--- apiVersion: v1 kind: ServiceAccount metadata: name: spire-server labels: app.kubernetes.io/part-of: nginx-service-mesh imagePullSecrets: - name: {{ include "registry-key-name" . }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: spire-server.security.builtin.nsm.nginx labels: app.kubernetes.io/part-of: nginx-service-mesh rules: - apiGroups: [""] resources: ["pods", "nodes"] verbs: ["get"] - apiGroups: [""] resources: ["configmaps"] resourceNames: ["spire-bundle"] verbs: ["get", "patch"] - apiGroups: ["authentication.k8s.io"] resources: ["tokenreviews"] verbs: ["create"] - apiGroups: ["apiregistration.k8s.io"] resources: ["apiservices"] verbs: ["get", "list", "patch", "watch"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] verbs: ["get", "list", "patch", "watch"] {{- if .Values.mtls.upstreamAuthority.certManager }} - apiGroups: ["cert-manager.io"] resources: ["certificaterequests"] verbs: ["get", "list", "create", "delete"] {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: spire-server.security.builtin.nsm.nginx labels: app.kubernetes.io/part-of: nginx-service-mesh roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: spire-server.security.builtin.nsm.nginx subjects: - kind: ServiceAccount name: spire-server namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: k8s-workload-registrar.security.builtin.nsm.nginx labels: app.kubernetes.io/part-of: nginx-service-mesh rules: - apiGroups: [""] resources: ["endpoints", "pods", "nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["spiffeid.spiffe.io"] resources: ["spiffeids"] verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - apiGroups: ["spiffeid.spiffe.io"] resources: ["spiffeids/status"] verbs: ["get", "patch", "update"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: k8s-workload-registrar.security.builtin.nsm.nginx labels: app.kubernetes.io/part-of: nginx-service-mesh roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: k8s-workload-registrar.security.builtin.nsm.nginx subjects: - kind: ServiceAccount name: spire-server namespace: {{ .Release.Namespace }} {{- if (or (include "ua-secret-name" .) (include "ua-vault-env-name" .)) }} --- apiVersion: v1 kind: Secret metadata: name: spire-server labels: app.kubernetes.io/part-of: nginx-service-mesh type: Opaque data: {{- if (include "ua-secret-name" .) }} {{ include "ua-secret-name" . }}: {{ include "ua-secret-value" . }}{{ end }} {{- if (include "ua-vault-env-name" .) }} {{ include "ua-vault-env-name" . }}: {{ include "ua-vault-env-value" . }}{{ end }} {{- end }} --- apiVersion: v1 kind: ConfigMap metadata: name: spire-bundle labels: app.kubernetes.io/part-of: nginx-service-mesh --- apiVersion: v1 kind: ConfigMap metadata: name: spire-server labels: app.kubernetes.io/part-of: nginx-service-mesh data: server.conf: {{ tpl (.Files.Get "configs/spire-server.conf") . | quote }} {{ if (include "ua-upstream-cert" .) -}} {{ include "ua-upstream-cert" . }}{{ end }} {{ if (include "ua-upstream-client-cert" .) -}} {{ include "ua-upstream-client-cert" . }}{{ end }} {{ if (include "ua-upstream-bundle" .) -}} {{ include "ua-upstream-bundle" . }}{{ end }} --- apiVersion: v1 kind: ConfigMap metadata: name: k8s-workload-registrar labels: app.kubernetes.io/part-of: nginx-service-mesh data: k8s-workload-registrar.conf: {{ tpl (.Files.Get "configs/k8s-workload-registrar.conf") . | quote }} --- apiVersion: v1 kind: Service metadata: name: spire-server labels: app.kubernetes.io/name: spire-server app.kubernetes.io/part-of: nginx-service-mesh spec: ports: - name: api protocol: TCP port: 8081 targetPort: 8081 selector: app.kubernetes.io/name: spire-server app.kubernetes.io/part-of: nginx-service-mesh --- apiVersion: v1 kind: Service metadata: name: k8s-workload-registrar labels: app.kubernetes.io/name: k8s-workload-registrar app.kubernetes.io/part-of: nginx-service-mesh spec: ports: - name: webhook protocol: TCP port: 443 targetPort: 9443 selector: app.kubernetes.io/name: spire-server --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: k8s-workload-registrar.security.builtin.nsm.nginx labels: app.kubernetes.io/part-of: nginx-service-mesh spiffe.io/webhook: "true" webhooks: - name: k8s-workload-registrar.