chore: make spiffe optional

Signed-off-by: AhmedGrati <ahmedgrati1999@gmail.com>
kubernetes-sigs · Oct 29, 2023 · 7f2b4a7 · 7f2b4a7
1 parent e8748c8
commit 7f2b4a7
Show file tree

Hide file tree

Showing 20 changed files with 122 additions and 82 deletions.
diff --git a/Makefile b/Makefile
@@ -120,21 +120,21 @@ deploy: yamls
 templates:
 	@# Need to prepend each line in the sample config with spaces in order to
 	@# fit correctly in the configmap spec.
-	@sed s'/^/    /' deployment/components/worker-config/nfd-worker.conf.example > nfd-worker.conf.tmp
-	@sed s'/^/    /' deployment/components/master-config/nfd-master.conf.example > nfd-master.conf.tmp
-	@sed s'/^/    /' deployment/components/topology-updater-config/nfd-topology-updater.conf.example > nfd-topology-updater.conf.tmp
+	@gsed s'/^/    /' deployment/components/worker-config/nfd-worker.conf.example > nfd-worker.conf.tmp
+	@gsed s'/^/    /' deployment/components/master-config/nfd-master.conf.example > nfd-master.conf.tmp
+	@gsed s'/^/    /' deployment/components/topology-updater-config/nfd-topology-updater.conf.example > nfd-topology-updater.conf.tmp
 	@# The sed magic below replaces the block of text between the lines with start and end markers
 	@start=NFD-MASTER-CONF-START-DO-NOT-REMOVE; \
 	end=NFD-MASTER-CONF-END-DO-NOT-REMOVE; \
-	sed -e "/$$start/,/$$end/{ /$$start/{ p; r nfd-master.conf.tmp" \
+	gsed -e "/$$start/,/$$end/{ /$$start/{ p; r nfd-master.conf.tmp" \
 	    -e "}; /$$end/p; d }" -i deployment/helm/node-feature-discovery/values.yaml
 	@start=NFD-WORKER-CONF-START-DO-NOT-REMOVE; \
 	end=NFD-WORKER-CONF-END-DO-NOT-REMOVE; \
-	sed -e "/$$start/,/$$end/{ /$$start/{ p; r nfd-worker.conf.tmp" \
+	gsed -e "/$$start/,/$$end/{ /$$start/{ p; r nfd-worker.conf.tmp" \
 	    -e "}; /$$end/p; d }" -i deployment/helm/node-feature-discovery/values.yaml
 	@start=NFD-TOPOLOGY-UPDATER-CONF-START-DO-NOT-REMOVE; \
 	end=NFD-TOPOLOGY-UPDATER-CONF-END-DO-NOT-REMOVE; \
-	sed -e "/$$start/,/$$end/{ /$$start/{ p; r nfd-topology-updater.conf.tmp" \
+	gsed -e "/$$start/,/$$end/{ /$$start/{ p; r nfd-topology-updater.conf.tmp" \
 		-e "}; /$$end/p; d }" -i deployment/helm/node-feature-discovery/values.yaml
 	@rm nfd-master.conf.tmp
 	@rm nfd-worker.conf.tmp

