diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml index 08ac4eb..32e7cc2 100644 --- a/.github/workflows/pr_build.yaml +++ b/.github/workflows/pr_build.yaml @@ -6,11 +6,11 @@ on: pull_request: {} workflow_dispatch: {} env: - GO_VERSION: 1.19.4 + GO_VERSION: 1.24.1 CHANGE_MINIKUBE_NONE_USER: true jobs: test-all: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 timeout-minutes: 30 steps: - name: Checkout diff --git a/README.md b/README.md index e3ff5c0..d9eec13 100644 --- a/README.md +++ b/README.md @@ -12,30 +12,26 @@ The SPIRE project is growing rapidly, and new features are released often. In or Examples showing how SPIRE integrates with Envoy. -* [Envoy SDS Integration with SPIRE 1.5.1](examples/envoy) Use SPIRE to deliver and rotate X509-SVIDs for Envoy +* [Envoy SDS Integration](examples/envoy) Use SPIRE to deliver and rotate X509-SVIDs for Envoy ## Kubernetes Examples showing how to deploy SPIRE on Kubernetes. There are several configuration possibilities. -+ [Simple SAT with SPIRE 1.5.1](examples/k8s/simple_sat) - This is a simple configuration using the Kubernetes - [service account token (SAT) attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_sat.md) - that deploys SPIRE server as a StatefulSet and SPIRE agent as a DaemonSet. -+ [Simple PSAT with SPIRE 1.5.1](examples/k8s/simple_psat) - This is a simple configuration using the ++ [Simple PSAT](examples/k8s/simple_psat) - This is a simple configuration using the Kubernetes - [projected service account token (PSAT) attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_psat.md) - that otherwise deploys SPIRE as in the **Simple SAT** example. -+ [Postgres with SPIRE 1.5.1](examples/k8s/postgres) - This expands on the **Simple SAT** configuration by + [projected service account token (PSAT) attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md). ++ [Postgres](examples/k8s/postgres) - This expands on the **Simple PSAT** configuration by moving the SPIRE datastore into a Postgres StatefulSet. The SPIRE server is now a stateless Deployment that can be scaled. -+ [Kustomize with SPIRE 1.5.1](examples/k8s/k7e) - A set of SPIRE examples using [Kustomize](https://kustomize.io/) ++ [Kustomize](examples/k8s/k7e) - A set of SPIRE examples using [Kustomize](https://kustomize.io/) as shown at the SPIFFE Community Day in May 2019. ## EKS Examples showing how to deploy SPIRE on Amazon EKS. -+ [EKS-based SAT with SPIRE 1.5.1](examples/k8s/eks_sat) - This slightly modifies the **Kubernetes Simple SAT** configuration to ++ [EKS-based SAT](examples/k8s/eks_psat) - This slightly modifies the **Kubernetes Simple PSAT** configuration to make it compatible with EKS platform. ## SystemD diff --git a/examples/envoy/README.md b/examples/envoy/README.md index d4a51c6..ce9f642 100644 --- a/examples/envoy/README.md +++ b/examples/envoy/README.md @@ -1,4 +1,4 @@ -# Envoy 1.17.0 SDS Example with SPIRE 1.5.1 +# Envoy 1.17.0 SDS Example with SPIRE [!WARNING] This example is no longer tested regularly. Some assembly may be required. Please let us know if changes are needed. diff --git a/examples/envoy/docker/echo/Dockerfile b/examples/envoy/docker/echo/Dockerfile index 8da6d19..0878e82 100644 --- a/examples/envoy/docker/echo/Dockerfile +++ b/examples/envoy/docker/echo/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/spiffe/spire-agent:1.6.1 as spire +FROM ghcr.io/spiffe/spire-agent:1.11.2 as spire FROM envoyproxy/envoy:v1.25.1 RUN mkdir -p /opt/spire/conf/agent diff --git a/examples/envoy/docker/spire-server/Dockerfile b/examples/envoy/docker/spire-server/Dockerfile index 6a81da9..9c8b85f 100644 --- a/examples/envoy/docker/spire-server/Dockerfile +++ b/examples/envoy/docker/spire-server/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/spiffe/spire-server:1.6.1 +FROM ghcr.io/spiffe/spire-server:1.11.2 # Override spire configurations COPY conf/spire-server.conf /opt/spire/conf/server/server.conf diff --git a/examples/envoy/docker/web/Dockerfile b/examples/envoy/docker/web/Dockerfile index ca2684f..93501a2 100644 --- a/examples/envoy/docker/web/Dockerfile +++ b/examples/envoy/docker/web/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/spiffe/spire-agent:1.6.1 as spire +FROM ghcr.io/spiffe/spire-agent:1.11.2 as spire FROM envoyproxy/envoy:v1.25.1 RUN mkdir -p /opt/spire/conf/agent diff --git a/examples/k8s/advanced/spire-chart/templates/agent-daemonset.tpl b/examples/k8s/advanced/spire-chart/templates/agent-daemonset.tpl index a911829..2b943da 100644 --- a/examples/k8s/advanced/spire-chart/templates/agent-daemonset.tpl +++ b/examples/k8s/advanced/spire-chart/templates/agent-daemonset.tpl @@ -28,7 +28,7 @@ spec: args: ["-t", "30", "spire-server:8081"] containers: - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.6.1 + image: ghcr.io/spiffe/spire-agent:1.11.2 args: ["-config", "/run/spire/config/agent.conf"] env: - name: MY_NODE_NAME diff --git a/examples/k8s/advanced/spire-chart/templates/server-statefulset.tpl b/examples/k8s/advanced/spire-chart/templates/server-statefulset.tpl index 38fa6eb..26f2f2f 100644 --- a/examples/k8s/advanced/spire-chart/templates/server-statefulset.tpl +++ b/examples/k8s/advanced/spire-chart/templates/server-statefulset.tpl @@ -21,7 +21,7 @@ spec: shareProcessNamespace: true containers: - name: spire-server - image: ghcr.io/spiffe/spire-server:1.6.1 + image: ghcr.io/spiffe/spire-server:1.11.2 args: - -config - /run/spire/config/server.conf diff --git a/examples/k8s/eks_sat/README.md b/examples/k8s/eks_psat/README.md similarity index 55% rename from examples/k8s/eks_sat/README.md rename to examples/k8s/eks_psat/README.md index d8036dd..211c2b7 100644 --- a/examples/k8s/eks_sat/README.md +++ b/examples/k8s/eks_psat/README.md @@ -1,18 +1,18 @@ -# SPIRE 1.5.1 deployment using SAT node attestor on EKS +# SPIRE deployment using PSAT node attestor on EKS -This configuration is an example of a SPIRE 1.5.1 deployment for Kubernetes on EKS. This example is based on the [simple SAT](../simple_sat/README.md), with minor modifications to make it work on EKS platform. +This configuration is an example of a SPIRE deployment for Kubernetes on EKS. This example is based on the [simple PSAT](../simple_psat/README.md), with minor modifications to make it work on EKS platform. -Compare the [simple SAT server](../simple_sat/spire-server.yaml) configuration with -this [EKS SAT server](spire-server.yaml) to see the differences, which +Compare the [simple PSAT server](../simple_psat/spire-server.yaml) configuration with +this [EKS PSAT server](spire-server.yaml) to see the differences, which consist of: -+ Node attestation is done using the [SAT node attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_sat.md) ++ Node attestation is done using the [PSAT node attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md) with kubernetes token review validation enabled. + As a consequence of the above, volume and volume mounts for validation key are removed. + RBAC authorization policies are set to guarantee access to certain Kubernetes resources. -In the same way, the differences between the [simple SAT agent](../simple_sat/spire-agent.yaml) and [EKS SAT server](spire-agent.yaml) are: -+ Workload attestation is done using the [k8s workload attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_agent_workloadattestor_k8s.md) with the secure port configuration. +In the same way, the differences between the [simple PSAT agent](../simple_psat/spire-agent.yaml) and [EKS PSAT server](spire-agent.yaml) are: ++ Workload attestation is done using the [k8s workload attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_k8s.md) with the secure port configuration. + RBAC authorization policies are set to guarantee access to certain Kubernetes resources. Both SPIRE agent and server run in the **spire** namespace, using service accounts of **spire-server** and **spire-agent**. @@ -42,5 +42,5 @@ The server log shows the attestation result: $ kubectl -n spire logs -f spire-server-0 ``` ``` -level=info msg="Node attestation request from 192.168.21.111:56628 completed using strategy k8s_sat" subsystem_name=node_api +level=info msg="Node attestation request from 192.168.21.111:56628 completed using strategy k8s_psat" subsystem_name=node_api ``` diff --git a/examples/k8s/eks_sat/spire-agent.yaml b/examples/k8s/eks_psat/spire-agent.yaml similarity index 91% rename from examples/k8s/eks_sat/spire-agent.yaml rename to examples/k8s/eks_psat/spire-agent.yaml index 8e02313..b660f00 100644 --- a/examples/k8s/eks_sat/spire-agent.yaml +++ b/examples/k8s/eks_psat/spire-agent.yaml @@ -52,7 +52,7 @@ data: } plugins { - NodeAttestor "k8s_sat" { + NodeAttestor "k8s_psat" { plugin_data { cluster = "demo-cluster" } @@ -130,7 +130,7 @@ spec: args: ["-t", "30", "spire-server:8081"] containers: - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.6.1 + image: ghcr.io/spiffe/spire-agent:1.11.2 args: ["-config", "/run/spire/config/agent.conf"] env: - name: MY_NODE_NAME @@ -144,6 +144,8 @@ spec: - name: spire-agent-socket mountPath: /run/spire/sockets readOnly: false + - name: spire-token + mountPath: /var/run/secrets/tokens livenessProbe: httpGet: path: /live @@ -166,3 +168,10 @@ spec: hostPath: path: /run/spire/sockets type: DirectoryOrCreate + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server diff --git a/examples/k8s/eks_sat/spire-server.yaml b/examples/k8s/eks_psat/spire-server.yaml similarity index 97% rename from examples/k8s/eks_sat/spire-server.yaml rename to