From f2d958b6db80c5864daa6f137f4b3a875bd875f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20=C3=96z=C3=A7elik?= Date: Mon, 8 Jul 2024 21:35:34 -0700 Subject: [PATCH] typo fix (#1062) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Volkan Özçelik --- docs/content/timeline/changelog.md | 2 +- helm-charts/0.26.2/README.md | 2 +- ...clusterrole-spire-server-spire-server.yaml | 2 +- .../templates/daemonset-spire-agent.yaml | 6 +- .../daemonset-spire-spiffe-csi-driver.yaml | 2 +- .../hook-job-spire-server-post-install.yaml | 2 +- .../hook-job-spire-server-post-upgrade.yaml | 2 +- .../hook-job-spire-server-pre-upgrade.yaml | 2 +- ...ok-preinstall-csidriver-csi.spiffe.io.yaml | 2 +- ...ook-preinstall-namespace-spire-server.yaml | 2 +- ...ook-preinstall-namespace-spire-system.yaml | 2 +- ...penshift-security-context-constraints.yaml | 2 +- .../templates/statefulset-spire-server.yaml | 2 +- helm-charts/0.26.2/values.yaml | 2 +- ...piffe.io_clusterfederatedtrustdomains.yaml | 100 + .../spire.spiffe.io_clusterspiffeids.yaml | 239 +++ .../spire.spiffe.io_clusterstaticentries.yaml | 103 + ...re.spiffe.io_controllermanagerconfigs.yaml | 68 + k8s/0.26.1/eks/vsecm-distroless-fips.yaml | 989 +++++++++ k8s/0.26.1/eks/vsecm-distroless.yaml | 989 +++++++++ k8s/0.26.1/local/vsecm-distroless-fips.yaml | 989 +++++++++ k8s/0.26.1/local/vsecm-distroless.yaml | 989 +++++++++ k8s/0.26.1/remote/vsecm-distroless-fips.yaml | 989 +++++++++ k8s/0.26.1/remote/vsecm-distroless.yaml | 989 +++++++++ k8s/0.26.1/spire.yaml | 1821 +++++++++++++++++ 25 files changed, 8281 insertions(+), 16 deletions(-) create mode 100644 k8s/0.26.1/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml create mode 100644 k8s/0.26.1/crds/spire.spiffe.io_clusterspiffeids.yaml create mode 100644 k8s/0.26.1/crds/spire.spiffe.io_clusterstaticentries.yaml create mode 100644 k8s/0.26.1/crds/spire.spiffe.io_controllermanagerconfigs.yaml create mode 100644 k8s/0.26.1/eks/vsecm-distroless-fips.yaml create mode 100644 k8s/0.26.1/eks/vsecm-distroless.yaml create mode 100644 k8s/0.26.1/local/vsecm-distroless-fips.yaml create mode 100644 k8s/0.26.1/local/vsecm-distroless.yaml create mode 100644 k8s/0.26.1/remote/vsecm-distroless-fips.yaml create 
mode 100644 k8s/0.26.1/remote/vsecm-distroless.yaml create mode 100644 k8s/0.26.1/spire.yaml diff --git a/docs/content/timeline/changelog.md b/docs/content/timeline/changelog.md index 452a34e6..d111444d 100644 --- a/docs/content/timeline/changelog.md +++ b/docs/content/timeline/changelog.md @@ -22,7 +22,7 @@ TBD ### Added * VMware Secrets Manager Helm charts now have the ability to generate - RedHat OpenShift compatible manifests. You’ll need to set `global.enableOpenshit` + RedHat OpenShift compatible manifests. You’ll need to set `global.enableOpenShift` to `true` to use this feature. It is `false` by default because it introduced OpenShift-specific security rules that other clusters will not interpret properly. diff --git a/helm-charts/0.26.2/README.md b/helm-charts/0.26.2/README.md index 92a3c72b..bc92dfd3 100644 --- a/helm-charts/0.26.2/README.md +++ b/helm-charts/0.26.2/README.md 
@@ -111,7 +111,7 @@ The sections below are autogenerated from chart source code: | global.deploySentinel | bool | `true` | Deploy VSecM Sentinel. VSecM Sentinel is the only admin interface where you can register secrets. For best security, you might want to disable the initial deployment of it. This way, you can deploy VSecM Sentinel off-cycle later when you need it. | | global.deploySpire | bool | `true` | Deploy SPIRE components. If set to false, SPIRE components will not be deployed. This is useful when SPIRE is already deployed in the cluster. | | global.deploySpireControllerManager | bool | `true` | Deploy SPIRE Controller Manager. SPIRE Controller Manager is required for ClusterSPIFFEIDs to function. If something else on your system assigns ClusterSPIFFEIDs to your workloads, or if you want to manually manage your SPIRE Server registration entries, you can set this flag to `false`. | -| global.enableOpenShit | bool | `false` | Set it to true for OpenShift deployments. This will add necessary annotations to the SPIRE components to make them work on OpenShift. | +| global.enableOpenShift | bool | `false` | Set it to true for OpenShift deployments. This will add necessary annotations to the SPIRE components to make them work on OpenShift. 
| | global.images | object | `{"initContainer":{"repository":"vsecm-ist-init-container","tag":"0.26.2"},"keystone":{"distrolessFipsRepository":"vsecm-ist-fips-keystone","distrolessRepository":"vsecm-ist-keystone","pullPolicy":"IfNotPresent","tag":"0.26.2"},"nodeDriverRegistrar":{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"},"openShiftHelperUbi9":{"pullPolicy":"IfNotPresent","repository":"registry.access.redhat.com/ubi9","tag":"latest"},"safe":{"distrolessFipsRepository":"vsecm-ist-fips-safe","distrolessRepository":"vsecm-ist-safe","pullPolicy":"IfNotPresent","tag":"0.26.2"},"sentinel":{"distrolessFipsRepository":"vsecm-ist-fips-sentinel","distrolessRepository":"vsecm-ist-sentinel","pullPolicy":"IfNotPresent","tag":"0.26.2"},"spiffeCsiDriver":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"},"spireAgent":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6"},"spireControllerManager":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"},"spireHelperBash":{"pullPolicy":"IfNotPresent","repository":"cgr.dev/chainguard/bash","tag":"latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d"},"spireHelperKubectl":{"pullPolicy":"IfNotPresent","repository":"docker.io/rancher/kubectl","tag":"v1.28.0"},"spireServer":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6"}}` | Where to find the dependent images of VSecM. Normally, you would not need to modify this. | | global.images.nodeDriverRegistrar | object | `{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"}` | Container registry details of SPIFFE CSI Node Driver Registrar. 
| | global.images.spiffeCsiDriver | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"}` | Container registry details of SPIFFE CSI Driver. | diff --git a/helm-charts/0.26.2/charts/spire/templates/clusterrole-spire-server-spire-server.yaml b/helm-charts/0.26.2/charts/spire/templates/clusterrole-spire-server-spire-server.yaml index 71d3343c..c4e288f1 100644 --- a/helm-charts/0.26.2/charts/spire/templates/clusterrole-spire-server-spire-server.yaml +++ b/helm-charts/0.26.2/charts/spire/templates/clusterrole-spire-server-spire-server.yaml @@ -14,7 +14,7 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: spire-server-spire-server rules: -{{- if .Values.global.enableOpenShit }} +{{- if .Values.global.enableOpenShift }} - apiGroups: [""] resources: ["nodes"] verbs: ["get"] diff --git a/helm-charts/0.26.2/charts/spire/templates/daemonset-spire-agent.yaml b/helm-charts/0.26.2/charts/spire/templates/daemonset-spire-agent.yaml index 4e18d941..e082930a 100644 --- a/helm-charts/0.26.2/charts/spire/templates/daemonset-spire-agent.yaml +++ b/helm-charts/0.26.2/charts/spire/templates/daemonset-spire-agent.yaml @@ -50,7 +50,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet serviceAccountName: spire-agent securityContext: -{{- if .Values.global.enableOpenShit }} +{{- if .Values.global.enableOpenShift }} fsGroupChangePolicy: OnRootMismatch {{- else }} fsGroup: 1000 @@ -83,7 +83,7 @@ spec: securityContext: runAsUser: 0 runAsGroup: 0 -{{- if not .Values.global.enableOpenShit }} +{{- if not .Values.global.enableOpenShift }} - name: fsgroupfix image: "{{ .Values.global.images.spireHelperBash.repository }}:{{ .Values.global.images.spireHelperBash.tag }}" imagePullPolicy: {{ .Values.global.images.spireHelperBash.pullPolicy }} @@ -111,7 +111,7 @@ spec: env: - name: PATH value: "/opt/spire/bin:/bin" -{{- if .Values.global.enableOpenShit }} +{{- if .Values.global.enableOpenShift }} - name: MY_NODE_NAME valueFrom: fieldRef: 
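Review bot: Existing values files that still set `global.enableOpenShit: true` will silently lose every OpenShift branch after this rename, because Helm evaluates the now-missing `.Values.global.enableOpenShift` as false: this ClusterRole drops its `nodes` get rule, the agent DaemonSet and server StatefulSet fall back to `fsGroup: 1000` plus the `fsgroupfix` container, the namespaces lose `security.openshift.io/scc.podSecurityLabelSync: "false"`, and the SecurityContextConstraints object is not rendered at all, with no error at upgrade time. The same silent downgrade applies to the daemonset, hook-job, namespace, SCC and statefulset template hunks below and to the `values.yaml` hunk. A one-line guard in a template that is always rendered, `{{- if hasKey .Values.global "enableOpenShit" }}{{ fail "global.enableOpenShit was renamed to global.enableOpenShift" }}{{- end }}`, would turn the stale key into an explicit install failure; alternatively the conditionals could accept both keys for one release. The changelog entry should also call the rename out as a breaking change for anyone who set the old key.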
diff --git a/helm-charts/0.26.2/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml b/helm-charts/0.26.2/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml index de8afbb3..8b14856a 100644 --- a/helm-charts/0.26.2/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml +++ b/helm-charts/0.26.2/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml @@ -37,7 +37,7 @@ spec: serviceAccountName: spire-spiffe-csi-driver priorityClassName: system-node-critical -{{- if .Values.global.enableOpenShit }} +{{- if .Values.global.enableOpenShift }} initContainers: - name: set-context command: diff --git a/helm-charts/0.26.2/charts/spire/templates/hook-job-spire-server-post-install.yaml b/helm-charts/0.26.2/charts/spire/templates/hook-job-spire-server-post-install.yaml index b8e619e8..5ea2ea8d 100644 --- a/helm-charts/0.26.2/charts/spire/templates/hook-job-spire-server-post-install.yaml +++ b/helm-charts/0.26.2/charts/spire/templates/hook-job-spire-server-post-install.yaml @@ -35,7 +35,7 @@ spec: restartPolicy: Never serviceAccountName: spire-server-post-install securityContext: -{{- if .Values.global.enableOpenShit }} +{{- if .Values.global.enableOpenShift }} fsGroupChangePolicy: OnRootMismatch {{- else }} fsGroup: 1000 diff --git a/helm-charts/0.26.2/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml b/helm-charts/0.26.2/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml index 9b0c8882..36bdcd07 100644 --- a/helm-charts/0.26.2/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml +++ b/helm-charts/0.26.2/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml @@ -35,7 +35,7 @@ spec: restartPolicy: Never serviceAccountName: spire-server-post-upgrade securityContext: -{{- if .Values.global.enableOpenShit }} +{{- if .Values.global.enableOpenShift }} fsGroupChangePolicy: OnRootMismatch {{- else }} fsGroup: 1000 
diff --git a/helm-charts/0.26.2/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml b/helm-charts/0.26.2/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml index 3458b772..79b56abb 100644 --- a/helm-charts/0.26.2/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml +++ b/helm-charts/0.26.2/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml @@ -35,7 +35,7 @@ spec: restartPolicy: Never serviceAccountName: spire-server-pre-upgrade securityContext: -{{- if .Values.global.enableOpenShit }} +{{- if .Values.global.enableOpenShift }} fsGroupChangePolicy: OnRootMismatch {{- else }} fsGroup: 1000 diff --git a/helm-charts/0.26.2/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml b/helm-charts/0.26.2/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml index 96bccdb2..25c2931d 100644 --- a/helm-charts/0.26.2/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml +++ b/helm-charts/0.26.2/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml @@ -14,7 +14,7 @@ metadata: name: "csi.spiffe.io" annotations: "helm.sh/hook": pre-install -{{- if .Values.global.enableOpenShit }} +{{- if .Values.global.enableOpenShift }} labels: security.openshift.io/csi-ephemeral-volume-profile: restricted {{- end }} diff --git a/helm-charts/0.26.2/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml b/helm-charts/0.26.2/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml index e3c62eb2..7b999309 100644 --- a/helm-charts/0.26.2/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml +++ b/helm-charts/0.26.2/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml 
@@ -16,7 +16,7 @@ metadata: pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged -{{- if .Values.global.enableOpenShit }} +{{- if .Values.global.enableOpenShift }} security.openshift.io/scc.podSecurityLabelSync: "false" {{- end }} annotations: diff --git a/helm-charts/0.26.2/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml b/helm-charts/0.26.2/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml index aa6c4e06..2d84643d 100644 --- a/helm-charts/0.26.2/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml +++ b/helm-charts/0.26.2/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml @@ -16,7 +16,7 @@ metadata: pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/warn: restricted -{{- if .Values.global.enableOpenShit }} +{{- if .Values.global.enableOpenShift }} security.openshift.io/scc.podSecurityLabelSync: "false" {{- end }} annotations: diff --git a/helm-charts/0.26.2/charts/spire/templates/openshift-security-context-constraints.yaml b/helm-charts/0.26.2/charts/spire/templates/openshift-security-context-constraints.yaml index b80d4f61..8e34b4c0 100644 --- a/helm-charts/0.26.2/charts/spire/templates/openshift-security-context-constraints.yaml +++ b/helm-charts/0.26.2/charts/spire/templates/openshift-security-context-constraints.yaml @@ -8,7 +8,7 @@ # >/' SPDX-License-Identifier: BSD-2-Clause # */ -{{- if .Values.global.enableOpenShit }} +{{- if .Values.global.enableOpenShift }} apiVersion: security.openshift.io/v1 kind: SecurityContextConstraints metadata: diff --git a/helm-charts/0.26.2/charts/spire/templates/statefulset-spire-server.yaml b/helm-charts/0.26.2/charts/spire/templates/statefulset-spire-server.yaml index 66487cf9..a8f79960 100644 --- a/helm-charts/0.26.2/charts/spire/templates/statefulset-spire-server.yaml 
+++ b/helm-charts/0.26.2/charts/spire/templates/statefulset-spire-server.yaml @@ -52,7 +52,7 @@ spec: serviceAccountName: spire-server shareProcessNamespace: true securityContext: -{{- if .Values.global.enableOpenShit }} +{{- if .Values.global.enableOpenShift }} fsGroupChangePolicy: OnRootMismatch {{- else }} fsGroup: 1000 diff --git a/helm-charts/0.26.2/values.yaml b/helm-charts/0.26.2/values.yaml index f5a0dcae..6d3bf24a 100644 --- a/helm-charts/0.26.2/values.yaml +++ b/helm-charts/0.26.2/values.yaml @@ -11,7 +11,7 @@ global: # -- Set it to true for OpenShift deployments. This will add necessary # annotations to the SPIRE components to make them work on OpenShift. - enableOpenShit: false + enableOpenShift: false # -- Deploy SPIRE components. If set to false, SPIRE components will not be # deployed. This is useful when SPIRE is already deployed in the cluster. diff --git a/k8s/0.26.1/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/k8s/0.26.1/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml new file mode 100644 index 00000000..658617dd --- /dev/null +++ b/k8s/0.26.1/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml 
@@ -0,0 +1,100 @@ +# Source: spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterfederatedtrustdomains.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterFederatedTrustDomain + listKind: ClusterFederatedTrustDomainList + plural: clusterfederatedtrustdomains + singular: clusterfederatedtrustdomain + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trustDomain + name: Trust Domain + type: string + - jsonPath: .spec.bundleEndpointURL + name: Endpoint URL + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterFederatedTrustDomainSpec defines the desired state + of ClusterFederatedTrustDomain + properties: + bundleEndpointProfile: + description: BundleEndpointProfile is the profile for the bundle endpoint. + properties: + endpointSPIFFEID: + description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. 
+ It is required for the "https_spiffe" profile. + type: string + type: + description: Type is the type of the bundle endpoint profile. + enum: + - https_spiffe + - https_web + type: string + required: + - type + type: object + bundleEndpointURL: + description: BundleEndpointURL is the URL of the bundle endpoint. + It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). + type: string + className: + description: Set the class of controller to handle this object. + type: string + trustDomain: + description: TrustDomain is the name of the trust domain to federate + with (e.g. example.org) + pattern: '[a-z0-9._-]{1,255}' + type: string + trustDomainBundle: + description: TrustDomainBundle is the contents of the bundle for the + referenced trust domain. This field is optional when the resource + is created. + type: string + required: + - bundleEndpointProfile + - bundleEndpointURL + - trustDomain + type: object + status: + description: ClusterFederatedTrustDomainStatus defines the observed state + of ClusterFederatedTrustDomain + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/k8s/0.26.1/crds/spire.spiffe.io_clusterspiffeids.yaml b/k8s/0.26.1/crds/spire.spiffe.io_clusterspiffeids.yaml new file mode 100644 index 00000000..597b2b08 --- /dev/null +++ b/k8s/0.26.1/crds/spire.spiffe.io_clusterspiffeids.yaml 
@@ -0,0 +1,239 @@ +# Source: spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterspiffeids.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterSPIFFEID + listKind: ClusterSPIFFEIDList + plural: clusterspiffeids + singular: clusterspiffeid + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSPIFFEID is the Schema for the clusterspiffeids API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID + properties: + admin: + description: Admin indicates whether or not the SVID can be used to + access the SPIRE administrative APIs. Extra care should be taken + to only apply this SPIFFE ID to admin workloads. + type: boolean + autoPopulateDNSNames: + description: AutoPopulateDNSNames indicates whether or not to auto + populate service DNS names. + type: boolean + dnsNameTemplates: + description: DNSNameTemplate represents templates for extra DNS names + that are applicable to SVIDs minted for this ClusterSPIFFEID. 
The + node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + downstream: + description: Downstream indicates that the entry describes a downstream + SPIRE server. + type: boolean + className: + description: Set the class of controller to handle this object. + type: string + federatesWith: + description: FederatesWith is a list of trust domain names that workloads + that obtain this SPIFFE ID will federate with. + items: + type: string + type: array + jwtTtl: + description: JWTTTL indicates an upper-bound time-to-live for JWT + SVIDs minted for this ClusterSPIFFEID. + type: string + namespaceSelector: + description: NamespaceSelector selects the namespaces that are targeted + by this CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: PodSelector selects the pods that are targeted by this + CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + spiffeIDTemplate: + description: SPIFFEID is the SPIFFE ID template. The node and pod + spec are made available to the template under .NodeSpec, .PodSpec + respectively. + type: string + ttl: + description: TTL indicates an upper-bound time-to-live for X509 SVIDs + minted for this ClusterSPIFFEID. 
If unset, a default will be chosen. + type: string + workloadSelectorTemplates: + description: WorkloadSelectorTemplates are templates to produce arbitrary + workload selectors that apply to a given workload before it will + receive this SPIFFE ID. The rendered value is interpreted by SPIRE + and are of the form type:value, where the value may, and often does, + contain semicolons, .e.g., k8s:container-image:docker/hello-world + The node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + required: + - spiffeIDTemplate + type: object + status: + description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID + properties: + stats: + description: Stats produced by the last entry reconciliation run + properties: + entriesMasked: + description: How many entries were masked by entries for other + ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs + produce an entry for the same pod with the same set of workload + selectors. + type: integer + entriesToSet: + description: How many entries are to be set for this ClusterSPIFFEID. + In nominal conditions, this should reflect the number of pods + selected, but not always if there were problems encountered + rendering an entry for the pod (RenderFailures) or entries are + masked (EntriesMasked). + type: integer + entryFailures: + description: How many entries were unable to be set due to failures + to create or update the entries via the SPIRE Server API. + type: integer + namespacesIgnored: + description: How many (selected) namespaces were ignored (based + on configuration). + type: integer + namespacesSelected: + description: How many namespaces were selected. + type: integer + podEntryRenderFailures: + description: How many failures were encountered rendering an entry + selected pods. 
This could be due to either a bad template in + the ClusterSPIFFEID or Pod metadata that when applied to the + template did not produce valid entry values. + type: integer + podsSelected: + description: How many pods were selected out of the namespaces. + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/k8s/0.26.1/crds/spire.spiffe.io_clusterstaticentries.yaml b/k8s/0.26.1/crds/spire.spiffe.io_clusterstaticentries.yaml new file mode 100644 index 00000000..c19df220 --- /dev/null +++ b/k8s/0.26.1/crds/spire.spiffe.io_clusterstaticentries.yaml 
@@ -0,0 +1,103 @@ +# Source: spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterstaticentries.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterStaticEntry + listKind: ClusterStaticEntryList + plural: clusterstaticentries + singular: clusterstaticentry + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterStaticEntry is the Schema for the clusterstaticentries + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry + properties: + admin: + type: boolean + className: + description: Set the class of controller to handle this object. 
+ type: string + dnsNames: + items: + type: string + type: array + downstream: + type: boolean + federatesWith: + items: + type: string + type: array + hint: + type: string + jwtSVIDTTL: + type: string + parentID: + type: string + selectors: + items: + type: string + type: array + spiffeID: + type: string + storeSVID: + type: boolean + x509SVIDTTL: + type: string + required: + - parentID + - selectors + - spiffeID + type: object + status: + description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry + properties: + masked: + description: If the static entry was masked by another entry. + type: boolean + rendered: + description: If the static entry rendered properly. + type: boolean + set: + description: If the static entry was successfully created/updated. + type: boolean + required: + - masked + - rendered + - set + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/k8s/0.26.1/crds/spire.spiffe.io_controllermanagerconfigs.yaml b/k8s/0.26.1/crds/spire.spiffe.io_controllermanagerconfigs.yaml new file mode 100644 index 00000000..538ac974 --- /dev/null +++ b/k8s/0.26.1/crds/spire.spiffe.io_controllermanagerconfigs.yaml 
@@ -0,0 +1,68 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: controllermanagerconfigs.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ControllerManagerConfig + listKind: ControllerManagerConfigList + plural: controllermanagerconfigs + singular: controllermanagerconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ControllerManagerConfig is the Schema for the controllermanagerconfigs + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControllerManagerConfigSpec defines the desired state of + ControllerManagerConfig + properties: + foo: + description: Foo is an example field of ControllerManagerConfig. 
Edit + controllermanagerconfig_types.go to deletion/update + type: string + type: object + status: + description: ControllerManagerConfigStatus defines the observed state + of ControllerManagerConfig + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/k8s/0.26.1/eks/vsecm-distroless-fips.yaml b/k8s/0.26.1/eks/vsecm-distroless-fips.yaml new file mode 100644 index 00000000..6f73d578 --- /dev/null +++ b/k8s/0.26.1/eks/vsecm-distroless-fips.yaml 
@@ -0,0 +1,989 @@ +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: true +--- +# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-root-key + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm +type: Opaque +data: + # '{}' (e30=) is a special placeholder to tell Safe that the Secret + # is not initialized. DO NOT remove or change it. 
+ KEY_TXT: "e30=" +--- +# Source: vsecm/charts/sentinel/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-sentinel-init-secret + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm +type: Opaque +stringData: + data: "exit:true\n--\n" +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vsecm-secret-readwriter +# +# Creating a `ClusterRole` will make the role applicable to all namespaces +# within the cluster. This approach is easier to maintain, and still secure +# enough because VSecM Safe will talk only to the Secrets it knows about. +# Alternatively, you can create a `Role` for tighter control: +# +# kind: Role +# metadata: +# name: vsecm-secret-readwriter +# namespace: vsecm-system +# +## + +## +# +# It is not possible to implement a more granular regex-based +# access control using RBAC. See, for example: +# https://github.com/kubernetes/kubernetes/issues/93845 +# +# Also, note that you will either need to specify one role for each +# namespace, or you will need to define a ClusterRole across the cluster. 
+# The former approach is tedious, yet more explicit, and more secure. +# +# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated +# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the +# workload names), then you can limit the scope of this role as follows: +# +# rules +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +## + +## +# +# This `rules` setting is for legacy support (see the above discussion): +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "update", "create"] +# +# This `rules` configuration is the recommended, more secure, way: +# +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +# +## +--- +# Source: vsecm/charts/safe/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vsecm-secret-readwriter-binding +subjects: + - kind: ServiceAccount + name: vsecm-safe + namespace: vsecm-system +roleRef: + kind: ClusterRole + name: vsecm-secret-readwriter + apiGroup: rbac.authorization.k8s.io + +## +# +# Alternatively, for a tighter security, you can define a `RoleBinding` +# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to +# maintain. See the discussion about above `Role`s and `RoleBinding`s. 
+# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: vsecm-secret-readwriter-binding +# namespace: vsecm-system +# subjects: +# - kind: ServiceAccount +# name: vsecm-safe +# namespace: vsecm-system +# roleRef: +# kind: Role +# name: vsecm-secret-readwriter +# apiGroup: rbac.authorization.k8s.io +# +## +--- +# Source: vsecm/charts/safe/templates/Service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-keystone + securityContext: + {} + + priorityClassName: system-cluster-critical + + initContainers: + - name: init-container + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /spire-agent-socket + name: spire-agent-socket + readOnly: true + env: + # + # You can configure VSecM Init Container by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Init Container will assume the default values outlined in the given link above. 
+ # + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + + + + - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT + value: "0" + + + + - name: VSECM_LOG_LEVEL + value: "7" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + containers: + - name: main + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-keystone:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. 
+ # + env: + - name: VSECM_LOG_LEVEL + value: "7" + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true +--- +# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-sentinel + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. 
+ # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. + # + env: + + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + + - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER + value: "false" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE + value: "0" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC + value: "0" + + + + + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + + + + + - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL + value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" + + + + + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: init-command-volume + secret: + secretName: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/StatefulSet.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: vsecm-safe + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-safe + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.26.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP + volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: vsecm-root-key + 
mountPath: /key + readOnly: true + # + # You can configure VSecM Safe by providing environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. + # + env: + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + + + + - name: VSECM_SAFE_BACKING_STORE + value: "file" + + + + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + + + + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + + + + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + + + + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + + + + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" + + + + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + + + + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + + + + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + + + + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + + + + - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX + value: "k8s:" + + + + - name: VSECM_SAFE_ROOT_KEY_STORE + value: "k8s" + + + + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SAFE_ENDPOINT_URL + value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key + secret: + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt +--- +# Source: vsecm/charts/keystone/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-keystone + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-keystone" +--- +# Source: vsecm/charts/safe/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-safe + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-safe" +--- +# Source: vsecm/charts/sentinel/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-sentinel + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.26.1/eks/vsecm-distroless.yaml b/k8s/0.26.1/eks/vsecm-distroless.yaml new file mode 100644 index 00000000..9caf4702 --- /dev/null +++ b/k8s/0.26.1/eks/vsecm-distroless.yaml 
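Review bot: `VSECM_SAFE_FIPS_COMPLIANT` is set to `"false"` in the vsecm-safe StatefulSet of this `-fips` manifest even though the image is `vsecm-ist-fips-safe:0.26.1`, so the FIPS variant appears to ship with FIPS mode disabled at the configuration level; if that variable gates the FIPS code path it should read `value: "true"` here, and since the `# Source:` comments indicate these files are rendered from the Helm charts, the fix belongs in the chart values so it is not lost on the next re-render. Two hardening points in the same hunk: the `vsecm-secret-readwriter` ClusterRole grants get/list/watch/update/create on every Secret in the cluster while its own comment documents the `resourceNames: ["vsecm-root-key"]` restriction as the recommended form, and all three pods run with `securityContext: {}` (no `runAsNonRoot`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false` or dropped capabilities) while vsecm-safe additionally mounts a `hostPath` at `/var/local/vsecm/data`. The `vsecm-safe` Service names its 8443 port `http` although `VSECM_SAFE_ENDPOINT_URL` is `https://...:8443/` and `VSECM_SAFE_TLS_PORT` is `:8443`; naming it `https` avoids protocol-sniffing surprises in meshes that infer protocol from the port name. `VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL` carries the plaintext placeholder `http://0.0.0.0:8080/auth/realms/XXXXX/...`, harmless while `VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER` is `"false"`, but a comment such as `# Placeholder: replace with the real issuer over https:// before enabling the OIDC resource server` would prevent it being switched on as-is.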
@@ -0,0 +1,989 @@ +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: true +--- +# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-root-key + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm +type: Opaque +data: + # '{}' (e30=) is a special placeholder to tell Safe that the Secret + # is not initialized. DO NOT remove or change it. 
+ KEY_TXT: "e30=" +--- +# Source: vsecm/charts/sentinel/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-sentinel-init-secret + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm +type: Opaque +stringData: + data: "exit:true\n--\n" +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vsecm-secret-readwriter +# +# Creating a `ClusterRole` will make the role applicable to all namespaces +# within the cluster. This approach is easier to maintain, and still secure +# enough because VSecM Safe will talk only to the Secrets it knows about. +# Alternatively, you can create a `Role` for tighter control: +# +# kind: Role +# metadata: +# name: vsecm-secret-readwriter +# namespace: vsecm-system +# +## + +## +# +# It is not possible to implement a more granular regex-based +# access control using RBAC. See, for example: +# https://github.com/kubernetes/kubernetes/issues/93845 +# +# Also, note that you will either need to specify one role for each +# namespace, or you will need to define a ClusterRole across the cluster. 
+# The former approach is tedious, yet more explicit, and more secure. +# +# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated +# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the +# workload names), then you can limit the scope of this role as follows: +# +# rules +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +## + +## +# +# This `rules` setting is for legacy support (see the above discussion): +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "update", "create"] +# +# This `rules` configuration is the recommended, more secure, way: +# +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +# +## +--- +# Source: vsecm/charts/safe/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vsecm-secret-readwriter-binding +subjects: + - kind: ServiceAccount + name: vsecm-safe + namespace: vsecm-system +roleRef: + kind: ClusterRole + name: vsecm-secret-readwriter + apiGroup: rbac.authorization.k8s.io + +## +# +# Alternatively, for a tighter security, you can define a `RoleBinding` +# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to +# maintain. See the discussion about above `Role`s and `RoleBinding`s. 
+# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: vsecm-secret-readwriter-binding +# namespace: vsecm-system +# subjects: +# - kind: ServiceAccount +# name: vsecm-safe +# namespace: vsecm-system +# roleRef: +# kind: Role +# name: vsecm-secret-readwriter +# apiGroup: rbac.authorization.k8s.io +# +## +--- +# Source: vsecm/charts/safe/templates/Service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-keystone + securityContext: + {} + + priorityClassName: system-cluster-critical + + initContainers: + - name: init-container + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /spire-agent-socket + name: spire-agent-socket + readOnly: true + env: + # + # You can configure VSecM Init Container by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Init Container will assume the default values outlined in the given link above. 
+ # + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + + + + - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT + value: "0" + + + + - name: VSECM_LOG_LEVEL + value: "7" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + containers: + - name: main + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-keystone:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. 
+ # + env: + - name: VSECM_LOG_LEVEL + value: "7" + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true +--- +# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-sentinel + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. 
+ # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. + # + env: + + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + + - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER + value: "false" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE + value: "0" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC + value: "0" + + + + + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + + + + + - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL + value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" + + + + + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: init-command-volume + secret: + secretName: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/StatefulSet.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: vsecm-safe + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-safe + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.26.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP + volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: vsecm-root-key + 
mountPath: /key + readOnly: true + # + # You can configure VSecM Safe by providing environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. + # + env: + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + + + + - name: VSECM_SAFE_BACKING_STORE + value: "file" + + + + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + + + + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + + + + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + + + + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + + + + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" + + + + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + + + + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + + + + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + + + + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + + + + - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX + value: "k8s:" + + + + - name: VSECM_SAFE_ROOT_KEY_STORE + value: "k8s" + + + + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SAFE_ENDPOINT_URL + value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key + secret: + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt +--- +# Source: vsecm/charts/keystone/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-keystone + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-keystone" +--- +# Source: vsecm/charts/safe/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-safe + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-safe" +--- +# Source: vsecm/charts/sentinel/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-sentinel + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.26.1/local/vsecm-distroless-fips.yaml b/k8s/0.26.1/local/vsecm-distroless-fips.yaml new file mode 100644 index 00000000..9e26bad7 --- /dev/null +++ b/k8s/0.26.1/local/vsecm-distroless-fips.yaml 
@@ -0,0 +1,989 @@ +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: true +--- +# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-root-key + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm +type: Opaque +data: + # '{}' (e30=) is a special placeholder to tell Safe that the Secret + # is not initialized. DO NOT remove or change it. 
+ KEY_TXT: "e30=" +--- +# Source: vsecm/charts/sentinel/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-sentinel-init-secret + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm +type: Opaque +stringData: + data: "exit:true\n--\n" +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vsecm-secret-readwriter +# +# Creating a `ClusterRole` will make the role applicable to all namespaces +# within the cluster. This approach is easier to maintain, and still secure +# enough because VSecM Safe will talk only to the Secrets it knows about. +# Alternatively, you can create a `Role` for tighter control: +# +# kind: Role +# metadata: +# name: vsecm-secret-readwriter +# namespace: vsecm-system +# +## + +## +# +# It is not possible to implement a more granular regex-based +# access control using RBAC. See, for example: +# https://github.com/kubernetes/kubernetes/issues/93845 +# +# Also, note that you will either need to specify one role for each +# namespace, or you will need to define a ClusterRole across the cluster. 
+# The former approach is tedious, yet more explicit, and more secure. +# +# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated +# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the +# workload names), then you can limit the scope of this role as follows: +# +# rules +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +## + +## +# +# This `rules` setting is for legacy support (see the above discussion): +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "update", "create"] +# +# This `rules` configuration is the recommended, more secure, way: +# +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +# +## +--- +# Source: vsecm/charts/safe/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vsecm-secret-readwriter-binding +subjects: + - kind: ServiceAccount + name: vsecm-safe + namespace: vsecm-system +roleRef: + kind: ClusterRole + name: vsecm-secret-readwriter + apiGroup: rbac.authorization.k8s.io + +## +# +# Alternatively, for a tighter security, you can define a `RoleBinding` +# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to +# maintain. See the discussion about above `Role`s and `RoleBinding`s. 
+# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: vsecm-secret-readwriter-binding +# namespace: vsecm-system +# subjects: +# - kind: ServiceAccount +# name: vsecm-safe +# namespace: vsecm-system +# roleRef: +# kind: Role +# name: vsecm-secret-readwriter +# apiGroup: rbac.authorization.k8s.io +# +## +--- +# Source: vsecm/charts/safe/templates/Service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-keystone + securityContext: + {} + + priorityClassName: system-cluster-critical + + initContainers: + - name: init-container + image: "localhost:5000/vsecm-ist-init-container:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /spire-agent-socket + name: spire-agent-socket + readOnly: true + env: + # + # You can configure VSecM Init Container by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Init Container will assume the default values outlined in the given link above. 
+ # + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + + + + - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT + value: "0" + + + + - name: VSECM_LOG_LEVEL + value: "7" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + containers: + - name: main + image: "localhost:5000/vsecm-ist-fips-keystone:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. 
+ # + env: + - name: VSECM_LOG_LEVEL + value: "7" + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true +--- +# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-sentinel + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "localhost:5000/vsecm-ist-fips-sentinel:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. 
+ # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. + # + env: + + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + + - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER + value: "false" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE + value: "0" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC + value: "0" + + + + + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + + + + + - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL + value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" + + + + + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: init-command-volume + secret: + secretName: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/StatefulSet.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: vsecm-safe + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-safe + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "localhost:5000/vsecm-ist-fips-safe:0.26.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP + volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: vsecm-root-key + mountPath: 
/key + readOnly: true + # + # You can configure VSecM Safe by providing environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. + # + env: + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + + + + - name: VSECM_SAFE_BACKING_STORE + value: "file" + + + + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + + + + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + + + + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + + + + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + + + + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" + + + + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + + + + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + + + + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + + + + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + + + + - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX + value: "k8s:" + + + + - name: VSECM_SAFE_ROOT_KEY_STORE + value: "k8s" + + + + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SAFE_ENDPOINT_URL + value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key + secret: + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt +--- +# Source: vsecm/charts/keystone/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-keystone + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-keystone" +--- +# Source: vsecm/charts/safe/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-safe + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-safe" +--- +# Source: vsecm/charts/sentinel/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-sentinel + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.26.1/local/vsecm-distroless.yaml b/k8s/0.26.1/local/vsecm-distroless.yaml new file mode 100644 index 00000000..be65bb07 --- /dev/null +++ b/k8s/0.26.1/local/vsecm-distroless.yaml 
@@ -0,0 +1,989 @@ +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: true +--- +# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-root-key + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm +type: Opaque +data: + # '{}' (e30=) is a special placeholder to tell Safe that the Secret + # is not initialized. DO NOT remove or change it. 
+ KEY_TXT: "e30=" +--- +# Source: vsecm/charts/sentinel/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-sentinel-init-secret + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm +type: Opaque +stringData: + data: "exit:true\n--\n" +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vsecm-secret-readwriter +# +# Creating a `ClusterRole` will make the role applicable to all namespaces +# within the cluster. This approach is easier to maintain, and still secure +# enough because VSecM Safe will talk only to the Secrets it knows about. +# Alternatively, you can create a `Role` for tighter control: +# +# kind: Role +# metadata: +# name: vsecm-secret-readwriter +# namespace: vsecm-system +# +## + +## +# +# It is not possible to implement a more granular regex-based +# access control using RBAC. See, for example: +# https://github.com/kubernetes/kubernetes/issues/93845 +# +# Also, note that you will either need to specify one role for each +# namespace, or you will need to define a ClusterRole across the cluster. 
+# The former approach is tedious, yet more explicit, and more secure. +# +# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated +# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the +# workload names), then you can limit the scope of this role as follows: +# +# rules +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +## + +## +# +# This `rules` setting is for legacy support (see the above discussion): +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "update", "create"] +# +# This `rules` configuration is the recommended, more secure, way: +# +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +# +## +--- +# Source: vsecm/charts/safe/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vsecm-secret-readwriter-binding +subjects: + - kind: ServiceAccount + name: vsecm-safe + namespace: vsecm-system +roleRef: + kind: ClusterRole + name: vsecm-secret-readwriter + apiGroup: rbac.authorization.k8s.io + +## +# +# Alternatively, for a tighter security, you can define a `RoleBinding` +# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to +# maintain. See the discussion about above `Role`s and `RoleBinding`s. 
+# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: vsecm-secret-readwriter-binding +# namespace: vsecm-system +# subjects: +# - kind: ServiceAccount +# name: vsecm-safe +# namespace: vsecm-system +# roleRef: +# kind: Role +# name: vsecm-secret-readwriter +# apiGroup: rbac.authorization.k8s.io +# +## +--- +# Source: vsecm/charts/safe/templates/Service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-keystone + securityContext: + {} + + priorityClassName: system-cluster-critical + + initContainers: + - name: init-container + image: "localhost:5000/vsecm-ist-init-container:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /spire-agent-socket + name: spire-agent-socket + readOnly: true + env: + # + # You can configure VSecM Init Container by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Init Container will assume the default values outlined in the given link above. 
+ # + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + + + + - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT + value: "0" + + + + - name: VSECM_LOG_LEVEL + value: "7" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + containers: + - name: main + image: "localhost:5000/vsecm-ist-keystone:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. 
+ # + env: + - name: VSECM_LOG_LEVEL + value: "7" + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true +--- +# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-sentinel + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "localhost:5000/vsecm-ist-sentinel:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. 
+ # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. + # + env: + + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + + - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER + value: "false" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE + value: "0" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC + value: "0" + + + + + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + + + + + - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL + value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" + + + + + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: init-command-volume + secret: + secretName: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/StatefulSet.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: vsecm-safe + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-safe + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "localhost:5000/vsecm-ist-safe:0.26.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP + volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: vsecm-root-key + mountPath: /key + 
readOnly: true + # + # You can configure VSecM Safe by providing environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. + # + env: + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + + + + - name: VSECM_SAFE_BACKING_STORE + value: "file" + + + + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + + + + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + + + + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + + + + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + + + + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" + + + + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + + + + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + + + + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + + + + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + + + + - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX + value: "k8s:" + + + + - name: VSECM_SAFE_ROOT_KEY_STORE + value: "k8s" + + + + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SAFE_ENDPOINT_URL + value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key + secret: + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt +--- +# Source: vsecm/charts/keystone/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-keystone + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-keystone" +--- +# Source: vsecm/charts/safe/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-safe + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-safe" +--- +# Source: vsecm/charts/sentinel/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-sentinel + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.26.1/remote/vsecm-distroless-fips.yaml b/k8s/0.26.1/remote/vsecm-distroless-fips.yaml new file mode 100644 index 00000000..81348f04 --- /dev/null +++ b/k8s/0.26.1/remote/vsecm-distroless-fips.yaml 
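Review bot: The `vsecm-secret-readwriter` ClusterRole in this hunk grants `get`, `watch`, `list`, `update` and `create` on every Secret in every namespace and binds that to the `vsecm-safe` ServiceAccount through a ClusterRoleBinding, so a compromised Safe pod can read all cluster Secrets, even though the manifest's own comment calls the scoped form the "recommended, more secure" one. The `resourceNames: ["vsecm-root-key"]` alternative shown in that comment is not a full answer either: Kubernetes RBAC cannot restrict `create` by resource name and, as far as I know, `list`/`watch` are only name-restricted when the client sends a matching field selector, so the practical tightening is the namespace-scoped pair the comment also sketches — `kind: Role` with `namespace: vsecm-system` in its metadata, and `kind: RoleBinding` (with `roleRef.kind: Role`) in the same namespace — shipped as the active rule rather than left commented out. Separately, every pod spec here sets `securityContext: {}`; for a secrets manager I would expect at least `runAsNonRoot: true` and `readOnlyRootFilesystem: true` on the containers unless the distroless images already enforce that (not visible from the manifest). The `vsecm-data` hostPath volume also keeps the encrypted backups on the node filesystem, which is fine for this "local" variant but deserves a comment saying so, since the root key next to it lives in a plain `Opaque` Secret in the same namespace.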
@@ -0,0 +1,989 @@ +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: true +--- +# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-root-key + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm +type: Opaque +data: + # '{}' (e30=) is a special placeholder to tell Safe that the Secret + # is not initialized. DO NOT remove or change it. 
+ KEY_TXT: "e30=" +--- +# Source: vsecm/charts/sentinel/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-sentinel-init-secret + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm +type: Opaque +stringData: + data: "exit:true\n--\n" +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vsecm-secret-readwriter +# +# Creating a `ClusterRole` will make the role applicable to all namespaces +# within the cluster. This approach is easier to maintain, and still secure +# enough because VSecM Safe will talk only to the Secrets it knows about. +# Alternatively, you can create a `Role` for tighter control: +# +# kind: Role +# metadata: +# name: vsecm-secret-readwriter +# namespace: vsecm-system +# +## + +## +# +# It is not possible to implement a more granular regex-based +# access control using RBAC. See, for example: +# https://github.com/kubernetes/kubernetes/issues/93845 +# +# Also, note that you will either need to specify one role for each +# namespace, or you will need to define a ClusterRole across the cluster. 
+# The former approach is tedious, yet more explicit, and more secure. +# +# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated +# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the +# workload names), then you can limit the scope of this role as follows: +# +# rules +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +## + +## +# +# This `rules` setting is for legacy support (see the above discussion): +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "update", "create"] +# +# This `rules` configuration is the recommended, more secure, way: +# +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +# +## +--- +# Source: vsecm/charts/safe/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vsecm-secret-readwriter-binding +subjects: + - kind: ServiceAccount + name: vsecm-safe + namespace: vsecm-system +roleRef: + kind: ClusterRole + name: vsecm-secret-readwriter + apiGroup: rbac.authorization.k8s.io + +## +# +# Alternatively, for a tighter security, you can define a `RoleBinding` +# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to +# maintain. See the discussion about above `Role`s and `RoleBinding`s. 
+# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: vsecm-secret-readwriter-binding +# namespace: vsecm-system +# subjects: +# - kind: ServiceAccount +# name: vsecm-safe +# namespace: vsecm-system +# roleRef: +# kind: Role +# name: vsecm-secret-readwriter +# apiGroup: rbac.authorization.k8s.io +# +## +--- +# Source: vsecm/charts/safe/templates/Service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-keystone + securityContext: + {} + + priorityClassName: system-cluster-critical + + initContainers: + - name: init-container + image: "vsecm/vsecm-ist-init-container:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /spire-agent-socket + name: spire-agent-socket + readOnly: true + env: + # + # You can configure VSecM Init Container by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Init Container will assume the default values outlined in the given link above. 
+ # + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + + + + - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT + value: "0" + + + + - name: VSECM_LOG_LEVEL + value: "7" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + containers: + - name: main + image: "vsecm/vsecm-ist-fips-keystone:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. 
+ # + env: + - name: VSECM_LOG_LEVEL + value: "7" + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true +--- +# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-sentinel + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "vsecm/vsecm-ist-fips-sentinel:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. 
+ # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. + # + env: + + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + + - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER + value: "false" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE + value: "0" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC + value: "0" + + + + + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + + + + + - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL + value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" + + + + + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: init-command-volume + secret: + secretName: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/StatefulSet.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: vsecm-safe + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-safe + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "vsecm/vsecm-ist-fips-safe:0.26.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP + volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: vsecm-root-key + mountPath: /key + 
readOnly: true + # + # You can configure VSecM Safe by providing environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. + # + env: + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + + + + - name: VSECM_SAFE_BACKING_STORE + value: "file" + + + + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + + + + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + + + + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + + + + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + + + + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" + + + + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + + + + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + + + + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + + + + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + + + + - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX + value: "k8s:" + + + + - name: VSECM_SAFE_ROOT_KEY_STORE + value: "k8s" + + + + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SAFE_ENDPOINT_URL + value: 
"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key + secret: + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt +--- +# Source: vsecm/charts/keystone/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-keystone + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-keystone" +--- +# Source: vsecm/charts/safe/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-safe + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-safe" +--- +# Source: vsecm/charts/sentinel/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-sentinel + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.26.1/remote/vsecm-distroless.yaml b/k8s/0.26.1/remote/vsecm-distroless.yaml new file mode 100644 index 00000000..0efe2407 --- /dev/null +++ b/k8s/0.26.1/remote/vsecm-distroless.yaml 
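Review bot: In the new `remote/vsecm-distroless-fips.yaml` the Safe StatefulSet pulls `vsecm/vsecm-ist-fips-safe:0.26.1` yet sets `VSECM_SAFE_FIPS_COMPLIANT` to `"false"`, so the FIPS variant appears to have been rendered with the same values as the non-FIPS file; if that flag is what switches Safe to FIPS-approved algorithms (the manifest alone does not show this), the FIPS file should carry `value: "true"`, or be rendered from the FIPS values file, and the sibling eks/local FIPS manifests in this commit likely need the same check. Separately, the active `vsecm-secret-readwriter` ClusterRole grants get/list/watch/update/create on every Secret in the cluster to the `vsecm-safe` service account (whose token is automounted), while the narrower `resourceNames: ["vsecm-root-key"]` rule exists only as a comment, so a compromised Safe pod can read all cluster Secrets and the only backstop is the application-level "talks only to Secrets it knows about" behaviour the comment relies on. Note that Kubernetes RBAC cannot scope `create` by `resourceNames` at all, and `list`/`watch` are only name-scoped in recent versions with a `metadata.name` field selector, so even the commented "recommended" rule would not restrict those verbs as written and should be documented accordingly. Consider rendering the restricted rule by default with the broad one as an explicit opt-in for the `k8s:` sync prefix, and giving the Safe pod, which mounts the host path `/var/local/vsecm/data`, a non-empty `securityContext` (e.g. `runAsNonRoot: true`, dropped capabilities, `readOnlyRootFilesystem: true`) instead of `{}`.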
@@ -0,0 +1,989 @@ +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-namespace.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: true +--- +# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false +--- +# Source: vsecm/charts/safe/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-root-key + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm +type: Opaque +data: + # '{}' (e30=) is a special placeholder to tell Safe that the Secret + # is not initialized. DO NOT remove or change it. 
+ KEY_TXT: "e30=" +--- +# Source: vsecm/charts/sentinel/templates/Secret.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +apiVersion: v1 +kind: Secret +metadata: + name: vsecm-sentinel-init-secret + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/operated-by: vsecm +type: Opaque +stringData: + data: "exit:true\n--\n" +--- +# Source: vsecm/charts/safe/templates/hook-preinstall-role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vsecm-secret-readwriter +# +# Creating a `ClusterRole` will make the role applicable to all namespaces +# within the cluster. This approach is easier to maintain, and still secure +# enough because VSecM Safe will talk only to the Secrets it knows about. +# Alternatively, you can create a `Role` for tighter control: +# +# kind: Role +# metadata: +# name: vsecm-secret-readwriter +# namespace: vsecm-system +# +## + +## +# +# It is not possible to implement a more granular regex-based +# access control using RBAC. See, for example: +# https://github.com/kubernetes/kubernetes/issues/93845 +# +# Also, note that you will either need to specify one role for each +# namespace, or you will need to define a ClusterRole across the cluster. 
+# The former approach is tedious, yet more explicit, and more secure. +# +# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated +# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the +# workload names), then you can limit the scope of this role as follows: +# +# rules +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +## + +## +# +# This `rules` setting is for legacy support (see the above discussion): +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "update", "create"] +# +# This `rules` configuration is the recommended, more secure, way: +# +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# resourceNames: ["vsecm-root-key"] +# verbs: ["get", "watch", "list", "update", "create"] +# +# +## +--- +# Source: vsecm/charts/safe/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vsecm-secret-readwriter-binding +subjects: + - kind: ServiceAccount + name: vsecm-safe + namespace: vsecm-system +roleRef: + kind: ClusterRole + name: vsecm-secret-readwriter + apiGroup: rbac.authorization.k8s.io + +## +# +# Alternatively, for a tighter security, you can define a `RoleBinding` +# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to +# maintain. See the discussion about above `Role`s and `RoleBinding`s. 
+# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: vsecm-secret-readwriter-binding +# namespace: vsecm-system +# subjects: +# - kind: ServiceAccount +# name: vsecm-safe +# namespace: vsecm-system +# roleRef: +# kind: Role +# name: vsecm-secret-readwriter +# apiGroup: rbac.authorization.k8s.io +# +## +--- +# Source: vsecm/charts/safe/templates/Service.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system +--- +# Source: vsecm/charts/keystone/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-keystone + namespace: vsecm-system + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-keystone + securityContext: + {} + + priorityClassName: system-cluster-critical + + initContainers: + - name: init-container + image: "vsecm/vsecm-ist-init-container:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /spire-agent-socket + name: spire-agent-socket + readOnly: true + env: + # + # You can configure VSecM Init Container by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Init Container will assume the default values outlined in the given link above. 
+ # + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + + + + - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT + value: "0" + + + + - name: VSECM_LOG_LEVEL + value: "7" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + containers: + - name: main + image: "vsecm/vsecm-ist-keystone:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. 
+ # + env: + - name: VSECM_LOG_LEVEL + value: "7" + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true +--- +# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vsecm-sentinel + namespace: vsecm-system + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-sentinel + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "vsecm/vsecm-ist-sentinel:0.26.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init + # + # You can configure VSecM Sentinel by providing + # environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. 
+ # + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. + # + env: + + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + + - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER + value: "false" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE + value: "0" + + + + + - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC + value: "0" + + + + + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + + + + + - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL + value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" + + + + + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + - name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: 
"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + - name: init-command-volume + secret: + secretName: vsecm-sentinel-init-secret +--- +# Source: vsecm/charts/safe/templates/StatefulSet.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vsecm-safe + namespace: vsecm-system + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: vsecm-safe + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + template: + metadata: + labels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + spec: + serviceAccountName: vsecm-safe + securityContext: + {} + + priorityClassName: system-cluster-critical + + containers: + - name: main + image: "vsecm/vsecm-ist-safe:0.26.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP + volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + - name: vsecm-root-key + mountPath: /key + readOnly: 
true + # + # You can configure VSecM Safe by providing environment variables. + # + # See https://vsecm.com/configuration for more information about + # these environment variables. + # + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. + # + env: + + + + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/spire-agent.sock" + + + + - name: VSECM_BACKOFF_DELAY + value: "1000" + + + + - name: VSECM_BACKOFF_MAX_RETRIES + value: "10" + + + + - name: VSECM_BACKOFF_MAX_WAIT + value: "10000" + + + + - name: VSECM_BACKOFF_MODE + value: "exponential" + + + + - name: VSECM_LOG_LEVEL + value: "7" + + + + - name: VSECM_LOG_SECRET_FINGERPRINTS + value: "false" + + + + - name: VSECM_PROBE_LIVENESS_PORT + value: ":8081" + + + + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + + + + - name: VSECM_SAFE_BACKING_STORE + value: "file" + + + + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + + + + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + + + + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + + + + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + + + + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" + + + + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + + + + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + + + + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + + + + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + + + + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + + + + - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX + value: "k8s:" + + + + - name: VSECM_SAFE_ROOT_KEY_STORE + value: "k8s" + + + + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SAFE_ENDPOINT_URL + value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" + 
- name: VSECM_SPIFFEID_PREFIX_SAFE + value: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_SENTINEL + value: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" + - name: VSECM_SPIFFEID_PREFIX_WORKLOAD + value: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" + - name: VSECM_NAMESPACE_SYSTEM + value: "vsecm-system" + - name: VSECM_NAMESPACE_SPIRE + value: "spire-system" + - name: SPIFFE_TRUST_DOMAIN + value: "vsecm.com" + - name: VSECM_WORKLOAD_NAME_REGEXP + value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" + livenessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 + resources: + requests: + memory: 20Mi + cpu: 5m + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key + secret: + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt +--- +# Source: vsecm/charts/keystone/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-keystone + labels: + helm.sh/chart: keystone-0.26.1 + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-keystone + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-keystone" +--- +# Source: vsecm/charts/safe/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-safe + labels: + helm.sh/chart: safe-0.26.1 + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-safe" +--- +# Source: vsecm/charts/sentinel/templates/Identity.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: vsecm-sentinel + labels: + helm.sh/chart: sentinel-0.26.1 + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/instance: vsecm + app.kubernetes.io/part-of: vsecm-system + app.kubernetes.io/version: "0.26.1" + app.kubernetes.io/managed-by: Helm +spec: + className: "vsecm" + spiffeIDTemplate: spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }} + podSelector: + matchLabels: + app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/part-of: vsecm-system + workloadSelectorTemplates: + - "k8s:ns:vsecm-system" + - "k8s:sa:vsecm-sentinel" diff --git a/k8s/0.26.1/spire.yaml b/k8s/0.26.1/spire.yaml new file mode 100644 index 00000000..318ff6f9 --- /dev/null +++ b/k8s/0.26.1/spire.yaml 
@@ -0,0 +1,1821 @@ +--- +# Source: vsecm/charts/spire/templates/serviceaccount-spire-agent.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + namespace: spire-system + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +--- +# Source: vsecm/charts/spire/templates/serviceaccount-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + namespace: spire-server + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +--- +# Source: vsecm/charts/spire/templates/serviceaccount-spire-spiffe-csi-driver.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-spiffe-csi-driver + namespace: spire-system + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "0.2.3" + app.kubernetes.io/managed-by: Helm +--- +# Source: vsecm/charts/spire/templates/configmap-spire-agent.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + namespace: spire-system +data: + agent.conf: | + { + "agent": { + "data_dir": "/run/spire", + "log_level": "info", + "retry_bootstrap": true, + "server_address": "spire-server.spire-server", + "server_port": "443", + "socket_path": "/tmp/spire-agent/public/spire-agent.sock", + "trust_bundle_path": "/run/spire/bundle/bundle.crt", + "trust_domain": "vsecm.com" + }, + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "9982", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "KeyManager": [ + { + "memory": { + "plugin_data": null + } + } + ], + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "cluster": "vsecm-cluster" + } + } + } + ], + "WorkloadAttestor": [ + { + "k8s": { + "plugin_data": { + "disable_container_selectors": false, + "skip_kubelet_verification": true, + "use_new_container_locator": false, + "verbose_container_locator_logs": false + } + } + } + ] + }, + "telemetry": [ + { + "Prometheus": [ + { + "host": "0.0.0.0", + "port": 9988 + } + ] + } + ] + } +--- +# Source: vsecm/charts/spire/templates/configmap-spire-bundle.yaml +# /* +# | Protect your secrets, protect your sensitive data. 
+# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire-system +--- +# Source: vsecm/charts/spire/templates/configmap-spire-controller-manager.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-controller-manager + namespace: spire-server +data: + controller-manager-config.yaml: | + + apiVersion: spire.spiffe.io/v1alpha1 + kind: ControllerManagerConfig + metadata: + name: spire-controller-manager + namespace: spire-server + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + metrics: + bindAddress: 0.0.0.0:8082 + health: + healthProbeBindAddress: 0.0.0.0:8083 + leaderElection: + leaderElect: true + resourceName: 6f304bd2.spiffe.io + resourceNamespace: spire-server + validatingWebhookConfigurationName: spire-server-spire-controller-manager-webhook + entryIDPrefix: vsecm-cluster + clusterName: vsecm-cluster + trustDomain: vsecm.com + ignoreNamespaces: + - kube-system + - kube-public + - local-path-storage + - openshift-cluster-node-tuning-operator + - openshift-cluster-samples-operator + - openshift-cluster-storage-operator + - openshift-console-operator + - openshift-console + - openshift-dns + - openshift-dns-operator + - openshift-image-registry + - openshift-ingress + - openshift-kube-storage-version-migrator + - openshift-kube-storage-version-migrator-operator + - openshift-kube-proxy + - 
openshift-marketplace + - openshift-monitoring + - openshift-multus + - openshift-network-diagnostics + - openshift-network-operator + - openshift-operator-lifecycle-manager + - openshift-roks-metrics + - openshift-service-ca-operator + - openshift-service-ca + - ibm-odf-validation-webhook + - ibm-system + spireServerSocketPath: "/tmp/spire-server/private/api.sock" + className: "vsecm" + watchClassless: false + parentIDTemplate: "spiffe://{{ .TrustDomain }}/spire/agent/k8s_psat/{{ .ClusterName }}/{{ .NodeMeta.UID }}" + reconcile: + clusterSPIFFEIDs: true + clusterStaticEntries: true + clusterFederatedTrustDomains: true +--- +# Source: vsecm/charts/spire/templates/configmap-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + namespace: spire-server +data: + server.conf: | + { + "health_checks": { + "bind_address": "0.0.0.0", + "bind_port": "8080", + "listener_enabled": true, + "live_path": "/live", + "ready_path": "/ready" + }, + "plugins": { + "DataStore": [ + { + "sql": { + "plugin_data": { + "connection_string": "/run/spire/data/datastore.sqlite3", + "database_type": "sqlite3" + } + } + } + ], + "KeyManager": [ + { + "disk": { + "plugin_data": { + "keys_path": "/run/spire/data/keys.json" + } + } + } + ], + "NodeAttestor": [ + { + "k8s_psat": { + "plugin_data": { + "clusters": [ + { + "vsecm-cluster": { + "allowed_node_label_keys": [], + "allowed_pod_label_keys": [], + "audience": [ + "spire-server" + ], + "service_account_allow_list": [ + "spire-system:spire-agent" + ] + } + } + ] + } + } + } + ], + "Notifier": [ + { + "k8sbundle": { + "plugin_data": { + "config_map": "spire-bundle", + "namespace": "spire-system" + } + } + } + ] + }, + "server": { + 
"audit_log_enabled": false, + "bind_address": "0.0.0.0", + "bind_port": "8081", + "ca_key_type": "rsa-2048", + "ca_subject": [ + { + "common_name": "aegist.ist", + "country": [ + "US" + ], + "organization": [ + "vsecm.com" + ] + } + ], + "ca_ttl": "24h", + "data_dir": "/run/spire/data", + "default_jwt_svid_ttl": "1h", + "default_x509_svid_ttl": "4h", + "jwt_issuer": "https://oidc-discovery.vsecm.com", + "log_level": "info", + "trust_domain": "vsecm.com" + }, + "telemetry": [ + { + "Prometheus": [ + { + "host": "0.0.0.0", + "port": 9988 + } + ] + } + ] + } +--- +# Source: vsecm/charts/spire/templates/clusterrole-spire-agent.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Required cluster role to allow spire-agent to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - nodes/proxy + verbs: ["get"] +--- +# Source: vsecm/charts/spire/templates/clusterrole-spire-server-spire-controller-manager.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-spire-controller-manager +rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/status"] + verbs: ["get", "patch", "update"] +--- +# Source: vsecm/charts/spire/templates/clusterrole-spire-server-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... 
secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# ClusterRole to allow spire-server node attestor to query Token Review API +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-spire-server +rules: + - apiGroups: [""] + resources: [nodes, pods] + verbs: ["get", "list"] + - apiGroups: [authentication.k8s.io] + resources: [tokenreviews] + verbs: ["get", "watch", "list", "create"] +--- +# Source: vsecm/charts/spire/templates/clusterrolebinding-spire-agent.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Binds SPIRE Agent Cluster Role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent +subjects: + - kind: ServiceAccount + name: spire-agent + namespace: spire-system +roleRef: + kind: ClusterRole + name: spire-agent + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/spire/templates/clusterrolebinding-spire-server-spire-controller-manager.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-server-spire-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spire-server-spire-controller-manager +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire-server +--- +# Source: vsecm/charts/spire/templates/clusterrolebinding-spire-server-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Binds spire-server-spire-server cluster role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-spire-server + +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-spire-server + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/spire/templates/role-spire-bundle.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +# Role to be able to push certificate bundles to a configmap +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-bundle + namespace: spire-system +rules: + - apiGroups: [""] + resources: [configmaps] + resourceNames: [spire-bundle] + verbs: + - get + - patch +--- +# Source: vsecm/charts/spire/templates/role-spire-controller-manager-leader-election.yaml +# /* +# | Protect your secrets, protect your sensitive data. 
+# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: spire-controller-manager-leader-election + namespace: spire-server +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: vsecm/charts/spire/templates/rolebinding-spire-bundle.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-bundle + namespace: spire-system +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire-server +roleRef: + kind: Role + name: spire-bundle + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/spire/templates/rolebinding-spire-controller-manager-leader-election.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: spire-controller-manager-leader-election + namespace: spire-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: spire-controller-manager-leader-election +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire-server +--- +# Source: vsecm/charts/spire/templates/service-spire-controller-manager-webhook.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: spire-controller-manager-webhook + namespace: spire-server + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: https + protocol: TCP + selector: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire +--- +# Source: vsecm/charts/spire/templates/service-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Service +metadata: + name: spire-server + namespace: spire-server + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: grpc + port: 443 + targetPort: grpc + protocol: TCP + selector: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire +--- +# Source: vsecm/charts/spire/templates/daemonset-spire-agent.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + namespace: spire-system + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: default +spec: + selector: + matchLabels: + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/component: default + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: spire-agent + checksum/config: 2ad907b85aad20064f4cbf04be0f3bf500bbe6a43f76c82c48eda97306352008 + labels: + app.kubernetes.io/name: agent + app.kubernetes.io/instance: spire + app.kubernetes.io/component: default + spec: + + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: spire-agent + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + priorityClassName: system-node-critical + initContainers: + - name: 
ensure-alternate-names + image: "cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d" + imagePullPolicy: IfNotPresent + command: ["bash", "-xc"] + args: + - | + cd /run/spire/agent-sockets + L=`readlink socket` + [ "x$L" != "xspire-agent.sock" ] && rm -f socket + [ ! -L socket ] && ln -s spire-agent.sock socket + L=`readlink api.sock` + [ "x$L" != "xspire-agent.sock" ] && rm -f api.sock + [ ! -L api.sock ] && ln -s spire-agent.sock api.sock + [ -L spire-agent.sock ] && rm -f spire-agent.sock + exit 0 + resources: + {} + volumeMounts: + - name: spire-agent-socket-dir + mountPath: /run/spire/agent-sockets + securityContext: + runAsUser: 0 + runAsGroup: 0 + - name: fsgroupfix + image: "cgr.dev/chainguard/bash:latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d" + imagePullPolicy: IfNotPresent + command: ["bash", "-c"] + args: + - "chown -R 1000:1000 /run/spire/agent-sockets /tmp/spire-agent/private" + resources: + {} + volumeMounts: + - name: spire-agent-socket-dir + mountPath: /run/spire/agent-sockets + - name: spire-agent-admin-socket-dir + mountPath: /tmp/spire-agent/private + securityContext: + runAsUser: 0 + runAsGroup: 0 + containers: + - name: spire-agent + image: "ghcr.io/spiffe/spire-agent:1.9.6" + imagePullPolicy: IfNotPresent + args: ["-config", "/opt/spire/conf/agent/agent.conf"] + securityContext: + {} + env: + - name: PATH + value: "/opt/spire/bin:/bin" + ports: + - containerPort: 9982 + name: healthz + - containerPort: 9988 + name: prom + volumeMounts: + - name: spire-config + mountPath: /opt/spire/conf/agent + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + readOnly: true + - name: spire-agent-socket-dir + mountPath: /tmp/spire-agent/public + readOnly: false + - name: spire-token + mountPath: /var/run/secrets/tokens + livenessProbe: + httpGet: + path: /live + port: healthz + initialDelaySeconds: 15 + periodSeconds: 60 + readinessProbe: + httpGet: + 
path: /ready + port: healthz + initialDelaySeconds: 10 + periodSeconds: 30 + resources: + {} + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-agent-admin-socket-dir + emptyDir: {} + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/agent-sockets + type: DirectoryOrCreate +--- +# Source: vsecm/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-spiffe-csi-driver + namespace: spire-system + labels: + hhelm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "0.2.3" + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + app.kubernetes.io/name: spiffe-csi-driver + app.kubernetes.io/instance: spire + spec: + serviceAccountName: spire-spiffe-csi-driver + + priorityClassName: system-node-critical + containers: + # This is the container which runs the SPIFFE CSI driver. + - name: spiffe-csi-driver + image: "ghcr.io/spiffe/spiffe-csi-driver:0.2.6" + imagePullPolicy: IfNotPresent + args: [ + "-workload-api-socket-dir", "/spire-agent-socket", + "-plugin-name", "csi.spiffe.io", + "-csi-socket-path", "/spiffe-csi/csi.sock", + ] + env: + # The CSI driver needs a unique node ID. 
The node name can be + # used for this purpose. + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + # The volume containing the SPIRE agent socket. The SPIFFE CSI + # driver will mount this directory into containers. + - mountPath: /spire-agent-socket + name: spire-agent-socket-dir + readOnly: true + # The volume that will contain the CSI driver socket shared + # with the kubelet and the driver registrar. + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The volume containing mount points for containers. + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + securityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - all + privileged: true + resources: + {} + # This container runs the CSI Node Driver Registrar which takes care + # of all the little details required to register a CSI driver with + # the kubelet. + - name: node-driver-registrar + image: "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0" + imagePullPolicy: IfNotPresent + args: [ + "-csi-address", "/spiffe-csi/csi.sock", + "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", + "-health-port", "9809" + ] + volumeMounts: + # The registrar needs access to the SPIFFE CSI driver socket + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The registrar needs access to the Kubelet plugin registration + # directory + - name: kubelet-plugin-registration-dir + mountPath: /registration + ports: + - containerPort: 9809 + name: healthz + livenessProbe: + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 5 + timeoutSeconds: 5 + resources: + {} + volumes: + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/agent-sockets + type: DirectoryOrCreate + # This volume is where the socket for kubelet->driver communication lives + - name: spiffe-csi-socket-dir + hostPath: + path: /var/lib/kubelet/plugins/csi.spiffe.io + type: DirectoryOrCreate 
+ # This volume is where the SPIFFE CSI driver mounts volumes + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + # This volume is where the node-driver-registrar registers the plugin + # with kubelet + - name: kubelet-plugin-registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory +--- +# Source: vsecm/charts/spire/templates/statefulset-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: spire-server + namespace: spire-server + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: server +spec: + replicas: 1 + serviceName: spire-server + selector: + matchLabels: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/component: server + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: spire-server + checksum/config: 83dddc7bb9f54b5059533228971826c0585045b7c4afb17635ede1e7ef6c1e35 + checksum/config2: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/config3: 9742ccbbd63b5da94e50bc34b73c946f254110b1f94fbc4ac437b3bba15cefe8 + checksum/configTornjak: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/component: server + component: server + release: spire + release-namespace: spire-server + spec: + + serviceAccountName: spire-server + shareProcessNamespace: true + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + 
runAsGroup: 1000 + runAsUser: 1000 + + priorityClassName: system-cluster-critical + containers: + - name: spire-server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/spiffe/spire-server:1.9.6" + imagePullPolicy: IfNotPresent + args: + - -expandEnv + - -config + - /run/spire/config/server.conf + env: + - name: PATH + value: "/opt/spire/bin:/bin" + ports: + - name: grpc + containerPort: 8081 + protocol: TCP + - containerPort: 8080 + name: healthz + - containerPort: 9988 + name: prom + livenessProbe: + httpGet: + path: /live + port: healthz + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {} + volumeMounts: + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: false + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-data + mountPath: /run/spire/data + readOnly: false + + - name: server-tmp + mountPath: /tmp + readOnly: false + + - name: spire-controller-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/spiffe/spire-controller-manager:0.5.0" + imagePullPolicy: IfNotPresent + args: + - --config=controller-manager-config.yaml + env: + - name: ENABLE_WEBHOOKS + value: "true" + ports: + - name: https + containerPort: 9443 + protocol: TCP + - containerPort: 8083 + name: healthz + - containerPort: 8082 + name: prom-cm + livenessProbe: + httpGet: + path: /healthz + port: healthz + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + {} + volumeMounts: + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: true + - 
name: controller-manager-config + mountPath: /controller-manager-config.yaml + subPath: controller-manager-config.yaml + readOnly: true + - name: spire-controller-manager-tmp + mountPath: /tmp + subPath: spire-controller-manager + readOnly: false + volumes: + - name: server-tmp + emptyDir: {} + - name: spire-config + configMap: + name: spire-server + - name: spire-server-socket + emptyDir: {} + - name: spire-controller-manager-tmp + emptyDir: {} + - name: controller-manager-config + configMap: + name: spire-controller-manager + # noinspection KubernetesUnknownKeys + volumeClaimTemplates: + - metadata: + name: spire-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +# Source: vsecm/charts/spire/templates/openshift-security-context-constraints.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ +--- +# Source: vsecm/charts/spire/templates/clusterspiffeid-spire-server-spire-default.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: spire-server-spire-default +spec: + className: "vsecm" + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - spire-server + - spire-system + - vsecm-system + - default +--- +# Source: vsecm/charts/spire/templates/clusterspiffeid-spire-server-spire-test-keys.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: spire-server-spire-test-keys +spec: + className: "vsecm" + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + podSelector: + matchLabels: + component: test-keys + release: spire + release-namespace: spire-server + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - spire-server + - spire-system + - vsecm-system +--- +# Source: vsecm/charts/spire/templates/validatingwebhookconfiguration-spire-server-spire-controller-manager-webhook.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: spire-server-spire-controller-manager-webhook +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook + namespace: spire-server + path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain + failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks + name: vclusterfederatedtrustdomain.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterfederatedtrustdomains"] + sideEffects: None + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook + namespace: spire-server + path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid + failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks + name: vclusterspiffeid.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterspiffeids"] + sideEffects: None +--- +# Source: vsecm/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: spire-system + labels: + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged + annotations: + "helm.sh/hook": pre-install +--- +# Source: vsecm/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml +# /* +# | Protect your secrets, protect your sensitive data. 
+# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: Namespace +metadata: + name: spire-server + labels: + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/warn: restricted + annotations: + "helm.sh/hook": pre-install +--- +# Source: vsecm/charts/spire/templates/hook-serviceaccount-spire-server-post-install.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server-post-install + namespace: spire-server + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: vsecm/charts/spire/templates/hook-serviceaccount-spire-server-post-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server-post-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: vsecm/charts/spire/templates/hook-serviceaccount-spire-server-pre-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server-pre-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +# Source: vsecm/charts/spire/templates/hook-clusterrole-spire-server-post-install.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-post-install + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + resourceNames: ["spire-server-spire-controller-manager-webhook"] + verbs: ["get", "patch"] +--- +# Source: vsecm/charts/spire/templates/hook-clusterrole-spire-server-post-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-post-upgrade + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + resourceNames: ["spire-server-spire-controller-manager-webhook"] + verbs: ["get", "patch"] +--- +# Source: vsecm/charts/spire/templates/hook-clusterrole-spire-server-pre-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server-pre-upgrade + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + resourceNames: ["spire-server-spire-controller-manager-webhook"] + verbs: ["get", "patch"] +--- +# Source: vsecm/charts/spire/templates/hook-clusterrolebinding-spire-server-post-install.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-post-install + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-server-post-install + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-post-install + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/spire/templates/hook-clusterrolebinding-spire-server-post-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-post-upgrade + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-server-post-upgrade + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-post-upgrade + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/spire/templates/hook-clusterrolebinding-spire-server-pre-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-pre-upgrade + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: spire-server-pre-upgrade + namespace: spire-server +roleRef: + kind: ClusterRole + name: spire-server-pre-upgrade + apiGroup: rbac.authorization.k8s.io +--- +# Source: vsecm/charts/spire/templates/hook-job-spire-server-post-install.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-server-post-install + namespace: spire-server + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-server-post-install + spec: + + restartPolicy: Never + serviceAccountName: spire-server-post-install + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + + containers: + - name: post-install-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "docker.io/rancher/kubectl:v1.28.0" + imagePullPolicy: IfNotPresent + args: + - patch + - validatingwebhookconfiguration + - spire-server-spire-controller-manager-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"Fail" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"Fail" + } + ] + } +--- +# Source: vsecm/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-server-post-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-server-post-upgrade + spec: + + restartPolicy: Never + serviceAccountName: spire-server-post-upgrade + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + containers: + - name: post-upgrade-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "docker.io/rancher/kubectl:v1.28.0" + imagePullPolicy: IfNotPresent + args: + - patch + - validatingwebhookconfiguration + - spire-server-spire-controller-manager-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"Fail" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"Fail" + } + ] + } +--- +# Source: vsecm/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. 
+# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: batch/v1 +kind: Job +metadata: + name: spire-server-pre-upgrade + namespace: spire-server + labels: + helm.sh/chart: spire-0.26.1 + app.kubernetes.io/name: server + app.kubernetes.io/instance: spire + app.kubernetes.io/version: "1.9.6" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: spire-server-pre-upgrade + spec: + + restartPolicy: Never + serviceAccountName: spire-server-pre-upgrade + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 1000 + runAsUser: 1000 + containers: + - name: post-install-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "docker.io/rancher/kubectl:v1.28.0" + imagePullPolicy: IfNotPresent + args: + - patch + - validatingwebhookconfiguration + - spire-server-spire-controller-manager-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"Ignore" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"Ignore" + } + ] + } +--- +# Source: vsecm/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: "csi.spiffe.io" + annotations: + "helm.sh/hook": pre-install + +spec: + # Only ephemeral, inline volumes are supported. There is no need for a + # controller to provision and attach volumes. 
+ attachRequired: false + + # Request the pod information which the CSI driver uses to verify that an + # ephemeral mount was requested. + podInfoOnMount: true + + # Don't change ownership on the contents of the mount since the Workload API + # Unix Domain Socket is typically open to all (i.e. 0777). + fsGroupPolicy: None + + # Declare support for ephemeral volumes only. + volumeLifecycleModes: + - Ephemeral