manifest changes (#1039)

* generated files for the playground

Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>

* testing alignment chnages

Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>

---------

Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>

examples/workshop_federation/cluster-1/spire/crd-rbac/role.yaml

@@ -1,8 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: manager-role
+  name: spire-server-spire-controller-manager
 rules:
+  - apiGroups: [ "" ]
+    resources: [ "endpoints" ]
+    verbs: [ "get", "list", "watch" ]
   - apiGroups: [""]
     resources: ["namespaces"]
     verbs: ["get", "list", "watch"]

examples/workshop_federation/cluster-1/spire/crd-rbac/role_binding.yaml

@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: manager-rolebinding
+  name: spire-server-spire-controller-manager
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: manager-role
+  name: spire-server-spire-controller-manager
 subjects:
   - kind: ServiceAccount
     name: spire-server
-    namespace: spire-system
+    namespace: spire-server

examples/workshop_federation/cluster-1/spire/spire/spire-agent.yaml

@@ -11,7 +11,7 @@ metadata:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: spire-agent-cluster-role
+  name: spire-agent
 rules:
   - apiGroups: [""]
     resources: ["pods","nodes","nodes/proxy"]
@@ -23,14 +23,14 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: spire-agent-cluster-role-binding
+  name: spire-agent
 subjects:
   - kind: ServiceAccount
     name: spire-agent
     namespace: spire-system
 roleRef:
   kind: ClusterRole
-  name: spire-agent-cluster-role
+  name: spire-agent
   apiGroup: rbac.authorization.k8s.io
 
 

examples/workshop_federation/cluster-1/spire/spire/spire-server.yaml

@@ -11,7 +11,7 @@ metadata:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: spire-server-cluster-role
+  name: spire-server-spire-server
 rules:
   - apiGroups: [""]
     resources: ["nodes"]
@@ -28,15 +28,14 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: spire-server-cluster-role-binding
-  namespace: spire-system
+  name: spire-server-spire-server
 subjects:
   - kind: ServiceAccount
     name: spire-server
-    namespace: spire-system
+    namespace: spire-server
 roleRef:
   kind: ClusterRole
-  name: spire-server-cluster-role
+  name: spire-server-spire-server
   apiGroup: rbac.authorization.k8s.io
 
 ---

examples/workshop_federation/cluster-2/safe/Role.yaml

@@ -78,7 +78,6 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: vsecm-safe
-    namespace: vsecm-system
 roleRef:
   kind: ClusterRole
   name: vsecm-secret-readwriter

examples/workshop_federation/cluster-2/spire/crd-rbac/role.yaml

@@ -1,8 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: manager-role
+  name: spire-server-spire-controller-manager
 rules:
+  - apiGroups: [ "" ]
+    resources: [ "endpoints" ]
+    verbs: [ "get", "list", "watch" ]
   - apiGroups: [""]
     resources: ["namespaces"]
     verbs: ["get", "list", "watch"]

examples/workshop_federation/cluster-2/spire/crd-rbac/role_binding.yaml

@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: manager-rolebinding
+  name: spire-server-spire-controller-manager
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: manager-role
+  name: spire-server-spire-controller-manager
 subjects:
   - kind: ServiceAccount
     name: spire-server
-    namespace: spire-system
+    namespace: spire-server

examples/workshop_federation/cluster-2/spire/spire/spire-agent.yaml

@@ -11,7 +11,7 @@ metadata:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: spire-agent-cluster-role
+  name: spire-agent
 rules:
   - apiGroups: [""]
     resources: ["pods","nodes","nodes/proxy"]
@@ -23,14 +23,14 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: spire-agent-cluster-role-binding
+  name: spire-agent
 subjects:
   - kind: ServiceAccount
     name: spire-agent
     namespace: spire-system
 roleRef:
   kind: ClusterRole
-  name: spire-agent-cluster-role
+  name: spire-agent
   apiGroup: rbac.authorization.k8s.io
 
 

examples/workshop_federation/cluster-2/spire/spire/spire-server.yaml

@@ -11,7 +11,7 @@ metadata:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: spire-server-cluster-role
+  name: spire-server-spire-server
 rules:
   - apiGroups: [""]
     resources: ["nodes"]
@@ -28,15 +28,14 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: spire-server-cluster-role-binding
-  namespace: spire-system
+  name: spire-server-spire-server
 subjects:
   - kind: ServiceAccount
     name: spire-server
-    namespace: spire-system
+    namespace: spire-server
 roleRef:
   kind: ClusterRole
-  name: spire-server-cluster-role
+  name: spire-server-spire-server
   apiGroup: rbac.authorization.k8s.io
 
