From d45be00a85096b4b991a0c728414bf2efe45f578 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Thu, 16 Jan 2025 12:08:37 -0800 Subject: [PATCH 1/4] Initial swag at a spire-ha-agent chart Signed-off-by: Kevin Fox --- charts/spire-ha-agent/Chart.lock | 6 + charts/spire-ha-agent/Chart.yaml | 23 ++ charts/spire-ha-agent/README.md | 83 +++++++ charts/spire-ha-agent/templates/NOTES.txt | 1 + charts/spire-ha-agent/templates/_helpers.tpl | 137 ++++++++++++ .../spire-ha-agent/templates/daemonset.yaml | 207 ++++++++++++++++++ .../templates/serviceaccount.yaml | 13 ++ charts/spire-ha-agent/values.yaml | 198 +++++++++++++++++ 8 files changed, 668 insertions(+) create mode 100644 charts/spire-ha-agent/Chart.lock create mode 100644 charts/spire-ha-agent/Chart.yaml create mode 100644 charts/spire-ha-agent/README.md create mode 100644 charts/spire-ha-agent/templates/NOTES.txt create mode 100644 charts/spire-ha-agent/templates/_helpers.tpl create mode 100644 charts/spire-ha-agent/templates/daemonset.yaml create mode 100644 charts/spire-ha-agent/templates/serviceaccount.yaml create mode 100644 charts/spire-ha-agent/values.yaml diff --git a/charts/spire-ha-agent/Chart.lock b/charts/spire-ha-agent/Chart.lock new file mode 100644 index 000000000..69455ccac --- /dev/null +++ b/charts/spire-ha-agent/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: spire-lib + repository: file://../spire/charts/spire-lib + version: 0.1.0 +digest: sha256:e397a79d7d3b94b353f8458cb435f2cae9fd9495b367b9216958bff2771b801c +generated: "2024-11-08T00:50:47.925287061Z" diff --git a/charts/spire-ha-agent/Chart.yaml b/charts/spire-ha-agent/Chart.yaml new file mode 100644 index 000000000..2940cdc9a --- /dev/null +++ b/charts/spire-ha-agent/Chart.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v2 +name: spire-ha-agent +description: A Helm chart to install the SPIRE HA agent. +type: application +version: 0.1.0 +appVersion: "0.0.7" +keywords: ["spiffe", "spire-ha-agent"] +home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire-ha-agent +sources: + - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire +icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png +maintainers: + - name: marcofranssen + email: marco.franssen@gmail.com + url: https://marcofranssen.nl + - name: kfox1111 + email: Kevin.Fox@pnnl.gov + - name: faisal-memon + email: fymemon@yahoo.com +dependencies: + - name: spire-lib + repository: file://../spire/charts/spire-lib + version: 0.1.0 diff --git a/charts/spire-ha-agent/README.md b/charts/spire-ha-agent/README.md new file mode 100644 index 000000000..b3f38710d --- /dev/null +++ b/charts/spire-ha-agent/README.md 
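Review bot: The `sources` entry points at `charts/spire` while `home` points at `charts/spire-ha-agent`; unless the HA agent's code really lives under the spire chart directory, it should read `- https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire-ha-agent`. The README added in this same commit advertises `AppVersion: 1.7.2` in its badge while this file sets `appVersion: "0.0.7"`, so the README appears to have been generated from a different Chart.yaml and should be regenerated from this one.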
@@ -0,0 +1,83 @@ +# spire-ha-agent + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square) + +A Helm chart to install the SPIRE HA agent. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| marcofranssen | | | +| kfox1111 | | | +| faisal-memon | | | + +## Source Code + +* + + + +## Parameters + +### Chart parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spire-ha-agent` | +| `image.pullPolicy` | The image pull policy | `Always` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `singleSocket` | If in singleSocket mode, only one driver is used | `false` | +| `sockets.single.admin.hostPath` | Where the sockets are on disk when in single socket mode | `/var/run/spire/agent/sockets/main/csi.spiffe.io/admin` | +| `sockets.a.admin.hostPath` | Where the sockets are on disk | `/var/run/spire/agent/sockets/a/csi.spiffe.io/admin` | +| `sockets.b.admin.hostPath` | Where the sockets are on disk | `/var/run/spire/agent/sockets/b/csi.spiffe.io/admin` | +| `vsock` | Use a vsockets to expose the service rather then a unix socket | `false` | +| `port` | Port number to listen on | `999` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | 
`""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. | `""` | +| `podAnnotations` | Annotations to add to pods | `{}` | +| `podLabels` | Labels to add to pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `nodeSelector` | Node selector | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `affinity` | Node affinity | `{}` | +| `updateStrategy.type` | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete. | `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable pods during update. Can be a number or a percentage. | `1` | +| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | +| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:e16830b0cc7e9e3258588fbcb82714ee67d9043221632832d7504080151bb1d2` | +| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | +| `cid2PID.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `cid2PID.image.repository` | The repository within the registry | `kfox1111/misc3` | +| `cid2PID.image.pullPolicy` | The image pull policy | `Always` | +| `cid2PID.image.tag` | Overrides the image tag whose default is the chart appVersion | `cid2pid` | +| `cid2PID.busybox.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `cid2PID.busybox.image.repository` | The 
repository within the registry | `library/busybox` | +| `cid2PID.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `cid2PID.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.36.1-uclibc` | +| `cid2PID.busybox.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | +| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | +| `socketAlternate.names` | List of alternate names for the socket that workloads might expect to be able to access in the driver mount. | `["socket","spire-agent.sock","api.sock"]` | +| `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | +| `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | +| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:e16830b0cc7e9e3258588fbcb82714ee67d9043221632832d7504080151bb1d2` | +| `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | +| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | +| `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | +| `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` | +| `extraVolumeMounts` | Extra volume mounts for Spire Agent pods | `[]` | +| `extraContainers` | Additional containers to create with Spire Agent pods | `[]` | +| `initContainers` | Additional init containers to create with Spire Agent pods | `[]` | +| `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` | 
diff --git a/charts/spire-ha-agent/templates/NOTES.txt b/charts/spire-ha-agent/templates/NOTES.txt new file mode 100644 index 000000000..dfe3e24a5 --- /dev/null +++ b/charts/spire-ha-agent/templates/NOTES.txt @@ -0,0 +1 @@ +Installed {{ .Chart.Name }}… diff --git a/charts/spire-ha-agent/templates/_helpers.tpl b/charts/spire-ha-agent/templates/_helpers.tpl new file mode 100644 index 000000000..bbe212a2b --- /dev/null +++ b/charts/spire-ha-agent/templates/_helpers.tpl 
@@ -0,0 +1,137 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "spire-ha-agent.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "spire-ha-agent.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "spire-ha-agent.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.system.name }} + {{- else }} + {{- printf "spire-system" }} + {{- end }} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{- define "spire-ha-agent.server.namespace" -}} + {{- if .Values.server.namespaceOverride -}} + {{- .Values.server.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.server.name }} + {{- else }} + {{- printf "spire-server" }} + {{- end }} + {{- else -}} + 
{{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{- define "spire-ha-agent.podMonitor.namespace" -}} + {{- if ne (len .Values.telemetry.prometheus.podMonitor.namespace) 0 }} + {{- .Values.telemetry.prometheus.podMonitor.namespace }} + {{- else if ne (len (dig "telemetry" "prometheus" "podMonitor" "namespace" "" .Values.global)) 0 }} + {{- .Values.global.telemetry.prometheus.podMonitor.namespace }} + {{- else }} + {{- include "spire-ha-agent.namespace" . }} + {{- end }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "spire-ha-agent.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "spire-ha-agent.labels" -}} +helm.sh/chart: {{ include "spire-ha-agent.chart" . | quote }} +{{ include "spire-ha-agent.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "spire-ha-agent.selectorLabels" -}} +app.kubernetes.io/name: {{ include "spire-ha-agent.name" . | quote }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "spire-ha-agent.serviceAccountName" -}} +{{- default (printf "%s-agent" .Release.Name) .Values.serviceAccount.name }} +{{- end }} + +{{- define "spire-ha-agent.server-address" }} +{{- if and (ne (len (dig "spire" "upstreamSpireAddress" "" .Values.global)) 0) .Values.upstream }} +{{- print .Values.global.spire.upstreamSpireAddress }} +{{- else if .Values.server.address }} +{{- .Values.server.address }} +{{- else if .Values.server.nameOverride }} +{{ .Release.Name }}-{{ .Values.server.nameOverride }}.{{ include "spire-ha-agent.server.namespace" . 
}} +{{- else }} +{{ .Release.Name }}-server.{{ include "spire-ha-agent.server.namespace" . }} +{{- end }} +{{- end }} + +{{- define "spire-ha-agent.socket-path" -}} +{{- print .Values.socketPath }} +{{- end }} + +{{- define "spire-ha-agent.connect-by-hostname" -}} +{{- if ne .Values.kubeletConnectByHostname "" }} +{{- if eq (.Values.kubeletConnectByHostname | toString) "true" }} +{{- printf "true" }} +{{- else }} +{{- printf "false" }} +{{- end }} +{{- else if (dig "openshift" false .Values.global) }} +{{- printf "true" }} +{{- else }} +{{- printf "false" }} +{{- end }} +{{- end }} + +{{- define "spire-ha-agent.socket-alternate-names" -}} +{{- $sockName := .Values.socketPath | base }} +{{- $l := deepCopy .Values.socketAlternate.names }} +{{- $l = without $l $sockName }} +names: +{{ $l | toYaml }} +{{- end }} diff --git a/charts/spire-ha-agent/templates/daemonset.yaml b/charts/spire-ha-agent/templates/daemonset.yaml new file mode 100644 index 000000000..23a5d2ed3 --- /dev/null +++ b/charts/spire-ha-agent/templates/daemonset.yaml 
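Review bot: `spire-ha-agent.server.namespace`, `spire-ha-agent.podMonitor.namespace`, `spire-ha-agent.server-address` and `spire-ha-agent.connect-by-hostname` dereference `.Values.server.*`, `.Values.telemetry.prometheus.podMonitor.namespace` and `.Values.kubeletConnectByHostname`, none of which exist in this chart's values.yaml, so any template that later includes them will fail to render with Helm's nil-pointer evaluation error. None of the templates in this commit call them, so they look carried over from the spire-agent chart and should either be removed or given matching defaults in values.yaml. Separately, `spire-ha-agent.serviceAccountName` defaults to `<release>-agent`, which I believe is the same default the spire-agent chart uses, so installing both charts into one release and namespace would produce two ServiceAccounts with the same name; `{{- default (printf "%s-ha-agent" .Release.Name) .Values.serviceAccount.name }}` avoids that, and the values.yaml comment claiming the name comes from the fullname template should be aligned with whichever default is kept.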
@@ -0,0 +1,207 @@ +{{- $podSecurityContext := fromYaml (include "spire-lib.podsecuritycontext" .) }} +{{- $mainSecurityContext := deepCopy .Values.securityContext }} +{{- $socketAlternateNames := index (include "spire-ha-agent.socket-alternate-names" . | fromYaml) "names" }} +{{- $socketPath := include "spire-ha-agent.socket-path" . }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "spire-ha-agent.fullname" . | quote }} + namespace: {{ include "spire-ha-agent.namespace" . | quote}} + labels: + {{- include "spire-ha-agent.labels" . | nindent 4 }} + app.kubernetes.io/component: spire-ha-agent +spec: + selector: + matchLabels: + {{- include "spire-ha-agent.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: spire-ha-agent + {{- with .Values.updateStrategy }} + updateStrategy: + {{- if not (has .type (list "RollingUpdate" "OnDelete")) }} + {{- fail "updateStrategy.type can only be RollingUpdate or OnDelete"}} + {{- end }} + type: {{ .type }} + {{- if eq .type "RollingUpdate" }} + rollingUpdate: + maxUnavailable: {{ .rollingUpdate.maxUnavailable }} + {{- end }} + {{- end }} + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: spire-ha-agent + labels: + {{- include "spire-ha-agent.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: spire-ha-agent + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: {{ include "spire-ha-agent.serviceAccountName" . | quote }} + securityContext: + {{- toYaml $podSecurityContext | nindent 8 }} + {{- include "spire-lib.default_node_priority_class_name" . 
| nindent 6 }} + {{- if ne (len .Values.hostAliases) 0 }} + hostAliases: + {{- toYaml .Values.hostAliases | nindent 8 }} + {{- end }} + initContainers: + {{- if not .Values.vsock }} + {{- if gt (len $socketAlternateNames) 0 }} + - name: ensure-alternate-names + image: {{ template "spire-lib.image" (dict "image" .Values.socketAlternate.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.socketAlternate.image.pullPolicy | quote }} + command: ["bash", "-xc"] + {{- /* 1. Look for symlinks pointing at the wrong place and remove them. 2. Make symlinks that don't exist. 3. If new socket is pointing at an existing symlink, remove old symlink. */}} + args: + - | + cd {{ $socketPath | dir }} + {{- range $socketAlternateNames }} + L=`readlink {{ . }}` + [ "x$L" != "x{{ $socketPath | base }}" ] && rm -f {{ . }} + [ ! -L {{ . }} ] && ln -s {{ $socketPath | base }} {{ . }} + {{- end }} + [ -L {{ $socketPath | base }} ] && rm -f {{ $socketPath | base }} + exit 0 + resources: + {{- toYaml .Values.socketAlternate.resources | nindent 12 }} + volumeMounts: + - name: spire-ha-agent-socket-dir + mountPath: {{ $socketPath | dir }} + securityContext: + runAsUser: 0 + runAsGroup: 0 + {{- end }} + {{- else }} + - name: setup-shell + image: {{ template "spire-lib.image" (dict "image" .Values.cid2PID.busybox.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.cid2PID.busybox.image.pullPolicy | quote }} + command: ["sh", "-xc"] + args: + - | + cp -a /bin/busybox /data + resources: + {{- toYaml .Values.cid2PID.busybox.resources | nindent 12 }} + volumeMounts: + - name: cid2pid + mountPath: /data + securityContext: + runAsUser: 0 + runAsGroup: 0 + - name: setup-cid2pid + image: {{ template "spire-lib.image" (dict "image" .Values.cid2PID.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.cid2PID.image.pullPolicy | quote }} + command: ["/data/busybox", "sh", "-xc"] + args: + - | + /data/busybox cp -a /usr/bin/cid2pid /data + /data/busybox rm -f /data/busybox + 
resources: + {{- toYaml .Values.cid2PID.resources | nindent 12 }} + volumeMounts: + - name: cid2pid + mountPath: /data + securityContext: + runAsUser: 0 + runAsGroup: 0 + {{- end }} + {{- if gt (len .Values.initContainers) 0 }} + {{- toYaml .Values.initContainers | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name | quote }} + image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + securityContext: + privileged: true +#FIXME read permission to api socket + runAsUser: 0 + runAsGroup: 0 + #{- $mainSecurityContext | toYaml | nindent 12 }} + env: + {{- if .Values.singleSocket }} + - name: SPIRE_HA_AGENT_SINGLE + value: enabled + {{- end }} + {{- if .Values.vsock }} + - name: SPIRE_HA_AGENT_VSOCK + value: enabled + - name: SPIRE_HA_AGENT_PORT + value: {{ .Values.port | quote }} + {{- end }} + {{- with .Values.extraEnvVars }} + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: +# - name: spire-ha-agent-persistence +# mountPath: /var/lib/spire + {{- if .Values.vsock }} + - name: cid2pid + mountPath: /usr/bin/cid2pid + subPath: cid2pid + readOnly: true + {{- else }} + - name: spire-ha-agent-socket-dir + mountPath: /tmp/spire-ha-agent/public + readOnly: false + {{- end }} + - name: spire-ha-admin-socket-dir-upstream-a + mountPath: /var/run/spire/agent/sockets/a/private + {{- if not .Values.singleSocket }} + - name: spire-ha-admin-socket-dir-upstream-b + mountPath: /var/run/spire/agent/sockets/b/private + {{- end }} + - name: dev + mountPath: /dev + {{- if gt (len .Values.extraVolumeMounts) 0 }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- if gt (len .Values.extraContainers) 0 }} + {{- toYaml .Values.extraContainers | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + {{- if not .Values.vsock }} + - name: spire-ha-agent-socket-dir + hostPath: + path: {{ $socketPath | dir }} + type: DirectoryOrCreate + {{- end }} + - name: spire-ha-admin-socket-dir-upstream-a + hostPath: + path: {{ if .Values.singleSocket }}{{ .Values.sockets.single.admin.hostPath }}{{ else }}{{ .Values.sockets.a.admin.hostPath }}{{ end }} + type: DirectoryOrCreate + {{- if not .Values.singleSocket }} + - name: spire-ha-admin-socket-dir-upstream-b + hostPath: + path: {{ .Values.sockets.b.admin.hostPath }} + type: DirectoryOrCreate + {{- end }} + - name: dev + hostPath: + path: /dev + - name: cid2pid + emtpyDir: {} + {{- if gt (len .Values.extraVolumes) 0 }} + {{- toYaml .Values.extraVolumes | nindent 8 }} + {{- end }} diff --git a/charts/spire-ha-agent/templates/serviceaccount.yaml b/charts/spire-ha-agent/templates/serviceaccount.yaml new file mode 100644 index 000000000..4944bdbdc --- /dev/null +++ b/charts/spire-ha-agent/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "spire-ha-agent.serviceAccountName" . | quote }} + namespace: {{ include "spire-ha-agent.namespace" . | quote }} + labels: + {{- include "spire-ha-agent.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/spire-ha-agent/values.yaml b/charts/spire-ha-agent/values.yaml new file mode 100644 index 000000000..25529d60e --- /dev/null +++ b/charts/spire-ha-agent/values.yaml 
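Review bot: The `cid2pid` volume near the end of the volumes list is declared as `emtpyDir: {}`; the field is `emptyDir`, so the rendered DaemonSet fails OpenAPI validation as an unknown field (or, with validation disabled, is rejected by the API server as a volume with no source), and because the entry is outside any `{{ if }}` the chart cannot install in either mode; the fix is `emptyDir: {}`. The main container also runs with `privileged: true` on top of `hostPID: true`, `hostNetwork: true`, uid/gid 0 and a read-write hostPath mount of `/dev`, which is node-root equivalent; the `#FIXME read permission to api socket` comment suggests privileged is standing in for a narrower fix (group membership or a specific capability for the admin socket), which should be resolved or at least documented before a release. Because the `$mainSecurityContext` line is commented out and `.Values.podAnnotations` is never referenced, the `securityContext` and `podAnnotations` parameters documented in values.yaml and the README are silently ignored; either render them (for annotations, `{{- with .Values.podAnnotations }}{{- toYaml . | nindent 8 }}{{- end }}` under the existing `annotations:` key) or remove them from the values and docs.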
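Review bot: The ServiceAccount, and the DaemonSet pod that uses it, leave `automountServiceAccountToken` at its default, so every agent pod — which already runs privileged with hostPID and hostNetwork — receives a projected API token that nothing in this chart appears to need, since no Role, RoleBinding or ClusterRoleBinding is created for it. Unless the HA agent does talk to the API server, add `automountServiceAccountToken: false` to this manifest (or to the pod spec in daemonset.yaml) so that a compromise of the container does not also hand out a cluster identity.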
@@ -0,0 +1,198 @@ +# Default configuration for Spire Agent +# SPDX-License-Identifier: APACHE-2.0 + +## @skip global +global: {} + +## @section Chart parameters +## +## @param image.registry The OCI registry to pull the image from +## @param image.repository The repository within the registry +## @param image.pullPolicy The image pull policy +## @param image.tag Overrides the image tag whose default is the chart appVersion +## +image: + registry: ghcr.io + repository: spiffe/spire-ha-agent + pullPolicy: Always # IfNotPresent + tag: "" + +## @param singleSocket If in singleSocket mode, only one driver is used +singleSocket: false + +## @param sockets.single.admin.hostPath Where the sockets are on disk when in single socket mode +## @param sockets.a.admin.hostPath Where the sockets are on disk +## @param sockets.b.admin.hostPath Where the sockets are on disk +sockets: + single: + admin: + hostPath: /var/run/spire/agent/sockets/main/csi.spiffe.io/admin + a: + admin: + hostPath: /var/run/spire/agent/sockets/a/csi.spiffe.io/admin + b: + admin: + hostPath: /var/run/spire/agent/sockets/b/csi.spiffe.io/admin + +## @param vsock Use a vsockets to expose the service rather then a unix socket +vsock: false + +## @param port Port number to listen on +port: 999 + +## @param imagePullSecrets [array] Pull secrets for images +imagePullSecrets: [] + +## @param nameOverride Name override +nameOverride: "" + +## @param namespaceOverride Namespace override +namespaceOverride: "" + +## @param fullnameOverride Fullname override +fullnameOverride: "" + +serviceAccount: + ## @param serviceAccount.create Specifies whether a service account should be created + create: true + ## @param serviceAccount.annotations [object] Annotations to add to the service account + annotations: {} + ## @param serviceAccount.name The name of the service account to use. 
+ ## If not set and create is true, a name is generated using the fullname template + name: "" + +## @param podAnnotations [object] Annotations to add to pods +podAnnotations: {} + +## @param podLabels [object] Labels to add to pods +podLabels: {} + +## @param podSecurityContext [object] Pod security context +podSecurityContext: {} + # fsGroup: 2000 + +## @param securityContext [object] Security context +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +## @param resources [object] Resource requests and limits +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # requests: + # cpu: 50m + # memory: 64Mi + # limits: + # cpu: 100m + # memory: 128Mi + +## @param nodeSelector [object] Node selector +nodeSelector: {} + +## @param tolerations [array] List of tolerations +tolerations: [] + +## @param affinity [object] Node affinity +affinity: {} + +## @param updateStrategy.type The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete. +## @param updateStrategy.rollingUpdate.maxUnavailable Max unavailable pods during update. Can be a number or a percentage. +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + +# When running as non root, needed to ensure the socket path has the correct permissions. +# Set runAsUser to a non-zero value in podSecurityContext to run as non-root user. 
+fsGroupFix: + ## @param fsGroupFix.image.registry The OCI registry to pull the image from + ## @param fsGroupFix.image.repository The repository within the registry + ## @param fsGroupFix.image.pullPolicy The image pull policy + ## @param fsGroupFix.image.tag Overrides the image tag whose default is the chart appVersion + ## + image: + registry: cgr.dev + repository: chainguard/bash + pullPolicy: Always + tag: latest@sha256:e16830b0cc7e9e3258588fbcb82714ee67d9043221632832d7504080151bb1d2 + + ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + +cid2PID: + ## @param cid2PID.image.registry The OCI registry to pull the image from + ## @param cid2PID.image.repository The repository within the registry + ## @param cid2PID.image.pullPolicy The image pull policy + ## @param cid2PID.image.tag Overrides the image tag whose default is the chart appVersion + ## + image: + registry: docker.io + repository: kfox1111/misc3 + pullPolicy: Always + tag: cid2pid + + ## @param cid2PID.busybox.image.registry The OCI registry to pull the image from + ## @param cid2PID.busybox.image.repository The repository within the registry + ## @param cid2PID.busybox.image.pullPolicy The image pull policy + ## @param cid2PID.busybox.image.tag Overrides the image tag whose default is the chart appVersion + ## + busybox: + image: + registry: docker.io + repository: library/busybox + pullPolicy: IfNotPresent + tag: 1.36.1-uclibc + + ## @param cid2PID.busybox.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + +## @param socketPath The unix socket path to the spire-agent +socketPath: /run/spire/agent-sockets/spire-agent.sock + +socketAlternate: + ## @param socketAlternate.names List of alternate names for the socket that workloads might expect to be able to access in the driver mount. 
+ names: + - socket + - spire-agent.sock + - api.sock + + ## @param socketAlternate.image.registry The OCI registry to pull the image from + ## @param socketAlternate.image.repository The repository within the registry + ## @param socketAlternate.image.pullPolicy The image pull policy + ## @param socketAlternate.image.tag Overrides the image tag whose default is the chart appVersion + ## + image: + registry: cgr.dev + repository: chainguard/bash + pullPolicy: Always + tag: latest@sha256:e16830b0cc7e9e3258588fbcb82714ee67d9043221632832d7504080151bb1d2 + + ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + +## @param priorityClassName Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. +priorityClassName: "" + +## @param extraEnvVars [array] Extra environment variables to be added to the Spire Agent container +extraEnvVars: [] + +## @param extraVolumes [array] Extra volumes to be mounted on Spire Agent pods +extraVolumes: [] + +## @param extraVolumeMounts [array] Extra volume mounts for Spire Agent pods +extraVolumeMounts: [] + +## @param extraContainers [array] Additional containers to create with Spire Agent pods +extraContainers: [] + +## @param initContainers [array] Additional init containers to create with Spire Agent pods +initContainers: [] +## @param hostAliases [array] Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ +hostAliases: [] From 6f331d4f8426b2fcec4b0aa75d0c98488411e866 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Thu, 16 Jan 2025 12:12:58 -0800 Subject: [PATCH 2/4] Fix default Signed-off-by: Kevin Fox --- charts/spire-ha-agent/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire-ha-agent/values.yaml b/charts/spire-ha-agent/values.yaml index 25529d60e..424b7c838 100644 
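Review bot: The `fsGroupFix` block (image, tag and resources) is documented as a chart parameter here and in the README, but nothing in the templates added by this commit references it, so it is dead configuration that suggests a non-root permission fix-up container exists when none is rendered; either wire it into daemonset.yaml or drop it until it is used. The busybox image consumed by the `setup-shell` init container is pinned only by tag (`1.36.1-uclibc`) while both `chainguard/bash` images are pinned by digest; for a consistent supply-chain posture pin it as well, e.g. `tag: "1.36.1-uclibc@sha256:<digest>"` (placeholder digest). The header comment `# Default configuration for Spire Agent` also reads as carried over from the spire-agent chart and should name this chart.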
--- a/charts/spire-ha-agent/values.yaml +++ b/charts/spire-ha-agent/values.yaml @@ -14,7 +14,7 @@ global: {} image: registry: ghcr.io repository: spiffe/spire-ha-agent - pullPolicy: Always # IfNotPresent + pullPolicy: IfNotPresent tag: "" ## @param singleSocket If in singleSocket mode, only one driver is used From 7cfc379f11bd3a2ac2f61574e9ed5a407ad2fffe Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Thu, 16 Jan 2025 12:14:44 -0800 Subject: [PATCH 3/4] Fix docs Signed-off-by: Kevin Fox --- charts/spire-ha-agent/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire-ha-agent/README.md b/charts/spire-ha-agent/README.md index b3f38710d..2a012bee0 100644 --- a/charts/spire-ha-agent/README.md +++ b/charts/spire-ha-agent/README.md @@ -28,7 +28,7 @@ A Helm chart to install the SPIRE HA agent. | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | | `image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `image.repository` | The repository within the registry | `spiffe/spire-ha-agent` | -| `image.pullPolicy` | The image pull policy | `Always` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | | `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `singleSocket` | If in singleSocket mode, only one driver is used | `false` | | `sockets.single.admin.hostPath` | Where the sockets are on disk when in single socket mode | `/var/run/spire/agent/sockets/main/csi.spiffe.io/admin` | From d89d95f8a507594c92af305c15017f515ef9f32d Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Thu, 16 Jan 2025 14:55:06 -0800 Subject: [PATCH 4/4] Use released cid2pid 
Signed-off-by: Kevin Fox --- charts/spire-ha-agent/README.md | 6 +++--- charts/spire-ha-agent/values.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/spire-ha-agent/README.md b/charts/spire-ha-agent/README.md index 2a012bee0..67ef87c2b 100644 --- a/charts/spire-ha-agent/README.md +++ b/charts/spire-ha-agent/README.md @@ -58,10 +58,10 @@ A Helm chart to install the SPIRE HA agent. | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | | `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:e16830b0cc7e9e3258588fbcb82714ee67d9043221632832d7504080151bb1d2` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | -| `cid2PID.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `cid2PID.image.repository` | The repository within the registry | `kfox1111/misc3` | +| `cid2PID.image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `cid2PID.image.repository` | The repository within the registry | `kfox1111/cid2pid` | | `cid2PID.image.pullPolicy` | The image pull policy | `Always` | -| `cid2PID.image.tag` | Overrides the image tag whose default is the chart appVersion | `cid2pid` | +| `cid2PID.image.tag` | Overrides the image tag whose default is the chart appVersion | `v0.0.3` | | `cid2PID.busybox.image.registry` | The OCI registry to pull the image from | `docker.io` | | `cid2PID.busybox.image.repository` | The repository within the registry | `library/busybox` | | `cid2PID.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire-ha-agent/values.yaml b/charts/spire-ha-agent/values.yaml index 424b7c838..1f9aa8839 100644 --- a/charts/spire-ha-agent/values.yaml +++ b/charts/spire-ha-agent/values.yaml 
@@ -133,10 +133,10 @@ cid2PID:
   ## @param cid2PID.image.tag Overrides the image tag whose default is the chart appVersion
   ##
   image:
-    registry: docker.io
-    repository: kfox1111/misc3
+    registry: ghcr.io
+    repository: kfox1111/cid2pid
     pullPolicy: Always
-    tag: cid2pid
+    tag: v0.0.3
 
   ## @param cid2PID.busybox.image.registry The OCI registry to pull the image from
   ## @param cid2PID.busybox.image.repository The repository within the registry