Merge branch 'main' into production-settings-check

Signed-off-by: kfox1111 <[email protected]>
spiffe · Sep 18, 2023 · 894aa50 · 894aa50
2 parents 7298bbf + 800362a
commit 894aa50
Show file tree

Hide file tree

Showing 9 changed files with 320 additions and 200 deletions.
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
@@ -44,7 +44,7 @@ jobs:
           CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
@@ -3,7 +3,7 @@ name: spire
 description: >
   A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.12.0
+version: 0.13.0
 appVersion: "1.7.2"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts/tree/main/charts/spire

diff --git a/charts/spire/README.md b/charts/spire/README.md
@@ -1,8 +1,6 @@
 # spire
 
-<!-- This README.md is generated. Please edit README.md.gotmpl -->
-
-![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)
+![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -85,6 +83,8 @@ Now you can interact with the Spire agent socket from your own application. The
 | file://./charts/spire-server | spire-server | 0.1.0 |
 | file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 |
 
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
+
 ## Parameters
 
 ### Global parameters

diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -163,6 +163,38 @@ plugins:
   {{- end }}
   {{- end }}
 
+  {{- with .Values.upstreamAuthority.vault }}
+  {{- if eq (.enabled | toString) "true" }}
+  {{- $upstreamAuthorityUsed = add1 $upstreamAuthorityUsed }}
+  UpstreamAuthority:
+    vault:
+      plugin_data:
+        vault_addr: {{ .vaultAddr | quote }}
+        pki_mount_point: {{ .pkiMountPoint | quote }}
+        insecure_skip_verify: {{ .insecureSkipVerify }}
+        {{- if ne (.insecureSkipVerify | toString) "true" }}
+        ca_cert_path: "/run/spire/vault-upstream/ca.crt"
+        {{- end }}
+        {{- if ne .namespace "" }}
+        namespace: {{ .namespace | quote }}
+        {{- end }}
+
+        {{- $vaultAuthMethodUsed := 0 }}
+        {{- with .k8sAuth }}
+        {{- if eq (.enabled | toString) "true" }}
+        {{- $vaultAuthMethodUsed = add1 $vaultAuthMethodUsed }}
+        k8s_auth:
+          k8s_auth_mount_point: {{ .k8sAuthMountPoint | quote }}
+          k8s_auth_role_name: {{ .k8sAuthRoleName | quote }}
+          token_path: "/var/run/secrets/tokens/spire-server"
+        {{- end }}
+        {{- end }}
+        {{- if gt $vaultAuthMethodUsed 1 }}
+        {{- fail "You can only enable a single authentication mechanism to an upstream Vault." }}
+        {{- end }}
+  {{- end }}
+  {{- end }}  
+
   {{- with .Values.upstreamAuthority.awsPCA }}
   {{- if eq (.enabled | toString) "true" }}
   {{- $upstreamAuthorityUsed = add1 $upstreamAuthorityUsed }}

diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml
@@ -49,6 +49,9 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       {{- if or (gt (len .Values.initContainers) 0) (and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create) }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- end }}
       initContainers:
       {{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create }}
         - name: wait
@@ -167,7 +170,19 @@ spec:
               subPath: policy.json
               readOnly: true
             {{ end }}
-            {{ end }}
+            {{- end }}
+            {{- with .Values.upstreamAuthority.vault }}
+            {{- if eq (.enabled | toString) "true" }}
+            {{- if eq (.k8sAuth.enabled | toString) "true" }}
+            - name: spire-psat
+              mountPath: /var/run/secrets/tokens
+            {{- end }}
+            {{- if ne (.insecureSkipVerify | toString) "true" }}
+            - name: vault-ca
+              mountPath: /run/spire/vault-upstream
+            {{- end }}
+            {{- end }}
+            {{- end }}
             {{- if gt (len .Values.extraVolumeMounts) 0 }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -354,6 +369,33 @@ spec:
             path: {{ .Values.persistence.hostPath }}
             type: Directory
         {{- end }}
+        {{- with .Values.upstreamAuthority.vault }}
+        {{- if eq (.enabled | toString) "true" }}
+        {{- if ne (.insecureSkipVerify | toString) "true" }}
+        {{- if eq (.caCert.type | lower) "configmap" }}
+        - name: vault-ca
+          configMap:
+            name: {{ .caCert.name }}
+        {{- else if eq (.caCert.type | lower) "secret" }}
+        - name: vault-ca
+          secret:
+            secretName: {{ .caCert.name }}
+            optional: false
+        {{- end }}
+        {{- end -}}
+        {{- if eq (.k8sAuth.enabled | toString) "true" }}
+        - name: spire-psat
+          projected:
+            sources:
+            - serviceAccountToken:
+                path: spire-server
+                expirationSeconds: {{ .k8sAuth.token.expiry }}
+                {{- if ne .k8sAuth.token.audience "" }}
+                audience: {{ .k8sAuth.token.audience }}
+                {{- end }}
+        {{- end }}
+        {{- end -}}
+        {{- end -}}
   {{- if eq .Values.persistence.type "pvc" }}
   volumeClaimTemplates:
     - metadata:

diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
@@ -25,13 +25,13 @@ image:
 ## @param imagePullSecrets [array] Pull secrets for images
 imagePullSecrets: []
 
