigMap | Optional | `""` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | +| keyManager.awsKMS.keyPolicy.policy | Optional | `""` | Key policy in JSON format. | | keyManager.awsKMS.region | string | `""` | | -| keyManager.awsKMS.secretAccessKey | string | `""` | Secret access key for the AWS account. If empty, the default credential chain will be used. | +| keyManager.awsKMS.secretAccessKey | Optional | `""` | Secret access key for the AWS account. | | keyManager.disk.enabled | bool | `true` | | | keyManager.memory.enabled | bool | `false` | | | livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | 
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index a02e11100..8dfdad740 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -185,13 +185,13 @@ keyManager: region: "" # -- Policy to use when creating keys. If no policy is specified, a default policy will be used. keyPolicy: - # -- Key policy in JSON format. + # -- (Optional) Key policy in JSON format. policy: "" - # -- Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. + # -- (Optional) Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. existingConfigMap: "" - # -- Access key ID for the AWS account. If empty, the default credential chain will be used. + # -- (Optional) Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. accessKeyID: "" - # -- Secret access key for the AWS account. If empty, the default credential chain will be used. + # -- (Optional) Secret access key for the AWS account. secretAccessKey: "" upstreamAuthority:
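Review bot: The `(Optional)` prefix on the `# --` comments is read by helm-docs as the value's type — the regenerated README rows in this same patch now show `Optional` where they previously showed `string` — so the type column is lost for exactly the values a reader most needs to get right. helm-docs takes the type from the first parenthesised token, so write `# -- (string) Optional. Key policy in JSON format.` and the same shape for `existingConfigMap`, `accessKeyID` and `secretAccessKey`. The sentence dropped from `accessKeyID` and `secretAccessKey`, that the default AWS credential chain is used when they are empty, is what tells an operator following the IAM-role link that leaving both blank is the supported path; it is worth keeping next to the recommendation.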