diff --git a/cmd/nfd-master/main.go b/cmd/nfd-master/main.go
@@ -71,6 +71,8 @@ func main() {
 			args.Overrides.ResyncPeriod = overrides.ResyncPeriod
 		case "nfd-api-parallelism":
 			args.Overrides.NfdApiParallelism = overrides.NfdApiParallelism
+		case "enable-spiffe":
+			args.Overrides.EnableSpiffe = overrides.EnableSpiffe
 		case "enable-nodefeature-api":
 			klog.InfoS("-enable-nodefeature-api is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		case "ca-file":
@@ -181,6 +183,7 @@ func initFlags(flagset *flag.FlagSet) (*master.Args, *master.ConfigOverrideArgs)
 			"It has an effect when the NodeFeature API has been enabled (with -enable-nodefeature-api).")
 	overrides.NfdApiParallelism = flagset.Int("nfd-api-parallelism", 10, "Defines the maximum number of goroutines responsible of updating nodes. "+
 		"Can be used for the throttling mechanism. It has effect only when -enable-nodefeature-api has been set.")
-
+	overrides.EnableSpiffe = flagset.Bool("enable-spiffe", false,
+		"Enables the Spiffe signature verification of created CRDs. This is still an EXPERIMENTAL feature.")
 	return args, overrides
 }
diff --git a/cmd/nfd-worker/main.go b/cmd/nfd-worker/main.go
@@ -104,6 +104,8 @@ func parseArgs(flags *flag.FlagSet, osArgs ...string) *worker.Args {
 			args.Overrides.FeatureSources = overrides.FeatureSources
 		case "label-sources":
 			args.Overrides.LabelSources = overrides.LabelSources
+		case "enable-spiffe":
+			args.Overrides.EnableSpiffe = overrides.EnableSpiffe
 		}
 	})
 
@@ -158,6 +160,8 @@ func initFlags(flagset *flag.FlagSet) (*worker.Args, *worker.ConfigOverrideArgs)
 	flagset.Var(overrides.LabelSources, "label-sources",
 		"Comma separated list of label sources. Special value 'all' enables all sources. "+
 			"Prefix the source name with '-' to disable it.")
+	overrides.EnableSpiffe = flagset.Bool("enable-spiffe", false,
+		"Enables the Spiffe signature verification of created CRDs. This is still an EXPERIMENTAL feature.")
 
 	return args, overrides
 }
diff --git a/deployment/components/master-config/nfd-master.conf.example b/deployment/components/master-config/nfd-master.conf.example
@@ -3,6 +3,7 @@
 # denyLabelNs: ["denied.ns.io","denied.kubernetes.io"]
 # resourceLabels: ["vendor-1.com/feature-1","vendor-2.io/feature-2"]
 # enableTaints: false
+# enableSpiffe: true
 # labelWhiteList: "foo"
 # resyncPeriod: "2h"
 # klog:

diff --git a/deployment/components/worker-config/nfd-worker.conf.example b/deployment/components/worker-config/nfd-worker.conf.example
@@ -2,6 +2,7 @@
 #  labelWhiteList:
 #  noPublish: false
 #  sleepInterval: 60s
+#  enableSpiffe: true
 #  featureSources: [all]
 #  labelSources: [all]
 #  klog:

diff --git a/deployment/helm/node-feature-discovery/templates/master.yaml b/deployment/helm/node-feature-discovery/templates/master.yaml
@@ -108,16 +108,21 @@ spec:
             - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
             - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
             {{- end }}
+            {{- if .Values.spiffe.enable }}
+            - "-enable-spiffe"
+            {{- end }}
             - "-metrics={{ .Values.master.metricsPort  | default "8081" }}"
           volumeMounts:
             {{- if .Values.tls.enable }}
             - name: nfd-master-cert
               mountPath: "/etc/kubernetes/node-feature-discovery/certs"
               readOnly: true
             {{- end }}
+            {{- if .Values.spiffe.enable }}
             - name: spire-agent-socket
               mountPath: /run/spire/sockets
               readOnly: true
+            {{- end }}
             - name: nfd-master-conf
               mountPath: "/etc/kubernetes/node-feature-discovery"
               readOnly: true
@@ -127,10 +132,12 @@ spec:
           secret:
             secretName: nfd-master-cert
         {{- end }}
+        {{- if .Values.spiffe.enable }}
         - name: spire-agent-socket
           hostPath:
             path: /run/spire/sockets
             type: Directory
+        {{- end }}
         - name: nfd-master-conf
           configMap:
             name: {{ include "node-feature-discovery.fullname" . }}-master-conf

