A Helm chart for deploying the full Spire stack into your k8s cluster.
Components:
- spire-server
- spire-controller-manager (optional)
- spire-k8s-workload-registrar (deprecated, optional)
- spire-agent
- spiffe-csi-driver
- spiffe-oidc-discovery-provider (optional)
Warning: Please note this chart requires Projected Service Account Tokens which has to be enabled on your k8s api server.
Note: Minimum Spire version is
v1.5.3
(This requires a nodeSelector to limit toamd64
nodes on multi-node clusters). The recommended minimum version for multi-architecture clusters isv1.6.0
which ships witharm64
support.
To enable Projected Service Account Tokens on Docker for Mac/Windows run the following command to SSH into the Docker Desktop K8s VM.
docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
Then add the following to /etc/kubernetes/manifests/kube-apiserver.yaml
spec:
containers:
- command:
- kube-apiserver
- --api-audiences=api,spire-server
- --service-account-issuer=api,spire-agent
- --service-account-key-file=/run/config/pki/sa.pub
- --service-account-signing-key-file=/run/config/pki/sa.key
Homepage: https://github.com/philips-labs/helm-charts/tree/main/charts/spire
Name | Url | |
---|---|---|
marcofranssen | marco.franssen@philips.com | https://marcofranssen.nl |
Kubernetes: >=1.21.0-0
Repository | Name | Version |
---|---|---|
file://./charts/spiffe-csi-driver | spiffe-csi-driver | 0.1.0 |
file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 |
file://./charts/spire-agent | spire-agent | 0.1.0 |
file://./charts/spire-server | spire-server | 0.1.0 |
Key | Type | Default | Description |
---|---|---|---|
fullnameOverride | string | "" |
|
nameOverride | string | "" |
|
spiffe-csi-driver.agentSocketPath | string | "/run/spire/agent-sockets/spire-agent.sock" |
|
spiffe-oidc-discovery-provider.enabled | bool | false |
|
spiffe-oidc-discovery-provider.trustDomain | string | "example.org" |
|
spire-agent.bundleConfigMap | string | "spire-bundle" |
|
spire-agent.clusterName | string | "example-cluster" |
|
spire-agent.nameOverride | string | "agent" |
|
spire-agent.socketPath | string | "/run/spire/agent-sockets/spire-agent.sock" |
|
spire-agent.trustDomain | string | "example.org" |
|
spire-server.bundleConfigMap | string | "spire-bundle" |
|
spire-server.clusterName | string | "example-cluster" |
|
spire-server.nameOverride | string | "server" |
|
spire-server.trustDomain | string | "example.org" |