vmware-tanzu / secrets-manager

VMware Secrets Manager is a lightweight secrets manager to protect your sensitive data. It’s perfect for edge deployments where energy and footprint requirements are strict—See more: https://vsecm.com/
BSD 2-Clause "Simplified" License

helm charts: ability for spire server to use different upstream authorities #601

Open v0lkan opened 6 months ago

v0lkan commented 6 months ago

    # UpstreamAuthority "disk": Uses a CA loaded from disk to sign SPIRE server
    # intermediate certificates.
    UpstreamAuthority "disk" {
        plugin_data {
            # key_file_path: Path to the "upstream" CA key file. Key files must
            # contain a single PEM encoded key. The supported key types are EC
            # (ASN.1 or PKCS8 encoded) or RSA (PKCS1 or PKCS8 encoded).
            key_file_path = "./conf/server/dummy_upstream_ca.key"

            # cert_file_path: If SPIRE is using a self-signed CA, cert_file_path
            # should specify the path to a single PEM encoded certificate
            # representing the upstream CA certificate. If not self-signed,
            # cert_file_path should specify the path to a file that must contain
            # one or more certificates necessary to establish a valid certificate
            # chain up the root certificates defined in bundle_file_path.
            cert_file_path = "./conf/server/dummy_upstream_ca.crt"

            # bundle_file_path: If SPIRE is using a self-signed CA, bundle_file_path
            # can be left unset. If not self-signed, then bundle_file_path should
            # be the path to a file that must contain one or more certificates
            # representing the upstream root certificates and the file at
            # cert_file_path contains one or more certificates necessary to chain up
            # the root certificates in bundle_file_path (where the first
            # certificate in cert_file_path is the upstream CA certificate).
            # bundle_file_path = ""
        }
    }

    # UpstreamAuthority "aws_pca": Uses a Private Certificate Authority from
    # AWS Certificate Manager to sign SPIRE server intermediate certificates.
    # UpstreamAuthority "aws_pca" {
    #     plugin_data {
    #         # region: AWS Region to use.
    #         # region = ""

    #         # certificate_authority_arn: ARN of the "upstream" CA certificate.
    #         # certificate_authority_arn = ""

    #         # ca_signing_template_arn (Optional): ARN of the signing template
    #         # to use for the server's CA. Defaults to a signing template for
    #         # end-entity certificates only.
    #         # ca_signing_template_arn = ""

    #         # signing_algorithm (Optional): Signing algorithm to use for the
    #         # server's CA. Defaults to the CA's default.
    #         # signing_algorithm = ""

    #         # assume_role_arn (Optional): ARN of an IAM role to assume.
    #         # assume_role_arn = ""

    #         # endpoint (Optional): Endpoint as hostname or fully-qualified
    #         # URI that overrides the default endpoint.
    #         # endpoint = ""
    #     }
    # }

    # UpstreamAuthority "awssecret": Uses a CA loaded from AWS SecretsManager
    # to sign SPIRE server intermediate certificates.
    # UpstreamAuthority "awssecret" {
    #     plugin_data {
    #         # region: AWS Region that the AWS Secrets Manager is running in.
    #         # region = ""

    #         # cert_file_arn: ARN of the "upstream" CA certificate.
    #         # cert_file_arn = ""

    #         # key_file_arn: ARN of the "upstream" CA key file.
    #         # key_file_arn = ""

    #         # access_key_id: AWS access key ID.
    #         # access_key_id = ""

    #         # secret_access_key: AWS secret access key.
    #         # secret_access_key = ""

    #         # secret_token: AWS secret token.
    #         # secret_token = ""

    #         # assume_role_arn: ARN of role to assume.
    #         # assume_role_arn = ""
    #     }
    # }

    # UpstreamAuthority "gcp_cas": Uses a Certificate Authority Service of
    # Google Cloud Platform to sign SPIRE server intermediate certificates.
    # UpstreamAuthority "gcp_cas" {
    #     plugin_data {
    #         root_cert_spec {
    #             # All fields are required
    #             # Project name + region name is used to retrieve a set of CAs
    #             project_name = ""
    #             region_name = ""
    #             # label key + label value is used to filter and select a subset of CAs
    #             label_key = ""
    #             label_value = ""
    #         }
    #     }
    # }

    # UpstreamAuthority "vault": Uses a PKI Secret Engine from HashiCorp Vault
    # to sign SPIRE server intermediate certificates.
    # UpstreamAuthority "vault" {
    #     plugin_data {
    #         # vault_addr: The URL of the Vault server.
    #         # Default: ${VAULT_ADDR}.
    #         # vault_addr = ""

    #         # namespace: Name of the Vault namespace.
    #         # Default: ${VAULT_NAMESPACE}.
    #         # namespace = ""

    #         # pki_mount_point: Name of the mount point where PKI secret engine is mounted.
    #         # Default: pki.
    #         # pki_mount_point = ""

    #         # ca_cert_path: Path to a CA certificate file used to verify
    #         # the Vault server certificate. Only PEM format is supported.
    #         # Default: ${VAULT_CACERT}.
    #         # ca_cert_path = ""

    #         # insecure_skip_verify: If true, vault client accepts any server certificates.
    #         # Default: false.
    #         # insecure_skip_verify = false

    #         # cert_auth: Configuration for the Client Certificate authentication method.
    #         # cert_auth {
    #             # cert_auth_mount_point: Name of the mount point
    #             # where TLS certificate auth method is mounted. Default: cert.
    #             # cert_auth_mount_point = ""

    #             # cert_auth_role_name: Name of the Vault role
    #             # If given, the plugin authenticates against only the named role.
    #             # Default to trying all roles.
    #             # cert_auth_role_name = ""

    #             # client_cert_path: Path to a client certificate file.
    #             # Only PEM format is supported. Default: ${VAULT_CLIENT_CERT}.
    #             # client_cert_path = ""

    #             # client_key_path: Path to a client private key file.
    #             # Only PEM format is supported. Default: ${VAULT_CLIENT_KEY}.
    #             # client_key_path  = ""
    #         # }

    #         # token_auth: Configuration for the Token authentication method.
    #         # token_auth {
    #             # token: Token string to set into "X-Vault-Token" header.
    #             # Default: ${VAULT_TOKEN}.
    #             # token = ""
    #         # }

    #         # approle_auth: Configuration for the AppRole authentication method.
    #         # approle_auth {
    #             # approle_auth_mount_point: Name of the mount point
    #             # where the AppRole auth method is mounted. Default: approle.
    #             # approle_auth_mount_point = ""

    #             # approle_id: An identifier of AppRole. Default: ${VAULT_APPROLE_ID}.
    #             # approle_id = ""

    #             # approle_secret_id: A credential of AppRole. Default: ${VAULT_APPROLE_SECRET_ID}.
    #             # approle_secret_id = ""
    #         # }

    #         # k8s_auth: Configuration for the Kubernetes authentication method.
    #         # k8s_auth {
    #             # k8s_auth_mount_point: Name of the mount point
    #             # where the Kubernetes auth method is mounted. Default: kubernetes.
    #             # k8s_auth_mount_point = ""

    #             # k8s_auth_role_name: Name of the Vault role. The plugin authenticates against the named role
    #             # k8s_auth_role_name = ""

    #             # token_path: Path to the Kubernetes Service Account Token to use authentication with the Vault
    #             # Default: /var/run/secrets/kubernetes.io/serviceaccount/token
    #             # token_path = ""
    #         # }
    #     }
    # }

    # UpstreamAuthority "spire": Uses an upstream SPIRE server in the same
    # trust domain to obtain intermediate signing certificates for SPIRE server.
    # UpstreamAuthority "spire" {
    #     plugin_data {
    #         # server_address: IP address or DNS name of the upstream SPIRE server
    #         # in the same trust domain.
    #         # server_address = ""

    #         # server_port: Port number of the upstream SPIRE server in the same
    #         # trust domain.
    #         # server_port = ""

    #         # workload_api_socket: Path to the SPIRE Agent API socket (Unix only).
    #         # workload_api_socket = ""

    #         # experimental: The experimental options that are subject to change or removal.
    #         # experimental {
    #              # workload_api_named_pipe_name: Pipe name of the SPIRE Agent API named pipe (Windows only).
    #              # workload_api_named_pipe_name = ""
    #         # }
    #     }
    # }

    # UpstreamAuthority "cert-manager": Uses cert-manager in a target
    # Kubernetes cluster to sign SPIRE server intermediate certificates.
    # UpstreamAuthority "cert-manager" {
    #     plugin_data {
    #         # kube_config_file: Filepath to a kubeconfig to access the Kubernetes cluster. Empty path will attempt to use an in-cluster config.
    #         kube_config_file = "/etc/kubernetes/kubeconfig.yaml"

    #         # issuer_name: The issuer name to reference when creating CertificateRequests
    #         issuer_name = "spire-ca"
    #         # issuer_kind: The issuer kind to reference when creating CertificateRequests. Defaults to "Issuer" when empty.
    #         issuer_kind = "Issuer"
    #         # issuer_group: The issuer group to reference when creating CertificateRequests. Defaults to "cert-manager.io" when empty.
    #         issuer_group = "cert-manager.io"
    #         # namespace: The namespace to create CertificateRequests.
    #         namespace = "sandbox"
    #     }
    # }
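One way the chart could expose this choice, as an added example that is not part of the VSecM chart or of the SPIRE project: a hypothetical `spireServer.upstreamAuthority` values tree and a hypothetical Helm named template (`vsecm.spireServer.upstreamAuthority`) that renders exactly one UpstreamAuthority block into server.conf, covering the "disk" and "vault" plugins from the template above and refusing to render a Vault configuration that disables server certificate verification.

```yaml
# --- values.yaml (hypothetical keys: exactly one plugin is selected by "type") ---
spireServer:
  upstreamAuthority:
    type: vault              # "disk" or "vault" in this example
    disk:
      keyFilePath: /run/spire/upstream-ca/tls.key
      certFilePath: /run/spire/upstream-ca/tls.crt
      bundleFilePath: ""     # empty for a self-signed upstream CA
    vault:
      vaultAddr: https://vault.example.internal:8200
      pkiMountPoint: pki
      caCertPath: /run/spire/vault-ca/ca.crt
      insecureSkipVerify: false
      k8sAuth:
        mountPoint: kubernetes
        roleName: spire-server
        tokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
# --- templates/_upstream-authority.tpl (included in the server.conf ConfigMap) ---
{{- define "vsecm.spireServer.upstreamAuthority" -}}
{{- $ua := .Values.spireServer.upstreamAuthority -}}
{{- if eq $ua.type "disk" }}
UpstreamAuthority "disk" {
    plugin_data {
        key_file_path = {{ $ua.disk.keyFilePath | quote }}
        cert_file_path = {{ $ua.disk.certFilePath | quote }}
        {{- with $ua.disk.bundleFilePath }}
        bundle_file_path = {{ . | quote }}
        {{- end }}
    }
}
{{- else if eq $ua.type "vault" }}
{{- if $ua.vault.insecureSkipVerify }}
{{- fail "vault.insecureSkipVerify must stay false: the Vault server certificate has to be verified" }}
{{- end }}
UpstreamAuthority "vault" {
    plugin_data {
        vault_addr = {{ $ua.vault.vaultAddr | quote }}
        pki_mount_point = {{ $ua.vault.pkiMountPoint | quote }}
        ca_cert_path = {{ $ua.vault.caCertPath | quote }}
        k8s_auth {
            k8s_auth_mount_point = {{ $ua.vault.k8sAuth.mountPoint | quote }}
            k8s_auth_role_name = {{ $ua.vault.k8sAuth.roleName | quote }}
            token_path = {{ $ua.vault.k8sAuth.tokenPath | quote }}
        }
    }
}
{{- else }}
{{- fail (printf "unsupported spireServer.upstreamAuthority.type %q" $ua.type) }}
{{- end }}
{{- end -}}
```

The remaining plugins from the template above (aws_pca, awssecret, gcp_cas, spire, cert-manager) slot in as further `else if` branches of the same shape, and the final `fail` keeps a typo in `type` from silently producing a server with no upstream authority.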

v0lkan commented 6 months ago

Also from docs:

Configure AWS Secrets Manager

The SPIRE Server can be configured to load CA credentials from Amazon Web Services Secrets Manager, using them to generate intermediate signing certificates for the server’s signing authority. This strategy can be managed by enabling and configuring the awssecret UpstreamAuthority plugin for the SPIRE Server.

Configure AWS Certificate Manager

The SPIRE Server can be configured to load CA credentials from Amazon Web Services Certificate Manager Private Certificate Authority (PCA), using them to generate intermediate signing certificates for the server’s signing authority. This strategy can be managed by enabling and configuring the aws_pca UpstreamAuthority plugin for the SPIRE Server.

Configure another SPIRE installation

The SPIRE Server can be configured to load CA credentials from the Workload API of another SPIFFE implementation such as SPIRE. This enables a technique called “Nested SPIRE” that, as a complement to HA deployments, allows independent SPIRE Servers to issue identities against a single trust domain. A full treatment for Nested SPIRE is beyond the scope of this guide. However, this strategy can be managed by enabling and configuring the spire UpstreamAuthority plugin for the SPIRE Server.