Feat/spire infrastructure deployment

manifests/charts/base/templates/agentcube-router.yaml

@@ -23,7 +23,30 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
+        {{- if .Values.spire.enabled }}
+        - name: spiffe-helper
+          image: "{{ .Values.spire.spiffeHelper.image.repository }}:{{ .Values.spire.spiffeHelper.image.tag }}"
+          imagePullPolicy: {{ .Values.spire.spiffeHelper.image.pullPolicy }}
+          args:
+            - "-config"
+            - "/etc/spiffe-helper/spiffe-helper.conf"
+          volumeMounts:
+            - name: spiffe-helper-config
+              mountPath: /etc/spiffe-helper
+              readOnly: true
+            - name: spire-agent-socket
+              mountPath: /run/spire/sockets
+              readOnly: true
+            - name: spire-certs
+              mountPath: {{ .Values.spire.spiffeHelper.certDir }}
+        {{- end }}
         - name: agentcube-router
+          {{- if .Values.spire.enabled }}
+          volumeMounts:
+            - name: spire-certs
+              mountPath: {{ .Values.spire.spiffeHelper.certDir }}
+              readOnly: true
+          {{- end }}
           image: "{{ .Values.router.image.repository }}:{{ .Values.router.image.tag }}"
           imagePullPolicy: {{ .Values.router.image.pullPolicy }}
           ports:
@@ -61,6 +84,18 @@ spec:
               port: {{ .Values.router.service.targetPort }}
             initialDelaySeconds: 1
             periodSeconds: 2
+      {{- if .Values.spire.enabled }}
+      volumes:
+        - name: spire-agent-socket
+          hostPath:
+            path: /run/spire/sockets
+            type: DirectoryOrCreate
+        - name: spiffe-helper-config
+          configMap:
+            name: spiffe-helper-config
+        - name: spire-certs
+          emptyDir: {}
+      {{- end }}
 
 ---
 apiVersion: v1

manifests/charts/base/templates/rbac-router.yaml

@@ -1,31 +1,29 @@
-{{- if .Values.router.rbac.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Values.router.serviceAccountName | default "agentcube-router" }}
-  namespace: {{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ .Values.router.serviceAccountName | default "agentcube-router" }}
-  namespace: {{ .Release.Namespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ .Values.router.serviceAccountName | default "agentcube-router" }}
-  namespace: {{ .Release.Namespace }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Values.router.serviceAccountName | default "agentcube-router" }}
-    namespace: {{ .Release.Namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ .Values.router.serviceAccountName | default "agentcube-router" }}
-{{- end }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.router.serviceAccountName | default "agentcube-router" }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.router.serviceAccountName | default "agentcube-router" }}
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.router.serviceAccountName | default "agentcube-router" }}
+  namespace: {{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.router.serviceAccountName | default "agentcube-router" }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.router.serviceAccountName | default "agentcube-router" }}

