Skip to content

Commit

Permalink
Add CRDs for spire-controller-manager
Browse files Browse the repository at this point in the history 
Signed-off-by: Batuhan Apaydın <[email protected]>
  • Loading branch information
@developer-guy
developer-guy committed Dec 20, 2022
1 parent 4c36e95 commit 84d3233
Show file tree
Hide file tree
Showing 16 changed files with 645 additions and 10 deletions.
2 changes: 1 addition & 1 deletion charts/spire/Chart.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ description: |
- --service-account-signing-key-file=/run/config/pki/sa.key
```
type: application
version: 0.7.6
version: 0.8.0
appVersion: "1.5.3"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
home: https://github.com/philips-labs/helm-charts/charts/spire
Expand Down
16 changes: 15 additions & 1 deletion charts/spire/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

<!-- This README.md is generated. -->

![Version: 0.7.6](https://img.shields.io/badge/Version-0.7.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.3](https://img.shields.io/badge/AppVersion-1.5.3-informational?style=flat-square)
![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.3](https://img.shields.io/badge/AppVersion-1.5.3-informational?style=flat-square)

A Helm chart for deploying spire-server and spire-agent.

Expand Down Expand Up @@ -59,6 +59,19 @@ Kubernetes: `>=1.21.0-0`
| agent.nodeSelector."kubernetes.io/arch" | string | `"amd64"` | |
| agent.resources | object | `{}` | |
| agent.service.annotations | object | `{}` | |
| controllerManager.affinity | object | `{}` | |
| controllerManager.enabled | bool | `false` | |
| controllerManager.image.pullPolicy | string | `"IfNotPresent"` | |
| controllerManager.image.registry | string | `"ghcr.io"` | |
| controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | |
| controllerManager.image.version | string | `"0.2.1"` | |
| controllerManager.nodeSelector."kubernetes.io/arch" | string | `"amd64"` | |
| controllerManager.podAnnotations | object | `{}` | |
| controllerManager.podSecurityContext | object | `{}` | |
| controllerManager.replicaCount | int | `1` | |
| controllerManager.resources | object | `{}` | |
| controllerManager.securityContext | object | `{}` | |
| controllerManager.tolerations | list | `[]` | |
| csiDriver.image.pullPolicy | string | `"IfNotPresent"` | |
| csiDriver.image.registry | string | `"ghcr.io"` | |
| csiDriver.image.repository | string | `"spiffe/spiffe-csi-driver"` | |
Expand Down Expand Up @@ -135,6 +148,7 @@ Kubernetes: `>=1.21.0-0`
| waitForIt.image.repository | string | `"chainguard/wait-for-it"` | |
| waitForIt.image.version | string | `"latest-20221215"` | |
| waitForIt.resources | object | `{}` | |
| workloadRegistrar.enabled | bool | `true` | |
| workloadRegistrar.image.pullPolicy | string | `"IfNotPresent"` | |
| workloadRegistrar.image.registry | string | `"gcr.io"` | |
| workloadRegistrar.image.repository | string | `"spiffe-io/k8s-workload-registrar"` | |
Expand Down
96 changes: 96 additions & 0 deletions charts/spire/crds/clusterfederatedtrustdomains.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: clusterfederatedtrustdomains.spire.spiffe.io
spec:
group: spire.spiffe.io
names:
kind: ClusterFederatedTrustDomain
listKind: ClusterFederatedTrustDomainList
plural: clusterfederatedtrustdomains
singular: clusterfederatedtrustdomain
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.trustDomain
name: Trust Domain
type: string
- jsonPath: .spec.bundleEndpointURL
name: Endpoint URL
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ClusterFederatedTrustDomainSpec defines the desired state
of ClusterFederatedTrustDomain
properties:
bundleEndpointProfile:
description: BundleEndpointProfile is the profile for the bundle endpoint.
properties:
endpointSPIFFEID:
description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint.
