From d16baa67929934a011b9e5909a9ca1a8b175f820 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Tue, 26 Dec 2023 17:12:44 -0800 Subject: [PATCH 1/7] Add basic CSI driver for the spire-helper This adds a prototype level helm chart for a virtual csi driver that makes it significantly easier to integrate existing software running on Kubernetes with SPIRE. Signed-off-by: Kevin Fox --- charts/spiffe-helper-csi-driver/.helmignore | 23 + charts/spiffe-helper-csi-driver/Chart.yaml | 22 + charts/spiffe-helper-csi-driver/README.md | 32 ++ .../examples/bad/test-pod.yaml | 50 ++ .../examples/good/test-pod.yaml | 49 ++ .../examples/good/test2-pod.yaml | 49 ++ .../examples/good/test3-pod.yaml | 52 ++ .../files/clusterpolicy.yaml | 495 ++++++++++++++++++ .../templates/_spire-lib.tpl | 26 + .../templates/clusterpolicy.yaml | 4 + charts/spiffe-helper-csi-driver/values.yaml | 13 + 11 files changed, 815 insertions(+) create mode 100644 charts/spiffe-helper-csi-driver/.helmignore create mode 100644 charts/spiffe-helper-csi-driver/Chart.yaml create mode 100644 charts/spiffe-helper-csi-driver/README.md create mode 100644 charts/spiffe-helper-csi-driver/examples/bad/test-pod.yaml create mode 100644 charts/spiffe-helper-csi-driver/examples/good/test-pod.yaml create mode 100644 charts/spiffe-helper-csi-driver/examples/good/test2-pod.yaml create mode 100644 charts/spiffe-helper-csi-driver/examples/good/test3-pod.yaml create mode 100644 charts/spiffe-helper-csi-driver/files/clusterpolicy.yaml create mode 100644 charts/spiffe-helper-csi-driver/templates/_spire-lib.tpl create mode 100644 charts/spiffe-helper-csi-driver/templates/clusterpolicy.yaml create mode 100644 charts/spiffe-helper-csi-driver/values.yaml diff --git a/charts/spiffe-helper-csi-driver/.helmignore b/charts/spiffe-helper-csi-driver/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/spiffe-helper-csi-driver/.helmignore 
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/spiffe-helper-csi-driver/Chart.yaml b/charts/spiffe-helper-csi-driver/Chart.yaml new file mode 100644 index 000000000..566a94f36 --- /dev/null +++ b/charts/spiffe-helper-csi-driver/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +name: spiffe-helper-csi-driver +description: > + A Helm chart for deploying the Spiffe Helper CSI Drier +type: application +version: 0.1.0 +appVersion: "0.0.1" +keywords: ["spiffe-helper-csi-driver"] +home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +sources: + - https://github.com/spiffe/helm-charts/tree/main/charts/spire +icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png +maintainers: + - name: marcofranssen + email: marco.franssen@gmail.com + url: https://marcofranssen.nl + - name: kfox1111 + email: Kevin.Fox@pnnl.gov + - name: faisal-memon + email: fymemon@yahoo.com + - name: edwbuck + email: edwbuck@gmail.com diff --git a/charts/spiffe-helper-csi-driver/README.md b/charts/spiffe-helper-csi-driver/README.md new file mode 100644 index 000000000..2177b2120 --- /dev/null +++ b/charts/spiffe-helper-csi-driver/README.md 
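Review bot: Chart.yaml's `description` reads "Spiffe Helper CSI Drier", and its `home` and `sources` entries point at `charts/spire` rather than this chart's own directory, so the generated README in the next hunk inherits both. `appVersion: "0.0.1"` also disagrees with the `AppVersion: 1.7.2` badge that README carries, which suggests the README was generated from a different Chart.yaml. Fix the metadata and regenerate, e.g. `description: A Helm chart for deploying the SPIFFE Helper CSI Driver` and `home: https://github.com/spiffe/helm-charts/tree/main/charts/spiffe-helper-csi-driver`.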
@@ -0,0 +1,32 @@ +# spire-helper-csi-driver + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square) + +A Helm chart to install the SPIFFE HELPER CSI Driver. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| marcofranssen | | | +| kfox1111 | | | +| faisal-memon | | | +| edwbuck | | | + +## Source Code + +* + +## Prereqs: + +Your cluster needs to have Kyverno installed. You can do that by running something like the following: + +``` +helm upgrade --install --create-namespace kyverno kyverno -n kyverno --repo https://kyverno.github.io/kyverno/ --version 3.1.1 +``` + + + +## Parameters diff --git a/charts/spiffe-helper-csi-driver/examples/bad/test-pod.yaml b/charts/spiffe-helper-csi-driver/examples/bad/test-pod.yaml new file mode 100644 index 000000000..8c06686c5 --- /dev/null +++ b/charts/spiffe-helper-csi-driver/examples/bad/test-pod.yaml 
@@ -0,0 +1,50 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-test +spec: + # shareProcessNamespace: true + # hostPID: true + containers: + - name: nginx + image: nginx + command: + - /bin/sh + - -c + - | + echo $$$$ > $$SPIFFE_HELPER_PID_CERTS + cat > /etc/nginx/conf.d/ssl.conf < $$SPIFFE_HELPER_PID_CERTS + cat > /etc/nginx/conf.d/ssl.conf < $$SPIFFE_HELPER_PID_CERTS + cat > /etc/nginx/conf.d/ssl.conf < /etc/nginx/conf.d/ssl.conf < /config/helper-init.conf + - exit_when_ready = true + - agent_address = "/spiffe-workload-api/spire-agent.sock" + - cert_dir = "/certs" + helperSidecarBase: + - "/bin/sh" + - "-c" + - (echo "$0"; for i in "$@"; do echo "$i"; done) > /config/helper-sidecar.conf + - agent_address = "/spiffe-workload-api/spire-agent.sock" + - cert_dir = "/certs" + confDocInit: {} + confDocSidecar: {} + helperVolumeNeeded: false + validationFailure: false +#FIXME +# More checks here and validation below: +# * cmd and cmdArgs should only be used if customSidecar is set +# * customSidecar and pidContainer can't be used together +# * renewSignal requires pidContainer +# * check for unknown volumeAttributes +# * all 3 svid options need to all be specified. 
+ - name: check-pid-container + match: + any: + - resources: + kinds: + - Pod + preconditions: + all: + - key: "{{ request.object.spec.volumes[?csi && csi.driver == 'helper.spiffe.io' && csi.volumeAttributes && csi.volumeAttributes.pidContainer] || `[]` | length(@) }}" + operator: GreaterThan + value: 0 + - key: "{{ request.object.spec.shareProcessNamespace || request.object.spec.hostPID || `false` }}" + operator: NotEqual + value: true + mutate: + patchesJson6902: | + - op: add + path: /tmp/validationFailure + value: true + - name: build-names + match: + any: + - resources: + kinds: + - Pod + mutate: + foreach: + - list: "request.object.spec.volumes[?csi && csi.driver == 'helper.spiffe.io']" + patchesJson6902: | + - op: add + path: /tmp/names/-1 + value: {{ element }} + - name: copy-non-driver-volumes + match: + any: + - resources: + kinds: + - Pod + mutate: + foreach: + - list: "request.object.spec.volumes[? !(csi && csi.driver == 'helper.spiffe.io')]" + patchesJson6902: | + - op: add + path: /tmp/volumes/-1 + value: {{ element }} + - name: build-helper-needed + match: + any: + - resources: + kinds: + - Pod + mutate: + foreach: + - list: "request.object.spec.volumes[?csi && csi.driver == 'helper.spiffe.io' && csi.volumeAttributes && csi.volumeAttributes.customSidecar]" + patchesJson6902: | + - op: replace + path: /tmp/helperVolumeNeeded + value: true + - name: build-confdocs + match: + any: + - resources: + kinds: + - Pod + context: + - name: rename + variable: + value: + addIntermediatesToBundle: add_intermediates_to_bundle + cmd: cmd + cmdArgs: cmd_args + customSidecar: customSidecar + #jwtAudience: jwt_audience + #jwtBundleFileName: jwt_bundle_file_name + #jwtSVIDFileName: jwt_svid_file_name + pidContainer: pidContainer + renewSignal: renew_signal + svidFileName: svid_file_name + svidKeyFileName: svid_key_file_name + svidBundleFileName: svid_bundle_file_name + - name: initMatch + variable: + value: + addIntermediatesToBundle: true + cmd: false + cmdArgs: false 
+ customSidecar: false + #jwtAudience: true + #jwtBundleFileName: true + #jwtSVIDFileName: true + pidContainer: false + renewSignal: false + svidBundleFileName: true + svidFileName: true + svidKeyFileName: true + - name: sidecarMatch + variable: + value: + addIntermediatesToBundle: true + cmd: true + cmdArgs: true + customSidecar: false + #jwtAudience: true + #jwtBundleFileName: true + #jwtSVIDFileName: true + pidContainer: false + renewSignal: true + svidBundleFileName: true + svidFileName: true + svidKeyFileName: true + mutate: + foreach: + - list: "request.object.spec.volumes[?csi && csi.driver == 'helper.spiffe.io']" + foreach: + #FIXME Ensure volumeAttrbutes always exists? + - list: "items(element.csi.volumeAttributes, 'key', 'value')[]" + preconditions: + any: + - key: "{{ initMatch.{{ element.key }} }}" + operator: Equals + value: true + patchesJson6902: | + - path: "/tmp/confDocInit/{{ element0.name }}/-" + op: add + value: {{ rename.{{ element.key }} }} = {{ (element.value != 'true' && join('"', ['', element.value, ''])) || 'true' }} + - list: "items(element.csi.volumeAttributes, 'key', 'value')[]" + preconditions: + any: + - key: "{{ sidecarMatch.{{ element.key }} }}" + operator: Equals + value: true + patchesJson6902: | + - path: "/tmp/confDocSidecar/{{ element0.name }}/-" + op: add + value: |- + {{ rename.{{ element.key }} }} = {{ (element.value != 'true' && join('"', ['', replace_all(element.value, '"', '\"'), ''])) || 'true' }} + - name: clear-volumes + match: + any: + - resources: + kinds: + - Pod + preconditions: + any: + - key: "{{ request.object.tmp.validationFailure }}" + operator: NotEquals + value: true + mutate: + patchesJson6902: | + - op: replace + path: "/spec/volumes" + value: [] + - name: build-spiffe-helper-volume + match: + any: + - resources: + kinds: + - Pod + preconditions: + all: + - key: "{{ request.object.tmp.validationFailure }}" + operator: NotEquals + value: true + - key: "{{ request.object.tmp.helperVolumeNeeded }}" + 
operator: equal + value: true + mutate: + patchesJson6902: | + - op: add + path: /spec/initContainers/0 + value: + name: "spiffe-helper-prep" + image: @SPIFFE_HELPER_IMAGE@ + command: + - "/spiffe-helper-tmp/busybox" + - "sh" + - "-c" + - "/spiffe-helper-tmp/busybox cp -a /spiffe-helper /spiffe-helper-tmp/ && /spiffe-helper-tmp/busybox rm -f /spiffe-helper-tmp/busybox" + volumeMounts: + - name: "spiffe-helper" + mountPath: /spiffe-helper-tmp + - op: add + path: /spec/initContainers/0 + value: + name: "spiffe-helper-busybox" + image: @BUSYBOX_IMAGE@ + command: + - "sh" + - "-c" + - "cp /bin/busybox /spiffe-helper" + volumeMounts: + - name: "spiffe-helper" + mountPath: /spiffe-helper + - path: /spec/volumes/- + op: add + value: + name: spiffe-helper + emptyDir: {} + - name: add-sidecar + match: + any: + - resources: + kinds: + - Pod + preconditions: + all: + - key: "{{ request.object.tmp.validationFailure }}" + operator: NotEquals + value: true + mutate: + foreach: + - list: "request.object.tmp.names" + preconditions: + any: + - key: "{{ element.csi.volumeAttributes.customSidecar || '' }}" + operator: Equals + value: '' + #FIXME Don't add if owner is not a job + patchesJson6902: | + - op: add + path: /spec/containers/- + value: + name: "spiffe-helper-refresh-tls-{{ element.name }}" + image: @SPIFFE_HELPER_IMAGE@ + volumeMounts: + - name: "{{ element.name }}" + mountPath: /certs + - name: "spiffe-helper-conf-{{ element.name }}" + mountPath: /etc/spiffe-helper.conf + subPath: helper-sidecar.conf + readOnly: true + - name: "spiffe-helper-spire-agent" + mountPath: /spiffe-workload-api + readOnly: true + {{ element.csi.volumeAttributes.pidContainer && '- {"name": "spiffe-helper-pid-{{ element.name }}", "mountPath": "/pid", "readOnly": true}' || '' }} + - name: xxx + match: + any: + - resources: + kinds: + - Pod + preconditions: + any: + - key: "{{ request.object.tmp.validationFailure }}" + operator: NotEquals + value: true + mutate: + foreach: + - list: 
"request.object.tmp.names" + patchesJson6902: | + - op: add + path: /spec/volumes/-1 + value: + name: "{{ element.name }}" + emptyDir: {} + - op: add + path: /spec/volumes/-1 + value: + name: "spiffe-helper-conf-{{ element.name }}" + emptyDir: {} + - op: add + path: /spec/initContainers/0 + value: + name: "spiffe-helper-tls-{{ element.name }}" + image: @SPIFFE_HELPER_IMAGE@ + volumeMounts: + - name: "{{ element.name }}" + mountPath: /certs + - name: "spiffe-helper-conf-{{ element.name }}" + mountPath: /etc/spiffe-helper.conf + subPath: helper-init.conf + readOnly: true + - name: "spiffe-helper-spire-agent" + mountPath: /spiffe-workload-api + readOnly: true + - op: add + path: /spec/initContainers/0 + value: + name: "spiffe-helper-conf-sidecar-{{ element.name }}" + image: @BUSYBOX_IMAGE@ + command: {{ [request.object.tmp.helperSidecarBase, request.object.tmp.confDocSidecar.{{ element.name }}, [element.csi.volumeAttributes.pidContainer && 'pid_file_name = "/pid/pid"' || '' ]][] }} + volumeMounts: + - name: "spiffe-helper-conf-{{ element.name }}" + mountPath: /config + - op: add + path: /spec/initContainers/0 + value: + name: "spiffe-helper-conf-init-{{ element.name }}" + image: @BUSYBOX_IMAGE@ + command: {{ [request.object.tmp.helperInitBase, request.object.tmp.confDocInit.{{ element.name }}][] }} + volumeMounts: + - name: "spiffe-helper-conf-{{ element.name }}" + mountPath: /config + - name: add-non-driver-volumes + match: + any: + - resources: + kinds: + - Pod + preconditions: + any: + - key: "{{ request.object.tmp.validationFailure }}" + operator: NotEquals + value: true + mutate: + foreach: + - list: "request.object.tmp.volumes" + patchesJson6902: | + - op: add + path: /spec/volumes/-1 + value: {{ element }} + - name: add-pid-container-bits + match: + any: + - resources: + kinds: + - Pod + preconditions: + all: + - key: "{{ request.object.tmp.validationFailure }}" + operator: NotEquals + value: true + mutate: + foreach: + - list: "request.object.tmp.names" + 
foreach: + #FIXME Ensure volumeAttrbutes always exists? + - list: "request.object.spec.containers" + preconditions: + any: + - key: "{{ element.name }}" + operator: Equals + value: "{{ element0.csi.volumeAttributes.pidContainer || '' }}" + patchesJson6902: | + - path: /spec/containers/{{ elementIndex1 }}/volumeMounts/- + op: add + value: + name: spiffe-helper-pid-{{ element0.name }} + mountPath: /spiffe-helper-pid-{{ element0.name }} + - path: /spec/containers/{{ elementIndex1 }}/env/- + op: add + value: + name: SPIFFE_HELPER_PID_{{ to_upper(element0.name) }} + value: /spiffe-helper-pid-{{ element0.name }}/pid + #FIXME Ensure volumeAttrbutes always exists? + - list: "request.object.spec.containers" + preconditions: + any: + - key: "{{ element.name }}" + operator: Equals + value: "{{ element0.csi.volumeAttributes.customSidecar || '' }}" + patchesJson6902: | + - path: /spec/containers/{{ elementIndex1 }}/command + op: add + value: + - /spiffe-helper/spiffe-helper + - -config + - /etc/spiffe-helper.conf + - path: /spec/containers/{{ elementIndex1 }}/volumeMounts/- + op: add + value: + name: "{{ element0.name }}" + mountPath: /certs + - path: /spec/containers/{{ elementIndex1 }}/volumeMounts/- + op: add + value: + name: "spiffe-helper-conf-{{ element0.name }}" + mountPath: /etc/spiffe-helper.conf + subPath: helper-sidecar.conf + readOnly: true + - path: /spec/containers/{{ elementIndex1 }}/volumeMounts/- + op: add + value: + name: "spiffe-helper-spire-agent" + mountPath: /spiffe-workload-api + readOnly: true + - path: /spec/containers/{{ elementIndex1 }}/volumeMounts/- + op: add + value: + name: "spiffe-helper" + mountPath: /spiffe-helper + readOnly: true + - name: add-pid-volume + match: + any: + - resources: + kinds: + - Pod + preconditions: + any: + - key: "{{ request.object.tmp.validationFailure }}" + operator: NotEquals + value: true + mutate: + foreach: + - list: "request.object.tmp.names" + #FIXME Ensure volumeAttrbutes always exists? 
Add only if needed + patchesJson6902: | + - path: /spec/volumes/- + op: add + value: + name: spiffe-helper-pid-{{ element.name }} + emptyDir: {} + - name: remove-tmp + match: + any: + - resources: + kinds: + - Pod + preconditions: + all: + - key: "{{ request.object.tmp.validationFailure }}" + operator: NotEquals + value: true + - key: "{{ length(request.object.tmp.names) }}" + operator: GreaterThan + value: 0 + mutate: + patchesJson6902: | + - op: add + path: /spec/volumes/-1 + value: + name: spiffe-helper-spire-agent + csi: + driver: csi.spiffe.io + readOnly: true + - op: remove + path: "/tmp" + - name: validate-pid-container + match: + any: + - resources: + kinds: + - Pod + preconditions: + all: + - key: "{{ request.object.spec.volumes[?csi && csi.driver == 'helper.spiffe.io' && csi.volumeAttributes && csi.volumeAttributes.pidContainer] || `[]` | length(@) }}" + operator: GreaterThan + value: 0 + validate: + message: "Pods using the csi spiffe-helper driver with pidContainer feature must use either shareProcessNamespace: true or hostPID: true" + deny: + conditions: + all: + - key: "{{ request.object.spec.shareProcessNamespace || request.object.spec.hostPID || `false` }}" + operator: NotEqual + value: true diff --git a/charts/spiffe-helper-csi-driver/templates/_spire-lib.tpl b/charts/spiffe-helper-csi-driver/templates/_spire-lib.tpl new file mode 100644 index 000000000..3ed589794 --- /dev/null +++ b/charts/spiffe-helper-csi-driver/templates/_spire-lib.tpl 
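Review bot: None of the containers this policy injects — the `spiffe-helper-busybox` and `spiffe-helper-prep` init containers in build-spiffe-helper-volume, the `spiffe-helper-tls-*` / `spiffe-helper-conf-*` init containers in the `xxx` rule and the `spiffe-helper-refresh-tls-*` sidecar in add-sidecar — carries a `securityContext` or `resources`, so a pod admitted into a namespace enforcing the Pod Security `restricted` profile is rejected after mutation, and elsewhere the helper runs with more privilege than the workload it serves; give each injected container a restricted-compatible securityContext (`allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`, `seccompProfile: {type: RuntimeDefault}`) or copy the pod's own. In build-confdocs the init-config branch builds the value with `join('"', ['', element.value, ''])` without the `replace_all(element.value, '"', '\"')` the sidecar branch applies, so a volumeAttributes value containing a double quote breaks or extends the generated helper-init.conf; use the escaped form in both patches. build-spiffe-helper-volume's second precondition uses `operator: equal` while the rest of the file uses `Equals`/`NotEquals` (and `NotEqual` in check-pid-container and validate-pid-container); Kyverno's operator names are case-sensitive identifiers, so this precondition likely fails policy validation or never matches. Finally, every rule matches all Pods cluster-wide with only the validationFailure precondition, so clear-volumes and add-non-driver-volumes rewrite the volume list of every pod in the cluster, and remove-tmp — gated on `length(request.object.tmp.names) > 0` — appears to leave the scratch `tmp` field on pods that never referenced helper.spiffe.io unless the rule that creates it (outside the readable part of this hunk) is gated the same way; gating the mutate rules on that same length check and scoping `match` with a namespace or label selector limits the blast radius of a policy bug to pods that opted in.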
@@ -0,0 +1,26 @@
+{{- define "spire-lib.registry" }}
+{{- if ne (len (dig "spire" "image" "registry" "" .global)) 0 }}
+{{- print .global.spire.image.registry "/"}}
+{{- else if ne (len (.image.registry)) 0 }}
+{{- print .image.registry "/"}}
+{{- end }}
+{{- end }}
+
+{{- define "spire-lib.image" -}}
+{{- $registry := include "spire-lib.registry" . }}
+{{- $repo := .image.repository }}
+{{- $tag := (default .image.tag .image.version) | toString }}
+{{- if eq (substr 0 7 $tag) "sha256:" }}
+{{- printf "%s/%s@%s" $registry $repo $tag }}
+{{- else if .appVersion }}
+{{- $appVersion := .appVersion }}
+{{- if and (hasKey . "ubi") (dig "openshift" false .global) }}
+{{- $appVersion = printf "ubi-%s" $appVersion }}
+{{- end }}
+{{- printf "%s%s:%s" $registry $repo (default $appVersion $tag) }}
+{{- else if $tag }}
+{{- printf "%s%s:%s" $registry $repo $tag }}
+{{- else }}
+{{- printf "%s%s" $registry $repo }}
+{{- end }}
+{{- end }}
diff --git a/charts/spiffe-helper-csi-driver/templates/clusterpolicy.yaml b/charts/spiffe-helper-csi-driver/templates/clusterpolicy.yaml
new file mode 100644
index 000000000..bd3b78191
--- /dev/null
+++ b/charts/spiffe-helper-csi-driver/templates/clusterpolicy.yaml
@@ -0,0 +1,4 @@
+{{- $cp := .Files.Get "files/clusterpolicy.yaml" }}
+{{- $spiffe_helper_image := include "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
+{{- $busybox_image := include "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
+{{- $cp | replace "@SPIFFE_HELPER_IMAGE@" $spiffe_helper_image | replace "@BUSYBOX_IMAGE@" $busybox_image }}
diff --git a/charts/spiffe-helper-csi-driver/values.yaml b/charts/spiffe-helper-csi-driver/values.yaml
new file mode 100644
index 000000000..b03742f1e
--- /dev/null
+++ b/charts/spiffe-helper-csi-driver/values.yaml
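Review bot: The image references are spliced into the policy with a plain-text `replace`, and in files/clusterpolicy.yaml the placeholders sit unquoted (`image: @SPIFFE_HELPER_IMAGE@`), so the rendered ClusterPolicy is valid YAML only as long as the image string a user configures contains no YAML-significant characters; quoting the placeholders in the policy file, `image: "@SPIFFE_HELPER_IMAGE@"`, makes the substitution safe for any registry/repository/tag value. Because `.Files.Get` returns the file as a string rather than rendering it as a template, `.Values` cannot be used inside files/clusterpolicy.yaml; a one-line comment above `$cp` such as `{{- /* files/clusterpolicy.yaml is not templated; only the @…@ placeholders below are substituted */ -}}` would save the next maintainer from trying.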
@@ -0,0 +1,13 @@ +global: {} + +spiffeHelper: + image: + registry: docker.io + repository: kfox1111/misc + tag: spiffe-helper-test3 + +busybox: + image: + registry: docker.io + repository: busybox + tag: 1.36.1-uclibc From 10921ee7e91b818c9bbb66fa7a1dcaa3ae70751c Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Tue, 26 Dec 2023 17:20:55 -0800 Subject: [PATCH 2/7] Remove extra comments Signed-off-by: Kevin Fox --- charts/spiffe-helper-csi-driver/examples/good/test3-pod.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/charts/spiffe-helper-csi-driver/examples/good/test3-pod.yaml b/charts/spiffe-helper-csi-driver/examples/good/test3-pod.yaml index f8f276be2..2aae96f89 100644 --- a/charts/spiffe-helper-csi-driver/examples/good/test3-pod.yaml +++ b/charts/spiffe-helper-csi-driver/examples/good/test3-pod.yaml @@ -42,8 +42,6 @@ spec: csi: driver: helper.spiffe.io volumeAttributes: - # cmd and cmdArgs should only work with customSidecar - # customSidecar and pidContainer can't be used together customSidecar: sidecar cmd: "bash" cmdArgs: "-c \"echo rolled\"" From fb7ac8a78890220f5d35dd063d3d64db3bd92664 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Wed, 27 Dec 2023 07:16:53 -0800 Subject: [PATCH 3/7] Fix tests Signed-off-by: Kevin Fox --- .github/tests/charts.json | 5 +++++ .github/tests/pre-install.sh | 5 +++++ charts/spiffe-helper-csi-driver/values.yaml | 9 +++++++++ 3 files changed, 19 insertions(+) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 9e0ee8603..8ce8fce65 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -23,5 +23,10 @@ "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", "version": "13.2.25" + }, + { + "name": "kyverno", + "repo": "https://kyverno.github.io/kyverno", + "version": "3.1.1" } ] diff --git a/.github/tests/pre-install.sh b/.github/tests/pre-install.sh index bed4f1d6e..c5dc806d2 100755 --- a/.github/tests/pre-install.sh +++ b/.github/tests/pre-install.sh 
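Review bot: The default `spiffeHelper.image` is `docker.io/kfox1111/misc:spiffe-helper-test3`, a personal repository with a mutable tag, and that image is injected as an init container and sidecar into every pod that opts in, so whoever controls that tag controls code running next to the workload's SVIDs and the agent socket. Until an official spiffe-helper image is the default, pin both this and the busybox default by digest — the `spire-lib.image` helper added in this commit already emits `repo@sha256:…` when the tag starts with `sha256:` — and mark the value as a test image in the file, e.g. `# NOTE: prototype default; replace with the official spiffe-helper image or a digest before use`.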
@@ -47,3 +47,8 @@ kubectl wait --namespace ingress-nginx --for=condition=ready --timeout 60s pod - --namespace postgresql \ --values "${DEPS}/postgresql.yaml" \ --wait + +# kyverno +"${helm_install[@]}" kyverno kyverno --version "$VERSION_KYVERNO" --repo "$HELM_REPO_KYVERNO" \ + --namespace kyverno-system \ + --wait diff --git a/charts/spiffe-helper-csi-driver/values.yaml b/charts/spiffe-helper-csi-driver/values.yaml index b03742f1e..ac278ee33 100644 --- a/charts/spiffe-helper-csi-driver/values.yaml +++ b/charts/spiffe-helper-csi-driver/values.yaml @@ -1,11 +1,20 @@ +## @skip global global: {} +## @param spiffeHelper.image.registry The OCI registry to pull the image from +## @param spiffeHelper.image.repository The repository within the registry +## @param spiffeHelper.image.tag Overrides the image tag whose default is the chart appVersion +## spiffeHelper: image: registry: docker.io repository: kfox1111/misc tag: spiffe-helper-test3 +## @param busybox.image.registry The OCI registry to pull the image from +## @param busybox.image.repository The repository within the registry +## @param busybox.image.tag Overrides the image tag whose default is the chart appVersion +## busybox: image: registry: docker.io From f3e9594fc80005551d8d8696f548d34137d50989 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Wed, 27 Dec 2023 08:27:55 -0800 Subject: [PATCH 4/7] Update docs and examples 
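Review bot: The CI install places Kyverno in `kyverno-system`, while the README in this series tells users to run it with `-n kyverno`; the chart's ClusterPolicy is namespace-agnostic so either works, but the test and the documented command should match so a CI failure can be reproduced as documented. `--create-namespace` is not visible in this hunk; if the `helm_install` array, defined above the hunk, does not already carry it, the install into a fresh cluster fails.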
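Review bot: The new `@param spiffeHelper.image.tag` and `busybox.image.tag` comments say the tag "defaults to the chart appVersion", but templates/clusterpolicy.yaml calls `spire-lib.image` with only `image` and `global` in the dict, so `.appVersion` is never set and an empty tag yields an untagged reference (`docker.io/busybox`, i.e. whatever the runtime resolves for a missing tag) rather than the appVersion. Either pass `"appVersion" .Chart.AppVersion` in that dict, or word the comment to match the behaviour: `## @param busybox.image.tag The image tag to pull (there is no appVersion fallback; keep it set)`. Patch 5 later rewords only the registry line, so the mismatch survives to the end of the series.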
Signed-off-by: Kevin Fox --- charts/spiffe-helper-csi-driver/README.md | 16 ++++++ .../examples/good/custom-sidecar-pod.yaml | 34 +++++++++++++ .../good/{test-pod.yaml => nginx.yaml} | 2 +- .../examples/good/test2-pod.yaml | 49 ------------------ .../examples/good/test3-pod.yaml | 50 ------------------- 5 files changed, 51 insertions(+), 100 deletions(-) create mode 100644 charts/spiffe-helper-csi-driver/examples/good/custom-sidecar-pod.yaml rename charts/spiffe-helper-csi-driver/examples/good/{test-pod.yaml => nginx.yaml} (98%) delete mode 100644 charts/spiffe-helper-csi-driver/examples/good/test2-pod.yaml delete mode 100644 charts/spiffe-helper-csi-driver/examples/good/test3-pod.yaml diff --git a/charts/spiffe-helper-csi-driver/README.md b/charts/spiffe-helper-csi-driver/README.md index 2177b2120..8254f267d 100644 --- a/charts/spiffe-helper-csi-driver/README.md +++ b/charts/spiffe-helper-csi-driver/README.md @@ -27,6 +27,22 @@ Your cluster needs to have Kyverno installed. You can do that by running somethi helm upgrade --install --create-namespace kyverno kyverno -n kyverno --repo https://kyverno.github.io/kyverno/ --version 3.1.1 ``` +You also need SPIRE installed. You can do that by running something like the following for a non production test cluster: + +``` +helm install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace +helm install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ +``` + +## Install Instructions +``` +helm install -n spire-server spiffe-helper-csi-driver charts/spiffe-helper-csi-driver +``` + +## Example usage + +See the examples/good directory for different ways of using the driver. + ## Parameters diff --git a/charts/spiffe-helper-csi-driver/examples/good/custom-sidecar-pod.yaml b/charts/spiffe-helper-csi-driver/examples/good/custom-sidecar-pod.yaml new file mode 100644 index 000000000..f3c25018d --- /dev/null 
+++ b/charts/spiffe-helper-csi-driver/examples/good/custom-sidecar-pod.yaml @@ -0,0 +1,34 @@ +# NOTE: +# This example shows how you can use a custom image for your sidecar +# enabling you to run specific commands whenever a certificate is updated. +apiVersion: v1 +kind: Pod +metadata: + name: custom-sidecar +spec: + containers: + - name: busybox + image: busybox + command: + - /bin/sh + - -c + - 'while true; do sleep 1000; done' + volumeMounts: + - name: certs + mountPath: /certs + - name: sidecar + image: mysql + env: + - name: some-setting + value: foo + volumes: + - name: certs + csi: + driver: helper.spiffe.io + volumeAttributes: + customSidecar: sidecar + cmd: "bash" + cmdArgs: "-c \"echo rolled. Could do a mysql cli command here.\"" + svidBundleFileName: ca.pem + svidFileName: tls.crt + svidKeyFileName: tls.key diff --git a/charts/spiffe-helper-csi-driver/examples/good/test-pod.yaml b/charts/spiffe-helper-csi-driver/examples/good/nginx.yaml similarity index 98% rename from charts/spiffe-helper-csi-driver/examples/good/test-pod.yaml rename to charts/spiffe-helper-csi-driver/examples/good/nginx.yaml index 94760d549..5aa078b8d 100644 --- a/charts/spiffe-helper-csi-driver/examples/good/test-pod.yaml +++ b/charts/spiffe-helper-csi-driver/examples/good/nginx.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Pod metadata: - name: good-test + name: nginx spec: shareProcessNamespace: true containers: diff --git a/charts/spiffe-helper-csi-driver/examples/good/test2-pod.yaml b/charts/spiffe-helper-csi-driver/examples/good/test2-pod.yaml deleted file mode 100644 index 9b690bc02..000000000 --- a/charts/spiffe-helper-csi-driver/examples/good/test2-pod.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: good-test2 -spec: - hostPID: true - containers: - - name: nginx - image: nginx - command: - - /bin/sh - - -c - - | - echo $$$$ > $$SPIFFE_HELPER_PID_CERTS - cat > /etc/nginx/conf.d/ssl.conf < /etc/nginx/conf.d/ssl.conf < Date: Wed, 22 May 2024 14:41:29 -0700 Subject: [PATCH 5/7] Update charts/spiffe-helper-csi-driver/values.yaml Signed-off-by: kfox1111 --- charts/spiffe-helper-csi-driver/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spiffe-helper-csi-driver/values.yaml b/charts/spiffe-helper-csi-driver/values.yaml index ac278ee33..4f651bc7d 100644 --- a/charts/spiffe-helper-csi-driver/values.yaml +++ b/charts/spiffe-helper-csi-driver/values.yaml @@ -1,7 +1,7 @@ ## @skip global global: {} -## @param spiffeHelper.image.registry The OCI registry to pull the image from +## @param spiffeHelper.image.registry The OCI registry to pull the spiffe helper image from ## @param spiffeHelper.image.repository The repository within the registry ## @param spiffeHelper.image.tag Overrides the image tag whose default is the chart appVersion ## From 85ac35d38b1f6a41d85d3ad82d4a8ce2c5162196 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Wed, 22 May 2024 14:47:40 -0700 Subject: [PATCH 6/7] Merge remaining bits from main Signed-off-by: Kevin Fox --- charts/spiffe-helper-csi-driver/Chart.yaml | 4 +++ charts/spiffe-helper-csi-driver/README.md | 8 ++++++ .../templates/_spire-lib.tpl | 26 ------------------- 3 files changed, 12 insertions(+), 26 deletions(-) delete mode 100644 charts/spiffe-helper-csi-driver/templates/_spire-lib.tpl diff --git a/charts/spiffe-helper-csi-driver/Chart.yaml b/charts/spiffe-helper-csi-driver/Chart.yaml index 566a94f36..b405875ab 100644 --- a/charts/spiffe-helper-csi-driver/Chart.yaml +++ b/charts/spiffe-helper-csi-driver/Chart.yaml 
@@ -20,3 +20,7 @@ maintainers: email: fymemon@yahoo.com - name: edwbuck email: edwbuck@gmail.com +dependencies: + - name: spire-lib + repository: file://../spire/charts/spire-lib + version: 0.1.0 diff --git a/charts/spiffe-helper-csi-driver/README.md b/charts/spiffe-helper-csi-driver/README.md index 8254f267d..0d59c204a 100644 --- a/charts/spiffe-helper-csi-driver/README.md +++ b/charts/spiffe-helper-csi-driver/README.md @@ -34,6 +34,14 @@ helm install -n spire-server spire-crds spire-crds --repo https://spiffe.github. helm install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ ``` +## Build Instructions + +Until there is an official release of this chart, before you can use it out of git, you have to run +``` +cd charts/spiffe-helper-csi-driver +helm dep up +``` + ## Install Instructions ``` helm install -n spire-server spiffe-helper-csi-driver charts/spiffe-helper-csi-driver diff --git a/charts/spiffe-helper-csi-driver/templates/_spire-lib.tpl b/charts/spiffe-helper-csi-driver/templates/_spire-lib.tpl deleted file mode 100644 index 3ed589794..000000000 --- a/charts/spiffe-helper-csi-driver/templates/_spire-lib.tpl +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- define "spire-lib.registry" }} -{{- if ne (len (dig "spire" "image" "registry" "" .global)) 0 }} -{{- print .global.spire.image.registry "/"}} -{{- else if ne (len (.image.registry)) 0 }} -{{- print .image.registry "/"}} -{{- end }} -{{- end }} - -{{- define "spire-lib.image" -}} -{{- $registry := include "spire-lib.registry" . }} -{{- $repo := .image.repository }} -{{- $tag := (default .image.tag .image.version) | toString }} -{{- if eq (substr 0 7 $tag) "sha256:" }} -{{- printf "%s/%s@%s" $registry $repo $tag }} -{{- else if .appVersion }} -{{- $appVersion := .appVersion }} -{{- if and (hasKey . "ubi") (dig "openshift" false .global) }} -{{- $appVersion = printf "ubi-%s" $appVersion }} -{{- end }} -{{- printf "%s%s:%s" $registry $repo (default $appVersion $tag) }} -{{- else if $tag }} -{{- printf "%s%s:%s" $registry $repo $tag }} -{{- else }} -{{- printf "%s%s" $registry $repo }} -{{- end }} -{{- end }} From 4aa44f6fa87b1d172098efe7d9ed004767f66410 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Mon, 21 Oct 2024 05:02:12 -0700 Subject: [PATCH 7/7] Update charts/spiffe-helper-csi-driver/README.md Signed-off-by: kfox1111 --- charts/spiffe-helper-csi-driver/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spiffe-helper-csi-driver/README.md b/charts/spiffe-helper-csi-driver/README.md index 0d59c204a..7b8db6c1d 100644 --- a/charts/spiffe-helper-csi-driver/README.md +++ b/charts/spiffe-helper-csi-driver/README.md 
@@ -2,7 +2,7 @@ ![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square) -A Helm chart to install the SPIFFE HELPER CSI Driver. +A *prototype* Helm chart to install the SPIFFE HELPER CSI Driver. It is useful only for testing at this point. Please do not use in production. **Homepage:**