diff --git a/helm-charts/0.26.1/charts/spire/templates/spire-agent-config-map.yaml b/helm-charts/0.26.1/charts/spire/templates/spire-agent-config-map.yaml
index a9cdac01..e8c9b8f3 100644
--- a/helm-charts/0.26.1/charts/spire/templates/spire-agent-config-map.yaml
+++ b/helm-charts/0.26.1/charts/spire/templates/spire-agent-config-map.yaml
@@ -18,39 +18,48 @@ metadata: namespace: {{ .Values.global.spire.namespace }} data: agent.conf: | - agent { - data_dir = "/run/spire" - log_level = {{ .Values.global.spire.logLevel | quote }} - server_address = {{ .Values.global.spire.serverAddress | quote }} - server_port = {{ .Values.global.spire.serverPort | quote }} - socket_path = "/run/spire/sockets/agent.sock" - trust_bundle_path = "/run/spire/bundle/bundle.crt" - trust_domain = {{ .Values.global.spire.trustDomain | quote }} - } - - health_checks { - bind_address = "0.0.0.0" - bind_port = "9982" - listener_enabled = true - live_path = "/live" - ready_path = "/ready" - } - - plugins { - NodeAttestor "k8s_psat" { - plugin_data { - cluster = "vsecm-cluster" - } - } - - KeyManager "memory" { - plugin_data { - } - } - - WorkloadAttestor "k8s" { - plugin_data { - skip_kubelet_verification = true - } + { + "agent": { + "data_dir": "/run/spire", + "log_level": {{ .Values.global.spire.logLevel | quote }}, + "server_address": {{ .Values.global.spire.serverAddress | quote }}, + "server_port": {{ .Values.global.spire.serverPort | quote }}, + "socket_path": "/run/spire/sockets/agent.sock", + "trust_bundle_path": "/run/spire/bundle/bundle.crt", + "trust_domain": {{ .Values.global.spire.trustDomain | quote }} + }, + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "9982", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "cluster": "vsecm-cluster" + } + } + } + ], + "KeyManager": [ + { + "memory": { + "plugin_data": null + } + } + ], + "WorkloadAttestor": [ + { + "k8s": { + "plugin_data": { + "skip_kubelet_verification": true + } + } + } + ] } } diff --git a/helm-charts/0.26.1/charts/spire/templates/spire-server-config-map.yaml b/helm-charts/0.26.1/charts/spire/templates/spire-server-config-map.yaml index 375dfda2..8565fd9f 100644 
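Review bot: `"plugin_data": null` under the memory KeyManager replaces what was an empty `plugin_data { }` block; SPIRE's JSON-form configuration examples use an empty object there, and if the HCL/JSON decoder does not treat null as an empty plugin config the agent will refuse its config at startup, so `"plugin_data": {}` is the safer literal. The same `null` appears in the agent ConfigMap section of k8s/0.26.1/spire.yaml further down this commit. The conversion also carries over `"skip_kubelet_verification": true`, which disables TLS verification of the kubelet the k8s workload attestor queries; now that log level and server address are chart values, this knob is a candidate for a documented value rather than a silent default baked into the template.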
--- a/helm-charts/0.26.1/charts/spire/templates/spire-server-config-map.yaml
+++ b/helm-charts/0.26.1/charts/spire/templates/spire-server-config-map.yaml
@@ -16,71 +16,76 @@ metadata: namespace: {{ .Values.global.spire.serverNamespace }} data: server.conf: | - server { - bind_address = "0.0.0.0" - bind_port = "8081" - trust_domain = {{ .Values.global.spire.trustDomain | quote }} - data_dir = "/run/spire/server/data" - log_level = "DEBUG" - federation { - bundle_endpoint { - address = "0.0.0.0" - port = 8443 - } - } - + { + "server": { + "bind_address": "0.0.0.0", + "bind_port": "8081", + "trust_domain": {{ .Values.global.spire.trustDomain | quote }}, + "data_dir": "/run/spire/server/data", + "log_level": "DEBUG", + "federation": { + "bundle_endpoint": { + "address": "0.0.0.0", + "port": 8443 + } {{- if .Values.experimental.eventsBasedCache }} - experimental { - events_based_cache = true - } -{{- end }} - - } - - health_checks { - bind_address = "0.0.0.0" - bind_port = "8080" - listener_enabled = true - live_path = "/live" - ready_path = "/ready" - } - - plugins { - DataStore "sql" { - plugin_data { - database_type = "sqlite3" - connection_string = "/run/spire/server/data/datastore.sqlite3" + }, + "experimental": { + "events_based_cache": true } - } - - NodeAttestor "k8s_psat" { - plugin_data { - clusters = { - "vsecm-cluster" = { - service_account_allow_list = ["{{ .Values.global.spire.namespace }}:spire-agent"] +{{- else }} + } +{{- end }} + }, + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "8080", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "DataStore": [ + { + "sql": { + "plugin_data": { + "database_type": "sqlite3", + "connection_string": "/run/spire/server/data/datastore.sqlite3" + } } } - } - } - - KeyManager "disk" { - plugin_data { - keys_path = "/run/spire/server/data/keys.json" - } - } - - Notifier "k8sbundle" { - plugin_data { - config_map = "spire-bundle" - namespace = "{{ .Values.global.spire.namespace }}" - } + ], + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "clusters": { + "vsecm-cluster": { + 
"service_account_allow_list": ["{{ .Values.global.spire.namespace }}:spire-agent"] + } + } + } + } + } + ], + "KeyManager": [ + { + "disk": { + "plugin_data": { + "keys_path": "/run/spire/server/data/keys.json" + } + } + } + ], + "Notifier": [ + { + "k8sbundle": { + "plugin_data": { + "config_map": "spire-bundle", + "namespace": "{{ .Values.global.spire.namespace }}" + } + } + } + ] } } - - health_checks { - listener_enabled = true - bind_address = "0.0.0.0" - bind_port = "8080" - live_path = "/live" - ready_path = "/ready" - } diff --git a/k8s/0.26.1/spire.yaml b/k8s/0.26.1/spire.yaml index 93de48f8..07493c07 100644 --- a/k8s/0.26.1/spire.yaml +++ b/k8s/0.26.1/spire.yaml 
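Review bot: `"log_level": "DEBUG"` is still hard-coded for the server while the agent template in this same commit reads `{{ .Values.global.spire.logLevel | quote }}`; DEBUG on the component that issues SVIDs is the most verbose setting, so the line should become `"log_level": {{ .Values.global.spire.logLevel | quote }},` to match. Separately, the `{{- if .Values.experimental.eventsBasedCache }}` block closes the `"federation"` object differently in each branch (`},` in one, `}` in the other), which is hard to read and easy to break on the next edit; closing `"federation"` unconditionally and emitting only the optional `"experimental"` member inside the conditional keeps the JSON valid in both cases. Indentation below is constructed, since the diff as rendered here has lost it.
```yaml
      "federation": {
        # … unchanged: bundle_endpoint object …
      }{{- if .Values.experimental.eventsBasedCache }},
      "experimental": {
        "events_based_cache": true
      }
{{- end }}
    },
```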
@@ -96,40 +96,49 @@ metadata: namespace: spire-system data: agent.conf: | - agent { - data_dir = "/run/spire" - log_level = "DEBUG" - server_address = "spire-server.spire-server.svc.cluster.local" - server_port = "8081" - socket_path = "/run/spire/sockets/agent.sock" - trust_bundle_path = "/run/spire/bundle/bundle.crt" - trust_domain = "vsecm.com" - } - - health_checks { - bind_address = "0.0.0.0" - bind_port = "9982" - listener_enabled = true - live_path = "/live" - ready_path = "/ready" - } - - plugins { - NodeAttestor "k8s_psat" { - plugin_data { - cluster = "vsecm-cluster" - } - } - - KeyManager "memory" { - plugin_data { - } - } - - WorkloadAttestor "k8s" { - plugin_data { - skip_kubelet_verification = true - } + { + "agent": { + "data_dir": "/run/spire", + "log_level": "DEBUG", + "server_address": "spire-server.spire-server.svc.cluster.local", + "server_port": "8081", + "socket_path": "/run/spire/sockets/agent.sock", + "trust_bundle_path": "/run/spire/bundle/bundle.crt", + "trust_domain": "vsecm.com" + }, + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "9982", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "cluster": "vsecm-cluster" + } + } + } + ], + "KeyManager": [ + { + "memory": { + "plugin_data": null + } + } + ], + "WorkloadAttestor": [ + { + "k8s": { + "plugin_data": { + "skip_kubelet_verification": true + } + } + } + ] } } --- 
@@ -238,68 +247,72 @@ metadata: namespace: spire-server data: server.conf: | - server { - bind_address = "0.0.0.0" - bind_port = "8081" - trust_domain = "vsecm.com" - data_dir = "/run/spire/server/data" - log_level = "DEBUG" - federation { - bundle_endpoint { - address = "0.0.0.0" - port = 8443 - } - } - - } - - health_checks { - bind_address = "0.0.0.0" - bind_port = "8080" - listener_enabled = true - live_path = "/live" - ready_path = "/ready" - } - - plugins { - DataStore "sql" { - plugin_data { - database_type = "sqlite3" - connection_string = "/run/spire/server/data/datastore.sqlite3" + { + "server": { + "bind_address": "0.0.0.0", + "bind_port": "8081", + "trust_domain": "vsecm.com", + "data_dir": "/run/spire/server/data", + "log_level": "DEBUG", + "federation": { + "bundle_endpoint": { + "address": "0.0.0.0", + "port": 8443 + } } - } - - NodeAttestor "k8s_psat" { - plugin_data { - clusters = { - "vsecm-cluster" = { - service_account_allow_list = ["spire-system:spire-agent"] + }, + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "8080", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "DataStore": [ + { + "sql": { + "plugin_data": { + "database_type": "sqlite3", + "connection_string": "/run/spire/server/data/datastore.sqlite3" + } } } - } - } - - KeyManager "disk" { - plugin_data { - keys_path = "/run/spire/server/data/keys.json" - } - } - - Notifier "k8sbundle" { - plugin_data { - config_map = "spire-bundle" - namespace = "spire-system" - } + ], + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "clusters": { + "vsecm-cluster": { + "service_account_allow_list": ["spire-system:spire-agent"] + } + } + } + } + } + ], + "KeyManager": [ + { + "disk": { + "plugin_data": { + "keys_path": "/run/spire/server/data/keys.json" + } + } + } + ], + "Notifier": [ + { + "k8sbundle": { + "plugin_data": { + "config_map": "spire-bundle", + "namespace": "spire-system" + } + } + } + ] } } - - health_checks 
{ - listener_enabled = true - bind_address = "0.0.0.0" - bind_port = "8080" - live_path = "/live" - ready_path = "/ready" - } --- # Source: vsecm/charts/spire/templates/crd-rbac/hook-preinstall_role.yaml # /*