Skip to content

feat: Externalize ZTVP charts: ztwim #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
minmzzhang wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: Externalize ZTVP charts: ztwim #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 10 additions & 5 deletions .github/linters/.checkov.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,13 @@ directory:
skip-path:
- tests
skip-check:
- CKV_K8S_49 # Minimize wildcard use in Roles and ClusterRoles
- CKV_K8S_155 # Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations
- CKV_K8S_156 # Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests
- CKV_K8S_157 # Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings
- CKV_K8S_158 # Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles
# CKV_K8S_49: Minimize wildcard use in Roles and ClusterRoles
- CKV_K8S_49
# CKV_K8S_155: ClusterRoles for admission webhook configurations
- CKV_K8S_155
# CKV_K8S_156: ClusterRoles to approve CertificateSigningRequests
- CKV_K8S_156
# CKV_K8S_157: Roles/ClusterRoles to bind RoleBindings or ClusterRoleBindings
- CKV_K8S_157
# CKV_K8S_158: Roles/ClusterRoles to escalate Roles or ClusterRoles
- CKV_K8S_158
3 changes: 3 additions & 0 deletions .github/workflows/superlinter.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,6 @@ jobs:
with:
sl_env: |
VALIDATE_BIOME_FORMAT=false
# Exclude Helm templates ({{ }} not valid YAML for yamllint/kubeconform)
FILTER_REGEX_EXCLUDE=.*/templates/.*
VALIDATE_GITHUB_ACTIONS_ZIZMOR=false
23 changes: 23 additions & 0 deletions .helmignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
11 changes: 11 additions & 0 deletions .yamllint
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
extends: default
ignore:
- templates/
- "**/templates/**"
rules:
document-start: disable
line-length:
max: 120
brackets:
min-spaces-inside: 0
max-spaces-inside: 1
13 changes: 8 additions & 5 deletions Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
apiVersion: v2
description: A Helm chart to serve as the Validated Patterns Template
keywords:
- pattern
name: vp-template
version: 0.0.1
name: zero-trust-workload-identity-manager
description: Zero Trust Workload Identity Manager Helm Chart
type: application
version: 0.1.0
home: https://github.com/validatedpatterns/ztwim-chart
maintainers:
- name: Validated Patterns Team
email: validatedpatterns@googlegroups.com
12 changes: 7 additions & 5 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,8 +36,10 @@ test: helm-lint helm-unittest ## Runs helm lint and unit tests
.PHONY: super-linter
super-linter: ## Runs super linter locally
rm -rf .mypy_cache
podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \
-e VALIDATE_BIOME_FORMAT=false \
-v $(PWD):/tmp/lint:rw,z \
-w /tmp/lint \
ghcr.io/super-linter/super-linter:slim-v8
podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \
-e VALIDATE_BIOME_FORMAT=false \
-e "FILTER_REGEX_EXCLUDE=.*/templates/.*" \
-e VALIDATE_GITHUB_ACTIONS_ZIZMOR=false \
-v $(PWD):/tmp/lint:rw,z \
-w /tmp/lint \
ghcr.io/super-linter/super-linter:slim-v8
66 changes: 63 additions & 3 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,73 @@
# vp-template
# zero-trust-workload-identity-manager

![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square)
<!-- markdownlint-disable MD013 -->

A Helm chart to serve as the Validated Patterns Template
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

<!-- markdownlint-enable MD013 -->

<!-- markdownlint-disable MD013 -->

Zero Trust Workload Identity Manager Helm Chart

<!-- markdownlint-enable MD013 -->

This chart is used to serve as the template for Validated Patterns Charts

## Notable changes

**Homepage:** <https://github.com/validatedpatterns/ztwim-chart>

## Maintainers

| Name | Email | Url |
| ----------------------- | ------------------------------------ | --- |
| Validated Patterns Team | <validatedpatterns@googlegroups.com> | |