-## @param nameOverride Name override 
+## @param nameOverride Name override
 nameOverride: ""
 
-## @param namespaceOverride Namespace override 
+## @param namespaceOverride Namespace override
 namespaceOverride: ""
 
-## @param fullnameOverride Fullname override 
+## @param fullnameOverride Fullname override
 fullnameOverride: ""
 
 ## @param serviceAccount.create Specifies whether a service account should be created
@@ -59,6 +59,9 @@ securityContext: {}
   # runAsNonRoot: true
   # runAsUser: 1000
 
+## @param priorityClassName Priority class assigned to statefulset pods
+priorityClassName: ""
+
 ## @param service.type Type of the Spire server service created
 ## @param service.port Port for the created service
 ## @param service.annotations [object] Annotations to add to the service object
@@ -327,6 +330,35 @@ upstreamAuthority:
       address: ""
       ## @param upstreamAuthority.spire.server.port Port for upstream Spire server
       port: 8081
+  vault:
+    ## @param upstreamAuthority.vault.enabled Enable Hashicorp Vault as upstream CA
+    enabled: false
+    ## @param upstreamAuthority.vault.vaultAddr The URL of the Vault server. (e.g., https://vault.example.com:8443/)
+    vaultAddr: ""
+    ## @param upstreamAuthority.vault.namespace Name of the Vault namespace. This is only available in the Vault Enterprise.
+    namespace: ""
+    ## @param upstreamAuthority.vault.pkiMountPoint Name of the mount point where PKI secret engine is mounted
+    pkiMountPoint: "pki"
+      ## @param upstreamAuthority.vault.insecureSkipVerify If true, caCert options are ignored and Spire accepts any server certificates claiming to be Vault
+    insecureSkipVerify: false
+    caCert:
+      ## @param upstreamAuthority.vault.caCert.type Type of resource representing the Vault server certificate, options are 'Secret' or 'Configmap', the item must be named `ca.crt`
+      type: Secret
+      ## @param upstreamAuthority.vault.caCert.name Name of the Kubernetes resource containing the Vault server certificate
+      name: vault-ca
+
+    k8sAuth:
+      ## @param upstreamAuthority.vault.k8sAuth.enabled Enable k8s authentication to Hashicorp Vault
+      enabled: false
+      ## @param upstreamAuthority.vault.k8sAuth.k8sAuthMountPoint Name of the mount point where the Kubernetes auth method is mounted
+      k8sAuthMountPoint: "kubernetes"
+      ## @param upstreamAuthority.vault.k8sAuth.k8sAuthRoleName Required - Name of the Vault role. The plugin authenticates against the named role
+      k8sAuthRoleName: ""
+      token:
+        ## @param upstreamAuthority.vault.k8sAuth.token.audience Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info.
+        audience: "vault"
+        ## @param upstreamAuthority.vault.k8sAuth.token.expiry Expiry time in seconds for the token
+        expiry: 7200
 
 notifier:
   k8sbundle:

diff --git a/examples/production/values.yaml b/examples/production/values.yaml
@@ -25,6 +25,7 @@ spire-server:
       drop: [ALL]
     seccompProfile:
       type: RuntimeDefault
+  priorityClassName: system-cluster-critical
 
   logLevel: info
 

diff --git a/release-chart.sh b/release-chart.sh
@@ -107,7 +107,7 @@ git pull
 git checkout --track -B "${branch_name}" main
 commits_since_previous_release="$(git log "${chart}-${current_version}..HEAD" --pretty=format:'* %h %s')"
 "${SED}" -i "s/version: ${current_version}/version: ${new_version}/" "charts/${chart}/Chart.yaml"
-./helm-docs.sh
+"${SED}" -i "s/${current_version}/${new_version}/" "charts/${chart}/README.md"
 git add "charts/${chart}/"{Chart.yaml,README.md}
 git commit -m "Bump ${chart} Helm Chart version from ${current_version} to ${new_version}" \
   -m "${commits_since_previous_release}" \