Documenation updates

README.md

@@ -251,8 +251,6 @@ service, deployed in `tsi-vault` namespace in your cluster.
 ```console
 kubectl create ns tsi-vault
 kubectl -n tsi-vault create -f examples/vault/vault.yaml
-service/tsi-vault created
-deployment.apps/tsi-vault created
 ```
 
 #### Obtain remote access to Vault service

charts/spire/templates/NOTES.txt

@@ -12,9 +12,10 @@ Universal Trusted Workload Identity Service has completed.
   {{- end }}
 
   SPIRE info:
-      Spire Server address:  {{ .Values.spireAddress }}:{{ .Values.spirePort }}
-      Spire Agent image: {{ .Values.spireAgentImg }}:{{ .Values.spireVersion }}
-      Spire Registrar image: {{ .Values.spireRegistrarImg }}:{{ .Values.spireVersion }}
+      Spire Server address:  {{ .Values.spireServer.address }}:{{ .Values.spireServer.port }}
+      Spire Agent image: {{ .Values.spireAgent.img }}:{{ .Values.spireVersion }}
+      Spire Registrar image: {{ .Values.spireRegistrar.img }}:{{ .Values.spireVersion }}
+      Spire Agent sockets: {{ .Values.spireAgent.socketDir }}/{{ .Values.spireAgent.socketFile }}
 
 
 To enable Workload Registrar, create an entry on Tornjak UI:

charts/spire/templates/agent-configmap.tpl

@@ -8,22 +8,28 @@ data:
     agent {
       data_dir = "/run/spire"
       log_level = "DEBUG"
-      server_address = "{{ .Values.spireAddress }}"
-      server_port = "{{ .Values.spirePort }}"
-      socket_path = "/run/spire/sockets/agent.sock"
+      server_address = "{{ .Values.spireServer.address }}"
+      server_port = "{{ .Values.spireServer.port }}"
+      socket_path = "{{ .Values.spireAgent.socketDir }}/{{ .Values.spireAgent.socketFile }}"
       trust_bundle_path = "/run/spire/bundle/bundle.crt"
       trust_domain = "{{ .Values.trustdomain }}"
     }
     plugins {
-      NodeAttestor "k8s_psat" {
-        plugin_data {
-          cluster = "{{ .Values.clustername }}"
-        }
-      }
       {{- if .Values.aws }}
       NodeAttestor "aws_iid" {
           plugin_data {}
       }
+      {{- else if .Values.azure }}
+      NodeAttestor "azure_msi" {
+          plugin_data {
+           }
+      }
+      {{- else }}
+      NodeAttestor "k8s_psat" {
+          plugin_data {
+            cluster = "{{ .Values.clustername }}"
+          }
+      }
       {{- end }}
       KeyManager "memory" {
         plugin_data {

charts/spire/templates/agent-daemonset.tpl

@@ -25,10 +25,10 @@ spec:
           # you prefer that waits for a service to be up. This image is built
           # from https://github.com/lqhl/wait-for-it
           image: gcr.io/spiffe-io/wait-for-it
-          args: ["-t", "30", "{{ .Values.spireAddress }}:{{ .Values.spirePort }}"]
+          args: ["-t", "30", "{{ .Values.spireServer.address }}:{{ .Values.spireServer.port }}"]
       containers:
         - name: spire-agent
-          image: {{ .Values.spireAgentImg }}:{{ .Values.spireVersion }}
+          image: {{ .Values.spireAgent.img }}:{{ .Values.spireVersion }}
           securityContext:
             # TODO: review this, maybe applicable for OpenShift only:
             # privilaged is needed to create socket and bundle files
@@ -39,7 +39,7 @@ spec:
               mountPath: /run/spire/config
               readOnly: true
             - name: spire-agent-socket
-              mountPath: /run/spire/sockets
+              mountPath: {{ .Values.spireAgent.socketDir }}
               readOnly: false
             - name: spire-bundle
               mountPath: /run/spire/bundle
@@ -52,7 +52,7 @@ spec:
                 - /opt/spire/bin/spire-agent
                 - healthcheck
                 - -socketPath
-                - /run/spire/sockets/agent.sock
+                - {{ .Values.spireAgent.socketDir }}/{{ .Values.spireAgent.socketFile }}
             failureThreshold: 2
             initialDelaySeconds: 15
             periodSeconds: 60
@@ -66,7 +66,7 @@ spec:
             name: spire-bundle
         - name: spire-agent-socket
           hostPath:
-            path: /run/spire/sockets
+            path: {{ .Values.spireAgent.socketDir }}
             type: DirectoryOrCreate
         - name: spire-agent-token
           projected:

