andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/f5/nginx-service-mesh/templates/spire-server.yaml

372 lines
10 KiB
YAML
Raw Blame History

---
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-server
labels:
app.kubernetes.io/part-of: nginx-service-mesh
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: spire-server.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups: [""]
resources: ["pods", "nodes"]
verbs: ["get"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["spire-bundle"]
verbs: ["get", "patch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "list", "patch", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
verbs: ["get", "list", "patch", "watch"]
{{- if .Values.mtls.upstreamAuthority.certManager }}
- apiGroups: ["cert-manager.io"]
resources: ["certificaterequests"]
verbs: ["get", "list", "create", "delete"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: spire-server.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: spire-server.security.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: spire-server
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: k8s-workload-registrar.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups: [""]
resources: ["endpoints", "pods", "nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["spiffeid.spiffe.io"]
resources: ["spiffeids"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["spiffeid.spiffe.io"]
resources: ["spiffeids/status"]
verbs: ["get", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-workload-registrar.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k8s-workload-registrar.security.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
name: spire-server
namespace: {{ .Release.Namespace }}
{{- if (or (include "ua-secret-name" .) (include "ua-vault-env-name" .)) }}
---
apiVersion: v1
kind: Secret
metadata:
name: spire-server
labels:
app.kubernetes.io/part-of: nginx-service-mesh
type: Opaque
data:
{{- if (include "ua-secret-name" .) }}
{{ include "ua-secret-name" . }}: {{ include "ua-secret-value" . }}{{ end }}
{{- if (include "ua-vault-env-name" .) }}
{{ include "ua-vault-env-name" . }}: {{ include "ua-vault-env-value" . }}{{ end }}
{{- end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-bundle
labels:
app.kubernetes.io/part-of: nginx-service-mesh
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-server
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
server.conf: {{ tpl (.Files.Get "configs/spire-server.conf") . | quote }}
{{ if (include "ua-upstream-cert" .) -}}
{{ include "ua-upstream-cert" . }}{{ end }}
{{ if (include "ua-upstream-client-cert" .) -}}
{{ include "ua-upstream-client-cert" . }}{{ end }}
{{ if (include "ua-upstream-bundle" .) -}}
{{ include "ua-upstream-bundle" . }}{{ end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: k8s-workload-registrar
labels:
app.kubernetes.io/part-of: nginx-service-mesh
data:
k8s-workload-registrar.conf: {{ tpl (.Files.Get "configs/k8s-workload-registrar.conf") . | quote }}
---
apiVersion: v1
kind: Service
metadata:
name: spire-server
labels:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
ports:
- name: api
protocol: TCP
port: 8081
targetPort: 8081
selector:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
---
apiVersion: v1
kind: Service
metadata:
name: k8s-workload-registrar
labels:
app.kubernetes.io/name: k8s-workload-registrar
app.kubernetes.io/part-of: nginx-service-mesh
spec:
ports:
- name: webhook
protocol: TCP
port: 443
targetPort: 9443
selector:
app.kubernetes.io/name: spire-server
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: k8s-workload-registrar.security.builtin.nsm.nginx
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spiffe.io/webhook: "true"
webhooks:
- name: k8s-workload-registrar.{{ .Release.Namespace }}.svc
clientConfig:
service:
name: k8s-workload-registrar
namespace: {{ .Release.Namespace }}
path: "/validate-spiffeid-spiffe-io-v1beta1-spiffeid"
sideEffects: None
admissionReviewVersions: ["v1"]
rules:
- apiGroups: ["spiffeid.spiffe.io"]
apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["spiffeids"]
scope: Namespaced
---
apiVersion: apps/v1
{{- if eq .Values.mtls.persistentStorage "on" }}
kind: StatefulSet
{{- else }}
kind: Deployment
{{- end }}
metadata:
name: spire-server
labels:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
{{- if eq .Values.mtls.persistentStorage "on" }}
serviceName: spire-server
{{- end }}
template:
metadata:
labels:
app.kubernetes.io/name: spire-server
app.kubernetes.io/part-of: nginx-service-mesh
spec:
serviceAccountName: spire-server
shareProcessNamespace: true
containers:
- name: spire-server
image: {{ include "spire.image-server" . }}/spire-server:1.5.6
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- -config
- /run/spire/config/server.conf
ports:
- name: spire-server
protocol: TCP
containerPort: 8081
{{- if (include "ua-vault-env-name" .) }}
env:
- name: {{ include "ua-vault-env-name" . }}
valueFrom:
secretKeyRef:
name: spire-server
key: {{ include "ua-vault-env-name" . }}
{{- end }}
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
{{- if (include "ua-secret-mountpath" .) }}
- name: spire-secrets
mountPath: {{ include "ua-secret-mountpath" . }}
readOnly: true
{{- end }}
- name: spire-data
mountPath: /run/spire/data
readOnly: false
- name: spire-server-socket
mountPath: /run/spire/sockets
readOnly: false
livenessProbe:
httpGet:
port: 8082
path: /live
failureThreshold: 2
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 3
readinessProbe:
httpGet:
port: 8082
path: /ready
initialDelaySeconds: 5
periodSeconds: 5
- name: k8s-workload-registrar
image: {{ include "spire.image-server" . }}/k8s-workload-registrar:1.5.6
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
args:
- -config
- /run/spire/config/k8s-workload-registrar.conf
ports:
- name: webhook
protocol: TCP
containerPort: 9443
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: k8s-workload-registrar-config
mountPath: /run/spire/config
readOnly: true
- name: spire-server-socket
mountPath: /run/spire/sockets
readOnly: true
volumes:
- name: spire-config
configMap:
name: spire-server
{{- if (include "ua-secret-name" .) }}
- name: spire-secrets
secret:
secretName: spire-server
items:
- key: {{ include "ua-secret-name" . }}
path: {{ include "ua-secret-name" . }}
{{- end }}
- name: spire-server-socket
emptyDir: {}
- name: k8s-workload-registrar-config
configMap:
name: k8s-workload-registrar
{{- if eq .Values.mtls.persistentStorage "off" }}
- name: spire-data
emptyDir: { }
{{- end }}
{{- if eq .Values.mtls.persistentStorage "on" }}
volumeClaimTemplates:
- metadata:
name: spire-data
namespace: {{ .Release.Namespace }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
{{- end }}
{{- if eq .Values.environment "openshift" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:openshift:scc:nginx-mesh-spire-server-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
rules:
- apiGroups: ["security.openshift.io"]
resources: ["securitycontextconstraints"]
resourceNames: ["nginx-mesh-spire-server-permissions"]
verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: system:openshift:scc:nginx-mesh-spire-server-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:nginx-mesh-spire-server-permissions
subjects:
- kind: ServiceAccount
name: spire-server
namespace: {{ .Release.Namespace }}
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: nginx-mesh-spire-server-permissions
labels:
app.kubernetes.io/part-of: nginx-service-mesh
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
seLinuxContext:
type: MustRunAs
readOnlyRootFilesystem: false
runAsUser:
type: RunAsAny
volumes:
- configMap
- secret
- emptyDir
- persistentVolumeClaim
{{- end }}
Reference in New Issue View Git Blame Copy Permalink