<!-- markdownlint-disable MD013 MD034 MD060 -->

## Values

| Key | Type | Default | Description |
| -------------------------------------------------------------------------------- | ------ | -------------------------------------------------------------------------------- | ----------- |
| global.hubClusterDomain | string | `"hub.example.com"` | |
| global.localClusterDomain | string | `"local.example.com"` | |
| spiffe.csi.agentSocketPath | string | `"/run/spire/agent-sockets"` | |
| spire.agent.nodeAttestor.k8sPSATEnabled | string | `"true"` | |
| spire.agent.workloadAttestors.k8sEnabled | string | `"true"` | |
| spire.agent.workloadAttestors.workloadAttestorsVerification.hostCertBasePath | string | `"/var/lib/kubelet/pki"` | |
| spire.agent.workloadAttestors.workloadAttestorsVerification.hostCertFileName | string | `""` | |
| spire.agent.workloadAttestors.workloadAttestorsVerification.type | string | `"auto"` | |
| spire.bundleConfigMap | string | `"spire-bundle"` | |
| spire.clusterName | string | `"cluster"` | |
| spire.oidcDiscoveryProvider.ingress.annotations."route.openshift.io/termination" | string | `"reencrypt"` | |
| spire.oidcDiscoveryProvider.ingress.host | string | `"spire-spiffe-oidc-discovery-provider.{{ .Values.global.localClusterDomain }}"` | |
| spire.oidcDiscoveryProvider.ingress.operatorManaged | string | `"true"` | |
| spire.oidcDiscoveryProvider.service.name | string | `"spire-spiffe-oidc-discovery-provider"` | |
| spire.oidcDiscoveryProvider.service.port | int | `443` | |
| spire.server.ca.commonName | string | `"redhat.com"` | |
| spire.server.ca.country | string | `"US"` | |
| spire.server.ca.organization | string | `"Red Hat"` | |
| spire.server.datastore.connMaxLifetime | int | `0` | |
| spire.server.datastore.connectionString | string | `"/run/spire/data/datastore.sqlite3"` | |
| spire.server.datastore.databaseType | string | `"sqlite3"` | |
| spire.server.datastore.maxIdleConns | int | `10` | |
| spire.server.datastore.maxOpenConns | int | `100` | |
| spire.server.federation.bundleEndpoint.profile | string | `"https_spiffe"` | |
| spire.server.federation.enabled | string | `"false"` | |
| spire.server.federation.federatesWith | list | `[]` | |
| spire.server.federation.ingress.annotations."route.openshift.io/termination" | string | `"passthrough"` | |
| spire.server.federation.ingress.host | string | `"spire-server.{{ .Values.global.localClusterDomain }}"` | |
| spire.server.federation.ingress.operatorManaged | string | `"true"` | |
| spire.server.persistence.accessMode | string | `"ReadWriteOnce"` | |
| spire.server.persistence.size | string | `"5Gi"` | |
| spire.server.persistence.storageClass | string | `""` | |
| spire.server.service.name | string | `"spire-server"` | |
| spire.server.service.port | int | `443` | |
| spire.trustDomain | string | `"{{ .Values.global.localClusterDomain }}"` | |

<!-- markdownlint-enable MD013 MD034 MD060 -->

---

Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
6 changes: 6 additions & 0 deletions README.md.gotmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,13 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}

<!-- markdownlint-disable MD013 -->
{{ template "chart.badgesSection" . }}
<!-- markdownlint-enable MD013 -->

<!-- markdownlint-disable MD013 -->
{{ template "chart.description" . }}
<!-- markdownlint-enable MD013 -->

This chart is used to serve as the template for Validated Patterns Charts

Expand All @@ -17,6 +21,8 @@ This chart is used to serve as the template for Validated Patterns Charts

{{ template "chart.requirementsSection" . }}

<!-- markdownlint-disable MD013 MD034 MD060 -->
{{ template "chart.valuesSection" . }}
<!-- markdownlint-enable MD013 MD034 MD060 -->