charts/spire/templates/crd_role_binding.yaml

@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: spire-k8s-registrar
-  namespace: spire
+  namespace: {{ .Values.namespace }}

charts/spire/templates/k8s-workload-registrar-configmap.tpl

@@ -10,8 +10,8 @@ data:
     trust_domain = "{{ .Values.trustdomain }}"
     # enable when direct socket access to SPIRE Server available:
     # server_socket_path = "/run/spire/sockets/registration.sock"
-    agent_socket_path = "/run/spire/sockets/agent.sock"
-    server_address = "{{ .Values.spireAddress }}:{{ .Values.spirePort }}"
+    agent_socket_path = "{{ .Values.spireAgent.socketDir }}/{{ .Values.spireAgent.socketFile }}"
+    server_address = "{{ .Values.spireServer.address }}:{{ .Values.spireServer.port }}"
     cluster = "{{ .Values.clustername }}"
     # enable for label based registration:
     # pod_label = "spire-workload-id"

charts/spire/templates/k8s-workload-registrar-deploy.tpl

@@ -21,7 +21,7 @@ spec:
       containers:
         - name: k8s-workload-registrar
           #image: k8s-workload-registrar:latest
-          image: {{ .Values.spireRegistrarImg }}:{{ .Values.spireVersion }}
+          image: {{ .Values.spireRegistrar.img }}:{{ .Values.spireVersion }}
           imagePullPolicy: Always
           securityContext:
             # TODO: review this, maybe applicable for OpenShift only:
@@ -32,15 +32,15 @@ spec:
             - /run/k8s-workload-registrar/config/registrar.conf
           volumeMounts:
             - name: spire-registrar-socket
-              mountPath: /run/spire/sockets
+              mountPath: {{ .Values.spireAgent.socketDir }}
               readOnly: false
             - name: k8s-workload-registrar-config
               mountPath: /run/k8s-workload-registrar/config
               readOnly: true
       volumes:
         - name: spire-registrar-socket
           hostPath:
-            path: /run/spire/sockets
+            path: {{ .Values.spireAgent.socketDir }}
             type: DirectoryOrCreate
         - name: k8s-workload-registrar-config
           configMap:

charts/spire/values.yaml

@@ -1,31 +1,45 @@
 ---
 # Default values for spire.
 # This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-# workaround since Azure doesn't support by default 10250 security port for kubelet
-azure: false
-# aws - enables the plugin for AWS NodeAttestor
-aws: false
-# openShift requires special configuration, including different security level
-openShift: false
 
 # namespace - namespace for deploying SPIRE agents and workload registrar
 namespace: spire
-
-# SPIRE specific values
-# clustername needs to match between spire-config, k8s-workload-registrar config, and the actual cluster name
+# clustername needs to match between agent-config, k8s-workload-registrar config,
+# and the actual cluster name
 clustername: spire-example
 # region - arbitrary label to describe the region
 region: sample-region
-# trustdomain is arbitrary but needs to match between spire-config and k8s-workload-registrar config
-# for multi-cluster support, trustdomain must be identical for all clusters and
+
+# SPIRE related elements
+# trustdomain is arbitrary but needs to match between agent-config and
+# k8s-workload-registrar config and SPIRE Server.
+# For multi-cluster support, trustdomain must be identical for all clusters and
 # SPIRE server
 trustdomain: spiretest.com
-
-# SPIRE workload registrar values:
-spireAddress: spire-server
-spirePort: 443
-spireRegistrarImg: gcr.io/spiffe-io/k8s-workload-registrar
-spireAgentImg: gcr.io/spiffe-io/spire-agent
+# SPIRE version:
 spireVersion: 1.0.2
+
+# spireServer - location of the SPIRE server
+spireServer:
+  address: spire-server.appdomain.cloud
+  port: 443
+
+# SPIRE Agent related configuration
+spireAgent:
+  img: gcr.io/spiffe-io/spire-agent
+  # SPIRE Agent socket:
+  socketDir: /run/spire/sockets
+  socketFile: agent.sock
+
+# Workload Registrar configuration
+spireRegistrar:
+  img: gcr.io/spiffe-io/k8s-workload-registrar
+
+# Additional configuration related to the platform
+# azure - enables the plugin to suppor Azure platform, also
+# workaround since Azure doesn't support by default 10250 security port for kubelet
+azure: false
+# aws - enables the plugin for AWS NodeAttestor
+aws: false
+# openShift requires special configuration, including different security level
+openShift: false

charts/tornjak/templates/NOTES.txt

@@ -6,42 +6,44 @@ Universal Trusted Workload Identity Service has completed.
 