examples/k8s/eks_psat/spire-server.yaml index 74364dc..d039b00 100644 --- a/examples/k8s/eks_sat/spire-server.yaml +++ b/examples/k8s/eks_psat/spire-server.yaml @@ -80,12 +80,11 @@ data: } } - NodeAttestor "k8s_sat" { + NodeAttestor "k8s_psat" { plugin_data { clusters = { "demo-cluster" = { service_account_allow_list = ["spire:spire-agent"] - use_token_review_api_validation = true } } } @@ -152,7 +151,7 @@ spec: serviceAccountName: spire-server containers: - name: spire-server - image: ghcr.io/spiffe/spire-server:1.6.1 + image: ghcr.io/spiffe/spire-server:1.11.2 args: ["-config", "/run/spire/config/server.conf"] ports: - containerPort: 8081 diff --git a/examples/k8s/k7e/README.md b/examples/k8s/k7e/README.md index cd34bc8..93ee88c 100644 --- a/examples/k8s/k7e/README.md +++ b/examples/k8s/k7e/README.md @@ -4,7 +4,7 @@ This directory contains various examples of deploying and configuring SPIRE to Kubernetes using [kustomize](https://kustomize.io) which is part of Kubectl as of 1.14. -+ [base_minikube_sat](base_minikube_sat) - A base configuration for SPIRE in ++ [base_minikube_psat](base_minikube_psat) - A base configuration for SPIRE in minikube using the SAT attestor. This is also the base configuration from which all other configurations in this directory are derived. + [community_day_2019_may](community_day_2019_may) - This is the demo from @@ -28,7 +28,7 @@ by kubectl, you can use the "kustomize" argument to `kubectl` along with the directory of the configuration to apply. For example: ``` -$ kubectl kustomize base_minikube_sat +$ kubectl kustomize base_minikube_psat ``` ## Apply Configuration to Kubernetes @@ -37,5 +37,5 @@ To apply a kustomize configuration with kubectl, use the "-k" option to the "apply" option along with the directory of the configuration to apply: ``` -$ kubectl apply -k base_minikube_sat +$ kubectl apply -k base_minikube_psat ``` diff --git a/examples/k8s/k7e/base_minikube_sat/README.md b/examples/k8s/k7e/base_minikube_psat/README.md similarity index 100% rename from examples/k8s/k7e/base_minikube_sat/README.md rename to examples/k8s/k7e/base_minikube_psat/README.md diff --git a/examples/k8s/k7e/base_minikube_sat/common/spire-namespace.yaml b/examples/k8s/k7e/base_minikube_psat/common/spire-namespace.yaml similarity index 100% rename from examples/k8s/k7e/base_minikube_sat/common/spire-namespace.yaml rename to examples/k8s/k7e/base_minikube_psat/common/spire-namespace.yaml diff --git a/examples/k8s/k7e/base_minikube_sat/config/spire-agent.conf b/examples/k8s/k7e/base_minikube_psat/config/spire-agent.conf similarity index 96% rename from examples/k8s/k7e/base_minikube_sat/config/spire-agent.conf rename to examples/k8s/k7e/base_minikube_psat/config/spire-agent.conf index 8ebe358..2f32f3b 100644 --- a/examples/k8s/k7e/base_minikube_sat/config/spire-agent.conf +++ b/examples/k8s/k7e/base_minikube_psat/config/spire-agent.conf @@ -9,7 +9,7 @@ agent { } plugins { - NodeAttestor "k8s_sat" { + NodeAttestor "k8s_psat" { plugin_data { cluster = "demo-cluster" } diff --git a/examples/k8s/k7e/base_minikube_sat/config/spire-server.conf b/examples/k8s/k7e/base_minikube_psat/config/spire-server.conf similarity index 90% rename from examples/k8s/k7e/base_minikube_sat/config/spire-server.conf rename to examples/k8s/k7e/base_minikube_psat/config/spire-server.conf index 76b384f..93fe736 100644 --- a/examples/k8s/k7e/base_minikube_sat/config/spire-server.conf +++ b/examples/k8s/k7e/base_minikube_psat/config/spire-server.conf @@ -19,11 +19,10 @@ plugins { } } - NodeAttestor "k8s_sat" { + NodeAttestor "k8s_psat" { plugin_data { clusters = { "demo-cluster" = { - service_account_key_file = "/run/k8s-certs/sa.pub" service_account_allow_list = ["spire:spire-agent"] } } diff --git a/examples/k8s/k7e/base_minikube_sat/kustomization.yaml b/examples/k8s/k7e/base_minikube_psat/kustomization.yaml similarity index 100% rename from examples/k8s/k7e/base_minikube_sat/kustomization.yaml rename to examples/k8s/k7e/base_minikube_psat/kustomization.yaml diff --git a/examples/k8s/k7e/base_minikube_sat/spire-agent/spire-agent-deployment.yaml b/examples/k8s/k7e/base_minikube_psat/spire-agent/spire-agent-deployment.yaml similarity index 85% rename from examples/k8s/k7e/base_minikube_sat/spire-agent/spire-agent-deployment.yaml rename to examples/k8s/k7e/base_minikube_psat/spire-agent/spire-agent-deployment.yaml index 570499d..4d25470 100644 --- a/examples/k8s/k7e/base_minikube_sat/spire-agent/spire-agent-deployment.yaml +++ b/examples/k8s/k7e/base_minikube_psat/spire-agent/spire-agent-deployment.yaml @@ -28,7 +28,7 @@ spec: args: ["-t", "30", "spire-server:8081"] containers: - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.6.1 + image: ghcr.io/spiffe/spire-agent:1.11.2 imagePullPolicy: Always