manifests/charts/base/templates/spire/cluster-spiffe-ids.yaml

@@ -0,0 +1,45 @@
+{{- if .Values.spire.enabled }}
+# Prerequisite: spire.spiffe.io CRDs must be present in the cluster before these resources can be created.
+# The spire-controller-manager sidecar registers them automatically on first boot.
+# For a fresh cluster, run: kubectl apply -f https://github.com/spiffe/spire-controller-manager/releases/download/v{{ .Values.spire.controllerManager.image.tag }}/crds.yaml
+# Router registration
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterSPIFFEID
+metadata:
+  name: {{ .Release.Name }}-agentcube-router
+spec:
+  spiffeIDTemplate: "spiffe://{{ .Values.spire.trustDomain }}/ns/{{ "{{ .PodMeta.Namespace }}" }}/sa/{{ "{{ .PodSpec.ServiceAccountName }}" }}"
+  podSelector:
+    matchLabels:
+      app: agentcube-router
+  namespaceSelector:
+    matchLabels:
+      kubernetes.io/metadata.name: {{ .Release.Namespace }}
+
+---
+# WorkloadManager registration
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterSPIFFEID
+metadata:
+  name: {{ .Release.Name }}-agentcube-workload-manager
+spec:
+  spiffeIDTemplate: "spiffe://{{ .Values.spire.trustDomain }}/ns/{{ "{{ .PodMeta.Namespace }}" }}/sa/{{ "{{ .PodSpec.ServiceAccountName }}" }}"
+  podSelector:
+    matchLabels:
+      app: workloadmanager
+  namespaceSelector:
+    matchLabels:
+      kubernetes.io/metadata.name: {{ .Release.Namespace }}
+
+---
+# PicoD (Sandbox) registration - namespace-agnostic
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterSPIFFEID
+metadata:
+  name: {{ .Release.Name }}-agentcube-sandbox
+spec:
+  spiffeIDTemplate: "spiffe://{{ .Values.spire.trustDomain }}/sa/{{ "{{ .PodSpec.ServiceAccountName }}" }}"
+  podSelector:
+    matchLabels:
+      app: picod
+{{- end }}

manifests/charts/base/templates/spire/rbac.yaml

@@ -0,0 +1,114 @@
+{{- if .Values.spire.enabled }}
+# --- SPIRE Server ---
+# Also used by the Controller Manager sidecar running in the same pod
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: spire-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: spire-server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-spire-server
+  labels:
+    app: spire-server
+rules:
+  # Required for k8s_psat NodeAttestor to validate projected service account tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  # Required for k8s_psat NodeAttestor to query pod identity during attestation
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  # Required for node attestation and registration entry management
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  # Required by Controller Manager sidecar to watch and sync ClusterSPIFFEID CRDs
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterspiffeids", "clusterfederatedtrustdomains", "clusterstaticentries"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterspiffeids/status", "clusterfederatedtrustdomains/status", "clusterstaticentries/status"]
+    verbs: ["get", "update", "patch"]
+  # Required by Controller Manager sidecar to resolve namespaces for namespaceSelector
+  - apiGroups: [""]
+    resources: ["namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  # Required by Controller Manager sidecar for leader election
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  # Required by Controller Manager sidecar to manage its webhook certificate
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "create"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    resourceNames: ["{{ .Release.Name }}-spire-controller-manager-webhook"]
+    verbs: ["update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-spire-server
+  labels:
+    app: spire-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Release.Name }}-spire-server
+subjects:
+  - kind: ServiceAccount
+    name: spire-server
+    namespace: {{ .Release.Namespace }}
+---
+
+# --- SPIRE Agent ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: spire-agent
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: spire-agent
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-spire-agent
+  labels:
+    app: spire-agent
+rules:
+  # Required for k8s workload attestor to query pod metadata from kubelet
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+  # Required for workload attestation to resolve node information and proxy requests to kubelet
+  - apiGroups: [""]
+    resources: ["nodes", "nodes/proxy"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-spire-agent
+  labels:
+    app: spire-agent
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Release.Name }}-spire-agent
+subjects:
+  - kind: ServiceAccount
+    name: spire-agent
+    namespace: {{ .Release.Namespace }}
+{{- end }}
+

manifests/charts/base/templates/spire/spiffe-helper-config.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.spire.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: spiffe-helper-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: spiffe-helper
+data:
+  spiffe-helper.conf: |
+    agent_address = "/run/spire/sockets/agent.sock"
+    cmd = ""
+    cmd_args = ""
+    cert_dir = "{{ .Values.spire.spiffeHelper.certDir }}"
+    renew_signal = "SIGHUP"
+    svid_file_name = "{{ .Values.spire.spiffeHelper.certFileName }}"
+    svid_key_file_name = "{{ .Values.spire.spiffeHelper.keyFileName }}"
+    svid_bundle_file_name = "{{ .Values.spire.spiffeHelper.bundleFileName }}"
+{{- end }}