first k8s plan for hpcs

Author: telliere

k8s/hpcs-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: hpcs

k8s/hpcs-server-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hpcs-server
+  namespace: hpcs

k8s/hpcs-server-configmap.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hpcs-server
+  namespace: hpcs
+data:
+  hpcs-server.conf: |
+    [spire-server]
+    address = localhost
+    port = 8081
+    trust-domain = hpcs
+    pre-command = ""
+    spire-server-bin = spire-server
+
+    [spire-agent]
+    spire-agent-socket = /run/sockets/agent/agent.sock
+
+    [vault]
+    url = http://vault:8200
+    server-role = hpcs-server
+
+  agent.conf: |
+    agent {
+      data_dir = "./data/agent"
+      log_level = "DEBUG"
+      trust_domain = "hpcs"
+      server_address = "spire-server"
+      server_port = 8081
+      socket_path = "/var/run/sockets/agent/agent.sock"
+      admin_socket_path = "/var/run/sockets/admin/admin.sock"
+
+      # Insecure bootstrap is NOT appropriate for production use but is ok for
+      # simple testing/evaluation purposes.
+      insecure_bootstrap = true
+    }
+
+    plugins {
+      KeyManager "disk" {
+            plugin_data {
+                directory = "./data/agent"
+            }
+        }
+
+      NodeAttestor "k8s_psat" {
+        plugin_data {
+          cluster = "docker-desktop"
+        }
+      }
+
+      WorkloadAttestor "k8s" {
+        plugin_data {
+        }
+      }
+
+      WorkloadAttestor "unix" {
+        plugin_data {
+          discover_workload_path = true
+        }
+      }
+    }

k8s/hpcs-server-statefulset.yaml

@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: hpcs-server
+  namespace: hpcs
+  labels:
+    app: hpcs-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hpcs-server
+  serviceName: hpcs-server
+  template:
+    metadata:
+      namespace: hpcs
+      labels:
+        app: hpcs-server
+    spec:
+      serviceAccountName: hpcs-server
+      shareProcessNamespace: true
+      containers:
+        - name: hpcs-server
+          image: ghcr.io/cscfi/hpcs/server:k8s_plan
+          command:
+            - sleep
+          args:
+            - "30000"
+            # - ./app.py
+            # - --config
+            # - /tmp/hpcs-server.conf
+          volumeMounts:
+          - name: hpcs-server-configs
+            mountPath: /tmp/
+            readOnly: false
+          - name: hpcs-spire-sockets
+            mountPath: /var/run/sockets
+            readOnly: false
+          - name: hpcs-spire-agent-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+      volumes:
+        - name: hpcs-server-configs
+          configMap:
+            name: hpcs-server
+        - name: hpcs-spire-sockets
+          hostPath:
+            path: /run/spire/sockets
+            type: DirectoryOrCreate
+        - name: hpcs-spire-agent-token
+          projected:
+            sources:
+            - serviceAccountToken:
+                path: spire-agent
+                expirationSeconds: 7200
+                audience: spire-server
+  volumeClaimTemplates:
+    - metadata:
+        name: spire-agent-data
+        namespace: hpcs
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi

k8s/hpcs-spire-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hpcs-spire
+  namespace: hpcs

k8s/spire-oidc-configmap.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: spire-oidc
+  namespace: hpcs
+data:
+  oidc-discovery-provider.conf: |
+    log_level = "debug"
+    domains = ["spire-oidc"]
+    listen_socket_path = "/tmp/spire-server/private/oidc-api.sock"
+
+    server_api {
+        address = "unix:///tmp/spire-server/private/api.sock"
+    }
+
+    health_checks {}

k8s/spire-oidc-service.yaml

@@ -0,0 +1,14 @@
+# Service definition for spire-oidc (expose the OIDC socket)
+apiVersion: v1
+kind: Service
+metadata:
+  name: spire-oidc
+  namespace: hpcs
+spec:
+  type: LoadBalancer
+  selector:
+    app: spire-server
+  ports:
+    - name: https
+      port: 443
+      targetPort: hpcs-nginx

k8s/spire-server-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: spire-server
+  namespace: hpcs

k8s/spire-server-cluster-role.yaml

@@ -0,0 +1,28 @@
+# ClusterRole to allow spire-server node attestor to query Token Review API
+# and to be able to push certificate bundles to a configmap
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-trust-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["configmaps","pods","nodes"]
+  verbs: ["patch", "get", "list"]
+
+---
+# Binds above cluster role to spire-server service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-trust-role-binding
+subjects:
+- kind: ServiceAccount
+  name: spire-server
+  namespace: hpcs
+roleRef:
+  kind: ClusterRole
+  name: spire-server-trust-role
+  apiGroup: rbac.authorization.k8s.io

k8s/spire-server-configmap.yaml

@@ -0,0 +1,73 @@
+apiVersion: v1
+
+kind: ConfigMap
+metadata:
+  name: spire-bundle
+  namespace: hpcs
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: spire-server
+  namespace: hpcs
+data:
+  server.conf: |
+    server {
+      bind_address = "0.0.0.0"
+      bind_port = "8081"
+      socket_path = "/tmp/spire-server/private/api.sock"
+      trust_domain = "hpcs"
+      data_dir = "/run/spire/data"
+      log_level = "DEBUG"
+      ca_key_type = "rsa-2048"
+
+      jwt_issuer = "spire-server"
+      default_jwt_svid_ttl = "1h"
+
+      ca_subject = {
+        country = ["US"],
+        organization = ["SPIFFE"],
+        common_name = "",
+      }
+    }
+
+    plugins {
+      DataStore "sql" {
+        plugin_data {
+          database_type = "sqlite3"
+          connection_string = "/run/spire/data/datastore.sqlite3"
+        }
+      }
+
+      NodeAttestor "k8s_psat" {
+        plugin_data {
+          clusters = {
+            "docker-desktop" = {
+              use_token_review_api_validation = true
+              service_account_allow_list = ["hpcs:hpcs-server"]
+            }
+          }
+        }
+      }
+
+      KeyManager "disk" {
+        plugin_data {
+          keys_path = "/run/spire/data/keys.json"
+        }
+      }
+
+      Notifier "k8sbundle" {
+        plugin_data {
+            namespace = "hpcs"
+        }
+      }
+    }
+
+    health_checks {
+      listener_enabled = true
+      bind_address = "0.0.0.0"
+      bind_port = "8080"
+      live_path = "/live"
+      ready_path = "/ready"
+    }

k8s/spire-server-nginx-configmap.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hpcs-nginx
+  namespace: hpcs
+data:
+  nginx.conf: |
+    events {}
+    http {
+      access_log /tmp/access.log;
+      error_log /tmp/error.log;
+
+      upstream spire-oidc {
+        server unix:/tmp/spire-server/private/oidc-api.sock;
+      }
+
+      server{
+        listen 443 ssl;
+        ssl_certificate /certs/selfsigned.crt;
+        ssl_certificate_key /certs/selfsigned.key;
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        location / {
+          proxy_pass http://spire-oidc;
+        }
+      }
+    }

k8s/spire-server-service.yaml

@@ -0,0 +1,14 @@
+# Service definition for spire server
+apiVersion: v1
+kind: Service
+metadata:
+  name: spire-server
+  namespace: hpcs
+spec:
+  type: LoadBalancer
+  selector:
+    app: spire-server
+  ports:
+    - name: tcp-spire
+      port: 8081
+      targetPort: spire-server