args: ["-config", "/run/spire/config/spire-agent.conf"] env: @@ -46,6 +46,8 @@ spec: - name: spire-agent-socket mountPath: /run/spire/sockets readOnly: false + - name: spire-token + mountPath: /var/run/secrets/tokens livenessProbe: httpGet: path: /live @@ -71,3 +73,10 @@ spec: hostPath: path: /run/spire/sockets type: DirectoryOrCreate + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server diff --git a/examples/k8s/k7e/base_minikube_sat/spire-agent/spire-agent-role.yaml b/examples/k8s/k7e/base_minikube_psat/spire-agent/spire-agent-role.yaml similarity index 100% rename from examples/k8s/k7e/base_minikube_sat/spire-agent/spire-agent-role.yaml rename to examples/k8s/k7e/base_minikube_psat/spire-agent/spire-agent-role.yaml diff --git a/examples/k8s/k7e/base_minikube_sat/spire-agent/spire-agent-rolebinding.yaml b/examples/k8s/k7e/base_minikube_psat/spire-agent/spire-agent-rolebinding.yaml similarity index 100% rename from examples/k8s/k7e/base_minikube_sat/spire-agent/spire-agent-rolebinding.yaml rename to examples/k8s/k7e/base_minikube_psat/spire-agent/spire-agent-rolebinding.yaml diff --git a/examples/k8s/k7e/base_minikube_sat/spire-agent/spire-agent-serviceaccount.yaml b/examples/k8s/k7e/base_minikube_psat/spire-agent/spire-agent-serviceaccount.yaml similarity index 100% rename from examples/k8s/k7e/base_minikube_sat/spire-agent/spire-agent-serviceaccount.yaml rename to examples/k8s/k7e/base_minikube_psat/spire-agent/spire-agent-serviceaccount.yaml diff --git a/examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-deployment.yaml b/examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-deployment.yaml similarity index 97% rename from examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-deployment.yaml rename to examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-deployment.yaml index 5955da8..5b3d7b9 100644 --- a/examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-deployment.yaml +++ b/examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-deployment.yaml @@ -20,7 +20,7 @@ spec: serviceAccountName: spire-server containers: - name: spire-server - image: ghcr.io/spiffe/spire-server:1.6.1 + image: ghcr.io/spiffe/spire-server:1.11.2 imagePullPolicy: Always args: ["-config", "/run/spire/config/spire-server.conf"] ports: diff --git a/examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-role.yaml b/examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-role.yaml similarity index 71% rename from examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-role.yaml rename to examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-role.yaml index 2babb34..8811996 100644 --- a/examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-role.yaml +++ b/examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-role.yaml @@ -8,3 +8,6 @@ rules: resources: ["configmaps"] resourceNames: ["spire-bundle"] verbs: ["get", "patch"] +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] diff --git a/examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-rolebinding.yaml b/examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-rolebinding.yaml similarity index 100% rename from examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-rolebinding.yaml rename to examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-rolebinding.yaml diff --git a/examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-service.yaml b/examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-service.yaml similarity index 100% rename from examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-service.yaml rename to examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-service.yaml diff --git a/examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-serviceaccount.yaml b/examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-serviceaccount.yaml similarity index 100% rename from examples/k8s/k7e/base_minikube_sat/spire-server/spire-server-serviceaccount.yaml rename to examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-serviceaccount.yaml diff --git a/examples/k8s/k7e/community_day_2019_may/README.md b/examples/k8s/k7e/community_day_2019_may/README.md index 5919b5c..e237ae1 100644 --- a/examples/k8s/k7e/community_day_2019_may/README.md +++ b/examples/k8s/k7e/community_day_2019_may/README.md @@ -1,10 +1,10 @@ # Demo from SPIRE Community Day, May 2019 This example will allow you to recreate the demo from SPIRE Community Day in -May, 2019. To run this example you'll need: +May 2019. To run this example you'll need: + A working minikube. -+ `kubectl` version 1.14 or later. ++ `kubectl` version 1.20 or later. + The [examples/k8s/k7e](/examples/k8s/k7e) directory tree from the SPIRE github repository. @@ -24,11 +24,11 @@ $ watch 'set -x; kubectl get