diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
index e180fa01..57cc9e28 100644
--- a/charts/spire/Chart.yaml
+++ b/charts/spire/Chart.yaml
@@ -3,7 +3,7 @@ name: spire
 description: >
   A Helm chart for deploying the complete Cofide SPIRE stack including: spire-server, spire-agent, spiffe-csi-driver, and spiffe-oidc-discovery-provider.
 type: application
-version: 0.26.0-cofide.11
+version: 0.26.0-cofide.12
 appVersion: "1.12.4"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
 home: https://github.com/cofide/spiffe-helm-charts-hardened/tree/main/charts/spire
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index d9304eb9..9c79dee6 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -394,6 +394,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `nodeAttestor.externalK8sPSAT.defaults.allowedNodeLabelKeys` | Node label keys considered for selectors | `[]` |
 | `nodeAttestor.externalK8sPSAT.defaults.allowedPodLabelKeys` | Pod label keys considered for selectors | `[]` |
 | `nodeAttestor.externalK8sPSAT.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` |
+| `nodeAttestor.connectK8sPSAT.enabled` | Enable PSAT k8s nodeattestor with Connect datasource. Cannot be enabled simultaneously with the k8sPSAT or externalK8sPSAT node attestors. | `false` |
+| `nodeAttestor.connectK8sPSAT.pollInterval` | Frequency with which to poll Connect to build plugin config. | `10s` |
 | `nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `false` |
 | `nodeAttestor.httpChallenge.enabled` | Enable the http_challenge nodeattesto | `false` |
 | `nodeAttestor.httpChallenge.allowedDNSPatterns` | A list of regular expressions to match to the hostname being attested. If none match, attestation will fail. If a blank list, all hostnames are allowed. | `[]` |
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
index ab965e50..c4ec2d08 100644
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -142,11 +142,21 @@ plugins: {{- end }} disable_migration: {{ .Values.dataStore.sql.disableMigration }} - {{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.externalK8sPSAT.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled }} + {{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.externalK8sPSAT.enabled .Values.nodeAttestor.connectK8sPSAT.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled }} NodeAttestor: {{- $clusters := default .Values.kubeConfigs .Values.nodeAttestor.externalK8sPSAT.clusters }} - {{- if or (eq (.Values.nodeAttestor.k8sPSAT.enabled | toString) "true") (and (eq (.Values.nodeAttestor.externalK8sPSAT.enabled | toString) "true") (gt (len $clusters) 0)) }} + {{- $k8sPSATEnabled := .Values.nodeAttestor.k8sPSAT.enabled -}} + {{- $externalK8sPSATEnabled := .Values.nodeAttestor.externalK8sPSAT.enabled -}} + {{- $connectK8sPSATEnabled := .Values.nodeAttestor.connectK8sPSAT.enabled -}} + {{- if and $connectK8sPSATEnabled (or $k8sPSATEnabled $externalK8sPSATEnabled) }} + {{- fail "nodeAttestor.connectK8sPSAT cannot be enabled at the same time as nodeAttestor.k8sPSAT or nodeAttestor.externalK8sPSAT" -}} + {{- end -}} + {{- if or $connectK8sPSATEnabled $k8sPSATEnabled (and $externalK8sPSATEnabled (gt (len $clusters) 0) ) }} k8s_psat: + {{- if $connectK8sPSATEnabled }} + plugin_data_cofide_connect: true + plugin_data_cofide_connect_poll_interval: {{ .Values.nodeAttestor.connectK8sPSAT.pollInterval }} + {{- else }} plugin_data: clusters: {{- with .Values.nodeAttestor.k8sPSAT }} 
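Review bot: The three new `$…Enabled` variables bind the raw values, so a string such as `"false"` (as `--set-string` produces) is truthy in `and`/`or` and would both trip the mutual-exclusion `fail` and enable the `k8s_psat` block, whereas the line this replaces normalised with `eq (… | toString) "true"`, as the joinToken branch later in this template still does. Bind the normalised form instead, e.g. `{{- $k8sPSATEnabled := eq (.Values.nodeAttestor.k8sPSAT.enabled | toString) "true" -}}`, and likewise for `$externalK8sPSATEnabled` and `$connectK8sPSATEnabled`, so the guard and the rendering condition see the same truth value. Separately, `plugin_data_cofide_connect_poll_interval: {{ .Values.nodeAttestor.connectK8sPSAT.pollInterval }}` is emitted unquoted, so an override of `10` or an empty value changes the rendered type; `| quote` would pin it to a string if that is what the plugin parses, which I cannot tell from the chart. The `k8s_psat` block this hunk opens is closed by the `{{- end }}` added in the next hunk.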
@@ -182,6 +192,7 @@ plugins: {{ if hasKey $clusterSettings "allowedPodLabelKeys" }}{{ toYaml $clusterSettings.allowedPodLabelKeys | nindent 14 }}{{ else }}{{ toYaml $clusterDefaults.allowedPodLabelKeys | nindent 14 }}{{ end }} {{- end }} {{- end }} + {{- end }} {{- end }} {{- with .Values.nodeAttestor.joinToken }} {{- if eq (.enabled | toString) "true" }} diff --git a/charts/spire/charts/spire-server/templates/roles.yaml b/charts/spire/charts/spire-server/templates/roles.yaml index 3afedefc..41c8ca33 100644 --- a/charts/spire/charts/spire-server/templates/roles.yaml +++ b/charts/spire/charts/spire-server/templates/roles.yaml @@ -64,7 +64,7 @@ roleRef: name: {{ include "spire-lib.bundle-configmap" . }} apiGroup: rbac.authorization.k8s.io {{- end }} -{{- if and .Values.nodeAttestor.k8sPSAT.enabled }} +{{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.connectK8sPSAT.enabled }} --- # ClusterRole to allow spire-server node attestor to query Token Review API kind: ClusterRole diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index f6ca8b5c..496de4ea 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -969,6 +969,11 @@ nodeAttestor: # kubeConfigName: foo # serviceAccountAllowList: ["other-ns:other-agent"] # clusterb: {} + connectK8sPSAT: + ## @param nodeAttestor.connectK8sPSAT.enabled Enable PSAT k8s nodeattestor with Connect datasource. Cannot be enabled simultaneously with the k8sPSAT or externalK8sPSAT node attestors. + enabled: false + ## @param nodeAttestor.connectK8sPSAT.pollInterval Frequency with which to poll Connect to build plugin config. + pollInterval: 10s joinToken: ## @param nodeAttestor.joinToken.enabled Enable the join_token nodeattestor enabled: false
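Review bot: The `@param` doc for `nodeAttestor.connectK8sPSAT.pollInterval` in the values.yaml hunk gives no format or unit, and the default `10s` is the only hint that a suffixed duration is (presumably) expected; a user who sets `pollInterval: 10` gets an integer rendered into the server config. Suggest `## @param nodeAttestor.connectK8sPSAT.pollInterval Frequency with which to poll Connect to build plugin config (duration with unit suffix, e.g. "10s").` and quoting the default, `pollInterval: "10s"`, so reformatting tools and overrides keep it a string. The README row for this parameter in the earlier hunk would want the same wording.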