       Cluster name: {{ .Values.clustername }}
       Trust Domain: {{ .Values.trustdomain }}
-      Tornjak Image: {{ .Values.tornjakImg }}:{{ .Values.spireVersion }}
-      SPIRE Server Socket: {{ .Values.spireServerSocket }}
+      Tornjak Image: {{ .Values.spireServer.img }}:{{ .Values.spireVersion }}
+      SPIRE Server socket: {{ .Values.spireServer.socketDir }}/{{ .Values.spireServer.socketFile }}
 {{- if .Values.openShift }}
       OpenShift mode: true
 {{- end }}
-{{- if .Values.aws_iid -}}
-{{- if .Values.aws_iid.access_key_id -}}
-{{- if .Values.aws_iid.secret_access_key -}}
+{{- if .Values.attestors.aws_iid -}}
+{{- if .Values.attestors.aws_iid.access_key_id -}}
+{{- if .Values.attestors.aws_iid.secret_access_key -}}
       Using NodeAttestor "aws_iid" with
          "access_key_id" and "secret_access_key"
 {{- end }}
 {{- end }}
 {{- end }}
-{{- if .Values.OIDC.enable }}
+{{- if .Values.oidc.enable }}
       OIDC enable: true
-      OIDC service name:   {{ .Values.OIDC.serviceName }}
-      MY_DISCOVERY_DOMAIN: {{ .Values.OIDC.MY_DISCOVERY_DOMAIN }}
+      OIDC image: {{ .Values.oidc.image }}
+      OIDC service name:   {{ .Values.oidc.serviceName }}
+      listen_socket_path:  {{ .Values.oidc.socketDir }}/{{ .Values.oidc.socketFile }}
+      myDiscoveryDomain: {{ .Values.oidc.myDiscoveryDomain }}
 {{- end }}
 
-{{- if .Values.k8s_psat.remoteClusters }}
+{{- if .Values.attestors.k8s_psat.remoteClusters }}
       Multi-cluster support enabled.
       Make sure `kubeconfig` secret is created to support a following:
 
       clusters = {
           "{{ .Values.clustername }}" = {
               # use_token_review_api_validation = true
-              service_account_whitelist = ["spire:spire-agent"]
+              service_account_allow_list = ["spire:spire-agent"]
           },
-      {{- range $k, $v := .Values.k8s_psat.remoteClusters }}
+          {{- range $k, $v := .Values.attestors.k8s_psat.remoteClusters }}
           "{{ $v.name }}" = {
-              service_account_whitelist = ["{{ $v.namespace | default "spire" }}:{{ $v.serviceAccount | default "spire-agent" }}"]
+              service_account_allow_list = ["{{ $v.namespace | default "spire" }}:{{ $v.serviceAccount | default "spire-agent" }}"]
               kube_config_file = "/run/spire/kubeconfigs/{{ $v.name }}"
           },
-      {{- end }}
+          {{- end }}
+      }
 {{- end }}
-   }
 
 To learn more about the release, try:
 

charts/tornjak/templates/oidc-dp-configmap.tpl

@@ -1,17 +1,16 @@
-{{- if .Values.OIDC.enable }}
+{{- if .Values.oidc.enable }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: oidc-discovery-provider
   namespace: {{ .Values.namespace }}
 data:
   oidc-discovery-provider.conf: |
-    log_level = "INFO"
-    domain = "{{ .Values.OIDC.serviceName }}.{{ .Values.OIDC.MY_DISCOVERY_DOMAIN }}"
-    listen_socket_path = "/run/oidc-discovery-provider/server.sock"
-    log_level = "info"
+    log_level = "debug"
+    domain = "{{ .Values.oidc.serviceName }}.{{ .Values.oidc.myDiscoveryDomain }}"
+    listen_socket_path = "{{ .Values.oidc.socketDir }}/{{ .Values.oidc.socketFile }}"
     server_api {
-      address = "unix:///{{ .Values.spireServerSocket }}"
+      address = "unix:///{{ .Values.spireServer.socketDir }}/{{ .Values.spireServer.socketFile }}"
     }
   nginx.conf: |
     user root;

charts/tornjak/templates/server-configmap.tpl

@@ -18,14 +18,14 @@ data:
       data_dir = "/run/spire/data"
       log_level = "DEBUG"
       default_svid_ttl = "1h"
-      socket_path = "{{ .Values.spireServerSocket }}"
+      socket_path = "{{ .Values.spireServer.socketDir }}/{{ .Values.spireServer.socketFile }}"
 
