# Zero Trust Workload Identity Manager Helm Chart

This chart is used to serve as the template for Validated Patterns Charts

Homepage: https://github.com/validatedpatterns/ztwim-chart

## Maintainers

| Name | Email | Url |
|---|---|---|
| Validated Patterns Team | validatedpatterns@googlegroups.com | |
## Values

| Key | Type | Default | Description |
|---|---|---|---|
| defaultDenyNetworkPolicy | object | `{"enabled":false}` | Default-deny NetworkPolicy for the ZTWIM namespace. When enabled, deploys a namespace-wide NetworkPolicy that blocks all ingress and egress for pods without an explicit allow policy. Note: spire-agent uses hostNetwork and is NOT affected by NetworkPolicies. |
| global.hubClusterDomain | string | `"hub.example.com"` | |
| global.localClusterDomain | string | `"local.example.com"` | |
| networkPolicy | object | `{"csiDriver":{"egress":[],"enabled":false},"oidcDiscoveryProvider":{"egress":[],"enabled":false,"ingress":[]},"operator":{"egress":[],"enabled":false,"ingress":[]},"spireServer":{"egress":[],"enabled":false,"ingress":[]}}` | Per-pod NetworkPolicy rules for SPIRE components and the ZTWIM operator. Only effective when defaultDenyNetworkPolicy is enabled. |
| spiffe.csi.agentSocketPath | string | `"/run/spire/agent-sockets"` | |
| spire.agent.nodeAttestor.k8sPSATEnabled | string | `"true"` | |
| spire.agent.workloadAttestors.k8sEnabled | string | `"true"` | |
| spire.agent.workloadAttestors.workloadAttestorsVerification.hostCertBasePath | string | `"/var/lib/kubelet/pki"` | |
| spire.agent.workloadAttestors.workloadAttestorsVerification.hostCertFileName | string | `""` | |
| spire.agent.workloadAttestors.workloadAttestorsVerification.type | string | `"auto"` | |
| spire.bundleConfigMap | string | `"spire-bundle"` | |
| spire.clusterName | string | `"cluster"` | |
| spire.oidcDiscoveryProvider.ingress.annotations."route.openshift.io/termination" | string | `"reencrypt"` | |
| spire.oidcDiscoveryProvider.ingress.host | string | `"spire-spiffe-oidc-discovery-provider.{{ .Values.global.localClusterDomain }}"` | |
| spire.oidcDiscoveryProvider.ingress.operatorManaged | string | `"true"` | |
| spire.oidcDiscoveryProvider.service.name | string | `"spire-spiffe-oidc-discovery-provider"` | |
| spire.oidcDiscoveryProvider.service.port | int | `443` | |
| spire.server.ca.commonName | string | `"redhat.com"` | |
| spire.server.ca.country | string | `"US"` | |
| spire.server.ca.organization | string | `"Red Hat"` | |
| spire.server.datastore.connMaxLifetime | int | `0` | |
| spire.server.datastore.connectionString | string | `"/run/spire/data/datastore.sqlite3"` | |
| spire.server.datastore.databaseType | string | `"sqlite3"` | |
| spire.server.datastore.maxIdleConns | int | `10` | |
| spire.server.datastore.maxOpenConns | int | `100` | |
| spire.server.federation.bundleEndpoint.profile | string | `"https_spiffe"` | |
| spire.server.federation.enabled | string | `"false"` | |
| spire.server.federation.federatesWith | list | `[]` | |
| spire.server.federation.ingress.annotations."route.openshift.io/termination" | string | `"passthrough"` | |
| spire.server.federation.ingress.host | string | `"spire-server.{{ .Values.global.localClusterDomain }}"` | |
| spire.server.federation.ingress.operatorManaged | string | `"true"` | |
| spire.server.persistence.accessMode | string | `"ReadWriteOnce"` | |
| spire.server.persistence.size | string | `"5Gi"` | |
| spire.server.persistence.storageClass | string | `""` | |
| spire.server.service.name | string | `"spire-server"` | |
| spire.server.service.port | int | `443` | |
| spire.trustDomain | string | `"{{ .Values.global.localClusterDomain }}"` | |
Autogenerated from chart metadata using helm-docs v1.14.2
## Network Policies

This chart supports deploying Kubernetes NetworkPolicies for network isolation in the ZTWIM namespace. Two layers are available:

1. A namespace-wide default-deny NetworkPolicy that blocks all ingress and egress traffic for every pod in the namespace unless an explicit allow policy exists.
2. Per-component allow policies, rendered only when the default-deny policy is enabled.

Enable the default-deny layer by setting:

```yaml
defaultDenyNetworkPolicy:
  enabled: true
```

Note: The spire-agent DaemonSet uses `hostNetwork: true` and is NOT affected by NetworkPolicies. Agent-to-server traffic therefore arrives from node IPs rather than pod IPs, so no `podSelector` or `namespaceSelector` can match it; the spire-server policy needs a port-only ingress rule (ports but no `from`) for the agent API port. Such a rule admits any source on that port, so authenticating the agents is left to SPIRE's node attestation, not to the network policy.

When the default-deny policy is enabled, additional NetworkPolicy templates allow defining fine-grained rules for each component:

- `networkPolicy.spireServer`: ingress and egress rules for the spire-server pod (includes the spire-controller-manager webhook container)
- `networkPolicy.oidcDiscoveryProvider`: ingress and egress rules for the OIDC discovery provider pod
- `networkPolicy.csiDriver`: egress rules for the SPIFFE CSI driver pods
- `networkPolicy.operator`: ingress and egress rules for the ZTWIM operator pod

A component whose policy is left disabled gets no allow rule at all, so under default-deny its pods are fully isolated.
Example: allow spire-server ingress from agents and egress to DNS:

```yaml
defaultDenyNetworkPolicy:
  enabled: true
networkPolicy:
  spireServer:
    enabled: true
    ingress:
      # Agent API. Agents run with hostNetwork and connect from node IPs, so a
      # port-only rule (no `from`) is the only form that matches them.
      - ports:
          - protocol: TCP
            port: 8081
      # spire-controller-manager webhook container in the same pod.
      - ports:
          - protocol: TCP
            port: 9443
    egress:
      # Cluster DNS (OpenShift DNS listens on 5353 in the openshift-dns namespace).
      - ports:
          - protocol: UDP
            port: 5353
          - protocol: TCP
            port: 5353
        to:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: openshift-dns
      # Kubernetes API server.
      - ports:
          - protocol: TCP
            port: 6443
  oidcDiscoveryProvider:
    enabled: true
    ingress:
      # Only the OpenShift ingress controllers (router namespace) may reach the provider.
      - ports:
          - protocol: TCP
            port: 8443
        from:
          - namespaceSelector:
              matchLabels:
                policy-group.network.openshift.io/ingress: ""
    egress:
      - ports:
          - protocol: UDP
            port: 5353
          - protocol: TCP
            port: 5353
        to:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: openshift-dns
  operator:
    enabled: true
    egress:
      # HTTPS (443) and the Kubernetes API server (6443), to any destination.
      - ports:
          - protocol: TCP
            port: 443
          - protocol: TCP
            port: 6443
```

`networkPolicy.csiDriver` is left at its default (disabled) here, so with default-deny on the CSI driver pods get no network access. Patterns can supply these values via `extraValueFiles` in their `values-hub.yaml` to keep network policy configuration separate from the main chart values.
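The interactions above (per-pod rules that only take effect under default-deny, components left without any allow rule, and port-only rules that match every peer) are easy to get wrong in a values file that is hand-edited per pattern. The following Python linter is an added example for this README, not code shipped with ztwim-chart; it assumes the values have already been parsed into a dict (for instance with `yaml.safe_load` on the file passed via `extraValueFiles`), takes the four component names and their directions from the list above, and uses two constructed sample value sets: the README's own example and a deliberately broken one.

```python
"""Lint ZTWIM chart NetworkPolicy values before rolling them out.

Added example for this README, not code shipped with ztwim-chart. Input is the
already-parsed values dict (e.g. yaml.safe_load of the extraValueFiles file).
"""
from dataclasses import dataclass

# Per-pod policies the chart renders and the directions the README lists for
# each. spire-agent is deliberately absent: it uses hostNetwork, so
# NetworkPolicies never apply to it.
KNOWN_COMPONENTS = {
    "spireServer": ("ingress", "egress"),
    "oidcDiscoveryProvider": ("ingress", "egress"),
    "csiDriver": ("egress",),
    "operator": ("ingress", "egress"),
}
PEER_KEY = {"ingress": "from", "egress": "to"}


@dataclass(frozen=True)
class Finding:
    level: str  # "error", "warn" or "info"
    component: str
    message: str


def _ports(rule: dict) -> str:
    ports = rule.get("ports") or []
    return ", ".join(f"{p.get('protocol', 'TCP')}/{p.get('port')}" for p in ports) or "all ports"


def lint_network_policy_values(values: dict) -> list[Finding]:
    findings: list[Finding] = []
    default_deny = bool((values.get("defaultDenyNetworkPolicy") or {}).get("enabled"))
    policies = values.get("networkPolicy") or {}

    for name, cfg in policies.items():
        if name not in KNOWN_COMPONENTS:
            findings.append(Finding("error", name, "no per-pod policy template for this key (check the spelling)"))
            continue
        cfg = cfg or {}
        if cfg.get("enabled") and not default_deny:
            findings.append(Finding("warn", name, "enabled, but per-pod policies only take effect when "
                                                  "defaultDenyNetworkPolicy.enabled is true"))
        for direction in ("ingress", "egress"):
            rules = cfg.get(direction) or []
            if direction not in KNOWN_COMPONENTS[name]:
                if rules:
                    findings.append(Finding("error", name, f"README lists no {direction} rules for this component"))
                continue
            for i, rule in enumerate(rules):
                # Kubernetes treats a missing or empty from/to as "every peer".
                # That is exactly what spire-server ingress needs (agents arrive
                # from node IPs), so this is reported as info, not as an error.
                if not rule.get(PEER_KEY[direction]):
                    findings.append(Finding("info", name, f"{direction} rule {i} has no '{PEER_KEY[direction]}': "
                                                          f"{_ports(rule)} open to any peer"))

    if default_deny:
        for name in KNOWN_COMPONENTS:
            if not (policies.get(name) or {}).get("enabled"):
                findings.append(Finding("warn", name, "default-deny is on with no allow policy enabled; "
                                                      "all ingress and egress for these pods is blocked"))
    return findings


# Constructed samples. README_EXAMPLE mirrors the README's example (csiDriver
# left at its default of disabled); BROKEN_EXAMPLE is a deliberately bad file.
_DNS = {"ports": [{"protocol": "UDP", "port": 5353}, {"protocol": "TCP", "port": 5353}],
        "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "openshift-dns"}}}]}
README_EXAMPLE = {
    "defaultDenyNetworkPolicy": {"enabled": True},
    "networkPolicy": {
        "spireServer": {"enabled": True,
                        "ingress": [{"ports": [{"protocol": "TCP", "port": 8081}]},
                                    {"ports": [{"protocol": "TCP", "port": 9443}]}],
                        "egress": [_DNS, {"ports": [{"protocol": "TCP", "port": 6443}]}]},
        "oidcDiscoveryProvider": {"enabled": True,
                                  "ingress": [{"ports": [{"protocol": "TCP", "port": 8443}],
                                               "from": [{"namespaceSelector": {"matchLabels": {
                                                   "policy-group.network.openshift.io/ingress": ""}}}]}],
                                  "egress": [_DNS]},
        "operator": {"enabled": True,
                     "egress": [{"ports": [{"protocol": "TCP", "port": 443}, {"protocol": "TCP", "port": 6443}]}]},
    },
}
BROKEN_EXAMPLE = {
    "defaultDenyNetworkPolicy": {"enabled": False},
    "networkPolicy": {
        "spireserver": {"enabled": True},  # wrong case: the chart knows spireServer
        "csiDriver": {"enabled": True, "ingress": [{"ports": [{"port": 443}]}]},  # csiDriver has egress only
    },
}

if __name__ == "__main__":
    for sample in (README_EXAMPLE, BROKEN_EXAMPLE):
        for f in lint_network_policy_values(sample):
            print(f"[{f.level}] {f.component}: {f.message}")
```

Run against the README's example it reports four `info` findings (the two spire-server ingress rules, the spire-server API egress rule and the operator egress rule have no peer selector) and one `warn` for the isolated CSI driver pods; against the broken file it reports the unknown key and the CSI driver ingress rules as `error` and the enabled-without-default-deny case as `warn`. The `info` level for port-only rules is deliberate: the spire-server one is required by design, but the same shape on any other component deserves a second look.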