kubernetes-sigs
diff --git a/‎deployment/components/master-config/nfd-master.conf.example
+1 b/‎deployment/components/master-config/nfd-master.conf.example
+1
diff --git a/‎deployment/components/worker-config/nfd-worker.conf.example
+1 b/‎deployment/components/worker-config/nfd-worker.conf.example
+1
diff --git a/‎deployment/helm/node-feature-discovery/templates/master.yaml
+14 b/‎deployment/helm/node-feature-discovery/templates/master.yaml
+14
diff --git a/‎deployment/helm/node-feature-discovery/templates/spire-agent-cluster-role.yaml
+26 b/‎deployment/helm/node-feature-discovery/templates/spire-agent-cluster-role.yaml
+26
diff --git a/‎deployment/helm/node-feature-discovery/templates/spire-agent-configmap.yaml
+45 b/‎deployment/helm/node-feature-discovery/templates/spire-agent-configmap.yaml
+45
diff --git a/‎deployment/helm/node-feature-discovery/templates/spire-agent-daemonset.yaml
+57 b/‎deployment/helm/node-feature-discovery/templates/spire-agent-daemonset.yaml
+57
diff --git a/‎deployment/helm/node-feature-discovery/templates/spire-agent-service-account.yaml
+6 b/‎deployment/helm/node-feature-discovery/templates/spire-agent-service-account.yaml
+6
diff --git a/‎deployment/helm/node-feature-discovery/templates/spire-bundle-configmap.yaml
+6 b/‎deployment/helm/node-feature-discovery/templates/spire-bundle-configmap.yaml
+6
diff --git a/‎deployment/helm/node-feature-discovery/templates/spire-server-cluster-role.yaml
+50 b/‎deployment/helm/node-feature-discovery/templates/spire-server-cluster-role.yaml
+50
diff --git a/‎deployment/helm/node-feature-discovery/templates/spire-server-configmap.yaml
+58 b/‎deployment/helm/node-feature-discovery/templates/spire-server-configmap.yaml
+58
diff --git a/‎deployment/helm/node-feature-discovery/templates/spire-server-service-account.yaml
+6 b/‎deployment/helm/node-feature-discovery/templates/spire-server-service-account.yaml
+6
diff --git a/‎deployment/helm/node-feature-discovery/templates/spire-server-service.yaml
+15 b/‎deployment/helm/node-feature-discovery/templates/spire-server-service.yaml
+15
diff --git a/‎deployment/helm/node-feature-discovery/templates/spire-server-statefulset.yaml
+62 b/‎deployment/helm/node-feature-discovery/templates/spire-server-statefulset.yaml
+62
@@ -6,6 +6,7 @@
 # enableTaints: false
 # labelWhiteList: "foo"
 # resyncPeriod: "2h"
+# enableSpiffe: true
 # klog:
 #    addDirHeader: false
 #    alsologtostderr: false
 
@@ -2,6 +2,7 @@
 #  labelWhiteList:
 #  noPublish: false
 #  sleepInterval: 60s
+#  enableSpiffe: true
 #  featureSources: [all]
 #  labelSources: [all]
 #  klog:
 
@@ -115,12 +115,20 @@ spec:
             - "-feature-gates={{ $key }}={{ $value }}"
             {{- end }}
             - "-metrics={{ .Values.master.metricsPort  | default "8081" }}"
+            {{- if .Values.spiffe.enable }}
+            - "-enable-spiffe"
+            {{- end }}
           volumeMounts:
             {{- if .Values.tls.enable }}
             - name: nfd-master-cert
               mountPath: "/etc/kubernetes/node-feature-discovery/certs"
               readOnly: true
             {{- end }}
+            {{- if .Values.spiffe.enable }}
+            - name: spire-agent-socket
+              mountPath: /run/spire/sockets
+              readOnly: true
+            {{- end }}
             - name: nfd-master-conf
               mountPath: "/etc/kubernetes/node-feature-discovery"
               readOnly: true
@@ -130,6 +138,12 @@ spec:
           secret:
             secretName: nfd-master-cert
         {{- end }}
+        {{- if .Values.spiffe.enable }}
+        - name: spire-agent-socket
+          hostPath:
+            path: /run/spire/sockets
+            type: Directory
+        {{- end }}
         - name: nfd-master-conf
           configMap:
             name: {{ include "node-feature-discovery.fullname" . }}-master-conf
 
@@ -0,0 +1,26 @@
+{{- if .Values.spiffe.enable }}
+# Required cluster role to allow spire-agent to query k8s API server