 ---

hack/uninstall.sh

@@ -26,8 +26,8 @@ if kubectl get ns | grep vsecm-system; then
   kubectl delete ClusterSPIFFEID vsecm-safe
   kubectl delete CSIDriver csi.spiffe.io
   kubectl delete ValidatingWebhookConfiguration spire-controller-manager-webhook
-  kubectl delete clusterrolebinding vsecm-secret-readwriter-binding manager-rolebinding spire-agent-cluster-role-binding spire-server-cluster-role-binding
-  kubectl delete clusterrole spire-agent-cluster-role spire-server-cluster-role vsecm-secret-readwriter manager-role
+  kubectl delete clusterrolebinding vsecm-secret-readwriter-binding spire-server-spire-controller-manager spire-agent spire-server-spire-server
+  kubectl delete clusterrole spire-agent spire-server-spire-server vsecm-secret-readwriter spire-server-spire-controller-manager
 
 else
   echo "Nothing to clean."

helm-charts-playground/helm-charts-manifests/atmp/clusterrole-spire-server-post-install.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: spire-server-post-install
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+rules:
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    resourceNames: ["spire-server-spire-controller-manager-webhook"]
+    verbs: ["get", "patch"]

helm-charts-playground/helm-charts-manifests/atmp/clusterrole-spire-server-post-upgrade.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: spire-server-post-upgrade
+  annotations:
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+rules:
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    resourceNames: ["spire-server-spire-controller-manager-webhook"]
+    verbs: ["get", "patch"]

helm-charts-playground/helm-charts-manifests/atmp/clusterrole-spire-server-pre-upgrade.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: spire-server-pre-upgrade
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+rules:
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    resourceNames: ["spire-server-spire-controller-manager-webhook"]
+    verbs: ["get", "patch"]

helm-charts-playground/helm-charts-manifests/atmp/clusterrolebinding-spire-server-post-install.yaml

@@ -0,0 +1,15 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-post-install
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+subjects:
+  - kind: ServiceAccount
+    name: spire-server-post-install
+    namespace: spire-server
+roleRef:
+  kind: ClusterRole
+  name: spire-server-post-install
+  apiGroup: rbac.authorization.k8s.io

helm-charts-playground/helm-charts-manifests/atmp/clusterrolebinding-spire-server-post-upgrade.yaml

@@ -0,0 +1,15 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-post-upgrade
+  annotations:
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+subjects:
+  - kind: ServiceAccount
+    name: spire-server-post-upgrade
+    namespace: spire-server
+roleRef:
+  kind: ClusterRole
+  name: spire-server-post-upgrade
+  apiGroup: rbac.authorization.k8s.io

helm-charts-playground/helm-charts-manifests/atmp/clusterrolebinding-spire-server-pre-upgrade.yaml

@@ -0,0 +1,15 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-pre-upgrade
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+subjects:
+  - kind: ServiceAccount
+    name: spire-server-pre-upgrade
+    namespace: spire-server
+roleRef:
+  kind: ClusterRole
+  name: spire-server-pre-upgrade
+  apiGroup: rbac.authorization.k8s.io

helm-charts-playground/helm-charts-manifests/atmp/clusterspiffeid-spire-server-spire-default.yaml

@@ -0,0 +1,14 @@
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterSPIFFEID
+metadata:
+  name: spire-server-spire-default
+spec:
+  className: "spire-server-spire"
+  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - spire-server
+      - spire-system

helm-charts-playground/helm-charts-manifests/atmp/clusterspiffeid-spire-server-spire-oidc-discovery-provider.yaml

@@ -0,0 +1,22 @@
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterSPIFFEID
+metadata:
+  name: spire-server-spire-oidc-discovery-provider
+spec:
+  className: "spire-server-spire"
+  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
+  podSelector:
+    matchLabels:
+      component: oidc-discovery-provider
+      release: spire
+      release-namespace: spire-server
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: In
+      values:
+      - spire-server
+      - spire-system
+  dnsNameTemplates:
+    - oidc-discovery.{{ .TrustDomain }}
+  autoPopulateDNSNames: true

helm-charts-playground/helm-charts-manifests/atmp/clusterspiffeid-spire-server-spire-test-keys.yaml

@@ -0,0 +1,19 @@
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterSPIFFEID
+metadata:
+  name: spire-server-spire-test-keys
+spec:
+  className: "spire-server-spire"
+  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
+  podSelector:
+    matchLabels:
+      component: test-keys
+      release: spire
+      release-namespace: spire-server
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: In
+      values:
+      - spire-server
+      - spire-system

helm-charts-playground/helm-charts-manifests/spire/clusterrole-spire-controller-manager.yaml

@@ -0,0 +1,47 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: spire-server-spire-controller-manager
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "endpoints" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "patch", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterfederatedtrustdomains"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterfederatedtrustdomains/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterfederatedtrustdomains/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterspiffeids"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterspiffeids/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterspiffeids/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterstaticentries"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterstaticentries/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["spire.spiffe.io"]
+    resources: ["clusterstaticentries/status"]
+    verbs: ["get", "patch", "update"]

helm-charts-playground/helm-charts-manifests/spire/clusterrole-spire-server.yaml

@@ -0,0 +1,11 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-spire-server
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["get", "create"]