spiffe / helm-charts Goto Github PK

Not all clusters use cluster.local for the root dns for service discovery. It should be made overridable.

See https://github.com/spiffe/spire/blob/main/doc/spire_server.md#server-configuration-file

Would be great if we somehow can configure the admin_ids.

E.g. via spire-controller-manager CRDs? Maybe as a separate Helm chart to provision admin_ids CRDs so we can configure the same on spire-server.

Warning: Unexpected input(s) 'version', valid inputs are ['cosign-release', 'install-dir', 'use-sudo']

https://github.com/spiffe/helm-charts/actions/runs/4296328858/jobs/7487905678#step:4:1

The root of the chart is overriding the name of spire-agent by default:

spire-agent:
  nameOverride: agent

None of the other charts have this done. Is there a reason behind this? Should we remove it so its the default like the other charts?

There needs to be documentation on how to deploy a production ready system using the chart.

There is the option to switch to using a yaml based config instead of hcl to better integrate with values.

We should gather up the pros and cons in this issue so we can make a decision on which route we may want to go.

We have config to editors to try and ensure formatting issues don't come into the tree. But it seems like it can happen anyway. We need a blocking test to ensure it doesn't merge and the contributor knows to fix it.

Support the following SPIRE Server configurables:

• ca_ttl - The default CA/signing key TTL | 24h
• default_x509_svid_ttl - The default X509-SVID TTL
• default_jwt_svid_ttl -The default JWT-SVID TTL

Reference SPIRE Server configuration

The agent and server needs the option to add extra mounts and init containers.

Standard plugins should follow standard helm yaml syntax. To support custom plugins users have created we need a section where they can enter raw config for these plugins.

We should be able to install the components individually. When i try i see these errors:

SPIRE Agent:

$ helm template .
Error: template: spire-agent/templates/daemonset.yaml:1:19: executing "spire-agent/templates/daemonset.yaml" at <include (print $.Template.BasePath "/configmap.yaml") .>: error calling include: template: spire-agent/templates/configmap.yaml:55:12: executing "spire-agent/templates/configmap.yaml" at <dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global>: error calling dig: interface conversion: interface {} is nil, not map[string]interface {}

Use --debug flag to render out invalid YAML

SPIRE Server:

$ helm template .
Error: template: spire-server/templates/statefulset.yaml:1:19: executing "spire-server/templates/statefulset.yaml" at <include (print $.Template.BasePath "/configmap.yaml") .>: error calling include: template: spire-server/templates/configmap.yaml:85:12: executing "spire-server/templates/configmap.yaml" at <dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global>: error calling dig: interface conversion: interface {} is nil, not map[string]interface {}

Use --debug flag to render out invalid YAML

CSI Driver:

$ helm template .
Error: template: spiffe-csi-driver/templates/daemonset.yaml:102:21: executing "spiffe-csi-driver/templates/daemonset.yaml" at <include "spire.agent-socket-path" .>: error calling include: template: no template "spire.agent-socket-path" associated with template "gotpl"

Use --debug flag to render out invalid YAML

OIDC:

$ helm template .
Error: template: spiffe-oidc-discovery-provider/templates/configmap.yaml:33:45: executing "spiffe-oidc-discovery-provider/templates/configmap.yaml" at <include "spire.agent-socket-path" .>: error calling include: template: no template "spire.agent-socket-path" associated with template "gotpl"

Use --debug flag to render out invalid YAML

Some distro's put kubelets dir somewhere else. Need to make it configurable. CSI driver in particular.

• AWS Secrets manager
• AWS secret plugin
• https://spiffe.io/docs/latest/deploying/configuring/#configure-aws-certificate-manager

See following where to add:

• https://github.com/spiffe/helm-charts/blob/main/charts/spire/charts/spire-server/values.yaml#L94-L106
• https://github.com/spiffe/helm-charts/blob/main/charts/spire/charts/spire-server/templates/configmap.yaml#L61-L73

https://artifacthub.io/docs/topics/annotations/helm/

Need a templateable object for the subchart. It must be possible to expose the service outside the cluster.

There should be an optional ingress object for the spire server so it can be exposed outside the cluster.

Values like clusterName and clusterDomain and trustBundle are not overwriteable.

https://github.com/spiffe/helm-charts/blob/main/charts/spire/values.yaml#L14-L17

When defining different values for these, they are still using the values as defined in the main chart.

e.g.:

spire-server:
  clusterName: my-cluster
  clusterDomain: my-cluster-domain.com
  trust-bundle: my-trust-domain

The solution can probably be found in https://helm.sh/docs/chart_template_guide/subcharts_and_globals/

The spire-server can use a ca from cert-manager.

See
https://github.com/spiffe/spire/blob/main/doc/plugin_server_upstreamauthority_cert_manager.md

See following where to add:

main/charts/spire/charts/spire-server/values.yaml#L94-L106
main/charts/spire/charts/spire-server/templates/configmap.yaml#L61-L73

Having a set of prebuilt values files (see examples) for use with various production deployments may prove too burdensome for the end users to be able to juggle.

