From 9757f3acd8970023cc49b7f2164562733cedeef1 Mon Sep 17 00:00:00 2001 From: Prashant Mishra Date: Thu, 18 Jul 2024 03:51:56 +0530 Subject: [PATCH 1/7] initiating Workload Identity with Spire (#1) * initiating spire server Signed-off-by: PrimalPimmy Spire agent init Signed-off-by: PrimalPimmy bundle update Signed-off-by: PrimalPimmy bundle update Signed-off-by: PrimalPimmy bundle update Signed-off-by: PrimalPimmy CSI driver and spire server changes Signed-off-by: PrimalPimmy Added informer Signed-off-by: PrimalPimmy Added informer Signed-off-by: PrimalPimmy spiffe csi on agent Signed-off-by: PrimalPimmy spiffe csi with agent Signed-off-by: PrimalPimmy some fixes Signed-off-by: PrimalPimmy * removed rebase Signed-off-by: PrimalPimmy --------- Signed-off-by: PrimalPimmy fixed ver 1.10.0 Signed-off-by: PrimalPimmy Server reconfigure Signed-off-by: PrimalPimmy permissions needed to update configmap Signed-off-by: PrimalPimmy added cluster-list and kubeconfig cm Signed-off-by: PrimalPimmy added cluster-list and kubeconfig cm Signed-off-by: PrimalPimmy added cluster-list and kubeconfig cm Signed-off-by: PrimalPimmy added cluster-list and kubeconfig cm Signed-off-by: PrimalPimmy added cluster-list and kubeconfig cm Signed-off-by: PrimalPimmy added cluster-list and kubeconfig cm Signed-off-by: PrimalPimmy oidc insecure Signed-off-by: PrimalPimmy removed regional Signed-off-by: PrimalPimmy add spire namespace Signed-off-by: PrimalPimmy spire controller changes Signed-off-by: PrimalPimmy spire-system -> spire Signed-off-by: PrimalPimmy spire CRDs Signed-off-by: PrimalPimmy kustomization Signed-off-by: PrimalPimmy adding more crd Signed-off-by: PrimalPimmy adding more crd Signed-off-by: PrimalPimmy reverting some changes Signed-off-by: PrimalPimmy namespace change Signed-off-by: PrimalPimmy configmap change Signed-off-by: PrimalPimmy configmap change Signed-off-by: PrimalPimmy minor format fix Signed-off-by: PrimalPimmy trust domain change 
Signed-off-by: PrimalPimmy namespace change 
Signed-off-by: PrimalPimmy --- .../app/controller/clusterrole-bootstrap.yaml | 8 + .../app/controller/deployment-controller.yaml | 20 +- nephio/optional/spire-agent/Kptfile | 26 ++ nephio/optional/spire-agent/spiffe-csi.yaml | 133 ++++++++++ nephio/optional/spire-agent/spire-agent.yaml | 143 +++++++++++ nephio/optional/spire/Kptfile | 8 + nephio/optional/spire/README.md | 21 ++ nephio/optional/spire/cluster-list.yaml | 12 + .../spire/crd-rbac/leader_election_role.yaml | 16 ++ .../leader_election_role_binding.yaml | 13 + nephio/optional/spire/crd-rbac/role.yaml | 47 ++++ .../optional/spire/crd-rbac/role_binding.yaml | 12 + ...piffe.io_clusterfederatedtrustdomains.yaml | 99 ++++++++ .../crd/spire.spiffe.io_clusterspiffeids.yaml | 238 ++++++++++++++++++ .../spire.spiffe.io_clusterstaticentries.yaml | 102 ++++++++ ...re.spiffe.io_controllermanagerconfigs.yaml | 59 +++++ nephio/optional/spire/kubeconfigs.yaml | 6 + nephio/optional/spire/kustomization.yaml | 22 ++ nephio/optional/spire/oidc-dp-configmap.yaml | 16 ++ nephio/optional/spire/package-context.yaml | 8 + nephio/optional/spire/serconfig.yaml | 66 +++++ .../optional/spire/server-oidc-service.yaml | 14 ++ nephio/optional/spire/server-statefulset.yaml | 189 ++++++++++++++ .../spire-controller-manager-config.yaml | 25 ++ .../spire-controller-manager-webhook.yaml | 33 +++ nephio/optional/spire/spire-namespace.yaml | 4 + nephio/optional/spire/spire-service.yaml | 51 ++++ 27 files changed, 1389 insertions(+), 2 deletions(-) create mode 100644 nephio/optional/spire-agent/Kptfile create mode 100644 nephio/optional/spire-agent/spiffe-csi.yaml create mode 100644 nephio/optional/spire-agent/spire-agent.yaml create mode 100644 nephio/optional/spire/Kptfile create mode 100644 nephio/optional/spire/README.md create mode 100644 nephio/optional/spire/cluster-list.yaml create mode 100644 nephio/optional/spire/crd-rbac/leader_election_role.yaml create mode 100644 nephio/optional/spire/crd-rbac/leader_election_role_binding.yaml 
create mode 100644 nephio/optional/spire/crd-rbac/role.yaml create mode 100644 nephio/optional/spire/crd-rbac/role_binding.yaml create mode 100644 nephio/optional/spire/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml create mode 100644 nephio/optional/spire/crd/spire.spiffe.io_clusterspiffeids.yaml create mode 100644 nephio/optional/spire/crd/spire.spiffe.io_clusterstaticentries.yaml create mode 100644 nephio/optional/spire/crd/spire.spiffe.io_controllermanagerconfigs.yaml create mode 100644 nephio/optional/spire/kubeconfigs.yaml create mode 100644 nephio/optional/spire/kustomization.yaml create mode 100644 nephio/optional/spire/oidc-dp-configmap.yaml create mode 100644 nephio/optional/spire/package-context.yaml create mode 100644 nephio/optional/spire/serconfig.yaml create mode 100644 nephio/optional/spire/server-oidc-service.yaml create mode 100644 nephio/optional/spire/server-statefulset.yaml create mode 100644 nephio/optional/spire/spire-controller-manager-config.yaml create mode 100644 nephio/optional/spire/spire-controller-manager-webhook.yaml create mode 100644 nephio/optional/spire/spire-namespace.yaml create mode 100644 nephio/optional/spire/spire-service.yaml diff --git a/nephio/core/nephio-operator/app/controller/clusterrole-bootstrap.yaml b/nephio/core/nephio-operator/app/controller/clusterrole-bootstrap.yaml index c9b56d8..cdf51cb 100644 --- a/nephio/core/nephio-operator/app/controller/clusterrole-bootstrap.yaml +++ b/nephio/core/nephio-operator/app/controller/clusterrole-bootstrap.yaml @@ -20,6 +20,14 @@ rules: - get - list - watch +- apiGroups: + - '*' + resources: + - configmaps + verbs: + - update + - list + - watch - apiGroups: - '*' resources: diff --git a/nephio/core/nephio-operator/app/controller/deployment-controller.yaml b/nephio/core/nephio-operator/app/controller/deployment-controller.yaml index 34a6443..37ee9ec 100644 --- a/nephio/core/nephio-operator/app/controller/deployment-controller.yaml 
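Review bot: The new `configmaps` rule uses `apiGroups: ['*']` although ConfigMaps only exist in the core API group, and it grants `update`, `list` and `watch` without `get`, which a read-modify-update flow in a controller normally needs; `apiGroups: [""]` with `verbs: ["get", "list", "watch", "update"]` would be both tighter and more usable. Because this is a ClusterRole the grant covers every ConfigMap in every namespace; the commit message suggests the operator only needs the cluster-list and kubeconfig ConfigMaps in the `spire` namespace, so a namespaced Role plus RoleBinding would be the narrower shape if that is the case. A one-line comment above the rule naming the ConfigMaps it exists for would make the intent auditable.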
+++ b/nephio/core/nephio-operator/app/controller/deployment-controller.yaml @@ -25,7 +25,7 @@ spec: name: nephio-controller namespace: nephio-system spec: - containers: + containers: - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ @@ -85,9 +85,19 @@ spec: value: "true" - name: ENABLE_NETWORKS value: "true" + - name: ENABLE_WORKLOADIDENTITY + value: "true" - name: CLIENT_PROXY_ADDRESS value: resource-backend-controller-grpc-svc.backend-system.svc.cluster.local:9999 - image: docker.io/nephio/nephio-operator:latest + - name: SPIFFE_ENDPOINT_SOCKET + value: unix:///spiffe-workload-api/spire-agent.sock + # Temporary image + image: docker.io/nephio/nephio-operator:ubuntu + imagePullPolicy: Never + volumeMounts: + - name: spiffe-workload-api + mountPath: /spiffe-workload-api + readOnly: true livenessProbe: httpGet: path: /healthz @@ -114,4 +124,10 @@ spec: drop: - ALL serviceAccountName: nephio-controller + volumes: + - name: spiffe-workload-api + csi: + driver: "csi.spiffe.io" + readOnly: true + status: {} diff --git a/nephio/optional/spire-agent/Kptfile b/nephio/optional/spire-agent/Kptfile new file mode 100644 index 0000000..e8cdee9 --- /dev/null +++ b/nephio/optional/spire-agent/Kptfile @@ -0,0 +1,26 @@ +apiVersion: kpt.dev/v1 +kind: Kptfile +metadata: + name: spire-agent + namespace: spire +packageMetadata: + shortDescription: "Kpt package for deploying spire-agent" + keywords: + - spire + - agent + - security + - identity + site: "https://spiffe.io" + maintainers: + - name: "Maintainer Name" + email: "maintainer@example.com" + licenses: + - Apache-2.0 + categories: + - security + - identity + version: "1.0.0" +inventory: + namespace: spire + inventoryID: spire-agent + diff --git a/nephio/optional/spire-agent/spiffe-csi.yaml b/nephio/optional/spire-agent/spiffe-csi.yaml new file mode 100644 index 0000000..520c569 --- /dev/null +++ b/nephio/optional/spire-agent/spiffe-csi.yaml 
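Review bot: In the second hunk `image: docker.io/nephio/nephio-operator:ubuntu` with `imagePullPolicy: Never` replaces the previous `:latest` image by a mutable tag that is never pulled, so whatever image carries that tag on the node at scheduling time is what runs, and the `# Temporary image` comment gives no condition or tracking reference for reverting it. If the custom image is needed for the SPIFFE socket support, pinning it by digest (`image: docker.io/nephio/nephio-operator@sha256:<digest>`) and restoring `imagePullPolicy: IfNotPresent` keeps the change reproducible; otherwise the comment should at least name the follow-up that removes it. The `status: {}` added at the end of the last hunk is a server-managed field and can be dropped from the manifest.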
@@ -0,0 +1,133 @@ +# Source: spire-agent/templates/csi-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spiffe-csi-driver + namespace: spire + +--- + +# Source: spire-agent/templates/spiffe-csi-driver.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spiffe-csi-driver + namespace: spire + labels: + app: spiffe-csi-driver +spec: + selector: + matchLabels: + app: spiffe-csi-driver + template: + metadata: + namespace: spire + labels: + app: spiffe-csi-driver + spec: + serviceAccountName: spiffe-csi-driver + containers: + # This is the container which runs the SPIFFE CSI driver. + - name: spiffe-csi-driver + image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6 + imagePullPolicy: IfNotPresent + args: [ + "-workload-api-socket-dir", "/spire-agent-socket", + "-csi-socket-path", "/spiffe-csi/csi.sock", + ] + env: + # The CSI driver needs a unique node ID. The node name can be + # used for this purpose. + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + # The volume containing the SPIRE agent socket. The SPIFFE CSI + # driver will mount this directory into containers. + - mountPath: /spire-agent-socket + name: spire-agent-socket-dir + readOnly: true + # The volume that will contain the CSI driver socket shared + # with the kubelet and the driver registrar. + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The volume containing mount points for containers. + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + securityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - all + privileged: true + # This container runs the CSI Node Driver Registrar which takes care + # of all the little details required to register a CSI driver with + # the kubelet. 
+ - name: node-driver-registrar + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.0 + imagePullPolicy: IfNotPresent + args: [ + "-csi-address", "/spiffe-csi/csi.sock", + "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", + ] + volumeMounts: + # The registrar needs access to the SPIFFE CSI driver socket + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The registrar needs access to the Kubelet plugin registration + # directory + - name: kubelet-plugin-registration-dir + mountPath: /registration + volumes: + # This volume is used to share the Workload API socket between the CSI + # driver and SPIRE agent. Note, an emptyDir volume could also be used + # (if the CSI driver and SPIRE agent shared a pod), however, + # this can lead to broken bind mounts in the workload + # containers if the agent pod is restarted (since the emptyDir + # directory on the node that was mounted into workload containers by + # the CSI driver belongs to the old pod instance and is no longer + # valid). + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/agent-sockets + type: DirectoryOrCreate + # This volume is where the socket for kubelet->driver communication lives + - name: spiffe-csi-socket-dir + hostPath: + path: /var/lib/kubelet/plugins/csi.spiffe.io + type: DirectoryOrCreate + # This volume is where the SPIFFE CSI driver mounts volumes + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + # This volume is where the node-driver-registrar registers the plugin + # with kubelet + - name: kubelet-plugin-registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory +--- + +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: "csi.spiffe.io" +spec: + # Only ephemeral, inline volumes are supported. There is no need for a + # controller to provision and attach volumes. 
+ attachRequired: false + + # Request the pod information which the CSI driver uses to verify that an + # ephemeral mount was requested. + podInfoOnMount: true + + # Don't change ownership on the contents of the mount since the Workload API + # Unix Domain Socket is typically open to all (i.e. 0777). + fsGroupPolicy: None + + # Declare support for ephemeral volumes only. + volumeLifecycleModes: + - Ephemeral \ No newline at end of file diff --git a/nephio/optional/spire-agent/spire-agent.yaml b/nephio/optional/spire-agent/spire-agent.yaml new file mode 100644 index 0000000..6f2c134 --- /dev/null +++ b/nephio/optional/spire-agent/spire-agent.yaml 
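Review bot: The `spiffe-csi-driver` container sets `privileged: true` right after `drop: - all`; the privileged flag is what the `mountPropagation: Bidirectional` mount on `/var/lib/kubelet/pods` requires, so the capability drop is largely cosmetic, and it should be spelled `ALL` as the deployment-controller manifest in this same commit does, since that is the form the Kubernetes documentation and the Pod Security Standards use. A comment above the flag such as `# privileged is required for the Bidirectional mount propagation into /var/lib/kubelet/pods` would let a reader distinguish this from an accidental escalation. The DaemonSet also declares no `resources` requests or limits for either container, so a misbehaving driver can consume node resources unbounded; this file is also missing its trailing newline.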
@@ -0,0 +1,143 @@ +# ServiceAccount for the SPIRE agent +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + namespace: spire + +--- + +# Required cluster role to allow spire-agent to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role +rules: +- apiGroups: [""] + resources: ["pods","nodes","nodes/proxy"] + verbs: ["get"] + +--- + +# Binds above cluster role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role-binding +subjects: +- kind: ServiceAccount + name: spire-agent + namespace: spire +roleRef: + kind: ClusterRole + name: spire-agent-cluster-role + apiGroup: rbac.authorization.k8s.io + + +--- + +# ConfigMap for the SPIRE agent featuring: +# 1) PSAT node attestation +# 2) K8S Workload Attestation over the secure kubelet port +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + namespace: spire +data: + agent.conf: | + agent { + data_dir = "/run/spire" + log_level = "DEBUG" + server_address = "spire-server" + server_port = "8081" + socket_path = "/run/spire/sockets/spire-agent.sock" + trust_bundle_path = "/run/spire/bundle/bundle.crt" + trust_domain = "example.org" + } + + plugins { + NodeAttestor "k8s_psat" { + plugin_data { + cluster = "kind" + } + } + + KeyManager "memory" { + plugin_data { + } + } + + WorkloadAttestor "k8s" { + plugin_data { + skip_kubelet_verification = true + } + } + } + +--- + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + namespace: spire + labels: + app: spire-agent +spec: + selector: + matchLabels: + app: spire-agent + updateStrategy: + type: RollingUpdate + template: + metadata: + namespace: spire + labels: + app: spire-agent + spec: + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: spire-agent + containers: + - name: spire-agent + image: ghcr.io/spiffe/spire-agent:1.8.0 + 
imagePullPolicy: IfNotPresent + args: ["-config", "/run/spire/config/agent.conf"] + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + readOnly: true + - name: spire-token + mountPath: /var/run/secrets/tokens + - name: spire-agent-socket-dir + mountPath: /run/spire/sockets + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server + # This volume is used to share the Workload API socket between the CSI + # driver and SPIRE agent. Note, an emptyDir volume could also be used, + # however, this can lead to broken bind mounts in the workload + # containers if the agent pod is restarted (since the emptyDir + # directory on the node that was mounted into workload containers by + # the CSI driver belongs to the old pod instance and is no longer + # valid). + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/agent-sockets + type: DirectoryOrCreate \ No newline at end of file diff --git a/nephio/optional/spire/Kptfile b/nephio/optional/spire/Kptfile new file mode 100644 index 0000000..d8a3bb9 --- /dev/null +++ b/nephio/optional/spire/Kptfile @@ -0,0 +1,8 @@ +apiVersion: kpt.dev/v1 +kind: Kptfile +metadata: + name: spire + annotations: + config.kubernetes.io/local-config: "true" +info: + description: sample description diff --git a/nephio/optional/spire/README.md b/nephio/optional/spire/README.md new file mode 100644 index 0000000..0e12860 --- /dev/null +++ b/nephio/optional/spire/README.md 
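Review bot: The agent ConfigMap sets `skip_kubelet_verification = true` under `WorkloadAttestor "k8s"`, which turns off TLS verification of the kubelet the agent queries, so the workload-to-pod mapping that every SVID issuance depends on can be answered by anything listening on the kubelet port; the header comment's "K8S Workload Attestation over the secure kubelet port" is undercut by this. Where the kubelet serving certificate is signed by a CA the agent can read, pointing the attestor at it via the plugin's `kubelet_ca_path` option and removing the skip is the safer default; if the skip is deliberate for kind clusters, say so in the comment. `trust_domain = "example.org"`, `cluster = "kind"` and `log_level = "DEBUG"` are sample values that a real deployment must override, and nothing marks them as such. The image is pinned to `ghcr.io/spiffe/spire-agent:1.8.0` while the commit message mentions fixing the version to 1.10.0; the server manifest is not in view here, so the agent/server version pairing should be confirmed.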
@@ -0,0 +1,21 @@ +# spire + +## Description +sample description + +## Usage + +### Fetch the package +`kpt pkg get REPO_URI[.git]/PKG_PATH[@VERSION] spire` +Details: https://kpt.dev/reference/cli/pkg/get/ + +### View package content +`kpt pkg tree spire` +Details: https://kpt.dev/reference/cli/pkg/tree/ + +### Apply the package +``` +kpt live init spire +kpt live apply spire --reconcile-timeout=2m --output=table +``` +Details: https://kpt.dev/reference/cli/live/ diff --git a/nephio/optional/spire/cluster-list.yaml b/nephio/optional/spire/cluster-list.yaml new file mode 100644 index 0000000..63ffbbc --- /dev/null +++ b/nephio/optional/spire/cluster-list.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: clusters + namespace: spire +data: + clusters.conf: | + clusters= { + "kind" = { + service_account_allow_list = ["spire:spire-agent"] + } + } \ No newline at end of file diff --git a/nephio/optional/spire/crd-rbac/leader_election_role.yaml b/nephio/optional/spire/crd-rbac/leader_election_role.yaml new file mode 100644 index 0000000..96d3665 --- /dev/null +++ b/nephio/optional/spire/crd-rbac/leader_election_role.yaml @@ -0,0 +1,16 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: leader-election-role + namespace: spire +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] diff --git a/nephio/optional/spire/crd-rbac/leader_election_role_binding.yaml b/nephio/optional/spire/crd-rbac/leader_election_role_binding.yaml new file mode 100644 index 0000000..3d276ab --- /dev/null +++ b/nephio/optional/spire/crd-rbac/leader_election_role_binding.yaml 
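Review bot: `cluster-list.yaml` hard-codes the cluster name `"kind"` and the allowed service account `spire:spire-agent`, and the agent ConfigMap in `spire-agent.yaml` from this same commit carries a matching `cluster = "kind"`; the two values must stay in sync or PSAT node attestation fails, and nothing in either file records that coupling. A comment above `clusters.conf` such as `# cluster key must match NodeAttestor "k8s_psat" cluster in spire-agent.yaml` would capture it. The file is also missing its trailing newline.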
@@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: leader-election-rolebinding + namespace: spire +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire diff --git a/nephio/optional/spire/crd-rbac/role.yaml b/nephio/optional/spire/crd-rbac/role.yaml new file mode 100644 index 0000000..b6f2ba4 --- /dev/null +++ b/nephio/optional/spire/crd-rbac/role.yaml 
@@ -0,0 +1,47 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/status"] + verbs: ["get", "patch", "update"] diff --git a/nephio/optional/spire/crd-rbac/role_binding.yaml b/nephio/optional/spire/crd-rbac/role_binding.yaml new file mode 100644 index 0000000..6487b6d --- /dev/null +++ b/nephio/optional/spire/crd-rbac/role_binding.yaml 
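Review bot: The ClusterRole is named `manager-role`, the controller-gen default, which collides with any other kubebuilder-based operator installed with its default RBAC names; the `manager-rolebinding` ClusterRoleBinding in the next hunk and the namespaced `leader-election-role` have the same problem, and for the cluster-scoped objects a later install would overwrite or merge the rules without warning. Prefixing them, e.g. `name: spire-controller-manager-role`, and updating `roleRef.name` in `role_binding.yaml` to match avoids that. The binding grants these CRD and webhook permissions to the `spire-server` service account, presumably because the controller manager runs alongside the server; a comment stating that would make the grant auditable.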
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire diff --git a/nephio/optional/spire/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/nephio/optional/spire/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml new file mode 100644 index 0000000..c660284 --- /dev/null +++ b/nephio/optional/spire/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml 
@@ -0,0 +1,99 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clusterfederatedtrustdomains.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterFederatedTrustDomain + listKind: ClusterFederatedTrustDomainList + plural: clusterfederatedtrustdomains + singular: clusterfederatedtrustdomain + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trustDomain + name: Trust Domain + type: string + - jsonPath: .spec.bundleEndpointURL + name: Endpoint URL + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterFederatedTrustDomainSpec defines the desired state + of ClusterFederatedTrustDomain + properties: + bundleEndpointProfile: + description: BundleEndpointProfile is the profile for the bundle endpoint. + properties: + endpointSPIFFEID: + description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. + It is required for the "https_spiffe" profile. + type: string + type: + description: Type is the type of the bundle endpoint profile. 
+ enum: + - https_spiffe + - https_web + type: string + required: + - type + type: object + bundleEndpointURL: + description: BundleEndpointURL is the URL of the bundle endpoint. + It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). + type: string + className: + description: Set which Controller Class will act on this object + type: string + trustDomain: + description: TrustDomain is the name of the trust domain to federate + with (e.g. example.org) + pattern: '[a-z0-9._-]{1,255}' + type: string + trustDomainBundle: + description: TrustDomainBundle is the contents of the bundle for the + referenced trust domain. This field is optional when the resource + is created. + type: string + required: + - bundleEndpointProfile + - bundleEndpointURL + - trustDomain + type: object + status: + description: ClusterFederatedTrustDomainStatus defines the observed state + of ClusterFederatedTrustDomain + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + \ No newline at end of file diff --git a/nephio/optional/spire/crd/spire.spiffe.io_clusterspiffeids.yaml b/nephio/optional/spire/crd/spire.spiffe.io_clusterspiffeids.yaml new file mode 100644 index 0000000..71cbcfb --- /dev/null +++ b/nephio/optional/spire/crd/spire.spiffe.io_clusterspiffeids.yaml 
@@ -0,0 +1,238 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clusterspiffeids.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterSPIFFEID + listKind: ClusterSPIFFEIDList + plural: clusterspiffeids + singular: clusterspiffeid + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSPIFFEID is the Schema for the clusterspiffeids API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID + properties: + admin: + description: Admin indicates whether or not the SVID can be used to + access the SPIRE administrative APIs. Extra care should be taken + to only apply this SPIFFE ID to admin workloads. + type: boolean + autoPopulateDNSNames: + description: AutoPopulateDNSNames indicates whether or not to auto + populate service DNS names. + type: boolean + className: + description: Set which Controller Class will act on this object + type: string + dnsNameTemplates: + description: DNSNameTemplate represents templates for extra DNS names + that are applicable to SVIDs minted for this ClusterSPIFFEID. 
The + node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + downstream: + description: Downstream indicates that the entry describes a downstream + SPIRE server. + type: boolean + federatesWith: + description: FederatesWith is a list of trust domain names that workloads + that obtain this SPIFFE ID will federate with. + items: + type: string + type: array + jwtTtl: + description: JWTTTL indicates an upper-bound time-to-live for JWT + SVIDs minted for this ClusterSPIFFEID. + type: string + namespaceSelector: + description: NamespaceSelector selects the namespaces that are targeted + by this CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: PodSelector selects the pods that are targeted by this + CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + spiffeIDTemplate: + description: SPIFFEID is the SPIFFE ID template. The node and pod + spec are made available to the template under .NodeSpec, .PodSpec + respectively. + type: string + ttl: + description: TTL indicates an upper-bound time-to-live for X509 SVIDs + minted for this ClusterSPIFFEID. If unset, a default will be chosen. 
+ type: string + workloadSelectorTemplates: + description: WorkloadSelectorTemplates are templates to produce arbitrary + workload selectors that apply to a given workload before it will + receive this SPIFFE ID. The rendered value is interpreted by SPIRE + and are of the form type:value, where the value may, and often does, + contain semicolons, .e.g., k8s:container-image:docker/hello-world + The node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + required: + - spiffeIDTemplate + type: object + status: + description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID + properties: + stats: + description: Stats produced by the last entry reconciliation run + properties: + entriesMasked: + description: How many entries were masked by entries for other + ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs + produce an entry for the same pod with the same set of workload + selectors. + type: integer + entriesToSet: + description: How many entries are to be set for this ClusterSPIFFEID. + In nominal conditions, this should reflect the number of pods + selected, but not always if there were problems encountered + rendering an entry for the pod (RenderFailures) or entries are + masked (EntriesMasked). + type: integer + entryFailures: + description: How many entries were unable to be set due to failures + to create or update the entries via the SPIRE Server API. + type: integer + namespacesIgnored: + description: How many (selected) namespaces were ignored (based + on configuration). + type: integer + namespacesSelected: + description: How many namespaces were selected. + type: integer + podEntryRenderFailures: + description: How many failures were encountered rendering an entry + selected pods. This could be due to either a bad template in + the ClusterSPIFFEID or Pod metadata that when applied to the + template did not produce valid entry values. 
+ type: integer + podsSelected: + description: How many pods were selected out of the namespaces. + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + \ No newline at end of file diff --git a/nephio/optional/spire/crd/spire.spiffe.io_clusterstaticentries.yaml b/nephio/optional/spire/crd/spire.spiffe.io_clusterstaticentries.yaml new file mode 100644 index 0000000..4ff26a9 --- /dev/null +++ b/nephio/optional/spire/crd/spire.spiffe.io_clusterstaticentries.yaml 
@@ -0,0 +1,102 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clusterstaticentries.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterStaticEntry + listKind: ClusterStaticEntryList + plural: clusterstaticentries + singular: clusterstaticentry + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterStaticEntry is the Schema for the clusterstaticentries + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry + properties: + admin: + type: boolean + className: + description: Set which Controller Class will act on this object + type: string + dnsNames: + items: + type: string + type: array + downstream: + type: boolean + federatesWith: + items: + type: string + type: array + hint: + type: string + jwtSVIDTTL: + type: string + parentID: + type: string + selectors: + items: + type: string + type: array + spiffeID: + type: string + storeSVID: + type: boolean + x509SVIDTTL: + type: string + required: + - parentID + - selectors + - spiffeID + type: object + status: + description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry + properties: + masked: + description: If the static entry was masked by another entry. + type: boolean + rendered: + description: If the static entry rendered properly. + type: boolean + set: + description: If the static entry was successfully created/updated. + type: boolean + required: + - masked + - rendered + - set + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + \ No newline at end of file diff --git a/nephio/optional/spire/crd/spire.spiffe.io_controllermanagerconfigs.yaml b/nephio/optional/spire/crd/spire.spiffe.io_controllermanagerconfigs.yaml new file mode 100644 index 0000000..ba8f18a --- /dev/null +++ b/nephio/optional/spire/crd/spire.spiffe.io_controllermanagerconfigs.yaml 
@@ -0,0 +1,59 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: controllermanagerconfigs.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ControllerManagerConfig + listKind: ControllerManagerConfigList + plural: controllermanagerconfigs + singular: controllermanagerconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ControllerManagerConfig is the Schema for the controllermanagerconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControllerManagerConfigSpec defines the desired state of + ControllerManagerConfig + properties: + foo: + description: Foo is an example field of ControllerManagerConfig. Edit + controllermanagerconfig_types.go to remove/update + type: string + type: object + status: + description: ControllerManagerConfigStatus defines the observed state + of ControllerManagerConfig + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file 
diff --git a/nephio/optional/spire/kubeconfigs.yaml b/nephio/optional/spire/kubeconfigs.yaml new file mode 100644 index 0000000..2231683 --- /dev/null +++ b/nephio/optional/spire/kubeconfigs.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: kubeconfigs + namespace: spire +data: {} diff --git a/nephio/optional/spire/kustomization.yaml b/nephio/optional/spire/kustomization.yaml new file mode 100644 index 0000000..00efa8c --- /dev/null +++ b/nephio/optional/spire/kustomization.yaml @@ -0,0 +1,22 @@ +resources: +- spire/spiffe-csi-driver.yaml +- spire/spire-namespace.yaml +- crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml +- crd/spire.spiffe.io_clusterspiffeids.yaml +- crd/spire.spiffe.io_clusterstaticentries.yaml +- crd-rbac/role.yaml +- crd-rbac/role_binding.yaml +- crd-rbac/leader_election_role.yaml +- crd-rbac/leader_election_role_binding.yaml +- spire/spire-server.yaml +- spire/spire-agent.yaml +- spire/spire-controller-manager-webhook.yaml + +generatorOptions: + disableNameSuffixHash: true + +configMapGenerator: +- name: spire-controller-manager-config + namespace: spire + files: + - spire/spire-controller-manager-config.yaml \ No newline at end of file diff --git a/nephio/optional/spire/oidc-dp-configmap.yaml b/nephio/optional/spire/oidc-dp-configmap.yaml new file mode 100644 index 0000000..992aa49 --- /dev/null +++ b/nephio/optional/spire/oidc-dp-configmap.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: oidc-discovery-provider + namespace: spire +data: + oidc-discovery-provider.conf: | + log_level = "INFO" + # TODO: Replace MY_DISCOVERY_DOMAIN with the FQDN of the Discovery Provider that you will configure in DNS + domains = ["localhost"] + allow_insecure_scheme = true + insecure_addr = "localhost:8888" + server_api { + address = "unix:///tmp/spire-server/private/api.sock" + } + health_checks {} 
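Review bot: `kind: ConfigMap` is the wrong object type if this `kubeconfigs` map is meant to carry kubeconfig files, which its mount at `/run/spire/kubeconfigs` in server-statefulset.yaml and the service-account token Secret added later in this series suggest. A kubeconfig embeds a bearer token or client key, and a ConfigMap is readable by anything holding `configmaps/get` in the namespace and is outside Secret encryption-at-rest and Secret-specific RBAC. Changing it to `kind: Secret` with `type: Opaque` (and switching the StatefulSet volume from `configMap:` to `secret:`) keeps the same mount layout.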
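Review bot: `insecure_addr = "localhost:8888"` binds the discovery provider to the pod's loopback, so traffic that the `spire-oidc` Service in this patch forwards to container port 8888 would, as far as I can tell, never reach it; the listener needs the pod interface (`insecure_addr = "0.0.0.0:8888"`) or the Service should go. Independently, `allow_insecure_scheme = true` with `domains = ["localhost"]` serves the issuer metadata and JWKS over plain HTTP, which lets anything on the path substitute the keys relying parties use to verify JWT-SVIDs; a shipped package should terminate TLS on the provider (its `acme` or `serving_cert_file` block) for the real issuer FQDN. The `TODO: Replace MY_DISCOVERY_DOMAIN` comment refers to a placeholder that no longer appears in the file; rewrite it to name the `domains` value that has to change.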
diff --git a/nephio/optional/spire/package-context.yaml b/nephio/optional/spire/package-context.yaml new file mode 100644 index 0000000..a736e6b --- /dev/null +++ b/nephio/optional/spire/package-context.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: package-context + annotations: + config.kubernetes.io/local-config: "true" +data: + namespace: spire diff --git a/nephio/optional/spire/serconfig.yaml b/nephio/optional/spire/serconfig.yaml new file mode 100644 index 0000000..ad633ca --- /dev/null +++ b/nephio/optional/spire/serconfig.yaml @@ -0,0 +1,66 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + namespace: spire +data: + server.conf: | + server { + bind_address = "0.0.0.0" + bind_port = "8081" + trust_domain = "example.org" + data_dir = "/run/spire/data" + log_level = "DEBUG" + ca_subject = { + country = ["US"], + organization = ["SPIFFE"], + common_name = "", + } + + federation { + bundle_endpoint { + address = "0.0.0.0" + port = 8443 + } + } + + jwt_issuer = "oidc-discovery.accuknox.com" + ca_key_type = "rsa-2048" + + # Creates the iss claim in JWT-SVIDs. + # TODO: Replace MY_DISCOVERY_DOMAIN with the FQDN of the Discovery Provider that you will configure in DNS + } + + + plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "/run/spire/data/datastore.sqlite3" + } + } + + NodeAttestor "k8s_psat" { + plugin_data_file= "/run/spire/clusters/clusters.conf" + } + + KeyManager "disk" { + plugin_data { + keys_path = "/run/spire/data/keys.json" + } + } + + Notifier "k8sbundle" { + plugin_data { + } + } + } + + health_checks { + listener_enabled = true + bind_address = "0.0.0.0" + bind_port = "8080" + live_path = "/live" + ready_path = "/ready" + } + diff --git a/nephio/optional/spire/server-oidc-service.yaml b/nephio/optional/spire/server-oidc-service.yaml new file mode 100644 index 0000000..389902c --- /dev/null +++ b/nephio/optional/spire/server-oidc-service.yaml 
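Review bot: `jwt_issuer = "oidc-discovery.accuknox.com"` does not match the host the bundled discovery provider is configured to serve (`domains = ["localhost"]` in oidc-dp-configmap.yaml), so the `iss` claim stamped into JWT-SVIDs points at an endpoint this package never exposes and issuer discovery by relying parties will fail. The explanatory comment `# Creates the iss claim in JWT-SVIDs.` and the `TODO: Replace MY_DISCOVERY_DOMAIN` line sit after `ca_key_type` and refer to a placeholder that is no longer in the file; they belong directly above `jwt_issuer`, with the TODO rewritten to name that field. `log_level = "DEBUG"` as the package default records verbose attestation detail; `log_level = "INFO"` is the usual shipped value and matches the discovery-provider config in the same commit.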
@@ -0,0 +1,14 @@ +# Service definition for the admission webhook +apiVersion: v1 +kind: Service +metadata: + name: spire-oidc + namespace: spire +spec: + type: LoadBalancer + selector: + app: spire-server + ports: + - name: http + port: 8888 + targetPort: spire-oidc-port diff --git a/nephio/optional/spire/server-statefulset.yaml b/nephio/optional/spire/server-statefulset.yaml new file mode 100644 index 0000000..5258ceb --- /dev/null +++ b/nephio/optional/spire/server-statefulset.yaml 
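Review bot: The header comment `# Service definition for the admission webhook` describes a different object; this Service selects the spire-server pod and exposes the OIDC discovery provider port, so it should read `# Service definition for the SPIRE OIDC discovery provider`. Publishing that port with `type: LoadBalancer` exposes an endpoint that, per oidc-dp-configmap.yaml in this patch, speaks plain HTTP; until TLS is terminated on or in front of the provider, `type: ClusterIP` limits who can fetch an unauthenticated JWKS from it. `targetPort: spire-oidc-port` resolves to `containerPort: 8888` in the StatefulSet, which is consistent.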
@@ -0,0 +1,189 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + namespace: spire + +--- + +# Required cluster role to allow spire-server to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role +rules: +- apiGroups: [""] + resources: ["pods", "nodes"] + verbs: ["get"] +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "patch", "watch", "list"] + +--- + +# Binds above cluster role to spire-server service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role-binding +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire +roleRef: + kind: ClusterRole + name: spire-server-cluster-role + apiGroup: rbac.authorization.k8s.io + +--- + +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire + +--- + + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: spire-server + namespace: spire + labels: + app: spire-server +spec: + replicas: 1 + selector: + matchLabels: + app: spire-server + serviceName: spire-server + template: + metadata: + namespace: spire + labels: + app: spire-server + spec: + serviceAccountName: spire-server + shareProcessNamespace: true + containers: + - name: spire-server + image: ghcr.io/spiffe/spire-server:1.10.0 + args: + - -config + - /run/spire/config/server.conf + ports: + - containerPort: 8081 + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-data + mountPath: /run/spire/data + readOnly: false + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: false + - name: clusters + mountPath: /run/spire/clusters + readOnly: false + - name: kubeconfigs + mountPath: /run/spire/kubeconfigs + livenessProbe: + httpGet: + path: /live + port: 8080 + failureThreshold: 2 + 
initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: informer + image: primalpimmy/informer:latest + imagePullPolicy: Always + securityContext: + capabilities: + add: + - SYS_PTRACE + stdin: true + tty: true + - name: spire-controller-manager + image: ghcr.io/spiffe/spire-controller-manager:nightly + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9443 + args: + - "--config=spire-controller-manager-config.yaml" + volumeMounts: + - name: spire-server-socket + mountPath: /spire-server + readOnly: true + - name: spire-controller-manager-config + mountPath: /spire-controller-manager-config.yaml + subPath: spire-controller-manager-config.yaml + - name: spire-oidc + image: ghcr.io/spiffe/oidc-discovery-provider:1.10.0 + args: + - -config + - /run/spire/oidc/config/oidc-discovery-provider.conf + ports: + - containerPort: 8888 + name: spire-oidc-port + volumeMounts: + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: true + - name: spire-oidc-config + mountPath: /run/spire/oidc/config/ + readOnly: true + - name: spire-data + mountPath: /run/spire/data + readOnly: false + readinessProbe: + httpGet: + path: /ready # TODO: Change this to /ready when using 1.5.2+ + port: 8008 + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 3 + volumes: + - name: spire-config + configMap: + name: spire-server + - name: spire-server-socket + emptyDir: {} + - name: spire-oidc-config + configMap: + name: oidc-discovery-provider + - name: spire-secrets + secret: + secretName: spire-server + - name: clusters + configMap: + name: clusters + - name: kubeconfigs + configMap: + name: kubeconfigs + - name: spire-controller-manager-config + configMap: + name: spire-controller-manager-config + volumeClaimTemplates: + - metadata: + name: spire-data + namespace: spire + spec: + accessModes: + - ReadWriteOnce + 
resources: + requests: + storage: 1Gi \ No newline at end of file diff --git a/nephio/optional/spire/spire-controller-manager-config.yaml b/nephio/optional/spire/spire-controller-manager-config.yaml new file mode 100644 index 0000000..4b505ca --- /dev/null +++ b/nephio/optional/spire/spire-controller-manager-config.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-controller-manager-config + namespace: spire +data: + spire-controller-manager-config.yaml: | + apiVersion: spire.spiffe.io/v1alpha1 + kind: ControllerManagerConfig + metrics: + bindAddress: 127.0.0.1:8082 + health: + healthProbeBindAddress: 127.0.0.1:8083 + leaderElection: + leaderElect: true + resourceName: 98c9c988.spiffe.io + resourceNamespace: spire + clusterName: kind + trustDomain: example.org + ignoreNamespaces: + - kube-system + - kube-public + - spire-system + - local-path-storage + diff --git a/nephio/optional/spire/spire-controller-manager-webhook.yaml b/nephio/optional/spire/spire-controller-manager-webhook.yaml new file mode 100644 index 0000000..9da7187 --- /dev/null +++ b/nephio/optional/spire/spire-controller-manager-webhook.yaml 
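Review bot: The `informer` sidecar is granted `SYS_PTRACE` while the pod sets `shareProcessNamespace: true`, which lets that container attach to the `spire-server` process, where the CA private key loaded by the disk KeyManager from `/run/spire/data/keys.json` lives in memory; the same container is pulled from a personal registry namespace with a floating `:latest` tag and `imagePullPolicy: Always`, so whatever that tag points to tomorrow inherits the capability. Unless the informer genuinely has to trace the server, drop `shareProcessNamespace`, the capability and the `stdin`/`tty` settings, and pin the image by digest. The `spire-oidc` container also mounts `spire-data` read-write, giving the discovery provider write access to the datastore and `keys.json` when it only needs the server socket, and its readiness probe targets `port: 8008`, which no container declares, so it can never become ready (`8888` is the declared port, and the `TODO ... /ready` comment is stale since the path already is `/ready`). The `spire-secrets` volume references a Secret `spire-server` that nothing in this series creates and no container mounts; a missing non-optional Secret keeps the pod in ContainerCreating, so remove the volume or mark it `optional: true`.
```yaml
    spec:
      serviceAccountName: spire-server
      # shareProcessNamespace removed: no container here needs the server's PID tree
      containers:
        # … unchanged: spire-server container …
        - name: informer
          image: primalpimmy/informer@sha256:<DIGEST_PLACEHOLDER>  # pin a reviewed digest
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
        # … unchanged: spire-controller-manager container …
        - name: spire-oidc
          # … unchanged: image, args, ports …
          volumeMounts:
            # … unchanged: spire-server-socket, spire-oidc-config …
            - name: spire-data
              mountPath: /run/spire/data
              readOnly: true
          readinessProbe:
            httpGet:
              path: /ready
              port: 8888
      # … unchanged: volumes, minus the unused spire-secrets entry …
```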
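Review bot: `ignoreNamespaces` still lists `spire-system`, but every object in this package is deployed to `spire` (the namespace used in `resourceNamespace` three lines up), so if the intent is upstream's default of skipping SPIRE's own namespace, the controller manager will instead create registration entries for pods in `spire`, including spire-server itself; the entry should read `- spire`. `clusterName: kind` and `trustDomain: example.org` are environment values that must agree with the `cluster` in the agent's k8s_psat configuration and `trust_domain` in server.conf; a comment marking them as placeholders to set per deployment would stop them being shipped unchanged. This ConfigMap also duplicates the one the same commit's kustomization.yaml generates from `spire/spire-controller-manager-config.yaml`, though that file is deleted in the next commit.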
@@ -0,0 +1,33 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: spire-controller-manager-webhook +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire + path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain + failurePolicy: Fail + name: vclusterfederatedtrustdomain.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterfederatedtrustdomains"] + sideEffects: None + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire + path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid + failurePolicy: Fail + name: vclusterspiffeid.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterspiffeids"] + sideEffects: None \ No newline at end of file diff --git a/nephio/optional/spire/spire-namespace.yaml b/nephio/optional/spire/spire-namespace.yaml new file mode 100644 index 0000000..c6ba349 --- /dev/null +++ b/nephio/optional/spire/spire-namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: spire diff --git a/nephio/optional/spire/spire-service.yaml b/nephio/optional/spire/spire-service.yaml new file mode 100644 index 0000000..80a005f --- /dev/null +++ b/nephio/optional/spire/spire-service.yaml 
@@ -0,0 +1,51 @@ +apiVersion: v1 +kind: Service +metadata: + name: spire-server + namespace: spire + annotations: + metallb.universe.tf/ip-allocated-from-pool: nephio + metallb.universe.tf/loadBalancerIPs: 172.18.0.222 +spec: + type: LoadBalancer + ports: + - name: grpc + port: 8081 + targetPort: 8081 + protocol: TCP + selector: + app: spire-server + + +--- +# Service definition for SPIRE server bundle endpoint +apiVersion: v1 +kind: Service +metadata: + name: spire-server-bundle-endpoint + namespace: spire +spec: + type: NodePort + ports: + - name: api + port: 8443 + protocol: TCP + selector: + app: spire-server + + +--- +# +# Service definition for SPIRE controller manager webhook +apiVersion: v1 +kind: Service +metadata: + name: spire-controller-manager-webhook-service + namespace: spire +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + app: spire-server \ No newline at end of file From fe95ae2397b6c96a6557ce1a0a5a200187a048c1 Mon Sep 17 00:00:00 2001 From: PrimalPimmy Date: Mon, 17 Feb 2025 23:39:03 +0530 Subject: [PATCH 2/7] remove kustomization file Signed-off-by: PrimalPimmy --- nephio/optional/spire/kustomization.yaml | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 nephio/optional/spire/kustomization.yaml diff --git a/nephio/optional/spire/kustomization.yaml b/nephio/optional/spire/kustomization.yaml deleted file mode 100644 index 00efa8c..0000000 --- a/nephio/optional/spire/kustomization.yaml +++ /dev/null 
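Review bot: `metallb.universe.tf/loadBalancerIPs: 172.18.0.222` and `ip-allocated-from-pool: nephio` hard-wire this Service to one MetalLB pool on the kind docker network; applied anywhere else it will likely sit in Pending or collide with an address already in use. Either drop the IP annotation and let the pool allocate, or mark it as a kpt setter placeholder. The orphaned `#` line before `# Service definition for SPIRE controller manager webhook` should go; `port: 8081` behind a LoadBalancer is the SPIRE server gRPC API that remote agents need, which fits the multi-cluster intent but deserves a comment saying so.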
@@ -1,22 +0,0 @@ -resources: -- spire/spiffe-csi-driver.yaml -- spire/spire-namespace.yaml -- crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml -- crd/spire.spiffe.io_clusterspiffeids.yaml -- crd/spire.spiffe.io_clusterstaticentries.yaml -- crd-rbac/role.yaml -- crd-rbac/role_binding.yaml -- crd-rbac/leader_election_role.yaml -- crd-rbac/leader_election_role_binding.yaml -- spire/spire-server.yaml -- spire/spire-agent.yaml -- spire/spire-controller-manager-webhook.yaml - -generatorOptions: - disableNameSuffixHash: true - -configMapGenerator: -- name: spire-controller-manager-config - namespace: spire - files: - - spire/spire-controller-manager-config.yaml \ No newline at end of file From 10ef03c862ca4c7561834339f38bb8cf285c7930 Mon Sep 17 00:00:00 2001 From: PrimalPimmy Date: Mon, 17 Feb 2025 23:41:56 +0530 Subject: [PATCH 3/7] SPIFFE Identity feature will be off by default Signed-off-by: PrimalPimmy --- .../nephio-operator/app/controller/deployment-controller.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nephio/core/nephio-operator/app/controller/deployment-controller.yaml b/nephio/core/nephio-operator/app/controller/deployment-controller.yaml index 37ee9ec..885398c 100644 --- a/nephio/core/nephio-operator/app/controller/deployment-controller.yaml +++ b/nephio/core/nephio-operator/app/controller/deployment-controller.yaml @@ -86,7 +86,7 @@ spec: - name: ENABLE_NETWORKS value: "true" - name: ENABLE_WORKLOADIDENTITY - value: "true" + value: "false" - name: CLIENT_PROXY_ADDRESS value: resource-backend-controller-grpc-svc.backend-system.svc.cluster.local:9999 - name: SPIFFE_ENDPOINT_SOCKET From 966632e1cec52e5665d447b4d4d7a26893232dc5 Mon Sep 17 00:00:00 2001 From: PrimalPimmy Date: Tue, 18 Feb 2025 13:25:50 +0530 Subject: [PATCH 4/7] kpt fix Signed-off-by: PrimalPimmy --- nephio/optional/spire-agent/Kptfile | 28 +++++----------------------- 1 file changed, 5 insertions(+), 23 deletions(-) 
diff --git a/nephio/optional/spire-agent/Kptfile b/nephio/optional/spire-agent/Kptfile index e8cdee9..fc33b1d 100644 --- a/nephio/optional/spire-agent/Kptfile +++ b/nephio/optional/spire-agent/Kptfile @@ -1,26 +1,8 @@ apiVersion: kpt.dev/v1 kind: Kptfile metadata: - name: spire-agent - namespace: spire -packageMetadata: - shortDescription: "Kpt package for deploying spire-agent" - keywords: - - spire - - agent - - security - - identity - site: "https://spiffe.io" - maintainers: - - name: "Maintainer Name" - email: "maintainer@example.com" - licenses: - - Apache-2.0 - categories: - - security - - identity - version: "1.0.0" -inventory: - namespace: spire - inventoryID: spire-agent - + name: spire + annotations: + config.kubernetes.io/local-config: "true" +info: + description: spire-agent From 82d92e9a39dc61c3e759582ba4c54c4df5baf1bc Mon Sep 17 00:00:00 2001 From: PrimalPimmy Date: Tue, 18 Feb 2025 14:54:47 +0530 Subject: [PATCH 5/7] Service Account generation Signed-off-by: PrimalPimmy --- .../spire-restrictedSA/ClusterRole.yaml | 8 ++++++ .../ClusterRoleBinding.yaml | 25 +++++++++++++++++++ nephio/optional/spire-restrictedSA/Kptfile | 8 ++++++ .../optional/spire-restrictedSA/Secret.yaml | 8 ++++++ .../spire-restrictedSA/ServiceAccount.yaml | 5 ++++ 5 files changed, 54 insertions(+) create mode 100644 nephio/optional/spire-restrictedSA/ClusterRole.yaml create mode 100644 nephio/optional/spire-restrictedSA/ClusterRoleBinding.yaml create mode 100644 nephio/optional/spire-restrictedSA/Kptfile create mode 100644 nephio/optional/spire-restrictedSA/Secret.yaml create mode 100644 nephio/optional/spire-restrictedSA/ServiceAccount.yaml diff --git a/nephio/optional/spire-restrictedSA/ClusterRole.yaml b/nephio/optional/spire-restrictedSA/ClusterRole.yaml new file mode 100644 index 0000000..2c18ea7 --- /dev/null +++ b/nephio/optional/spire-restrictedSA/ClusterRole.yaml 
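Review bot: `name: spire` under `metadata` no longer matches the package it describes; the directory is `spire-agent`, `info.description` says `spire-agent`, and the server package under `nephio/optional/spire` would naturally take the name `spire`, so two packages from this series could end up with the same Kptfile name. `name: spire-agent` keeps the move to the kpt local-config form while preserving a distinct identity. The removed `inventory` block carried the `namespace: spire` used for `kpt live`; if the agent package is still applied that way, that value now has to come from elsewhere, which is worth a line in `info.description`.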
@@ -0,0 +1,8 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pod-reader +rules: +- apiGroups: [""] + resources: ["pods", "nodes"] + verbs: ["get"] diff --git a/nephio/optional/spire-restrictedSA/ClusterRoleBinding.yaml b/nephio/optional/spire-restrictedSA/ClusterRoleBinding.yaml new file mode 100644 index 0000000..aa802aa --- /dev/null +++ b/nephio/optional/spire-restrictedSA/ClusterRoleBinding.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-agent-tokenreview-binding +subjects: +- kind: ServiceAccount + name: spirekubeconfig + namespace: spire +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-agent-pod-reader-binding +subjects: +- kind: ServiceAccount + name: spirekubeconfig + namespace: spire +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: pod-reader diff --git a/nephio/optional/spire-restrictedSA/Kptfile b/nephio/optional/spire-restrictedSA/Kptfile new file mode 100644 index 0000000..121bd4c --- /dev/null +++ b/nephio/optional/spire-restrictedSA/Kptfile @@ -0,0 +1,8 @@ +apiVersion: kpt.dev/v1 +kind: Kptfile +metadata: + name: restricted-SA + annotations: + config.kubernetes.io/local-config: "true" +info: + description: restricted-SA diff --git a/nephio/optional/spire-restrictedSA/Secret.yaml b/nephio/optional/spire-restrictedSA/Secret.yaml new file mode 100644 index 0000000..d89abd3 --- /dev/null +++ b/nephio/optional/spire-restrictedSA/Secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: agent-sa-secret + namespace: spire + annotations: + kubernetes.io/service-account.name: spirekubeconfig +type: kubernetes.io/service-account-token 
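Review bot: `name: system:auth-delegator` in the first binding grants the `spirekubeconfig` ServiceAccount both `tokenreviews/create` and `subjectaccessreviews/create`; the k8s_psat node attestor only needs the former, and the server's own ClusterRole in server-statefulset.yaml earlier in this series already scopes it that way. A dedicated ClusterRole limited to `authentication.k8s.io` `tokenreviews` `create`, referenced from this binding, keeps the remote-cluster credential to the minimum. The names `spire-agent-tokenreview-binding` and `spire-agent-pod-reader-binding` read as agent roles, while the subject is the account whose kubeconfig the server uses for remote attestation; naming them after the account avoids confusion.
```yaml
# Minimal role for k8s_psat token review (replaces system:auth-delegator)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spirekubeconfig-tokenreview
rules:
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
---
# … unchanged: kind, metadata and subjects of the first ClusterRoleBinding …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: spirekubeconfig-tokenreview
# … unchanged: second ClusterRoleBinding (pod-reader) …
```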
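Review bot: `type: kubernetes.io/service-account-token` asks the controller to mint a legacy, non-expiring token for `spirekubeconfig`; that token becomes the static credential the server presents to the remote cluster, so it never rotates and stays valid as long as the Secret exists. If a static kubeconfig is a deliberate trade-off, say so in a comment above `type:` and document that deleting the Secret is the revocation step; otherwise prefer a bound token from the TokenRequest API with an expiry and re-issue the kubeconfig on a schedule. `name: agent-sa-secret` does not name the account it holds a token for; `name: spirekubeconfig-token` is clearer.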
diff --git a/nephio/optional/spire-restrictedSA/ServiceAccount.yaml b/nephio/optional/spire-restrictedSA/ServiceAccount.yaml new file mode 100644 index 0000000..dc10f18 --- /dev/null +++ b/nephio/optional/spire-restrictedSA/ServiceAccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spirekubeconfig + namespace: spire From 6677d477512609ecc51f9683547c608447a9b2a7 Mon Sep 17 00:00:00 2001 From: PrimalPimmy Date: Tue, 18 Feb 2025 15:05:33 +0530 Subject: [PATCH 6/7] removed spire-agent cm Signed-off-by: PrimalPimmy --- nephio/optional/spire-agent/spire-agent.yaml | 41 -------------------- 1 file changed, 41 deletions(-) diff --git a/nephio/optional/spire-agent/spire-agent.yaml b/nephio/optional/spire-agent/spire-agent.yaml index 6f2c134..9f2f40f 100644 --- a/nephio/optional/spire-agent/spire-agent.yaml +++ b/nephio/optional/spire-agent/spire-agent.yaml @@ -36,47 +36,6 @@ roleRef: --- -# ConfigMap for the SPIRE agent featuring: -# 1) PSAT node attestation -# 2) K8S Workload Attestation over the secure kubelet port -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-agent - namespace: spire -data: - agent.conf: | - agent { - data_dir = "/run/spire" - log_level = "DEBUG" - server_address = "spire-server" - server_port = "8081" - socket_path = "/run/spire/sockets/spire-agent.sock" - trust_bundle_path = "/run/spire/bundle/bundle.crt" - trust_domain = "example.org" - } - - plugins { - NodeAttestor "k8s_psat" { - plugin_data { - cluster = "kind" - } - } - - KeyManager "memory" { - plugin_data { - } - } - - WorkloadAttestor "k8s" { - plugin_data { - skip_kubelet_verification = true - } - } - } - ---- - apiVersion: apps/v1 kind: DaemonSet metadata: From df2e17372b77612989b1afea0d16fb5f785be022 Mon Sep 17 00:00:00 2001 From: PrimalPimmy Date: Tue, 18 Feb 2025 21:39:00 +0530 Subject: [PATCH 7/7] Changing image to latest 
Signed-off-by: PrimalPimmy --- .../nephio-operator/app/controller/deployment-controller.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nephio/core/nephio-operator/app/controller/deployment-controller.yaml b/nephio/core/nephio-operator/app/controller/deployment-controller.yaml index 885398c..af32588 100644 --- a/nephio/core/nephio-operator/app/controller/deployment-controller.yaml +++ b/nephio/core/nephio-operator/app/controller/deployment-controller.yaml @@ -92,8 +92,8 @@ spec: - name: SPIFFE_ENDPOINT_SOCKET value: unix:///spiffe-workload-api/spire-agent.sock # Temporary image - image: docker.io/nephio/nephio-operator:ubuntu - imagePullPolicy: Never + image: docker.io/nephio/nephio-operator:latest + imagePullPolicy: Always volumeMounts: - name: spiffe-workload-api mountPath: /spiffe-workload-api
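Review bot: `image: docker.io/nephio/nephio-operator:latest` with `imagePullPolicy: Always` makes every restart of the operator pull whatever the tag currently resolves to, so a deployment is not reproducible and a moved tag reaches the cluster unreviewed; the retained `# Temporary image` comment suggests this is meant as a stopgap. Pin to a release tag or, better, a digest (`image: docker.io/nephio/nephio-operator@sha256:<DIGEST_PLACEHOLDER>`) with `imagePullPolicy: IfNotPresent`, and record in the comment which tag the pinned value was taken from. The enclosing container spec starts outside the hunk.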