diff --git a/deployment/helm/node-feature-discovery/templates/spire-agent-cluster-role.yaml b/deployment/helm/node-feature-discovery/templates/spire-agent-cluster-role.yaml
@@ -17,7 +17,7 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: spire-agent
-  namespace: spire
+  namespace: {{ include "node-feature-discovery.namespace" . }}
 roleRef:
   kind: ClusterRole
   name: spire-agent-cluster-role

diff --git a/deployment/helm/node-feature-discovery/templates/spire-agent-daemonset.yaml b/deployment/helm/node-feature-discovery/templates/spire-agent-daemonset.yaml
@@ -43,20 +43,6 @@ spec:
             - name: spire-agent-socket
               mountPath: /run/spire/sockets
               readOnly: false
-          livenessProbe:
-            httpGet:
-              path: /live
-              port: 8080
-            failureThreshold: 2
-            initialDelaySeconds: 15
-            periodSeconds: 60
-            timeoutSeconds: 3
-          readinessProbe:
-            httpGet:
-              path: /ready
-              port: 8080
-            initialDelaySeconds: 5
-            periodSeconds: 5
       volumes:
         - name: spire-config
           configMap:

diff --git a/deployment/helm/node-feature-discovery/templates/spire-server-cluster-role.yaml b/deployment/helm/node-feature-discovery/templates/spire-server-cluster-role.yaml
@@ -4,7 +4,6 @@ kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: spire-server-configmap-role
-  namespace: spire
 rules:
 - apiGroups: [""]
   resources: ["configmaps"]
@@ -15,11 +14,11 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: spire-server-configmap-role-binding
-  namespace: spire
+  namespace: {{ include "node-feature-discovery.namespace" . }}
 subjects:
 - kind: ServiceAccount
   name: spire-server
-  namespace: spire
+  namespace: {{ include "node-feature-discovery.namespace" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -43,7 +42,7 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: spire-server
-  namespace: spire
+  namespace: {{ include "node-feature-discovery.namespace" . }}
 roleRef:
   kind: ClusterRole
   name: spire-server-trust-role

diff --git a/deployment/helm/node-feature-discovery/templates/spire-server-configmap.yaml b/deployment/helm/node-feature-discovery/templates/spire-server-configmap.yaml
@@ -18,7 +18,7 @@ data:
       ca_subject = {
         country = ["US"],
         organization = ["SPIFFE"],
-        common_name = "",
+        common_name = "nfd.com",
       }
     }
 
@@ -35,7 +35,7 @@ data:
           clusters = {
             "nfd" = {
               use_token_review_api_validation = true
-              service_account_allow_list = ["spire:spire-agent"]
+              service_account_allow_list = ["{{ include "node-feature-discovery.namespace" . }}:spire-agent"]
             }
           }
         }
@@ -49,6 +49,7 @@ data:
 
       Notifier "k8sbundle" {
         plugin_data {
+          namespace = "{{ include "node-feature-discovery.namespace" . }}"
         }
       }
     }

diff --git a/deployment/helm/node-feature-discovery/templates/spire-server-statefulset.yaml b/deployment/helm/node-feature-discovery/templates/spire-server-statefulset.yaml
@@ -13,7 +13,6 @@ spec:
   serviceName: spire-server
   template:
     metadata:
-      namespace: spire
       labels:
         app: spire-server
     spec:
@@ -54,7 +53,6 @@ spec:
   volumeClaimTemplates:
     - metadata:
         name: spire-data
-        namespace: spire
       spec:
         accessModes:
           - ReadWriteOnce

