diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
index 9a5279bd8..ee7346e00 100644
--- a/charts/spire/charts/spire-agent/README.md
+++ b/charts/spire/charts/spire-agent/README.md
@@ -53,6 +53,7 @@ A Helm chart to install the SPIRE agent.
 | `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` |
 | `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` |
 | `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` |
+| `trustBundleHostPath` | If set, obtain trust bundle from a file on the host instead of from the ConfigMap | `""` |
 | `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` |
 | `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` |
 | `server.address` | Address for Spire server | `""` |
diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml
index fad025551..73a003ea6 100644
--- a/charts/spire/charts/spire-agent/templates/configmap.yaml
+++ b/charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -41,6 +41,8 @@ agent:
 {{- if ne (len .Values.trustBundleURL) 0 }}
 trust_bundle_url: {{ .Values.trustBundleURL | quote }}
 trust_bundle_format: {{ .Values.trustBundleFormat | quote }}
+ {{- else if ne (len .Values.trustBundleHostPath) 0 }}
+ trust_bundle_path: {{ .Values.trustBundleHostPath | quote }}
 {{- else }}
 trust_bundle_path: "/run/spire/bundle/bundle.crt"
 {{- end }}
diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml
index fd7a985e3..805c4c00b 100644
--- a/charts/spire/charts/spire-agent/templates/daemonset.yaml
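Review bot: When both `trustBundleURL` and `trustBundleHostPath` are set, the new `else if` branch is never reached because the URL branch is tested first, so the host path is silently ignored; the daemonset's volume condition (`eq (len .Values.trustBundleURL) 0`) follows the same precedence, and an operator who set both ends up trusting a bundle source they did not intend without any signal. Fail the render instead of picking one silently: `{{- if and (ne (len .Values.trustBundleURL) 0) (ne (len .Values.trustBundleHostPath) 0) }}{{ fail "trustBundleURL and trustBundleHostPath are mutually exclusive" }}{{- end }}` placed before the existing `if`. The enclosing `agent:` block starts outside the hunk.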
+++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml
@@ -265,8 +265,12 @@ spec:
 {{- end }}
 {{- if eq (len .Values.trustBundleURL) 0 }}
 - name: spire-bundle
- mountPath: /run/spire/bundle
 readOnly: true
+ {{- if ne (len .Values.trustBundleHostPath) 0 }}
+ mountPath: {{ .Values.trustBundleHostPath | dir | quote }}
+ {{- else }}
+ mountPath: /run/spire/bundle
+ {{- end }}
 {{- end }}
 {{- if .Values.nodeAttestor.tpmDirect.enabled }}
 - name: tpm-direct
@@ -348,9 +352,14 @@ spec:
 {{- end }}
 {{- if eq (len .Values.trustBundleURL) 0 }}
 - name: spire-bundle
+ {{- if ne (len .Values.trustBundleHostPath) 0 }}
+ hostPath:
+ path: {{ .Values.trustBundleHostPath | dir | quote }}
+ {{- else }}
 configMap:
 name: {{ printf "%s%s" (include "spire-lib.bundle-configmap" .) $nameSuffix | quote }}
 {{- end }}
+ {{- end }}
 {{- if .Values.nodeAttestor.tpmDirect.enabled }}
 - name: tpm-direct
 emptyDir: {}
diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
index 2b2d12beb..4b4e185ad 100644
--- a/charts/spire/charts/spire-agent/values.yaml
+++ b/charts/spire/charts/spire-agent/values.yaml
@@ -95,6 +95,8 @@ trustDomain: example.org
 trustBundleURL: ""
 ## @param trustBundleFormat If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe"
 trustBundleFormat: pem
+## @param trustBundleHostPath If set, obtain trust bundle from a file on the host instead of from the ConfigMap
+trustBundleHostPath: ""
 ## @param bundleConfigMap Configmap name for Spire bundle
 bundleConfigMap: spire-bundle
 ## @param availabilityTarget The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h.
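Review bot: `mountPath: {{ .Values.trustBundleHostPath | dir | quote }}` mounts the whole parent directory of the bundle file into the agent container, and the matching volume in the second hunk (`path: {{ .Values.trustBundleHostPath | dir | quote }}`) declares no `type`, so an illustrative value like `/etc/ssl/certs/bundle.pem` exposes every sibling file in that node directory and a mistyped path that does not exist on the node is not rejected at mount time. If the directory mount is not needed to pick up rename-style replacements of the bundle, mount the file itself: `mountPath: {{ .Values.trustBundleHostPath | quote }}` here, and `path: {{ .Values.trustBundleHostPath | quote }}` plus `type: File` under `hostPath:` in the second hunk; otherwise keep `dir` but add `type: Directory` and a comment explaining why the directory rather than the file is mounted. The mount is `readOnly: true` (context line above), which limits this to read exposure. Both hunks' enclosing `volumeMounts`/`volumes` lists start and end outside the hunks.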
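Review bot: The new `@param` line for `trustBundleHostPath` does not tell operators what the chart does with the value: it is consumed only when `trustBundleURL` is empty, it must be an absolute path to the bundle file (the templates derive the mount point from it with `dir`), and its containing directory is bind-mounted read-only from the node into the agent. Suggest `## @param trustBundleHostPath If set (and trustBundleURL is empty), absolute path on the node to the trust bundle file; its parent directory is mounted read-only into the agent`. The README row appears to be generated from this comment, so the README hunk would pick the wording up with it.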