feat(k8s/magiclove): spire

Author: uhthomas

k8s/magiclove/BUILD.bazel

@@ -56,6 +56,7 @@ cue_export(
         "//k8s/magiclove/smartctl_exporter:cue_smartctl_exporter_library",
         "//k8s/magiclove/snapshot_controller:cue_snapshot_controller_library",
         "//k8s/magiclove/speedtest_exporter:cue_speedtest_exporter_library",
+        "//k8s/magiclove/spire:cue_spire_library",
         "//k8s/magiclove/thomas:cue_thomas_library",
         "//k8s/magiclove/vector:cue_vector_library",
         "//k8s/magiclove/victoria_logs:cue_victoria_logs_library",

k8s/magiclove/list.cue

@@ -38,6 +38,7 @@ import (
 	"github.com/uhthomas/automata/k8s/magiclove/smartctl_exporter"
 	"github.com/uhthomas/automata/k8s/magiclove/snapshot_controller"
 	"github.com/uhthomas/automata/k8s/magiclove/speedtest_exporter"
+	"github.com/uhthomas/automata/k8s/magiclove/spire"
 	"github.com/uhthomas/automata/k8s/magiclove/thomas"
 	// "github.com/uhthomas/automata/k8s/magiclove/trivy_system"
 	"github.com/uhthomas/automata/k8s/magiclove/vector"
@@ -113,6 +114,7 @@ _items: [
 	smartctl_exporter.#List.items,
 	snapshot_controller.#List.items,
 	speedtest_exporter.#List.items,
+	spire.#List.items,
 	thomas.#List.items,
 	// trivy_system.#List.items,
 	// vector.#List.items,
@@ -124,56 +126,4 @@ _items: [
 	wireguard_operator.#List.items,
 ]
 
-// _items: [
-// 	magiclove.#ApplySetList.items,
-// 	magiclove.#ClusterIssuerList.items,
-// 	magiclove.#ClusterSecretStoreList.items,
-// 	magiclove.#CustomResourceDefinitionList.items,
-// 	magiclove.#GatewayClassList.items,
-// 	backup.#List.items,
-// 	cert_manager_csi_driver.#List.items,
-// 	cert_manager.#List.items,
-// 	cilium.#List.items,
-// 	cilium_secrets.#List.items,
-// 	dcgm_exporter.#List.items,
-// 	default.#List.items,
-// 	emqx.#List.items,
-// 	emqx_exporter.#List.items,
-// 	external_dns.#List.items,
-// 	external_secrets.#List.items,
-// 	// fluent_bit.#List.items,
-// 	frigate.#List.items,
-// 	gateway_api.#List.items,
-// 	grafana.#List.items,
-// 	grafana_operator.#List.items,
-// 	home_assistant.#List.items,
-// 	karma.#List.items,
-// 	kube_state_metrics.#List.items,
-// 	kube_system.#List.items,
-// 	media.#List.items,
-// 	metrics_server.#List.items,
-// 	minecraft.#List.items,
-// 	node_exporter.#List.items,
-// 	// node_feature_discovery.#List.items,
-// 	node_problem_detector.#List.items,
-// 	nvidia_device_plugin.#List.items,
-// 	onepassword_connect.#List.items,
-// 	ping_exporter.#List.items,
-// 	rook_ceph.#List.items,
-// 	scrutiny.#List.items,
-// 	smartctl_exporter.#List.items,
-// 	snapshot_controller.#List.items,
-// 	speedtest_exporter.#List.items,
-// 	tailscale.#List.items,
-// 	thomas.#List.items,
-// 	// trivy_system.#List.items,
-// 	vector.#List.items,
-// 	victoria_logs.#List.items,
-// 	vm_operator.#List.items,
-// 	vm.#List.items,
-// 	volsync_system.#List.items,
-// 	wireguard.#List.items,
-// 	wireguard_operator.#List.items,
-// ]
-
 #List

k8s/magiclove/spire/BUILD.bazel

@@ -0,0 +1,18 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+    name = "cue_spire_library",
+    srcs = [
+        "config_map_list.cue",
+        "list.cue",
+        "namespace_list.cue",
+    ],
+    importpath = "github.com/uhthomas/automata/k8s/magiclove/spire",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library",
+        "//k8s/magiclove/spire/agent:cue_agent_library",
+        "//k8s/magiclove/spire/client:cue_client_library",
+        "//k8s/magiclove/spire/server:cue_server_library",
+    ],
+)

