Add external spire-controller-managers (#284)
* Complete Server K8S PSAT support

Add all the SPIRE Server supported options for the K8S PSAT attestor. This retains the
ease of use for configuring local cluster support while adding the ability to configure
multiple/external clusters as well. Kubeconfig support is added in its own config block
as it will be used/shared with spire-controller-manager support in the future.

Signed-off-by: Kevin Fox <[email protected]>

* Fix merge conflict

Signed-off-by: Kevin Fox <[email protected]>

* Add support for integration tests in the tests/integration dir

Signed-off-by: Kevin Fox <[email protected]>

* Fix split issue and typo

Signed-off-by: Kevin Fox <[email protected]>

* Add basic psat test

Signed-off-by: Kevin Fox <[email protected]>

* Fix linter

Signed-off-by: Kevin Fox <[email protected]>

* Fix up test

Signed-off-by: Kevin Fox <[email protected]>

* Add missing file

Signed-off-by: Kevin Fox <[email protected]>

* Better encode config

Signed-off-by: Kevin Fox <[email protected]>

* Update charts/spire/charts/spire-server/values.yaml

Co-authored-by: Faisal Memon <[email protected]>
Signed-off-by: kfox1111 <[email protected]>

* Update docs

Signed-off-by: Kevin Fox <[email protected]>

* Apply suggestions from code review

Co-authored-by: Faisal Memon <[email protected]>
Signed-off-by: kfox1111 <[email protected]>

* Fix docs

Signed-off-by: Kevin Fox <[email protected]>

* Update charts/spire/charts/spire-server/values.yaml

Co-authored-by: Faisal Memon <[email protected]>
Signed-off-by: kfox1111 <[email protected]>

* Fix docs

Signed-off-by: Kevin Fox <[email protected]>

* Add external k8s bundler

Adds support to sync the CA bundle to configmaps in external
Kubernetes clusters

Signed-off-by: Kevin Fox <[email protected]>

* Update default

Signed-off-by: Kevin Fox <[email protected]>

* Fix config file layout. Incorporate feedback.

Signed-off-by: Kevin Fox <[email protected]>

* Incorporate feedback

Signed-off-by: Kevin Fox <[email protected]>

* Update based on parent pr feedback

Signed-off-by: Kevin Fox <[email protected]>

* Reformat config file

Signed-off-by: Kevin Fox <[email protected]>

* Fix some things

Signed-off-by: Kevin Fox <[email protected]>

* Reconfigure kind

Signed-off-by: Kevin Fox <[email protected]>

* More debugging

Signed-off-by: Kevin Fox <[email protected]>

* Fix up kind

Signed-off-by: Kevin Fox <[email protected]>

* Incorporate feedback

Signed-off-by: Kevin Fox <[email protected]>

* Add external spire-controller-managers

Only one external controller manager is supported at a time until
spiffe/spire#4898 is resolved.

Signed-off-by: Kevin Fox <[email protected]>

* Fix tests

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Upgrade to spire-controller-manager 0.5.0

Signed-off-by: Kevin Fox <[email protected]>

* Update for released 0.5.0

Signed-off-by: Kevin Fox <[email protected]>

* Merge in some of the id prefix pr

Signed-off-by: Kevin Fox <[email protected]>

* Entry ID Prefix (#287)

* Add Entry ID Prefix support

Signed-off-by: Kevin Fox <[email protected]>

* Multicluster test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Implement cleanup setting too

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix docs

Signed-off-by: Kevin Fox <[email protected]>

* Bump up test container

Signed-off-by: Kevin Fox <[email protected]>

* Switch to testing with nightly

Signed-off-by: Kevin Fox <[email protected]>

* Fix value name

Signed-off-by: Kevin Fox <[email protected]>

* Fix docs

Signed-off-by: Kevin Fox <[email protected]>

---------

Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: kfox1111 <[email protected]>

* Fix up doc formatting

Signed-off-by: Kevin Fox <[email protected]>

* Fix merge conflict

Signed-off-by: Kevin Fox <[email protected]>

* Update charts/spire/charts/spire-server/values.yaml

Co-authored-by: Faisal Memon <[email protected]>
Signed-off-by: kfox1111 <[email protected]>

---------

Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: kfox1111 <[email protected]>
Co-authored-by: Faisal Memon <[email protected]>
kfox1111 and faisal-memon authored May 2, 2024
1 parent ee12404 commit 8fef1bd
Showing 16 changed files with 400 additions and 132 deletions.
2 changes: 1 addition & 1 deletion .github/tests/common.sh
Expand Up @@ -21,7 +21,7 @@ $(kubectl --request-timeout=30s describe pods --namespace "$1")
#### Logs
\`\`\`shell
$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done)
$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --prefix --all-containers=true --ignore-errors=true; done)
$( ([[ -n "$2" ]] && kubectl get pods -o name -n "$2") | while read -r line; do echo logs for "${line}"; kubectl logs -n "$2" "${line}" --all-containers=true --ignore-errors=true; done)
\`\`\`
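Review bot: `--prefix` is added only to the first `kubectl logs` loop (the `"$1"` namespace); the `"$2"` loop on the following context line still runs `kubectl logs -n "$2" "${line}" --all-containers=true --ignore-errors=true` without it, so log lines from the second namespace will not carry the pod/container prefix and the two halves of the failure report will be formatted differently. Add `--prefix` to that invocation as well so the collected logs are attributable to a specific pod and container in both sections.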
3 changes: 1 addition & 2 deletions .github/workflows/helm-chart-ci.yaml
Expand Up @@ -300,8 +300,7 @@ jobs:

- name: Install and test integration
run: |
kubectl create namespace spire-server
helm install -n spire-server spire-crds charts/spire-crds
helm install --create-namespace -n spire-mgmt spire-crds charts/spire-crds
${{ matrix.integrationtest }}/run-tests.sh
upgrade-test:
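Review bot: the CRD release moves from the `spire-server` namespace to `spire-mgmt`, and the explicit `kubectl create namespace` is replaced by `helm install --create-namespace`, which also makes the step re-runnable (a bare `kubectl create namespace` fails if the namespace already exists). Every `${{ matrix.integrationtest }}/run-tests.sh` invoked on the next line must now expect the CRDs in `spire-mgmt`, and the `upgrade-test` job that follows should be checked for the same `spire-server` assumption, since a mismatch here only surfaces as a failed install at test time rather than as a CI error on this change.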
13 changes: 7 additions & 6 deletions charts/spire/README.md
Expand Up @@ -255,12 +255,13 @@ Now you can interact with the Spire agent socket from your own application. The

### Spire server parameters

| Name | Description | Value |
| ---------------------------------------- | ------------------------------------------------------------------------- | ------------- |
| `spire-server.enabled` | Flag to enable Spire server | `true` |
| `spire-server.nameOverride` | Overrides the name of Spire server pods | `server` |
| `spire-server.kind` | Run spire server as deployment/statefulset. This feature is experimental. | `statefulset` |
| `spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` |
| Name | Description | Value |
| ------------------------------------------------- | ------------------------------------------------------------------------- | ------------- |
| `spire-server.enabled` | Flag to enable Spire server | `true` |
| `spire-server.nameOverride` | Overrides the name of Spire server pods | `server` |
| `spire-server.kind` | Run spire server as deployment/statefulset. This feature is experimental. | `statefulset` |
| `spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` |
| `spire-server.externalControllerManagers.enabled` | Enable external controller manager support | `true` |

### Spire agent parameters

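Review bot: the new row documents `spire-server.externalControllerManagers.enabled` with a default of `true`, while the sub-chart README changed in this same commit lists `externalControllerManagers.enabled` as `false`. The two tables cannot both be right; confirm the actual default in `charts/spire/charts/spire-server/values.yaml` and regenerate both tables from it, since a user reading the umbrella chart README would otherwise believe external cluster reconciliation is on by default when the sub-chart says it is opt-in.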
16 changes: 16 additions & 0 deletions charts/spire/charts/spire-server/README.md
Expand Up @@ -286,6 +286,22 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another chart instance on the k8s cluster with webhooks enabled. | `true` |
| `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` |
| `controllerManager.cacheNamespaces` | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. | `{}` |
| `externalControllerManagers.enabled` | Flag to enable external controller managers | `false` |
| `externalControllerManagers.defaults.reconcile.clusterSPIFFEIDs` | Enable reconciliation of clusterSPIFFEIDs from K8s to the SPIRE server | `true` |
| `externalControllerManagers.defaults.reconcile.clusterStaticEntries` | Enable reconciliation of clusterStaticEntries from K8s to the SPIRE server | `false` |
| `externalControllerManagers.defaults.reconcile.clusterFederatedTrustDomains` | Enable reconciliation of clusterFederatedTrustDomains from K8s to the SPIRE server | `false` |
| `externalControllerManagers.defaults.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. | `""` |
| `externalControllerManagers.defaults.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` |
| `externalControllerManagers.defaults.entryIDPrefixCleanup` | consult the spiffe.io docs about this option before changing. Its unlikely you will need to ever change it. | `false` |
| `externalControllerManagers.defaults.parentIDTemplate` | The template that is used to register workloads. | `spiffe://{{ .TrustDomain }}/spire/agent/k8s_psat/{{ .ClusterName }}/{{ .NodeMeta.UID }}` |
| `externalControllerManagers.defaults.expandEnv` | Set to true to enable environment variable substitution of config file options | `false` |
| `externalControllerManagers.defaults.extraEnv` | Extra environment variables to add to the controller manager | `[]` |
| `externalControllerManagers.defaults.resources` | Resource requests and limits for controller manager | `{}` |
| `externalControllerManagers.defaults.securityContext` | Security context | `{}` |
| `externalControllerManagers.defaults.configMap.annotations` | Annotations to add to the Controller Manager ConfigMap | `{}` |
| `externalControllerManagers.defaults.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` |
| `externalControllerManagers.defaults.cacheNamespaces` | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. | `{}` |
| `externalControllerManagers.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` |
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
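Review bot: the `externalControllerManagers.clusters` row states that when it is empty "all clusters defined in kubeConfigs will be used", but the commit message says only one external controller manager is supported at a time until spiffe/spire#4898 is resolved; the table should carry that limitation and say what happens when more than one kubeconfig is present, otherwise an operator may list several clusters and get silent partial coverage. Minor wording in the same hunk: "Its unlikely you will need to ever change it" should read "It's unlikely you will ever need to change it", and the `className` and `watchClassless` descriptions start lowercase ("specify to ...") while the surrounding rows start with a capital letter.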