diff --git a/deployment/helm/node-feature-discovery/templates/worker.yaml b/deployment/helm/node-feature-discovery/templates/worker.yaml
@@ -59,14 +59,19 @@ spec:
         - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
         - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
 {{- end }}
+        {{- if .Values.spiffe.enable }}
+        - "-enable-spiffe"
+        {{- end }}
         - "-metrics={{ .Values.worker.metricsPort | default "8081"}}"
         ports:
           - name: metrics
             containerPort: {{ .Values.worker.metricsPort | default "8081"}}
         volumeMounts:
+        {{- if .Values.spiffe.enable }}
         - name: spire-agent-socket
           mountPath: /run/spire/sockets
           readOnly: true
+        {{- end }}
         - name: host-boot
           mountPath: "/host-boot"
           readOnly: true
@@ -102,10 +107,12 @@ spec:
           readOnly: true
 {{- end }}
       volumes:
+      {{- if .Values.spiffe.enable }}
         - name: spire-agent-socket
           hostPath:
             path: /run/spire/sockets
             type: Directory
+        {{- end }}
         - name: host-boot
           hostPath:
             path: "/boot"

diff --git a/deployment/helm/node-feature-discovery/values.yaml b/deployment/helm/node-feature-discovery/values.yaml
@@ -1,6 +1,6 @@
 image:
   repository: ahmedgrati/node-feature-discovery
-  tag: b0290ef-dirty
+  tag: 42a3b9f-dirty
   # This should be set to 'IfNotPresent' for released version
   pullPolicy: Always
   # tag, if defined will use the given image tag, else Chart.AppVersion will be used
@@ -24,8 +24,8 @@ master:
     # denyLabelNs: ["denied.ns.io","denied.kubernetes.io"]
     # resourceLabels: ["vendor-1.com/feature-1","vendor-2.io/feature-2"]
     # enableTaints: false
-    # labelWhiteList: "foo"
     # enableSpiffe: true
+    # labelWhiteList: "foo"
     # resyncPeriod: "2h"
     # klog:
     #    addDirHeader: false
@@ -144,9 +144,9 @@ worker:
     #  labelWhiteList:
     #  noPublish: false
     #  sleepInterval: 60s
+    #  enableSpiffe: true
     #  featureSources: [all]
     #  labelSources: [all]
-    #  enableSpiffe: true
     #  klog:
     #    addDirHeader: false
     #    alsologtostderr: false

diff --git a/deployment/overlays/spiffe/spire-agent-cluster-role.yaml b/deployment/overlays/spiffe/spire-agent-cluster-role.yaml
@@ -18,7 +18,7 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: spire-agent
-  namespace: spire
+  namespace: {{ include "node-feature-discovery.namespace" . }}
 roleRef:
   kind: ClusterRole
   name: spire-agent-cluster-role

diff --git a/deployment/overlays/spiffe/spire-server-cluster-role.yaml b/deployment/overlays/spiffe/spire-server-cluster-role.yaml
@@ -3,7 +3,6 @@ kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: spire-server-configmap-role
-  namespace: spire
 rules:
 - apiGroups: [""]
   resources: ["configmaps"]
@@ -14,11 +13,11 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: spire-server-configmap-role-binding
-  namespace: spire
+  namespace: {{ include "node-feature-discovery.namespace" . }}
 subjects:
 - kind: ServiceAccount
   name: spire-server
-  namespace: spire
+  namespace: {{ include "node-feature-discovery.namespace" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -42,7 +41,7 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: spire-server
-  namespace: spire
+  namespace: {{ include "node-feature-discovery.namespace" . }}
 roleRef:
   kind: ClusterRole
   name: spire-server-trust-role

diff --git a/deployment/overlays/spiffe/spire-server-statefulset.yaml b/deployment/overlays/spiffe/spire-server-statefulset.yaml
@@ -12,7 +12,6 @@ spec:
   serviceName: spire-server
   template:
     metadata:
-      namespace: spire
       labels:
         app: spire-server
     spec:
@@ -53,7 +52,6 @@ spec:
   volumeClaimTemplates:
     - metadata:
         name: spire-data
-        namespace: spire
       spec:
         accessModes:
           - ReadWriteOnce