I'm proposing a possible change. First we come up with an api like:

global:
  spire:
    # - Select a list of predefined sets of values to automatically default to.
    tags:
    - production
    - expose-oidc-ingress-nginx
    - expose-spire-server-ingress-nginx

What settings are for what tags are not really important at the moment.

Each chart would look for a set of tags that it supports and use the merge function to add some extra defaults into values, preferring what the user specified over its own values.

Running spire-server with following as shown in production example fails:

spire-server:
  securityContext:
    runAsNonRoot: true
  podSecurityContext:
    runAsUser: 1000
    runAsGroup: 1000

See spire-server log:

time="2023-03-20T12:39:20Z" level=error msg="Fatal run error" error="datastore-sql: unable to open database file: permission denied"
time="2023-03-20T12:39:20Z" level=error msg="Server crashed" error="datastore-sql: unable to open database file: permission denied"

In order to run multiple spire-server replicas we need to add support for a external database (postgres).

To be checked is how this works with the spire-controller-manager, that has to run in the same pod at the moment due to the hard requirement of needing to connect to the spire-server socket.

The very common convention is to have a persistence flag for dealing with volumes. This chart is using dataStorage instead. We should probably consider changing this flag before 1.0.

https://kubernetes.io/blog/2023/03/17/upcoming-changes-in-kubernetes-v1-27/

Do we want to put out a new release after each merged PR? Do we want to decide more manually when to release?

Add charts to the matrix similar like we do the scenarios.

     strategy:
       fail-fast: false
       matrix:
         # Choose tags corresponding to the version of Kind being used.
         # At a minimum, we should test the currently supported versions of
         # Kubernetes, but can go back farther as long as we don't need heroics
         # to pull it off (i.e. kubectl version juggling).
         k8s:
           - v1.26.0
           - v1.25.3
           - v1.24.7
           - v1.23.13
           - v1.22.15
           - v1.21.14
+        charts:
+          - ${{ fromJson(needs.build-matrix.outputs.charts) }}
         values:
           - ${{ fromJson(needs.build-matrix.outputs.tests) }}

This will allow us to test more root level charts later on.

Suggested is to introduce one folder level so we can group the test scenarios per chart.

tree .github/tests      
.github/tests
└── spire
    ├── extras
    │   └── values.yaml
    ├── no-spire-controller-manager
    │   └── values.yaml
    ├── prometheus
    …

AWS PCA is a widely used for an upstream CA. The official SPIRE helm chart should support the AWS PCA plugin.

https://spiffe.io/docs/latest/deploying/configuring/#configure-aws-certificate-manager

See following where to add:

• https://github.com/spiffe/helm-charts/blob/main/charts/spire/charts/spire-server/values.yaml#L94-L106
• https://github.com/spiffe/helm-charts/blob/main/charts/spire/charts/spire-server/templates/configmap.yaml#L61-L73

We should have a quick test to ensure the spire versions are all set to the same version.

To get more safetynets in place it might make sense to add a couple of tests to:

charts/spire/charts/spire-agent/templates/tests.

What would be a useful testcase here?

Reference configurable on spire server: https://github.com/spiffe/spire/blob/main/doc/spire_server.md#:~:text=ca_key_type,by%20jwt_key_type)

Other charts we hard code the socket path config. Should we do the same for csi driver?

It would be very useful to demonstrate how we can start a workload that can obtain its own identity from SPIRE Agent using CSI driver

AWS PCA is a widely used for an upstream CA. The official SPIRE helm chart should support the AWS PCA plugin.

To improve documentation of the values, we should include some comments in the style # -- description of value to document the different values in the charts.

See https://github.com/norwoodj/helm-docs for more details on usage.

Run ./helm-docs.sh to update the README.md with enhanced documentation.

The Spire-Agent sub-chart currently has the hard-coded line skip_kubelet_verification = true for its k8s workload attestor.

This could be an installation order thing where spire-controller-manager is replaced while the CRD is being deployed at the same time. Subsequent run to perform the upgrade makes the install succeed.

$ helm  upgrade -n spire-system --install --values ../../../philips-labs/helm-charts/.local/spire-values.yaml spire ./charts/spire
Error: UPGRADE FAILED: cannot patch "spire-controller-manager-service-account-based" with kind ClusterSPIFFEID: Internal error occurred: failed calling webhook "vclusterspiffeid.kb.io": failed to call webhook: Post "https://spire-controller-manager-webhook.spire-system.svc:443/validate-spire-spiffe-io-v1alpha1-clusterspiffeid?timeout=10s": no endpoints available for service "spire-controller-manager-webhook"
$ helm  upgrade -n spire-system --install --values ../../../philips-labs/helm-charts/.local/spire-values.yaml spire ./charts/spire
Release "spire" has been upgraded. Happy Helming!
NAME: spire
LAST DEPLOYED: Wed Mar  1 11:32:51 2023
NAMESPACE: spire-system
STATUS: deployed
REVISION: 3
NOTES:
Installed spire…

How to reproduce.