-{{- if .Values.OIDC.enable }}
+      {{- if .Values.oidc.enable }}
       #AWS requires the use of RSA.  EC cryptography is not supported
       ca_key_type = "rsa-2048"
 
       # Creates the iss claim in JWT-SVIDs.
-      jwt_issuer = "https://{{ .Values.OIDC.serviceName }}.{{ .Values.OIDC.MY_DISCOVERY_DOMAIN }}"
+      jwt_issuer = "https://{{ .Values.oidc.serviceName }}.{{ .Values.oidc.myDiscoveryDomain }}"
 
       experimental {
         // Turns on the bundle endpoint (required, true)
@@ -37,7 +37,7 @@ data:
         // The port to listen on (optional, defaults to 443)
         bundle_endpoint_port = 8443
       }
-{{- end }}
+      {{- end }}
 
       ca_subject = {
         country = ["US"],
@@ -59,39 +59,57 @@ data:
                     # use_token_review_api_validation = true
                     service_account_allow_list = ["spire:spire-agent"]
                 },
-                {{- if .Values.k8s_psat.remoteClusters }}
-                {{- range $k, $v := .Values.k8s_psat.remoteClusters }}
+                {{- if .Values.attestors.k8s_psat.remoteClusters }}
+                {{- range $k, $v := .Values.attestors.k8s_psat.remoteClusters }}
                 "{{ $v.name }}" = {
-                    service_account_whitelist = ["{{ $v.namespace | default "spire" }}:{{ $v.serviceAccount | default "spire-agent" }}"]
+                    service_account_allow_list = ["{{ $v.namespace | default "spire" }}:{{ $v.serviceAccount | default "spire-agent" }}"]
                     kube_config_file = "/run/spire/kubeconfigs/{{ $v.name }}"
                 },
                 {{- end }}
                 {{- end }}
             }
         }
       }
-      {{- if .Values.aws_iid -}}
-      {{- if .Values.aws_iid.access_key_id -}}
-      {{- if .Values.aws_iid.secret_access_key -}}
+
+      {{- if .Values.attestors.aws_iid -}}
+      {{- if .Values.attestors.aws_iid.access_key_id -}}
+      {{- if .Values.attestors.aws_iid.secret_access_key -}}
       NodeAttestor "aws_iid" {
           plugin_data {
-            access_key_id = "{{- .Values.aws_iid.access_key_id -}}"
-            secret_access_key = "{{- .Values.aws_iid.secret_access_key -}}"
-            skip_block_device: {{- .Values.aws_iid.skip_block_device -}}
+            access_key_id = "{{- .Values.attestors.aws_iid.access_key_id -}}"
+            secret_access_key = "{{- .Values.attestors.aws_iid.secret_access_key -}}"
+            skip_block_device = {{- .Values.attestors.aws_iid.skip_block_device -}}
           }
       }
+
       {{- end }}
       {{- end }}
       {{- end }}
-      NodeResolver "noop" {
-        plugin_data {}
+
+      {{- if .Values.attestors.azure_msi -}}
+      {{- if .Values.attestors.azure_msi.tenants -}}
+      NodeAttestor "azure_msi" {
+        enabled = true
+        plugin_data {
+          tenants = {
+            // Tenant configured with the default resource id (i.e. the resource manager)
+            {{- range $k, $v := .Values.attestors.azure_msi.tenants }}
+            "{{ $v.tenant }}" = {},
+            {{- end }}
+          }
+        }
       }
+      {{- end }}
+      {{- end }}
+
       KeyManager "disk" {
         plugin_data {
           keys_path = "/run/spire/data/keys.json"
         }
       }
-      {{- if not .Values.selfSignedCA }}
+
+      {{- if not .Values.spireServer }}
+      {{- if not .Values.spireServer.selfSignedCA }}
       UpstreamAuthority "disk" {
         plugin_data {
           ttl = "12h"
@@ -100,6 +118,7 @@ data:
         }
       }
       {{- end }}
+      {{- end }}
       Notifier "k8sbundle" {
         plugin_data {
           # This plugin updates the bundle.crt value in the spire:spire-bundle