k8s/magiclove/spire/README.md

@@ -0,0 +1,54 @@
+# Spire
+
+[https://spiffe.io/docs/latest/try/getting-started-k8s/](https://spiffe.io/docs/latest/try/getting-started-k8s/)
+
+The CSI driver would be nice.
+
+[https://github.com/spiffe/spiffe-csi](https://github.com/spiffe/spiffe-csi)
+
+```sh
+❯ k exec -it sts/spire-server -- \
+    /opt/spire/bin/spire-server entry create \
+    -spiffeID spiffe://spire-magiclove.hipparcos.net/ns/spire/sa/spire-agent \
+    -selector k8s_sat:cluster:magiclove \
+    -selector k8s_sat:agent_ns:spire \
+    -selector k8s_sat:agent_sa:spire-agent \
+    -node
+Entry ID         : b313a13a-bf78-4c92-9dd7-e1eee47658f0
+SPIFFE ID        : spiffe://spire-magiclove.hipparcos.net/ns/spire/sa/spire-agent
+Parent ID        : spiffe://spire-magiclove.hipparcos.net/spire/server
+Revision         : 0
+X509-SVID TTL    : default
+JWT-SVID TTL     : default
+Selector         : k8s_sat:agent_ns:spire
+Selector         : k8s_sat:agent_sa:spire-agent
+Selector         : k8s_sat:cluster:magiclove
+```
+
+```sh
+❯ k exec -it sts/spire-server -- \
+    /opt/spire/bin/spire-server entry create \
+    -spiffeID spiffe://spire-magiclove.hipparcos.net/ns/default/sa/default \
+    -parentID spiffe://spire-magiclove.hipparcos.net/ns/spire/sa/spire-agent \
+    -selector k8s:ns:spire \
+    -selector k8s:sa:default
+Entry ID         : 95074358-a44a-4a66-9404-77a8fae994e2
+SPIFFE ID        : spiffe://spire-magiclove.hipparcos.net/ns/default/sa/default
+Parent ID        : spiffe://spire-magiclove.hipparcos.net/ns/spire/sa/spire-agent
+Revision         : 0
+X509-SVID TTL    : default
+JWT-SVID TTL     : default
+Selector         : k8s:ns:spire
+Selector         : k8s:sa:default
+```
+
+```sh
+❯ k exec -it deploy/spire-client -- /opt/spire/bin/spire-agent api fetch -socketPath /run/spire/sockets/agent.sock
+Received 1 svid after 87.184133ms
+
+SPIFFE ID:              spiffe://spire-magiclove.hipparcos.net/ns/default/sa/default
+SVID Valid After:       2025-01-16 01:31:24 +0000 UTC
+SVID Valid Until:       2025-01-16 02:31:34 +0000 UTC
+CA #1 Valid After:      2025-01-16 00:02:26 +0000 UTC
+CA #1 Valid Until:      2025-01-17 00:02:36 +0000 UTC
+```

k8s/magiclove/spire/agent/BUILD.bazel

@@ -0,0 +1,20 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+    name = "cue_agent_library",
+    srcs = [
+        "cluster_role_binding_list.cue",
+        "cluster_role_list.cue",
+        "config_map_list.cue",
+        "daemon_set_list.cue",
+        "list.cue",
+        "service_account_list.cue",
+    ],
+    importpath = "github.com/uhthomas/automata/k8s/magiclove/spire/agent",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//cue.mod/gen/k8s.io/api/apps/v1:cue_v1_library",
+        "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library",
+        "//cue.mod/gen/k8s.io/api/rbac/v1:cue_v1_library",
+    ],
+)

k8s/magiclove/spire/agent/cluster_role_binding_list.cue

@@ -0,0 +1,25 @@
+package agent
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+#ClusterRoleBindingList: rbacv1.#ClusterRoleBindingList & {
+	apiVersion: "rbac.authorization.k8s.io/v1"
+	kind:       "ClusterRoleBindingList"
+	items: [...{
+		apiVersion: "rbac.authorization.k8s.io/v1"
+		kind:       "ClusterRoleBinding"
+	}]
+}
+
+#ClusterRoleBindingList: items: [{
+	subjects: [{
+		kind:      rbacv1.#ServiceAccountKind
+		name:      #Name
+		namespace: #Namespace
+	}]
+	roleRef: {
+		apiGroup: rbacv1.#GroupName
+		kind:     "ClusterRole"
+		name:     #Name
+	}
+}]

k8s/magiclove/spire/agent/cluster_role_list.cue

@@ -0,0 +1,23 @@
+package agent
+
+import (
+	"k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+#ClusterRoleList: rbacv1.#ClusterRoleList & {
+	apiVersion: "rbac.authorization.k8s.io/v1"
+	kind:       "ClusterRoleList"
+	items: [...{
+		apiVersion: "rbac.authorization.k8s.io/v1"
+		kind:       "ClusterRole"
+	}]
+}
+
+#ClusterRoleList: items: [{
+	rules: [{
+		apiGroups: [v1.#GroupName]
+		resources: ["pods", "nodes", "nodes/proxy"]
+		verbs: ["get"]
+	}]
+}]