pods -n spire; kubectl get pods' ### Deploy SPIRE -To deploy SPIRE, apply the `base_minikube_sat` configuration from the parent +To deploy SPIRE, apply the `base_minikube_psat` configuration from the parent directory: ``` -$ kubectl apply -k ../base_minikube_sat +$ kubectl apply -k ../base_minikube_psat ``` Within 30 seconds or so, you should now have pods in "Running" status for both @@ -102,13 +102,13 @@ registration entries. We'll create two registration entries: First, let's create the `node` registration entry: ``` -$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server entry create -node -spiffeID spiffe://example.org/cluster -selector k8s_sat:cluster:demo-cluster +$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server entry create -node -spiffeID spiffe://example.org/cluster -selector k8s_psat:cluster:demo-cluster Entry ID : 1685a30f-fb14-4242-a86a-568038407ed7 SPIFFE ID : spiffe://example.org/cluster Parent ID : spiffe://example.org/spire/server TTL : 3600 -Selector : k8s_sat:cluster:demo-cluster +Selector : k8s_psat:cluster:demo-cluster ``` Second, we'll create a registration entry for our client workload: diff --git a/examples/k8s/k7e/community_day_2019_may/client-deployment.yaml b/examples/k8s/k7e/community_day_2019_may/client-deployment.yaml index 48b4f94..264ece7 100644 --- a/examples/k8s/k7e/community_day_2019_may/client-deployment.yaml +++ b/examples/k8s/k7e/community_day_2019_may/client-deployment.yaml @@ -16,7 +16,7 @@ spec: spec: containers: - name: client - image: ghcr.io/spiffe/spire-agent:1.6.1 + image: ghcr.io/spiffe/spire-agent:1.11.2 imagePullPolicy: Always command: ["/opt/spire/bin/spire-agent"] args: ["api", "watch", "-socketPath", "/run/spire/sockets/agent.sock"] diff --git a/examples/k8s/postgres/README.md b/examples/k8s/postgres/README.md index 29fe031..e126cc1 100644 --- a/examples/k8s/postgres/README.md +++ b/examples/k8s/postgres/README.md @@ -1,4 +1,4 @@ -# Postgres SPIRE 1.5.1 deployment +# Postgres SPIRE deployment This configuration is an example of a SPIRE deployment for Kubernetes using Postgres as a datastore for the SPIRE server. This configuration provides @@ -8,13 +8,13 @@ better resiliency and allows for scaling up the number of SPIRE servers. PersistentVolume. + The SPIRE [server](spire-server.yaml) runs as a stateless Deployment. + The SPIRE agent runs as a DaemonSet - note this configuration is a symlink - to the [simple sat example](../simple_sat/spire-agent.yaml). + to the [simple psat example](../simple_psat/spire-agent.yaml). Both SPIRE agent and server, along with postgres, run in the **spire** namespace, using service accounts of **spire-database**, **spire-server**, and **spire-agent**. -Compare the [simple sat server](../simple_sat/spire-server.yaml) configuration with +Compare the [simple psat server](../simple_psat/spire-server.yaml) configuration with this [postgres backed server](spire-server.yaml) to see the differences, which consist of: a Deployment instead of a StatefulSet, a datastore plugin change, an InitContainer that waits for postgres to be up, and removal of the @@ -27,11 +27,11 @@ failures and scalability. + **stateless** - To run the SPIRE server stateless (as in this example), the `UpstreamAuthority` plugin needs to be used. + **stateful** - To run the SPIRE server stateful, the directory specified in - `data_dir` must be persistent (such as in the [simple sat example](../simple_sat) + `data_dir` must be persistent (such as in the [simple psat example](../simple_psat) where a StatefulSet and PersistentVolumeClaim are used. In this example deployment, the SPIRE server is stateless, using the example -[dummy upstream authority](https://github.com/spiffe/spire/tree/v1.5.1/conf/server). +[dummy upstream authority](https://github.com/spiffe/spire/tree/main/conf/server). One other **important note**: In a production environment it is very important to use a highly available Postgres configuration, unlike this configuration diff --git a/examples/k8s/postgres/spire-agent.yaml b/examples/k8s/postgres/spire-agent.yaml index 2e3a072..7bed755 100644 --- a/examples/k8s/postgres/spire-agent.yaml +++ b/examples/k8s/postgres/spire-agent.yaml @@ -24,7 +24,7 @@ data: } plugins { - NodeAttestor "k8s_sat" { + NodeAttestor "k8s_psat" { plugin_data { cluster = "demo-cluster" } @@ -106,7 +106,7 @@ spec: args: ["-t", "30", "spire-server:8081"] containers: - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.6.1 + image: ghcr.io/spiffe/spire-agent:1.11.2 args: ["-config", "/run/spire/config/agent.conf"] env: - name: MY_NODE_NAME @@ -120,6 +120,8 @@ spec: - name: spire-agent-socket mountPath: /run/spire/sockets readOnly: false + - name: spire-token + mountPath: /var/run/secrets/tokens livenessProbe: httpGet: path: /live @@ -142,3 +144,10 @@ spec: hostPath: path: /run/spire/sockets type: DirectoryOrCreate + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server diff --git a/examples/k8s/postgres/spire-server.yaml b/examples/k8s/postgres/spire-server.yaml index 134bc4e..769ae40 100644 --- a/examples/k8s/postgres/spire-server.yaml +++ b/examples/k8s/postgres/spire-server.yaml @@ -6,6 +6,36 @@ metadata: --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role +rules: +- apiGroups: [""] + resources: ["pods", "nodes"] + verbs: ["get"] +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + +--- + +# Binds above cluster role to spire-server service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role-binding +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire +roleRef: + kind: ClusterRole + name: spire-server-cluster-role + apiGroup: rbac.authorization.k8s.io + +--- + apiVersion: v1 kind: Secret metadata: @@ -46,11 +76,10 @@ data: } } - NodeAttestor "k8s_sat" { + NodeAttestor "k8s_psat" { plugin_data { clusters = { "demo-cluster" = { - service_account_key_file = "/run/k8s-certs/sa.pub" service_account_allow_list = ["spire:spire-agent"] } } @@ -124,7 +153,7 @@ spec: args: ["-t", "30", "spire-database:5432"] containers: - name: spire-server - image: ghcr.io/spiffe/spire-server:1.6.1 + image: ghcr.io/spiffe/spire-server:1.11.2 args: ["-config", "/run/spire/config/server.conf"] ports: - containerPort: 8081 diff --git a/examples/k8s/simple_psat/README.md b/examples/k8s/simple_psat/README.md index 9054aa5..a7751dd 100644 --- a/examples/k8s/simple_psat/README.md +++ b/examples/k8s/simple_psat/README.md @@ -1,6 +1,6 @@ -# Simple SPIRE 1.5.1 deployment using PSAT node attestor +# Simple SPIRE deployment using PSAT node attestor -This configuration is an example of a simple SPIRE 1.5.1 deployment for Kubernetes that uses [PSAT node attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_psat.md). +This configuration is an example of a simple SPIRE deployment for Kubernetes that uses [PSAT node attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md). + The SPIRE [server](spire-server.yaml) runs as a StatefulSet using a PersistentVolumeClaim. diff --git a/examples/k8s/simple_psat/spire-agent.yaml b/examples/k8s/simple_psat/spire-agent.yaml index 2e3adfd..e14307d 100644 --- a/examples/k8s/simple_psat/spire-agent.yaml +++ b/examples/k8s/simple_psat/spire-agent.yaml @@ -134,7 +134,7 @@ spec: args: ["-t", "30", "spire-server:8081"] containers: - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.6.1 + image: ghcr.io/spiffe/spire-agent:1.11.2 args: ["-config", "/run/spire/config/agent.conf"] env: - name: MY_NODE_NAME diff --git a/examples/k8s/simple_psat/spire-server.yaml b/examples/k8s/simple_psat/spire-server.yaml index ace1dd5..8558a5a 100644 --- a/examples/k8s/simple_psat/spire-server.yaml +++ b/examples/k8s/simple_psat/spire-server.yaml @@ -154,7 +154,7 @@ spec: serviceAccountName: spire-server containers: - name: spire-server - image: ghcr.io/spiffe/spire-server:1.6.1 + image: ghcr.io/spiffe/spire-server:1.11.2 args: ["-config", "/run/spire/config/server.conf"] ports: - containerPort: 8081 diff --git a/examples/k8s/simple_sat/README.md b/examples/k8s/simple_sat/README.md deleted file mode 100644 index 0e38907..0000000 --- a/examples/k8s/simple_sat/README.md +++ /dev/null @@ -1,33 +0,0 @@ -# Simple SPIRE 1.5.1 deployment using SAT node attestor - -This configuration is an example of a simple SPIRE v1.5.1 deployment for Kubernetes that uses [SAT node attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_sat.md). - -+ The SPIRE [server](spire-server.yaml) runs as a StatefulSet using a - PersistentVolumeClaim. -+ The SPIRE [agent](spire-agent.yaml) runs as a DaemonSet. - -Both SPIRE agent and server run in the **spire** namespace, using service -accounts of **spire-server** and **spire-agent**. - -## Usage - -### Configuration - -+ Set trust_domain and the cluster name for the k8s SAT NodeAttestor. -+ Modify the path in the *k8s-sa-cert* volume for SPIRE server as appropriate - for your deployment - this is the certificate used to verify service accounts - in the cluster. This example assumes minikube. - -### Deployment - -Start the server StatefulSet: - -``` -$ kubectl apply -f spire-server.yaml -``` - -Start the agent DaemonSet: - -``` -$ kubectl apply -f spire-agent.yaml -``` diff --git a/examples/k8s/simple_sat/kustomization.yaml b/examples/k8s/simple_sat/kustomization.yaml deleted file mode 100644 index 9717080..0000000 --- a/examples/k8s/simple_sat/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namespace: spire - -resources: -- spire-server.yaml -- spire-agent.yaml diff --git a/examples/k8s/simple_sat/spire-agent.yaml b/examples/k8s/simple_sat/spire-agent.yaml