{{ template "helm-docs.versionFooter" . }}
Empty file removed templates/.keep
View file
Open in desktop
Empty file.
6 changes: 6 additions & 0 deletions templates/SpiffeCSIDriver.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: operator.openshift.io/v1alpha1
kind: SpiffeCSIDriver
metadata:
name: cluster
spec:
agentSocketPath: {{ .Values.spiffe.csi.agentSocketPath }}
11 changes: 11 additions & 0 deletions templates/SpireAgent.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: operator.openshift.io/v1alpha1
kind: SpireAgent
metadata:
name: cluster
spec:
nodeAttestor:
k8sPSATEnabled: {{ .Values.spire.agent.nodeAttestor.k8sPSATEnabled | quote }}
workloadAttestors:
k8sEnabled: {{ .Values.spire.agent.workloadAttestors.k8sEnabled | quote }}
workloadAttestorsVerification:
type: {{ .Values.spire.agent.workloadAttestors.workloadAttestorsVerification.type}}
22 changes: 22 additions & 0 deletions templates/SpireOIDCDiscoveryProvider-Ingress.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
{{- if not (eq .Values.spire.oidcDiscoveryProvider.ingress.operatorManaged "true") }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: spire-spiffe-oidc-discovery-provider
namespace: {{ .Release.Namespace }}
{{- if .Values.spire.server.ingress.annotations }}
annotations:
{{- tpl (toYaml .Values.spire.oidcDiscoveryProvider.ingress.annotations) . | nindent 4 }}
{{- end }}
spec:
rules:
- host: {{ tpl .Values.spire.oidcDiscoveryProvider.ingress.host $ }}
http:
paths:
- pathType: ImplementationSpecific
backend:
service:
name: {{ .Values.spire.oidcDiscoveryProvider.service.name }}
port:
number: {{ .Values.spire.oidcDiscoveryProvider.service.port }}
{{- end }}
7 changes: 7 additions & 0 deletions templates/SpireOIDCDiscoveryProvider.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
apiVersion: operator.openshift.io/v1alpha1
kind: SpireOIDCDiscoveryProvider
metadata:
name: cluster
spec:
jwtIssuer: {{ include "zero-trust-workload-identity-manager.jwtIssuer" . }}
managedRoute: {{ (.Values.spire.oidcDiscoveryProvider.ingress.operatorManaged | default true) | quote }}
22 changes: 22 additions & 0 deletions templates/SpireServer-Ingress.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
{{- if not (eq .Values.spire.server.federation.ingress.operatorManaged "true") }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: spire-server
namespace: {{ .Release.Namespace }}
{{- if .Values.spire.server.federation.ingress.annotations }}
annotations:
{{- tpl (toYaml .Values.spire.server.federation.ingress.annotations) . | nindent 4 }}
{{- end }}
spec:
rules:
- host: {{ tpl .Values.spire.server.federation.ingress.host $ }}
http:
paths:
- pathType: ImplementationSpecific
backend:
service:
name: {{ .Values.spire.server.service.name }}
port:
number: {{ .Values.spire.server.service.port }}
{{- end }}
29 changes: 29 additions & 0 deletions templates/SpireServer.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
apiVersion: operator.openshift.io/v1alpha1
kind: SpireServer
metadata:
name: cluster
spec:
caSubject:
commonName: {{ .Values.spire.server.ca.commonName }}
country: {{ .Values.spire.server.ca.country }}
organization: {{ .Values.spire.server.ca.organization }}
persistence:
size: {{ .Values.spire.server.persistence.size }}
accessMode: {{ .Values.spire.server.persistence.accessMode }}
datastore:
databaseType: {{ .Values.spire.server.datastore.databaseType }}
connectionString: {{ .Values.spire.server.datastore.connectionString }}
maxOpenConns: {{ .Values.spire.server.datastore.maxOpenConns }}
maxIdleConns: {{ .Values.spire.server.datastore.maxIdleConns }}
connMaxLifetime: {{ .Values.spire.server.datastore.connMaxLifetime }}
jwtIssuer: {{ include "zero-trust-workload-identity-manager.jwtIssuer" . }}
{{- if (eq .Values.spire.server.federation.ingress.operatorManaged "true") }}
federation:
bundleEndpoint:
profile: {{ .Values.spire.server.federation.bundleEndpoint.profile }}
{{- if .Values.spire.server.federation.federatesWith }}
federatesWith:
{{- toYaml .Values.spire.server.federation.federatesWith | nindent 6 }}
{{- end }}
managedRoute: {{ (.Values.spire.server.federation.ingress.operatorManaged | default false) | quote }}
{{- end }}
8 changes: 8 additions & 0 deletions templates/ZeroTrustWorkloadIdentityManager.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
apiVersion: operator.openshift.io/v1alpha1
kind: ZeroTrustWorkloadIdentityManager
metadata:
name: cluster
spec:
trustDomain: {{ tpl .Values.spire.trustDomain $ }}
clusterName: {{ .Values.spire.clusterName }}
bundleConfigMap: {{ .Values.spire.bundleConfigMap }}
69 changes: 69 additions & 0 deletions templates/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "zero-trust-workload-identity-manager.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "zero-trust-workload-identity-manager.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "zero-trust-workload-identity-manager.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels
*/}}
{{- define "zero-trust-workload-identity-manager.labels" -}}
helm.sh/chart: {{ include "zero-trust-workload-identity-manager.chart" . }}
{{ include "zero-trust-workload-identity-manager.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Selector labels
*/}}
{{- define "zero-trust-workload-identity-manager.selectorLabels" -}}
app.kubernetes.io/name: {{ include "zero-trust-workload-identity-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Create the name of the service account to use
*/}}
{{- define "zero-trust-workload-identity-manager.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "zero-trust-workload-identity-manager.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

{{/*
Create the name of the service account to use
*/}}
{{- define "zero-trust-workload-identity-manager.jwtIssuer" -}}
{{- printf "https://%s" (tpl .Values.spire.oidcDiscoveryProvider.ingress.host $) }}
{{- end }}
Loading