
Commit d4e960b

devx: Add extra CAs for SPIRE agent
Added in the same manner as done for the SPIRE server already. This allows configuring the agent to trust self-signed certificates for local dev.
1 parent 1a4c767 commit d4e960b

4 files changed, +27 -0 lines changed


charts/spire/charts/spire-agent/README.md

Lines changed: 1 addition & 0 deletions
@@ -126,6 +126,7 @@ A Helm chart to install the SPIRE agent.
126126
| `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` |
127127
| `extraVolumeMounts` | Extra volume mounts for Spire Agent pods | `[]` |
128128
| `extraContainers` | Additional containers to create with Spire Agent pods | `[]` |
129+
| `extraCAs` | A bundle, in PEM format, of X.509 certificates representing additional Certificate Authorities (CAs) to add to the default (WebPKI) trust store | `""` |
129130
| `initContainers` | Additional init containers to create with Spire Agent pods | `[]` |
130131
| `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` |
131132
| `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` |

charts/spire/charts/spire-agent/templates/daemonset.yaml

Lines changed: 11 additions & 0 deletions
@@ -290,6 +290,12 @@ spec:
290290
mountPath: /hostCert
291291
readOnly: true
292292
{{- end }}
293+
{{- if .Values.extraCAs }}
294+
- name: extra-ca
295+
mountPath: /etc/ssl/certs/extra-ca.crt
296+
subPath: ca.crt
297+
readOnly: true
298+
{{- end -}}
293299
{{- if gt (len .Values.extraVolumeMounts) 0 }}
294300
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
295301
{{- end }}
@@ -392,6 +398,11 @@ spec:
392398
hostPath:
393399
path: {{ .Values.workloadAttestors.k8s.verification.hostCert.basePath | quote }}
394400
{{- end }}
401+
{{- if .Values.extraCAs }}
402+
- name: extra-ca
403+
configMap:
404+
name: {{ include "spire-agent.fullname" . }}-extra-ca
405+
{{- end -}}
395406
{{- if gt (len .Values.extraVolumes) 0 }}
396407
{{- toYaml .Values.extraVolumes | nindent 8 }}
397408
{{- end }}
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
{{- if .Values.extraCAs }}
2+
apiVersion: v1
3+
kind: ConfigMap
4+
metadata:
5+
name: {{ include "spire-agent.fullname" . }}-extra-ca
6+
namespace: {{ include "spire-agent.namespace" . }}
7+
labels:
8+
{{- include "spire-agent.labels" . | nindent 4 }}
9+
data:
10+
ca.crt: |
11+
{{ .Values.extraCAs | indent 4 }}
12+
{{- end }}

charts/spire/charts/spire-agent/values.yaml

Lines changed: 3 additions & 0 deletions
@@ -315,6 +315,9 @@ extraVolumeMounts: []
315315
## @param extraContainers [array] Additional containers to create with Spire Agent pods
316316
extraContainers: []
317317

318+
## @param extraCAs [string] A bundle, in PEM format, of X.509 certificates representing additional Certificate Authorities (CAs) to add to the default (WebPKI) trust store
319+
extraCAs: ""
320+
318321
## @param initContainers [array] Additional init containers to create with Spire Agent pods
319322
initContainers: []
320323
## @param hostAliases [array] Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/
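Review bot: The `@param extraCAs` description mirrors the README wording but omits the intent the commit message gives it, trusting self-signed certificates for local development. Suggest the comment say so and warn that the value widens trust for every TLS connection the agent makes through the system store, so it should stay empty in production; a short commented example of a multi-line PEM value (`extraCAs: |` followed by a `-----BEGIN CERTIFICATE-----` block) would also make the expected input format clear.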
