183 lines
4.7 KiB
YAML
183 lines
4.7 KiB
YAML
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: spire-agent
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
imagePullSecrets:
|
|
- name: {{ include "registry-key-name" . }}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: spire-agent.security.builtin.nsm.nginx
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["pods", "nodes", "nodes/proxy"]
|
|
verbs: ["get"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: spire-agent.security.builtin.nsm.nginx
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: spire-agent.security.builtin.nsm.nginx
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: spire-agent
|
|
namespace: {{ .Release.Namespace }}
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: spire-agent
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
data:
|
|
agent.conf: {{ tpl (.Files.Get "configs/spire-agent.conf") . | quote }}
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: DaemonSet
|
|
metadata:
|
|
name: spire-agent
|
|
labels:
|
|
app.kubernetes.io/name: spire-agent
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: spire-agent
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: spire-agent
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
spec:
|
|
serviceAccountName: spire-agent
|
|
hostPID: true
|
|
hostNetwork: true
|
|
dnsPolicy: ClusterFirstWithHostNet
|
|
initContainers:
|
|
- name: init
|
|
image: {{ include "curl.image-server" . }}/curl
|
|
command:
|
|
- /bin/sh
|
|
- -c
|
|
- |
|
|
# passing dummy value forces telnet connection to exit on success with code 48
|
|
while $(curl -t 'DUMMY=1' -s telnet://spire-server:8081); [ $? -ne 48 ]; do
|
|
sleep 1
|
|
done
|
|
containers:
|
|
- name: spire-agent
|
|
image: {{ include "spire.image-server" . }}/spire-agent:1.5.6
|
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
|
args:
|
|
- -config
|
|
- /run/spire/config/agent.conf
|
|
volumeMounts:
|
|
- name: spire-config
|
|
mountPath: /run/spire/config
|
|
readOnly: true
|
|
- name: spire-bundle
|
|
mountPath: /run/spire/bundle
|
|
readOnly: true
|
|
- name: spire-agent-socket
|
|
mountPath: /run/spire/sockets
|
|
- name: spire-token
|
|
mountPath: /var/run/secrets/tokens
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /live
|
|
port: 8080
|
|
failureThreshold: 2
|
|
initialDelaySeconds: 15
|
|
periodSeconds: 60
|
|
timeoutSeconds: 3
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /ready
|
|
port: 8080
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
volumes:
|
|
- name: spire-config
|
|
configMap:
|
|
name: spire-agent
|
|
- name: spire-bundle
|
|
configMap:
|
|
name: spire-bundle
|
|
- name: spire-agent-socket
|
|
hostPath:
|
|
path: /run/spire/sockets
|
|
type: DirectoryOrCreate
|
|
- name: spire-token
|
|
projected:
|
|
sources:
|
|
- serviceAccountToken:
|
|
audience: spire-server
|
|
expirationSeconds: 7200
|
|
path: spire-agent
|
|
{{- if eq .Values.environment "openshift" }}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: system:openshift:scc:nginx-mesh-spire-agent-permissions
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
rules:
|
|
- apiGroups: ["security.openshift.io"]
|
|
resources: ["securitycontextconstraints"]
|
|
resourceNames: ["nginx-mesh-spire-agent-permissions"]
|
|
verbs: ["use"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: system:openshift:scc:nginx-mesh-spire-agent-permissions
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: system:openshift:scc:nginx-mesh-spire-agent-permissions
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: spire-agent
|
|
namespace: {{ .Release.Namespace }}
|
|
---
|
|
apiVersion: security.openshift.io/v1
|
|
kind: SecurityContextConstraints
|
|
metadata:
|
|
name: nginx-mesh-spire-agent-permissions
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
allowHostDirVolumePlugin: true
|
|
allowHostIPC: false
|
|
allowHostPID: true
|
|
allowHostNetwork: true
|
|
allowHostPorts: false
|
|
allowPrivilegedContainer: false
|
|
seLinuxContext:
|
|
type: MustRunAs
|
|
readOnlyRootFilesystem: false
|
|
runAsUser:
|
|
type: RunAsAny
|
|
fsGroup:
|
|
type: MustRunAs
|
|
volumes:
|
|
- configMap
|
|
- hostPath
|
|
- projected
|
|
- secret
|
|
{{- end }}
|