spiffe · faisal-memon · Nov 8, 2024 · Jan 22, 2024 · Jan 22, 2024 · Jan 22, 2024
@@ -82,6 +82,16 @@ while true; do
 done
 )
 
+common_test_file_exists () (
+count=20
+while true; do
+        if [ -f "$1" ]; then exit 0; fi
+        sleep 2
+        count=$((count-1))
+        [ $count -le 0 ] && exit 1
+done
+)
+
 # Used just for testing. You should provide your own values as described in the install instructions.
 common_test_your_values () {
 cat > /tmp/$$.example-your-values.yaml <<EOF

@@ -171,7 +171,7 @@ jobs:
       - name: Run chart-testing (install)
         run: |
           helm install -n spire-server spire-crds charts/spire-crds
-          ct install --config ct.yaml --excluded-charts spire-crds \
+          ct install --config ct.yaml --excluded-charts spire-crds,spiffe-step-ssh \
             --target-branch ${{ github.base_ref }}
 
       - name: Test summary

@@ -0,0 +1,42 @@
+apiVersion: v2
+name: spiffe-step-ssh
+description: sshd signed host certificates using SPIFFE for trust and step CA
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+
+keywords: ["spiffe", "step", "step-ca", "ssh"]
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
+sources:
+  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
+icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
+maintainers:
+  - name: kfox1111
+    email: [email protected]
+
+dependencies:
+  - name: spire-lib
+    repository: file://../spire/charts/spire-lib
+    version: 0.1.0
+  - name: step-certificates
+    alias: step
+    repository: https://smallstep.github.io/helm-charts/
+    version: 1.27.4
@@ -0,0 +1,65 @@
+spire-values.yaml
+```
+spire-server:
+  nodeAttestor:
+    httpChallenge:
+      enabled: true
+  controllerManager:
+    identities:
+      clusterSPIFFEIDs:
+        spiffe-step-ssh-config:
+          type: raw
+          namespaceSelector:
+            matchLabels:
+              "kubernetes.io/metadata.name": default
+          podSelector:
+            matchLabels:
+              app: spiffe-step-ssh
+              component: config
+        spiffe-step-ssh-fetchca:
+          type: raw
+          namespaceSelector:
+            matchLabels:
+              "kubernetes.io/metadata.name": default
+          podSelector:
+            matchLabels:
+              app: spiffe-step-ssh
+              component: fetchca
+          dnsNameTemplates:
+          - "spiffe-step-ssh-fetchca.{{ .TrustDomain }}"
+```
+
+```shell
+helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
+helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f spire-values.yaml --set global.spire.ingressControllerType=ingress-nginx,spire-server.ingress.enabled=true
+```
+
+```shell
+helm upgrade --install ingress-nginx ingress-nginx -n ingress-nginx --create-namespace --repo https://kubernetes.github.io/ingress-nginx --set controller.service.type=ClusterIP,controller.service.externalIPs[0]=$(minikube ip) --set controller.watchIngressWithoutClass=true --set controller.extraArgs.enable-ssl-passthrough=
+```
+
+```shell
+PASSWORD=$(openssl rand -base64 48)
+echo "$PASSWORD" > spiffe-step-ssh-password.txt
+step ca init --helm --deployment-type=Standalone --name='My CA' --dns spiffe-step-ssh.example.org --ssh --address :8443 --provisioner default --password-file spiffe-step-ssh-password.txt > spiffe-step-ssh-values.yaml
+```
+
+ingress-values.yaml
+```yaml
+global:
+  spiffe:
+    ingressControllerType: ingress-nginx
+stepIngress:
+  enabled: true
+fetchCA:
+  ingress:
+    enabled: true
+```
+
+```shell
+helm upgrade --install spiffe-step-ssh . --set caPassword=`cat spiffe-step-ssh-password.txt` -f spiffe-step-ssh-values.yaml -f ingress-values.yaml --set trustDomain=example.org
+```
+
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
+
+## Parameters
@@ -0,0 +1 @@
+trustDomain: example.org
@@ -0,0 +1,13 @@
+{{- if eq (len .AuthorizationCrt.URIs) 1 }}
+{{-   $san := printf "%s" (index .AuthorizationCrt.URIs 0) }}
+{{-   if hasPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
+{{-     $name := trimPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
+{
+  "type": {{ toJson .Type }},
+  "keyId": {{ toJson $name }},
+  "principals": [{{ toJson $name }}],
+  "extensions": {{ toJson .Extensions }},
+  "criticalOptions": {{ toJson .CriticalOptions }}
+}
+{{-   end }}
+{{- end }}
@@ -0,0 +1,5 @@
+Installed {{ .Chart.Name }}…
+
+Configure your ssh clients with known_hosts file with:
+
+@cert-authority *.{{ .Values.trustDomain }} {{ .Values.inject.certificates.ssh_host_ca }}
@@ -0,0 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "spiffe-step-ssh.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "spiffe-step-ssh.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "spiffe-step-ssh.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "spiffe-step-ssh.labels" -}}
+helm.sh/chart: {{ include "spiffe-step-ssh.chart" . }}
+{{ include "spiffe-step-ssh.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "spiffe-step-ssh.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "spiffe-step-ssh.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "spiffe-step-ssh.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "spiffe-step-ssh.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/* Takes in a dictionary with keys:
+ * global - the standard global object
+ * ingress - a standard format ingress config object
+*/}}
+{{- define "spiffe-step-ssh.ingress-controller-type" }}
+{{-   $type := "" }}
+{{-   if ne (len (dig "spiffe" "ingressControllerType" "" .global)) 0 }}
+{{-     $type = .global.spiffe.ingressControllerType }}
+{{-   else if ne .ingress.controllerType "" }}
+{{-     $type = .ingress.controllerType }}
+{{-   else if (dig "openshift" false .global) }}
+{{-     $type = "openshift" }}
+{{-   else }}
+{{-     $type = "other" }}
+{{-   end }}
+{{-   if not (has $type (list "ingress-nginx" "openshift" "other")) }}
+{{-     fail "Unsupported ingress controller type specified. Must be one of [ingress-nginx, openshift, other]" }}
+{{-   end }}
+{{-   $type }}
+{{- end }}
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  spiffe-helper.conf: |
+    agent_address = "/spiffe-workload-api/spire-agent.sock"
+    cmd = "sh"
+    cmd_args = "/config-deployment/update.sh"
+    cert_dir = "/certs"
+    svid_file_name = "tls.crt"
+    svid_key_file_name = "tls.key"
+    svid_bundle_file_name = "ca.pem"
+    add_intermediates_to_bundle = false
+  update.sh: |
+    #!/bin/sh
+    export ROOTS=$(base64 /certs/ca.pem | tr '\n' ' ' | sed 's/ //g')
+    echo Updating Roots to "$ROOTS"
+    cat /config/ca.json > /work/ca.json
+    yq e -i -ojson '.authority.provisioners |= map(select(.name == "x5c@spiffe").roots = env(ROOTS))' /work/ca.json
+    /helper/kubectl create configmap {{ include "spiffe-step-ssh.fullname" . }}-config -n "{{ .Release.Namespace }}" --from-file=/work/ca.json --from-file=/config/defaults.json --from-file=/config/ssh_x5c.tpl --dry-run=client -o yaml | /helper/kubectl apply -f -
+    /helper/kubectl rollout restart statefulset {{ include "spiffe-step-ssh.fullname" . }} -n "{{ .Release.Namespace }}"
+    echo $?