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-agent-cluster-role
+rules:
+- apiGroups: [""]
+  resources: ["pods","nodes","nodes/proxy"]
+  verbs: ["get"]
+
+---
+# Binds above cluster role to spire-agent service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-agent-cluster-role-binding
+subjects:
+- kind: ServiceAccount
+  name: spire-agent
+  namespace: {{ include "node-feature-discovery.namespace" . }}
+roleRef:
+  kind: ClusterRole
+  name: spire-agent-cluster-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
@@ -0,0 +1,45 @@
+{{- if .Values.spiffe.enable }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: spire-agent
+data:
+  agent.conf: |
+    agent {
+      data_dir = "/run/spire"
+      log_level = "DEBUG"
+      server_address = "spire-server"
+      server_port = "8081"
+      socket_path = "/run/spire/sockets/agent.sock"
+      trust_bundle_path = "/run/spire/bundle/bundle.crt"
+      trust_domain = "nfd.com"
+    }
+    plugins {
+      NodeAttestor "k8s_sat" {
+        plugin_data {
+          cluster = "nfd"
+        }
+      }
+      KeyManager "memory" {
+        plugin_data {
+        }
+      }
+      WorkloadAttestor "k8s" {
+        plugin_data {
+          skip_kubelet_verification = true
+          node_name_env = "MY_NODE_NAME"
+        }
+      }
+      WorkloadAttestor "unix" {
+          plugin_data {
+          }
+      }
+    }
+    health_checks {
+      listener_enabled = true
+      bind_address = "0.0.0.0"
+      bind_port = "8080"
+      live_path = "/live"
+      ready_path = "/ready"
+    }
+{{- end }}
@@ -0,0 +1,57 @@
+{{- if .Values.spiffe.enable }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: spire-agent
+  labels:
+    app: spire-agent
+spec:
+  selector:
+    matchLabels:
+      app: spire-agent
+  template:
+    metadata:
+      labels:
+        app: spire-agent
+    spec:
+      hostPID: true
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: spire-agent
+      initContainers:
+        - name: init
+          # This is a small image with wait-for-it, choose whatever image
+          # you prefer that waits for a service to be up. This image is built
+          # from https://github.com/lqhl/wait-for-it
+          image: cgr.dev/chainguard/wait-for-it
+          args: ["-t", "30", "spire-server:8081"]
+      containers:
+        - name: spire-agent
+          image: ghcr.io/spiffe/spire-agent:1.5.1
+          args: ["-config", "/run/spire/config/agent.conf"]
+          env:
+          - name: MY_NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          volumeMounts:
+            - name: spire-config
+              mountPath: /run/spire/config
+              readOnly: true
+            - name: spire-bundle
+              mountPath: /run/spire/bundle
+            - name: spire-agent-socket
+              mountPath: /run/spire/sockets
+              readOnly: false
+      volumes:
+        - name: spire-config
+          configMap:
+            name: spire-agent
+        - name: spire-bundle
+          configMap:
+            name: spire-bundle
+        - name: spire-agent-socket
+          hostPath:
+            path: /run/spire/sockets
+            type: DirectoryOrCreate
+{{- end }}
@@ -0,0 +1,6 @@
+{{- if .Values.spiffe.enable }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: spire-agent
+{{- end }}
@@ -0,0 +1,6 @@
+{{- if .Values.spiffe.enable }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: spire-bundle
+{{- end }}
@@ -0,0 +1,50 @@
+{{- if .Values.spiffe.enable }}
+# Role (namespace scoped) to be able to push certificate bundles to a configmap
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-configmap-role
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["patch", "get", "list"]
+---
+# Binds above role to spire-server service account
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-configmap-role-binding
+  namespace: {{ include "node-feature-discovery.namespace" . }}
+subjects:
+- kind: ServiceAccount
+  name: spire-server
