--- apiVersion: v1 kind: ServiceAccount metadata: name: spire-agent labels: app.kubernetes.io/part-of: nginx-service-mesh imagePullSecrets: - name: {{ include "registry-key-name" . }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: spire-agent.security.builtin.nsm.nginx labels: app.kubernetes.io/part-of: nginx-service-mesh rules: - apiGroups: [""] resources: ["pods", "nodes", "nodes/proxy"] verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: spire-agent.security.builtin.nsm.nginx labels: app.kubernetes.io/part-of: nginx-service-mesh roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: spire-agent.security.builtin.nsm.nginx subjects: - kind: ServiceAccount name: spire-agent namespace: {{ .Release.Namespace }} --- apiVersion: v1 kind: ConfigMap metadata: name: spire-agent labels: app.kubernetes.io/part-of: nginx-service-mesh data: agent.conf: {{ tpl (.Files.Get "configs/spire-agent.conf") . | quote }} --- apiVersion: apps/v1 kind: DaemonSet metadata: name: spire-agent labels: app.kubernetes.io/name: spire-agent app.kubernetes.io/part-of: nginx-service-mesh spec: selector: matchLabels: app.kubernetes.io/name: spire-agent app.kubernetes.io/part-of: nginx-service-mesh template: metadata: labels: app.kubernetes.io/name: spire-agent app.kubernetes.io/part-of: nginx-service-mesh spec: serviceAccountName: spire-agent hostPID: true hostNetwork: true dnsPolicy: ClusterFirstWithHostNet initContainers: - name: init image: {{ include "curl.image-server" . }}/curl command: - /bin/sh - -c - | # passing dummy value forces telnet connection to exit on success with code 48 while $(curl -t 'DUMMY=1' -s telnet://spire-server:8081); [ $? -ne 48 ]; do sleep 1 done containers: - name: spire-agent image: {{ include "spire.image-server" . }}/spire-agent:1.5.6 imagePullPolicy: {{ .Values.registry.imagePullPolicy }} args: - -config - /run/spire/config/agent.conf volumeMounts: - name: spire-config mountPath: /run/spire/config readOnly: true - name: spire-bundle mountPath: /run/spire/bundle readOnly: true - name: spire-agent-socket mountPath: /run/spire/sockets - name: spire-token mountPath: /var/run/secrets/tokens livenessProbe: httpGet: path: /live port: 8080 failureThreshold: 2 initialDelaySeconds: 15 periodSeconds: 60 timeoutSeconds: 3 readinessProbe: httpGet: path: /ready port: 8080 initialDelaySeconds: 5 periodSeconds: 5 volumes: - name: spire-config configMap: name: spire-agent - name: spire-bundle configMap: name: spire-bundle - name: spire-agent-socket hostPath: path: /run/spire/sockets type: DirectoryOrCreate - name: spire-token projected: sources: - serviceAccountToken: audience: spire-server expirationSeconds: 7200 path: spire-agent {{- if eq .Values.environment "openshift" }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: system:openshift:scc:nginx-mesh-spire-agent-permissions labels: app.kubernetes.io/part-of: nginx-service-mesh rules: - apiGroups: ["security.openshift.io"] resources: ["securitycontextconstraints"] resourceNames: ["nginx-mesh-spire-agent-permissions"] verbs: ["use"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: system:openshift:scc:nginx-mesh-spire-agent-permissions labels: app.kubernetes.io/part-of: nginx-service-mesh roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:openshift:scc:nginx-mesh-spire-agent-permissions subjects: - kind: ServiceAccount name: spire-agent namespace: {{ .Release.Namespace }} --- apiVersion: security.openshift.io/v1 kind: SecurityContextConstraints metadata: name: nginx-mesh-spire-agent-permissions labels: app.kubernetes.io/part-of: nginx-service-mesh allowHostDirVolumePlugin: true allowHostIPC: false allowHostPID: true allowHostNetwork: true allowHostPorts: false allowPrivilegedContainer: false seLinuxContext: type: MustRunAs readOnlyRootFilesystem: false runAsUser: type: RunAsAny fsGroup: type: MustRunAs volumes: - configMap - hostPath - projected - secret {{- end }}