From 7458c47cb6b5a7bbccffcaa82879aa1b26c253db Mon Sep 17 00:00:00 2001 From: Denis Tingajkin Date: Mon, 30 Nov 2020 15:48:17 +0700 Subject: [PATCH] add initial configs + ci 
Signed-off-by: Denis Tingajkin --- alpine.yaml | 33 ++++++++++++++++ fake-cross-nse.yaml | 43 +++++++++++++++++++++ namespace.yaml | 5 +++ nsc.yaml | 45 ++++++++++++++++++++++ nse.yaml | 45 ++++++++++++++++++++++ nsmgr.yaml | 56 +++++++++++++++++++++++++++ proxy-registry-service.yaml | 13 +++++++ registry-memory.yaml | 43 +++++++++++++++++++++ registry-proxy-dns.yaml | 43 +++++++++++++++++++++ registry-service.yaml | 14 +++++++ spire/agent-account.yaml | 6 +++ spire/agent-cluster-role.yaml | 25 ++++++++++++ spire/agent-configmap.yaml | 45 ++++++++++++++++++++++ spire/agent-daemonset.yaml | 64 +++++++++++++++++++++++++++++++ spire/server-account.yaml | 6 +++ spire/server-cluster-role.yaml | 29 ++++++++++++++ spire/server-configmap.yaml | 61 +++++++++++++++++++++++++++++ spire/server-service.yaml | 15 ++++++++ spire/server-statefulset.yaml | 59 ++++++++++++++++++++++++++++ spire/spire-bundle-configmap.yaml | 6 +++ spire/spire-namespace.yaml | 5 +++ workflows/ci.yaml | 43 +++++++++++++++++++++ workflows/pr-for-updates.yaml | 23 +++++++++++ 23 files changed, 727 insertions(+) create mode 100644 alpine.yaml create mode 100644 fake-cross-nse.yaml create mode 100644 namespace.yaml create mode 100644 nsc.yaml create mode 100644 nse.yaml create mode 100644 nsmgr.yaml create mode 100644 proxy-registry-service.yaml create mode 100644 registry-memory.yaml create mode 100644 registry-proxy-dns.yaml create mode 100644 registry-service.yaml create mode 100644 spire/agent-account.yaml create mode 100644 spire/agent-cluster-role.yaml create mode 100644 spire/agent-configmap.yaml create mode 100644 spire/agent-daemonset.yaml create mode 100644 spire/server-account.yaml create mode 100644 spire/server-cluster-role.yaml create mode 100644 spire/server-configmap.yaml create mode 100644 spire/server-service.yaml create mode 100644 spire/server-statefulset.yaml create mode 100644 spire/spire-bundle-configmap.yaml create mode 100644 spire/spire-namespace.yaml create mode 100644 
workflows/ci.yaml create mode 100644 workflows/pr-for-updates.yaml diff --git a/alpine.yaml b/alpine.yaml new file mode 100644 index 000000000000..451e87f3b074 --- /dev/null +++ b/alpine.yaml @@ -0,0 +1,33 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: alpine + labels: + app: alpine +spec: + selector: + matchLabels: + app: alpine + template: + metadata: + labels: + app: alpine + spec: + containers: + - image: alpine:latest + command: + - /bin/sh + - "-c" + - "sleep 60m" + imagePullPolicy: IfNotPresent + name: alpine + volumeMounts: + - name: nsm-socket + mountPath: /var/lib/networkservicemesh + readOnly: true + volumes: + - name: nsm-socket + hostPath: + path: /var/lib/networkservicemesh + type: DirectoryOrCreate diff --git a/fake-cross-nse.yaml b/fake-cross-nse.yaml new file mode 100644 index 000000000000..3be12aa83bcb --- /dev/null +++ b/fake-cross-nse.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fake-cross-nse + namespace: nsm-system + labels: + app: fake-cross-nse +spec: + selector: + matchLabels: + app: fake-cross-nse + template: + metadata: + labels: + app: fake-cross-nse + spec: + containers: + - image: networkservicemeshci/fake-cross-nse:latest + imagePullPolicy: IfNotPresent + name: fake-cross-nse + env: + - name: SPIFFE_ENDPOINT_SOCKET + value: unix:///run/spire/sockets/agent.sock + - name: FAKE-CROSS-NSE_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: spire-agent-socket + mountPath: /run/spire/sockets + readOnly: true + - name: nsm-socket + mountPath: /var/lib/networkservicemesh + volumes: + - name: spire-agent-socket + hostPath: + path: /run/spire/sockets + type: Directory + - name: nsm-socket + hostPath: + path: /var/lib/networkservicemesh + type: DirectoryOrCreate diff --git a/namespace.yaml b/namespace.yaml new file mode 100644 index 000000000000..e952c71a0b30 --- /dev/null +++ b/namespace.yaml 
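Review bot: `image: alpine:latest` in alpine.yaml is an unpinned mutable tag, so each rollout may pull a different image; pin a version or digest, e.g. `image: alpine@sha256:<digest>`. The same applies to `networkservicemeshci/fake-cross-nse:latest` in fake-cross-nse.yaml, and the build-hash tags in nsc.yaml, nse.yaml, nsmgr.yaml, registry-memory.yaml and registry-proxy-dns.yaml are also mutable tags rather than digests. alpine.yaml, nsc.yaml and nse.yaml also carry no `metadata.namespace`, while nsmgr.yaml and the registry manifests target nsm-system, so these three land in whatever namespace the kubectl context selects; add `namespace: nsm-system` under `metadata` or document that they are applied with `-n`. The hostPath mount here is `readOnly: true`, which is the right default for a pod that only needs to see the socket directory.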
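Review bot: The `nsm-socket` mount at `/var/lib/networkservicemesh` has no `readOnly`, so this DaemonSet gets read-write access to a node-level hostPath on every node, whereas nsc.yaml and nse.yaml mount the same path with `readOnly: true`. If the cross-NSE only dials nsmgr's `nsm.io.sock` rather than creating sockets of its own, add `readOnly: true` under that `volumeMounts` entry; if it must write there, a one-line comment saying why keeps the extra privilege deliberate. Like the other manifests in this series the pod has no `resources` requests or limits, which matters more for a DaemonSet since it runs on every node.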
@@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: nsm-system diff --git a/nsc.yaml b/nsc.yaml new file mode 100644 index 000000000000..820f27ee8ce4 --- /dev/null +++ b/nsc.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nsc + labels: + app: nsc +spec: + selector: + matchLabels: + app: nsc + template: + metadata: + labels: + app: nsc + spec: + containers: + - image: networkservicemeshci/cmd-nsc:f5401987 + imagePullPolicy: IfNotPresent + name: nsc + env: + - name: NSM_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NSM_NETWORK_SERVICES + value: kernel://icmp-responder/nsm-1 + - name: SPIFFE_ENDPOINT_SOCKET + value: unix:///run/spire/sockets/agent.sock + volumeMounts: + - name: spire-agent-socket + mountPath: /run/spire/sockets + readOnly: true + - name: nsm-socket + mountPath: /var/lib/networkservicemesh + readOnly: true + volumes: + - name: spire-agent-socket + hostPath: + path: /run/spire/sockets + type: Directory + - name: nsm-socket + hostPath: + path: /var/lib/networkservicemesh + type: DirectoryOrCreate diff --git a/nse.yaml b/nse.yaml new file mode 100644 index 000000000000..4abcedd71469 --- /dev/null +++ b/nse.yaml 
@@ -0,0 +1,45 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nse + labels: + app: nse +spec: + selector: + matchLabels: + app: nse + template: + metadata: + labels: + app: nse + spec: + containers: + - image: networkservicemeshci/cmd-nse-icmp-responder:2ab24506 + imagePullPolicy: IfNotPresent + name: nse + env: + - name: NSE_CONNECT_TO + value: unix:///var/lib/networkservicemesh/nsm.io.sock + - name: SPIFFE_ENDPOINT_SOCKET + value: unix:///run/spire/sockets/agent.sock + - name: NSE_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: spire-agent-socket + mountPath: /run/spire/sockets + readOnly: true + - name: nsm-socket + mountPath: /var/lib/networkservicemesh + readOnly: true + volumes: + - name: spire-agent-socket + hostPath: + path: /run/spire/sockets + type: Directory + - name: nsm-socket + hostPath: + path: /var/lib/networkservicemesh + type: DirectoryOrCreate diff --git a/nsmgr.yaml b/nsmgr.yaml new file mode 100644 index 000000000000..d391e375b88a --- /dev/null +++ b/nsmgr.yaml 
@@ -0,0 +1,56 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: nsmgr + namespace: nsm-system + labels: + app: nsmgr +spec: + selector: + matchLabels: + app: nsmgr + template: + metadata: + labels: + app: nsmgr + spec: + containers: + - image: networkservicemeshci/cmd-nsmgr:3639f650 + imagePullPolicy: IfNotPresent + name: nsmgr + ports: + - containerPort: 5001 + hostPort: 5001 + env: + - name: SPIFFE_ENDPOINT_SOCKET + value: unix:///run/spire/sockets/agent.sock + - name: NSM_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NSM_REGISTRY_URL + value: "nsm-registry-svc:5002" + # - name: DLV_LISTEN_NSMGR + # value: :40000 + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NSM_LISTEN_ON + value: unix:///var/lib/networkservicemesh/nsm.io.sock,tcp://:5001 + volumeMounts: + - name: spire-agent-socket + mountPath: /run/spire/sockets + readOnly: true + - name: nsm-socket + mountPath: /var/lib/networkservicemesh + volumes: + - name: spire-agent-socket + hostPath: + path: /run/spire/sockets + type: Directory + - name: nsm-socket + hostPath: + path: /var/lib/networkservicemesh + type: DirectoryOrCreate diff --git a/proxy-registry-service.yaml b/proxy-registry-service.yaml new file mode 100644 index 000000000000..bcc8159e648f --- /dev/null +++ b/proxy-registry-service.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: nsm-registry-proxy-dns-svc +spec: + selector: + app: nsm-registry-proxy-dns + ports: + - name: nsm-registry-proxy-dns + protocol: TCP + port: 5003 + targetPort: 5003 diff --git a/registry-memory.yaml b/registry-memory.yaml new file mode 100644 index 000000000000..a2a2715f4f56 --- /dev/null +++ b/registry-memory.yaml 
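Review bot: `NSM_LISTEN_ON` binds `tcp://:5001` on all interfaces and the container also declares `hostPort: 5001`, so the manager's gRPC endpoint is reachable on every node's address, not only from the cluster network; the `POD_IP` variable defined just above it is not used anywhere. If `POD_IP` was meant to scope the listener, `value: unix:///var/lib/networkservicemesh/nsm.io.sock,tcp://$(POD_IP):5001` does that (Kubernetes expands `$(VAR)` for variables declared earlier in the same `env` list), and the `hostPort` entry can be dropped unless something off-cluster must dial it. The commented-out `DLV_LISTEN_NSMGR` lines configure a remote debugger; keeping them in a deployment manifest invites someone to uncomment them in production, so either remove them or move the note to a README. registry-memory.yaml and registry-proxy-dns.yaml publish `hostPort` 5002 and 5003 the same way.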
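Review bot: This Service has no `metadata.namespace`, but the Deployment its selector targets (`app: nsm-registry-proxy-dns` in registry-proxy-dns.yaml) lives in nsm-system and registry-memory.yaml resolves `nsm-registry-proxy-dns-svc:5003` from nsm-system, so unless the file is applied with `-n nsm-system` the selector matches no pods and the short name does not resolve from the registry. registry-service.yaml sets the namespace explicitly; adding `namespace: nsm-system` under `metadata` here makes the pair consistent and independent of the kubectl context.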
@@ -0,0 +1,43 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: nsm-system + name: nsm-registry + labels: + app: nsm-registry +spec: + selector: + matchLabels: + app: nsm-registry + template: + metadata: + labels: + app: nsm-registry + spec: + containers: + - image: networkservicemeshci/cmd-registry-memory:b6f1d58a + env: + - name: SPIFFE_ENDPOINT_SOCKET + value: unix:///run/spire/sockets/agent.sock + - name: REGISTRY_MEMORY_LISTEN_ON + value: tcp://:5002 + - name: REGISTRY_MEMORY_PROXY_REGISTRY_URL + value: nsm-registry-proxy-dns-svc:5003 + imagePullPolicy: IfNotPresent + name: nsm-registry + ports: + - containerPort: 5002 + hostPort: 5002 + volumeMounts: + - name: spire-agent-socket + mountPath: /run/spire/sockets + volumes: + - name: spire-agent-socket + hostPath: + path: /run/spire/sockets + type: Directory + - name: nsm-socket + hostPath: + path: /var/lib/networkservicemesh + type: DirectoryOrCreate diff --git a/registry-proxy-dns.yaml b/registry-proxy-dns.yaml new file mode 100644 index 000000000000..9ab73eeb3e74 --- /dev/null +++ b/registry-proxy-dns.yaml 
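Review bot: The `nsm-socket` hostPath volume is declared under `volumes` but no entry in `volumeMounts` uses it, and the `spire-agent-socket` mount is the only SPIFFE socket mount in this series without `readOnly: true`. Removing the unused volume drops a node-path dependency the pod does not need, and `readOnly: true` on the socket mount matches nsc.yaml, nse.yaml and nsmgr.yaml, which already mount the same path read-only. The `hostPort: 5002` exposure is the same as nsmgr's; if only in-cluster clients use nsm-registry-svc it can go.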
@@ -0,0 +1,43 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: nsm-system + name: nsm-registry-proxy-dns + labels: + app: nsm-registry-proxy-dns +spec: + selector: + matchLabels: + app: nsm-registry-proxy-dns + template: + metadata: + labels: + app: nsm-registry-proxy-dns + spec: + containers: + - image: networkservicemeshci/cmd-registry-proxy-dns:f2bb4611 + env: + - name: SPIFFE_ENDPOINT_SOCKET + value: unix:///run/spire/sockets/agent.sock + - name: REGISTRY-PROXY-DNS_LISTEN_ON + value: tcp://:5003 + imagePullPolicy: IfNotPresent + name: nsm-registry-proxy-dns + ports: + - containerPort: 5003 + hostPort: 5003 + volumeMounts: + - name: spire-agent-socket + mountPath: /run/spire/sockets + - name: nsm-socket + mountPath: /var/lib/networkservicemesh + volumes: + - name: spire-agent-socket + hostPath: + path: /run/spire/sockets + type: Directory + - name: nsm-socket + hostPath: + path: /var/lib/networkservicemesh + type: DirectoryOrCreate diff --git a/registry-service.yaml b/registry-service.yaml new file mode 100644 index 000000000000..ec0131794918 --- /dev/null +++ b/registry-service.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: v1 +kind: Service +metadata: + namespace: nsm-system + name: nsm-registry-svc +spec: + selector: + app: nsm-registry + ports: + - name: nsm-registry-svc + protocol: TCP + port: 5002 + targetPort: 5002 diff --git a/spire/agent-account.yaml b/spire/agent-account.yaml new file mode 100644 index 000000000000..4e5794c82d87 --- /dev/null +++ b/spire/agent-account.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + namespace: spire diff --git a/spire/agent-cluster-role.yaml b/spire/agent-cluster-role.yaml new file mode 100644 index 000000000000..b79564de3f89 --- /dev/null +++ b/spire/agent-cluster-role.yaml 
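Review bot: Both mounts here lack `readOnly: true`, and the `nsm-socket` hostPath is mounted read-write even though nothing in this container's `env` refers to /var/lib/networkservicemesh. If the proxy does not use that directory the mount and volume can be removed; if it only reads from it, `readOnly: true` limits what a compromised proxy could do to the node-wide socket directory, and the SPIFFE socket mount should be `readOnly: true` as in nsc.yaml and nse.yaml. `REGISTRY-PROXY-DNS_LISTEN_ON` here and `FAKE-CROSS-NSE_NAME` in fake-cross-nse.yaml use hyphens in environment variable names; Kubernetes appears to accept them, but POSIX shells cannot export such names, so confirm the binaries read them as-is and consider an underscore form if the configuration loader allows it.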
@@ -0,0 +1,25 @@ +--- +# Required cluster role to allow spire-agent to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role +rules: +- apiGroups: [""] + resources: ["pods", "nodes", "nodes/proxy"] + verbs: ["get"] + +--- +# Binds above cluster role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role-binding +subjects: +- kind: ServiceAccount + name: spire-agent + namespace: spire +roleRef: + kind: ClusterRole + name: spire-agent-cluster-role + apiGroup: rbac.authorization.k8s.io diff --git a/spire/agent-configmap.yaml b/spire/agent-configmap.yaml new file mode 100644 index 000000000000..3ec1e4f52e6b --- /dev/null +++ b/spire/agent-configmap.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + namespace: spire +data: + agent.conf: | + agent { + data_dir = "/run/spire" + log_level = "DEBUG" + server_address = "spire-server" + server_port = "8081" + socket_path = "/run/spire/sockets/agent.sock" + trust_bundle_path = "/run/spire/bundle/bundle.crt" + trust_domain = "example.org" + } + + plugins { + NodeAttestor "k8s_sat" { + plugin_data { + # NOTE: Change this to your cluster name + cluster = "nsm-cluster" + } + } + + KeyManager "memory" { + plugin_data { + } + } + + WorkloadAttestor "k8s" { + plugin_data { + # Defaults to the secure kubelet port by default. + # Minikube does not have a cert in the cluster CA bundle that + # can authenticate the kubelet cert, so skip validation. + skip_kubelet_verification = true + } + } + + WorkloadAttestor "unix" { + plugin_data { + } + } + } diff --git a/spire/agent-daemonset.yaml b/spire/agent-daemonset.yaml new file mode 100644 index 000000000000..814fe20e8741 --- /dev/null +++ b/spire/agent-daemonset.yaml 
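Review bot: `nodes/proxy` with `get` is a much broader grant than the `pods`/`nodes` reads beside it: the kubelet's authorizer checks that same resource for its `/pods` endpoint, so this line is what lets the agent's k8s WorkloadAttestor (spire/agent-configmap.yaml) query the kubelet, but it also lets the service account proxy GET requests to every node's kubelet through the apiserver. A comment above the rule, `# nodes/proxy: required by the k8s WorkloadAttestor to read pod info from the kubelet`, records why the permission exists so it is neither removed as unused nor widened further. The binding is cluster-wide by necessity since the DaemonSet runs on every node; nothing here grants write verbs, which is good.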
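Review bot: `skip_kubelet_verification = true` turns off validation of the kubelet's serving certificate for the k8s WorkloadAttestor; the inline comment attributes it to Minikube, but this ConfigMap has no Minikube-only variant, so it ships to every cluster the manifests are applied to, and a process that can answer on the kubelet port could then feed the agent false pod identities. If a CI kind/minikube cluster is the only intended target, extend the comment to say so; otherwise set it to `false` and rely on the cluster CA bundle. `trust_domain = "example.org"` matches spire/server-configmap.yaml, which is what matters, and `log_level = "DEBUG"` is verbose for anything past development. The `k8s_sat` attestor relies on the long-lived service-account token; SPIRE's `k8s_psat` plugin attests with projected, audience-bound tokens and is worth considering when the server side is switched too.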
@@ -0,0 +1,64 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + namespace: spire + labels: + app: spire-agent +spec: + selector: + matchLabels: + app: spire-agent + template: + metadata: + namespace: spire + labels: + app: spire-agent + spec: + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: spire-agent + initContainers: + - name: init + # This is a small image with wait-for-it, choose whatever image + # you prefer that waits for a service to be up. This image is built + # from https://github.com/lqhl/wait-for-it + image: gcr.io/spiffe-io/wait-for-it + args: ["-t", "30", "spire-server:8081"] + containers: + - name: spire-agent + image: gcr.io/spiffe-io/spire-agent:0.10.0 + args: ["-config", "/run/spire/config/agent.conf"] + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + - name: spire-agent-socket + mountPath: /run/spire/sockets + readOnly: false + livenessProbe: + exec: + command: + - /opt/spire/bin/spire-agent + - healthcheck + - -socketPath + - /run/spire/sockets/agent.sock + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-agent-socket + hostPath: + path: /run/spire/sockets + type: DirectoryOrCreate diff --git a/spire/server-account.yaml b/spire/server-account.yaml new file mode 100644 index 000000000000..98d811ce2bc5 --- /dev/null +++ b/spire/server-account.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + namespace: spire diff --git a/spire/server-cluster-role.yaml b/spire/server-cluster-role.yaml new file mode 100644 index 000000000000..6ff93619861d --- /dev/null +++ b/spire/server-cluster-role.yaml 
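Review bot: The init container `image: gcr.io/spiffe-io/wait-for-it` has neither tag nor digest, so it floats with whatever the registry serves at pull time, inside a pod that has `hostPID: true`, `hostNetwork: true` and a writable hostPath; pin it, e.g. `image: gcr.io/spiffe-io/wait-for-it@sha256:<digest>`, as `spire-agent:0.10.0` already is. The `spire-bundle` mount is only read by the agent (`trust_bundle_path` in spire/agent-configmap.yaml), so `readOnly: true` on it matches the `spire-config` mount above. `hostPID` is presumably required so the unix/k8s WorkloadAttestors can inspect the calling process; the reason for `hostNetwork` is less obvious from the manifest and deserves a comment on that line — confirm what it is there for before anyone tries to remove it.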
@@ -0,0 +1,29 @@ +--- +# ClusterRole to allow spire-server node attestor to query Token Review API +# and to be able to push certificate bundles to a configmap +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-trust-role +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["patch", "get", "list"] + +--- +# Binds above cluster role to spire-server service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-trust-role-binding +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire +roleRef: + kind: ClusterRole + name: spire-server-trust-role + apiGroup: rbac.authorization.k8s.io diff --git a/spire/server-configmap.yaml b/spire/server-configmap.yaml new file mode 100644 index 000000000000..0bb05595a334 --- /dev/null +++ b/spire/server-configmap.yaml 
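Review bot: The `configmaps` rule grants `patch`, `get` and `list` on ConfigMaps in every namespace, while the only ConfigMap the server writes is `spire-bundle` in the spire namespace (the `k8sbundle` Notifier in spire/server-configmap.yaml). Move that rule to a `Role`/`RoleBinding` in the spire namespace and keep the ClusterRole to the `tokenreviews` create that node attestation needs; for `get` and `patch` a `resourceNames: ["spire-bundle"]` restriction narrows it further (`list` cannot be limited that way, so leave it namespace-scoped). Cluster-wide ConfigMap patch is otherwise a way to rewrite any workload's configuration should the server's token ever leak.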
@@ -0,0 +1,61 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + namespace: spire +data: + server.conf: | + server { + bind_address = "0.0.0.0" + bind_port = "8081" + registration_uds_path = "/tmp/spire-registration.sock" + trust_domain = "example.org" + data_dir = "/run/spire/data" + log_level = "DEBUG" + #AWS requires the use of RSA. EC cryptography is not supported + ca_key_type = "rsa-2048" + + default_svid_ttl = "1h" + ca_subject = { + country = ["US"], + organization = ["SPIFFE"], + common_name = "", + } + } + + plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "/run/spire/data/datastore.sqlite3" + } + } + + NodeAttestor "k8s_sat" { + plugin_data { + clusters = { + # NOTE: Change this to your cluster name + "nsm-cluster" = { + use_token_review_api_validation = true + service_account_whitelist = ["spire:spire-agent"] + } + } + } + } + + NodeResolver "noop" { + plugin_data {} + } + + KeyManager "disk" { + plugin_data { + keys_path = "/run/spire/data/keys.json" + } + } + + Notifier "k8sbundle" { + plugin_data { + } + } + } diff --git a/spire/server-service.yaml b/spire/server-service.yaml new file mode 100644 index 000000000000..8f890306bdce --- /dev/null +++ b/spire/server-service.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: spire-server + namespace: spire +spec: + type: NodePort + ports: + - name: grpc + port: 8081 + targetPort: 8081 + protocol: TCP + selector: + app: spire-server diff --git a/spire/server-statefulset.yaml b/spire/server-statefulset.yaml new file mode 100644 index 000000000000..d9d30f7fef40 --- /dev/null +++ b/spire/server-statefulset.yaml 
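Review bot: `trust_domain = "example.org"` is the placeholder SPIFFE domain, and with `ca_subject` set to `organization = ["SPIFFE"]` and an empty `common_name`, every SVID this server issues carries an identity under a domain the project does not own; for anything beyond a throw-away CI cluster set it to a domain the project controls and mirror the value in spire/agent-configmap.yaml. `bind_address = "0.0.0.0"` is reasonable for a single in-cluster replica, but spire/server-service.yaml exposes it as a NodePort, so the node-attestation endpoint is reachable from outside the cluster unless that Service type is changed. `log_level = "DEBUG"` will log every attestation in detail; a comment saying it is deliberate, or `INFO`, is better for a config that ships. `use_token_review_api_validation = true` with a `service_account_whitelist` is the right configuration for `k8s_sat`.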
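Review bot: `type: NodePort` publishes the SPIRE server's port 8081 on every node, but the only client in this series is the agent DaemonSet, which reaches it by the cluster name `spire-server:8081` (spire/agent-configmap.yaml and the init container args in spire/agent-daemonset.yaml). Change `type: NodePort` to `type: ClusterIP`, or drop the `type` line since ClusterIP is the default, unless agents outside the cluster are expected — in which case a comment should say so, because this port terminates node attestation. The agent runs with `hostNetwork: true`, which still reaches ClusterIP services through kube-proxy on the node, so the change should not break the existing path — worth confirming on the target CNI.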
@@ -0,0 +1,59 @@ +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: spire-server + namespace: spire + labels: + app: spire-server +spec: + replicas: 1 + selector: + matchLabels: + app: spire-server + serviceName: spire-server + template: + metadata: + namespace: spire + labels: + app: spire-server + spec: + serviceAccountName: spire-server + containers: + - name: spire-server + image: gcr.io/spiffe-io/spire-server:0.10.0 + args: + - -config + - /run/spire/config/server.conf + ports: + - containerPort: 8081 + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-data + mountPath: /run/spire/data + readOnly: false + livenessProbe: + exec: + command: + - /opt/spire/bin/spire-server + - healthcheck + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + volumes: + - name: spire-config + configMap: + name: spire-server + volumeClaimTemplates: + - metadata: + name: spire-data + namespace: spire + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/spire/spire-bundle-configmap.yaml b/spire/spire-bundle-configmap.yaml new file mode 100644 index 000000000000..4633e426c8e1 --- /dev/null +++ b/spire/spire-bundle-configmap.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire diff --git a/spire/spire-namespace.yaml b/spire/spire-namespace.yaml new file mode 100644 index 000000000000..08c7fd849ed1 --- /dev/null +++ b/spire/spire-namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: spire diff --git a/workflows/ci.yaml b/workflows/ci.yaml new file mode 100644 index 000000000000..88e3cec84447 --- /dev/null +++ b/workflows/ci.yaml 
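Review bot: The `spire-data` claim holds the server's CA private key (`KeyManager "disk"` writes `/run/spire/data/keys.json` per spire/server-configmap.yaml) and the SQLite datastore, yet nothing in the template records that; a comment above `volumeClaimTemplates` such as `# spire-data contains the CA signing key and datastore; do not share or reuse this claim` helps whoever chooses the StorageClass or backup policy. The `namespace: spire` inside the claim template's `metadata` appears to be redundant — the StatefulSet controller creates claims in its own namespace — and can be dropped. There is no `readinessProbe`, so the Service routes to the pod as soon as the container starts; the agent's wait-for-it init container covers only the initial port check.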
@@ -0,0 +1,43 @@ +--- +name: ci +on: + pull_request: + branches: + - master + push: + branches: + - master +jobs: + yamllint: + name: yamllint + runs-on: ubuntu-latest + steps: + - name: Check out code into the Go module directory + uses: actions/checkout@v2 + - name: Setup Python + uses: actions/setup-python@v1 + - name: Install yamllint + run: pip install --user yamllint + - name: Run yamllint + run: ~/.local/bin/yamllint -c .yamllint.yml --strict . + automerge: + name: automerge + runs-on: ubuntu-latest + needs: + - yamllint + if: github.actor == 'nsmbot' && github.event_name == 'pull_request' + steps: + - name: Check out the code + uses: actions/checkout@v2 + - name: Fetch master + run: | + git remote -v + git fetch --depth=1 origin master + - name: Only allow go.mod and go.sum changes + run: | + find . -type f ! -name '*.yaml' ! -name '*.yml' -exec git diff --exit-code origin/master -- {} + + - name: Automerge nsmbot PR + uses: ridedott/merge-me-action@master + with: + GITHUB_LOGIN: nsmbot + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/workflows/pr-for-updates.yaml b/workflows/pr-for-updates.yaml new file mode 100644 index 000000000000..b44b978e20fb --- /dev/null +++ b/workflows/pr-for-updates.yaml @@ -0,0 +1,23 @@ +--- +name: Pull Request on update/* Branch Push +on: + push: + branches: + - update/** +jobs: + auto-pull-request: + name: Pull Request on update/* Branch Push + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Construct PR message + run: | + PULL_REQUEST_BODY=$(git log -1) + echo ${PULL_REQUEST_BODY} + echo PULL_REQUEST_BODY=${PULL_REQUEST_BODY} >> $GITHUB_ENV + - name: pull-request-action + uses: vsoch/pull-request-action@1.0.12 + env: + GITHUB_TOKEN: ${{ secrets.NSM_BOT_GITHUB_TOKEN }} + BRANCH_PREFIX: "update/" + PULL_REQUEST_BRANCH: "master"
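Review bot: `uses: ridedott/merge-me-action@master` runs a third-party action from a mutable branch with `secrets.GITHUB_TOKEN` and the right to merge into master, so whoever controls that repository's master branch changes what executes here on the next run; pin it to a release tag or, better, a full commit SHA, e.g. `uses: ridedott/merge-me-action@<commit-sha>`. The guard step named "Only allow go.mod and go.sum changes" actually allows only `*.yaml`/`*.yml` changes, and because it feeds `find` output to `git diff`, a non-YAML file deleted by the PR is never compared and passes silently; `git diff --exit-code --name-only origin/master -- . ':!*.yaml' ':!*.yml'` covers both cases with the pathspec doing the filtering. The "Check out code into the Go module directory" name is a leftover from a Go repository, and `.yamllint.yml`, referenced by the lint step, is not among the 23 files this patch creates. GitHub only runs workflows under `.github/workflows/`, so if these paths are relative to the repository root rather than to that directory, neither workflow will trigger.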
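Review bot: The "Construct PR message" step writes `git log -1` into `$GITHUB_ENV` with `echo PULL_REQUEST_BODY=${PULL_REQUEST_BODY} >> $GITHUB_ENV`, but `git log -1` is multi-line and the `NAME=value` form of GITHUB_ENV takes a single line, so each further line of the commit message is parsed as its own `NAME=value` entry. Beyond corrupting the PR body, that lets any line of a commit message on an `update/**` branch define arbitrary environment variables for the later steps, which is the known GITHUB_ENV injection pattern; the multi-line delimiter form with a delimiter that cannot occur in a commit message avoids both problems. The unquoted `${PULL_REQUEST_BODY}` in the debug `echo` also word-splits and glob-expands; quote it or drop the line. `vsoch/pull-request-action@1.0.12` is pinned to a tag, which is better than a branch, but a full commit SHA is the only immutable form.
```yaml
      - name: Construct PR message
        run: |
          delimiter="PR_BODY_$(openssl rand -hex 16)"
          {
            echo "PULL_REQUEST_BODY<<${delimiter}"
            git log -1
            echo "${delimiter}"
          } >> "$GITHUB_ENV"
      # … unchanged: pull-request-action step …
```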