temp commit

Author: telliere

k8s/hpcs-nginx-service.yaml

@@ -0,0 +1,14 @@
+# Service definition for the admission webhook
+apiVersion: v1
+kind: Service
+metadata:
+  name: hpcs-nginx
+  namespace: spire
+spec:
+  type: LoadBalancer
+  selector:
+    app: spire-server
+  ports:
+    - name: https
+      port: 443
+      targetPort: hpcs-nginx

k8s/nginx-configmap.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hpcs-nginx
+  namespace: spire
+data:
+  nginx.conf: |
+    events {}
+    http {
+      access_log /tmp/access.log;
+      error_log /tmp/error.log;
+      server {
+        listen 443 ssl;
+        server_name localhost;
+        ssl_certificate /certs/selfsigned.crt;
+        ssl_certificate_key /certs/selfsigned.key;
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        location / {
+        proxy_pass http://unix:/run/server.sock ;
+        }
+      }
+    }

k8s/server-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: spire-server
+  namespace: spire

k8s/server-cluster-role.yaml

@@ -0,0 +1,28 @@
+# ClusterRole to allow spire-server node attestor to query Token Review API
+# and to be able to push certificate bundles to a configmap
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-trust-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["patch", "get", "list"]
+
+---
+# Binds above cluster role to spire-server service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-trust-role-binding
+subjects:
+- kind: ServiceAccount
+  name: spire-server
+  namespace: spire
+roleRef:
+  kind: ClusterRole
+  name: spire-server-trust-role
+  apiGroup: rbac.authorization.k8s.io

k8s/server-configmap.yaml

@@ -0,0 +1,72 @@
+apiVersion: v1
+
+kind: ConfigMap
+metadata:
+  name: spire-bundle
+  namespace: spire
+
+--- 
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: spire-server
+  namespace: spire
+data:
+  server.conf: |
+    server {
+      bind_address = "0.0.0.0"
+      bind_port = "8081"
+      socket_path = "/tmp/spire-server/private/api.sock"
+      trust_domain = "lumi-hpcs"
+      data_dir = "/run/spire/data"
+      log_level = "DEBUG"
+      ca_key_type = "rsa-2048"
+
+      jwt_issuer = "spire-server"
+      default_jwt_svid_ttl = "1h"
+
+      ca_subject = {
+        country = ["US"],
+        organization = ["SPIFFE"],
+        common_name = "",
+      }
+    }
+
+    plugins {
+      DataStore "sql" {
+        plugin_data {
+          database_type = "sqlite3"
+          connection_string = "/run/spire/data/datastore.sqlite3"
+        }
+      }
+
+      NodeAttestor "k8s_sat" {
+        plugin_data {
+          clusters = {
+            "cluster" = {
+              use_token_review_api_validation = true
+              service_account_allow_list = ["spire:spire-agent"]
+            }
+          }
+        }
+      }
+
+      KeyManager "disk" {
+        plugin_data {
+          keys_path = "/run/spire/data/keys.json"
+        }
+      }
+
+      Notifier "k8sbundle" {
+        plugin_data {
+        }
+      }
+    }
+
+    health_checks {
+      listener_enabled = true
+      bind_address = "0.0.0.0"
+      bind_port = "8080"
+      live_path = "/live"
+      ready_path = "/ready"
+    }

k8s/server-statefulset.yaml

@@ -0,0 +1,119 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: spire-server
+  namespace: spire
+  labels:
+    app: spire-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: spire-server
+  serviceName: spire-server
+  template:
+    metadata:
+      namespace: spire
+      labels:
+        app: spire-server
+    spec:
+      serviceAccountName: spire-server
+      shareProcessNamespace: true
+      containers:
+        - name: hpcs-nginx
+          image: nginx
+          ports:
+            - containerPort: 443
+              name: hpcs-nginx
+          volumeMounts:
+            - name: nginx-config
+              mountPath: /etc/nginx/
+              readOnly: true
+            - name: spire-server-socket
+              mountPath: /tmp/spire-server/private
+              readOnly: false
+            - name: nginx-certs
+              mountPath: /certs
+              readOnly: true
+        - name: spire-server
+          image: ghcr.io/spiffe/spire-server:1.9.0
+          args:
+            - -config
+            - /run/spire/config/server.conf
+          ports:
+            - containerPort: 8081
+          volumeMounts:
+            - name: spire-config
+              mountPath: /run/spire/config
+              readOnly: true
+            - name: spire-data
+              mountPath: /run/spire/data
+              readOnly: false
+            - name: spire-server-socket
+              mountPath: /tmp/spire-server/private
+              readOnly: false
+          livenessProbe:
+            httpGet:
+              path: /live
+              port: 8080
+            failureThreshold: 2
+            initialDelaySeconds: 15
+            periodSeconds: 60
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 5
+        - name: spire-oidc
+          image: ghcr.io/spiffe/oidc-discovery-provider:1.9.0
+          args:
+          - -config
+          - /run/spire/oidc/config/oidc-discovery-provider.conf
+          volumeMounts:
+          - name: spire-server-socket
+            mountPath: /tmp/spire-server/private
+            readOnly: true
+          - name: spire-oidc-config
+            mountPath: /run/spire/oidc/config/
+            readOnly: true
+          - name: spire-data
+            mountPath: /run/spire/data
+            readOnly: false
+          readinessProbe:
+            httpGet:
+              path: /keys # TODO: Change this to /ready when using 1.5.2+
+              port: 8008
+            failureThreshold: 5
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+      volumes:
+        - name: nginx-config
+          configMap:
+            name: hpcs-nginx
+        - name: spire-config
+          configMap:
+            name: spire-server
+        - name: spire-server-socket
+          hostPath:
+            path: /run/spire/sockets/server
+            type: DirectoryOrCreate
+        - name: spire-oidc-config
+          configMap:
+            name: oidc-discovery-provider
+        - name: nginx-certs
+          hostPath:
+            path: /Users/telliere/LUMI-SD/nginx.conf.d
+            type: DirectoryOrCreate
+  volumeClaimTemplates:
+    - metadata:
+        name: spire-data
+        namespace: spire
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi

k8s/spire-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: spire

k8s/spire-oidc-configmap.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: oidc-discovery-provider
+  namespace: spire
+data:
+  oidc-discovery-provider.conf: |
+    log_level = "debug"
+    domains = ["spire-oidc"]
+    listen_socket_path = "/server.sock"
+
+    server_api {
+        address = "unix:///tmp/spire-server/private/api.sock"
+    }