spiffe / helm-charts-flex
License: Apache License 2.0
We need to alter the defaults to add the deployment name into the path of the disk keymanager hostpath volume. That way one can perform the following commands
helm install aaa spire-flex-<version>.tgz
helm install bbb spire-flex-<version>.tgz
without the two deployments interacting with each other.
If possible, place the configuration.md documentation into the helm chart (zip) bundle.
When the agent pod is initializing with the Disk KeyManager activated, it will mount a hostPath volume in order to have a persistent location for the KeyManager's backing store. The problem is that such a location might not exist within a typical operating system.
What is needed is an initContainer within the daemonset that performs the corresponding OS "mkdir" command to install the directory, such that the hostPath volume can be created, unblocking the launch of the agent under the Disk KeyManager configuration.
This mkdir should be recursive (mkdir -p) to avoid loops. Ideally a very popular image should be used (alpine?) and the command "mkdir" should be the visible element on the pod's launching arguments.
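As an added example covering both requests above (the per-release hostPath and the init container that creates it), and not the chart's own template: a DaemonSet fragment in which the Disk KeyManager directory is namespaced by release name and pre-created with a visible mkdir -p. It assumes a values key agent.keyManager.disk.hostPath and the image tags shown.

```yaml
# Added example, not the chart's own template. Assumed values key:
# agent.keyManager.disk.hostPath = base directory on the node (e.g. /var/lib/spire).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: {{ .Release.Name }}-agent
spec:
  selector:
    matchLabels:
      app: {{ .Release.Name }}-agent
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-agent
    spec:
      initContainers:
        # kubelet prepares every volume before the first container starts, so a
        # hostPath pointing at the not-yet-existing per-release directory would
        # fail the pod before this step ran. The init step therefore mounts the
        # base directory (DirectoryOrCreate guarantees it exists) and creates the
        # per-release subdirectory inside it. mkdir -p is idempotent, so restarts
        # and pre-existing directories are harmless; -m 0700 keeps the key store
        # readable by its owner only.
        - name: create-keymanager-dir
          image: alpine:3.18
          command: ["mkdir", "-p", "-m", "0700", "/run/spire/keys/{{ .Release.Name }}/agent"]
          securityContext:
            runAsUser: 0    # only this step needs to write to a root-owned host directory
          volumeMounts:
            - name: keymanager-data
              mountPath: /run/spire/keys
      containers:
        - name: spire-agent
          image: ghcr.io/spiffe/spire-agent:1.8.0   # example tag, not taken from the page
          # The Disk KeyManager's keys_path in agent.conf must sit below the same
          # per-release directory, e.g. /run/spire/keys/{{ .Release.Name }}/agent/keys.json
          volumeMounts:
            - name: keymanager-data
              mountPath: /run/spire/keys
      volumes:
        # Releases "aaa" and "bbb" share the base path but never a subdirectory.
        - name: keymanager-data
          hostPath:
            path: {{ .Values.agent.keyManager.disk.hostPath }}
            type: DirectoryOrCreate
```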
$ make container_cmd=podman
podman run -ti --rm -v /home/kfox/git/spire-helm-charts-flex:/apps docker://alpine/helm:3.11.1 lint spire-flex -f spire-flex/values.yaml
Trying to pull docker.io/alpine/helm:3.11.1...
Getting image source signatures
Copying blob 05a2708c4a81 done
Copying blob 796e85e1de57 done
Copying blob 63b65145d645 done
Copying blob 4f4fb700ef54 done
Copying config b7831bc301 done
Writing manifest to image destination
Storing signatures
==> Linting spire-flex
1 chart(s) linted, 0 chart(s) failed
podman run -ti --rm -v /home/kfox/git/spire-helm-charts-flex:/apps docker://helmunittest/helm-unittest:3.11.1-0.3.0 spire-flex/ -d -f tests/*.yaml
Trying to pull docker.io/helmunittest/helm-unittest:3.11.1-0.3.0...
Getting image source signatures
Copying blob 8921db27df28 done
Copying blob a37700b44b78 done
Copying blob aac2ca54914b done
Copying blob 00d47daa0b62 done
Copying config ec55be8ef8 done
Writing manifest to image destination
Storing signatures
### Chart [ spire-flex ] spire-flex/
FAIL spire-flex/tests/agentDaemonsetSelectorConsistency.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
FAIL spire-flex/tests/agentHealthCheckBindPort.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
FAIL spire-flex/tests/agentHealthCheckDefault.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
FAIL spire-flex/tests/agentHealthCheckDisabled.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
FAIL spire-flex/tests/agentHealthCheckEnabled.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
FAIL spire-flex/tests/agentHealthCheckIPv4BindAddress.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
FAIL spire-flex/tests/agentHealthCheckIPv4BindAddressAny.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
FAIL spire-flex/tests/agentHealthCheckIPv4BindAddress_failOnBadValue.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
FAIL spire-flex/tests/agentHealthCheckIPv6BindAddress.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
FAIL spire-flex/tests/agentHealthCheckIPv6BindAddressAny.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
FAIL spire-flex/tests/agentHealthCheckIPv6BindAddress_failOnBadValue.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
FAIL spire-flex/tests/agentHealthCheckLivePath.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
FAIL spire-flex/tests/agentHealthCheckReadyPath.yaml
- Execution Error:
mkdir spire-flex/tests/__snapshot__: permission denied
Charts: 1 failed, 0 passed, 1 total
Test Suites: 13 failed, 13 errored, 0 passed, 13 total
Tests: 0 passed, 0 total
Snapshot: 0 passed, 0 total
Time: 3.461462ms
Error: plugin "unittest" exited with error
make: *** [Makefile:14: test] Error 1
An ideal framework should:
Ideally this would be configurable with YAML files, to reduce developer overhead, depend on tooling outside of the project that can be packaged with docker, and produce a configurable output that supports both command line reporting and junit xml reporting.
We missed an obvious IPv4 address, the alias 0.0.0.0; currently we only permit "localhost", "127.0.0.1", and "::1".
@kfox1111 Is there an IPv6 equivalent of "0.0.0.0"?
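As an added example of the fail-on-bad-value behaviour the chart's tests exercise, and not the chart's own template: a fragment of the agent.conf body that renders the health_checks block and rejects any bind address outside the loopback and unspecified set. It assumes the values keys agent.healthChecks.bindAddress and agent.healthChecks.bindPort; the IPv6 unspecified address "::" is the counterpart of 0.0.0.0.

```yaml
{{- /* Added example, not the chart's own template: rendered into the agent.conf
       body of the agent config map. Assumed values keys: agent.healthChecks.bindAddress
       (default "localhost") and agent.healthChecks.bindPort (default 8080). */}}
{{- $addr := .Values.agent.healthChecks.bindAddress | default "localhost" }}
{{- /* Loopback names plus the IPv4 and IPv6 unspecified addresses. Anything else
       (a node IP, a hostname) would expose the endpoint on an unintended
       interface, so rendering fails closed instead of guessing. */}}
{{- $allowed := list "localhost" "127.0.0.1" "0.0.0.0" "::1" "::" }}
{{- if not (has $addr $allowed) }}
{{- fail (printf "agent.healthChecks.bindAddress %q must be one of: %s" $addr (join ", " $allowed)) }}
{{- end }}
health_checks {
  listener_enabled = true
  bind_address = {{ $addr | quote }}
  bind_port = {{ .Values.agent.healthChecks.bindPort | default 8080 }}
  live_path = "/live"
  ready_path = "/ready"
}
```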
The agent requires a server address / hostname so it can launch. This name is used to connect to the server.
In our deployments, we have two options:
The advantages of the latter are many.
It permits the scaling of server instances without reconfiguration.
It provides a text DNS name that is automatically managed by the Kubernetes environment.
This request only covers the support of the latter approach.
Expectations:
In a custom plugin, the pattern is
    plugins {
        <pluginType> <pluginName> {
            plugin_cmd = "/usr/bin/customKeyManager"
            plugin_checksum = "3f363c538588bbbbbcbe5374274c2c01f0d1387e012b68a22178e3dd790dc26c"
            enabled = true
            plugin_data {
                <stuff>
            }
        }
    }
Currently our custom plugins permit the user to set the custom plugin name.
The following items are not clear:
We should decide which of the above policies is the correct one, document it, and adjust the charts to enforce the policy.
It's not clear in all cases in the documentation what values the defaults have.
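As an added example for the custom plugin pattern above, and not the chart's own template: a fragment of the agent.conf body that renders user-named plugins from values, treating a missing plugin_checksum on an external plugin as a hard rendering error. The values layout under agent.plugins is an assumption of this example.

```yaml
{{- /* Added example, not the chart's own template. Assumed values layout, keyed by
       the user-chosen plugin name:
         agent.plugins.<name>.type      e.g. KeyManager
         agent.plugins.<name>.cmd       e.g. /usr/bin/customKeyManager (external plugins only)
         agent.plugins.<name>.checksum  sha256 of that binary, required whenever cmd is set
         agent.plugins.<name>.enabled   optional, default true
         agent.plugins.<name>.data      map of scalar plugin_data keys */}}
plugins {
{{- range $name, $p := .Values.agent.plugins }}
  {{- /* Without a checksum the agent would exec whatever sits at plugin_cmd; refuse that. */}}
  {{- if and $p.cmd (not $p.checksum) }}
  {{- fail (printf "plugin %q: checksum is required when cmd is set" $name) }}
  {{- end }}
  {{ required (printf "plugin %q: type is required" $name) $p.type }} {{ $name | quote }} {
    {{- if $p.cmd }}
    plugin_cmd = {{ $p.cmd | quote }}
    plugin_checksum = {{ $p.checksum | quote }}
    {{- end }}
    {{- /* "default" would turn an explicit false back into true, so test for the key. */}}
    enabled = {{ ternary $p.enabled true (hasKey $p "enabled") }}
    plugin_data {
      {{- range $k, $v := $p.data }}
      {{ $k }} = {{ $v | toJson }}
      {{- end }}
    }
  }
{{- end }}
}
```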
Based on the initial design ideas, we need to add agent image pull policies to the agent-daemonset.
This would add the configuration points:
The value is constrained to one of "never", "IfNotPresent", and "always"
The following agent flags all control agent bootstrapping, the process by which an agent obtains a CA permitting it to validate and trust the TLS response of the server.
    agent {
        insecure_bootstrap = true
        trust_bundle_url = "protocol://server/path/"
        trust_bundle_path = "/path/"
    }
We need one enumeration type setting to decide which of the three approaches is used, and for the url and path options, we need another flag each for specifying the url or path value.
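As an added example for the bootstrap enumeration described above and for the DNS-name server address request earlier, and not the chart's own template: a fragment of the agent.conf body that selects exactly one of the three bootstrap approaches from a mode setting and fails rendering on an unknown value. The values keys agent.bootstrap.mode, agent.bootstrap.url and agent.bootstrap.path, and the <release>-server Service name, are assumptions.

```yaml
{{- /* Added example, not the chart's own template: the agent {} block of agent.conf.
       Assumed values keys: agent.bootstrap.mode ("insecure" | "url" | "path",
       default "path"), agent.bootstrap.url, agent.bootstrap.path. The server
       address is the server Service's cluster DNS name, assumed to be
       <release>-server, so scaling the server needs no agent reconfiguration. */}}
{{- $b := .Values.agent.bootstrap }}
{{- $mode := $b.mode | default "path" }}
{{- if not (has $mode (list "insecure" "url" "path")) }}
{{- fail (printf "agent.bootstrap.mode %q must be one of insecure, url, path" $mode) }}
{{- end }}
agent {
  server_address = {{ printf "%s-server.%s.svc" .Release.Name .Release.Namespace | quote }}
  server_port = 8081
  {{- if eq $mode "insecure" }}
  # Trusts whatever CA the server presents on first contact, so anyone able to
  # interpose on that first connection could hand the agent a rogue bundle.
  # The chart therefore makes the operator select this mode explicitly.
  insecure_bootstrap = true
  {{- else if eq $mode "url" }}
  # Fetched over HTTPS; the URL host must present a certificate the agent's
  # system roots trust.
  trust_bundle_url = {{ required "agent.bootstrap.url is required when mode=url" $b.url | quote }}
  {{- else }}
  # A bundle file shipped with the deployment, e.g. from a mounted Secret.
  trust_bundle_path = {{ required "agent.bootstrap.path is required when mode=path" $b.path | quote }}
  {{- end }}
}
```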
Based on the initial design ideas, we need to add the base image to the agent-deployment set.
This would add the configuration points:
A volume needs to exist to hold the agent config file. This volume should be a config map volume.
The agent should have a volume mount that binds the agent to the volume. The agent command line parameters should reference the agent-configmap's agent configuration as a file at its mounted location.
It is unclear if there is a need to specify the volume mount path, but for biodegradability, the volume name and mount path names should not be configurable.
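As an added example for the config map volume described above, and not the chart's own templates: the agent ConfigMap, the DaemonSet volume and mount with fixed names, and the agent arguments that reference the mounted file. The named template spire-flex.agent.conf that renders the HCL body is an assumption of this example.

```yaml
# Added example, not the chart's own templates. Assumes a named template
# "spire-flex.agent.conf" that renders the HCL body of agent.conf.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-agent
data:
  agent.conf: |
{{ include "spire-flex.agent.conf" . | indent 4 }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: {{ .Release.Name }}-agent
spec:
  selector:
    matchLabels:
      app: {{ .Release.Name }}-agent
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-agent
      annotations:
        # Hash of the rendered config: a values change rolls the pods instead of
        # leaving them on a stale copy of the mounted file.
        checksum/config: {{ include "spire-flex.agent.conf" . | sha256sum }}
    spec:
      containers:
        - name: spire-agent
          image: ghcr.io/spiffe/spire-agent:1.8.0   # example tag, not taken from the page
          # The agent reads its configuration from the fixed mount path below.
          args: ["run", "-config", "/run/spire/config/agent.conf"]
          volumeMounts:
            # Volume name and mount path are fixed by the chart, not values.
            - name: spire-config
              mountPath: /run/spire/config
              readOnly: true
      volumes:
        - name: spire-config
          configMap:
            name: {{ .Release.Name }}-agent
            defaultMode: 0444
```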