k8s/magiclove/spire/agent/config_map_list.cue

@@ -0,0 +1,64 @@
+package agent
+
+import "k8s.io/api/core/v1"
+
+#ConfigMapList: v1.#ConfigMapList & {
+	apiVersion: "v1"
+	kind:       "ConfigMapList"
+	items: [...{
+		apiVersion: "v1"
+		kind:       "ConfigMap"
+	}]
+}
+
+#ConfigMapList: items: [{
+	metadata: name: "spire-agent"
+	data: "agent.conf": """
+		agent {
+		  data_dir = "/run/spire"
+		  log_level = "DEBUG"
+		  server_address = "spire-server"
+		  server_port = "8081"
+		  socket_path = "/run/spire/sockets/agent.sock"
+		  trust_bundle_path = "/run/spire/bundle/bundle.crt"
+		  trust_domain = "spire-magiclove.hipparcos.net"
+		}
+
+		plugins {
+		  NodeAttestor "k8s_sat" {
+		    plugin_data {
+		      cluster = "magiclove"
+		    }
+		  }
+
+		  KeyManager "memory" {
+		    plugin_data {
+		    }
+		  }
+
+		  WorkloadAttestor "k8s" {
+		    plugin_data {
+		      # Defaults to the secure kubelet port by default.
+		      # Minikube does not have a cert in the cluster CA bundle that
+		      # can authenticate the kubelet cert, so skip validation.
+		      skip_kubelet_verification = true
+		      node_name_env = "MY_NODE_NAME"
+		    }
+		  }
+
+		  WorkloadAttestor "unix" {
+		      plugin_data {
+		      }
+		  }
+		}
+
+		health_checks {
+		  listener_enabled = true
+		  bind_address = "0.0.0.0"
+		  bind_port = "8080"
+		  live_path = "/live"
+		  ready_path = "/ready"
+		}
+
+		"""
+}]

k8s/magiclove/spire/agent/daemon_set_list.cue

@@ -0,0 +1,85 @@
+package agent
+
+import (
+	appsv1 "k8s.io/api/apps/v1"
+	"k8s.io/api/core/v1"
+)
+
+#DaemonSetList: appsv1.#DaemonSetList & {
+	apiVersion: "apps/v1"
+	kind:       "DaemonSetList"
+	items: [...{
+		apiVersion: "apps/v1"
+		kind:       "DaemonSet"
+	}]
+}
+
+#DaemonSetList: items: [{
+	spec: {
+		selector: matchLabels: "app.kubernetes.io/name": #Name
+		template: {
+			metadata:
+				labels: "app.kubernetes.io/name": #Name
+			spec: {
+				volumes: [{
+					name: "spire-config"
+					configMap: name: #Name
+				}, {
+					name: "spire-bundle"
+					configMap: name: "spire-bundle"
+				}, {
+					name: "spire-agent-socket"
+					hostPath: {
+						path: "/run/spire/sockets"
+						type: v1.#HostPathDirectoryOrCreate
+					}
+				}]
+				containers: [{
+					name:  "spire-agent"
+					image: "ghcr.io/spiffe/spire-agent:\(#Version)"
+					args: ["-config", "/run/spire/config/agent.conf"]
+					ports: [{
+						name:          "healthz"
+						containerPort: 8080
+					}]
+					env: [{
+						name: "MY_NODE_NAME"
+						valueFrom: fieldRef: fieldPath: "status.hostIP"
+					}]
+					volumeMounts: [{
+						name:      "spire-config"
+						mountPath: "/run/spire/config"
+						readOnly:  true
+					}, {
+						name:      "spire-bundle"
+						mountPath: "/run/spire/bundle"
+					}, {
+						name:      "spire-agent-socket"
+						mountPath: "/run/spire/sockets"
+					}]
+					livenessProbe: {
+						httpGet: {
+							path: "/live"
+							port: "healthz"
+						}
+						failureThreshold:    2
+						initialDelaySeconds: 15
+						periodSeconds:       60
+						timeoutSeconds:      3
+					}
+					readinessProbe: {
+						httpGet: {
+							path: "/ready"
+							port: "healthz"
+						}
+						initialDelaySeconds: 5
+						periodSeconds:       5
+					}
+					securityContext: privileged: true
+				}]
+				serviceAccountName: #Name
+				hostPID:            true
+			}
+		}
+	}
+}]