{{ .Release.Namespace }}.svc clientConfig: service: name: k8s-workload-registrar namespace: {{ .Release.Namespace }} path: "/validate-spiffeid-spiffe-io-v1beta1-spiffeid" sideEffects: None admissionReviewVersions: ["v1"] rules: - apiGroups: ["spiffeid.spiffe.io"] apiVersions: ["v1beta1"] operations: ["CREATE", "UPDATE", "DELETE"] resources: ["spiffeids"] scope: Namespaced --- apiVersion: apps/v1 {{- if eq .Values.mtls.persistentStorage "on" }} kind: StatefulSet {{- else }} kind: Deployment {{- end }} metadata: name: spire-server labels: app.kubernetes.io/name: spire-server app.kubernetes.io/part-of: nginx-service-mesh spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: spire-server app.kubernetes.io/part-of: nginx-service-mesh {{- if eq .Values.mtls.persistentStorage "on" }} serviceName: spire-server {{- end }} template: metadata: labels: app.kubernetes.io/name: spire-server app.kubernetes.io/part-of: nginx-service-mesh spec: serviceAccountName: spire-server shareProcessNamespace: true containers: - name: spire-server image: {{ include "spire.image-server" . }}/spire-server:1.5.6 imagePullPolicy: {{ .Values.registry.imagePullPolicy }} args: - -config - /run/spire/config/server.conf ports: - name: spire-server protocol: TCP containerPort: 8081 {{- if (include "ua-vault-env-name" .) }} env: - name: {{ include "ua-vault-env-name" . }} valueFrom: secretKeyRef: name: spire-server key: {{ include "ua-vault-env-name" . }} {{- end }} volumeMounts: - name: spire-config mountPath: /run/spire/config readOnly: true {{- if (include "ua-secret-mountpath" .) }} - name: spire-secrets mountPath: {{ include "ua-secret-mountpath" . }} readOnly: true {{- end }} - name: spire-data mountPath: /run/spire/data readOnly: false - name: spire-server-socket mountPath: /run/spire/sockets readOnly: false livenessProbe: httpGet: port: 8082 path: /live failureThreshold: 2 initialDelaySeconds: 15 periodSeconds: 60 timeoutSeconds: 3 readinessProbe: httpGet: port: 8082 path: /ready initialDelaySeconds: 5 periodSeconds: 5 - name: k8s-workload-registrar image: {{ include "spire.image-server" . }}/k8s-workload-registrar:1.5.6 imagePullPolicy: {{ .Values.registry.imagePullPolicy }} args: - -config - /run/spire/config/k8s-workload-registrar.conf ports: - name: webhook protocol: TCP containerPort: 9443 env: - name: MY_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace volumeMounts: - name: k8s-workload-registrar-config mountPath: /run/spire/config readOnly: true - name: spire-server-socket mountPath: /run/spire/sockets readOnly: true volumes: - name: spire-config configMap: name: spire-server {{- if (include "ua-secret-name" .) }} - name: spire-secrets secret: secretName: spire-server items: - key: {{ include "ua-secret-name" . }} path: {{ include "ua-secret-name" . }} {{- end }} - name: spire-server-socket emptyDir: {} - name: k8s-workload-registrar-config configMap: name: k8s-workload-registrar {{- if eq .Values.mtls.persistentStorage "off" }} - name: spire-data emptyDir: { } {{- end }} {{- if eq .Values.mtls.persistentStorage "on" }} volumeClaimTemplates: - metadata: name: spire-data namespace: {{ .Release.Namespace }} spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi {{- end }} {{- if eq .Values.environment "openshift" }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: system:openshift:scc:nginx-mesh-spire-server-permissions labels: app.kubernetes.io/part-of: nginx-service-mesh rules: - apiGroups: ["security.openshift.io"] resources: ["securitycontextconstraints"] resourceNames: ["nginx-mesh-spire-server-permissions"] verbs: ["use"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: system:openshift:scc:nginx-mesh-spire-server-permissions labels: app.kubernetes.io/part-of: nginx-service-mesh roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:openshift:scc:nginx-mesh-spire-server-permissions subjects: - kind: ServiceAccount name: spire-server namespace: {{ .Release.Namespace }} --- apiVersion: security.openshift.io/v1 kind: SecurityContextConstraints metadata: name: nginx-mesh-spire-server-permissions labels: app.kubernetes.io/part-of: nginx-service-mesh allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false allowPrivilegedContainer: false seLinuxContext: type: MustRunAs readOnlyRootFilesystem: false runAsUser: type: RunAsAny volumes: - configMap - secret - emptyDir - persistentVolumeClaim {{- end }}