$ helm -n spire-system uninstall spire
$ git checkout release
$ helm upgrade -n spire-system --install --values ../../../philips-labs/helm-charts/.local/spire-values.yaml spire ./charts/spire
Release "spire" has been installed. Happy Helming!
NAME: spire
LAST DEPLOYED: Wed Mar  1 11:32:51 2023
NAMESPACE: spire-system
STATUS: deployed
REVISION: 1
NOTES:
Installed spire…
$ git checkout main
$ helm upgrade -n spire-system --install --values ../../../philips-labs/helm-charts/.local/spire-values.yaml spire ./charts/spire
Error: UPGRADE FAILED: cannot patch "spire-controller-manager-service-account-based" with kind ClusterSPIFFEID: Internal error occurred: failed calling webhook "vclusterspiffeid.kb.io": failed to call webhook: Post "https://spire-controller-manager-webhook.spire-system.svc:443/validate-spire-spiffe-io-v1alpha1-clusterspiffeid?timeout=10s": no endpoints available for service "spire-controller-manager-webhook"
$ helm upgrade -n spire-system --install --values ../../../philips-labs/helm-charts/.local/spire-values.yaml spire ./charts/spire
Release "spire" has been upgraded. Happy Helming!
NAME: spire
LAST DEPLOYED: Wed Mar  1 11:35:51 2023
NAMESPACE: spire-system
STATUS: deployed
REVISION: 2
NOTES:
Installed spire…

Maybe we can control some things with the rollout strategy on the spire-server statefulset.

cert-manager should be an option to get certificates for the spire-controller-manager webhook so they can be standardized over all the webhooks on the cluster.

This doesn't work:

kubectl exec -it spire-server-0 -- spire-server entry show

Currently, you have to do:

kubectl exec -it spire-server-0 -- /opt/spire/bin/spire-server entry show -socketPath /run/spire/server-sockets/spire-server.sock

We should set things up in the pod so that its easier to administrate and the former command works.

Prometheus is one of the most common monitoring stacks for Kubernetes. The chart should be deployable with support for Prometheus to be able to fetch metrics.

In some situations the spire-oidc-discovery-provider fails to boot on a fresh install.

Unable to attach or mount volumes: unmounted volumes=[spiffe-workload-api], unattached volumes=[kube-api-access-xmq62 spiffe-workload-api spire-oidc-sockets spire-oidc-config]: timed out waiting for the condition

Killing the pod does the trick to retry and fix it as a workaround, but would be great if we can fix this in a way it just always succeeds on a fresh install.

Are more people able to reproduce this?

This has to be pushed to both the registry for he oci releases as well to the gh-pages branch.

See https://artifacthub.io/docs/topics/repositories/helm-charts/

With the HPE helm charts we configured namespace similar to the name: https://github.com/alexandrealvino/spire-helm-charts/blob/main/helm/spire/spire-server/templates/statefulset.yaml#L5

And then had a section in the helpers.tpl to allow release namespace to overridden by a namespaceOverride variable specified in the values.yaml: https://github.com/alexandrealvino/spire-helm-charts/blob/main/helm/spire/spire-server/values.yaml#L8-L9

The helpers.tpl has a small snippet that brings it together: https://github.com/alexandrealvino/spire-helm-charts/blob/main/helm/spire/spire-server/templates/_helpers.tpl#L26-L35

To ensure contributors have read the CONTRIBUTING.md it would be good to have a PR template that adds following at a minimum:

Please describe the changes of your PR here.

- [ ] I have read the [CONTRIBUTING.md](CONTRIBUTING.md) and comply with those guidelines.
- [ ] I have added tests

Any suggestions on making the PR template better are welcome.

Ensure all configmaps have corresponding annotations on the pods to enable automatic rollouts.

It may be beneficial to the user to be able to enable what workload attestors they want to use:

  workloadAttesters:
    k8s:
      enabled: false
    unix:
      enabled: true

Suggested by @kfox1111 here: #14 (comment)

As listed above, when setting custom values for spire-agent.socketPath or spiffe-csi-driver.agentSocketPath, the custom values are not properly rendered in the resulting manifest, instead using the default values.

I have also noticed this occur for the health check port option spiffe-csi-driver.healthChecks.port for the SPIFFE-CSI Driver subchart.

I ran the following helm command to recreate this issue:

helm template mychart spiffe/spire --set spire-agent.socketPath="/custom/agent-sockets/spire-agent.sock" \
  --set spiffe-csi-driver.agentSocketPath="/custom/agent-sockets/spire-agent.sock" \
  --set spiffe-csi-driver.healthChecks.port=10000

Before 1.0, we need to ensure all images can be overridden to point to local mirrors.

Some organizations will have a root spire server and then want to bind their K8s clusters to it. The chart should support having an upstream spire server.

Is it possible to use csi driver for this?