This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

ingress-nginx production tests and spiffe-oidc-discovery-provider example (#136)

Co-authored-by: Marco Franssen <marco.franssen@gmail.com>
kfox1111 and marcofranssen authored Aug 29, 2023
1 parent b05175e commit e81a59a
Showing 14 changed files with 247 additions and 2 deletions.
52 changes: 52 additions & 0 deletions .github/tests/dependencies/testcert.yaml
@@ -0,0 +1,52 @@
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: demo-selfsigned-ca
spec:
isCA: true
commonName: demo-selfsigned-ca
secretName: root-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-issuer
kind: Issuer
group: cert-manager.io
subject:
countries:
- US
organizations:
- test
organizationalUnits:
- test
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: demo-ca
spec:
ca:
secretName: root-secret
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: oidc
spec:
dnsNames:
- oidc-discovery.example.org
- spire-server-federation.example.org
secretName: tls-cert
issuerRef:
name: demo-ca
kind: Issuer
group: cert-manager.io
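Review bot: the leaf `Certificate` `oidc` (dnsNames `oidc-discovery.example.org` and `spire-server-federation.example.org`) sets no `privateKey` block and no `duration`, so it falls back to cert-manager's defaults, while the `demo-selfsigned-ca` Certificate above explicitly requests `ECDSA`/`256`; for a test fixture it is worth making the leaf explicit too (`privateKey: {algorithm: ECDSA, size: 256}`) so both resources stay consistent and the test does not silently change when cert-manager's defaults move. A one-line comment on the `oidc` Certificate would also help: its `issuerRef` to the CA issuer `demo-ca` is what makes cert-manager write `ca.crt` into the `tls-cert` Secret, and the test pods in this commit mount that key as `/ca/ca.crt`.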
2 changes: 2 additions & 0 deletions charts/spire/README.md
@@ -237,6 +237,7 @@ Now you can interact with the Spire agent socket from your own application. The
| spire-agent.fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| spire-agent.fullnameOverride | string | `""` | |
| spire-agent.healthChecks.port | int | `9980` | override the host port used for health checking |
| spire-agent.hostAliases | list | `[]` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ |
| spire-agent.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
| spire-agent.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
| spire-agent.image.repository | string | `"spiffe/spire-agent"` | The repository within the registry |
@@ -540,6 +541,7 @@ Now you can interact with the Spire agent socket from your own application. The
| upstream-spire-agent.fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| upstream-spire-agent.fullnameOverride | string | `""` | |
| upstream-spire-agent.healthChecks.port | int | `9980` | override the host port used for health checking |
| upstream-spire-agent.hostAliases | list | `[]` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ |
| upstream-spire-agent.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
| upstream-spire-agent.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
| upstream-spire-agent.image.repository | string | `"spiffe/spire-agent"` | The repository within the registry |
@@ -1,3 +1,4 @@
{{ $values := merge .Values }}
apiVersion: v1
kind: Pod
metadata:
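Review bot: `{{ $values := merge .Values }}` reads as a no-op and is likely to be "cleaned up" by a later contributor, so a template comment should say why it exists: Sprig's `dig`, used further down with `$values`, does a type assertion to `map[string]interface{}` and panics on Helm's `chartutil.Values` type, and `merge` with a single argument returns a plain-map copy of the same data. The identical line is added to the spire-server test pod template below (`{{ $values := merge .Values }}`), so either put the comment in both places or move the coercion into one named helper.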
@@ -33,8 +34,31 @@ spec:
- name: curl-ingress
image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
command: ['curl']
{{- if dig "tests" "tls" "enabled" false $values }}
{{- if ne (len (dig "tests" "tls" "customCA" "" $values)) 0 }}
args: ['-s', '-f', '--cacert', '/ca/ca.crt', 'https://{{ (index .Values.ingress.hosts 0).host }}/.well-known/openid-configuration']
{{- else }}
args: ['-s', '-f', 'https://{{ (index .Values.ingress.hosts 0).host }}/.well-known/openid-configuration']
{{- end }}
{{- if ne (len (dig "tests" "tls" "customCA" "" $values)) 0 }}
volumeMounts:
- name: custom-ca
mountPath: /ca
{{- end }}
{{- else }}
args: ['-s', '-f', 'http://{{ (index .Values.ingress.hosts 0).host }}/.well-known/openid-configuration']
{{- end }}
securityContext:
{{- toYaml .Values.securityContext | nindent 8 }}
{{- end }}
{{- if ne (len (dig "tests" "hostAliases" "" $values)) 0 }}
hostAliases:
{{- toYaml .Values.tests.hostAliases | nindent 4 }}
{{- end }}
{{- if ne (len (dig "tests" "tls" "customCA" "" $values)) 0 }}
volumes:
- name: custom-ca
secret:
secretName: {{ .Values.tests.tls.customCA }}
{{- end }}
restartPolicy: Never
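Review bot: the `custom-ca` `volumes` entry at the bottom is gated only on `{{- if ne (len (dig "tests" "tls" "customCA" "" $values)) 0 }}`, while the matching `volumeMounts` and the `--cacert /ca/ca.crt` argument are additionally nested under `{{- if dig "tests" "tls" "enabled" false $values }}`; with `customCA` set and `tls.enabled: false` the pod declares a Secret volume that nothing mounts, which is a confusing failure when that Secret does not exist. Guard the volume on the same `enabled` condition so the two stay in step (the spire-server test pod further down has the same split). Also, the `customCA` check is evaluated twice inside the enabled branch (once for `args`, once for `volumeMounts`); a single `{{- $ca := dig "tests" "tls" "customCA" "" $values }}` near the top would remove the repetition.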
@@ -212,6 +212,10 @@ ingress:

# @ignored
tests:
hostAliases: []
tls:
enabled: false
customCA: ""
bash:
image:
# -- The OCI registry to pull the tests image from
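Review bot: `customCA: ""` needs a comment saying what value is expected. From the template it must be the name of a Secret in the release namespace that carries a `ca.crt` key (it is mounted at `/ca` and passed as `--cacert /ca/ca.crt`), not a PEM string or a file path. Because `tests:` sits under `# @ignored`, none of this reaches the generated README, so the comment in `values.yaml` is the only place a user will find it; the same applies to the identical `tests.tls` block added to the spire-server chart's `values.yaml` in this commit.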
1 change: 1 addition & 0 deletions charts/spire/charts/spire-agent/README.md
@@ -43,6 +43,7 @@ A Helm chart to install the SPIRE agent.
| fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| fullnameOverride | string | `""` | |
| healthChecks.port | int | `9980` | override the host port used for health checking |
| hostAliases | list | `[]` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ |
| image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
| image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
| image.repository | string | `"spiffe/spire-agent"` | The repository within the registry |
4 changes: 4 additions & 0 deletions charts/spire/charts/spire-agent/templates/daemonset.yaml
@@ -33,6 +33,10 @@ spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- if ne (len .Values.hostAliases) 0 }}
hostAliases:
{{- toYaml .Values.hostAliases | nindent 8 }}
{{- end }}
initContainers:
- name: init
# This is a small image with wait-for-it, choose whatever image
2 changes: 2 additions & 0 deletions charts/spire/charts/spire-agent/values.yaml
@@ -164,3 +164,5 @@ extraVolumeMounts: []
extraContainers: []

initContainers: []
# -- Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/
hostAliases: []
15 changes: 15 additions & 0 deletions charts/spire/charts/spire-server/templates/_helpers.tpl
@@ -203,6 +203,21 @@ The code below determines what connection type should be used.
{{- include "spire-tornjak.backend" . -}}
{{- end -}}

{{- define "spire-server.test.federation-ingress-args" }}
{{- $args := list }}
{{- $host := index (index (index .Values.federation.ingress.tls 0) "hosts") 0 }}
{{- if dig "tests" "tls" "enabled" false .Values }}
{{- if ne (len (dig "tests" "tls" "customCA" "" .Values)) 0 }}
{{- $args = append $args "--cacert" }}
{{- $args = append $args "/ca/ca.crt" }}
{{- end }}
{{- $args = append $args (printf "https://%s/" $host) }}
{{- else }}
{{- $args = append $args (printf "http://%s/" $host) }}
{{- end }}
{{ $args | toYaml }}
{{- end -}}

{{/*
Take a copy of the config and merge in .Values.customPlugins and .Values.unsupportedBuiltInPlugins passed through as root.
*/}}
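Review bot: `{{- $host := index (index (index .Values.federation.ingress.tls 0) "hosts") 0 }}` indexes `federation.ingress.tls[0].hosts[0]` unguarded, so an enabled federation ingress whose `tls` list is empty, or whose first entry has no `hosts`, fails rendering with a bare index-out-of-range error from inside a test helper instead of a message naming the missing value; wrap it in `required "federation.ingress.tls[0].hosts[0] is needed for the federation ingress test" ...` or fall back to the ingress `hosts` list. Minor: `{{ $args | toYaml }}` has no left trim, so the helper's output starts with a newline that the caller's `nindent 8` turns into a blank indented line; `{{- $args | toYaml }}` avoids it.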
@@ -1,3 +1,4 @@
{{ $values := merge .Values }}
apiVersion: v1
kind: Pod
metadata:
@@ -38,4 +39,28 @@ spec:
securityContext:
{{- toYaml .Values.securityContext | nindent 8 }}
{{- end }}
{{- if .Values.federation.ingress.enabled }}
- name: federation-ingress
image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
command: ['curl']
args:
{{ include "spire-server.test.federation-ingress-args" (dict "Values" $values) | nindent 8 }}
{{- if ne (len (dig "tests" "tls" "customCA" "" $values)) 0 }}
volumeMounts:
- name: custom-ca
mountPath: /ca
{{- end }}
securityContext:
{{- toYaml .Values.securityContext | nindent 8 }}
{{- end }}
{{- if ne (len (dig "tests" "hostAliases" "" $values)) 0 }}
hostAliases:
{{- toYaml .Values.tests.hostAliases | nindent 4 }}
{{- end }}
{{- if ne (len (dig "tests" "tls" "customCA" "" $values)) 0 }}
volumes:
- name: custom-ca
secret:
secretName: {{ .Values.tests.tls.customCA }}
{{- end }}
restartPolicy: Never
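Review bot: the `federation-ingress` container runs `curl -s -f https://<host>/` and only adds `--cacert` when `customCA` is set, so a run with `tests.tls.enabled: true` and no `customCA` verifies the ingress certificate against the image's system trust store; for the cert-manager self-signed chain used by `run-tests.sh` in this commit that is a guaranteed failure with no hint about why. Either make `customCA` mandatory when `tls.enabled` is true (a `required` at the top of the helper) or document in `values.yaml` that it must be set whenever the ingress serves a certificate from a private CA. The same applies to the `curl-ingress` container in the oidc discovery provider test pod.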
4 changes: 4 additions & 0 deletions charts/spire/charts/spire-server/values.yaml
@@ -486,6 +486,10 @@ customPlugins:

# @ignored
tests:
hostAliases: []
tls:
enabled: false
customCA: ""
bash:
image:
# -- The OCI registry to pull the image from
23 changes: 22 additions & 1 deletion examples/production/README.md
@@ -8,16 +8,26 @@ kubectl label namespace "spire-system" pod-security.kubernetes.io/enforce=privil
kubectl create namespace "spire-server"
kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=restricted

```shell
helm upgrade --install --namespace spire-server spire charts/spire -f values.yaml
```

See [values.yaml](./values.yaml) for more details on the chart configurations to achieve this setup.
If your using ingress-nginx and want to expose the spiffe oidc discovery provider outside the
cluster, add the following to the end of the helm upgrade example:

```shell
-f values-export-spiffe-oidc-discovery-provider-ingress-nginx.yaml
```

If you want to expose your spire-server outside of Kubernetes and are using ingress-nginx, add following values file when running `helm template/install/upgrade`.

```shell
-f values-expose-spire-server-ingress-nginx.yaml
```
For example:
```shell
helm upgrade --install --namespace spire-server spire charts/spire -f values.yaml -f values-expose-spire-server-ingress-nginx.yaml
```

If you want to expose your federation endpoint outside of Kubernetes and are using ingress-nginx
you have two options as described here:
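Review bot: typo in the added sentence: "If your using ingress-nginx" should read "If you're using ingress-nginx". More importantly, the overlay file names here do not match what `run-tests.sh` in this same commit passes to Helm: this README says `values-expose-spire-server-ingress-nginx.yaml` and `values-expose-federation-https-web-ingress-nginx.yaml`, while the script uses `values-export-spire-server-ingress-nginx.yaml` and `values-export-federation-https-web-ingress-nginx.yaml` (the OIDC overlay is `values-export-...` in both). Only one spelling can exist under `examples/production`, so please align the README with the real file names or the copy-paste commands will fail.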
@@ -28,9 +38,20 @@ If you chose profile https_web, use:
```shell
-f values-expose-federation-https-web-ingress-nginx.yaml
```
For example:
```shell
helm upgrade --install --namespace spire-server spire charts/spire -f values.yaml -f values-expose-federation-https-web-ingress-nginx.yaml
```

If you chose profile https_spiffe, use:

```shell
-f values-expose-federation-https-spiffe-ingress-nginx.yaml
```
For example:
```shell
helm upgrade --install --namespace spire-server spire charts/spire -f values.yaml -f values-expose-federation-https-spiffe-ingress-nginx.yaml
```

See [values.yaml](./values.yaml) for more details on the chart configurations to achieve this setup.
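Review bot: the closing line `See [values.yaml](./values.yaml) for more details on the chart configurations to achieve this setup.` repeats the sentence that still appears near the top of the section, just before the OIDC discovery provider paragraph; unless that earlier copy is the one deletion in this file, keep only one of them, preferably this one at the end after all the overlay files have been introduced.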

63 changes: 62 additions & 1 deletion examples/production/run-tests.sh
@@ -5,7 +5,10 @@ set -xe
SCRIPT="$(readlink -f "$0")"
SCRIPTPATH="$(dirname "${SCRIPT}")"
TESTDIR="${SCRIPTPATH}/../../.github/tests"
DEPS="${TESTDIR}/dependencies"

# shellcheck source=/dev/null
source "${SCRIPTPATH}/../../.github/scripts/parse-versions.sh"
# shellcheck source=/dev/null
source "${TESTDIR}/common.sh"

@@ -16,6 +19,10 @@ teardown() {
helm uninstall --namespace "${ns}" spire 2>/dev/null || true
kubectl delete ns "${ns}" 2>/dev/null || true
kubectl delete ns spire-system 2>/dev/null || true
helm uninstall --namespace cert-manager cert-manager 2>/dev/null || true
kubectl delete ns cert-manager 2>/dev/null || true
helm uninstall --namespace ingress-nginx 2>/dev/null || true
kubectl delete ns ingress-nginx 2>/dev/null || true
}

trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT
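Review bot: `helm uninstall --namespace ingress-nginx 2>/dev/null || true` is missing the release name; compare the cert-manager line just above it, `helm uninstall --namespace cert-manager cert-manager`. As written Helm exits with a usage error, which `2>/dev/null || true` hides, so the release is never uninstalled and only the following `kubectl delete ns ingress-nginx` cleans it up. The install later in the script names the release `ingress-nginx`, so this should read `helm uninstall --namespace ingress-nginx ingress-nginx 2>/dev/null || true`.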
@@ -25,7 +32,61 @@ kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileg
kubectl create namespace "${ns}" 2>/dev/null || true
kubectl label namespace "${ns}" pod-security.kubernetes.io/enforce=restricted || true

"${helm_install[@]}" --namespace "${ns}" --values "${SCRIPTPATH}/values.yaml" --wait spire charts/spire
"${helm_install[@]}" cert-manager cert-manager --version "$VERSION_CERT_MANAGER" --repo "$HELM_REPO_CERT_MANAGER" \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true \
--wait

kubectl apply -f "${DEPS}/testcert.yaml" -n spire-server

"${helm_install[@]}" ingress-nginx ingress-nginx --version "$VERSION_INGRESS_NGINX" --repo "$HELM_REPO_INGRESS_NGINX" \
--namespace ingress-nginx \
--create-namespace \
--set controller.extraArgs.enable-ssl-passthrough=,controller.admissionWebhooks.enabled=false,controller.service.type=ClusterIP \
--set controller.ingressClassResource.default=true \
--wait

ip=$(kubectl get svc -n ingress-nginx ingress-nginx-controller -o go-template='{{ .spec.clusterIP }}')
echo "$ip" oidc-discovery.example.org

cat > /tmp/dummydns <<EOF
spiffe-oidc-discovery-provider:
tests:
hostAliases:
- ip: "$ip"
hostnames:
- "oidc-discovery.example.org"
spire-agent:
hostAliases:
- ip: "$ip"
hostnames:
- "spire-server.example.org"
spire-server:
tests:
hostAliases:
- ip: "$ip"
hostnames:
- "spire-server-federation.example.org"
federation:
ingress:
tls:
- hosts:
- spire-server-federation.example.org
secretName: tls-cert
EOF

"${helm_install[@]}" spire charts/spire \
--namespace "${ns}" \
--values "${SCRIPTPATH}/values.yaml" \
--values "${SCRIPTPATH}/values-export-spiffe-oidc-discovery-provider-ingress-nginx.yaml" \
--values "${SCRIPTPATH}/values-export-spire-server-ingress-nginx.yaml" \
--values "${SCRIPTPATH}/values-export-federation-https-web-ingress-nginx.yaml" \
--values /tmp/dummydns \
--set spiffe-oidc-discovery-provider.tests.tls.customCA=tls-cert,spire-server.tests.tls.customCA=tls-cert \
--set spire-agent.server.address=spire-server.example.org,spire-agent.server.port=443 \
--wait

helm test --namespace "${ns}" spire

print_helm_releases
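Review bot: `kubectl apply -f "${DEPS}/testcert.yaml" -n spire-server` hard-codes the namespace while every other command in the script uses `"${ns}"`; the `tls-cert` Secret that manifest produces is consumed by the test pods' `secretName: {{ .Values.tests.tls.customCA }}` volumes and by the federation ingress `secretName: tls-cert` from `/tmp/dummydns`, all in the release namespace, so use `-n "${ns}"` to keep them together. Two smaller items: `echo "$ip" oidc-discovery.example.org` looks like a leftover debug print (the script already runs under `set -x`), and `/tmp/dummydns` is a fixed path that `teardown` never removes; `mktemp` plus an `rm -f` in `teardown` would avoid leaving the rendered `hostAliases` file behind between runs.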
@@ -1,4 +1,7 @@
spire-server:
tests:
tls:
enabled: true
federation:
enabled: true
ingress:
@@ -0,0 +1,27 @@
spiffe-oidc-discovery-provider:
tests:
tls:
enabled: true
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

# Optional settings you may put in your own values.
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"

# className: nginx

# You must override these in your own values file with the appropriate hostname
# and secret or it wont start.
hosts:
- host: oidc-discovery.example.org
paths:
- path: /
pathType: Prefix
tls:
- secretName: tls-cert
hosts:
- oidc-discovery.example.org
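Review bot: typo in the comment `it wont start`, should be `it won't start`. The two commented-out settings `kubernetes.io/ingress.class: nginx` and `className: nginx` select the ingress class in two different ways (the annotation is the legacy form, `className` maps to the current `ingressClassName` field), so the comment should say to pick one rather than present both as independent optional settings. It would also help to state that `hosts[0].host` and `tls[0].hosts[0]` must be overridden together with the same hostname, since that is the override the warning is about.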