+  namespace: {{ include "node-feature-discovery.namespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: spire-server-configmap-role
+---
+# ClusterRole to allow spire-server node attestor to query Token Review API
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-trust-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+---
+# Binds above cluster role to spire-server service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-trust-role-binding
+subjects:
+- kind: ServiceAccount
+  name: spire-server
+  namespace: {{ include "node-feature-discovery.namespace" . }}
+roleRef:
+  kind: ClusterRole
+  name: spire-server-trust-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
@@ -0,0 +1,58 @@
+{{- if .Values.spiffe.enable }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: spire-server
+data:
+  server.conf: |
+    server {
+      bind_address = "0.0.0.0"
+      bind_port = "8081"
+      socket_path = "/tmp/spire-server/private/api.sock"
+      trust_domain = "nfd.com"
+      data_dir = "/run/spire/data"
+      log_level = "DEBUG"
+      #AWS requires the use of RSA.  EC cryptography is not supported
+      ca_key_type = "rsa-2048"
+      ca_subject = {
+        country = ["US"],
+        organization = ["SPIFFE"],
+        common_name = "nfd.com",
+      }
+    }
+    plugins {
+      DataStore "sql" {
+        plugin_data {
+          database_type = "sqlite3"
+          connection_string = "/run/spire/data/datastore.sqlite3"
+        }
+      }
+      NodeAttestor "k8s_sat" {
+        plugin_data {
+          clusters = {
+            "nfd" = {
+              use_token_review_api_validation = true
+              service_account_allow_list = ["{{ include "node-feature-discovery.namespace" . }}:spire-agent"]
+            }
+          }
+        }
+      }
+      KeyManager "disk" {
+        plugin_data {
+          keys_path = "/run/spire/data/keys.json"
+        }
+      }
+      Notifier "k8sbundle" {
+        plugin_data {
+          namespace = "{{ include "node-feature-discovery.namespace" . }}"
+        }
+      }
+    }
+    health_checks {
+      listener_enabled = true
+      bind_address = "0.0.0.0"
+      bind_port = "8080"
+      live_path = "/live"
+      ready_path = "/ready"
+    }
+{{- end }}
@@ -0,0 +1,6 @@
+{{- if .Values.spiffe.enable }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: spire-server
+{{- end }}
@@ -0,0 +1,15 @@
+{{- if .Values.spiffe.enable }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: spire-server
+spec:
+  type: NodePort
+  ports:
+    - name: grpc
+      port: 8081
+      targetPort: 8081
+      protocol: TCP
+  selector:
+    app: spire-server
+{{- end }}
@@ -0,0 +1,62 @@
+{{- if .Values.spiffe.enable }}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: spire-server
+  labels:
+    app: spire-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: spire-server
+  serviceName: spire-server
+  template:
+    metadata:
+      labels:
+        app: spire-server
+    spec:
+      serviceAccountName: spire-server
+      containers:
+        - name: spire-server
+          image: ghcr.io/spiffe/spire-server:1.5.1
+          args:
+            - -config
+            - /run/spire/config/server.conf
+          ports:
+            - containerPort: 8081
+          volumeMounts:
+            - name: spire-config
+              mountPath: /run/spire/config
+              readOnly: true
+            - name: spire-data
+              mountPath: /run/spire/data
+              readOnly: false
+          livenessProbe:
+            httpGet:
+              path: /live
+              port: 8080
+            failureThreshold: 2
+            initialDelaySeconds: 15
+            periodSeconds: 60
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 5
+      volumes:
+        - name: spire-config
+          configMap:
+            name: spire-server
+  volumeClaimTemplates:
+    - metadata:
+        name: spire-data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+{{- end }}