deleted file mode 100644 index 2e3a072..0000000 --- a/examples/k8s/simple_sat/spire-agent.yaml +++ /dev/null @@ -1,144 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-agent - namespace: spire - ---- - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-agent - namespace: spire -data: - agent.conf: | - agent { - data_dir = "/run/spire" - log_level = "DEBUG" - server_address = "spire-server" - server_port = "8081" - socket_path = "/run/spire/sockets/agent.sock" - trust_bundle_path = "/run/spire/config/bootstrap.crt" - trust_domain = "example.org" - } - - plugins { - NodeAttestor "k8s_sat" { - plugin_data { - cluster = "demo-cluster" - } - } - - KeyManager "memory" { - plugin_data { - } - } - - WorkloadAttestor "k8s" { - plugin_data { - # Defaults to the secure kubelet port by default. - # Minikube does not have a cert in the cluster CA bundle that - # can authenticate the kubelet cert, so skip validation. - skip_kubelet_verification = true - node_name_env = "MY_NODE_NAME" - } - } - - WorkloadAttestor "unix" { - plugin_data { - } - } - } - - health_checks { - listener_enabled = true - bind_address = "0.0.0.0" - bind_port = "8080" - live_path = "/live" - ready_path = "/ready" - } - bootstrap.crt: | - -----BEGIN CERTIFICATE----- - MIICHzCCAaSgAwIBAgIJAJjG+BUpVpUbMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYT - AlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMjMwNjA5MjM0OTQxWhcNMjgwNjA3MjM0 - OTQxWjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0C - AQYFK4EEACIDYgAERWdqmbBWmk7iKDFD7MuI8O2oBrXMpfZPC+Nz3dLRPWu44z3C - 51MPk9GJDAoNsqpyZ9sHOnL8I+CdkmE41LqK/rigvKgvlrlqWJjf0/FAM/XLARaW - rzcpRty42WJgR5Yxo4GtMIGqMB0GA1UdDgQWBBRXKdGnbiP9nul87xm5F30yxRWT - VjAfBgNVHSMEGDAWgBRXKdGnbiP9nul87xm5F30yxRWTVjAPBgNVHRMBAf8EBTAD - AQH/MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0 - ZTAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3BpZmZlOi8vbG9jYWwwCgYI - KoZIzj0EAwQDaQAwZgIxAKHxaBfSjhDJksGXmgJKkcpepPCYfB58hUc3HkxPy3Zf - 08dfaeAp7UdBCkpU20GSrQIxAJc0FMZs1BSSINku6oYZpsrcCuo7CijAJMLCBLXQ - VYYO6xcbDgbZVm5MXu3FWTt+7g== - -----END CERTIFICATE----- - ---- - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: spire-agent - namespace: spire - labels: - app: spire-agent -spec: - selector: - matchLabels: - app: spire-agent - template: - metadata: - namespace: spire - labels: - app: spire-agent - spec: - hostPID: true - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: spire-agent - initContainers: - - name: init - # This is a small image with wait-for-it, choose whatever image - # you prefer that waits for a service to be up. This image is built - # from https://github.com/chainguard-images/images/blob/main/images/wait-for-it - image: cgr.dev/chainguard/wait-for-it - args: ["-t", "30", "spire-server:8081"] - containers: - - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.6.1 - args: ["-config", "/run/spire/config/agent.conf"] - env: - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: status.podIP - volumeMounts: - - name: spire-config - mountPath: /run/spire/config - readOnly: true - - name: spire-agent-socket - mountPath: /run/spire/sockets - readOnly: false - livenessProbe: - httpGet: - path: /live - port: 8080 - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 5 - volumes: - - name: spire-config - configMap: - name: spire-agent - - name: spire-agent-socket - hostPath: - path: /run/spire/sockets - type: DirectoryOrCreate diff --git a/examples/k8s/simple_sat/spire-server.yaml b/examples/k8s/simple_sat/spire-server.yaml deleted file mode 100644 index 02f2b07..0000000 --- a/examples/k8s/simple_sat/spire-server.yaml +++ /dev/null @@ -1,195 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: spire - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server - namespace: spire - ---- - -apiVersion: v1 -kind: Secret -metadata: - name: spire-server - namespace: spire -type: Opaque -data: - bootstrap.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1JR2tBZ0VCQkRCN2FmUTBzS2xuVWZHZ01rcTRnZVFFdlUwOTV1aHJLZzNkVU1pSkQyVVVKNzBYYjVXTThXWmYKMEp3R2ZXVzVjTStnQndZRks0RUVBQ0toWkFOaUFBUkZaMnFac0ZhYVR1SW9NVVBzeTRqdzdhZ0d0Y3lsOWs4TAo0M1BkMHRFOWE3ampQY0xuVXcrVDBZa01DZzJ5cW5KbjJ3YzZjdndqNEoyU1lUalV1b3IrdUtDOHFDK1d1V3BZCm1OL1Q4VUF6OWNzQkZwYXZOeWxHM0xqWlltQkhsakU9Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K - ---- - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-server - namespace: spire -data: - server.conf: | - server { - bind_address = "0.0.0.0" - bind_port = "8081" - trust_domain = "example.org" - data_dir = "/run/spire/data" - log_level = "DEBUG" - ca_subject = { - country = ["US"], - organization = ["SPIFFE"], - common_name = "", - } - } - - plugins { - DataStore "sql" { - plugin_data { - database_type = "sqlite3" - connection_string = "/run/spire/data/datastore.sqlite3" - } - } - - NodeAttestor "k8s_sat" { - plugin_data { - clusters = { - "demo-cluster" = { - service_account_key_file = "/run/k8s-certs/sa.pub" - service_account_allow_list = ["spire:spire-agent"] - } - } - } - } - - KeyManager "disk" { - plugin_data { - keys_path = "/run/spire/data/keys.json" - } - } - - UpstreamAuthority "disk" { - plugin_data { - key_file_path = "/run/spire/secrets/bootstrap.key" - cert_file_path = "/run/spire/config/bootstrap.crt" - } - } - } - - health_checks { - listener_enabled = true - bind_address = "0.0.0.0" - bind_port = "8080" - live_path = "/live" - ready_path = "/ready" - } - bootstrap.crt: | - -----BEGIN CERTIFICATE----- - MIICHzCCAaSgAwIBAgIJAJjG+BUpVpUbMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYT - AlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMjMwNjA5MjM0OTQxWhcNMjgwNjA3MjM0 - OTQxWjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0C - AQYFK4EEACIDYgAERWdqmbBWmk7iKDFD7MuI8O2oBrXMpfZPC+Nz3dLRPWu44z3C - 51MPk9GJDAoNsqpyZ9sHOnL8I+CdkmE41LqK/rigvKgvlrlqWJjf0/FAM/XLARaW - rzcpRty42WJgR5Yxo4GtMIGqMB0GA1UdDgQWBBRXKdGnbiP9nul87xm5F30yxRWT - VjAfBgNVHSMEGDAWgBRXKdGnbiP9nul87xm5F30yxRWTVjAPBgNVHRMBAf8EBTAD - AQH/MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0 - ZTAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3BpZmZlOi8vbG9jYWwwCgYI - KoZIzj0EAwQDaQAwZgIxAKHxaBfSjhDJksGXmgJKkcpepPCYfB58hUc3HkxPy3Zf - 08dfaeAp7UdBCkpU20GSrQIxAJc0FMZs1BSSINku6oYZpsrcCuo7CijAJMLCBLXQ - VYYO6xcbDgbZVm5MXu3FWTt+7g== - -----END CERTIFICATE----- - ---- - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: spire-server - namespace: spire - labels: - app: spire-server -spec: - replicas: 1 - selector: - matchLabels: - app: spire-server - serviceName: spire-server - template: - metadata: - namespace: spire - labels: - app: spire-server - spec: - serviceAccountName: spire-server - containers: - - name: spire-server - image: ghcr.io/spiffe/spire-server:1.6.1 - args: ["-config", "/run/spire/config/server.conf"] - ports: - - containerPort: 8081 - volumeMounts: - - name: spire-config - mountPath: /run/spire/config - readOnly: true - - name: spire-secrets - mountPath: /run/spire/secrets - readOnly: true - - name: spire-data - mountPath: /run/spire/data - readOnly: false - - name: k8s-sa-cert - mountPath: /run/k8s-certs/sa.pub - readOnly: true - livenessProbe: - httpGet: - path: /live - port: 8080 - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 5 - volumes: - - name: spire-config - configMap: - name: spire-server - - name: spire-secrets - secret: - secretName: spire-server - - name: k8s-sa-cert - hostPath: - path: /var/lib/minikube/certs/sa.pub - type: File - volumeClaimTemplates: - - metadata: - name: spire-data - namespace: spire - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - ---- - -apiVersion: v1 -kind: Service -metadata: - name: spire-server - namespace: spire -spec: - type: NodePort - ports: - - name: grpc - port: 8081 - targetPort: 8081 - protocol: TCP - selector: - app: spire-server diff --git a/examples/k8s/simple_sat/test.sh b/examples/k8s/simple_sat/test.sh deleted file mode 100755 index 9bbc182..0000000 --- a/examples/k8s/simple_sat/test.sh +++ /dev/null @@ -1,65 +0,0 @@ -#!/bin/bash - -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -bold=$(tput bold) || true -norm=$(tput sgr0) || true -red=$(tput setaf 1) || true -green=$(tput setaf 2) || true -yellow=$(tput setaf 3) || true - -fail() { - echo "${red}$*${norm}." - exit 1 -} - -delete-ns() { - echo "${bold}Cleaning up...${norm}" - kubectl delete --ignore-not-found namespace spire > /dev/null -} - -cleanup() { - if [ -z "${GOOD}" ]; then - echo "${yellow}Dumping statefulset/spire-server logs...${norm}" - kubectl -nspire logs statefulset/spire-server --all-containers - echo "${yellow}Dumping daemonset/spire-agent logs...${norm}" - kubectl -nspire logs daemonset/spire-agent --all-containers - fi - delete-ns - if [ -n "${GOOD}" ]; then - echo "${green}Success.${norm}" - else - echo "${red}Failed.${norm}" - fi -} - -trap cleanup EXIT - -echo "${bold}Preparing environment...${norm}" -delete-ns -kubectl create namespace spire - -echo "${bold}Applying configuration...${norm}" -kubectl apply -k "${DIR}" - -LOGLINE="Agent attestation request completed" -for ((i=0;i<120;i++)); do - if ! kubectl -nspire rollout status statefulset/spire-server; then - sleep 1 - continue - fi - if ! kubectl -nspire rollout status daemonset/spire-agent; then - sleep 1 - continue - fi - if ! kubectl -nspire logs statefulset/spire-server -c spire-server | grep -e "$LOGLINE" ; then - sleep 1 - continue - fi - echo "${bold}Node attested.${norm}" - GOOD=1 - exit 0 -done - -echo "${red}Timed out waiting for node to attest.${norm}" -exit 1