From 8238a7e3a5f3fe273e78e3b3bedc708f46f45912 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20=C3=96z=C3=A7elik?= Date: Fri, 26 Apr 2024 18:39:42 -0700 Subject: [PATCH] PV Support for VSecM Safe (#947) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * added volume claim templates Signed-off-by: Volkan Özçelik * new yamls Signed-off-by: Volkan Özçelik * update makefiles Signed-off-by: Volkan Özçelik * pvc Signed-off-by: Volkan Özçelik * storageclass fix Signed-off-by: Volkan Özçelik * vsecm-data Signed-off-by: Volkan Özçelik * update build script Signed-off-by: Volkan Özçelik * wait Signed-off-by: Volkan Özçelik * condition Signed-off-by: Volkan Özçelik * removed volume claim templates Signed-off-by: Volkan Özçelik --------- Signed-off-by: Volkan Özçelik --- core/env/safe.go | 5 +- core/env/safe_test.go | 2 +- docs/_pages/0260-changelog.md | 8 +- .../cluster-2/safe/Deployment.yaml | 2 +- .../{Deployment.yaml => StatefulSet.yaml} | 31 ++- helm-charts/0.25.1/charts/safe/values.yaml | 7 +- ...pp.yaml => spire-server-stateful-set.yaml} | 9 +- helm-charts/0.25.1/charts/spire/values.yaml | 5 - k8s/0.25.1/eks/vsecm-distroless-fips.yaml | 212 +++++++++--------- k8s/0.25.1/eks/vsecm-distroless.yaml | 212 +++++++++--------- k8s/0.25.1/local/vsecm-distroless-fips.yaml | 212 +++++++++--------- k8s/0.25.1/local/vsecm-distroless.yaml | 212 +++++++++--------- k8s/0.25.1/remote/vsecm-distroless-fips.yaml | 212 +++++++++--------- k8s/0.25.1/remote/vsecm-distroless.yaml | 212 +++++++++--------- k8s/0.25.1/spire.yaml | 5 +- makefiles/VSecMDeploy.mk | 4 +- 16 files changed, 688 insertions(+), 662 deletions(-) rename helm-charts/0.25.1/charts/safe/templates/{Deployment.yaml => StatefulSet.yaml} (85%) rename helm-charts/0.25.1/charts/spire/templates/{spire-server-app.yaml => spire-server-stateful-set.yaml} (94%) diff --git a/core/env/safe.go b/core/env/safe.go index 85737f5b..8231aeb1 100644 --- a/core/env/safe.go +++ b/core/env/safe.go 
@@ -230,11 +230,12 @@ func ManualRootKeyUpdatesK8sSecret() bool {
 
 // DataPathForSafe returns the path to the safe data directory.
 // The path is determined by the VSECM_SAFE_DATA_PATH environment variable.
-// If the environment variable is not set, the default path "/data" is returned.
+// If the environment variable is not set, the default path "/var/local/vsecm/data"
+// is returned.
 func DataPathForSafe() string {
 	p := os.Getenv("VSECM_SAFE_DATA_PATH")
 	if p == "" {
-		p = "/data"
+		p = "/var/local/vsecm/data"
 	}
 	return p
 }
diff --git a/core/env/safe_test.go b/core/env/safe_test.go
index 0946518c..dc6d8881 100644
--- a/core/env/safe_test.go
+++ b/core/env/safe_test.go
@@ -599,7 +599,7 @@ func TestSafeDataPath(t *testing.T) {
 	}{
 		{
 			name: "default_safe_data_path",
-			want: "/data",
+			want: "/var/local/vsecm/data",
 		},
 		{
 			name: "safe_data_path_from_env",
diff --git a/docs/_pages/0260-changelog.md b/docs/_pages/0260-changelog.md
index fecf3133..988aec51 100644
--- a/docs/_pages/0260-changelog.md
+++ b/docs/_pages/0260-changelog.md
@@ -18,7 +18,13 @@ next_url: /docs/releases/
 
 ## Recent Updates
 
-TBD
+* Converted VSecM Safe and SPIRE Server to StatefulSets (because they are stateful).
+* VSecM Sentinel "init command" loop now exits the container if it cannot execute commands after exponential backoff. The former behavior was to retry forever, and that was not a cloud-native way of handling the situation. Panicking early and thus killing the pod fixed issues with things like persistent volumes and CSI drivers.
+* Minor bug fixes in the VSecM Sentinel init command workflow.
 
 ## [0.25.0] - 2024-04-24
 
diff --git a/examples/workshop_federation/cluster-2/safe/Deployment.yaml b/examples/workshop_federation/cluster-2/safe/Deployment.yaml
index ae191e4a..6bbcd4f8 100644
--- a/examples/workshop_federation/cluster-2/safe/Deployment.yaml
+++ b/examples/workshop_federation/cluster-2/safe/Deployment.yaml
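Review bot: DataPathForSafe still hands the VSECM_SAFE_DATA_PATH value back verbatim, so a trailing slash, a `..` segment or a relative value reaches the file store unchanged; since this directory is where the encrypted backups are written, normalizing it is cheap insurance: `p = filepath.Clean(p)` before `return p` (the `path/filepath` import would sit outside this hunk). The new default literal is now duplicated in safe_test.go, the chart's values.yaml and the example Deployment on this page; a package-level `const defaultSafeDataPath = "/var/local/vsecm/data"` used here and cited from the doc comment gives those sites one name to keep in step with. The safe_test.go hunk on this line needs no change beyond that.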
@@ -65,7 +65,7 @@ spec: - name: VSECM_SAFE_SPIFFEID_PREFIX value: "spiffe://cluster2.demo/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - name: VSECM_SAFE_DATA_PATH - value: "/data" + value: "/var/local/vsecm/data" - name: VSECM_ROOT_KEY_NAME value: "vsecm-root-key" - name: VSECM_ROOT_KEY_PATH diff --git a/helm-charts/0.25.1/charts/safe/templates/Deployment.yaml b/helm-charts/0.25.1/charts/safe/templates/StatefulSet.yaml similarity index 85% rename from helm-charts/0.25.1/charts/safe/templates/Deployment.yaml rename to helm-charts/0.25.1/charts/safe/templates/StatefulSet.yaml index 25d3beb3..0ee1da0a 100644 --- a/helm-charts/0.25.1/charts/safe/templates/Deployment.yaml +++ b/helm-charts/0.25.1/charts/safe/templates/StatefulSet.yaml @@ -9,7 +9,7 @@ # */ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: {{ include "safe.fullname" . }} namespace: {{ .Values.global.vsecm.namespace }} @@ -50,11 +50,12 @@ spec: name: http protocol: TCP volumeMounts: + - name: vsecm-data + mountPath: {{ .Values.data.hostPath.path }} + readOnly: false - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: vsecm-data - mountPath: /data - name: vsecm-root-key mountPath: /key readOnly: true @@ -99,16 +100,15 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true + +{{- if not .Values.data.persistent }} # `vsecm-data` is used to persist the encrypted backups of the secrets. - name: vsecm-data - {{- if .Values.data.persistent }} - persistentVolumeClaim: - claimName: {{ .Values.data.persistentVolumeClaim.claimName }} - {{- else }} hostPath: path: {{ .Values.data.hostPath.path }} type: DirectoryOrCreate - {{- end }} +{{- end}} + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - name: vsecm-root-key secret: 
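Review bot: The example's VSECM_SAFE_DATA_PATH now points at /var/local/vsecm/data, but this hunk does not touch the container's volumeMounts; if the example still mounts `vsecm-data` at `/data` (as the chart did on the old side of the StatefulSet hunk further down this line), Safe will write its encrypted backups to the container's ephemeral filesystem and they will not survive a pod restart. Either update the mount in the same file to `mountPath: /var/local/vsecm/data` or leave the env var at the old path until the mount is moved. The Deployment's pod spec continues outside the hunk, so this is inferred from the shape of the chart rather than seen.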
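Review bot: In the volumeMounts hunk of StatefulSet.yaml the `vsecm-data` mount path is taken from `.Values.data.hostPath.path` in both persistence modes, while the path Safe actually writes to comes from the VSECM_SAFE_DATA_PATH entry in the `environments` list of values.yaml, a separate literal; a user who overrides `data.hostPath.path` moves the mount but not the write path, and backups silently land on the ephemeral container filesystem. Since both live in values.yaml the template cannot tie them together unless it injects the env var itself, e.g. `- name: VSECM_SAFE_DATA_PATH` / `value: {{ .Values.data.hostPath.path | quote }}` in the container's env block, or at minimum the values.yaml comment should state that the two must match. Separately, `spec.serviceName` does not appear in any hunk of this template and apps/v1 StatefulSet expects it (the spire-server template on this page keeps `serviceName: spire-server`); if it is not already in the unchanged part of the file, a headless Service and a `serviceName` line are needed. `readOnly: false` on the new mount is the default and can be dropped.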
@@ -116,3 +116,18 @@ spec: items: - key: KEY_TXT path: key.txt + +{{- if .Values.data.persistent }} + volumeClaimTemplates: + - metadata: + name: vsecm-data + spec: + accessModes: + - {{ .Values.data.persistentVolumeClaim.accessMode | default "ReadWriteOnce" }} + resources: + requests: + storage: {{ .Values.data.persistentVolumeClaim.size }} + {{- if .Values.data.persistentVolumeClaim.storageClass }} + storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/helm-charts/0.25.1/charts/safe/values.yaml b/helm-charts/0.25.1/charts/safe/values.yaml index 3bddaa46..7797a63c 100644 --- a/helm-charts/0.25.1/charts/safe/values.yaml +++ b/helm-charts/0.25.1/charts/safe/values.yaml @@ -22,7 +22,10 @@ data: persistent: false # Define the PVC if `persistent` is true. persistentVolumeClaim: - claimName: "your-pvc-name" # Replace with your PVC name. + storageClass: "" + accessMode: ReadWriteOnce + size: 1Gi + # Define the hostPath if `persistent` is false. hostPath: path: "/var/local/vsecm/data" @@ -45,7 +48,7 @@ environments: - name: VSECM_ROOT_KEY_PATH value: "/key/key.txt" - name: VSECM_SAFE_DATA_PATH - value: "/data" + value: "/var/local/vsecm/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - name: VSECM_SAFE_FIPS_COMPLIANT diff --git a/helm-charts/0.25.1/charts/spire/templates/spire-server-app.yaml b/helm-charts/0.25.1/charts/spire/templates/spire-server-stateful-set.yaml similarity index 94% rename from helm-charts/0.25.1/charts/spire/templates/spire-server-app.yaml rename to helm-charts/0.25.1/charts/spire/templates/spire-server-stateful-set.yaml index de3f780a..2538c64b 100644 --- a/helm-charts/0.25.1/charts/spire/templates/spire-server-app.yaml +++ b/helm-charts/0.25.1/charts/spire/templates/spire-server-stateful-set.yaml 
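Review bot: Replacing `claimName` with `storageClass`/`accessMode`/`size` in safe/values.yaml is a breaking change for anyone who set `data.persistentVolumeClaim.claimName` — the old key is now ignored without warning and a fresh claim is created from the `volumeClaimTemplates` block instead, so existing backups in a pre-provisioned PVC are no longer mounted. The changelog entry on this page mentions the StatefulSet conversion but not this; a line there plus a values.yaml comment such as `# claimName is no longer supported: the chart now creates the claim itself` would flag it. Worth a sentence in the same comment: with `persistent: true` the claim is created by the StatefulSet and, by Kubernetes default, is not removed on `helm uninstall`, so the encrypted backups outlive the release until the PVC is deleted explicitly. The `\ No newline at end of file` on StatefulSet.yaml is cosmetic but easy to fix while here.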
@@ -9,11 +9,7 @@ # */ apiVersion: apps/v1 -{{- if eq .Values.server.kind "deployment" }} -kind: Deployment -{{- else }} kind: StatefulSet -{{- end }} metadata: name: spire-server namespace: {{ .Values.global.spire.namespace }} @@ -21,10 +17,7 @@ metadata: app: spire-server app.kubernetes.io/component: server spec: - {{- if eq .Values.server.kind "statefulset" }} - # noinspection KubernetesUnknownKeys serviceName: spire-server - {{- end }} replicas: {{ .Values.replicaCount }} selector: matchLabels: @@ -132,6 +125,6 @@ spec: requests: storage: {{ .Values.data.persistentVolumeClaim.size }} {{- if .Values.data.persistentVolumeClaim.storageClass }} - storageClassName: {{ .Values.data.persistentVolumeClaim }} + storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }} {{- end }} {{- end }} diff --git a/helm-charts/0.25.1/charts/spire/values.yaml b/helm-charts/0.25.1/charts/spire/values.yaml index 208f1534..a38f87d6 100644 --- a/helm-charts/0.25.1/charts/spire/values.yaml +++ b/helm-charts/0.25.1/charts/spire/values.yaml @@ -17,11 +17,6 @@ ## @param replicaCount SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. replicaCount: 1 -## @param server.kind Define SPIRE server deployment type. -## Can be statefulset/deployment. Defaults to statefulset if not set. This feature is experimental. -server: - kind: deployment - # Override it with an image pull secret that you need as follows: # imagePullSecrets: # - name: my-registry-secret diff --git a/k8s/0.25.1/eks/vsecm-distroless-fips.yaml b/k8s/0.25.1/eks/vsecm-distroless-fips.yaml index 74d90d03..15605020 100644 --- a/k8s/0.25.1/eks/vsecm-distroless-fips.yaml +++ b/k8s/0.25.1/eks/vsecm-distroless-fips.yaml 
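Review bot: Dropping the `server.kind` switch here (and the `server.kind` value in spire/values.yaml on this line) turns a configurable knob into a hard StatefulSet; users carrying `server.kind: deployment` in their own values now have a dead key with no warning, and Helm cannot convert a Deployment into a StatefulSet in place — the upgrade deletes the old `spire-server` Deployment and creates the StatefulSet, so a changelog sentence about the expected SPIRE server restart (and, if the datastore does not carry over, agents re-attesting) would help operators plan. The `storageClassName` fix in the last hunk, `{{ .Values.data.persistentVolumeClaim.storageClass }}`, is correct; the old expression would have rendered the whole map into the field.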
@@ -397,7 +397,7 @@ spec: driver: "csi.spiffe.io" readOnly: true --- -# Source: vsecm/charts/safe/templates/Deployment.yaml +# Source: vsecm/charts/sentinel/templates/Deployment.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -411,11 +411,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: vsecm-safe + name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: safe-0.25.1 - app.kubernetes.io/name: vsecm-safe + helm.sh/chart: sentinel-0.25.1 + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system app.kubernetes.io/version: "0.25.1" @@ -424,17 +424,17 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system template: metadata: labels: - app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system spec: - serviceAccountName: vsecm-safe + serviceAccountName: vsecm-sentinel securityContext: {} 
@@ -442,29 +442,24 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.25.1" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.25.1" imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: vsecm-data - mountPath: /data - - name: vsecm-root-key - mountPath: /key - readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init # - # You can configure VSecM Safe by providing environment variables. + # You can configure VSecM Sentinel by providing + # environment variables. # # See https://vsecm.com/configuration for more information about # these environment variables. # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. # env: - name: SPIFFE_ENDPOINT_SOCKET 
@@ -473,66 +468,30 @@ spec: value: "7" - name: VSECM_PROBE_LIVENESS_PORT value: ":8081" - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - name: VSECM_SAFE_DATA_PATH - value: "/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE - value: "10" - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - name: VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX - value: "k8s:" - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - name: VSECM_SAFE_SPIFFEID_PREFIX value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SENTINEL_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER value: "false" - - name: VSECM_SYSTEM_NAMESPACE - valueFrom: - 
fieldRef: - fieldPath: metadata.namespace livenessProbe: httpGet: path: / port: 8081 initialDelaySeconds: 1 periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 resources: requests: memory: 20Mi @@ -544,20 +503,11 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key + - name: init-command-volume secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt + secretName: vsecm-sentinel-init-secret --- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# Source: vsecm/charts/safe/templates/StatefulSet.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -569,13 +519,13 @@ spec: # */ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: - name: vsecm-sentinel + name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.25.1 - app.kubernetes.io/name: vsecm-sentinel + helm.sh/chart: safe-0.25.1 + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system app.kubernetes.io/version: "0.25.1" @@ -584,17 +534,17 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system template: metadata: labels: - app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system spec: - serviceAccountName: vsecm-sentinel + serviceAccountName: vsecm-safe securityContext: {} 
@@ -602,24 +552,30 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.25.1" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.25.1" imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init + - name: vsecm-root-key + mountPath: /key + readOnly: true # - # You can configure VSecM Sentinel by providing - # environment variables. + # You can configure VSecM Safe by providing environment variables. # # See https://vsecm.com/configuration for more information about # these environment variables. # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. # env: - name: SPIFFE_ENDPOINT_SOCKET 
@@ -628,30 +584,66 @@ spec: value: "7" - name: VSECM_PROBE_LIVENESS_PORT value: ":8081" + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + - name: VSECM_SAFE_BACKING_STORE + value: "file" + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE + value: "10" + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + - name: VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX + value: "k8s:" - name: VSECM_SAFE_TLS_PORT value: ":8443" - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" + - name: VSECM_SAFE_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" + - name: VSECM_WORKLOAD_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/" - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - name: 
VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER value: "false" + - name: VSECM_SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace livenessProbe: httpGet: path: / port: 8081 initialDelaySeconds: 1 periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 resources: requests: memory: 20Mi @@ -663,9 +655,19 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true - - name: init-command-volume + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key secret: - secretName: vsecm-sentinel-init-secret + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt --- # Source: vsecm/charts/keystone/templates/Identity.yaml # /* diff --git a/k8s/0.25.1/eks/vsecm-distroless.yaml b/k8s/0.25.1/eks/vsecm-distroless.yaml index 01cc8d84..e09e13a7 100644 --- a/k8s/0.25.1/eks/vsecm-distroless.yaml +++ b/k8s/0.25.1/eks/vsecm-distroless.yaml @@ -397,7 +397,7 @@ spec: driver: "csi.spiffe.io" readOnly: true --- -# Source: vsecm/charts/safe/templates/Deployment.yaml +# Source: vsecm/charts/sentinel/templates/Deployment.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -411,11 +411,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: vsecm-safe + name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: safe-0.25.1 - app.kubernetes.io/name: vsecm-safe + helm.sh/chart: sentinel-0.25.1 + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system app.kubernetes.io/version: "0.25.1" 
@@ -424,17 +424,17 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system template: metadata: labels: - app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system spec: - serviceAccountName: vsecm-safe + serviceAccountName: vsecm-sentinel securityContext: {} @@ -442,29 +442,24 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.25.1" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.25.1" imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: vsecm-data - mountPath: /data - - name: vsecm-root-key - mountPath: /key - readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init # - # You can configure VSecM Safe by providing environment variables. + # You can configure VSecM Sentinel by providing + # environment variables. # # See https://vsecm.com/configuration for more information about # these environment variables. # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. # env: - name: SPIFFE_ENDPOINT_SOCKET 
@@ -473,66 +468,30 @@ spec: value: "7" - name: VSECM_PROBE_LIVENESS_PORT value: ":8081" - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - name: VSECM_SAFE_DATA_PATH - value: "/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE - value: "10" - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - name: VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX - value: "k8s:" - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - name: VSECM_SAFE_SPIFFEID_PREFIX value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SENTINEL_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER value: "false" - - name: VSECM_SYSTEM_NAMESPACE - valueFrom: - 
fieldRef: - fieldPath: metadata.namespace livenessProbe: httpGet: path: / port: 8081 initialDelaySeconds: 1 periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 resources: requests: memory: 20Mi @@ -544,20 +503,11 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key + - name: init-command-volume secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt + secretName: vsecm-sentinel-init-secret --- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# Source: vsecm/charts/safe/templates/StatefulSet.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -569,13 +519,13 @@ spec: # */ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: - name: vsecm-sentinel + name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.25.1 - app.kubernetes.io/name: vsecm-sentinel + helm.sh/chart: safe-0.25.1 + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system app.kubernetes.io/version: "0.25.1" @@ -584,17 +534,17 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system template: metadata: labels: - app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system spec: - serviceAccountName: vsecm-sentinel + serviceAccountName: vsecm-safe securityContext: {} 
@@ -602,24 +552,30 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.25.1" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.25.1" imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init + - name: vsecm-root-key + mountPath: /key + readOnly: true # - # You can configure VSecM Sentinel by providing - # environment variables. + # You can configure VSecM Safe by providing environment variables. # # See https://vsecm.com/configuration for more information about # these environment variables. # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. # env: - name: SPIFFE_ENDPOINT_SOCKET 
@@ -628,30 +584,66 @@ spec: value: "7" - name: VSECM_PROBE_LIVENESS_PORT value: ":8081" + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + - name: VSECM_SAFE_BACKING_STORE + value: "file" + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE + value: "10" + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + - name: VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX + value: "k8s:" - name: VSECM_SAFE_TLS_PORT value: ":8443" - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" + - name: VSECM_SAFE_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" + - name: VSECM_WORKLOAD_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/" - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - name: 
VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER value: "false" + - name: VSECM_SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace livenessProbe: httpGet: path: / port: 8081 initialDelaySeconds: 1 periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 resources: requests: memory: 20Mi @@ -663,9 +655,19 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true - - name: init-command-volume + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key secret: - secretName: vsecm-sentinel-init-secret + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt --- # Source: vsecm/charts/keystone/templates/Identity.yaml # /* diff --git a/k8s/0.25.1/local/vsecm-distroless-fips.yaml b/k8s/0.25.1/local/vsecm-distroless-fips.yaml index 920380a2..02e7b07f 100644 --- a/k8s/0.25.1/local/vsecm-distroless-fips.yaml +++ b/k8s/0.25.1/local/vsecm-distroless-fips.yaml @@ -397,7 +397,7 @@ spec: driver: "csi.spiffe.io" readOnly: true --- -# Source: vsecm/charts/safe/templates/Deployment.yaml +# Source: vsecm/charts/sentinel/templates/Deployment.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -411,11 +411,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: vsecm-safe + name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: safe-0.25.1 - app.kubernetes.io/name: vsecm-safe + helm.sh/chart: sentinel-0.25.1 + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system app.kubernetes.io/version: "0.25.1" 
@@ -424,17 +424,17 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system template: metadata: labels: - app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system spec: - serviceAccountName: vsecm-safe + serviceAccountName: vsecm-sentinel securityContext: {} @@ -442,29 +442,24 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-fips-safe:0.25.1" + image: "localhost:5000/vsecm-ist-fips-sentinel:0.25.1" imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: vsecm-data - mountPath: /data - - name: vsecm-root-key - mountPath: /key - readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init # - # You can configure VSecM Safe by providing environment variables. + # You can configure VSecM Sentinel by providing + # environment variables. # # See https://vsecm.com/configuration for more information about # these environment variables. # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. # env: - name: SPIFFE_ENDPOINT_SOCKET 
@@ -473,66 +468,30 @@ spec: value: "7" - name: VSECM_PROBE_LIVENESS_PORT value: ":8081" - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - name: VSECM_SAFE_DATA_PATH - value: "/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE - value: "10" - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - name: VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX - value: "k8s:" - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - name: VSECM_SAFE_SPIFFEID_PREFIX value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SENTINEL_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER value: "false" - - name: VSECM_SYSTEM_NAMESPACE - valueFrom: - 
fieldRef: - fieldPath: metadata.namespace livenessProbe: httpGet: path: / port: 8081 initialDelaySeconds: 1 periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 resources: requests: memory: 20Mi @@ -544,20 +503,11 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key + - name: init-command-volume secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt + secretName: vsecm-sentinel-init-secret --- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# Source: vsecm/charts/safe/templates/StatefulSet.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -569,13 +519,13 @@ spec: # */ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: - name: vsecm-sentinel + name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.25.1 - app.kubernetes.io/name: vsecm-sentinel + helm.sh/chart: safe-0.25.1 + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system app.kubernetes.io/version: "0.25.1" @@ -584,17 +534,17 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system template: metadata: labels: - app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system spec: - serviceAccountName: vsecm-sentinel + serviceAccountName: vsecm-safe securityContext: {} 
@@ -602,24 +552,30 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-fips-sentinel:0.25.1" + image: "localhost:5000/vsecm-ist-fips-safe:0.25.1" imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init + - name: vsecm-root-key + mountPath: /key + readOnly: true # - # You can configure VSecM Sentinel by providing - # environment variables. + # You can configure VSecM Safe by providing environment variables. # # See https://vsecm.com/configuration for more information about # these environment variables. # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. # env: - name: SPIFFE_ENDPOINT_SOCKET 
@@ -628,30 +584,66 @@ spec: value: "7" - name: VSECM_PROBE_LIVENESS_PORT value: ":8081" + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + - name: VSECM_SAFE_BACKING_STORE + value: "file" + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE + value: "10" + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + - name: VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX + value: "k8s:" - name: VSECM_SAFE_TLS_PORT value: ":8443" - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" + - name: VSECM_SAFE_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" + - name: VSECM_WORKLOAD_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/" - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - name: 
VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER value: "false" + - name: VSECM_SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace livenessProbe: httpGet: path: / port: 8081 initialDelaySeconds: 1 periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 resources: requests: memory: 20Mi @@ -663,9 +655,19 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true - - name: init-command-volume + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key secret: - secretName: vsecm-sentinel-init-secret + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt --- # Source: vsecm/charts/keystone/templates/Identity.yaml # /* diff --git a/k8s/0.25.1/local/vsecm-distroless.yaml b/k8s/0.25.1/local/vsecm-distroless.yaml index 2b0af430..3f9848cb 100644 --- a/k8s/0.25.1/local/vsecm-distroless.yaml +++ b/k8s/0.25.1/local/vsecm-distroless.yaml @@ -397,7 +397,7 @@ spec: driver: "csi.spiffe.io" readOnly: true --- -# Source: vsecm/charts/safe/templates/Deployment.yaml +# Source: vsecm/charts/sentinel/templates/Deployment.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -411,11 +411,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: vsecm-safe + name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: safe-0.25.1 - app.kubernetes.io/name: vsecm-safe + helm.sh/chart: sentinel-0.25.1 + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system app.kubernetes.io/version: "0.25.1" 
@@ -424,17 +424,17 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system template: metadata: labels: - app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system spec: - serviceAccountName: vsecm-safe + serviceAccountName: vsecm-sentinel securityContext: {} @@ -442,29 +442,24 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-safe:0.25.1" + image: "localhost:5000/vsecm-ist-sentinel:0.25.1" imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: vsecm-data - mountPath: /data - - name: vsecm-root-key - mountPath: /key - readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init # - # You can configure VSecM Safe by providing environment variables. + # You can configure VSecM Sentinel by providing + # environment variables. # # See https://vsecm.com/configuration for more information about # these environment variables. # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. # env: - name: SPIFFE_ENDPOINT_SOCKET 
@@ -473,66 +468,30 @@ spec: value: "7" - name: VSECM_PROBE_LIVENESS_PORT value: ":8081" - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - name: VSECM_SAFE_DATA_PATH - value: "/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE - value: "10" - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - name: VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX - value: "k8s:" - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - name: VSECM_SAFE_SPIFFEID_PREFIX value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SENTINEL_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER value: "false" - - name: VSECM_SYSTEM_NAMESPACE - valueFrom: - 
fieldRef: - fieldPath: metadata.namespace livenessProbe: httpGet: path: / port: 8081 initialDelaySeconds: 1 periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 resources: requests: memory: 20Mi @@ -544,20 +503,11 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key + - name: init-command-volume secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt + secretName: vsecm-sentinel-init-secret --- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# Source: vsecm/charts/safe/templates/StatefulSet.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -569,13 +519,13 @@ spec: # */ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: - name: vsecm-sentinel + name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.25.1 - app.kubernetes.io/name: vsecm-sentinel + helm.sh/chart: safe-0.25.1 + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system app.kubernetes.io/version: "0.25.1" @@ -584,17 +534,17 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system template: metadata: labels: - app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system spec: - serviceAccountName: vsecm-sentinel + serviceAccountName: vsecm-safe securityContext: {} 
@@ -602,24 +552,30 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-sentinel:0.25.1" + image: "localhost:5000/vsecm-ist-safe:0.25.1" imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init + - name: vsecm-root-key + mountPath: /key + readOnly: true # - # You can configure VSecM Sentinel by providing - # environment variables. + # You can configure VSecM Safe by providing environment variables. # # See https://vsecm.com/configuration for more information about # these environment variables. # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. # env: - name: SPIFFE_ENDPOINT_SOCKET 
@@ -628,30 +584,66 @@ spec: value: "7" - name: VSECM_PROBE_LIVENESS_PORT value: ":8081" + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + - name: VSECM_SAFE_BACKING_STORE + value: "file" + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE + value: "10" + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + - name: VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX + value: "k8s:" - name: VSECM_SAFE_TLS_PORT value: ":8443" - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" + - name: VSECM_SAFE_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" + - name: VSECM_WORKLOAD_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/" - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - name: 
VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER value: "false" + - name: VSECM_SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace livenessProbe: httpGet: path: / port: 8081 initialDelaySeconds: 1 periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 resources: requests: memory: 20Mi @@ -663,9 +655,19 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true - - name: init-command-volume + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key secret: - secretName: vsecm-sentinel-init-secret + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt --- # Source: vsecm/charts/keystone/templates/Identity.yaml # /* diff --git a/k8s/0.25.1/remote/vsecm-distroless-fips.yaml b/k8s/0.25.1/remote/vsecm-distroless-fips.yaml index 496ff60d..cec58412 100644 --- a/k8s/0.25.1/remote/vsecm-distroless-fips.yaml +++ b/k8s/0.25.1/remote/vsecm-distroless-fips.yaml @@ -397,7 +397,7 @@ spec: driver: "csi.spiffe.io" readOnly: true --- -# Source: vsecm/charts/safe/templates/Deployment.yaml +# Source: vsecm/charts/sentinel/templates/Deployment.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -411,11 +411,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: vsecm-safe + name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: safe-0.25.1 - app.kubernetes.io/name: vsecm-safe + helm.sh/chart: sentinel-0.25.1 + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system app.kubernetes.io/version: "0.25.1" 
@@ -424,17 +424,17 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system template: metadata: labels: - app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system spec: - serviceAccountName: vsecm-safe + serviceAccountName: vsecm-sentinel securityContext: {} @@ -442,29 +442,24 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-fips-safe:0.25.1" + image: "vsecm/vsecm-ist-fips-sentinel:0.25.1" imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: vsecm-data - mountPath: /data - - name: vsecm-root-key - mountPath: /key - readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init # - # You can configure VSecM Safe by providing environment variables. + # You can configure VSecM Sentinel by providing + # environment variables. # # See https://vsecm.com/configuration for more information about # these environment variables. # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. # env: - name: SPIFFE_ENDPOINT_SOCKET 
@@ -473,66 +468,30 @@ spec: value: "7" - name: VSECM_PROBE_LIVENESS_PORT value: ":8081" - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - name: VSECM_SAFE_DATA_PATH - value: "/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE - value: "10" - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - name: VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX - value: "k8s:" - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - name: VSECM_SAFE_SPIFFEID_PREFIX value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SENTINEL_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER value: "false" - - name: VSECM_SYSTEM_NAMESPACE - valueFrom: - 
fieldRef: - fieldPath: metadata.namespace livenessProbe: httpGet: path: / port: 8081 initialDelaySeconds: 1 periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 resources: requests: memory: 20Mi @@ -544,20 +503,11 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key + - name: init-command-volume secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt + secretName: vsecm-sentinel-init-secret --- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# Source: vsecm/charts/safe/templates/StatefulSet.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -569,13 +519,13 @@ spec: # */ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: - name: vsecm-sentinel + name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.25.1 - app.kubernetes.io/name: vsecm-sentinel + helm.sh/chart: safe-0.25.1 + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system app.kubernetes.io/version: "0.25.1" @@ -584,17 +534,17 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system template: metadata: labels: - app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system spec: - serviceAccountName: vsecm-sentinel + serviceAccountName: vsecm-safe securityContext: {} 
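Review bot: The `kind: Deployment` → `kind: StatefulSet` change in the `@@ -569,13 +519,13 @@` hunk is not accompanied by a `spec.serviceName`, and the hunk headers leave no room for one elsewhere in the Safe object (every gap between the Safe hunks has the same old/new line count, so the hidden lines are unchanged Deployment context). On Kubernetes releases current at the time of this commit I believe `serviceName` is still a required field of an apps/v1 StatefulSet spec (it only became optional later), so I would expect `kubectl apply` or the API server to reject this manifest; please confirm against the target cluster version. The fix is a single line in the chart template, next to `replicas: 1`: `serviceName: vsecm-safe`, which can point at the existing `vsecm-safe` Service already referenced by `VSECM_SAFE_ENDPOINT_URL` (a headless Service is only needed if per-pod DNS identity is wanted). Since these files are rendered Helm output (`# Source: vsecm/charts/safe/templates/StatefulSet.yaml`), the change belongs in the chart, with the `k8s/0.25.1/*` files regenerated.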
@@ -602,24 +552,30 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-fips-sentinel:0.25.1" + image: "vsecm/vsecm-ist-fips-safe:0.25.1" imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init + - name: vsecm-root-key + mountPath: /key + readOnly: true # - # You can configure VSecM Sentinel by providing - # environment variables. + # You can configure VSecM Safe by providing environment variables. # # See https://vsecm.com/configuration for more information about # these environment variables. # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. # env: - name: SPIFFE_ENDPOINT_SOCKET 
@@ -628,30 +584,66 @@ spec: value: "7" - name: VSECM_PROBE_LIVENESS_PORT value: ":8081" + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + - name: VSECM_SAFE_BACKING_STORE + value: "file" + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE + value: "10" + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + - name: VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX + value: "k8s:" - name: VSECM_SAFE_TLS_PORT value: ":8443" - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" + - name: VSECM_SAFE_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" + - name: VSECM_WORKLOAD_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/" - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - name: 
VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER value: "false" + - name: VSECM_SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace livenessProbe: httpGet: path: / port: 8081 initialDelaySeconds: 1 periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 resources: requests: memory: 20Mi @@ -663,9 +655,19 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true - - name: init-command-volume + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key secret: - secretName: vsecm-sentinel-init-secret + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt --- # Source: vsecm/charts/keystone/templates/Identity.yaml # /* diff --git a/k8s/0.25.1/remote/vsecm-distroless.yaml b/k8s/0.25.1/remote/vsecm-distroless.yaml index f85ff76c..8cea56d5 100644 --- a/k8s/0.25.1/remote/vsecm-distroless.yaml +++ b/k8s/0.25.1/remote/vsecm-distroless.yaml @@ -397,7 +397,7 @@ spec: driver: "csi.spiffe.io" readOnly: true --- -# Source: vsecm/charts/safe/templates/Deployment.yaml +# Source: vsecm/charts/sentinel/templates/Deployment.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -411,11 +411,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: vsecm-safe + name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: safe-0.25.1 - app.kubernetes.io/name: vsecm-safe + helm.sh/chart: sentinel-0.25.1 + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system app.kubernetes.io/version: "0.25.1" 
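Review bot: The new `vsecm-data` volume in the `@@ -663,9 +655,19 @@` hunk is a `hostPath` (`/var/local/vsecm/data`, `DirectoryOrCreate`) rather than a PersistentVolumeClaim, despite the PR title, so the encrypted secret backups live on whichever node the single Safe replica happens to land on: with no node pin visible in these hunks a reschedule starts from an empty directory and the old backups are left behind on the previous node, and `hostPath` volumes are rejected by the Pod Security Standards `baseline` profile, so this manifest cannot run in a PSA-enforced namespace. The pod's `securityContext` is `{}`, so the directory the kubelet creates on the host is presumably root-owned and the container writes to it with whatever UID the image defaults to; worth confirming the on-disk permissions, given the root key that decrypts these backups is mounted from the `vsecm-root-key` Secret in the same pod. For the `remote`/`eks` manifests I would back the volume by a claim instead, `- name: vsecm-data` / `persistentVolumeClaim:` / `claimName: vsecm-data`, and keep `hostPath` only as an opt-in for the `local` variants. This is rendered Helm output, so the change goes in the safe chart's `values.yaml`/template and the rendered files are regenerated from it.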
@@ -424,17 +424,17 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system template: metadata: labels: - app.kubernetes.io/name: vsecm-safe + app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system spec: - serviceAccountName: vsecm-safe + serviceAccountName: vsecm-sentinel securityContext: {} @@ -442,29 +442,24 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-safe:0.25.1" + image: "vsecm/vsecm-ist-sentinel:0.25.1" imagePullPolicy: IfNotPresent - ports: - - containerPort: 8443 - name: http - protocol: TCP volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: vsecm-data - mountPath: /data - - name: vsecm-root-key - mountPath: /key - readOnly: true + - name: init-command-volume + # /opt/vsecm-sentinel/init/data will contain the init script. + mountPath: /opt/vsecm-sentinel/init # - # You can configure VSecM Safe by providing environment variables. + # You can configure VSecM Sentinel by providing + # environment variables. # # See https://vsecm.com/configuration for more information about # these environment variables. # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. + # When you don't explicitly provide env vars here, VMware Secrets Manager + # Sentinel will assume the default values outlined in the given link above. # env: - name: SPIFFE_ENDPOINT_SOCKET 
@@ -473,66 +468,30 @@ spec: value: "7" - name: VSECM_PROBE_LIVENESS_PORT value: ":8081" - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - - name: VSECM_SAFE_BACKING_STORE - value: "file" - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - - name: VSECM_ROOT_KEY_NAME - value: "vsecm-root-key" - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - - name: VSECM_SAFE_DATA_PATH - value: "/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE - value: "10" - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - - name: VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX - value: "k8s:" - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - name: VSECM_SAFE_SPIFFEID_PREFIX value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_WORKLOAD_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/" + - name: VSECM_SAFE_TLS_PORT + value: ":8443" + - name: VSECM_SENTINEL_INIT_COMMAND_PATH + value: "/opt/vsecm-sentinel/init/data" + - name: VSECM_SENTINEL_LOGGER_URL + value: "localhost:50051" + - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX + value: "gen:" + - name: VSECM_SENTINEL_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - name: VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER value: "false" - - name: VSECM_SYSTEM_NAMESPACE - valueFrom: - 
fieldRef: - fieldPath: metadata.namespace livenessProbe: httpGet: path: / port: 8081 initialDelaySeconds: 1 periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8082 - initialDelaySeconds: 1 - periodSeconds: 10 resources: requests: memory: 20Mi @@ -544,20 +503,11 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: /var/local/vsecm/data - type: DirectoryOrCreate - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key + - name: init-command-volume secret: - secretName: vsecm-root-key - items: - - key: KEY_TXT - path: key.txt + secretName: vsecm-sentinel-init-secret --- -# Source: vsecm/charts/sentinel/templates/Deployment.yaml +# Source: vsecm/charts/safe/templates/StatefulSet.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -569,13 +519,13 @@ spec: # */ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: - name: vsecm-sentinel + name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.25.1 - app.kubernetes.io/name: vsecm-sentinel + helm.sh/chart: safe-0.25.1 + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system app.kubernetes.io/version: "0.25.1" @@ -584,17 +534,17 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system template: metadata: labels: - app.kubernetes.io/name: vsecm-sentinel + app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system spec: - serviceAccountName: vsecm-sentinel + serviceAccountName: vsecm-safe securityContext: {} 
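Review bot: The `vsecm-safe` object becomes `kind: StatefulSet` here, but unlike the spire-server conversion later in this diff (which adds `serviceName: spire-server`), no `spec.serviceName` appears in this hunk or the following one that shows `spec:` and `replicas: 1`; apps/v1 validation has required that field, so the rendered manifest would be rejected on apply unless it is set somewhere outside the hunks. If it is missing, add `serviceName: vsecm-safe` under `spec:` beside `replicas: 1`, and make the change in `charts/safe/templates/StatefulSet.yaml` so every rendered variant picks it up. The same check applies to the other vsecm-distroless manifests in this commit.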
@@ -602,24 +552,30 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-sentinel:0.25.1" + image: "vsecm/vsecm-ist-safe:0.25.1" imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + name: http + protocol: TCP volumeMounts: + - name: vsecm-data + mountPath: /var/local/vsecm/data + readOnly: false - name: spire-agent-socket mountPath: /spire-agent-socket readOnly: true - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init + - name: vsecm-root-key + mountPath: /key + readOnly: true # - # You can configure VSecM Sentinel by providing - # environment variables. + # You can configure VSecM Safe by providing environment variables. # # See https://vsecm.com/configuration for more information about # these environment variables. # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. + # When you don't explicitly provide env vars here, VSecM Safe + # will assume the default values outlined in the given link above. # env: - name: SPIFFE_ENDPOINT_SOCKET 
@@ -628,30 +584,66 @@ spec: value: "7" - name: VSECM_PROBE_LIVENESS_PORT value: ":8081" + - name: VSECM_PROBE_READINESS_PORT + value: ":8082" + - name: VSECM_SAFE_BACKING_STORE + value: "file" + - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT + value: "300000" + - name: VSECM_ROOT_KEY_NAME + value: "vsecm-root-key" + - name: VSECM_ROOT_KEY_PATH + value: "/key/key.txt" + - name: VSECM_SAFE_DATA_PATH + value: "/var/local/vsecm/data" - name: VSECM_SAFE_ENDPOINT_URL value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - name: VSECM_SAFE_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" + - name: VSECM_SAFE_FIPS_COMPLIANT + value: "false" + - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL + value: "50" + - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE + value: "10" + - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL + value: "false" + - name: VSECM_SAFE_SECRET_BACKUP_COUNT + value: "3" + - name: VSECM_SAFE_SECRET_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE + value: "10" + - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT + value: "10000" + - name: VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX + value: "k8s:" - name: VSECM_SAFE_TLS_PORT value: ":8443" - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - - name: VSECM_SENTINEL_SPIFFEID_PREFIX - value: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/" + - name: VSECM_SAFE_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" + - name: VSECM_WORKLOAD_SPIFFEID_PREFIX + value: "spiffe://vsecm.com/workload/" - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - name: 
VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER value: "false" + - name: VSECM_SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace livenessProbe: httpGet: path: / port: 8081 initialDelaySeconds: 1 periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8082 + initialDelaySeconds: 1 + periodSeconds: 10 resources: requests: memory: 20Mi @@ -663,9 +655,19 @@ spec: csi: driver: "csi.spiffe.io" readOnly: true - - name: init-command-volume + # `vsecm-data` is used to persist the encrypted backups of the secrets. + - name: vsecm-data + hostPath: + path: /var/local/vsecm/data + type: DirectoryOrCreate + + # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. + - name: vsecm-root-key secret: - secretName: vsecm-sentinel-init-secret + secretName: vsecm-root-key + items: + - key: KEY_TXT + path: key.txt --- # Source: vsecm/charts/keystone/templates/Identity.yaml # /* diff --git a/k8s/0.25.1/spire.yaml b/k8s/0.25.1/spire.yaml index cfa1fff3..8ab4ece0 100644 --- a/k8s/0.25.1/spire.yaml +++ b/k8s/0.25.1/spire.yaml @@ -790,7 +790,7 @@ spec: path: /var/lib/kubelet/plugins_registry type: Directory --- -# Source: vsecm/charts/spire/templates/spire-server-app.yaml +# Source: vsecm/charts/spire/templates/spire-server-stateful-set.yaml # /* # | Protect your secrets, protect your sensitive data. # : Explore VMware Secrets Manager docs at https://vsecm.com/ @@ -802,7 +802,7 @@ spec: # */ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: spire-server namespace: spire-system @@ -810,6 +810,7 @@ metadata: app: spire-server app.kubernetes.io/component: server spec: + serviceName: spire-server replicas: 1 selector: matchLabels: diff --git a/makefiles/VSecMDeploy.mk b/makefiles/VSecMDeploy.mk index c2f18b24..fa4e536d 100644 --- a/makefiles/VSecMDeploy.mk +++ b/makefiles/VSecMDeploy.mk 
@@ -38,7 +38,7 @@ deploy-spire: kubectl apply -f ${MANIFESTS_BASE_PATH}/crds; \ kubectl apply -f ${MANIFESTS_BASE_PATH}/spire.yaml; \ echo "verifying SPIRE installation"; \ - kubectl wait --timeout=60s --for=condition=Available deployment -n spire-system spire-server; \ + kubectl wait --for=condition=ready pod spire-server-0 --timeout=60s -n spire-system \ echo "spire-server: deployment available"; \ echo "spire installation successful"; \ fi @@ -69,7 +69,7 @@ post-deploy: echo "verifying vsecm installation" kubectl wait --timeout=60s --for=condition=Available deployment -n vsecm-system vsecm-sentinel echo "vsecm-sentinel: deployment available" - kubectl wait --timeout=60s --for=condition=Available deployment -n vsecm-system vsecm-safe + kubectl wait --for=condition=ready pod vsecm-safe-0 --timeout=60s -n vsecm-system echo "vsecm-safe: deployment available" echo "vsecm installation successful"
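Review bot: The replaced `kubectl wait` line in `deploy-spire` drops the `;` before the trailing `\`, so the next recipe line `echo "spire-server: deployment available"` is appended as extra arguments to `kubectl wait` instead of running as its own command; restore it: `kubectl wait --for=condition=ready pod spire-server-0 --timeout=60s -n spire-system; \`. Both this hunk and the `post-deploy` one at -69 also wait on a hard-coded pod name immediately after `kubectl apply`; if the StatefulSet controller has not created the pod yet, `kubectl wait` may exit non-zero with "no matching resources found" rather than waiting, so `kubectl rollout status statefulset/spire-server -n spire-system --timeout=60s` (and `statefulset/vsecm-safe` in post-deploy) is a more robust check. The `echo` lines still say "deployment available" although both objects are StatefulSets now.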