It is required for the "https_spiffe" profile.
type: string
type:
description: Type is the type of the bundle endpoint profile.
enum:
- https_spiffe
- https_web
type: string
required:
- type
type: object
bundleEndpointURL:
description: BundleEndpointURL is the URL of the bundle endpoint.
It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
type: string
trustDomain:
description: TrustDomain is the name of the trust domain to federate
with (e.g. example.org)
pattern: '[a-z0-9._-]{1,255}'
type: string
trustDomainBundle:
description: TrustDomainBundle is the contents of the bundle for the
referenced trust domain. This field is optional when the resource
is created.
type: string
required:
- bundleEndpointProfile
- bundleEndpointURL
- trustDomain
type: object
status:
description: ClusterFederatedTrustDomainStatus defines the observed state
of ClusterFederatedTrustDomain
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
221 changes: 221 additions & 0 deletions charts/spire/crds/clusterspiffeids.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,221 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: clusterspiffeids.spire.spiffe.io
spec:
group: spire.spiffe.io
names:
kind: ClusterSPIFFEID
listKind: ClusterSPIFFEIDList
plural: clusterspiffeids
singular: clusterspiffeid
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
properties:
admin:
description: Admin indicates whether or not the SVID can be used to
access the SPIRE administrative APIs. Extra care should be taken
to only apply this SPIFFE ID to admin workloads.
type: boolean
dnsNameTemplates:
description: DNSNameTemplate represents templates for extra DNS names
that are applicable to SVIDs minted for this ClusterSPIFFEID. The
node and pod spec are made available to the template under .NodeSpec,
.PodSpec respectively.
items:
type: string
type: array
federatesWith:
description: FederatesWith is a list of trust domain names that workloads
that obtain this SPIFFE ID will federate with.
items:
type: string
type: array
namespaceSelector:
description: NamespaceSelector selects the namespaces that are targetted
by this CRD.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
podSelector:
description: PodSelector selects the pods that are targetted by this
CRD.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
spiffeIDTemplate:
description: SPIFFEID is the SPIFFE ID template. The node and pod
spec are made available to the template under .NodeSpec, .PodSpec
respectively.
type: string
ttl:
description: TTL indicates an upper-bound time-to-live for SVIDs minted
for this ClusterSPIFFEID. If unset, a default will be chosen.
type: string
workloadSelectorTemplates:
description: WorkloadSelectorTemplates are templates to produce arbitrary
workload selectors that apply to a given workload before it will
receive this SPIFFE ID. The rendered value is interpreted by SPIRE
and are of the form type:value, where the value may, and often does,
contain semicolons, .e.g., k8s:container-image:docker/hello-world
The node and pod spec are made available to the template under .NodeSpec,
.PodSpec respectively.
items:
type: string
type: array
required:
- spiffeIDTemplate
type: object
status:
description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID
properties:
stats:
description: Stats produced by the last entry reconciliation run
properties:
entriesMasked:
description: How many entries were masked by entries for other
ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
produce an entry for the same pod with the same set of workload
selectors.
type: integer
entriesToSet:
description: How many entries are to be set for this ClusterSPIFFEID.
In nominal conditions, this should reflect the number of pods
selected, but not always if there were problems encountered
rendering an entry for the pod (RenderFailures) or entries are
masked (EntriesMasked).
type: integer
entryFailures:
description: How many entries were unable to be set due to failures
to create or update the entries via the SPIRE Server API.
type: integer
namespacesIgnored:
description: How many (selected) namespaces were ignored (based
on configuration).
type: integer
namespacesSelected:
description: How many namespaces were selected.
type: integer
podEntryRenderFailures:
description: How many failures were encountered rendering an entry
selected pods. This could be due to either a bad template in
the ClusterSPIFFEID or Pod metadata that when applied to the
template did not produce valid entry values.
type: integer
podsSelected:
description: How many pods were selected out of the namespaces.
type: integer
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
Loading

0 comments on commit 84d3233

Please sign in to comment.