Add basic CSI driver for the spiffe-helper #166

Draft: wants to merge 22 commits into base: main
5 changes: 5 additions & 0 deletions .github/tests/charts.json
@@ -23,5 +23,10 @@
"name": "postgresql",
"repo": "https://charts.bitnami.com/bitnami",
"version": "16.0.3"
},
{
"name": "kyverno",
"repo": "https://kyverno.github.io/kyverno",
"version": "3.1.1"
Collaborator

Let's not slip in a policy engine as an out-of-scope "extra" on a commit intended to add a CSI driver.

Collaborator Author

The whole hook is implemented as a kyverno mutating policy. It's needed to make it work at all.

Totally open to it needing its own golang based webhook implementation in the future, along with associated git repositories, a container, etc., to make it not depend on kyverno, but was looking at getting an implementation of the concept working in as minimal an amount of time as possible, and that led to using an existing webhook engine.

Collaborator

The expansion of the charts to include Kyverno is something that probably should be discussed with a majority of the maintainers. I understand that it's part of this implementation, but its inclusion should be done with consensus, and at least some commentary on what the alternatives might be.

Collaborator Author

Completely agree.

Collaborator Author

I 100% believe Kyverno is NOT the right solution in the long run.

The right place for it though is not clear. There are several potential places:

  1. kubernetes is working on gaining cel support for MutatingAdmissionPolicy. This would be the very best place to put it, I think, provided it supports all the needed functionality (unclear). But it isn't supported in k8s yet, let alone in all versions of k8s we support.
  2. It could be added to spire-controller-manager. Another webhook wouldn't be required then.
  3. Its own standalone repo/webhook - needs ssc support

I also don't think we should block users playing around with the concept and getting the api correct, so that when we do identify a better way of implementing that api, we can switch out the kyverno based implementation with a better one without affecting users of it.

Collaborator

For what it is worth, in our own clusters we manage Kyverno ourselves, meaning I probably need a way to disable it here; for the remainder I understand the reason why you are adding it now.

Probably it should be something managed in the controller itself to have the webhook implemented there.

Collaborator Author

It makes use of Kyverno via a policy in the chart, but it doesn't install Kyverno other than in the tests, to test the policy.

Longer term, it will be switched to kubernetes/kubernetes#127134 once it is a thing.

}
]
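Review bot: the new `kyverno` entry makes a policy engine a test dependency of the whole chart suite for a change scoped to one CSI driver, and the thread above already asks for maintainer consensus on that; at minimum add a comment next to the entry (or in the PR description) stating that Kyverno is a test-only dependency required by the chart's mutating policy, so a future reader does not take it for a runtime requirement of every chart in the repo. The pinned version `3.1.1` matches the README's `--version 3.1.1`; keep those two in lockstep when either is bumped.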
5 changes: 5 additions & 0 deletions .github/tests/pre-install.sh
@@ -47,3 +47,8 @@ kubectl wait --namespace ingress-nginx --for=condition=ready --timeout 60s pod -
--namespace postgresql \
--values "${DEPS}/postgresql.yaml" \
--wait

# kyverno
"${helm_install[@]}" kyverno kyverno --version "$VERSION_KYVERNO" --repo "$HELM_REPO_KYVERNO" \
--namespace kyverno-system \
--wait
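Review bot: `$VERSION_KYVERNO` and `$HELM_REPO_KYVERNO` are used here but nothing in this hunk defines them; confirm they are set wherever the other `VERSION_*` / `HELM_REPO_*` variables this script relies on are defined, otherwise helm is invoked with an empty `--version` and `--repo` and will install an unpinned chart or fail. Also note the namespace `kyverno-system` differs from the `-n kyverno` in the README's prerequisite command, so a user following the README ends up with a different layout than CI exercises; pick one and use it in both places.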
23 changes: 23 additions & 0 deletions charts/spiffe-helper-csi-driver/.helmignore
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
26 changes: 26 additions & 0 deletions charts/spiffe-helper-csi-driver/Chart.yaml
@@ -0,0 +1,26 @@
apiVersion: v2
name: spiffe-helper-csi-driver
description: >
A Helm chart for deploying the Spiffe Helper CSI Drier
type: application
version: 0.1.0
appVersion: "0.0.1"
keywords: ["spiffe-helper-csi-driver"]
home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
sources:
- https://github.com/spiffe/helm-charts/tree/main/charts/spire
icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
maintainers:
- name: marcofranssen
email: [email protected]
url: https://marcofranssen.nl
- name: kfox1111
email: [email protected]
- name: faisal-memon
email: [email protected]
- name: edwbuck
email: [email protected]
dependencies:
- name: spire-lib
repository: file://../spire/charts/spire-lib
version: 0.1.0
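Review bot: typo in `description`: "Spiffe Helper CSI Drier" should read "SPIFFE Helper CSI Driver". `home` and `sources` both point at `charts/spire` rather than this chart's own directory (`charts/spiffe-helper-csi-driver`), so the generated README links users to the wrong chart. `appVersion: "0.0.1"` also disagrees with the `AppVersion: 1.7.2` badge in the README; since helm-docs derives the badge from this file, fix one of the two and regenerate.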
56 changes: 56 additions & 0 deletions charts/spiffe-helper-csi-driver/README.md
@@ -0,0 +1,56 @@
# spire-helper-csi-driver

![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)

A *prototype* Helm chart to install the SPIFFE HELPER CSI Driver. It is useful only for testing at this point. Please do not use in production.

**Homepage:** <https://github.com/spiffe/helm-charts/tree/main/charts/spire>

## Maintainers

| Name | Email | Url |
| ---- | ------ | --- |
| marcofranssen | <[email protected]> | <https://marcofranssen.nl> |
| kfox1111 | <[email protected]> | |
| faisal-memon | <[email protected]> | |
| edwbuck | <[email protected]> | |

## Source Code

* <https://github.com/spiffe/helm-charts/tree/main/charts/spiffe-helpe-csi-driver>

## Prereqs:

Your cluster needs to have Kyverno installed. You can do that by running something like the following:

```
helm upgrade --install --create-namespace kyverno kyverno -n kyverno --repo https://kyverno.github.io/kyverno/ --version 3.1.1
```

You also need SPIRE installed. You can do that by running something like the following for a non production test cluster:

```
helm install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
helm install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/
```

## Build Instructions

Until there is an official release of this chart, before you can use it out of git, you have to run
```
cd charts/spiffe-helper-csi-driver
helm dep up
```

## Install Instructions
```
helm install -n spire-server spiffe-helper-csi-driver charts/spiffe-helper-csi-driver
```

## Example usage

See the examples/good directory for different ways of using the driver.

<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->

## Parameters
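Review bot: the title `# spire-helper-csi-driver` does not match the chart name `spiffe-helper-csi-driver`, and the Source Code link contains `spiffe-helpe-csi-driver` (missing "r"), so it will 404. The AppVersion badge says 1.7.2 while Chart.yaml says 0.0.1; if this README is produced by helm-docs, regenerate it rather than editing by hand. The `## Parameters` section ends the file with no content; either run helm-docs so the values table is emitted or drop the heading until it is. Minor: `## Prereqs:` should not carry a trailing colon, and the Kyverno install command uses namespace `kyverno` whereas `.github/tests/pre-install.sh` uses `kyverno-system`.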
50 changes: 50 additions & 0 deletions charts/spiffe-helper-csi-driver/examples/bad/test-pod.yaml
@@ -0,0 +1,50 @@
apiVersion: v1
kind: Pod
metadata:
name: bad-test
spec:
# shareProcessNamespace: true
# hostPID: true
containers:
- name: nginx
image: nginx
command:
- /bin/sh
- -c
- |
echo $$$$ > $$SPIFFE_HELPER_PID_CERTS
cat > /etc/nginx/conf.d/ssl.conf <<EOF
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /certs/tls.crt;
ssl_certificate_key /certs/tls.key;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
EOF
exec nginx -g "daemon off;"
volumeMounts:
- name: certs
mountPath: /certs
ports:
- containerPort: 443
volumes:
- name: certs
csi:
driver: helper.spiffe.io
volumeAttributes:
renewSignal: SIGHUP
pidContainer: nginx

addIntermediatesToBundle: "true"

svidFileName: tls.crt
svidKeyFileName: tls.key
svidBundleFileName: ca.pem
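Review bot: nothing in this file says why it lives under `examples/bad`. Reading it against `examples/good/nginx.yaml`, the only difference is that `shareProcessNamespace: true` is commented out while `pidContainer: nginx` and `renewSignal: SIGHUP` are still set, which presumably means the helper sidecar cannot see or signal nginx's PID on renewal; add a header comment stating exactly which failure the example is meant to demonstrate (and what the user should observe, e.g. the cert rotating on disk but nginx never reloading), otherwise it reads as an accidental copy of the good example. Also drop the stray blank lines inside `volumeAttributes`.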
@@ -0,0 +1,34 @@
# NOTE:
# This example shows how you can use a custom image for your sidecar
# enabling you to run specific commands whenever a certificate is updated.
apiVersion: v1
kind: Pod
metadata:
name: custom-sidecar
spec:
containers:
- name: busybox
image: busybox
command:
- /bin/sh
- -c
- 'while true; do sleep 1000; done'
volumeMounts:
- name: certs
mountPath: /certs
- name: sidecar
image: mysql
env:
- name: some-setting
value: foo
volumes:
- name: certs
csi:
driver: helper.spiffe.io
volumeAttributes:
customSidecar: sidecar
cmd: "bash"
cmdArgs: "-c \"echo rolled. Could do a mysql cli command here.\""
svidBundleFileName: ca.pem
svidFileName: tls.crt
svidKeyFileName: tls.key
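Review bot: the file header for this hunk did not survive in the rendered diff, but on its content: `cmd: "bash"` with `cmdArgs: "-c \"echo rolled. ...\""` assumes the `sidecar` container's image (`mysql`) ships bash, and `customSidecar: sidecar` names a container that has no `volumeMounts` for `certs` in this manifest; the `NOTE` comment at the top should say whether the mutating policy injects the certs mount into the named sidecar automatically or whether the user is expected to add it, since a sidecar that cannot read the rotated files will "roll" nothing. Consider also using a busybox-sized image for the sidecar in an example, as pulling `mysql` just to run an `echo` makes the example slow and obscures what is required.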
49 changes: 49 additions & 0 deletions charts/spiffe-helper-csi-driver/examples/good/nginx.yaml
@@ -0,0 +1,49 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
shareProcessNamespace: true
containers:
- name: nginx
image: nginx
command:
- /bin/sh
- -c
- |
echo $$$$ > $$SPIFFE_HELPER_PID_CERTS
cat > /etc/nginx/conf.d/ssl.conf <<EOF
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /certs/tls.crt;
ssl_certificate_key /certs/tls.key;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
EOF
exec nginx -g "daemon off;"
volumeMounts:
- name: certs
mountPath: /certs
ports:
- containerPort: 443
volumes:
- name: certs
csi:
driver: helper.spiffe.io
volumeAttributes:
renewSignal: SIGHUP
pidContainer: nginx

addIntermediatesToBundle: "true"

svidFileName: tls.crt
svidKeyFileName: tls.key
svidBundleFileName: ca.pem
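Review bot: `shareProcessNamespace: true` is what lets the helper deliver `renewSignal: SIGHUP` to `pidContainer: nginx`, but it also lets every container in the pod see, signal and (via /proc) read the environment of every other container's processes; add a comment above it stating that trade-off, so users copying the "good" example know they are widening the pod's internal isolation boundary on purpose. The manifest also relies on `$$SPIFFE_HELPER_PID_CERTS` being injected (nothing here defines it) and on the `$$` escaping being unwrapped by Kubernetes before the shell sees `$$`; a one-line comment on each would save the next reader a trip to the policy. Drop the stray blank lines inside `volumeAttributes`.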